ISDN backup
I have been using an ISDN link as a backup using floating static routing and it is working fine. Now we want the ISDN to dial only in office hours if the primary links fail. What do I have to do for it? Please suggest.
You need to use time-based access list to define interesting traffic.
You can get more info here:
http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a0080094089.shtml
Thanks,
Mak
Similar Messages
-
Hello,
I have big problem. My client has to have ISDN back-up but there is no possibility to get ISDN line to my client location. Router has WIC 1B S/T and should call in to the another router with PRI interface when there is a problem with main line (FR).
How can I resolve this problem?? Where can I plug ISDN line?
Best regards,
Jarek
Hi Jarek,
If there is no ISDN service where the remote site is then you will have to forget about using ISDN backup from that particular site.
Your best way to get dial backup would be to use something like a WIC-1AM or WIC-2AM (analog modem WICs) at the remote site, connected to normal POTS phone lines. You would then need to install some digital modems into the router with the PRI (NM-6DM etc). In this way the analog modems can dial into the PRI, whereby the PRI router will direct the call internally to the digital modems.
This won't give as good a performance as a BRI ISDN circuit, but it will at least allow you to implement a dial backup solution.
Hope that helps.
Vaughan -
ISDN backup for ADSL connected sites using separate router
In our set-up we have a central site with a large number of remote sites connected.
We have moved a number of remote sites from ISDN connections to ADSL connections. However, we would like to keep the ISDN and use it for backup.
The problem I have is - how do I implement ISDN backup with our current set-up? From the documentation, I can see how to do this for more "straightforward" set-ups but not for the set-up we have! Let me explain:
At the central site, we have a Cisco 7206 router. The ISDN connected sites connect directly to this router (which is configured with a large number of dialer map statements for each site)
The 7206 connects to a PIX515E firewall. The ADSL connected sites connect over the public internet using IPSEC with the tunnels terminating on the PIX.
The 7206 router contains static routes for the ADSL connected sites, pointing to the firewall.
At the remote sites, we have a Cisco 837 router for the ADSL connection.
This is connected (via ethernet) to the router we want to use for ISDN backup - a Cisco 800. The 837 and 800 are configured with HSRP.
However, at the moment, if the 837 or the ADSL link was to go down, there would be no means to connect to the central site. How can we configure this to use the 2nd router for ISDN backup, given our set-up?
Any suggestions would be greatly appreciated!
(Incidentally, I have only recently joined this company and have taken this over, without any information to go on as to why things are set up as they are!)
Hello again,
I think you can pretty much ignore my last message. I've done a bit more digging and I think I have a better idea of what you mean now!
Let's see if I've got this about right. To recap:
I need to set up a GRE tunnel between the remote site and 7206 router at head office, which in turn would be using IPSEC tunnel between remote router and PIX.
So, steps required:
1) set up IPSec tunnel to PIX (this is the way it is already currently configured - am I right in thinking no further configuration would be required as far as the PIX is concerned, for the new set-up?)
2) set up GRE tunnel between remote ADSL router and 7206 - requires tunnel interface on both router with start point and end point configured. Use GRE keepalive to enable the line protocol to be brought down if the far end cannot be reached.
3) Add static routes on ADSL router to reach head office network via tunnel interface
4) Add static route on 7206 router to reach remote network via tunnel interface
5) Configure ISDN map statement on 7206 mapping remote network to ISDN number
6) Configure "floating" static routes on 7206 to use ISDN to reach remote network
7) Configure HSRP on ADSL and ISDN routers with tracking of tunnel interface. If tunnel interface goes down, then ISDN router takes over as active.
8) Configure static routes on ISDN router to point to head office network using BRI0 interface.
So, under normal operation, traffic between head office and remote office will be routed across the GRE tunnel using the ADSL link.
If the ADSL link was to go down then the GRE tunnel would also go down. So, the 7206 would then use the floating static routes to reach the remote network via the ISDN connection.
The ISDN router would take over as active at the remote site since the tunnel interface would have gone down, forcing the HSRP to failover.
Does that all sound about right? Is there anything I've missed?
I'll start trying to put some configurations together when I get the chance - but, if it's OK, I'll probably run these past you too, just to make sure they seem correct!
Thanks,
Neil -
I have a situation where half of my network is connected with one central location and the other half with a second central location. Every router is connected with a primary frame-relay link and ISDN as a backup link (floating static route conf).
I need to configure it so that, in case the backup link can't manage to connect with one central location, it starts a connection with the second central location. Failover ISDN backup link. Any suggestions? Thanks
Configure the two numbers under dialer interface. These will be tried in sequence, and in fact if things are configured properly it will be no problem if some branches are connected to primary hub and some to secondary.
Hope this helps, please rate post if it does! -
Hello,
we have an ISDN backup line between a client (having, unfortunately, a Motorola router) and our main site. This ISDN backs up a leased line of 128 Kbps and the encapsulation used is x25. In fact the whole network is x25 (it is used to carry SNA data).
The main site has a PRI controller that backs up about 9 clients, so we have defined about 9 dialer profiles.
On one of them we want to have bandwidth of 128 Kbps (so, not only one "serial" to be bound to the dialer profile but two).
Is there a way to accomplish this having in mind we only use x25 encap between the sites?
The connection works fine, this is not a problem of non connectivity. It is a matter of upgrading the isdn to 128 Kbps on a PRI controller when x25 encap is used.
Just a tip. Instead of using X25 encap on the link, you might consider using a GRE tunnel. You could then switch the X25 traffic over the GRE tunnel?
http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html
This is one of the issues that GRE was originally developed for.
Regards,
Leo -
Hello,
I have a remote site that has two WAN lines, one primary and the other a backup ISDN (PPP). My point is about the ISDN line; I have made a configuration as follows:
interface BRI0/0/0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap
interface Serial0/1/0
bandwidth 256
ip address 10.1.2.2 255.255.255.252
ip route-cache flow
service-policy output QoS-Policy
ip rtp header-compression
ip rtp priority 32000 1000 80
interface Virtual-Template1
no ip address
ppp multilink
ppp multilink interleave
ppp multilink fragment delay 20
ip rtp reserve 32000 1000 64
interface Vlan1
no ip address
no snmp trap link-status
interface Dialer1
ip address 192.168.99.14 255.255.255.252
encapsulation ppp
dialer pool 1
dialer remote-name cr-02
dialer idle-timeout 500
dialer string XXXX400
dialer load-threshold 128 either
dialer-group 1
no snmp trap link-status
no cdp enable
ppp authentication chap
router eigrp 1
network 10.0.0.0
network 192.168.99.0
no auto-summary
eigrp stub connected
ip route 0.0.0.0 0.0.0.0 10.100.1.1
ip route 0.0.0.0 0.0.0.0 192.168.99.13 20
But when the primary link is down the ISDN link doesn't come up. I tried debugging and it gives me the following message:
*Aug 4 06:42:27.275: ISDN BR0/0/0 **ERROR**: handle_l2d_srq_mail: Layer 1 inactive.
*Aug 4 06:42:29.507: ISDN BR0/0/0 Q921: L2_EstablishDataLink: sending SABME
*Aug 4 06:42:29.527: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0/0, TEI 95 changed to up
*Aug 4 06:42:29.639: ISDN BR0/0/0 **ERROR**: host_disconnect_ack: Call rejected cause No circuit/channel available(0x22) call id 0x818D.
*Aug 4 06:42:31.271: ISDN BR0/0/0 Q931: Applying typeplan for sw-type 0x1 is 0x0 0x0, Called num XXXX400
*Aug 4 06:42:31.375: ISDN BR0/0/0 **ERROR**: host_disconnect_ack: Call rejected cause No circuit/channel available(0x22) call id 0x818E.
*Aug 4 06:42:33.271: ISDN BR0/0/0 Q931: Applying typeplan for sw-type 0x1 is 0x0 0x0, Called num XXXX400
*Aug 4 06:42:33.375: ISDN BR0/0/0 **ERROR**: host_disconnect_ack: Call rejected cause No circuit/channel available(0x22) call id 0x818F.
*Aug 4 06:42:35.271: ISDN BR0/0/0 Q931: Applying typeplan for sw-type 0x1 is 0x0 0x0, Called num XXXX400
*Aug 4 06:42:35.375: ISDN BR0/0/0 **ERROR**: host_disconnect_ack: Call rejected cause No circuit/channel available(0x22) call id 0x8190.
Success rate is 0 percent (0/5)
ar-BRH#
*Aug 4 06:42:50.375: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0/0, TEI 95 changed to down
*Aug 4 06:42:50.383: ISDN BR0/0/0 Q931: Ux_DLRelInd: DL_REL_IND received from L2
ar-BRH#
*Aug 4 06:43:00.967: ISDN BR0/0/0 Q931: L3_ShutDown: Shutting down ISDN Layer 3
*Aug 4 06:43:00.971: ISDN BR0/0/0 Q931: Ux_DLRelInd: DL_REL_IND received from L2
Kindly help
Thanks
Dharmesh
I do not believe that the original poster intended to use backup interface, and I do not believe that backup interface is necessarily needed here. The floating static default route points to the dialer interface:
ip route 0.0.0.0 0.0.0.0 10.100.1.1
ip route 0.0.0.0 0.0.0.0 192.168.99.13 20
and if the primary static default route is withdrawn the router will begin sending traffic to the dialer.
I do note that in the amount of configuration shown I do not see a way to get to 10.100.1.1 and so there may be a problem with the primary static default route. Or it may be that the address is reachable through some interface not shown in the posted config.
I believe that there is a more fundamental problem shown in the original post. One of the lines indicates that layer 1 is not active. If layer 1 is not active then nothing can be sent over this interface. Perhaps we could have posted the output of show isdn status. This would clarify the status of layer 1 and layer 2 for the ISDN.
HTH
Rick -
Hello People,
I am facing an issue with my ISDN connection. When I check the ISDN status, below is the output:
Global ISDN Switchtype = basic-net3
ISDN BRI1/0 interface
dsl 16, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 16 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI1/1 interface
dsl 17, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 17 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI1/2 interface
dsl 18, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 18 CCBs = 0
The Free Channel Mask: 0x80000003
ISDN BRI1/3 interface
dsl 19, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 19 CCBs = 0
The Free Channel Mask: 0x80000003
Total Allocated ISDN CCBs = 0
Then once I clear the interfaces, 2 of the 4 BRIs become active with frame establishment, but that is also temporary; they become deactivated after some time. What is the cause of this problem, and is there any way to overcome it? Thanks in advance
Regards
Krishna
Do you have the correct ISDN switch type configured?
Basic-Net3 covers only a couple of countries in Europe and also New Zealand. I don't know where you are, but have you verified which type you need configured?
See the following URL for information on switch types.
http://www.cisco.com/en/US/docs/ios/11_3/feature/guide/natisdn.html#wp4291
Cheers. -
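The `show isdn status` output that Rick asks for, and that the posts above quote, can be checked mechanically. The Python parser below is an added example, not code from any poster; the sample text is constructed in the format shown on this page, and the function names `parse_isdn_status` and `diagnose` and the verdict labels are assumptions of this example.

```python
import re

# Constructed sample in the format of the `show isdn status` output quoted in
# the threads on this page (one healthy BRI, one with Layer 1 deactivated).
SAMPLE = """\
Global ISDN Switchtype = basic-net3
ISDN BRI0 interface
    dsl 0, interface ISDN Switchtype = basic-net3
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 67, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 0 CCBs = 0
    The Free Channel Mask: 0x80000003
ISDN BRI1/0 interface
    dsl 16, interface ISDN Switchtype = basic-net3
    Layer 1 Status:
        DEACTIVATED
    Layer 2 Status:
        Layer 2 NOT Activated
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Active dsl 16 CCBs = 0
    The Free Channel Mask: 0x80000003
Total Allocated ISDN CCBs = 0
"""

IFACE_RE = re.compile(r"^ISDN (\S+) interface$")
L2_STATE_RE = re.compile(r"State\s*=\s*(\w+)")
CALLS_RE = re.compile(r"^(\d+) Active Layer 3 Call\(s\)$")
SECTIONS = {
    "Layer 1 Status:": "l1",
    "Layer 2 Status:": "l2",
    "Layer 3 Status:": "l3",
}


def parse_isdn_status(text):
    """Parse `show isdn status` text into {interface: state dict}.

    Each state dict holds the per-interface switch type, the Layer 1 status
    word, the list of Layer 2 states (one per TEI line) and the number of
    active Layer 3 calls.
    """
    result = {}
    current = None   # state dict of the interface being parsed
    section = None   # which "Layer N Status:" block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            current = {"switchtype": None, "layer1": None,
                       "layer2": [], "calls": 0}
            result[m.group(1)] = current
            section = None
            continue
        if current is None:
            continue  # global header lines before the first interface
        if line in SECTIONS:
            section = SECTIONS[line]
        elif line.startswith("dsl ") and "Switchtype" in line:
            current["switchtype"] = line.split("=", 1)[1].strip()
        elif section == "l1":
            current["layer1"] = line      # e.g. ACTIVE or DEACTIVATED
            section = None
        elif section == "l2":
            m = L2_STATE_RE.search(line)  # absent on "Layer 2 NOT Activated"
            if m:
                current["layer2"].append(m.group(1))
        elif section == "l3":
            m = CALLS_RE.match(line)
            if m:
                current["calls"] = int(m.group(1))
    return result


def diagnose(status):
    """Label each interface by the lowest layer that is not up."""
    verdicts = {}
    for name, info in status.items():
        if info["layer1"] != "ACTIVE":
            # As noted in the thread: with Layer 1 inactive nothing can be sent.
            verdicts[name] = "layer1-down"
        elif "MULTIPLE_FRAME_ESTABLISHED" not in info["layer2"]:
            verdicts[name] = "layer2-down"
        else:
            verdicts[name] = "ready"
    return verdicts


if __name__ == "__main__":
    for iface, verdict in diagnose(parse_isdn_status(SAMPLE)).items():
        print(f"{iface}: {verdict}")
```
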
Monitoring IP ISDN status on main routers
Dear all
I would need to test the ISDN (backup) connection of peripheral routers (Cisco) to their respective main routers on a regular basis. At present this is done manually. That is the operator gets on the peripheral router through its loopback IP and then pings the ISDN IP of the main router. Here are data of a real company as an example:
Society: Zurigo
Location: Foggia
Router name: AITFG00EZA
IP loopback: 172.23.239.164
IP bri: 172.23.247.100
IP ISDN of main router: 172.23.247.65
So once the operator gets on the router AITFG00EZA, he pings 172.23.247.65 thereby verifying the good functioning of the whole backup connection.
I heard there's a UNIX script that could deal with that. But I also heard of network capacities of JAVA. I would imagine a java program that goes like this:
1. Telnet peripheral router with user/pwd strings
2. Ping main router specifying packet size and Time To Live
3. Print results indicating connection as OK or NOT OK
20 Duke Dollars for the solution. I would be grateful for any help/suggestions/comments.
Take care.
Do it with the Unix script. I'd imagine that some Perl programmer could probably do this with a single source code line (but you'd never be able to change or debug it! :^) ).
You could do this with Java, but you'd have to implement the telnet (trivial, but still some coding) and the ping (relatively trivial, but still some coding).
Unless you are just dying to figure out Java networking, go the easy route and use a scripted language that is designed for this type of thing.
- K -
ISDN dial-in with Cisco 1721 and WIC-1B-S/T
Hi there,
we use a Cisco 1721 with a WIC-1B-S/T interface for ISDN backup purposes. I configured the Cisco 1721 and connected the BRI-WIC to an ISDN channel. When I try to test the ISDN connection, I always get the error that the line protocol is down. The WIC is connected to the ISDN correctly. I do not understand why the line protocol is always down. Could anybody help? The chosen encapsulation is PPP, the ISDN Switch Type is basic-1tr6 (I think that's the right one for Germany). The IOS version is 12.4 (1c).
Regards, J. Schroeder
Hi there,
the BRI interface is connected to a telephone system and not directly to a NTBA. The hostname matches the username, is this right? When I try to dial out, I get these messages:
*Mar 9 16:28:11.804: ISDN BR0 **ERROR**: host_disconnect_ack: Unfound B-channel on Disconnect_Ack call id 0x8003
*Mar 9 16:28:33.792: ISDN BR0 **ERROR**: CCBRI_Go: NO CCB Src->HOST call id 0x8003, event 0x5 ces 1
*Mar 9 16:29:47.324: ISDN BR0 **ERROR**: host_disconnect_ack: Unfound B-channel on Disconnect_Ack call id 0x8004
*Mar 9 16:30:09.312: ISDN BR0 **ERROR**: CCBRI_Go: NO CCB Src->HOST call id 0x8004, event 0x5 ces 1
*Mar 9 16:30:12.952: ISDN BR0 **ERROR**: host_disconnect_ack: Unfound B-channel on Disconnect_Ack call id 0x8005
*Mar 9 16:30:34.940: ISDN BR0 **ERROR**: CCBRI_Go: NO CCB Src->HOST call id 0x8005, event 0x5 ces 1 -
Good Day
We have an ISDN BRI connection to the ISP.
We are seeing this error log in the router. Has anybody seen this error log before?
000759: *Nov 18 13:01:04.652 : ISDN BR0 **ERROR**: process_bri_call: Outgoing call id 0x809B blocked
000760: *Nov 18 13:01:04.652 : ISDN BR0 **ERROR**: UserIdle: process_bri_call failed on call to 0321632168
000761: *Nov 18 13:01:22.547 : BRI0: wait for isdn carrier timeout, call id=0x809A
000762: *Nov 18 13:01:22.547 : ISDN BR0 EVENT: UserIdle: callid 0x809A received ISDN_HANGUP (0x1)
000763: *Nov 18 13:01:22.547 : ISDN BR0 EVENT: isdn_hangup: Hangup call to call id 0x809A ces = 1
000764: *Nov 18 13:01:22.547 : ISDN BR0 **ERROR**: CCBRI_Go: NO CCB Src->HOST call id 0x809A, event 0x5 ces 1
000765: *Nov 18 13:01:22.547 : ISDN BR0 EVENT: process_rxstate: ces/callid 1/0x809A calltype 1 HOST_QUERY_RESPONSE
000766: *Nov 18 13:01:34.644 : BRI0: wait for isdn carrier timeout, call id=0x809B
000767: *Nov 18 13:01:34.644 : ISDN BR0 EVENT: UserIdle: callid 0x809B received ISDN_HANGUP (0x1)
000768: *Nov 18 13:01:34.644 : ISDN BR0 EVENT: isdn_hangup: Hangup call to call id 0x809B ces = 1
configuration of the router.
ROUTER#sh run int BRI0
Building configuration...
Current configuration : 523 bytes
interface BRI0
description ***** ISDN Backup for ADSL *****
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
dialer idle-timeout 60
dialer string 0320544000
dialer string 2856000
dialer watch-group 1
dialer-group 2
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 XXXXX
end
ROUTER#sh isdn sta
Global ISDN Switchtype = basic-net3
ISDN BRI0 interface
dsl 0, interface ISDN Switchtype = basic-net3
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 67, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x80000003
Total Allocated ISDN CCBs = 0
Actually I did.
When I upgraded the IOS on the router I mistakenly used the AdvanceIP services as we used that on all 871 routers. The 876 should, however have been upgraded with the Enterprise version.
The fault message was due to a license issue.
Took a long time to figure this out and find something about it. -
Static routes, ISDN & different remote IP addresses
Scenario:
My client has 4 sites situated around an ISP MPLS cloud. All 4 CE routers connect to ISP PE equipment via different access circuits (See attached diagram).
The central site has Cisco 2800 router with 10M LES circuit into MPLS cloud (FastEthernet i/f) and ISDN BRI i/f for incoming calls from 3 remote sites.
The 3 remote sites are Cisco 1800 routers all with ISDN dial-out i/fs and 1 site has numbered X21 serial link into MPLS cloud, whilst other 2 sites have IP unnumbered DSL circuits.
Problem:
1. Routing on the 4 routers is by static routes only, as ISP does not permit routing protocol.
2. Central router does not know if the remote DSL & X21 circuits have gone down, as they are all access circuits into MPLS cloud.
3. Central router (2800) needs floating static routes to change so that packets route via ISDN when remote sites dial in, but these are proving problematic to configure, as both the ISDN and FastEther i/fs show as up on the 2800 under normal operation. So the routes stay as the higher weighted route all the time, regardless of whether the remote has dialled in or not.
The remote routers (3) can dial in fine when their Serial or ATM interfaces go down (using backup command on i/fs). I have tried using floating static routes on the central router using 10.1.0.0/29 addresses assigned to the 4 ISDN interfaces, but the floating static remains up all the time, as the interface on the central router stays up all the time (as expected). The ISDN static route therefore stays in the routing table all the time, even when there is no ISDN call into the central site. The config on the central router is as follows:
interface BRI0/1/0
ip address 10.1.0.1 255.255.255.248
encapsulation ppp
isdn switch-type basic-net3
ppp authentication chap
ip route 172.16.2.0 255.255.255.0 10.1.0.2
ip route 172.16.2.0 255.255.255.0 10.0.0.1 200
ip route 172.16.3.0 255.255.255.0 10.1.0.3
ip route 172.16.3.0 255.255.255.0 10.0.0.1 200
ip route 172.16.4.0 255.255.255.0 10.1.0.4
ip route 172.16.4.0 255.255.255.0 10.0.0.1 200
The only way I think I can get around this problem in a simple manner is to have floating static routes with higher weights assigned to completely different IP addresses than the local ISDN interface. In the past I have seen that async modems dialing into a PRI circuit appear as directly connected in the routing table of an AS5300 (and work), even though they may be different network addresses than the PRI Dialer i/f address. An example of the static routes on the central router would be as follows:
ip route 172.16.2.0 255.255.255.0 2.2.2.2 (Route to site 1 only when ISDN backup is invoked)
ip route 172.16.2.0 255.255.255.0 10.0.0.1 200 (Route to site 1 under normal conditions, i.e when remote has NOT dialled central via ISDN)
ip route 172.16.3.0 255.255.255.0 3.3.3.3 (Route to site 2 only when ISDN backup is invoked)
ip route 172.16.3.0 255.255.255.0 10.0.0.1 200 (Route to site 2 under normal conditions, i.e when remote has NOT dialled central via ISDN)
ip route 172.16.4.0 255.255.255.0 4.4.4.4 (Route to site 3 only when ISDN backup is invoked)
ip route 172.16.4.0 255.255.255.0 10.0.0.1 200 (Route to site 3 under normal conditions, i.e when remote has NOT dialled central via ISDN)
Questions:
1. Has anyone experienced this type of problem across multiple access circuits?
2. Has anyone tried to implement different IP addresses at the remote ends of an ISDN network? (See diagram below) I want to try /32 addresses on the 4 routers, e.g. 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4. (Don't have time to lab test this solution)
3. Can anyone suggest a simple solution?
What you want is object tracking, which will resolve this problem.
This technology sets up an object that pings a remote address. You use a route map to force the ping out of the interface that appears to remain up, in this case the MPLS main interface.
When a link fails somewhere, the object no longer gets a response and transitions to the down state.
You can use a static route that tracks the object to become active, this will be used to activate your local ISDN.
This was described in Packet Magazine 2ndQ 2004, here:
http://www.cisco.com/web/about/ac123/ac114/downloads/packet/packet/apr04/pdfs/apr04.pdf
Read the article about Static and Policy Routing Enhancements, it's excellent and should help you out.
Another way would be to build a GRE based VPN over the existing MPLS network, have you considered that?
Andy -
Dear all
I am facing a problem in my network. I am using RIP V1 as a routing protocol, and I also have ISDN backup. When the main link is down and the ISDN is up, there are no dynamic routes in the remote site, so I have to configure them statically. Can you please help me?
Note: I am using a floating route for the backup route, but do not get other dynamic routes
sadam
Without details from your config it is difficult for us to know for sure what the problem is. Probably the most common cause of the symptoms that you describe is that the dialer map used for ISDN does not contain the broadcast keyword. Without the broadcast keyword the RIP updates can not be transmitted over the ISDN.
If the dialer map does not contain the broadcast keyword then I suggest that you add it and see if that corrects the problem. If you still have a problem then I suggest that you post the router config.
HTH
Rick -
DDR Backup holddown timers?
We want to backup a serial line, connected to a 7200, which, by itself, is connected to a radius-server. Via Ethernet, we have an as5300 connected to the 7200, where the ISDN backup should terminate. The problem is, that if the 7200 goes down, the effect is that
a) backup ddr is triggered
b) no connectivity to radius is available.
So the CPE dials, and dials, and dials (about 15 times a minute, with no success of course).
Any idea for this scenario? How can I configure a backoff, which dials for example 3 times, waits for 2 minutes, dials 3 times, waits for 4 minutes ... and so on?
I'm assuming you have no control over the CPE device? If so, the only way is to either move the AAA server so that it is more redundant, or add local authentication to the 5300.
If you have control over the CPE dialing, then have a look at dialer redial.
http://www/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt5/dcdspoke.htm#xtocid322623 -
ZBFW Intra zone traffic not working
I am having an issue on one of our 2811 routers where I can't get traffic between interfaces within the same zone to flow. I know this should happen by default and that's why it is so confusing.
One of the interfaces is fastethernet0/0.1 which is internal LAN And the others are tunnel interfaces using IPSEC tunnel protection back to the main datacenter. By design one tunnel is preferred over the other by using OSPF costing. Due to this there doesn't seem to be any asymmetric routing.
I have inter-zone traffic working just fine by defining the policy and zone pair. It is just that when I enable another zone on our internal LAN interfaces it stops passing traffic. Just to note, I do have this working on our LAB 2811 router running the same IOS version.
Any recommendations would be helpful. I have a case open with TAC but they aren't figuring it out. So now I'm calling the experts.
Thanks in advance. Elton
Sent from Cisco Technical Support iPhone App
Here is the sanitized configuration. The zone that I am trying to apply is "LAN".
I would like to apply it to all of the tunnel interfaces along with the fastethernet0/0.1 interface. This is working on another 2811 router.
Thanks again for the assistance.
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname ****************
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 16384 informational
enable secret 5 ******************************
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
clock timezone est -5
clock summer-time SummerTime recurring
dot11 syslog
ip source-route
ip traffic-export profile CAPTURE mode capture
bidirectional
incoming access-list CAPTURE_IN
outgoing access-list CAPTURE_OUT
length 512
ip cef
ip dhcp excluded-address 192.168.43.33 192.168.43.37
ip dhcp pool CREDIT_CARD_SCANNERS
network 192.168.43.32 255.255.255.224
default-router 192.168.43.33
dns-server 4.2.2.2 8.8.4.4
lease 2
no ip domain lookup
ip multicast-routing
ip inspect log drop-pkt
ip inspect name incoming tcp router-traffic
ip inspect name incoming udp router-traffic
login on-failure log every 3
no ipv6 cef
ntp server 10.69.16.1
multilink bundle-name authenticated
isdn switch-type basic-ni
voice-card 0
crypto pki trustpoint TP-self-signed-218647659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-218647659
revocation-check none
rsakeypair TP-self-signed-218647659
crypto pki certificate chain TP-self-signed-218647659
certificate self-signed 03
quit
username ************************** privilege 15 secret 5 ***********************************
archive
log config
hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ***************** address *****************
crypto isakmp key **************** address *********************
crypto isakmp key ************* address **********************
crypto isakmp key ******************* address *********************
crypto isakmp keepalive 120 periodic
crypto ipsec transform-set TRANSFORM-AES esp-aes esp-sha-hmac
crypto ipsec transform-set TRANSFORM-AES-TRAN esp-aes esp-sha-hmac
mode transport require
crypto ipsec profile PROFILE-DMVPN
set transform-set TRANSFORM-AES
crypto ipsec profile PROFILE-DMVPN-TRAN
set transform-set TRANSFORM-AES-TRAN
track 1 ip sla 1 reachability
track 10 interface FastEthernet0/1 line-protocol
class-map type inspect match-any CC_SCAN_TRAFFIC_CLASS
match access-group name CC_SCAN_OUT
class-map type inspect match-all BBDBU-CMAP
match access-group name BBDBU
policy-map type inspect CC_SCAN_TRAFFIC_POLICY
class type inspect CC_SCAN_TRAFFIC_CLASS
inspect
class class-default
drop log
policy-map type inspect BBDBU-PMAP
class type inspect BBDBU-CMAP
pass
class class-default
drop log
zone security internet
zone security CC_SCAN_LAN
zone security LAN
zone-pair security self-to-internet source self destination internet
service-policy type inspect BBDBU-PMAP
zone-pair security internet-to-self source internet destination self
service-policy type inspect BBDBU-PMAP
zone-pair security CC_SCAN-TO-INTERNET source CC_SCAN_LAN destination internet
service-policy type inspect CC_SCAN_TRAFFIC_POLICY
interface Tunnel1
description Broadband backup circuit
bandwidth 256
ip address 10.69.7.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication ****************
ip nhrp map 10.69.7.1 *********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.7.1
ip nhrp server-only
ip ospf authentication-key 7 *******************
ip ospf network broadcast
ip ospf cost 130
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key ********************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel2
description Backup Tunne2
bandwidth 512
ip address 10.69.10.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication **************
ip nhrp map 10.69.10.1 ********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.10.1
ip nhrp server-only
ip ospf authentication-key 7 ********************
ip ospf network broadcast
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key *********************
tunnel path-mtu-discovery
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel16
description mGRE TUNNEL FOR NYe0008981
bandwidth 1500
ip address 10.69.4.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nat outside
ip nhrp authentication ****************
ip nhrp map 10.69.4.1 *********************
ip nhrp network-id ***************
ip nhrp holdtime 300
ip nhrp nhs 10.69.4.1
ip nhrp server-only
ip virtual-reassembly
ip ospf network broadcast
ip ospf cost 120
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination ******************
tunnel key ******************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel17
description mGRE TUNNEL FOR NYe0008981
bandwidth 1450
ip address 10.69.8.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nhrp authentication *******************
ip nhrp map 10.69.8.1 ****************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.8.1
ip nhrp server-only
ip ospf network broadcast
ip ospf cost 125
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination *****************
tunnel key ****************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface FastEthernet0/0
description PARENT INTERFACE
no ip address
ip flow ingress
ip traffic-export apply CAPTURE size 10000000
duplex auto
speed auto
interface FastEthernet0/0.1
description DEFAULT VLAN
encapsulation dot1Q 1 native
ip address 10.27.19.1 255.255.255.0
ip helper-address 10.69.16.7
ip pim sparse-mode
ip tcp adjust-mss 1344
ip traffic-export apply CAPTURE size 10000000
ip policy route-map PBR
ip ospf priority 0
interface FastEthernet0/0.10
description INITIAL VLAN
encapsulation dot1Q 10
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.20
description AUTH-FAIL VLAN
encapsulation dot1Q 20
ip traffic-export apply CAPTURE size 10000000
shutdown
interface FastEthernet0/0.43
description CREDIT_CARD_SCANNERS
encapsulation dot1Q 43
ip address 192.168.43.33 255.255.255.224
ip nat inside
ip virtual-reassembly
zone-member security CC_SCAN_LAN
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.98
description Remediation Vlan
encapsulation dot1Q 98
ip address 10.69.243.1 255.255.255.248
ip access-group Remediation in
ip helper-address 10.69.252.7
ip inspect incoming out
ip traffic-export apply CAPTURE size 10000000
ip ospf priority 0
interface FastEthernet0/0.99
description GUEST VLAN
encapsulation dot1Q 99
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.666
description VENDOR VLAN
encapsulation dot1Q 666
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/1
mtu 1492
ip address 192.168.1.47 255.255.255.0 secondary
ip address **************************
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security internet
duplex auto
speed auto
interface Serial0/0/0
ip address **************************
ip flow ingress
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
service-module t1 fdl both
no cdp enable
interface BRI0/2/0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-ni
isdn point-to-point-setup
isdn spid1 71878317920101 7831792
isdn spid2 71878340300101 7834030
no cdp enable
interface Async0/1/0
no ip address
encapsulation slip
interface Dialer1
description T-1 Site ISDN Backup
ip address 192.168.103.38 255.255.255.0
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer idle-timeout 120 either
dialer load-threshold 32 either
dialer-group 1
no peer default ip address
no cdp enable
ppp multilink
router ospf 1
router-id 10.27.19.1
log-adjacency-changes
area 48 stub
network 10.27.19.0 0.0.0.255 area 48
network 10.69.4.0 0.0.0.255 area 48
network 10.69.7.0 0.0.0.255 area 48
network 10.69.8.0 0.0.0.255 area 48
network 10.69.10.0 0.0.0.255 area 48
network 10.69.243.0 0.0.0.7 area 48
ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
ip route 198.203.191.83 255.255.255.255 ******************** track 1
ip route 198.203.192.245 255.255.255.255 *************** track 1
ip route 198.203.192.20 255.255.255.255 ****************** track 1
ip route 8.8.4.4 255.255.255.255 ***************** track 1
ip route 4.2.2.2 255.255.255.255 ******************* track 1
ip route 8.8.8.8 255.255.255.255 ********************** track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.48.9.254 255.255.255.255 *****************
ip route 10.48.32.101 255.255.255.255 *****************
ip route 10.48.32.102 255.255.255.255 *****************
ip route 161.11.124.78 255.255.255.255 ******************
ip route 173.226.250.130 255.255.255.255 **************
ip route 204.89.170.126 255.255.255.255 ****************
no ip http server
no ip http secure-server
ip pim rp-address 10.69.31.1
ip nat pool CC_DMV_POOL 10.27.19.253 10.27.19.253 prefix-length 24
ip nat inside source route-map CC_BB_NAT interface FastEthernet0/1 overload
ip nat inside source route-map CC_DMV_NAT pool CC_DMV_POOL overload
ip tacacs source-interface FastEthernet0/0.1
ip access-list extended BBDBU
permit esp host *****************************
permit udp host **************************
permit gre host *******************************
permit udp host ****************************
permit gre host **************************
permit esp host ***********************
permit ip host **************************
permit ip host *****************************
permit icmp any host 8.8.8.8 echo
permit icmp host 8.8.8.8 any echo-reply
ip access-list extended BRK
permit ip 10.27.19.0 0.0.0.255 host 10.69.31.128
ip access-list extended CAPTURE_IN
permit ip host 10.27.19.10 host 10.69.66.108
ip access-list extended CAPTURE_OUT
permit ip host 10.69.66.108 host 10.27.19.10
ip access-list extended CC_SCAN_OUT
permit icmp 192.168.43.32 0.0.0.31 host 8.8.8.8
permit udp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host *************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit udp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit udp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
ip access-list extended Remediation
permit ip 10.69.240.0 0.0.15.255 host 10.69.252.7 log
permit icmp 10.69.240.0 0.0.15.255 10.69.66.0 0.0.0.255 log
permit tcp any host 10.69.16.182 eq 443 log
permit tcp any host 10.69.17.38 eq 8444 log
permit udp any any eq bootps
deny ip any any
ip access-list extended VTY
permit tcp 10.69.66.0 0.0.0.255 any eq telnet log
permit tcp 10.69.66.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq 22 log
permit tcp 1.11.1.0 0.0.0.255 any eq telnet log
permit tcp 1.11.1.0 0.0.0.255 any eq 22 log
deny ip any any
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/1
timeout 7000
threshold 7000
frequency 10
ip sla schedule 1 life forever start-time now
logging 10.69.27.129
access-list 1 permit 10.69.66.11
access-list 1 remark SNMP Managers
access-list 1 permit 10.69.31.97
access-list 1 permit 10.69.31.100
access-list 1 permit 10.69.31.101
access-list 1 permit 10.69.66.59
access-list 1 permit 10.69.66.108
access-list 1 permit 10.69.16.223
access-list 1 permit 10.69.30.242
access-list 1 permit 10.69.16.250
access-list 1 permit 10.69.19.229
access-list 1 permit 10.69.16.150
access-list 1 permit 10.69.27.129
access-list 4 permit 10.69.31.148
access-list 4 permit 10.69.31.149
access-list 4 permit 10.69.31.150
access-list 4 permit 10.69.31.151
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
route-map CC_DMV_NAT permit 10
match ip address CC_SCAN_OUT
match interface Tunnel16
route-map PBR permit 10
description BRK
match ip address BRK
set ip next-hop 10.69.7.1
route-map CC_BB_NAT permit 10
match ip address CC_SCAN_OUT
match interface FastEthernet0/1
snmp-server community ******************
snmp-server community *****************
snmp-server community ******************
snmp-server location **********************
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps config
snmp-server enable traps syslog
tacacs-server host 10.69.31.18 timeout 10
tacacs-server host 10.69.31.17
tacacs-server directed-request
tacacs-server key 7 ********************
control-plane
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
banner login ^C************************************
Unauthorized Entry To This Device Is
STRICTLY PROHIBITED
************************************^C
line con 0
exec-timeout 30 0
logging synchronous
line aux 0
line 0/1/0
exec-timeout 60 0
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class VTY in
exec-timeout 30 0
password 7 *********************
logging synchronous
transport input ssh
scheduler allocate 20000 1000
end
-
Perfect router for small office (2-3 people)
Hello,
I'm trying to find the most cost-effective VoIP solution for one of our small branch offices. This office will have no more than 3 people, but each person requires a PC and a Cisco IP phone (voicemail, multiple lines, direct inbound, PSTN dial-out, etc.).
The building will provide an Ethernet hand-off for internet access (part of a T1, I guess), so we are planning to create a VPN connection between our data center and the local gateway.
As for the PSTN connection, 2 POTS lines will be provided by the LEC. The gateway should be able to accommodate a 4-port FXO module.
What would be the smallest but best router that can handle firewall/VPN/IP voice/PSTN for the small office?
Thank you very much for your help in advance.
Hi,
What drives the price up a bit is the FXO requirement. Cisco used to have a router as small as the 1751V, but it is EOL now, so the smallest you can get is a 2801. The price is almost the same, but the earlier model was a bit more office-friendly due to the box shape and size, while the 2801 is a classic 1-unit rack box.
The good thing with the 2801 is that it supports PoE (optionally), so if you put one 4- or 9-port Ethernet switch (HWIC) in the router, your phones can work without the external power supply.
You can configure the voice system to be totally controlled by the router itself with the embedded CCME, or to be part of the company's CallManager (now CommunicationManager).
Can I give you another piece of advice: try to get ISDN BRI in preference to FXO. You will have all the features like DID and caller ID, and much easier setup and diagnostics in the router. Plus, if you add a WIC-1B/ST you can also have ISDN backup using the same data facilities.
Please remember to rate useful posts!