201 W. 103rd Street, Indianapolis, IN 46290 USA
Troubleshooting Remote Access Networks
Plamen Nedeltchev, Ph.D.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing November 2002
Library of Congress Cataloging-in-Publication Number: 2001096586
ISBN: 1-58705-076-5
Warning and Disclaimer
This book is designed to provide information about troubleshooting remote access networks. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Cisco Press Program Manager: Sonia Torres Chavez
Cisco Marketing Communications Manager: Tom Geitner
Cisco Marketing Program Manager: Edie Quiroz
Brian Morgan
William R. Wagner
Jonathan Zung
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux Cedex 9
France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883
Asia Pacific Headquarters
Cisco Systems Australia, Pty., Ltd.
Level 17, 99 Walker Street
North Sydney, NSW 2059 Australia
http://www.cisco.com
Tel: +61 2 8448 7100
Fax: +61 2 9957 4350
Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.
All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership.
Cisco Systems has more than 200 offices in the following countries. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
About the Author
Plamen Nedeltchev was born in February 1954 in Silistra, Bulgaria. He graduated from high school as valedictorian in 1972. In 1980, he received an M.S. (Summa Cum Laude) from Saint Petersburg State Electro-Technical University. In 1989, he received his Ph.D. from the Bulgarian Academy of Science, Sofia, Bulgaria.
Plamen worked as the chief information officer of VMT (a division of the Ministry of Transport of Bulgaria) in his country of origin. He joined Sprint E-Solutions in 1999 as a senior network architect. The same year, he joined Cisco’s Remote Access team as a technical consultant. During his career, he has published more than 40 publications in English, Russian, and Bulgarian, including four recent articles in the Cisco Packet Magazine. He speaks five languages and has one technical patent. The scope of his technical expertise and interests includes bridging, switching, routing, capacity planning, compression, multicast, QoS, content networking, SOHO, ROBO, design/modeling/simulation, ISDN, Frame Relay, VPN, xDSL, cable modem, dial, wireless, and troubleshooting. In his spare time, he enjoys political history, philosophy, literature, sports, and music.
About the Technical Reviewers
Brian Feeny (CCIE No. 8036) is the senior network engineer for ShreveNet Inc., an Internet service provider, where he has been working for the last six years. He is also a partner in Netjam LLC, which specializes in sales and support of Cisco network equipment. Brian has more than ten years’ experience in the networking industry.
Brian Morgan (CCIE No. 4865) is a Cisco Press author (CCNP Remote Access Exam Certification Guide) and a frequent contributor in both editing and content. He has been in the networking industry for over ten years as a consultant in large internetworking environments. He has also spent much of the last five years as an instructor for Cisco Learning Partners teaching ICND, BSCN/I, BCRAN, CATM, CVOICE, CCIE/CCNP bootcamps, and other courses.
William R. Wagner works as a Cisco Certified System Instructor for Skyline Computer Corp. He has 23 years of computer programming and data communication experience. He has worked for corporations and companies such as Independent Computer Consultants, Numerax, McGraw-Hill/Numerax, and Standard and Poors. He has teaching experience with the Chubb Institute, Protocol Interface Inc., Geotrain, and Mentor Technologies, and he is currently teaching at Skyline Computers Corp. William also holds a degree in Computer Science, is a CNE, and currently holds his CCNA and CCNP from Cisco.
Jonathan Zung (CCNP, CCDP, working towards CCIE) has been at Cisco for nearly five years. He started at Cisco as a UNIX systems administrator, but for the last four years at Cisco, he has been working as a network engineer supporting Cisco’s internal remote access environment. He graduated from California Polytechnic State University at San Luis Obispo with a B.S. in MIS and a minor in Computer Science in 1997.
In addition to being one of the book’s technical reviewers who helped me with all phases to improve the content, Jonathan is the principal author of the design and troubleshooting content of Multi-Chassis Multilink Point-to-Point Protocol (MMP) in Chapter 10, “ISDN Design Solutions,” and Chapter 12, “ISDN BRI Troubleshooting,” of this book.
To the Cisco Press team:
Many thanks to Brett Bartow for giving me the chance to write for Cisco Press, and Drew Cupp for his assistance, persistence, and remarkable language skills during the creation of this book.
I would also like to thank Sheri Cain for her excellent work in managing this book through the production process. Finally, I want to thank Jill Batistick, Ginny Bess Munroe, Christopher Cleveland, Cris Mattison, Doug Ingersoll, and Marianne Huff for providing me with assistance, formatting, and editing the content, improving the language, and for technical corrections.
To the technical editors of this book:
My special appreciation goes to Brian Feeny (CCIE No. 8036), Brian Morgan (CCIE No. 4865), Bill Wagner (CCSI), and especially to Jonathan Zung (CCDP, CCNP) for their valuable comments, devotion and time, and helping me to make this book better.
To my colleagues who helped write and edit:
Many thanks to my colleagues from the Remote Access team at Cisco, who are some of the most talented engineers I’ve ever worked with in my career. All of them are at different stages of achieving the highest Cisco certifications, but all together, they make what usually is referred to as “The Team” and as such, everyone has their own technical strengths, preferences, and proven techniques. Some of them have written part of this book, some of them have reviewed the content, and some of them did both. Overall, sharing this collective experience, in my understanding, adds value to this book and serves the readers’ needs best. As a result, this book includes only the proven best practices type of information and proven troubleshooting scenarios from more than tens of thousands of cases in the recent years. I would like to thank the following team members and note their contributions to this book:
Felicia Brych (BComm, MPM) is from Canada and holds degrees from Memorial University of Newfoundland and the University of Quebec. Felicia managed Cisco’s Internal Remote Access Services department from December 1999 to August 2001, with successes that included the global deployment of VPN and significant cost reduction for all remote access solutions. Prior to working for Cisco, she managed Remote Access and Technology Services for Revenue Canada. Felicia currently leads IT initiatives involving collaboration infrastructure and IP telephony for the home. In her spare time, Felicia enjoys gardening and spending time with her husband, three stepchildren, and two Labrador Retrievers.
Felicia is the principal author of the foreword and the “Management Considerations” section for Chapter 1 of this book. Felicia edited the entire content of this book for style and language.
Chuck Cardamon is an IT analyst in Infrastructure, Carrier Services & Provisioning. He has an AOS degree in Culinary Arts and is a veteran, retiring as a U.S. Navy SEAL after 20 years of service. He is a proponent of organ donation and was a live liver donor to save the life of a friend. In his spare time, he rides motorcycles and fly fishes. He has been married for 26 years and has 4 adult children.
Chuck is the principal author of the “Provisioning of Enterprise Remote Access Services” section for Chapter 1.
Jered T. Huegen is a network engineer supporting remote access services for Cisco Systems. He has been working towards his CCIE in Communications and Services and passed the written exam. Jered has helped to facilitate the growth of the remote access infrastructure from a few hundred clients to accommodate 40,000 clients. He has a college background in math and accounting. In his spare time, Jered enjoys being a pit crew member and making split-second setup decisions for a dirt-track race team. He was married in September 2002.
Jered is the principal author of the following chapters:
• Chapter 5, “Dial Technology Background”
• Chapter 6, “Dial Design and Configuration Solutions”
• Chapter 7, “Dial Troubleshooting”
• Chapter 8, “Dial Troubleshooting Scenarios”
Omid Kaabipour (CCNA) has a B.S. in Business Administration (MIS) from San Jose State University. As a lead engineer for Frame Relay with the Remote Access group, he participated in design, support, and troubleshooting of Frame Relay, ISDN, VPN, and Dial. Recently, Omid has been working with the Cisco Northeast Transport Group on transport technologies across a wide range of Cisco platforms, including WAN, LAN, MAN, and Frame Relay troubleshooting, design, and maintenance. In his spare time, he thrives on listening to classical music and enjoys going to movies.
Omid is the principal author of the Frame Relay host migration scenario in Chapter 18 of this book and helped with the technical review of this book at its final phase.
David Iacobacci is a network engineer in the Cisco IT Remote Access Services group and has been the technical lead of the team for about two years. He has been working toward his CCIE in Security. A native New Yorker, he lived in Japan for over nine years, working for Nihon Cisco Systems and Procter & Gamble Far East, Inc., after obtaining an MBA from the International University of Japan. He also holds a BS in Mechanical Engineering from Rutgers University and has worked for Citigroup, FMC Corporation, and the U.S. Navy. When not working, David enjoys his free time with his wife and daughter.
David is the principal author of the following chapters:
• Chapter 20, “Remote Access VPN Design and Configuration Solutions”
• Chapter 21, “Remote Access VPN Troubleshooting”
Zack Schaefer (CCNP, CCDP) is currently working on his CCIE. He has spent a majority of his post-college career working for Cisco in its Remote Access department. Throughout his entire career at Cisco, he has helped support Cisco’s entire VPN infrastructure, solving thousands of VPN problems yearly. He is currently a network engineer supporting WAN, LAN, MAN, and remote access for Latin America and the Central and Southeast United States. Additionally, he routinely performs VPN troubleshooting training for fellow Cisco employees.
Zack is the principal author of Chapter 22, “Remote Access VPN Troubleshooting Scenarios.”
James Michael Thompson (CCNP, CCDA) made a move from the music industry to the networking industry in the late 1980s. Before working with the Cisco Remote Access team, Jim worked as a WAN engineer and as a CNE at a network integration company. Jim passed the CCIE qualifying exam and is scheduled to take the lab exam in the near future. He lives in Sonora, California, with hobbies such as photography, hiking, mountain biking, and kayaking, and still enjoys making music.
Jim helped with the technical review of this book at its final phase.
Lainie van Doornewaard has been with Cisco Systems, Inc. for approximately five and a half years after leaving a career in law enforcement. She worked as the team lead for support for the engineering community, then joined the Network Operations Team, which is responsible for Cisco’s corporate LAN, WAN, and MAN infrastructure. She transferred to the Remote Access team in July of 2000 and has been the backup engineer for VPN and lead engineer for xDSL for almost two years. She is currently a team lead for the Remote Access Engineering team in San Jose.
Lainie helped with the technical review of this book at its final phase.
I’d like to acknowledge the contributions of some of the founders of the Remote Access environment at Cisco: Yinpo Wong, BS, BA, MBA, currently Engineering Manager at Cisco Systems, Inc.; John B. Cornell III, currently Member of Technical Staff (IT) at Cisco Systems, Inc.; and Craig Huegen, CCIE #2100, who is currently Chief Network Architect for Cisco Systems.
Finally, this book enjoyed the encouragement of many people, and I’d like to thank Dave Holloway, Kristine Smith, Lanny Ripple, Julie Martinez, Jeff Galisky, Terrance Blackman, Lilyan Gonzalez, Albert Soeherman, Diana Perez, Sidney Thompson, Damian Morris, Al Roethlisberger, Jawahar Sivasankaran (CCIE 8870), Doug Gober, Kathleen O’Looney, and many others.
Contents at a Glance
Foreword xxiii
Introduction xxv
Chapter 1 Remote Access Overview 5
Chapter 2 Telecommunication Basics 37
Chapter 3 The Cloud 69
Chapter 4 Troubleshooting Approaches, Models, and Tools 95
Chapter 5 Dial Technology Background 125
Chapter 6 Dial Design and Configuration Solutions 141
Chapter 7 Dial Troubleshooting 181
Chapter 8 Dial Troubleshooting Scenarios 219
Chapter 9 ISDN Technology Background 233
Chapter 10 ISDN Design Solutions 257
Chapter 11 Cisco ISDN Configuration Solutions 289
Chapter 12 ISDN BRI Troubleshooting 313
Chapter 13 Troubleshooting Scenarios for ISDN BRI 359
Chapter 14 Frame Relay Technology Background 413
Chapter 15 Frame Relay Design Solutions 433
Chapter 16 Basic and Advanced Frame Relay Configurations 457
Chapter 17 Frame Relay Troubleshooting 491
Chapter 18 Frame Relay Troubleshooting Scenarios 547
Chapter 19 VPN Technology Background 591
Chapter 20 Remote Access VPN Design and Configuration Solutions 633
Chapter 21 Remote Access VPN Troubleshooting 675
Chapter 22 Remote Access VPN Troubleshooting Scenarios 765
Appendix A Answers to Review Questions 807
Index 835
Contents
Foreword xxiii
Introduction xxv
Chapter 1 Remote Access Overview 5
    Management Considerations 6
    Cost 6
    Availability 7
    Support 7
    In-Sourcing Versus Outsourcing 7
    Billing and Charge Backs 7
    User-Managed Versus Corporate-Managed 8
    Security 8
    Applications 8
    Home Access Versus Mobility 8
    Defining the Remote Access User Population 9
    Remote Access Service Options 9
    Analog Dialup Services 12
    ISDN Services 14
    Frame Relay Services 17
    VPN Services 18
    VPN Service Vehicles 20
    Cable Modem Services 20
    xDSL Services 22
    Wireless Broadband Services 25
    Satellite Services 28
    Provisioning of Enterprise Remote Access Services 30
    Summary 35
    Review Questions 35
Chapter 2 Telecommunication Basics 37
    Shannon’s Capacity Theorem 38
    Modulation and Line-Coding Techniques in Wired Networks 39
    Amplitude, Frequency, and Phase Modulations 40
    Quadrature Amplitude Modulation 41
    xDSL Coding Techniques 42
    Pseudo-Ternary and Two Binary One Quaternary Signaling 55
    T1 Digital Coding and Framing 59
    T1 and T3 Framing 62
    PRI—1.544-Mbps Interface 64
    PRI—2.048-Mbps Interface 65
    End Notes 66
    Summary 66
    Review Questions 66
Chapter 3 The Cloud 69
    Carriers, Service Providers, and How Traffic Is Carried 69
    FDM 71
    Digitalization of the Signal and Pulse Code Modulation 72
    TDM 73
    T-Carriers 75
    T1/E1 and Primary Rate Interfaces, T1s, and DS 75
    T1s and DS and TDM Hierarchy 77
    E1 77
    Network Signaling Systems and SS7 78
    SONET, Synchronous Transport Signal, and Synchronous Digital Hierarchy 79
    The Optical Fiber Hierarchy of Circuits 80
    Carrier’s Facilities and Switching Systems 80
    First-Tier Exchange Carriers 80
    Inside the CO 81
    Second Layer Exchange Carriers—IXC 81
    Switches and Tandems 82
    LEC/IXC Operations 82
    Tandem Office and Toll Office 83
    ISPs and ASPs 85
    Data Centers and Internet Hosting Services 87
    The Future of Service Providers 89
    Service Offering 90
    The Last-Mile Problem 90
    The 3G Wireless Alternative 91
    End Note 92
    Summary 92
    Review Questions 92
Chapter 4 Troubleshooting Approaches, Models, and Tools 95
    Interconnection Models 96
    Department of Defense Model 97
    Seven-Layer OSI Model 98
    Troubleshooting Models and the Baseline 101
    Troubleshooting Models 101
    The Baseline 103
    Common and Cisco-Specific Tools 109
    Ping and Privileged (Extended) Ping Commands 110
    The Traceroute and Privileged (Extended) Traceroute Commands 114
    The Netcat Utility 115
    Service Assurance Agent 117
    The IOS Commands show and debug 118
    End Notes 119
    Summary 119
    Review Questions 119
Chapter 5 Dial Technology Background 125
    Overview of Modems 125
    Telco Issues 128
    Digital Pad 129
    Line Code Errors 130
    Authentication Options 132
    PPP 134
    Link Dead (Physical Layer Not Ready) 135
    Link Establishment Phase 135
    Authentication Phase 136
    Network Layer Protocol Phase 136
    Link Termination Phase 137
    PPP Troubleshooting Considerations 137
    End Notes 138
    Summary 138
    Review Questions 138
Chapter 6 Dial Design and Configuration Solutions 141
    Dial Design Solutions 142
    Text Dial-In Network 143
    PPP Dial-In Network 143
    Text Dial-Out Network 144
    PPP Dial-Out Network 145
    Large-Scale Dial-Out Network 146
    Dial-On-Demand Backup Network 147
    Dial Configuration Solutions 149
    Text Dial-In Configuration 150
    PPP Dial-In Configuration 151
    Large-Scale Dial-In Configuration 159
    Text Dial-Out Configuration 164
    PPP Dial-Out Configuration 168
    Large-Scale Dial-Out Configuration 171
    Dial-On-Demand Backup Configuration 173
    Summary 177
    Review Questions 177
Chapter 7 Dial Troubleshooting 181
    Troubleshooting NAS WAN Links 181
    Troubleshooting T1 Circuits 181
    Troubleshooting PRI Circuits 188
    Troubleshooting Dial-In Service 190
    Step One: Verify that the Modem Is Ready to Accept Calls 191
    Step Two: Verify Type of Incoming Connection 192
    Step Three: Verify PPP Negotiation 194
    Troubleshooting Dial-Out Service 200
    AS5x00 Specific Commands and Debugs 205
    AS5200 Specific Commands and Debugs 207
    AS5300 Specific Commands and Debugs 209
    AS5400 Specific Commands and Debugs 214
    Summary 215
    Review Questions 215
Chapter 8 Dial Troubleshooting Scenarios 219
    Scenario 1: Authentication Time Outs—Part I 219
    Scenario 2: Authentication Time Outs—Part II 221
    Scenario 3: Frequent Retrains and Disconnects 221
    Scenario 4: Dirty Phone Line 223
    Scenario 5: Bad Modem 225
    Frequently Asked Questions and Answers 226
    Summary 228
Chapter 9 ISDN Technology Background 233
    ISDN Standards 233
    E-Series 233
    I-Series 234
    Q-Series 234
    ISDN Channels 234
    ISDN Planes: ISDN Layer Architecture 236
    Layer 1: BRI 237
    The Layer 2 D Channel: LAPD 242
    Layer 3 in the D Channel: Q.931 and Message Format 248
    ISDN Switch Types 252
    Summary 253
    Review Questions 253
Chapter 10 ISDN Design Solutions 257
    Enterprise and ISP Designs 258
    Setting the ISDN Switch Type 259
    Setting SPIDs and LDNs 260
    IP Pool Design 262
    NAT and PAT 265
    PAT 266
    NAT 267
    Per-User (Per Function) Configuration 272
    Virtual Interface Templates 272
    Virtual Profiles 273
    MLP 273
    MMP Configuration 281
    MMP Sample Implementation 282
    Verifying MMP 284
    Summary 285
    Review Questions 286
Chapter 11 Cisco ISDN Configuration Solutions 289
    Cisco ISDN Cost-Effective Solutions 289
    Spoofing 290
    Snapshot Routing and OSPF Demand Circuits 290
    DDR 293
    PPP Callback for ISDN 303
    ISDN Security 305
    Configuring the POTS (Telephone) Interfaces 306
    Creating Dial Peers 307
    Advanced Telephone Features 308
    Summary 310
    Review Questions 310
Chapter 12 ISDN BRI Troubleshooting 313
    Troubleshooting the Physical Layer 314
    Troubleshooting the Data Link Layer 319
    Troubleshooting the Network Layer 324
    Troubleshooting PPP 335
    Troubleshooting PPP LCP 335
    Troubleshooting PPP Authentication 340
    Troubleshooting PPP Network Control Protocols 341
    PPP: Termination of the Connection 352
    Troubleshooting Telephone Interfaces 353
    End Notes 356
    Summary 356
    Review Questions 356
Chapter 13 Troubleshooting Scenarios for ISDN BRI 359
    Recommendations for Practical Troubleshooting of ISDN Remote Services 359
    Using #show isdn status to View Service Layers 360
    Preconfiguring the Routers on Both Ends 364
    Accessing the Remote User’s Router 365
    Scenario 1: New Install Problems 369
    Scenario 2: Dial-Out Problems 372
    Scenario 3: ISDN Performance Problems 376
    Short-Term Routing Issues 377
    Line Problems 377
    Configuration Setting Problems 382
    LEC Switch Problems 382
    Scenario 4: End-to-End Communication Problems 386
    The LEC’s ISDN Switch Settings 387
    LCP Problems and the Magic 22 Seconds 387
    Authentication Problems 396
    End-to-End Routing Problems 399
    Scenario 5: Windows 2000 DDR Issue 399
    Step 1: Implement the Manufacturer’s Recommendations and Determine if They Are Effective 400
    Step 2: Monitor and Sniff All Traffic and Try to Find Patterns and Characteristics of the Traffic 402
    Step 3: Use a Cisco Knowledge Base to Remedy any Identified Problems 406
    Step 4: Select a Solution and Test It 407
    Summary 408
Part IV Frame Relay 411
Chapter 14 Frame Relay Technology Background 413
    Frame Relay Standards 415
    Frame Relay Service Architecture 417
    Frame Relay Protocols 419
    LAPF 419
    End Notes 429
    Summary 429
    Review Questions 429
Chapter 15 Frame Relay Design Solutions 433
    Design Parameters 434
    CIR Options 435
    UNI 438
    NNI 438
    Voice over Frame Relay 440
    Frame Relay Multicast 440
    Frame Relay Topologies and Congestion Control 441
    Partial-Mesh and Full-Mesh Frame Relay Designs 441
    User and Frame Relay Switch Operations Under Congestion 441
    Congestion and Windowing 443
    Frame Relay Performance Criteria 444
    Frame Relay and Upper-Layer Protocols 445
    Encapsulating IP, Q.933, and SNAP 447
    Encapsulating Other Protocols over Frame Relay 448
    Frame Relay Fragmentation 448
    LMI 449
    Consortium (Cisco) LMI Type 451
    Annex D (ANSI) LMI Type 451
    ITU-T Q.933 Annex A LMI Type 453
    Address Resolution: ARP, Reverse ARP, and Inverse ARP 453
    ARP 453
    Reverse ARP 454
    Inverse ARP 454
    End Notes 454
    Summary 455
    Review Questions 455
Chapter 16 Basic and Advanced Frame Relay Configurations 457
    Basic Frame Relay Configurations 458
    Point-to-Multipoint Configurations 458
    Point-to-Point Configurations 461
    Maximum Number of DLCIs Per Interface 466
    Routing Protocols and Frame Relay Configurations 467
    Frame Relay Broadcast Queue 468
    Advanced Frame Relay Configurations 469
    Configuring IP Unnumbered Frame Relay 469
    Frame Switching 469
    Frame Relay and ISDN Backup Configuration 471
    Frame Relay and Bridging 474
    Frame Relay Compression 476
    Frame Relay and IP Multicast Configuration 482
    Frame Relay and Traffic Shaping 483
    Summary 488
    Review Questions 489
Chapter 17 Frame Relay Troubleshooting 491
    Beginning the Frame Relay Troubleshooting Process 492
    Physical Layer Troubleshooting 493
    Line and Clocking Problems 493
    Serial Interface 0 and Line Protocol Is Down 498
    Performance Issues Related to the Physical Layer 501
    Data Link Layer Troubleshooting 506
    PVC Configuration Issues 507
    LMI Issues 513
    Performance Problems 526
    Flapping Links 526
    End-to-End Problems 528
    Frame Relay Shaping Problems 534
    Troubleshooting Compression Over Frame Relay 537
    End Notes 544
    Summary 544
    Review Questions 544
Chapter 18 Frame Relay Troubleshooting Scenarios 547
    Scenario 1: New Install Issues 548
    Scenario 2: Mismatched DLCI Settings 556
    Scenario 3: Performance Issues from Flapping Lines and Traffic Shaping Issues 562
    Flapping Lines 563
    Traffic Shaping Issues 566
    Scenario 4: IP Multicast Issues in Frame Relay 573
    Scenario 5: Frame Relay Host Migration 580
    Working with Your Vendor 580
    Preparing the Host 581
    Routing Options 583
    Endpoint Migration 584
    Summary 585
Chapter 19 VPN Technology Background 591
    Service Provider, Dedicated, and Access VPNs 591
    Enterprise VPNs Overview 593
    Enterprise VPN Categories 595
    Functional VPN Categories 595
    Technology Category 598
    Network Layer (Layer 3) VPNs 604
    Layer 3 Tunneling 605
    Security Associations and Security Policy for IKE and IPSec 605
    Negotiations of ISAKMP and IPSec Phases and Modes 607
    Mutable and Immutable Fields and the ICV 608
    Fragmentation, Path MTU Discovery, and ICMP Processing 610
    IPSec Modes 612
    IPSec Protocols 613
    Authentication in VPN 619
    End Notes 628
    Summary 629
    Review Questions 629
Chapter 20 Remote Access VPN Design and Configuration Solutions 633
    Remote Access VPN Design Solutions 633
    Remote Access VPN Design Objectives 634
    Remote Access VPN Management 635
    Remote Access VPN Security Considerations 636
    Remote Access VPN Termination Equipment Design Considerations 641
    VPN Configuration Considerations 648
    Configuration of the VPN 3000 Concentrator 648
    Cisco Remote Access VPN Clients 662
    End Notes 671
    Summary 672
    Review Questions 672
Chapter 21 Remote Access VPN Troubleshooting 675
    Troubleshooting Cisco Remote Access VPN Clients 676
    Cisco VPN Unity SW Client 676
    Cisco 3002 HW Client Troubleshooting 706
    Cisco Easy VPN Client 713
    Cisco PIX VPN Client 721
    Internet Technologies and Remote Access VPNs 732
    VPN and ADSL 732
    VPN and Internet Access Through a Cable TV Infrastructure 740
    VPN and Internet Access over Satellite and Wireless Systems 745
    LAN and General Networking Issues Affecting Remote Access VPNs 753
    Multiple VPN Clients Behind a NAT Device 753
    MTU—A Critical Factor for Troubleshooting Internet IPSec Connectivity 754
    Slow or Inaccessible Login to Kerberos Active Directory 760
    End Notes 761
    Summary 761
    Review Questions 762
Chapter 22 Remote Access VPN Troubleshooting Scenarios 765
    Warming Up with Preliminary Troubleshooting Steps 766
    Step 1: Determine if There Is an Internet Connection 767
    Step 2: Ensure that the VPN Client Is Properly Installed 771
    Step 3: Check or Create Your Profiles 772
    Scenario 1: Cannot Authenticate 773
    Case 1: Bad Group Name or Group Password 774
    Case 2: Prompted Multiple Times for Username and Password 775
    Case 3: Firewall Software 777
    Case 4: MTU Set High 779
    Case 5: MTU Set Low 784
    Scenario 2: Can Authenticate but Problems Passing Data 784
    Case 1: Cannot Pass Traffic and Using NAT Connection Entry 785
    Case 2: MTU Causing Packet Loss 786
    Case 3: Connection Keeps Dropping 786
    Case 4: Cannot Browse the Internal Domain 787
    Scenario 3: PPPoE Software/Hardware Problems 790
    Case 1: PPPoE Software Issues 791
    Case 2: IOS-Based PPPoE Issues 793
    Scenario 4: 3002 Connection Problems 795
    Check the Interfaces Status on the 3002 797
    Confirm the Group Name and Password Are Correct 800
    Problems with User Authentication 800
    Scenario 5: Extranet Issues 801
    Protocol 50—ESP 801
    UDP 500—ISAKMP 801
    UDP 10,000 (Allow IPSec Through NAT) 802
    Tunnel Keepalives 802
    Dead Peer Detection 803
    Summary 805
Appendix A Answers to Review Questions 807
Index 835
Cisco Systems Inc. is built on the philosophy of changing the way we work, live, play, and learn. The ability to telecommute and work remotely from any location is a large part of this change. Telecommuting is not a new concept; employees have been able to work remotely for decades. Significant benefits are associated with this practice.
Today, the ability to be productive while working remotely can occur only when required office applications and tools are accessed and used as if you were physically present in the office. The early days of dialup networking are replaced with high-speed access to the home at prices that are more cost effective. The requirement to telecommute and to access the corporate network while on business travel has played a significant role in creating an entire industry around remote access. Future trends include more prevalent broadband connectivity available from hotels, airports, and other public locations.
Over the last five years, the Information Technology organization of Cisco Systems created and maintained a dedicated Remote Access Services (RAS) department to provide support to Cisco employees in the U.S. The team, which was based at the San Jose campus in California, grew in responsibility for design, engineering, and support of remote access solutions in the Americas. The IT organizations outside of the Americas provided local remote access support to employees within their regions. The remote and corporate organizations work jointly together to develop global standards, strategies, and solutions.
Through the years, the team implemented and supported services that consisted of analog dial, ISDN, Frame Relay, xDSL, and VPN. In total, through a combination of in-sourced and outsourced services, the team supported 30,000 dialup users and over 16,000 users with high-speed access to their homes. This RAS team of 15 engineers, provisioners, analysts, and project managers supported more users and services than most medium-sized Internet service providers (ISPs) in the U.S. A separate helpdesk organization provided all first-level support for users globally.
I had the privilege of leading the Remote Access Services team for a 20-month period during 2000 and 2001. They are the most professional, hard-working group of individuals I have ever worked with. Providing remote access support can be thankless and frustrating when dealing with end users who believe their individual remote connectivity should have a high level of support with a four-hour mean time to repair. Furthermore, supporting an engineering user base further complicates matters because home networking requirements become more complex to accommodate.
Unlike most enterprises, RAS responsibilities for Cisco also included testing and implementing new Cisco products to showcase their use within our own networks. One could say most of our network was a living lab and, although we were making frequent changes to the infrastructure, the RAS team consistently maintained greater than 99.925 percent availability each quarter. The team contributed to making product improvements and enhanced the testing of new hardware and software by identifying product bugs that were fixed before a customer encountered the problem.
The team achieved significant results during the last fiscal year that included increasing the number of users who have broadband connectivity at home by 62 percent while decreasing average cost per user by 50 percent. The team also improved support ratios for broadband users from 1000 users per engineer to 1700 users per engineer. A member of the team, Plamen Nedeltchev, also developed a solution to address the problems with the huge number of transactions a Windows 2000 network generates, especially for an ISDN usage-based environment. His solution significantly reduced the usage costs for ISDN users and the corporation, and was significantly better than any solution recommended by Microsoft.
Plamen is a key contributor to the enhancements implemented in our remote access network, especially to addressing the requirements of development engineers who work full time from home. It was his vision to write this book for Cisco Press to address the gap of available remote access troubleshooting techniques. It is a compilation of the current knowledge and practices of one of the world’s best remote access teams.
In August 2001, a reorganization of IT Infrastructure resulted in the restructuring of remote access within Cisco. Although the centralized RAS team is now disbanded, this book is a testament to their achievements and a legacy to the knowledge they possess for developing and running leading-edge remote access networks. I am proud to be associated with remote access services, and the experience I gained in my former position within Cisco will always be one of the highlights of my career.
Felicia Brych
Manager
Cisco Remote Access Services
December 1999–August 2001
of the Internet, the super-media, during the last decade of the 20th century, has without a doubt been one of the principal, not only technical, but also social, events for generations that still stirs
NOTE Sofia is the capital of Bulgaria. Plovdiv is the second biggest city in Bulgaria. The distance between the two cities is about 150 km.
I always wanted to write this book. Years and years of looking at computer screens, always wondering if it is possible to put together a concise description of all these numbers, abbreviations, and symbols. Meanwhile, I was always collecting pieces here and there, writing short manuals for myself. Working in the remote access environment at Cisco, I finally had the chance to write this book, which started from an article about ISDN troubleshooting one night in November 2000. (The article was published in the Cisco Packet Magazine in Q2 2001.) Brett Bartow’s proposal for writing a book about remote access troubleshooting came just in time.
Remote access is about buckets of technologies. Remote access is about how to reach the remote LAN. The uniqueness of working on remote access is the opportunity to enhance your knowledge and to design, implement, configure, and support the variety of technologies used for remote access solutions today. Your troubleshooting ability changes based on your position or location in the classical trio of remote access—whether you are a remote user, a service provider site, or at the corporate site. As a troubleshooting engineer, maybe the best position you can choose is the last one. The uniqueness of the enterprise remote access is that you have limited visibility into the cloud, but you can see both ends of the remote access service and you control the headend side. Of course, troubleshooting is maybe more about hunches, about right-and-wrong, and about experience, but knowledge definitely helps. Combined with passion, it can make troubleshooting a genuine craft.
One of the main challenges of this book was to provide the reader with the minimum technology background sufficient to understand the technology basics. This challenge came from the fact that numerous studies and books published in the last 20 to 30 years have produced an abundance of information, which is almost impossible to synthesize in a limited number of pages for each technology in this book. Combining this information with troubleshooting techniques and recommendations was another challenge that this book needed to meet.
This book was written with appreciation of generations of scientists and engineers, constantly developing standards, coding and signaling schemes, hardware/software designs, and configurations to provide remote users with full access to their resources, sometimes thousands of miles away. This book was certainly written with an appreciation to Cisco’s contribution to the technology over the last decade.
This book is written with appreciation to remote access solutions, where wired networks made possible the most common design solutions today. That’s why Part I concentrates on the fundamentals, whereas Parts II, III, and IV deal with commonly available technologies, such as dial, ISDN, and Frame Relay.
However, we are about to witness and participate in a significant change in the existing remote access solutions. Panta rhei—as every technology continuously changes its features, the remote access environment is no different. Today’s VPN (in all flavors) is only the first wave of moving away from legacy remote access, which is primarily based on permanent circuits. That’s why Part V, “VPN,” is a bridge to the future—towards using locally available Internet services to access the corporate resources remotely.
The evolving mobility adds a new dimension to remote access technologies. Overcoming the tyranny of cables will transform remote access into ubiquitous access sooner rather than later.
Objectives of This Book
The main objective of this book is to offer a concise version of troubleshooting remote access networks. Whether you are an enterprise network manager or administrator, network or consulting engineer, or a remote access help-desk consultant, you will have access to both sides of the connection. If you are troubleshooting both end-user and core-environment issues, you will find the book useful because it provides you with the maximum reasonable descriptions, explanations, and examples possible.
Secondly, this book’s focus is on the remote end of the connection instead of on the corporate side. In my imagination, I always see a user, whose remote access service—his lifeline to the corporation—is down and he is desperately trying to restore it to meet his deadline. I’ve been there. I know what that’s like. That’s why, even if you are an end user working with your local service provider or ISP, this book will enhance your knowledge and troubleshooting skills.
Who Should Read This Book?
This book is not about the big picture, but about engineers whose day-to-day operations require remote troubleshooting. This book is for those who, sitting behind non-working routers, are trying to figure out where to start and how to approach a problem. This book is intended for any engineer who is contemplating changing his qualification to become a network engineer. This book is for network engineers who already have a certain level of qualification and experience and are trying to enhance their knowledge in remote access technologies. Finally, this book provides helpful remote access troubleshooting information for engineers working toward CCNP and CCIE certifications. This book is written assuming the reader has a level of networking experience equivalent to that of a CCNA.
The Organization of This Book
This book is based on the premise that if you really want to troubleshoot, you need to go through some preliminary phases first. You need to start with the technology basics, progress through design and configuration solutions, and finally get to the troubleshooting methodologies, techniques, and tools. Every chapter of this book is organized according to this concept, and every chapter includes review questions. Finally, the examples and the scenarios in Parts II, III, IV, and V are live-based and represent the best proven practices from more than tens of thousands of cases handled by the Cisco Remote Access team.
Part I: Remote Access Fundamentals
Part I, which describes the fundamentals of remote access networks, is the technological foundation of this book. This part includes management considerations and remote access service options. It provides relatively extensive information about telecommunications basics, modulations, and coding techniques in wired, wireless, and hybrid environments. An integral part of this discussion is the clocking, line coding, and framing in carrier systems, including the most common T1s and PRIs. An important section of Part I is the discussion about the cloud, and how the carriers and service providers handle the traffic. The information about the future of the service and the last-mile initiative of Cisco is provided as well.
Although the first three chapters are about the remote access environment, the last chapter in Part I is about remote access inter-network layered models, methodology, and tools. In this chapter, the layer-by-layer model of troubleshooting is introduced as one systematic approach to troubleshooting issues.
Part II: Dial
Part II is devoted to one of the most traditional remote access technologies: dial networking. The initial technology information is designated to underline some of the fundamentals and specifics of dial, in addition to the information provided in Part I. The detailed description of modems and the overview of possible provider issues, as well as the detailed description of Point-to-Point Protocol (PPP), is among the main topics covered. The design chapter includes information about text dialin network, PPP dialin network, text dial-out network, PPP dial-out network, large scale dial-out network, and dial-on-demand backup network, all of which are well-known design solutions in the industry today. The same set of design solutions is also presented from a configuration point of view, with the necessary explanations, tips, and notes. The dial troubleshooting section includes information on troubleshooting T1 and PRI circuits, dialin service, dial-out service, and important access server (AS5x00) specific commands and debugs.
The troubleshooting scenario chapter focuses on authentication problems, frequent retrains and disconnects, and dirty phone lines and bad modems.
Part III: ISDN
Part III is about Integrated Services Digital Network (ISDN)—especially ISDN BRI. This part provides concise ISDN technology background information about standards, channels, and ISDN architecture. The necessary troubleshooting information about reference points, interfaces, and initializing of layers one, two, and three is provided here, as is information about ISDN switch types. The common ISDN design solutions are focused on NAT/PAT configurations and virtual profiles and interfaces. Separate sections are designated to provide detailed discussion about Multilink Point-to-Point Protocol (MP) and Multi-Chassis Multilink Point-to-Point Protocol (MMP) designs. The configuration chapter focuses on ISDN cost-effective solutions, such as spoofing, snapshot routing, and dial-on-demand routing (DDR). The ISDN troubleshooting chapter illustrates the layer-by-layer approach and includes detailed discussion about each and every layer, as well as extended information about troubleshooting MP, MMP, and telephone interfaces.
The troubleshooting scenarios include new install problems, dial-out problems, performance issues, end-to-end problems, and the Windows 2000 and Cisco DDR controversy.
Part IV: Frame Relay
The main focus of Part IV is Frame Relay. More information is provided about the end user’s side of the design than about the corporate side. The Frame Relay standards, protocols, and service architecture are the main foundation topics. The Frame Relay design provides detailed information about User-Network Interface (UNI) and Network-to-Network Interface (NNI). Frame Relay performance criteria, fragmentations, Inverse ARP, upper-layer protocols, and Local Management Interface (LMI) are among the design objectives of Part IV. The Frame Relay configuration provides some common configuration solutions and explanations. The advanced configuration section includes IP unnumbered solution, frame switching, Frame Relay backup, compression, multicast, and traffic shaping. The Frame Relay troubleshooting chapter applies the layer-by-layer approach and discusses Layer 1 and 2 problems, performance, end-to-end issues, compression, and traffic-shaping problems.
The Frame Relay troubleshooting scenarios in Chapter 18 focus on new installs, wrong DLCI, LMI settings, and performance and multicast issues. Rehosting of Frame Relay service is included as well.
Part V: VPN
Virtual Private Network (VPN) is about running private data over public networks. Part V provides the minimum initial background for all versions of VPN, but focuses on remote access solutions. PPTP, L2TP, IPSec, and key agreements are discussed in detail. The common design solutions, the termination points, software and hardware VPN clients, EzVPN, and PIX-based solutions are explained concisely. All available remote access VPN solutions and their configurations are another important part here. They include Cisco VPN 3000 Series Concentrator configuration and Cisco VPN client configuration (including Cisco Unity VPN Client, Cisco VPN 3002 HW Client, Cisco Easy VPN IOS, and Cisco PIX 501 and 506 Client). The VPN troubleshooting chapter includes extensive and detailed explanations, divided into three main groups: Cisco VPN client issues, VPN and Internet technologies issues, and VPN and LAN issues affecting remote access VPN.
The scenarios in Chapter 22 include VPN over PPPoE, authentication problems and cannot-pass-data issues, hardware VPN client issues, and extranet issues.
Command Syntax Conventions
The command syntax in this book conforms to the following conventions:
• Commands, keywords, and actual values for arguments are bold.
• Arguments (which need to be supplied with an actual value) are italic.
• Optional keywords and arguments are in brackets [].
• A choice of mandatory keywords and arguments is in braces {}.
These conventions are for syntax only.
References and Additional Reading
You might find the following list of resources helpful in your further study of remote access technologies:
Abe, George. Residential Broadband, Second Edition. Cisco Press, 2000.
Adams, Michael. OpenCable Architecture. Cisco Press, 2000.
Alwayn, Vivek. Advanced MPLS Design and Implementation. Cisco Press, 2001.
American National Standards Institute. ANSI T1.601.1994, “ISDN Basic Access Interface for Use on Metallic Loops for Applications on the Network Side of the NT.”
Bingham, John A. C. ADSL, VDSL, and Multicarrier Modulation. John Wiley and Sons Inc., 2000.
Birkner, Matthew H. Cisco Internetwork Design. Cisco Press, 2000.
Black, Ulysses D. Frame Relay Networks: Specifications and Implementations. McGraw Hill, 1998.
———. ISDN and SS7: Architecture for Digital Signaling Networks. Prentice Hall, 1997.
Boyles, Tim and David Hucaby. CCNP Switching Exam Certification Guide. Cisco Press, 2000.
Buckwalter, Jeff T. Frame Relay: Technology and Practice. Addison-Wesley Longman Inc., 1999.
Chappel, Laura. Advanced Cisco Router Configuration. Cisco Press, 1999.
Chappel, Laura and Dan Farkas. Cisco Internetwork Troubleshooting. Cisco Press, 1999.
Cisco Systems, Inc. Cisco IOS 12.0: Wide-Area Networking Solutions. Cisco Press, 1999.
———. Dictionary of Internetworking Terms and Acronyms. Cisco Press, 2001.
———. Internetworking Technologies Handbook, Third Edition. Cisco Press, 2000.
———. Network Design and Case Studies (CCIE Fundamentals), Second Edition. Cisco Press, 2000.
———. “Cisco 700 Series Command Reference.” 1996-1997.
———. “Cisco 700 Series Installation and Configuration Guide.” 1997.
Conover, J. “802.11a: Making Space for Speed.” Network Computing, January 2001.
Cooperman, G., E. Jessen, and G. Michler (eds.). Workshop on Wide-Area Networks and High Performance Computing. Springer, 1999.
Coutinho, S. C. The Mathematics of Ciphers: Number Theory and RSA Cryptography. A K Peters, Ltd., 1999.
Flanagan, William A. ISDN: A Practical Guide to Getting Up and Running. CMP Books, 2000.
Frame Relay Forum. FRF.1.1, “User-to-Network Interface (UNI) Implementation Agreement.” January 1996.
Goralski, Walter. Frame Relay for High-Speed Networks. John Wiley and Sons Inc., 1999.
Gough, Clare. CCNP Routing Exam Certification Guide. Cisco Press, 2001.
Held, Gilbert. Frame Relay Networking. John Wiley and Sons Inc., 1999.
Jones, Burton W. Modular Arithmetic. Blaisdell Publishing Company, 1964.
Kessler, Gary, and Peter Southwick. ISDN Concepts, Facilities, and Services, Third Edition. McGraw Hill, 1996.
Khan, Ahmed S. The Telecommunications Fact Book and Illustrated Dictionary. Delma Publishers Inc, 1992.
Knuth, Donald E. Art of Computer Programming, Volume III: Sorting and Searching (Second Edition). Addison-Wesley Longman, 1998.
McClain, Gary R. Handbook of Networking and Connectivity. AP Professional Academic Press, 1994.
Mervana, Sanjeev and Chris Le. Design and Implementation of DSL-Based Access Solutions. Cisco Press, 2002.
Miller, Mark. Analyzing Broadband Networks: ISDN, Frame Relay, SMDS, and ATM. John Wiley and Sons, Inc., 1996.
Morgan, Brian and Craig Dennis. CCNP Remote Access Exam Certification Guide. Cisco Press, 2000.
Oppenheimer, Priscilla. Top-Down Network Design. Cisco Press, 1999.
Pecar, Joseph A. and David A. Garbin. The New McGraw-Hill Telecom Factbook, Second Edition. McGraw-Hill Professional Publishing, 2000.
Pepelnjak, Ivan and Jim Guichard. MPLS and VPN Architectures. Cisco Press, 2000.
Nedeltchev, Plamen. “Troubleshooting ISDN.” Cisco Packet Magazine, Q2 2001.
———. “Wireless LAN Ready for Prime Time.” Cisco Packet Magazine, Q3 2001.
Nedeltchev, Plamen and Radoslav Ratchkov. “IPSec and Related Algorithms.” Cisco Packet Magazine, Q2 2002.
Ranjbar, Amir S. CCNP Support Exam Certification Guide. Cisco Press, 2000.
Retana, A., Slice, D., and White, R. Advanced IP Network Design (CCIE Professional Development). Cisco Press, 1999.
RFC 1191, “Path MTU Discovery.”
RFC 1918, “Address Allocation for Private Internets.”
RFC 2401, “Security Architecture for the Internet Protocol.”
RFC 2402, “IP Authentication Header.”
RFC 2403, “The Use of HMAC-MD5-96 Within ESP and AH.”
RFC 2404, “The Use of HMAC-SHA-1-96 Within ESP and AH.”
RFC 2405, “The ESP DES-CBC Cipher Algorithm with Explicit IV.”
RFC 2406, “IP Encapsulating Security Payload (ESP).”
RFC 2407, “The Internet IP Security Domain of Interpretation for ISAKMP.”
RFC 2408, “Internet Security Association and Key Management Protocol (ISAKMP).”
RFC 2409, “The Internet Key Exchange (IKE).”
RFC 2410, “The NULL Encryption Algorithm and Its Use with IPSec.”
RFC 2411, “IP Security Document Roadmap.”
RFC 2412, “The OAKLEY Key Determination Protocol.”
RFC 2637, “Point-to-Point Tunneling Protocol.”
RFC 2661, “Layer Two Tunneling Protocol ’L2TP’.”
RFC 3078, “Microsoft Point-To-Point Encryption (MPPE) Protocol.”
Sapien, Mike, and Greg Piedmo. Mastering ISDN. Sybex, 1997.
Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition. John Wiley and Sons Inc., 1996.
Srisuresh, P. and M. Holdrege. “IP Network Address Translator (NAT) Terminology and Considerations.” RFC 2663, August 1999.
Stallings, W. Data and Computer Communications, Fifth Edition. Prentice Hall, 1997.
Stallings, William. ISDN and Broadband ISDN with Frame Relay and ATM. Prentice Hall, 1999.
Tittel, Ed, and Steve James. ISDN Networking Essentials. AP Professional Academic Press, 1996.
Williamson, Beau. Developing IP Multicast Networks, Volume I. Cisco Press, 2000.
Wright, Robert. IP Routing Primer. Cisco Press, 1998.
www.itu.int/ITU-T/
Wynston, Michael. Cisco Enterprise Management Solutions, Volume I. Cisco Press, 2001.
Part I: Remote Access Fundamentals
Chapter 1 Remote Access Overview
Chapter 2 Telecommunication Basics
Chapter 3 The Cloud
Chapter 4 Troubleshooting Approaches, Models, and Tools
Chapter 1 Remote Access Overview
Remote access is a term that pertains to communication with a data processing facility from a remote location or facility through a data link. This chapter introduces remote access environment specifics and provides brief descriptions of remote access options in the following aspects:
• Management considerations and the pros and cons of remote access solutions
• Defining the remote access population
• Legacy remote access solutions
• Virtual Private Networks (VPNs) over some of the most popular technologies, such as cable modems, xDSL, wireless, and satellite services
• Provisioning of the corporate circuits
As a network administrator or network engineer, you need to identify the specifics of the environment and know the specifics of the solution that you are troubleshooting to set up your expectations accordingly.
Remote access networks are often described as the most difficult type of network to support.
In corporate local-area networks (LANs) and wide-area networks (WANs), data centers and network operations centers safeguard the networking infrastructure. However, remote access to an employee’s home or from locations while an employee is traveling or working from a customer’s premises introduces many components not under a corporation’s control.
Within a user’s home, there can be wiring problems or limited copper pairs, which can complicate the installation and troubleshooting process. Users can power off their home routers or modems, referred to as customer premises equipment (CPE), at any time. This makes proactive monitoring extremely difficult, if not impossible. Users can install any hardware and software on their home network or computer that might interfere with, or not integrate with, the remote access solution. It is difficult to control the security aspects of a user’s home network. Finally, a user might be technically proficient enough to modify the CPE configuration, which can result in additional problems.
While an employee is working on the road from either a hotel or a customer premises, additional complications exist, and sometimes getting answers to specific troubleshooting questions can be impossible. The phone system in a hotel often contributes to dialup connectivity problems. A broadband service offering in a hotel or a customer’s firewall can block IPSec traffic for VPN users who are trying to reach their destination point through the Internet.
Some services that the remote user is accustomed to in the corporate environment might be unavailable, not permissible, or have a degradation of quality because of bandwidth, latency, or policy limitations from remote locations. Some of these circumstances might require special setups to meet users’ expectations.
For all these reasons, troubleshooting remote access problems can be a difficult and time-consuming process. The purpose of this book is to provide networking professionals with a collection of proven and current troubleshooting techniques for Cisco Systems remote access products and for most remote access service options. Technologies addressed in this book include analog dial, ISDN, Frame Relay, and VPN.
Management Considerations
As a network manager, deciding on the type of remote access services to provide to your organization depends on numerous factors. For each of them, there might be an easy answer based on general knowledge of the organization, or you might be required to obtain specific business requirements that limit service options. For many large enterprises, there is no one-size-fits-all service that meets all user requirements. The categories described in this section are the most common ones that an organization should consider when making remote access service decisions. (They are listed in no particular order.)
Cost
The budget for remote access can limit the options available. The organization must determine what base of users will be granted access, what capacity and growth estimates are required, and how the costs will be allocated internally. To form the basis for a remote access budget and funding approach, answer the following questions:
• Who will cover the initial capital and installation costs?
• What costs are required to deploy the solution?
• Are there any training costs?
• How will any monthly circuit costs for the back-end environment be funded?
• Should a user’s organization be charged for the user’s monthly access fees and any usage-based services?
• Is an approval process required for users to request remote access?
• Will the organization set a maximum limit on the monthly amount that a user can expense, and the user personally covers any additional costs?
• Should an internal fee be charged to fund the on-going operational support?
• Should the fee differ depending on the service or the level of support required?
An organization must define the geographic area (local, regional, national, or global) to which service must be supplied and determine the availability of network options within that area. Besides rural areas, many metropolitan areas do not have options for high-speed access to the home that include ISDN, Frame Relay, xDSL, cable, wireless, and satellite. The demise of many of the competitive local exchange carriers (CLECs) in the U.S., and an economic downturn during 2000 and 2001, has further impacted the build out of high-speed network access to residential neighborhoods. You must understand what options and technologies are available and whether or not you must restrict the options to one or more providers/carriers based on availability.
Support
Support options can weigh heavily on the remote access option you choose. You must define the service level for supporting the back end infrastructure and for supporting the end user. Different profiles of users can require different levels of support. Plan to set user expectations up front. The decision to in-source versus outsource must also be considered. The organization must have the available resources with the right skill sets to support the selected service. Training might be required for support staff. Local language and in-country support can be important. Determine if you need consultants to help fill the skill or resource gap. Assess whether the existing helpdesk organization can assume part of the support requirement. As part of your deployment plan, ensure that you include the time required to develop support processes and to train support personnel.
In-Sourcing Versus Outsourcing
The decision to in-source versus outsource depends on the core competency of your IT organization. Besides support considerations, the time and effort to develop and deploy a solution is a factor in the outsourcing decision. Determine if the organization has the available resources with the right skill sets to develop, deploy, provision, and support the selected service. Are resources available in the deployment locations or will team members be required to travel? Will security policies restrict the components that can be supported internally versus externally? What contracting process do you need to follow and how long will this take (that is, do you need to conduct a Request for Information or a Request for Proposal)? You need to solicit several bids from potential vendors and prepare a service and cost comparison of the internal versus external vendor options as part of the decision-making process.
Billing and Charge Backs
The decision or ability to charge back expenses to a user’s organization was mentioned in the preceding section, “Cost.” If you decide to charge back for user services rather than funding centrally, you must ensure that the necessary processes and systems are in place to handle the financial transactions. Is there a process currently available for remote access purposes? Will the vendor provide the billing information in the required format or medium? Should the corporation centrally manage the bills or should they be sent to the user who submits an expense report to cover the charge? Should there be a maximum limit set on the amount to be expensed? How will exceptions and anomalies be dealt with? What reports are necessary and who must receive them? Be prepared to handle the administrative overhead to manage the billing function.
User-Managed Versus Corporate-Managed
As part of the service offering, the organization must determine if it wants to restrict users to a limited number of vendors or open it up to any vendor and let the end user choose the provider. This concept has been used to implement VPN services where a user can select any Internet service provider (ISP) available in the local area, and choose the provider based on the criteria that are important to the user. When the user rather than the corporation orders high-speed access, the user becomes responsible for dealing with the vendor when the service is down or experiencing problems. The user also receives the monthly bill and is expected to submit an expense report up to an approved amount.
Security
The security policies of an organization are a significant factor in determining the solution. Based on the sensitivity of the information managed by the corporation, policies surrounding authentication, encryption, architecture, and outsourcing vary. Ensure that the security organization is included in the initial planning of the remote access service.
Applications
The applications that must be accessed remotely might restrict the technology alternatives or might affect the network architecture. Some applications can be useless if latency is too great or if the available bandwidth is insufficient. Other applications might not function properly if accessed through a VPN connection. Ensure that you work with the functional areas of the business to identify and test all the core applications that are required to be accessed remotely and to set user expectations on performance.
Home Access Versus Mobility
The final criterion to be considered is the need to access the corporate network from home, and from on the road while in a hotel, convention center, airport, or a customer/business partner premises. Depending on the organization’s remote access requirement, a mobile