One side Authentication

From: Ajit (ajitmohanraj@vsnl.com)
Date: Mon Dec 02 2002 - 10:17:27 GMT-3


****************************** CONFIG R3
hostname r3
!
logging rate-limit console 10 except errors
!
username r4 password 0 cisco
ip subnet-zero
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
cns event-service server
!!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 ip address 10.0.0.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 10
 dialer map ip 10.0.0.2 name r4 broadcast 2222
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication chap

************************CONFIG OF R4

hostname r4
!
logging rate-limit console 10 except errors
!
username r3 password 0 cisco
ip subnet-zero
no ip finger
no ip domain-lookup
!
isdn switch-type basic-net3
cns event-service server
!!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 ip address 10.0.0.2 255.255.255.0
 encapsulation ppp
 dialer map ip 10.0.0.1 name r3 broadcast 1111
 isdn switch-type basic-net3
! ****** No authentication configured
!
************************ R3 pinging R4 **************
r3#debug pp nego
PPP protocol negotiation debugging is on
r3#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

00:16:10: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:16:10: BR0:1 PPP: Treating connection as a callout
00:16:10: BR0:1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 0 load]
00:16:10: BR0:1 LCP: O CONFREQ [Closed] id 27 len 15
00:16:10: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
00:16:10: BR0:1 LCP: MagicNumber 0xD0677BEC (0x0506D0677BEC)
00:16:10: BR0:1 LCP: I CONFREQ [REQsent] id 52 len 10
00:16:10: BR0:1 LCP: MagicNumber 0xD06778EC (0x0506D06778EC)
00:16:10: BR0:1 LCP: O CONFACK [REQsent] id 52 len 10
00:16:10: BR0:1 LCP: MagicNumber 0xD06778EC (0x0506D06778EC)
00:16:10: BR0:1 LCP: I CONFACK [ACKsent] id 27 len 15
00:16:10: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
00:16:10: BR0:1 LCP: MagicNumber 0xD0677BEC (0x0506D0677BEC)
00:16:10: BR0:1 LCP: State is Open
00:16:10: BR0:1 PPP: Phase is AUTHENTICATING, by this end [0 sess, 0 load]
00:16:10: BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r3"
00:16:10: BR0:1 CHAP: I RESPONSE id 27 len 23 from "r4"
00:16:10: BR0:1 CHAP: O SUCCESS id 27 len 4
00:16:10:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/36/36 ms
r3# BR0:1 PPP: Phase is UP [0 sess, 0 load]
00:16:10: BR0:1 IPCP: O CONFREQ [Closed] id 2 len 10
00:16:10: BR0:1 IPCP: Address 10.0.0.1 (0x03060A000001)
00:16:10: BR0:1 CDPCP: O CONFREQ [Closed] id 2 len 4
00:16:10: BR0:1 IPCP: I CONFREQ [REQsent] id 2 len 10
00:16:10: BR0:1 IPCP: Address 10.0.0.2 (0x03060A000002)
00:16:10: BR0:1 IPCP: O CONFACK [REQsent] id 2 len 10
00:16:10: BR0:1 IPCP: Address 10.0.0.2 (0x03060A000002)
00:16:10: BR0:1 CDPCP: I CONFREQ [REQsent] id 2 len 4
00:16:10: BR0:1 CDPCP: O CONFACK [REQsent] id 2 len 4
00:16:10: BR0:1 IPCP: I CONFACK [ACKsent] id 2 len 10
00:16:10: BR0:1 IPCP: Address 10.0.0.1 (0x03060A000001)
00:16:10: BR0:1 IPCP: State is Open
00:16:10: BR0:1 CDPCP: I CONFACK [ACKsent] id 2 len 4
00:16:10: BR0:1 CDPCP: State is Open
00:16:10: BR0 IPCP: Install route to 10.0.0.2
00:16:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:16:16: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 2222 r4
00:16:21: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 2222 r4, call lasted 11 seconds
00:16:21: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:16:21: BR0:1 IPCP: State is Closed
00:16:21: BR0:1 CDPCP: State is Closed
00:16:21: BR0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
00:16:21: BR0:1 LCP: State is Closed
00:16:21: BR0:1 PPP: Phase is DOWN [0 sess, 0 load]
00:16:21: BR0 IPCP: Remove route to 10.0.0.2
00:16:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
r3#
----- Original Message -----
From: "Ajit" <ajitmohanraj@vsnl.com>
To: "Jaroslaw Zak" <jaroslawz@hotmail.com>
Sent: Monday, December 02, 2002 6:21 PM
Subject: Re: To all DDR guru....

> Authentication is "optional" at the LCP stage. ..it is not mandatory for the
> link to come up.
> ----- Original Message -----
> From: "Jaroslaw Zak" <jaroslawz@hotmail.com>
> To: <mtognon@tecnonetspa.it>; <ccielab@groupstudy.com>
> Sent: Monday, December 02, 2002 5:18 PM
> Subject: Re: To all DDR guru....
>
>
> > Hi,
> >
> > I don't think your link will come up if you omit authentication config at
> > one side, and here is why: Authentication type and whether to use it or not
> > is negotiated by LCP on very early stage. If one side wants to use it, and
> > other does not, link is declared down.
> >
> > You should see it using debug ppp negotiation and debug ppp authentication.
> >
> > HTH
> > Jarek
> >
> >
> >
> >
> > >From: "Massimiliano Tognon" <mtognon@tecnonetspa.it>
> > >Reply-To: "Massimiliano Tognon" <mtognon@tecnonetspa.it>
> > >To: <ccielab@groupstudy.com>
> > >Subject: To all DDR guru....
> > >Date: Mon, 2 Dec 2002 12:20:50 +0100
> > >
> > >in some note i've found that if you don't want that router to challenge the
> > >other, simply omit the ppp authentication command....
> > >
> > >i try this on my lab, but i don't agree, 'cause if i omit the command, simply
> > >i haven't authentication. I try to make some debug and on ppp negotiation
> > >there's no information about authentication in progress between them. Some
> > >friends tell me that this is the correct answer...
> > >
> > >any comments???
> > >
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Kumar, Senthil [mailto:senthil.kumar@intechnology.co.uk]
> > >Sent: Tuesday, 26 November 2002 22.11
> > >To: 'Ajit '; Kumar, Senthil; 'charles.egbue@citicorp.com ';
> > >'ccielab@groupstudy.com '; 'mtognon@tecnonetspa.it ';
> > >'Sam.MicroGate@usa.telekom.de '
> > >Subject: RE: To all DDR guru....
> > >
> > >
> > >if r1 is set to authenticate incoming calls with callin keyword, it
> > >challenges and r2 responds. always a called party challenges.
> > >
> > >like if r1 is the central office and if r2 is remote, r2 will call r1, so
> > >r1 is callin and r1 challenges.
> > >
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Ajit
> > >To: Kumar, Senthil; charles.egbue@citicorp.com; ccielab@groupstudy.com;
> > >mtognon@tecnonetspa.it; Sam.MicroGate@usa.telekom.de
> > >Sent: 26/11/2002 20:39
> > >Subject: Re: To all DDR guru....
> > >
> > >Putting ppp authen chap callin on R1:-
> > >
> > >Would imply the following
> > >a. R2 has to initiate the call into R1. If it does, R1 will authenticate R2
> > >(authenticate incoming calls only .."callin") but R1 will not challenge R2.
> > >which i think is what was required.
> > >
> > >So if this requirement is to work, the call needs to get initiated from R2.
> > >If there is a precondition that R2 cannot initiate a call to R1 ..then I am
> > >stuck !!!
> > >
> > >
> > >
> > >
> > >----- Original Message -----
> > >From: "Kumar, Senthil" <senthil.kumar@intechnology.co.uk>
> > >To: "'Ajit '" <ajitmohanraj@vsnl.com>; <charles.egbue@citicorp.com>;
> > ><ccielab@groupstudy.com>; <mtognon@tecnonetspa.it>;
> > ><Sam.MicroGate@usa.telekom.de>
> > >Sent: Wednesday, November 27, 2002 1:54 AM
> > >Subject: RE: To all DDR guru....
> > >
> > >
> > > > if r1 should not challenge. r1 should call r2. when r2 receives an incoming
> > > > call and if chap is set as the authentication mode, it then challenges the
> > > > caller, when r2 challenges r1, r1 responds and r2 validates. so if at all
> > > > you want to prefer adding a callin keyword do it at r2. as r2 should only
> > > > accept incoming calls and do authentication.
> > > >
> > > > isn't this how it works..
> > > >
> > > > -----Original Message-----
> > > > From: Ajit
> > > > To: charles.egbue@citicorp.com; ccielab@groupstudy.com;
> > > > mtognon@tecnonetspa.it; Sam.MicroGate@usa.telekom.de
> > > > Sent: 25/11/2002 21:24
> > > > Subject: Re: To all DDR guru....
> > > >
> > > > My inputs ...
> > > >
> > > > a.>>R1 should not challenge R2 :
> > > >
> > > > Put "ppp chap callin" under R1. What the callin on R1 really says is "Hey
> > > > R2, you can challenge me but I can't challenge you". Used when you are
> > > > connecting a Cisco router like your R1 to a non-cisco router that cannot do
> > > > authentication. Anyway that addresses requirement 1.
> > > >
> > > > b>> Greater than 25% of the bandwidth.
> > > >
> > > > ppp multilink
> > > > dialer load-threshold 64 ( since 255 represent a 100% load factor : 64 ~ 25%)
> > > >
> > > > To touchup your config and adding what the rest have said.......
> > > >
> > > > a. username r1 password cisco on R2
> > > >
> > > > b. ppp multilink /dialer load threshold/ ppp authentication chap callin to be
> > > > added on R1 and of course R2 (without the callin parameter)
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: <charles.egbue@citicorp.com>
> > > > To: <ccielab@groupstudy.com>; <mtognon@tecnonetspa.it>;
> > > > <Sam.MicroGate@usa.telekom.de>
> > > > Sent: Tuesday, November 26, 2002 1:50 AM
> > > > Subject: RE: To all DDR guru....
> > > >
> > > >
> > > > > 1. Spids are not required for the type of isdn switch that is being used
> > > > > here (basic-net3)
> > > > > 2. You need the username statement on R2 (username r1 password cisco)
> > > > >
> > > > > Charles
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sam.MicroGate [mailto:Sam.MicroGate@usa.telekom.de]
> > > > > Sent: Monday, November 25, 2002 11:48 AM
> > > > > To: mtognon; ccielab
> > > > > Subject: RE: To all DDR guru....
> > > > >
> > > > > Hello Massimiliano.
> > > > >
> > > > > A few things:
> > > > > 1- You need isdn spid1 and isdn spid2 interface command in R1 and R2. They
> > > > > are missing.
> > > > > 2- You need ppp multilink interface command for the second channel to come
> > > > > up.
> > > > > 3- Because the word callin and callout are a little bit confusing to
> > > > > interpret, Always use debug ppp authentication to monitor which router
> > > > > challenges the other and which router does not. The router that challenges
> > > > > will have (O) challenge before the debug statement.
> > > > >
> > > > > Otherwise, everything is ok. Good luck.
> > > > >
> > > > >
> > > > > Sam
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Massimiliano Tognon [mailto:mtognon@tecnonetspa.it]
> > > > > Sent: Monday, November 25, 2002 10:05 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: To all DDR guru....
> > > > >
> > > > >
> > > > > Hi folks, question for you...
> > > > >
> > > > > this is the topology:
> > > > >
> > > > >
> > > > > R1------ ISDN------R2
> > > > >
> > > > >
> > > > > question is:
> > > > >
> > > > > Configure chap authentication between R1 and R2; R1 should not challenge R2.
> > > > > When the traffic is greater than 25% of the bandwidth, a second channel must
> > > > > be brought up.
> > > > >
> > > > > this is my configuration:
> > > > >
> > > > > R1:
> > > > >
> > > > > username r2 password cisco
> > > > >
> > > > > int bri 0
> > > > > ip address 192.168.1.1 255.255.255.0
> > > > > encapsulation ppp
> > > > > dialer map ip 192.168.1.2 name r2 broadcast 0200
> > > > > dialer idle-timeout 45
> > > > > ppp authentication chap
> > > > > dialer-group 1
> > > > > isdn switch-type basic-net3
> > > > >
> > > > > dialer-list 1 protocol ip permit
> > > > >
> > > > > R2:
> > > > >
> > > > >
> > > > > int bri 0
> > > > > ip address 192.168.1.2 255.255.255.0
> > > > > encapsulation ppp
> > > > > dialer map ip 192.168.1.1 name r1 broadcast 0300
> > > > > dialer idle-timeout 45
> > > > > ppp authentication chap
> > > > > dialer-group 1
> > > > > isdn switch-type basic-net3
> > > > > dialer load-threshold 64 either
> > > > > ppp authentication chap callin
> > > > >
> > > > > dialer-list 1 protocol ip permit
> > > > >
> > > > >
> > > > >
> > > > > what do you think about?
> > > > > on R1 challenge is ignored but it is generated...
> > > > > do i need ppp multilink in order to work dialer load-threshold ? i'm little
> > > > > bit confused... any help appreciated...
> > > > >
> > > > > thanks
> >
> >



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:38 GMT-3
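
Added example, not part of the original thread: a short Python parser that reads `debug ppp negotiation` lines like the r3 output above and reports which end asked to authenticate the other. It decodes the LCP option bytes IOS prints in parentheses (0x0305C22305 is option 3, length 5, protocol 0xC223 CHAP, algorithm 5 MD5) and counts only CONFREQ packets, since the CONFACK just echoes the request. The function names `decode_lcp_option` and `auth_directions` are hypothetical.

```python
import re

# Selected lines copied from the r3 "debug ppp negotiation" output in the message.
DEBUG = """\
00:16:10: BR0:1 LCP: O CONFREQ [Closed] id 27 len 15
00:16:10: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
00:16:10: BR0:1 LCP: I CONFREQ [REQsent] id 52 len 10
00:16:10: BR0:1 LCP: MagicNumber 0xD06778EC (0x0506D06778EC)
00:16:10: BR0:1 LCP: I CONFACK [ACKsent] id 27 len 15
00:16:10: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
00:16:10: BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r3"
00:16:10: BR0:1 CHAP: I RESPONSE id 27 len 23 from "r4"
00:16:10: BR0:1 CHAP: O SUCCESS id 27 len 4
"""

AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers

def decode_lcp_option(hex_tlv):
    """Decode one LCP option as IOS prints it, e.g. '0x0305C22305'."""
    raw = bytes.fromhex(hex_tlv[2:])  # drop the "0x" prefix
    opt_type, length, data = raw[0], raw[1], raw[2:]
    if length != len(raw):
        raise ValueError("length byte does not match option size")
    out = {"type": opt_type, "length": length}
    if opt_type == 3:  # Authentication-Protocol option (RFC 1661)
        proto = int.from_bytes(data[:2], "big")
        out["auth"] = AUTH_PROTOCOLS.get(proto, hex(proto))
        if proto == 0xC223 and len(data) > 2:
            out["chap_algorithm"] = data[2]  # 5 = MD5 (RFC 1994)
    return out

def auth_directions(debug_text):
    """Report which end asked to authenticate the other, and who challenged."""
    result = {"local_requires_auth": None, "peer_requires_auth": None,
              "challenges_sent": 0, "challenges_received": 0}
    packet = None  # (direction, code) of the LCP packet whose options follow
    for line in debug_text.splitlines():
        if m := re.search(r"LCP: ([IO]) (CONF\w+)", line):
            packet = m.groups()
        elif m := re.search(r"LCP:\s+AuthProto \w+ \((0x[0-9A-Fa-f]+)\)", line):
            # Only a CONFREQ states a demand; the CONFACK merely echoes it back.
            if packet and packet[1] == "CONFREQ":
                key = "local_requires_auth" if packet[0] == "O" else "peer_requires_auth"
                result[key] = decode_lcp_option(m.group(1))["auth"]
        elif m := re.search(r"CHAP: ([IO]) CHALLENGE", line):
            result["challenges_sent" if m.group(1) == "O" else "challenges_received"] += 1
    return result

print(auth_directions(DEBUG))
```

A result with `peer_requires_auth` of `None` and no received challenge means the link is authenticated in one direction only: r3 verifies r4, but r4 never verifies r3.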