RE: interesting traffic on server (isdn callback)

From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Sun Feb 08 2004 - 16:54:44 GMT-3


Rich,

Technically speaking ISDN Callback via AAA works with Rotary group on Server
and dial profiles on client (as shown in CCO example and in ciscopress
book) and with Legacy DDR on both server and client. Please note ciscopress
book You mentioned has a lot of Copy/Paste from CCO...(or maybe vice versa
;)

I say works because I tested it on many 12.2 or 12.2T (radius, tacacs, mppp,
dialer-watch, ospf demand, etc). I would say it more often works with
Legacy (especially MPPP). We all know how buggy this subject is. I don't have
any idea whether there are any conceptual limitations (besides IOS developers'
bugs) why it doesn't work with dialer profiles on server for example. At
least it never worked for me.
So I would say rotary-group is not necessary on server but dialer profiles
should NOT be used on server, if somebody made it work, please let me know
the version of code.

I don't know what we must use on lab. I would think that it depends on Lab
requirements and willingness of proctor to say You are allowed to use both
or You are not allowed to use something (after You show them that You
understand subject and what You are asking for). When I was preparing for
R&S Lab I always followed this tactic. Unfortunately these days on Sec Lab
it's more about luck - like lottery.

So... Good Luck ;)

Thanks,
Dmitry

> -----Original Message-----
> From: rich doty [mailto:rich_doty@hotmail.com]
> Sent: Sunday, February 08, 2004 2:29 PM
> To: dmitry.volkov@rogers.com; patrick.basso@groupstudy.com
> Cc: ccielab@groupstudy.com; security@groupstudy.com
> Subject: RE: interesting traffic on server (isdn callback)
>
>
> What's your opinion on Dialer Rotary group? Is this necessary on the
> callback server? Dmitry Bokotey's Practical Studies example shows it, and so
> do some examples on CCO. If it works without it, is it more correct to
> configure dialer profiles on the server and the client?
>
> Rich
>
>
> >From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> >Reply-To: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> >To: <patrick.basso@groupstudy.com>
> >CC: <ccielab@groupstudy.com>, <security@groupstudy.com>
> >Subject: RE: interesting traffic on server (isdn callback)
> >Date: Sun, 8 Feb 2004 10:45:49 -0700
> >
> >when idle time is not equal 0 it doesn't matter whether dialer-group
> >configured (denying all IP) or not configured at all
> >please note: I talk about server
> >
> >with regards to dialer-group on client when we have dialer watch
> >configured - we don't need dialer-group because
> >watched routes are "interesting" traffic, checked every idle period (def
> >120 sec)
> >
> >if we have dialer group allowing some traffic which constantly resets idle
> >timeout - ISDN will stay UP as long as interesting traffic (other than
> >watched route) is going through isdn.
> >
> >Dialer watch will still be able to notice that Primary route is UP via other
> >interface
> >00:48:32: DDR: Dialer Watch: watch-group = 1
> >00:48:32: DDR: network 10.10.10.0/255.255.255.0 UP,
> >00:48:32: DDR: primary UP
> >but it will not disconnect call because of other interesting traffic
> >defined with dialer list/group
> >
> >However my quest was more about psychology/intuition rather than
> >technology :)
> >
> >When I asked to have callback ISDN backup scenario when client calls
> >server, server gets dial string from AAA and calls back to client - Should I
> >config dialer group with proper acl on server (callback scenario) considering
> >that server is "capable" to initiate call
> >and forget about the fact that server will disconnect call after idle timer
> >is expired.
> >I.e. should server be "interesting traffic" aware and participate in
> >maintenance of interesting traffic or it's really client's duty ?
> >I have feeling that lab is graded based on exactly what they expect but not
> >on any working config not contradicting with requirements
> >
> >In well known CCO example
> >http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a00800946ff.shtml
> >author configs idle timeout and dialer group on server. It doesn't make much
> >sense for me for any type of isdn BACKUP situations because server's
> >function is to call back and since client did initiate call - because it lost
> >watched route or because of connected interface was down (or whatever else
> >backup situation) - it should be client's function when and why to
> >disconnect call.
> >Server doesn't have even dial string - it gets it from AAA during callback
> >only.
> >At the same time I agree that in normal remote access (not backup) scenario it
> >may be perfectly legitimate to have dialer group and idle > 0 on server
> >
> >just interesting to hear diff opinions...
> >
> >Thanks,
> >Dmitry
> >
> > > -----Original Message-----
> > > From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
> > > Sent: Sunday, February 08, 2004 11:16 AM
> > > To: ccielab@groupstudy.com
> > > Cc: 'Dmitry Volkov'
> > > Subject: RE: interesting traffic on server (isdn callback)
> > >
> > >
> > > I've had problems without the dialer-group or at least a dialer watch
> > > commands in the bri configs. When I don't need it I normally put a
> > > dialer-list 1 protocol ip deny.
> > >
> > > Is there a difference between not having, and denying everything with
> > > it?
> > >
> > > At one time I thought there was, and haven't reexamined it since.
> > >
> > >
> > > BTW, someone posted the isdn rollover delay 1 command a few weeks back.
> > > Thank you. You would not believe how I fought with my damn routers
> > > getting multiline dialback to work. I added that command and life is
> > > good.
> > >
> > > Speaking of timing with callback, what timing settings do you use?
> > > Carrier wait of 2 on one side, and (can't think of it right now) of 4 on
> > > the other side?
> > >
> > >
> > > -----Original Message-----
> > > From: Dmitry Volkov [mailto:dmitry.volkov@rogers.com]
> > > Sent: Sunday, February 08, 2004 9:28 AM
> > > To: security@groupstudy.com
> > > Subject: interesting traffic on server (isdn callback)
> > >
> > > Group,
> > >
> > > when we configure isdn callback - what is the common sense/opinion about
> > > "dialer-group" & "dialer idle-timeout" commands
> > > on Server ?
> > >
> > > I'm asking NOT about real world but about different lab exercises we are
> > > all doing in our test environment targeting to pass lab test.
> > >
> > > My logic - since server usually isn't supposed to call client (only
> > > callback) so server doesn't need "dialer-group" at all and needs "dialer
> > > idle-timeout 0"
> > > It's duty of client to maintain / break call.
> > >
> > > Does anybody have different opinion / approach ?
> > >
> > > Thanks,
> > > Dmitry
> >



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:47 GMT-3