manualshive.com logo in svg

Cisco AS5300 - Universal Access Server, Software Configuration Manual, Page: 107 / 198

Share
Download
Cisco AS5300 - Universal Access Server Software Configuration Manual Download Page 107

C H A P T E R

 Access Service Security 4-1

4

Access Service Security

The access service security paradigm presented in this guide uses the authentication, authorization, 
and accounting (AAA) facility:

Authentication—Requires dial-in users to identify themselves and prove their identity. Requiring 
authentication before users can access the network prevents users from either accessing lines on 
the access server or connecting through the lines directly to network resources. You need to 
secure every access point.

Authorization—Prevents each user from gaining access to services and devices on the network 
that they do not need to or should not access.

Accounting—Provides records for billing and other recording purposes of who is connected and 
how long they have been connected. This chapter does not describe how to configure accounting. 

This chapter describes how to configure security using a local database resident on the access server 
or using a remote security database for Terminal Access Controller Access Control System 
() and Remote Authentication Dial-In User Service (RADIUS). To understand the 
concept of local versus remote authentication, refer to the section “Local Versus Remote Server 
Authentication” later in this chapter. 

This chapter includes the following sections:

Assumptions

Local Versus Remote Server Authentication

Configuring Authentication

Configuring Authorization

Security Examples

Caution

This chapter does not provide a comprehensive security overview. For example, it does not describe 

how to configure TACACS, Extended TACACS, Kerberos, or access lists. It presents the most commonly 
used security mechanisms to prevent unauthenticated and unauthorized access to network resources through 
Cisco access servers. For a comprehensive overview of Cisco security tools, refer to the Security 
Configuration Guide, available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/

Summary of Contents for AS5300 - Universal Access Server

Page 1: ...USA http www cisco com Cisco Systems Inc Corporate Headquarters Tel 800 553 NETS 6387 408 526 4000 Fax 408 526 4100 Cisco AS5300 Universal Access Server Software Configuration Guide Customer Order Number DOC AS5300 SCG Text Part Number 78 4534 05 ...

Page 2: ...io Plug the equipment into an outlet that is on a different circuit from the television or radio That is make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses Modifications to this product not authorized by Cisco Systems Inc could void the FCC approval and negate your authority to operate the product The following third party softw...

Page 3: ...bViewer are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn Discover All That s Possible and Empowering the Internet Generation are service marks of Cisco Systems Inc and Aironet ASIST BPX Catalyst Cisco the Cisco Certified Internetwork Expert logo Cisco IOS the Cisco IOS logo Cisco Systems Cisco Systems Capital the Cisco Systems logo Enterprise Solver EtherChannel Eth...

Page 4: ......

Page 5: ...derstanding Command Modes 2 2 How to Find Command Options 2 2 Undoing a Command or Feature 2 4 Saving Configuration Changes 2 4 Where to Go Next 2 4 Chapter 3 Basic Configuration 3 1 Configuring the Host Name and Password 3 2 Configure 3 2 Verify 3 2 Configuring Alarms 3 3 Configure 3 3 Verify 3 4 Configuring Ethernet 10BaseT 3 4 Configure 3 5 Verify 3 5 Configuring Ethernet 100BaseT 3 5 Configure...

Page 6: ...fault Values for Country Codes 3 30 Verify 3 30 Configuring Modem Pooling 3 33 Verify 3 34 Configuring Resource Pooling and Session Counting 3 35 Configure 3 35 Verify 3 38 Configuring Voice Network Data 3 39 Configure 3 39 Verify 3 39 Configuring T1 CAS for VoIP 3 41 Configure 3 41 Verify 3 42 Configuring IP Networks for Real Time Voice Traffic 3 44 Configure 3 44 Verify 3 45 Configuring RLM 3 46...

Page 7: ...curing Access to Privileged EXEC and Configuration Mode 4 4 Communicating Between the Access Server and the Security Server 4 6 Communicating with a TACACS Server 4 7 Communicating with a RADIUS Server 4 8 Configuring Authentication on a TACACS Server 4 9 Enabling AAA Globally on the Access Server 4 9 Defining Authentication Method Lists 4 10 Authentication Method List Examples 4 14 Applying Authe...

Page 8: ...ategy A 10 Modem Code Scenarios A 11 Displaying Modem Code Versions A 13 Upgrading Modem Code from the Cisco CCO TFTP Server A 14 Download Modem Code from the Cisco CCO TFTP Server to a Local TFTP Server A 14 Copy the Modem Code File from Local TFTP Server to Modems A 18 Upgrading Modem Code from Diskettes A 21 Copy the Modem Code to Your PC Hard Disk A 21 Copy the Modem Code from Your PC to the M...

Page 9: ...IP Feature Card Firmware D 2 Determine the number of VFC cards D 2 Identify the VFC ROM Monitor Version D 2 Identify the VFC ROM Monitor Mode D 3 Download Software in VCWare Mode D 3 Download Software in ROM Monitor Mode D 5 New Hardware Features D 7 Index Index ...

Page 10: ...x Book Title ...

Page 11: ...you complete the form click Submit to send it to Cisco We appreciate your comments Document Objectives This configuration guide explains the initial and basic software configuration procedures for the Cisco AS5300 Universal Access Server The guide contains procedures for running the setup script for various Cisco IOS software versions manually configuring the access server setting up basic securit...

Page 12: ...is guide is updated at major releases only and does not always contain the latest material for enhancements occurring between major releases You are shipped separate release notes or configuration notes for spares hardware and software enhancements occurring between major releases ISDN PRI Provides an updated list of the switches and also two new commands used to monitor Non Facility Associated Si...

Page 13: ...ternative but required keywords are grouped in braces and separated by vertical bars Examples use these conventions Terminal sessions and sample console screen displays are in screen font Information you enter is in boldface screen font Nonprinting characters such as passwords are in angle brackets Default responses to system prompts are in square brackets Exclamation points at the beginning of a ...

Page 14: ...nd der Standardpraktiken zur Vermeidung von Unfällen bewußt Übersetzungen der in dieser Veröffentlichung enthaltenen Warnhinweise finden Sie im Dokument Regulatory Compliance and Safety Information Informationen zu behördlichen Vorschriften und Sicherheit das zusammen mit diesem Gerät geliefert wurde Avvertenza Questo simbolo di avvertenza indica un pericolo La situazione potrebbe causare infortun...

Page 15: ...dules and command reference publications These publications are available on the documentation CD that came with your access server on the World Wide Web from Cisco s home page or in orderable printed format Cisco Connection Online Cisco Connection Online CCO is Cisco Systems primary real time support channel Maintenance customers and partners can self register on CCO to obtain additional informat...

Page 16: ...CO s Frequently Asked Questions FAQ contact cco help cisco com For additional information contact cco team cisco com Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract contact Cisco s Technical Assistance Center TAC at 800 553 2447 408 526 7209 or tac cisco com To obtain general information...

Page 17: ...g Cisco IOS Release 11 2 or 11 3 2 T see the appendix Using Setup on Cisco IOS Releases 11 2 or 11 3 2 T for intructions and screen displays Getting Started Before you power on the access server and begin to use the setup script in the System Configuration dialog make sure you have already connected the cables to the access server and configured your PC terminal emulation program for 9600 baud 8 d...

Page 18: ...k similar to the following Note The displayed messages depend on the Cisco IOS software release and feature set you selected The screen displays in this section are for reference only and might not exactly reflect the messages on your console System Bootstrap Version 12 0 3 T RELEASED SOFTWARE Copyright c 1994 1998 by cisco Systems Inc AS5300 processor with 32768 Kbytes of main memory rommon 3 b f...

Page 19: ...sor board System flash partition 2 Read Write 4096K bytes of processor board Boot flash Read Write System Configuration Dialog Step 2 When the following message appears enter yes to continue Continue with configuration dialog yes no yes At any point you may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Step 3 When the ...

Page 20: ...nable password guessme The virtual terminal password is used to protect access to the router over a network interface Step 8 Enter the virtual terminal password which is used for remote console access Enter virtual terminal password guessagain Step 9 Enter yes to the system management prompt if you want the access server to be managed by the system controller If you enter yes you need to also ente...

Page 21: ...If your asynchronous interfaces will be using the same basic configuration parameters we recommend that you group them so that they can be configured as a group Otherwise you will need to configure each interface separately Would you like to put all async interfaces in a group and configure them all at one time yes Note Dynamic IP addresses permit dial in users to choose a static IP address when t...

Page 22: ...ms Do you intend to allow users to dial in yes There are 8 controllers on this access server If you want to use the full capacity of the access server configure all controllers Controller T1 0 1 etc in software corresponds to Port 0 1 etc on the back of the access server PRI configuration can be configured to controllers all at once based on your PRI controllers selection Where as CAS configuratio...

Page 23: ...monitor the access server Configuring interface parameters Do you want to configure Ethernet0 interface no yes Configure IP on this interface no yes IP address for this interface 172 21 40 10 Subnet mask for this interface 255 0 0 0 Class B network is 172 21 0 0 16 subnet bits mask is 16 Configure LAT on this interface no Configure AppleTalk on this interface no Configure IPX on this interface no ...

Page 24: ...6 Configure the PRI D channel signaling channel Do you want to configure Serial0 23 PRI D channel interface no yes Configure IP on this interface no yes Configure IP unnumbered on this interface no IP address for this interface 173 20 30 40 Subnet mask for this interface 255 255 0 0 Class B network is 173 20 0 0 16 subnet bits mask is 16 Configure LAT on this interface no Configure AppleTalk on th...

Page 25: ... network interface Serial1 23 no ipx network interface Serial2 23 no ipx network interface Serial3 23 no ipx network isdn switch type primary 5ess controller T1 0 no shutdown framing esf linecode b8zs cas group 0 timeslots 1 24 type e m fgb dtmf dnis controller T1 1 no shutdown framing esf linecode b8zs cas group 0 timeslots 1 24 type e m fgb dtmf dnis controller T1 2 no shutdown framing esf linec...

Page 26: ...ronous interface Ethernet0 no shutdown ip address 172 21 40 10 255 255 0 0 no lat enabled no mop enabled interface FastEthernet0 duplex full speed 100 ip address 172 22 50 10 255 255 0 0 no lat enabled no mop enabled interface Serial0 no shutdown ip address 173 20 30 40 255 255 0 0 no lat enabled no mop enabled interface Serial1 shutdown no ip address interface Serial2 shutdown no ip address inter...

Page 27: ...config 1 Return back to the setup without saving this config 2 Save this configuration to nvram and exit Enter your selection 2 Use this configuration yes no yes Building configuration Use the enabled mode configure command to modify this configuration Press RETURN to get started LINK 3 UPDOWN Interface Ethernet0 changed state to up LINK 3 UPDOWN Interface Serial0 changed state to down LINK 3 UPDO...

Page 28: ...tware configuration guide and command reference publications Where to Go Next At this point you can proceed to The next chapter Using Cisco IOS Software to learn how to use the CLI to configure additional features The chapter Access Service Security to configure security on the access server The chapter Basic Configuration for step by step instructions to configure the access server manually You c...

Page 29: ... If you have never used the Cisco IOS software or need a refresher take a few minutes to read this chapter now If you are already familiar with the Cisco IOS software proceed to the next chapter Basic Configuration Getting Help Use the question mark and arrow keys to help you enter commands For a list of available commands enter a question mark 5300 To complete a command enter a few known characte...

Page 30: ... immediately return to enable mode 5300 instead of entering exit which returns you to the previous mode How to Find Command Options This section explains how to display options for a command To display options for a command enter a at the configuration prompt or after entering part of a command followed by a space The configuration parser displays options available with the command For example if ...

Page 31: ... configuration commands 5 5300 config controller cas group 0 23 Channel number Display the options for the cas group controller configuration command This command is used to configure the channel associated signaling on a T1 controller 6 5300 config controller cas group 1 timeslots List of timeslots in the cas group Display the only command timeslots available in cas group 1 7 5300 config controll...

Page 32: ...eys to help you enter commands Each command mode restricts you to a set of commands If you are having difficulty entering a command check the prompt and then enter the question mark for a list of available commands You might be in the wrong command mode or using the wrong syntax 9 5300 config controller cas group 1 timeslots 1 24 type e m fgb E M Type II FGB e m fgd E M Type II FGD e m immediate s...

Page 33: ... enter the keyword no before the command for example no ip routing You need to save your configuration changes to NVRAM so that they will not be lost if there is a system reload or power outage Proceed to the next chapter Basic Configuration to begin configuring the access server ...

Page 34: ...Where to Go Next Cisco AS5300 Universal Access Server Software Configuration Guide 2 6 ...

Page 35: ... possible only a small portion of the most commonly used configuration procedures For advanced configuration topics and procedures refer to the topic Configuring Cisco IOS Features online at http www cisco com univercd cc td doc product access acs_serv 5300 index htm You can also view these publications on the Documentation CD ROM that arrived with your access server or you can order printed copie...

Page 36: ...00 2 Router configure terminal Enter configuration commands one per line End with CNTL Z Router config Enter global configuration mode You have entered global configuration mode when the prompt changes to Router config 3 Router config hostname 5300 5300 config Change the name of the access server to a meaningful name Substitute your host name for 5300 4 5300 config enable secret guessme Enter an e...

Page 37: ...ility alarm currently monitors the following failure events Interface down T1 E1 Controller down Modem card failure Redundant Power Supply RPS failure IOS polls every second to detect the failure events that you have configured and will turn ON the alarm when any one of the failure events is detected By default facility alarm in OFF Users have to configure one of the following commands to enable m...

Page 38: ...10BaseT interface of your access server so that it can be recognized as a device on the Ethernet LAN 2 5300 facility alarm detect interface ethernet 0 Turn ON alarm when interface goes down interfaces are ethernet 0 or fastethernet 0 or serial 0 3 3 5300 facility alarm detect controller t1 0 Turn ON alarm when controller goes down values are t1 0 7 or e1 0 7 4 5300 facility alarm detect modem boar...

Page 39: ...Configuring Ethernet 10BaseT Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure terminal Enter configuration commands one per line End with CNTL Z 5300 config Enter global configuration mode You have entered the global configuration mode when th...

Page 40: ... This is the default value See Table 3 4 for details on using different combinations of speed and duplex options 6 5300 config if duplex full Sets Fast Ethernet to operate at full duplex Note To use the auto negotiation capability that is detect speed and duplex modes automatically you must set both speed and duplex to auto Setting speed to auto negotiates speed only and setting duplex to auto neg...

Page 41: ..._ds 0x606A0078 registers 0x3C210000 ib 0x4002F75C ring entries 128 rxring 0x4002F844 rxr shadow 0x606F5168 rx_head 47 rx_tail 47 txring 0x4003006C txr shadow 0x606F5388 tx_head 63 tx_tail 63 tx_count 0 tx_size 128 rx_size 128 PHY link up Duplex mode sensed by auto negotiation is half duplex and Fast Ethernet speed is 100 Mbps Enter the show interface fastethernet 0 command to verify the configured...

Page 42: ... e2 clockrate command on serial interface 0 Configure Table 3 6 Configuring Serial Interfaces Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure terminal Enter configuration commands one per line End with CNTL Z 5300 config Enter global configur...

Page 43: ...packets sec 392 packets input 33312 bytes 0 no buffer Received 392 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 358 packets output 25157 bytes 0 underruns 0 output errors 0 collisions 1 interface resets 0 output buffer failures 0 output buffers swapped out 0 carrier transitions DCD up DSR up DTR up RTS up CTS up Display the entire system configur...

Page 44: ...d 0 Line Code Violations 0 Path Code Violations Table 3 7 Configuring Channelized T1 or E1 Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure terminal Enter configuration commands one per line End with CNTL Z 5300 config Enter global configurati...

Page 45: ...0 152 error threshold of 10 6 bit rate error injection none and total time for the test 20 minutes 5300 config bert profile 1 pattern 211 O 152 threshold 10 6 error injection none duration 20 5300 config end 5300 bert controller e1 0 profile 1 5300 show controller e1 0 bert The TDM subsystem troubleshooting commands are not used during normal system operation Instead the Cisco IOS commands show th...

Page 46: ...as_interface number nfas_group number Configure all the channels for ISDN and the Non Facility Associated Signaling NFAS primary D channel Enter pri group timeslots 1 24 for T1 If E1 enter pri group timeslots 1 31 Note that you also need to configure the NFAS backup D channel to be used if the primary D channel fails on a different channelized T1 controller 6 5300 config controller controller t1 X...

Page 47: ...ed E1 balanced No alarms detected Version info of Slot 0 HW 2 Firmware 4 PLD Rev 0 Manufacture Cookie Info EEPROM Type 0x0001 EEPROM Version 0x01 Board ID 0x43 Board Hardware Version 1 0 Item Number 73 2218 3 Board Revision A0 Serial Number 05823468 PLD ISP Version 0 0 Manufacture Date 9 Oct 1997 Framing is CRC4 Line Code is HDB3 Clock Source is Line Primary Data in current interval 701 seconds el...

Page 48: ...s to appear Layer 3 Status should be No Active Layer 3 Call s The second half of the messages display information for Serial 1 23 Monitor NFAS groups by entering the show isdn nfas group number command 5300 show isdn nfas group 0 ISDN NFAS GROUP 0x0 ENTRIES The primary D is Serial0 23 The backup D is Serial1 23 There are 2 total nfas members There are 24 total available B channels The primary D ch...

Page 49: ...Busy 3 Reserved 4 Restart 5 Maint 2 2 2 2 2 2 2 2 2 2 2 2 0 0 0 0 0 0 0 0 0 0 0 3 3 3 3 3 3 3 3 Channel 1 31 Service 0 Inservice 1 Maint 2 Outofservice 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2 ISDN Se6 23 Channel 1 31 Activated dsl 6 State 0 Idle 1 Propose 2 Busy 3 Reserved 4 Restart 5 Maint 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 0 3 3 3 3 3 3 3 3 Channel 1 31 Service 0 I...

Page 50: ...rd password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure terminal Enter configuration commands one per line End with CNTL Z 5300 config Enter global configuration mode You have entered global configuration mode when the prompt changes to 5300 config 3 5300 config controller e1 0 5300 config ...

Page 51: ...cd metering ka kd dnis digits answer signal and nc congestion Sets answer signal group b to the default ITU value Resets answer signal group b 6 to the default value Note The parameters you do not set are automatically set to the ITU default by the Cisco AS5300 After you configure a country with default settings the Cisco AS5300 displays a write term similar to the one displayed here Exits the cas...

Page 52: ...roatia Russia and Slovak Republic easteurope Ecuador ITU ecuador itu Ecuador LME ecuador lme Greece greece Guatemala guatemala Hong Kong China variant hongkong china Indonesia indonesia Israel israel ITU default itu Korea korea Malaysia malaysia New Zealand newzealand Paraguay paraguay Peru peru Philippines philippines Saudi Arabia saudiarabia Singapore singapore South Africa Panafte southafrica p...

Page 53: ...rr Secs 0 Severely Err Secs 12 Unavail Secs Enter the show modem csm slot modem port command to view status for a specific modem 5300 show modem csm 1 0 MODEM_INFO slot 1 port 0 unit 0 tone r2 compelled modem_mask 0x0000 modem_port_offset 0 tty_hwidb 0x60E63E4C modem_tty 0x60C16F04 oobp_info 0x00000000 modem_pool 0x60BC60CC modem_status 0x0002 VDEV_STATUS_ACTIVE_CALL csm_state 0x0205 CSM_IC5_CONNE...

Page 54: ...M_NEAT 04BF EVENT_CALL_DIAL_IN at slot 2 and port 39 May 15 04 05 46 675 CSM_PROC_IDLE CSM_EVENT_DSX0_CALL at slot 2 port 39 May 15 04 05 46 675 Mica Modem 2 39 Configure 0x0 May 15 04 05 46 675 Mica Modem 2 39 Configure 0x3 May 15 04 05 46 675 Mica Modem 2 39 Configure 0x6 May 15 04 05 46 675 Mica Modem 2 39 Call Setup May 15 04 05 46 891 Mica Modem 2 39 State Transition to Call Setup May 15 04 0...

Page 55: ...rameters quickly on all interfaces at one time 4 5300 config if ip unnumbered ethernet 0 To conserve IP addresses configure the asynchronous interfaces as unnumbered and assign the IP address of the Ethernet interface to them 5 5300 config if encapsulation ppp Enable PPP to run on the set of interfaces in the group 6 5300 config if async mode interactive Configure interactive mode on the asynchron...

Page 56: ... 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 33 packets output 1998 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 output buffer failures 0 output buffers swapped out 0 carrier transitions Enter the show dialer map command to make sure the dialer map is up 5300 show dialer maps Dynamic dialer map ip 10 10 10 2 name remote isdn on Serial1 Tips ...

Page 57: ... Aug 28 15 40 41 103 ppp config ACK received type 7 CI_PCOMPRESSION Aug 28 15 40 41 103 ppp config ACK received type 8 CI_ACCOMPRESSION Aug 28 15 40 42 271 PPP Async1 received config for type 2 ASYNCMAP value 0xA0000 acked Aug 28 15 40 42 275 PPP Async1 received config for type 5 MAGICNUMBER value 0xA0149 acked Aug 28 15 40 42 275 PPP Async1 received config for type 7 PCOMPRESSION acked Aug 28 15 ...

Page 58: ... You must configure each serial interface to receive incoming and send outgoing modem signaling 4 5300 config if ip address 172 16 253 254 255 255 255 0 Assign an IP address and subnet mask to the interface 5 5300 config if isdn incoming voice modem Configure all incoming voice calls to go to the modems 6 5300 config if dialer group 1 Assign serial interface to dialer group 1 The dialer group numb...

Page 59: ...erial interface and protocol are up by entering the show interface serial command Also check the IP address 5300 config show interface serial 0 23 Serial0 23 is up line protocol is up Hardware is DSX1 Internet address is 61 0 0 2 8 MTU 1500 bytes BW 64 Kbit DLY 20000 usec rely 255 255 load 1 255 Encapsulation PPP loopback not set Last input 00 00 02 output 00 00 02 output hang never Last clearing ...

Page 60: ...g to dial xxxxxxxxxx Indicates that a packet has been received that passes the dial on demand access lists That packet causes dialing of a phone number The xxxxxxxxxx variable is the number being called PRI0 Unable to dial xxxxxxxxxx Displayed if the phone call could not be placed This can be due to a lack of memory full output queues or other problems PRI0 disconnecting call Displayed when the Ci...

Page 61: ...tails about the possible values associated with each field for which this identifier is relevant Channel ID Indicates the Channel Identifier The value 83 indicates any channel 89 indicates the B1 channel and 8A indicates the B2 channel For more information about the Channel Identifier refer to ITU T Q 931 Called Party Number Identifies the called party This field is only present in outgoing SETUP ...

Page 62: ...onfigured with T1 interfaces and e1 default if the access server has E1 interfaces Specify the country to set the modem parameters including encoding for Microcom modems The default is usa Note that the access server will reset the Microcom modems for the command to take effect For a list of country codes see Table 3 17 and Table 3 18 later in this section 4 5300 config if line 1 48 5300 config li...

Page 63: ...k Poland poland Finland Finland Portugal portugal France France Saudi Arabia saudi arabia Germany Germany Singapore singapore Greece Greece South Africa south africa Hong Kong hong kong Spain spain Hungary hungary Sweden sweden India india Switzerland switzerland indonesia indonesia Taiwan taiwan Ireland ireland Thailand thailand Israel israel United Kingdom united kingdom USA usa Table 3 18 MICA ...

Page 64: ...5200 inout 0 0 0 0 6 TTY 115200 115200 inout 0 0 0 0 7 TTY 115200 115200 inout 0 0 0 0 8 TTY 115200 115200 inout 0 0 0 0 9 TTY 115200 115200 inout 0 0 0 0 10 TTY 115200 115200 inout 0 0 0 0 90 VTY 0 0 0 0 Enter the show line command to display a summary for a single line 5300 show line 1 Tty Typ Tx Rx A Modem Roty AccO AccI Uses Noise Overruns I 1 TTY 115200 115200 inout 0 0 0 0 Line 1 Location Ty...

Page 65: ... the previous configuration table and configured for incoming and outgoing calls step 6 in the previous configuration table If the calls are not coming up at all turn on the debug modem debug modem csm and debug isdn q931 commands to check for problems When you finish viewing the messages turn off the messages by entering the no debug modem command 5300 debug modem 5300 debug modem csm 5300 debug ...

Page 66: ... 42bis Mica Modem 2 3 State Transition to EC Negotiating Mica Modem 2 3 State Transition to Steady State This is the sample output for an incoming ISDN voice call on a MICA modem ISDN Se0 23 RX SETUP pd 8 callref 0x0065 Bearer Capability i 0x8090A2 Channel ID i 0xE1808381 Called Party Number i 0xA1 1000 ISDN Se0 23 Incoming call id 0x3 EVENT_FROM_ISDN dchan_idb 0x60DD2D74 call_id 0x3 ces 0x1 bchan...

Page 67: ... can contain a minimum of one modem and a maximum equal to all the modems in the system This section briefly shows how to set up a minimum configuration For detailed information on using this feature refer to the command reference documents shipped with your access server Note To support modem pooling over channelized T1 lines make sure you have configured the lines as described in the section Con...

Page 68: ... Tips If you are having trouble Make sure you have not configured the same called party number for multiple pools Make sure you have not placed modems in multiple pools 4 5300 config modem pool called number phone max conn number Specifies the DNIS to be used for this modem pool The DNIS string can have an integer x to indicate a do not care digit for that position The max conn option specifies th...

Page 69: ...er profiles A DNIS group is a pool of individual DNIS numbers that are grouped together and then assigned a name A resource group is pool of resources such as HDLC framers or modems that are used to provide services to one or more customer profiles Table 3 20 Setting up DNIS and Resource Groups Step Command Purpose 1 5300 configure terminal Enter configuration commands one per line End with CNTL Z...

Page 70: ...les which are configured later in the Table 3 21 6 5300 config resource group range port slot port slot port or 5300 config resource group range limit number For a resource group comprised of modems and V 110 terminal adapters specify a range of modems to include as members in the resource group To do this enter the range port slot port slot port command 2 or For resources that are not pooled and ...

Page 71: ...s data calls that terminate on a HDLC framers such as a ISDN circuit switched data call initiated by a terminal adapter connected to a PC unlike an asynchronous analog modem call using start and stop bits The speech call type specifies normal voice calls such as calls initiated by analog modems The v110 and v120 call types specify V 110 and V 120 calls 4 5300 config customer profile limit size num...

Page 72: ...le you created by entering the show rminfo customer name command 5300 show rminfo customer acme 0 active connections 0 calls accepted 0 calls rejected due to profile limits 0 calls rejected due to resource unavailable Detailed breakup for each resource acmeisdn digita 0 calls accepted 0 calls rejected acmemodem speech 0 calls accepted 0 calls rejected Display call status information for all the ph...

Page 73: ...mber 31001 Macro Exp 14085231001 VoiceOverIpPeer103 tag 103 destination pattern 1408523 answer address group 103 Admin state is up Operation state is up Table 3 22 Configuring Voice Network Data Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 config te...

Page 74: ... the above example the num exp rule maps 31001 to 14085231001 and 14085231001 matches the destination pattern for dial peer 103 If you run show dial plan number without a match you will see something similar to the following example 5300 sh dialplan number 7870 Macro Exp 7870 No match result 1 In this case there is no number expansion for 7870 and there is no dial peer with a 7870 destination patt...

Page 75: ...300 config 3 5300 config controller t1 0 Enter controller configuration mode to configure your controller port The controller ports are labeled 0 through 3 on the Quad T1 PRI and E1 PRI cards 4 5300 config controller cas group 1 timeslots 1 24 type e m fgb dtmf dnis Configure all channels for E M FXS and SAS analog signaling Enter 1 24 for T1 If E1 enter 1 31 Signaling types include e m fgb e m fg...

Page 76: ...voice 4 VoiceEncapPeer4 tag 4 destination pattern 4 answer address group 4 Admin state is up Operation state is up incoming called number connections maximum 0 unlimited 7 5300 config controller dial peer voice 3070 pots destination pattern 30 port 0 1 prefix 30 Enter the dial peer configuration mode to configure a POTS peer Specify destination pattern for this POTS peer 8 5300 config controller d...

Page 77: ...t http www cisco com univercd cc td doc product software ios120 12cgcr np1_c Enter the show dial peer voice command or the test dialplan number command or both on the local and remote routers to verify the data is configured correctly If you have configured number expansion enter the show num exp command to check that the partial number on the local router maps to the correct full E 164 telephone ...

Page 78: ...fic Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 config term Enter configuration commands one per line End with CNTL Z 5300 config Enter global configuration mode You have entered global configuration mode when the prompt changes to 5300 config 3 53...

Page 79: ... ip Target IP address 1 13 23 1 Repeat count 5 100 Datagram size 100 1000 Timeout in seconds 2 0 Extended commands n Sweep range of sizes n Type escape sequence to abort Sending 100 1000 byte ICMP Echos to 1 13 23 1 timeout is 0 seconds Success rate is 0 percent 0 100 7 5300 config if ip rtp header compression passive Enable RTP header compression Enter passive to compress outgoing RTP packets onl...

Page 80: ... mode when the prompt changes to as5300 config 3 5300 config rlm group 1 Specify the rlm group network access server that you want to configure using the rlm group global configuration command 4 5300 config rlm group interface Loopback1 5300 config if ip address 10 1 1 1 255 255 255 255 Specify the IP address of the first interface 5 5300 config if interface Loopback2 5300 config if ip address 10 ...

Page 81: ...link 10 1 1 2 Loopback2 10 1 5 2 socket opening Note the following The link state must report being up No errors should be reported Enter the show isdn status command to view layer status information 5300 show isdn status Global ISDN Switchtype primary ni ISDN Serial0 23 interface dsl 0 interface ISDN Switchtype primary ni Layer 1 Status DEACTIVATED Layer 2 Status TEI 0 Ces 1 SAPI 0 State TEI_ASSI...

Page 82: ... Configuring ISL for VLAN Routing Use the Inter Switch Link ISL to connect multiple Virtual LANs VLANs using the Ethernet Media Access Control MAC and Ethernet media Configure Cpo Table 3 26 Configuring VLAN Routing Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to ...

Page 83: ...e debug vlan packets command When you finish viewing the messages enter the no debug vlan packets command to turn off the messages 5300 debug vlan packets Virtual LAN packet information debugging is on vLAN ISL packet received bearing color ID 16 on FastEthernet0 which has no subinterface configured to route or bridge ID 16 8 5300 config subif Ctrl Z 5300 SYS 5 CONFIG_I Configured from console by ...

Page 84: ... if exit 5300 config interface group Async 1 5300 config if group range 1 48 or for E1 PRI 5300 config if group range 1 60 Building configuration 5300 config if ipx ppp client Loopback 0 5300 config if exit Enable IPX clients to access network resources by dialing through the access server over ISDN 3 5300 config interface dialer 1 5300 config if ipx ppp client Loopback 0 Create a dialer interface...

Page 85: ...utput host access list is not set Netbios Output bytes access list is not set Updates each 60 seconds aging multiples RIP 3 SAP 3 SAP interpacket delay is 55 ms maximum size is 480 bytes RIP interpacket delay is 55 ms maximum size is 432 bytes Watchdog spoofing is disabled SPX spoofing is disabled idle time 60 IPX accounting is disabled IPX fast switching is configured disabled RIP packets receive...

Page 86: ...r global configuration mode You have entered global configuration mode when the prompt changes to 5300 config 2 5300 config appletalk routing 5300 config appletalk virtual net 2 ATCP Zone Enable AppleTalk routing and set the AppleTalk zone ATCP1 on network 2 your network number and zones may differ All users that dial in to the system will belong to the AppleTalk network 2 in the AppleTalk zone AT...

Page 87: ... for type 8 ACCOMPRESSION acked ipcp sending CONFREQ type 2 CI_COMPRESSTYPE slots 15 csid 0 ipcp sending CONFREQ type 3 CI_ADDRESS Address 171 60 199 193 Resetting ATCP atcp sending CONFREQ type 6 CI_AT_SERVERINFO values 119132 6 atcp sending CONFREQ type 7 CI_AT_ZONEINFO values 1191B3 9 atcp sending CONFREQ type 8 CI_AT_DEFAULT_ROUTER values 5 C7 Enter the show interface async 1 command 5300 show...

Page 88: ...f the appletalk debug commands 5300 debug appletalk arp Appletalk address resolution protocol aurp connection AURP connection aurp packet AURP packets aurp update AURP routing updates domain AppleTalk Domain function eigrp all All AT EIGRP functions eigrp external AT EIGRP external functions eigrp hello AT EIGRP hello functions eigrp packet AT EIGRP packet debugging eigrp query AT EIGRP query func...

Page 89: ... group stackq Create a stack group and assign this access server to it 4 5300 config sgbp member systemb 172 16 188 2 5300 config sgbp member systemc 172 16 189 254 Specify the host name and IP address of the peer member of the stack group In this example there are two peers systemb and systemc 5 5300 config sgbp seed bid offload Set the bidding level for a stack group member Offload indicates tha...

Page 90: ...e configured for the sgbp group otherwise the servers will not be able to talk to each other Tips If you are having trouble Enter the debug sgbp command to view a list of available debugging commands 5300 debug sgbp errors SGBP errors events SGBP events hellos SGBP connection hellos messages SGBP messages queries SGBP mastership queries 11 5300 config if ppp multilink Enable Multilink PPP on the v...

Page 91: ...iew event messages When you finish viewing the messages enter the no debug sgbp events to turn off the messages 5300 debug sgbp events Mar 4 12 26 46 441 EST SGBP 7 CLOSE Closing pipe for member 5300 3 Mar 4 12 26 46 445 EST SGBP 5 LEAVING Member 5300 3 leaving grouptest The above event message indicates that the sgbp connection went down and 5300 3 is no longer part of the 5300 7 sgbp group You c...

Page 92: ...ify your VPDN configuration Enter the show vpdn command to make sure the tunnels are active see line 2 in the following example 5300 show vpdn Active L2F tunnels 2 Table 3 30 Configuring VPDN Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure te...

Page 93: ...l errors l2f events L2F protocol events l2f packets L2F protocol packets packet VPDN packet Enter debug commands to view error information When you finish viewing the messages enter no debug vpdn command to turn off the debug messages This is sample output for the debug vpdn event command 5300 debug vpdn event VPN events debugging is on May 15 17 55 49 367 LINK 3 UPDOWN Interface Virtual Access239...

Page 94: ...0 channels It is required for North American SS7 compliance Note You must have installed MICA 2 6 1 0 portware which supports the COT feature Configure There are no configuration tasks Verify Use the following commands to verify COT Display information about the COT DSP Digital Signal Processor configuration or current status by entering the show cot dsp status or config command 5300 show cot dsp ...

Page 95: ...st s 0 of restart requests s 0 08 23 24 of successful request s 0 of invalid request s 0 08 23 24 of cot timeout s 0 of dsp error s 0 08 23 24 of no dsp s 0 08 23 24 COT Request Type COT_CUT_OUT_TRANSPONDER 08 23 24 of request s 0 of restart requests s 0 08 23 24 of successful request s 0 of invalid request s 0 08 23 24 of cot timeout s 0 of dsp error s 0 08 23 24 of no dsp s 0 Use the debug cot a...

Page 96: ... 58 Invoke NI2 callback to inform COT request status 00 04 58 In cot_callback 00 04 58 returned key 0xFFF1 status 0 00 04 58 Return from NI2 callback 00 04 58 COT Request Transition to IDLE 00 04 58 COT Received DSP Q Event 00 04 58 COT DSP 1 0 Done 00 04 58 COT DSP 1 0 De allocated 5300 debug cot dsp 00 10 42 COT DSP 1 1 Allocated 00 10 43 In cot_callback 00 10 43 returned key 0xFFF1 status 0 00 ...

Page 97: ...elnino_uut no logging buffered logging monitor notifications enable password lab bert profile default pattern 220 O 151QRSS threshold 10 6 error injection none duration 10 ip subnet zero ip ftp source interface Ethernet0 ip ftp username melai no ip domain lookup ip domain name cisco com isdn switch type primary net5 chat script dial ATDT T TIMEOUT 120 CONNECT p Table 3 31 Saving Configuration Chan...

Page 98: ...ne secondary 2 pri group timeslots 1 31 controller E1 5 clock source line secondary 2 pri group timeslots 1 31 controller E1 6 clock source line secondary 2 pri group timeslots 1 31 controller E1 7 clock source line secondary 2 pri group timeslots 1 31 interface Serial0 ip address 10 1 1 1 255 255 255 0 no ip directed broadcast encapsulation ppp no ip mroute cache no keepalive no fair queue no cdp...

Page 99: ...tion ppp no keepalive dialer idle timeout 4000 dialer load threshold 5 either dialer group 1 isdn switch type primary net5 isdn incoming voice modem no fair queue no cdp enable ppp authentication chap interface Serial2 15 ip address 22 0 0 1 255 0 0 0 no ip directed broadcast encapsulation ppp no keepalive dialer idle timeout 4000 dialer load threshold 5 either dialer group 1 isdn switch type prim...

Page 100: ... incoming voice modem no fair queue no cdp enable ppp authentication chap hold queue 75 in interface Serial6 15 ip address 26 0 0 1 255 0 0 0 no ip directed broadcast encapsulation ppp no keepalive dialer idle timeout 4000 dialer load threshold 5 either dialer group 1 isdn switch type primary net5 isdn incoming voice modem no fair queue no cdp enable ppp authentication chap hold queue 75 in interf...

Page 101: ...ddress no fair queue no cdp enable ppp authentication chap group range 31 60 hold queue 10 in interface Group Async3 ip unnumbered FastEthernet0 no ip directed broadcast encapsulation ppp no ip mroute cache async default routing async mode interactive no peer default ip address no fair queue no cdp enable ppp authentication chap group range 61 90 hold queue 10 in interface Group Async4 ip unnumber...

Page 102: ... encapsulation ppp no ip mroute cache async default routing async mode interactive no peer default ip address no fair queue no cdp enable ppp authentication chap group range 181 210 hold queue 10 in interface Group Async8 ip unnumbered FastEthernet0 no ip directed broadcast encapsulation ppp no ip mroute cache async default routing async mode interactive no peer default ip address no fair queue no...

Page 103: ...tion version 12 0 service timestamps debug uptime service timestamps log uptime no service password encryption hostname elnino_elnino1 boot system flash c5300 js mz 0 13 0 no logging console enable secret 5 1 anWm O2KfOHriUEkgs eu JFfl linecode b8zs pri group timeslots 1 24 controller T1 1 framing esf clock source line secondary 1 linecode b8zs pri group timeslots 1 24 controller T1 2 framing esf ...

Page 104: ...ss 24 1 3 1 255 255 255 0 no ip directed broadcast no ip mroute cache no keepalive interface Serial0 ip address 120 0 0 1 255 0 0 0 no ip directed broadcast no ip mroute cache no fair queue interface Serial1 ip address 26 1 2 5 255 0 0 0 no ip directed broadcast no ip mroute cache no fair queue interface Serial2 ip address 130 4 3 2 255 255 0 0 no ip directed broadcast no ip mroute cache no fair q...

Page 105: ...imeslots 1 24 type e m fgb controller T1 1 framing esf clock source line secondary 1 linecode b8zs cas group 2 timeslots 1 24 type e m fgb controller T1 2 framing esf clock source line secondary 1 linecode b8zs cas group 3 timeslots 1 24 type e m fgb controller T1 3 framing esf clock source line secondary 1 linecode b8zs cas group 4 timeslots 1 24 type e m fgb controller T1 4 framing esf clock sou...

Page 106: ... queue interface FastEthernet0 no ip address no ip directed broadcast shutdown Where to Go Next At this point you can proceed to The chapter Access Server Security to configure security on your access server The Cisco IOS software configuration guide feature modules command reference publications and Dial Solutions Configuration Guide for more advanced configuration topics These publications are a...

Page 107: ...configure security using a local database resident on the access server or using a remote security database for Terminal Access Controller Access Control System TACACS and Remote Authentication Dial In User Service RADIUS To understand the concept of local versus remote authentication refer to the section Local Versus Remote Server Authentication later in this chapter This chapter includes the fol...

Page 108: ...ADIUS Generally the size of the network and type of corporate security policies determines whether you use a local or remote security database Local Security Database If you have one or two access servers providing access to your network you should store username and password security information on the Cisco access server This is referred to as local authentication See Figure 4 1 Figure 4 1 Local...

Page 109: ...mation about the interaction between security servers and access servers refer to the Security Configuration Guide available online at http www cisco com univercd cc td doc product software ios113ed 113ed_cr secur_c Figure 4 2 Remote Security Database A remote centralized security database is useful when you have a large number of access servers providing network access It prevents having to updat...

Page 110: ...re access to privileged EXEC also called enable mode Enable mode provides access to configuration mode which enables any type of configuration change to the access server To secure Privileged EXEC mode use one of the commands listed in Table 4 1 Pri For more information about the enable password and enable secret commands and their complete syntax refer to the Security Command Reference available ...

Page 111: ... configuration mode You have entered global configuration mode when the prompt changes to 5300 config 3 5300 config enable secret guessme Enter a secret enable password This password provides access to privileged EXEC mode Substitute your own enable secret password instead of using guessme 4 5300 config if Ctrl Z 5300 SYS 5 CONFIG_I Configured from console by console 5300 Return to enable mode Thi...

Page 112: ...with a security server This process is similar for communicating with TACACS and RADIUS servers If you are using local authentication refer to the section Enabling AAA Globally on the Access Server later in this chapter If you are using a remote security server for authentication and authorization you must configure the security server before performing the tasks described in this chapter The sect...

Page 113: ...onfig Enter global configuration mode You have entered global configuration mode when the prompt changes to 5300 config 3 5300 config tacacs server host alcatraz Enter the IP address or host name of the remote TACACS server host The host is typically a UNIX system running TACACS software In this example the host name is alcatraz 4 5300 config tacacs server key abra2cad Enter a shared secret text s...

Page 114: ...t http www cisco com univercd cc td doc product software ios113ed 113ed_cr secur_c Table 4 4 Establishing Communication with a RADIUS Security Server Step Command Description 1 5300 enable Password password 5300 Enter enable mode Enter the password You have entered enable mode when the prompt changes to 5300 2 5300 configure terminal Enter configuration commands one per line End with CNTL Z 5300 c...

Page 115: ...d default authentication etc passwd Authenticate using an s key If you have built and linked in an s key library and compiled TACACS to use the s key you can specify that a user be authenticated via the s key as shown in the following example user bbbb login skey On the access server configure authentication on all lines including the vty and console lines by entering the following commands beginn...

Page 116: ...odel Defining Authentication Method Lists After you enable AAA globally on the access server you need to define authentication method lists which you then apply to lines and interfaces These authentication method lists are security profiles that indicate the protocol ARAP or PPP or login and authentication method TACACS RADIUS or local authentication To define an authentication method list follow ...

Page 117: ...uthentication method built into ARA is used The full command is aaa authentication arap Identify a List Name A list name identifies each authentication list You can choose either to use the keyword default or choose any other name that describes the authentication list For example you might give it the name ppp radius if you intend to apply it to interfaces configured for PPP and RADIUS authentica...

Page 118: ... encrypts the entire payload of packets passed across the network whereas RADIUS only encrypts the password when it crosses the network TACACS can query the security server multiple times whereas a RADIUS server gives one response only and is therefore not as flexible regarding per user authentication and authorization attempts Moreover RADIUS does not support authentication of ARA Table 4 6 Authe...

Page 119: ... using the subsequent security methods if the user entered the incorrect password Populate the Local Username Database if Necessary If you specify local as the security method you must specify username profiles for each user who might log in An example of specifying local authentication is as follows 5300 config aaa authentication login deveng local This command specifies that any time a user atte...

Page 120: ...ntosh users dialing in to an AppleTalk network through the access server be authenticated by a TACACS daemon 5300 config aaa authentication arap default tacacs The following example creates an authentication method list that Enables guest access if the guest has been authenticated at the EXEC facility Queries a TACACS daemon for authentication Polls the line login authentication password if the TA...

Page 121: ...fault 5300 config line line vty 0 4 5300 config line login authentication default In the following example the login authentication list named rtp2 office which uses RADIUS authentication is created It is applied to all 54 lines on a Cisco AS5300 access server configured with a dual T1 PRI card including the console CON port the 48 physical asynchronous tty lines the auxiliary AUX port and 5 virtu...

Page 122: ...keting Configuring Authorization You can configure the access server to restrict user access to the network so that users can only perform certain functions after successful authentication As with authentication authorization can be used with either a local or remote security database This guide describes only remote security server authorization A typical configuration probably uses the EXEC faci...

Page 123: ...andatory list If found add the daemon s AV pair to the output e If not found look for the first attribute match in the mandatory list If found add the daemon s AV pair to the output f If no mandatory match exists look for an exact AV pair match among the daemon s optional AV pairs If found add the daemon s matching AV pair to the output g If no exact match exists locate the first attribute match a...

Page 124: ... user to run the EXEC process if the user is already authenticated If the user is not already authenticated the Cisco IOS software defers to a RADIUS server for authorization information 5300 config aaa authorization exec if authenticated radius The following example configures network authorization If the TACACS server does not respond or has no information about the username being authorized the...

Page 125: ...privilege exec level 7 privilege network level 8 password 7 095E470B1110 username bbbb privilege network level 7 password 7 0215055500070C294D username cccc privilege network level 7 password 7 095E4F10140A1916 privilege exec level 8 ppp privilege exec level 8 arap privilege exec level 8 slip line console 0 login authentication default line 1 48 arap authentication default interface Group Async1 p...

Page 126: ... The following example shows how to create authentication lists A RADIUS server named server219 is polled for authentication information so you do not need to define a local username database The shared key between the access server and the RADIUS security server is BaBe218 A login authentication list named fly is created then applied to all lines that users can log in to except the console port I...

Page 127: ...product access acs_serv 5300 hw_inst index htm You can manage your modems using monitoring polling and troubleshooting commands For both Microcom and MICA modems most of the modem management functions are identical This appendix discusses procedures and commands common to both types of modems and procedures and commands that apply to only one type of modem Sections or commands that apply to only o...

Page 128: ...t session Establish the session Table A 1 describes all the steps necessary to enter AT command mode on the access server Table A 1 Entering AT Command Mode for Microcom Modems Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode also called privileged EXEC mode Enter the password You have entered enable mode when the 5300 prompt appears 2 5300 configure terminal Enter confi...

Page 129: ...rl C 5300 When done entering AT commands press Ctrl C to return to enable mode 1 TA Terminal Adapter Table A 2 Entering AT Command Mode for MICA Modems Step Command Purpose 1 5300 telnet ip address line Trying 172 0 0 1 2001 Open Open a reverse Telnet connection to the modem In the command shown here ip address is the IP address of the access server and line is the two digit line number of the mod...

Page 130: ...csm slot modem port group number Show the call switching module status for a single or group of modems show modem group Display group information for the modems show modem log slot modem port group number Show the event log status for a modem or group of modems This command applies to Microcom modems only show modem operational status slot modem group number Display the operational status for all ...

Page 131: ... autoconfigure discovery Check the modem type and configure the modem automatically The modem is identified each time the line is reset If a modem cannot be detected the line continues retrying for 10 seconds When the modem type is determined this information remains stored until the modem is recycled or disconnected Discovery mode is much slower than configuring a line directly Each time the mode...

Page 132: ...atus or statistics enter the following command in global configuration mode the prompt is displayed as 5300 config modem poll retry number Set maximum number of polling attempts The default is three polling attempts The configuration range is from 0 to 10 attempts If the number of attempts to retrieve modem status or statistics exceeds the number you define the out of band port is removed from ope...

Page 133: ...e modem by executing the test modem back to back command The no modem startup test command disables startup testing Test Two Modems Back to Back Perform additional testing on a modem suspected of being inoperable by conducting a series of internal back to back connections and data transfers between two modems All modem test connections occur inside the access server For example if mobile users can...

Page 134: ...g or answering calls enter one of the following commands in line configuration mode the prompt is displayed as 5300 config line modem busyout Gracefully disable a modem from dial up services modem shutdown Abruptly shut down a modem from dial up services The modem busyout command is not executed until the active modem is idle No active connections are interrupted when you use this command In contr...

Page 135: ...ss server 4 Upgrading the modem code Caution Cisco ships the access server with the latest version of modem code installed in the system Flash memory and mapped to the modems If you choose to use the modem code bundled with your installed Cisco IOS software you could be reverting to a previous version of modem code Also note that once you map the bundled modem code using the copy system ucode file...

Page 136: ...e command dir system ucode Choosing an Update Strategy Because of multiple versions of modem code and the way Cisco IOS software processes these versions Cisco suggests that you choose one of the following two strategies Always allow Cisco IOS software to select the version of modem code Always control the version of modem code used by the modules independent of Cisco IOS software selections Cauti...

Page 137: ...See Copy the Modem Code from Your PC to the Modems later in this appendix for details 4 The modems are running a version of modem code from system Flash memory that is different than the version bundled with Cisco IOS software You decide to revert to the bundled version Use the Cisco IOS command copy system ucode filename modem or for Cisco IOS releases earlier than 11 3AA or 12 0 the copy ios bun...

Page 138: ...rsion 2 Cisco IOS Release B Modem Code Version 1 2 You upgrade Cisco IOS software to Release C Cisco IOS software uses mapping from last copy command at Time 1 1 1 This example assumes the last copy command was copy flash modem and Modem Code Version 1 was specified Cisco IOS Release C Modem Code Version 1 You enter the copy system ucode filename modem command or for Cisco IOS releases earlier tha...

Page 139: ... Flash memory After one copy system ucode filename modem command future Cisco IOS upgrades will potentially result in the downloading of new Cisco IOS bundled firmware to the modems If the new Cisco IOS image contains the same modem code as the old one no new code will be downloaded to the modems copy tftp flash filename command Places a copy of the modem code in system Flash memory copy flash mod...

Page 140: ...le Version Firmware Type flash 1 mica modem portware 2 2 3 0 bin 2 3 0 Mica Portware flash 2 mcom modem firmware 3 1 30 bin 3 1 30 Microcom Firmware Upgrading Modem Code from the Cisco CCO TFTP Server Upgrading modem code from the Cisco CCO TFTP server is a two step process Downloading the modem code from Cisco CCO TFTP server to a local TFTP server Copying the modem code file to the access server...

Page 141: ...MICA modems click Download Modem Portware Images Step 6 Click the modem code file you want to download and then follow the remaining download instructions If you are downloading the modem code file to a PC make sure you download it to the c tftpboot directory otherwise the download process will not work Step 7 When the modem code is downloaded to your workstation transfer the file to a TFTP server...

Page 142: ...isco com 230 230 In general ftpeng cisco com is used only for 230 distribution of Cisco Engineering controlled 230 projects such as beta programs early field 230 trials developing standards documents etc 230 230 Be sure to confirm you have connected to 230 the machine you need to interact with 230 230 If you have any odd problems try logging in with a minus sign as 230 the first character of your ...

Page 143: ... 2304 May 27 10 07 README txt r r r 1 ftpadmin ftpint 377112 Jul 10 18 08 mcom modem code x x x bin r r r 1 ftpadmin ftpint 635 Jul 10 18 08 mcom modem code 3 1 30 readme 226 Transfer complete Step 5 Specify a binary image transfer ftp binary 200 Type set to I Step 6 Copy the modem firmware files from the access server to your local environment with the get command The following example downloads ...

Page 144: ...e from Diskettes later in this appendix for details Step 2 Enter the access server enable mode the prompt is displayed as 5300 5300 enable Password password 5300 Step 3 Check the files in the access server system Flash memory 5300 show flash System flash directory File Length Name status 1 4530624 c5300 js mx 498776 bytes used 16278440 available 16777216 total 16384K bytes of processor board Syste...

Page 145: ... 2 0 started firmware download Nov 30 21 17 43 578 MODEM 5 DL_START Modem 2 1 started firmware download Nov 30 21 17 43 578 MODEM 5 DL_START Modem 2 2 started firmware download Nov 30 21 17 43 578 MODEM 5 DL_START Modem 2 3 started firmware download Nov 30 21 17 53 170 MODEM 5 DL_GOOD Modem 2 11 completed firmware download Nov 30 21 17 53 598 MODEM 5 DL_GOOD Modem 2 12 completed firmware download ...

Page 146: ... Length Name status 1 5826036 c5300 js mz 5826100 bytes used 10951116 available 16777216 total Address or name of remote host jurai jurai Source file name mcom modem code 3 1 30 bin Destination file name mcom modem code 3 1 30 bin mcom modem code 3 1 30 bin Accessing file mcom modem code 3 1 30 bin on tftp_server Loading mcom modem code 3 1 30 bin from 223 255 254 254 via Ethernet0 OK Erase flash ...

Page 147: ...ains a TFTP server program for PCs using Microsoft Windows 95 Run the TFTP server program from the directory where you installed the RSL program Remember to set the root directory to the directory where the Cisco AS5300 modem code is located The RSL and the TFTP applications are also available on CCO in the software library in the Access Products section Copy the Modem Code to Your PC Hard Disk Th...

Page 148: ... Set your TFTP server root directory Choose Server Root Directory from the Options menu Choose c tftpboot from the Drives and list boxes Click OK Caution If you do not select the c tftpboot directory as your TFTP server directory you will not be able to perform the copy procedure This also applies if you are using RCP on your system Connect your PC and the Access Server Step 1 Use straight through...

Page 149: ...ts 8 Parity None Stop bits 1 Flow control None Step 7 Click OK The HyperTerminal dialog box appears Step 8 Press Enter to display the 5300 prompt Note If the access server prompt does not appear you might have selected the wrong COM port the cable connections could be incorrect or bad or the access server might not be powered on Ping the PC and Access Server Ping the access server and the PC to ma...

Page 150: ...ch time the access server power cycles The following code examples show a download to MICA modems Use the same steps to download to Microcom modems Step 1 Check the image in the access server Flash memory 5300 show flash System flash directory File Length Name status 1 4530624 c5300 js mx 498776 bytes used 16278440 available 16777216 total 16384K bytes of processor board System flash Read Write St...

Page 151: ...are download Feb 27 21 17 53 598 MODEM 5 DL_GOOD Modem 2 14 completed portware download Note The code is downloaded to the module not the individual slots as shown Using the Modem Code Bundled with Cisco IOS Software Use this procedure to update modem code on the modems in your access server if you decide to use the version of modem code bundled with Cisco IOS software instead of the version alrea...

Page 152: ...lot port group number all 0 0 Copy system ucode microcom_firmware to modems yes no yes 5300 Mar 11 22 55 38 734 MODEM 5 DL_START Modem 0 0 started firmware download Mar 11 22 57 08 699 MODEM 5 DL_GOOD Modem 0 0 completed firmware download MNPClass10V 90ModemRev5 0 40 85 This command does not affect any existing modem code that resides in system Flash memory in case you later want to revert to it I...

Page 153: ...nable the Break key and to default to booting at the ROM monitor while running the system software reset the configuration register to 0x0 by entering configuration mode and enter the following configuration command config reg 0x0 The new configuration register value 0x0 takes effect after the access server is rebooted with the reload command If you set the configuration to 0x0 you will have to ma...

Page 154: ...rn shell The alias command is used to set and view aliased names This allows the user to alias command names to a letter or word Aliasing is often used to shorten command names or automatically invoke command options Aliases are stored in NVRAM and remain intact across periods of no power These are some of the set aliases b boot h history i reset r repeat k stack help ROM Monitor Commands At the R...

Page 155: ...d device name is not recognized by the ROM monitor the system will attempt to boot the image imagename from a network TFTP server Do not insert a space between devid and imagename Options to the boot command are x load image but do not execute and v verbose The form of the boot command follows boot xv devid imagename b Boots the default system software from ROM b filename host Boots using a networ...

Page 156: ...n enable load rom after netboot fails y n n enable use all zero broadcast y n n enable break abort has effect y n n enable ignore system config info y n n change console baud rate y n n yes enter rate 0 9600 1 4800 2 1200 3 2400 0 0 change the boot characteristics y n n yes enter to boot 0 ROM Monitor 1 the boot helper image 2 15 boot system 0 0 Configuration Summary enabled are diagnostic mode co...

Page 157: ...ash PCMCIA slot 1 dir devid Lists the files on the named device For example rommon 11 dir flash File size Checksum File name 65 bytes 0x41 0xb49d clev oddfiles65 2229799 bytes 0x220627 0x469e C5300 k z dlnd xv args Downloads in binary format through the console and executes The x option downloads but does not execute The v option allows you to specify the verbose level The optional arguments are p...

Page 158: ...meminfo main memory information repeat repeat a monitor command reset system reset set display the monitor variables stack produce a stack trace sync write monitor environment to NVRAM sysret print out info from last system return unalias unset an alias unset unset a monitor variable xmodem x y modem download history or h Displays the command history that is the last 16 commands executed in the mo...

Page 159: ...the last booted system image This includes the reason for terminating the image a stack dump of up to eight frames and if an exception is involved the address where the exception occurred For example rommon 8 sysret System Return Info count 19 reason user break pc 0x60043754 error address 0x0 Stack Trace FP 0x80007e78 PC 0x60043754 FP 0x80007ed8 PC 0x6001540c FP 0x80007ef8 PC 0x600087f0 FP 0x80007...

Page 160: ...Cisco AS5300 Universal Access Server Software Configuration Guide ROM Monitor Commands B 8 ...

Page 161: ...onnected the cables to the access server Configured your PC terminal emulation program for 9600 baud 8 data bits no parity and 2 stop bits All configuration will be performed from your PC terminal emulation program window Complete these steps Note If you make a mistake you can exit and run the System Configuration dialog again Press Ctrl c and type setup at the enable mode prompt 5300 Step 1 Power...

Page 162: ...rogram load complete entry point 0x80008000 size 0x415b20 Self decompressing the image OK Restricted Rights Legend Use duplication or disclosure by the Government is subject to restrictions as set forth in subparagraph c of the Commercial Computer Software Restricted Rights clause at FAR sec 52 227 19 and subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS sec...

Page 163: ...ace summary yes Any interface listed with OK value NO does not have a valid configuration Interface IP Address OK Method Status Protocol Ethernet0 unassigned NO unset up up FastEthernet0 unassigned NO unset up down Step 5 Enter a host name for the access server this example uses 5300 Configuring global parameters Enter host name Router 5300 The enable secret is a one way cryptographic secret used ...

Page 164: ...ialing in via modems configure these lines Configure Async lines yes Async line speed 115200 Note We recommend that you do not change this speed Will you be using the modems for inbound dialing yes Note If your asynchronous interfaces will be using the same basic configuration parameters we recommend answering yes to the next prompt That way you group the modems so that they can be configured as a...

Page 165: ...ass B network is 172 21 0 0 0 subnet bits mask is 16 Configure AppleTalk on this interface no yes Extended AppleTalk network no AppleTalk network number 0 10 AppleTalk zone name myzone etherzone Configure IPX on this interface no yes IPX network number 1 Step 12 Configure the Fast Ethernet 0 interface Is this interface in use yes Note Full duplex mode enables simultaneous data transfer between a s...

Page 166: ...s server Configuring controller T1 0 Is this controller in use yes Will you be using PRI on this controller yes Would you like to enable multilink PPP yes Note If you want to configure the access server for channelized T1 enter no to the above prompt Configuring controller T1 1 Is this controller in use yes Will you be using PRI on this controller yes Would you like to enable multilink PPP yes Con...

Page 167: ...to prevent network conflicts interface Ethernet0 no ipx network interface FastEthernet0 no ipx network interface Ethernet0 ip address 172 21 40 10 255 255 0 0 appletalk address 10 0 appletalk zone etherzone ipx network 1 no mop enabled interface FastEthernet0 duplex full speed 100 ip address 172 22 50 10 255 255 0 0 appletalk cable range 0 0 0 0 appletalk discovery ipx network 2 no mop enabled Int...

Page 168: ...p pap ppp multilink peer default ip address pool setup_pool dialer group 1 access list 101 permit ip any any dialer list 1 list 101 controller T1 2 pri group timeslots 1 24 framing esf clock source internal linecode b8zs interface serial2 23 isdn incoming voice modem ip unnumbered Ethernet0 encapsulation ppp ppp authentication chap pap ppp multilink peer default ip address pool setup_pool dialer g...

Page 169: ...terface FastEthernet0 changed state to up LINEPROTO 5 UPDOWN Line protocol on Interface Ethernet0 changed state to up Additional messages omitted Step 16 When the messages stop displaying on your screen press Enter to get the prompt 5300 Note If you see the next message it means that no other AppleTalk routers were found on the network attached to the port AT 6 ONLYROUTER Ethernet0 AppleTalk port ...

Page 170: ...oad complete entry point 0x80008000 size 0x415b20 Self decompressing the image OK Restricted Rights Legend Use duplication or disclosure by the Government is subject to restrictions as set forth in subparagraph c of the Commercial Computer Software Restricted Rights clause at FAR sec 52 227 19 and subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS sec 252 227...

Page 171: ...does not have a valid configuration Interface IP Address OK Method Status Protocol Ethernet0 unassigned NO unset up up FastEthernet0 unassigned NO unset up Step 20 Enter a host name for the access server Configuring global parameters Enter host name Router 5300 The enable secret is a one way cryptographic secret used instead of the enable password when it exists Step 21 Enter an enable secret pass...

Page 172: ...onfigure Async lines yes Async line speed 115200 Note We recommend that you do not change this speed for modems However for V 110 terminal adapters we recommend that the speed not go above 19200 Will you be using the modems for inbound dialing yes Note If your asynchronous interfaces will be using the same basic configuration parameters we recommend that you group them so that they can be configur...

Page 173: ...about the number of bits in the host portion of the subnet mask Number of bits in subnet field 0 Class B network is 172 21 0 0 0 subnet bits mask is 16 Configure AppleTalk on this interface no yes Extended AppleTalk network no AppleTalk network number 0 10 AppleTalk zone name myzone etherzone Configure IPX on this interface no yes IPX network number 1 Step 27 Configure the Fast Ethernet 0 interfac...

Page 174: ... ISDN or analog modems Do you intend to allow users to dial in yes There are 4 controllers on this access server If you want to use the full capacity of the access server configure all controllers Controller T1 0 1 etc in software corresponds to Port 0 1 etc on the back of the access server PRI configuration can be configured to controllers all at once based on your PRI controllers selection Where...

Page 175: ... T1 lines Do you want to provision DNIS address information yes Step 10 Set the CAS configuration options for the next controller you are configuring Configuring controller T1 3 Will you be using CT1 robbed bit signaling on this controller yes The following framing types are available esf sf Enter the framing type esf The following linecode types are available ami b8zs Enter the line code type b8z...

Page 176: ...ress no ip route cache shutdown interface Serial0 23 ip unnumbered Ethernet0 encapsulation ppp no ip mroute cache dialer group 1 isdn incoming voice modem peer default ip address pool setup_pool ppp authentication chap pap ppp multilink interface Serial1 23 ip unnumbered Ethernet0 encapsulation ppp no ip mroute cache dialer group 1 isdn incoming voice modem peer default ip address pool setup_pool ...

Page 177: ... completed the basic access server configuration However this is not a complete configuration At this point you have two options Run the setup script in the System Configuration dialog again and create another configuration Enter the following commands to repeat the setup script 5300 enable Password password 5300 setup Modify the existing configuration or configure additional features with the CLI...

Page 178: ...llers you will be using for PRI configuration 4 1 Configuring controller parameters Configuring controller E1 0 Configuring PRI on this controller Step 4 Set the CAS configuration options for the first controller you are configuring First enter yes to set channel associated signaling on the controller Configuring controller E1 1 Will you be using CE1 channel associated signaling on this controller...

Page 179: ...columbia 6 costarica 7 easteurope 8 ecuador itu 9 ecuador lme 10 greece 11 guatemala 12 hongkong china 13 indonesia 14 israel 15 korea 16 malaysia 17 newzealand 18 paraguay 19 peru 20 philippines 21 singapore 22 saudiarabia 23 southafrica panaftel 24 telmex 25 telnor 26 thailand 27 uruguay 28 venezuela 29 vietnam Enter the country name 0 Step 11 Set the CAS configuration options for the next contr...

Page 180: ...u 1 argentina 2 australia 3 brazil 4 china 5 columbia 6 costarica 7 easteurope 8 ecuador itu 9 ecuador lme 10 greece 11 guatemala 12 hongkong china 13 indonesia 14 israel 15 korea 16 malaysia 17 newzealand 18 paraguay 19 peru 20 philippines 21 singapore 22 saudiarabia 23 southafrica panaftel 24 telmex 25 telnor 26 thailand 27 uruguay 28 venezuela 29 vietnam Enter the country name 0 15 Configuring ...

Page 181: ...rmation yes R2 signaling is available for the following countries 0 itu 1 argentina 2 australia 3 brazil 4 china 5 columbia 6 costarica 7 easteurope 8 ecuador itu 9 ecuador lme 10 greece 11 guatemala 12 hongkong china 13 indonesia 14 israel 15 korea 16 malaysia 17 newzealand 18 paraguay 19 peru 20 philippines 21 singapore 22 saudiarabia 23 southafrica panaftel 24 telmex 25 telnor 26 thailand 27 ur...

Page 182: ... defaults category 2 answer signal group b 1 controller E1 3 clock source internal cas group 0 timeslots 1 15 17 31 type r2 pulse r2 semi compelled ani cas custom 0 country telnor use defaults category 2 answer signal group b 1 interface Ethernet0 no ip address no ip route cache shutdown interface Serial0 15 ip unnumbered Ethernet0 encapsulation ppp no ip mroute cache dialer group 1 isdn incoming ...

Page 183: ...mpleted the basic access server configuration However this is not a complete configuration At this point you have two options Run the setup script in the System Configuration dialog again and create another configuration Enter the following commands to repeat the setup script 5300 enable Password password 5300 setup Modify the existing configuration or configure additional features with the CLI as...

Page 184: ...Cisco AS5300 Universal Access Server Software Configuration Guide Where to Go Next C 24 ...

Page 185: ...eady running on the access server A compatibility matrix is posted on CCO s Software Center Note In certain countries use of these products or provision of voice telephony over the Internet may be prohibited and or subject to laws regulations or licenses including requirements applicable to the use of the products under telecommunications and other laws and regulations customer must comply with al...

Page 186: ...priate procedure Determine the number of VFC cards To determine the number of VFC in the system and what slot they are on perform the following task in privileged EXEC enable mode Identify the VFC ROM Monitor Version To identify the VFC ROM Monitor software version perform the following task in privileged EXEC enable mode Step Command Purpose 1 5300 enable Password password 5300 Enter enable mode ...

Page 187: ..._number VCWARE running ROMMON board 5300 Shows whether your selected voice card is running in VCWare mode or in ROM Monitor mode Step Command Purpose 1 5300 erase vfc slot_number This will erase the contents of VFC Flash Continue y n yes This will take some time Please wait vfc Erase the contents of the VFC Flash in the selected voice card 2 5300 show vfc slot_number directory Verify that the VFC ...

Page 188: ...300 show vfc 1 default list Invalid input detected at marker 5300 show vfc 1 cap list Capability List for VFC in slot 1 1 fax vfc l 0 13 0 bin 2 bas vfc l 0 13 0 bin 3 cdc g729 l 0 13 0 bin 4 cdc g711 l 0 13 0 bin 5300 5 5300 enable Password password 5300 Re enter enable mode Enter the password You have entered enable mode when the prompt changes to 5300 6 5300 show vfc slot_number board 5300 Chec...

Page 189: ... the contents of the VFC Flash in the selected voice card This may take awhile 2 5300 copy tftp vfc Voice card slot number slot 1 Address or name of remote host UNKNOWN 223 255 212 244 Source file name vcware vcw Destination file name vcware vcw vcware vcw note the destination filename is IMPORTANT Accessing file vcware vcw on 223 255 212 244 Loading vcware vcw from 223 255 212 244 via Ethernet0 O...

Page 190: ...ult list and show vfc slot_number cap list commands to verify that the DSPWare has been unbundled and the default list and cap list have been initialized 5300 show vfc 1 default list Invalid input detected at marker 5300 show vfc 1 cap list Capability List for VFC in slot 1 1 fax vfc l 0 13 0 bin 2 bas vfc l 0 13 0 bin 3 cdc g729 l 0 13 0 bin 4 cdc g711 l 0 13 0 bin 5300 7 5300 unbundle vfc slot_n...

Page 191: ...ce feature card is back up in VCWare mode 5300 show vfc 1 board VFC board state is UP vfc status VCWARE running 0x4 VFC board in slot 1 with 18 dsps 5300 Determine if the VFC ROM version you are running is 1 1 or version1 2 New Hardware Features Hardware features available after the release of this document can be found at the following URL http www cisco com univercd cc td doc product access acs_...

Page 192: ...Cisco AS5300 Universal Access Server Software Configuration Guide New Hardware Features D 8 ...

Page 193: ... 4 11 list examples 4 14 list name 4 11 lists 4 10 local 4 2 local security database 4 2 login authentication 4 11 login examples 4 15 multiple methods specifying 4 13 PPP examples 4 16 privileged EXEC mode 4 4 RADIUS server 4 8 remote 4 2 remote database 4 3 securing access 4 4 security methods 4 12 TACACS server 4 7 authentication accounts MMP 3 57 VPDN 3 60 authorization configuring 4 17 descri...

Page 194: ...ebug sgbp errors command 3 57 debug sgbp events command 3 57 debug vlan packets command 3 49 debug vpdn command 3 59 debug vpdn event command 3 59 debug vpdn l2f errors command 3 59 debug vpdn l2f events command 3 59 debug vpm spi command 3 43 dev command B 5 dialer interface IPX networks 3 50 dialer map 3 50 dialer list command 3 24 dial in access authentication 4 11 dial in protocols authenticat...

Page 195: ...ilink 3 24 serial interface configuration mode 3 24 show interface command 3 25 show interface serial command 3 25 subnet mask 3 24 verifying 3 25 3 39 ISDN PRI channel service states displaying 3 14 configuring 3 11 NFAS groups monitoring 3 14 show controller e1 command 3 13 show controller t1 command 3 13 show isdn status command 3 14 verifying 3 13 K key Break interrupt B 1 L latest version of ...

Page 196: ...link PPP 3 55 multiple LANs 3 48 N NFAS groups monitoring 3 14 no debug isdn q931 command 3 26 no debug modem csm command 3 20 no debug ppp authentiation command 3 23 no debug ppp negotiation command 3 23 no debug sgbp errors command 3 57 no debug sgbp events command 3 57 no debug vlan packets command 3 49 no debug vpdn command 3 59 no modem country mica command 3 30 no modem country microcom hdms...

Page 197: ...tp header compression command 3 45 show ipx interface serial command 3 51 show isdn nfas group command 3 14 show isdn service command 3 14 show isdn status command 3 14 show line command 3 30 show line command 3 30 show modem at mode command A 4 show modem call stats command A 4 show modem command A 4 show modem configuration command A 4 show modem connect speeds command A 4 show modem csm command...

Page 198: ...IP See VoIP voice ports See also VoIP cas group 3 10 Voice over IP See VoIP VoIP call progress tone 3 41 channelized T1 or E1 3 10 codec defaults 3 41 codec values 3 43 E 164 telephone numbers 3 39 fair queuing 3 44 G711 Alaw 3 41 number extension table 3 39 ping command 3 45 real time packet flows 3 44 real time voice traffic 3 44 RSVP for IP 3 44 rtp header compression 3 45 RTP header compressio...

Reviews:

No comments