Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Remote Access with Cisco expert Plamen Nedeltchev. Plamen is a Remote Access Consultant. He works on design, configuration, troubleshooting and service delivery for Cisco users, including ISDN, Frame Relay, VPN, dial-in, DSL and WLAN solutions. Feel free to post any questions relating to Remote Access.
Plamen may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 19. Visit this forum often to view responses to your questions and the questions of other community members.
My name is Shankar, referred by my friend Vinod. I want a solution for load-balancing two different links with the same ISP on the same router.
I have a 3640 router configured as:
In serial 0/0 - configured 512kbps link with frame-relay encapsulation.
In serial 0/1 - configured 256kbps link with frame-relay encapsulation.
I got the two links from the same ISP. I want to load-balance the links. How do I do this? Guide me, or if you send any document which will guide me step by step for doing this, I would be most grateful to you.
Kindly send the reply to: email@example.com.
Waiting for your positive response.
My presumption is that you are using EIGRP.
To load balance with EIGRP on unequal cost paths the variance command must be used.
The default with variance is 1; only the path with the best metric would be used.
Set the variance to 2 and the path with the best metric and the next best metric would be used.
This will allow load balancing over multiple paths in proportion to the metrics.
Technical Consultation By: Jim Thomson
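The variance test described in the answer above, worked through for a 512 kbps and a 256 kbps link. This is an added example, not part of the original reply. It assumes the classic EIGRP composite metric with default K values, bandwidth statements of 512 and 256 on the two serial interfaces, the default serial delay of 20000 microseconds, and a constructed downstream hop at the ISP (100 Mbps, 100 microseconds).

```python
# Added example: classic EIGRP metric (K1 = K3 = 1) and the variance test.
# All link values below are assumptions constructed for illustration.

def eigrp_metric(min_bandwidth_kbps, total_delay_usec):
    """256 * (10^7 / slowest link in kbps + total delay in tens of usec)."""
    return 256 * (10**7 // min_bandwidth_kbps + total_delay_usec // 10)

def usable_paths(paths, variance):
    """paths maps name -> (metric, reported_distance).
    Returns the successor plus every feasible successor whose metric
    is below variance * best metric."""
    best = min(metric for metric, _ in paths.values())
    chosen = []
    for name, (metric, reported) in paths.items():
        if metric == best:
            chosen.append(name)
        # Feasibility condition first, then the variance test.
        elif reported < best and metric < variance * best:
            chosen.append(name)
    return chosen

def min_variance(paths):
    """Smallest integer variance that admits the worst path by metric."""
    metrics = [metric for metric, _ in paths.values()]
    best, worst = min(metrics), max(metrics)
    return worst // best + 1 if worst > best else 1

def ideal_shares(paths, names):
    """Idealized split, inversely proportional to metric.
    IOS rounds this to integer traffic-share counts."""
    inverse = {n: 1 / paths[n][0] for n in names}
    total = sum(inverse.values())
    return {n: inverse[n] / total for n in names}

# Constructed topology: both serial links reach the same ISP neighbor.
ISP_REPORTED = eigrp_metric(100000, 100)
PATHS = {
    "Serial0/0": (eigrp_metric(512, 20000 + 100), ISP_REPORTED),
    "Serial0/1": (eigrp_metric(256, 20000 + 100), ISP_REPORTED),
}

if __name__ == "__main__":
    for v in (1, 2):
        print("variance", v, "->", usable_paths(PATHS, v))
    print("minimum variance:", min_variance(PATHS))
    print("ideal shares:", ideal_shares(PATHS, usable_paths(PATHS, 2)))
```

If the bandwidth statements are left at the serial default, both links advertise the same metric and the 512/256 ratio never enters the calculation.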
I am trying to configure a 3640 channelised E1 ISDN PRI router with 15 channels. I will be much obliged if you guide me, and post an IOS configuration (example) for this. Look forward to hearing from you.
I hope this configuration helps:
no service single-slot-reload-enable
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
logging buffered 4096 debugging
logging rate-limit console 10 except errors
username sudarshan-isdn password password
clock timezone CET 1
no ip finger
ip tftp source-interface Loopback0
ip domain-name DOMAIN_NAME.com
ip name-server (IP ADDR.1)
ip name-server (IP ADDR.2)
ip name-server (IP ADDR.3)
isdn switch-type primary-net5 (CHECK THE SWITCH-TYPE!!!)
controller E1 0/0
pri-group timeslots 1-31 (HERE YOU CAN DEFINE "TIMESLOTS 1-16" FOR 15 B-CHANNELS+1D-CHANNEL
OR WORK WITH THE LEC TO DISABLE THE TRUNKS FROM N16 UP.)
description Internal interface for SUDARSHAN-isdn
ip summary-address eigrp
description ISDN PRI FOR THE D-CHANNEL
no ip address
no ip route-cache
dialer rotary-group 1
no snmp trap link-status
isdn switch-type primary-net5 (CHECK THE SWITCH TYPE)
no cdp enable
description SUDARSHAN-ISDN POP telnr: YYYYYYYYYYY ID :ZZZZZZZZZ
ip unnumbered Loopback0
no ip route-cache
no ip mroute-cache
dialer idle-timeout 86400
dialer map ip
<OUTPUT OMITTED>
no cdp enable
ppp authentication chap
router eigrp 109
eigrp log-event-type xmit
no ip http server
Cisco's VPN client is compatible with X-Windows. In fact there are many Cisco employees that use X-Windows over VPN. It will work but you should expect some high latency due to the VPN encryption plus translations that X-Windows must do.
Technical Consultation By: Zack Schaefer.
I have a client that wants to add a remote access VPN solution. A 3015 will be a good fit for them. One of their requirements is that logon scripts be able to run that will check the client's PC for the existence of anti-virus software and close the session if there is no anti-virus software on the client PC. Has this been addressed at any level by the concentrators or is this strictly functionality that must be provided by the scripts?
This would have to be functionality of the login scripts. The concentrators are there to give network access based on authentication -- once authenticated, the gates are open and traffic flows. The logon scripts would have to verify whether or not the virus scan is installed, and terminate the VPN client if it is not installed.
As a heads up, while the logon scripts are running, the network is up and the possibility of a virus getting sent through the tunnel exists.
Technical Consultation By: Jered Huegen
We tried to bundle 2 E1 interfaces via the multilink-group command. This works fine, but after that the EIGRP routing updates no longer passed over this multilink line. What's wrong?
I have a question about the VPN 3000 Concentrator. My problem is related to logon validation through the Cisco Concentrator. Somehow logon scripts don't run automatically. I'm using the Cisco Client ver. 3.03 on Windows 2000 Professional. If I run the "set" command in an NT prompt, I can see that the LogonServer is the PC itself. The strange thing is that the home directory gets mapped as it should. We map users' home directories from the UserManager for Domains. I can browse the Domain without any problems, so I'm sure that the WINS server works. I can also do DNS lookups without any problems.
Have you any suggestions?
/Regards Henrik Nielsen
The SW client on the PC must be set up to run the VPN SW prior to the client logging into the PC or the Windows domain. On the PC, start the SW client, then click "Options", then "Start before logon". Click OK. Then restart Windows. You will be prompted to login with the VPN client prior to logging into your PC or Windows domain.
Technical consultation by: David Iacobacci
I am interested in finding out when Cisco plans on releasing a VPN client compatible with the macintosh OS? We currently are doing VPN through a 3600 with our NT clients but many of our users are on Macintosh.
Unfortunately, we do not have a release date for this at this moment. I'd suggest checking CCO on a regular basis.
I have a couple of problems which I am unsure of. My customer recently purchased a Cisco 3640 with a 4BRI module and an ethernet module on board. This 3640 is connected to the company LAN whereby there is another existing Cisco router connected to Denmark's head office by leased line. The purpose of the 3640 is to accept ISDN calls so that local remote users can use internal resources. The dial-in users will authenticate themselves with the TACACS server back in Denmark's office. (I have no idea how this information is going to route all the way back.)
a) What happens is that he wants to have all the 4 ports of the 4BRI module to have the same network address and subnet as the internal LAN IP address on the ethernet module. I've tried this but I got an error saying subnet conflict with the ethernet module. I am not sure if it can be done. What will be a better way to solve this? I heard there is a way to have ip unnumbered service all the 4 ports and bind them together.
b) What will be a better scenario for issuing the IP address to the dial-in users? Using the DHCP on the interface or DHCP server within the LAN or using the TACACS server?
Are there any sample scripts which I can reference? Do you see any potential problems with this setup? Pls advise. Thanks in advance.