
ASK THE EXPERT- REMOTE ACCESS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Remote Access with Cisco expert Plamen Nedeltchev. Plamen is a Remote Access Consultant. He works on design, configuration, troubleshooting and service delivery for Cisco users, including ISDN, Frame Relay, VPN, dial-in, DSL and WLAN solutions. Feel free to post any questions relating to Remote Access.

Plamen may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 19. Visit this forum often to view responses to your questions and the questions of other community members.

44 REPLIES
Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi,

My name is Shankar, referred by my friend Vinod. I want a solution for load-balancing two different links with the same ISP on the same router.

I have 3640 Router configured as:

In serial 0/0 - configured 512kbps link with frame-relay encapsulation.

In serial 0/1 - configured 256kbps link with frame-relay encapsulation.

I got the two links from the same ISP. I want to load-balance the links. How do I do this? Guide me, or if you send any document which will guide me step by step for doing this I would be more grateful to you.

Kindly send me the reply to: sudshank@sify.com.

Waiting for your positive response.

Thanks

A.Shankar

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

My presumption is that you are using EIGRP.

To load balance with EIGRP on unequal cost paths the variance command must be used.

The default with variance is 1; only the path with the best metric would be used.

Set the variance to 2 and the path with the best metric and the next best metric would be used.

This will allow load balancing over multiple paths in proportion to the metrics.

Example:

router eigrp 7
 network x.x.x.x
 variance 2

Technical Consultation By: Jim Thomson
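
The variance check for the 512 kbps and 256 kbps links in the question, as an added example that is not part of the original posts. It assumes default K values, `bandwidth 512` and `bandwidth 256` configured on the two serial interfaces, the default serial delay of 20000 microseconds, and a constructed reported distance for the next hop.

```python
# Added illustration. Link values are constructed for the example, not taken from the thread.
from dataclasses import dataclass

@dataclass
class Path:
    name: str
    min_bw_kbps: int        # lowest configured "bandwidth" along the path
    delay_usec: int         # sum of interface delays along the path
    reported_distance: int  # metric advertised by the next hop (assumed value)

def eigrp_metric(min_bw_kbps: int, delay_usec: int) -> int:
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1)."""
    return 256 * (10_000_000 // min_bw_kbps + delay_usec // 10)

def usable_paths(paths, variance: int) -> dict:
    """Paths EIGRP would install: metric < variance * best, and feasible."""
    metrics = {p.name: eigrp_metric(p.min_bw_kbps, p.delay_usec) for p in paths}
    best = min(metrics.values())  # feasible distance of the successor
    chosen = {}
    for p in paths:
        m = metrics[p.name]
        if m == best:
            chosen[p.name] = m
        elif p.reported_distance < best and m < variance * best:
            chosen[p.name] = m
    return chosen

def min_variance(paths) -> int:
    """Smallest integer variance that admits the worst path."""
    ms = [eigrp_metric(p.min_bw_kbps, p.delay_usec) for p in paths]
    best, worst = min(ms), max(ms)
    return 1 if worst == best else worst // best + 1

def traffic_shares(chosen: dict) -> dict:
    """Idealised split, inversely proportional to each path's metric."""
    inv = {name: 1 / m for name, m in chosen.items()}
    total = sum(inv.values())
    return {name: round(v / total, 3) for name, v in inv.items()}

PATHS = [
    Path("Serial0/0", 512, 20000, 28160),
    Path("Serial0/1", 256, 20000, 28160),
]

if __name__ == "__main__":
    for v in (1, 2):
        chosen = usable_paths(PATHS, v)
        print(f"variance {v}: {chosen} shares={traffic_shares(chosen)}")
    print("minimum variance:", min_variance(PATHS))
```

If the `bandwidth` statements are left at the serial default, both links get the same metric and the split no longer reflects the real 512/256 capacity.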

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi,

I am trying to configure a 3640 channelised E1 ISDN PRI router with 15 channels. I will be much obliged if you guide me, and post an IOS configuration (example) for this. Look forward to hearing from you.

Thanks

Sid

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Sid-

I hope this configuration helps:

Host: SUDARSHAN-isdn.cisco.com
!
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname SUDARSHAN-isdn
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
!
username sudarshan-isdn password password
!
clock timezone CET 1
!
!
no ip finger
ip tftp source-interface Loopback0
ip domain-name DOMAIN_NAME.com
ip name-server (IP ADDR.1)
ip name-server (IP ADDR.2)
ip name-server (IP ADDR.3)
!
!
!
! CHECK THE SWITCH-TYPE!!!
isdn switch-type primary-net5
!
!
controller E1 0/0
 ! HERE YOU CAN DEFINE "TIMESLOTS 1-16" FOR 15 B-CHANNELS+1D-CHANNEL
 ! OR WORK WITH THE LEC TO DISABLE THE TRUNKS FROM N16 UP.
 pri-group timeslots 1-31
!
!
!
interface Loopback0
 description Internal interface for SUDARSHAN-isdn
 ip address
!
interface FastEthernet0/0
 description XXXXXXXXXXXXXXXXXX
 ip address
 ip summary-address eigrp DISTANCE
 duplex auto
 speed auto
!
interface Serial0/0:15
 description ISDN PRI FOR THE D-CHANNEL
 no ip address
 encapsulation ppp
 no ip route-cache
 no keepalive
 dialer rotary-group 1
 dialer-group 1
 no snmp trap link-status
 ! CHECK THE SWITCH TYPE
 isdn switch-type primary-net5
 no fair-queue
 no cdp enable
!
!
interface Dialer1
 description SUDARSHAN-ISDN POP telnr: YYYYYYYYYYY ID :ZZZZZZZZZ
 bandwidth 128
 ip unnumbered Loopback0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 86400
 dialer map ip name USER-isdn 12345678
 <OUTPUT OMITTED>
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap
!
router eigrp 109
 redistribute static
 network
 no auto-summary
 eigrp log-event-type xmit
 eigrp log-neighbor-changes
!
ip classless
ip route DIALER 1
no ip http server
!
end

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

VPN and X-windows, are they compatible? Not functioning under my configuration.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Cisco's VPN client is compatible with X-Windows. In fact there are many Cisco employees that use X-Windows over VPN. It will work but you should expect some high latency due to the VPN encryption plus translations that X-Windows must do.

Technical Consultation By: Zack Schaefer.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

I have a client that wants to add a remote access VPN solution. A 3015 will be a good fit for them. One of their requirements is that logon scripts be able to run that will check the client's PC for the existence of anti-virus software and close the session if there is no anti-virus software on the client PC. Has this been addressed at any level by the concentrators or is this strictly functionality that must be provided by the scripts?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

This would have to be functionality of the login scripts. The concentrators are there to give network access based on authentication -- once authenticated, the gates are open and traffic flows. The logon scripts would have to verify whether or not the virus scan is installed, and terminate the VPN client if it is not installed.

As a heads up, while the logon scripts are running, the network is up and the possibility of a virus getting sent through the tunnel exists.

Technical Consultation By: Jered Huegen

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi,

We tried to bundle 2 E1 interfaces via the multilink-group command. This works fine, but after that the EIGRP routing updates no longer passed over this multilink line. What's wrong?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi,

I have a question about the VPN 3000 Concentrator. My problem is related to logon validation through the Cisco Concentrator. Somehow logon scripts don't run automatically. I'm using the Cisco Client ver. 3.03 on Windows 2000 Professional. If I run the "set" command in an NT prompt, I can see that the LogonServer is the PC itself. The strange thing is that the home directory gets mapped as it should. We map users' home directories from the UserManager for Domains. I can browse the Domain without any problems, so I'm sure that the WINS server works. I can also do DNS lookups without any problems.

Have you any suggestions?

/Regards Henrik Nielsen

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

The SW client on the PC must be set up to run the VPN SW prior to the client logging into the PC or the Windows domain. On the PC, start the SW client, then click "Options", then "Start before logon". Click OK. Then restart Windows. You will be prompted to login with the VPN client prior to logging into your PC or Windows domain.

Technical consultation by: David Iacobacci

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

I am interested in finding out when Cisco plans on releasing a VPN client compatible with the Macintosh OS. We currently are doing VPN through a 3600 with our NT clients but many of our users are on Macintosh.

Thanks!

Andrea Bishop

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi, Andrea-

Unfortunately, we do not have a release date for this at this moment. I'd suggest checking CCO on a regular basis.

Thanks, Plamen

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS

Hi there,

I have a couple of problems which I am unsure of. My customer recently purchased a Cisco 3640 with a 4BRI module and Ethernet module on board. This 3640 is connected to the company LAN whereby there is another existing Cisco router connected to Denmark's head office by leased line. The purpose of the 3640 is to accept ISDN calls from local remote users to use internal resources. The dial-in users will authenticate themselves with the TACACS server back in Denmark's office. (I have no idea how this information is going to route all the way back.)

a) What happens is that he wants to have all the 4 ports of the 4BRI module to have the same network address and subnet as the internal LAN IP address on the ethernet module. I've tried this but I got error saying subnet conflict with the ethernet module. I am not sure if it can be done. What will be a better way to solve this? I heard there is a way to have ip unnumbered service all the 4 ports and bind them together.

b) What will be a better scenario for issuing the IP address to the dial-in users? Using DHCP on the interface, a DHCP server within the LAN, or the TACACS server?

Are there any sample scripts which I can reference? Do you see any potential problems with this setup? Please advise. Thanks in advance.
