Tuesday, October 8, 2013

Lesson 14 -- Advanced WAN Configurations, Part 1

In Lesson 5 you set up a very simple WAN between your main office 2651 router and the remote site's 3640 router. The configuration for this link was pretty minimalist:

interface Serial0/1
description T1 to lab3640rtr
bandwidth 1544
ip address 192.168.3.5 255.255.255.252


This configuration used HDLC -- the default on Cisco routers -- to establish the WAN link to the 3640 router, set the bandwidth (used by routing protocols that consider bandwidth in their metrics) to 1.544Mbps, and established a /30 (two host) subnet between the routers, one IP address for each endpoint. However, you decide that you would like to implement PPP rather than HDLC, since PPP can be configured to use PAP or CHAP to authenticate the routers on each side of the link (PAP sends the password across the link in cleartext; CHAP sends only an MD5 hash of a random challenge and the shared secret, so prefer CHAP), and because if you manage to scrounge a couple of new T1 cards (and the funds to buy a second leased line) you can use Multilink PPP to bundle the two T1s into a single 3Mbps channel between sites. You telnet to the remote router, issue a "reload in 30" command so the 3640 reboots into its saved configuration if you botch the changes (it's saved my backside more than once), then get started on configuring PPP:

lab3640rtr#conf t
lab3640rtr(config)#int serial 0/1
lab3640rtr(config-if)#encapsulation ppp


Your telnet session locks up, but you expected that. Now, configure the local side:

lab2651rtr#conf t
lab2651rtr(config)#int serial 0/1
lab2651rtr(config-if)#encapsulation ppp
lab2651rtr(config-if)#exit
lab2651rtr(config)#exit
lab2651rtr#sho int ser0/1
Serial0/1 is up, line protocol is up


You return to your telnet session to the 3640 router, and hit the "Enter" key a couple of times to make sure it's responding again, and it is. Woohoo! You've enabled PPP successfully. You type "reload cancel" and "write mem" on both routers to save the current configurations, then set up PPP authentication using CHAP. To do this, you'll need to configure a user name on each router that matches the host name of the other router and assign the same password (case-sensitive) to both user names. That is, on the lab3640rtr router, you will create a user "lab2651rtr" and on the lab2651rtr, you will create a user "lab3640rtr". Use the "username ... password" form, not "username ... secret": CHAP has to compute a hash over the cleartext shared secret, so the router must be able to recover it, and an MD5-hashed "secret" cannot be used for CHAP. ("service password-encryption" only obscures the type 7 password in the config; it does not change this.)

lab2651rtr#conf t
lab2651rtr(config)#username lab3640rtr password myChapPw


...and on the remote router:

lab3640rtr#conf t
lab3640rtr(config)#username lab2651rtr password myChapPw


Next, in the Serial 0/1 interface configurations, you will tell the routers to authenticate using CHAP. (If you would rather use PAP, substitute "pap" for "chap" below, and also add "ppp pap sent-username lab2651rtr password myChapPw" to the 2651's interface and "ppp pap sent-username lab3640rtr password myChapPw" to the 3640's, since with PAP each router must be told explicitly which credentials to send. Bear in mind that PAP puts that password on the wire in cleartext.)

lab3640rtr(config)#int ser0/1
lab3640rtr(config-if)#ppp authentication chap


...and on the local router:

lab2651rtr(config)#int serial 0/1
lab2651rtr(config-if)#ppp authentication chap


...and that's it!
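To make the cross-matching of host names, user names and passwords concrete, here is a small Python model of the CHAP exchange (RFC 1994) and, for contrast, the PAP exchange between the two routers. This is an added example, not IOS code and not from the original lesson; the Router class, its usernames table (standing in for the "username ... password" lines) and the chap_link_up / pap_request helper names are constructs of my own for illustration.

```python
# Added example: a model of PPP CHAP (RFC 1994) and PAP between the two routers
# in this lesson.  Not Cisco IOS code; the Router class, the usernames table
# and the helper names are assumptions made for illustration only.
import hashlib
import hmac
import os


class Router:
    """One PPP peer with its 'username <peer> password <pw>' table."""

    def __init__(self, hostname, usernames=None):
        self.hostname = hostname          # what goes in the CHAP Name fields
        self.usernames = usernames or {}  # peer name -> cleartext shared secret

    # --- CHAP (ppp authentication chap) ---------------------------------
    def chap_challenge(self):
        """Authenticator side: Identifier, random Challenge, and our Name."""
        ident = os.urandom(1)[0]          # 1-octet Identifier (RFC 1994)
        challenge = os.urandom(16)        # fresh Challenge Value every time
        return ident, challenge, self.hostname

    def chap_response(self, ident, challenge, authenticator_name):
        """Peer side: look up the secret under the *challenger's* name and
        return Identifier, MD5(Identifier || secret || Challenge), our Name.
        The secret itself never leaves this router."""
        secret = self.usernames.get(authenticator_name)
        if secret is None:
            return None                   # no matching 'username' line
        value = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
        return ident, value, self.hostname

    def chap_verify(self, ident, challenge, response):
        """Authenticator side: recompute the hash with the secret stored
        under the *responder's* Name and compare in constant time."""
        resp_ident, value, peer_name = response
        secret = self.usernames.get(peer_name)
        if secret is None or resp_ident != ident:
            return False
        expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
        return hmac.compare_digest(expected, value)

    # --- PAP (ppp authentication pap) -----------------------------------
    def pap_request(self, sent_username, password):
        """Peer side: what 'ppp pap sent-username' puts on the wire.  The
        password travels in cleartext, which is why CHAP is preferred."""
        return sent_username.encode() + b"\x00" + password.encode()

    def pap_verify(self, request):
        """Authenticator side: compare the received password with ours."""
        name, _, password = request.partition(b"\x00")
        secret = self.usernames.get(name.decode())
        return secret is not None and hmac.compare_digest(secret.encode(), password)


def chap_one_way(authenticator, peer):
    """One CHAP handshake: authenticator challenges, peer responds."""
    ident, challenge, auth_name = authenticator.chap_challenge()
    response = peer.chap_response(ident, challenge, auth_name)
    return response is not None and authenticator.chap_verify(ident, challenge, response)


def chap_link_up(a, b):
    """With 'ppp authentication chap' on both interfaces each router
    challenges the other; the line protocol comes up only if both pass."""
    return chap_one_way(a, b) and chap_one_way(b, a)


if __name__ == "__main__":
    local = Router("lab2651rtr", {"lab3640rtr": "myChapPw"})
    remote = Router("lab3640rtr", {"lab2651rtr": "myChapPw"})
    print("matching config  :", chap_link_up(local, remote))
    # Note 3's experiment: drop the username line on the local router
    print("username removed :", chap_link_up(Router("lab2651rtr"), remote))
    print("wrong password   :", chap_link_up(local, Router("lab3640rtr", {"lab2651rtr": "oops"})))
    print("PAP on the wire  :", remote.pap_request("lab3640rtr", "myChapPw"))
```

Each router looks up the secret under the name the *other* router sends, which is why the user name on one side has to be the host name of the other. Remove the username, change one password, or let the names drift, and the challenge fails on at least one side and the line protocol stays down.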

Note 1: No joke about using the "reload in 30" before making config changes to the management interfaces on a remote router. It can be the difference between being the hero of the day and the idiot who had the misfortune to execute a career-limiting move. True story from the IT trenches: I work in Anchorage, Alaska, but manage network devices in Bethel, Alaska, 500 miles to the west (and there are no roads to Bethel from Anchorage -- it's a one hour flight via Alaska Airlines if you have to go in person). One day, I was working on my LAN router/firewall in Bethel, and fortunately, I heard that little voice inside my head telling me to run the "/sbin/shutdown -r +15 &" command (it's a Linux-based router, but that's the equivalent of Cisco's "reload in 15" command). I did, even though I was sure what I was going to do wouldn't lock me out of the router. I started making changes, and when I restarted the network interfaces, I lost my SSH connection to the router. I tried to create a new SSH session, but no joy. I tried to ping the router...nothing. I even ran "nmap -sP" just to make sure it was really off-line, but I already knew it would be (and it was). About two minutes later, my boss hollers at me from his office, "I think we just lost the Bethel router!" I calmly replied, "Yep, but it should be back in...<...checks watch...>...maybe ten minutes." I explained what happened, and he just said, "Let me know when it's back on-line." It's never good to take a LAN/WAN router off-line in the middle of the business day without arranging a scheduled outage, but, well, (*cough*) excrement occurs sometimes. However, had I not had the foresight ("luck") to tell the router to reboot itself in fifteen minutes before I started working on it, I would have been in a much less comfortable position when my boss asked about the router being off-line.

Note 2: Notice how I made changes to the remote router before making changes to the local router every time? That's not by coincidence :) I lost my connection to the remote router when I removed HDLC encapsulation and added PPP encapsulation. If I had made the changes to lab2651rtr first, I would not have been able to reach lab3640rtr to make the changes that would restore the connection. It's obvious in hindsight, but maybe not so obvious the first time you are making changes in the middle of the night so as to not take users off-line during the business day. Yep, been there and done that, too :)

Note 3: Extra credit: want to make sure that CHAP really is doing what you think it's doing? On lab2651rtr, remove the user with "no username lab3640rtr", then shut/no shut Serial 0/1 and run "sho ip int brief". You should see the interface up and the line protocol down on the serial interface: the physical link is fine, but the layer-2 negotiation (here, CHAP) failed. Running "debug ppp authentication" while you bounce the interface will show the failed challenge/response on the console. Put the username back when you're done, or the link stays down.
