Kostis Netzwerkberatung
Konstantinos Kostis
Talstr. 25, D-63322 R÷dermark
Tel. +49 6074 881056, FAX 881058
kosta@kostis.net, http://www.kostis.net/

You may use this information free of charge at your own risk.

mini-HowTo: Cisco ISDN Dial on Demand Internet

I've been asked a number of times how to configure a Cisco ISDN router to connect to an ISP using ISDN PPP dial on demand. Despite the fact that consultancy is my business and not my hobby, I have decided to give out this information "for free" in order to save us time - both me and those asking anyway. :P

I have compiled this little page using the tons of info material provided by Cisco on their web site free of charge (in other words you can look it up, too). I will from now on ignore any further requests regarding "free of charge" Cisco configuration information. If you want to consult with me, you can hire me. ;)

Introduction

This document describes a Cisco IOS12.0 NAT sample configuration for an ISDN dialup connection using PPP to T-Online, a major ISP in Germany. Cisco IOS 12.0 was the first Cisco IOS version with NAT included in the basic IP Feature Pack (no additional costly feature pack needed). Most of the configuration is generic and should work for any ISDN dialup PPP connection to ISPs.

This sample configuration is based on the following design assumptions:

design assumption remark
LAN IP Subnet 192.168.1.0/24
(/24 aka 255.255.255.0)
this a private network address (RFC1918)
router IP address 192.168.1.1 this can be changed, of course
no routing to other subnets  
no DNS needed on router  
European DSS1 ISDN connection aka Euro-ISDN
clients configured to use router as gateway  
clients configured to use external DNS server(s)  

Using a proxy, your clients won't need DNS servers for Internet access but at least your proxy will need to be configured to use DNS unless your proxy is configured to be a slave of some other proxy. Confused, yet? ;)

Depending on the operating system used on your clients and your infrastructure, your DNS servers may be local DNS servers (eg. Linux/FreeBSD/etc.) or DNS servers run by your ISP (Microsoft machines usually "like" this). If all you have is a number of PCs running a Microsoft OS and your Cisco router, you sure need to configure your clients to use your ISP's DNS servers. This information should be available from them.

T-Online provides DNS on 194.25.2.132 and 194.25.2.131 and 194.25.2.129 and who knows where else. These things can change so check them before you configure them on your clients. Better yet: run your own caching DNS server if you can.

In this sample configuration the router is named risp internally, you can change that to whatever you prefer with no impact on functionality, but please follow rules for hostnames (RFC1035).

Changes needed before use

Some changes must be made before you can use this configuration consisting basically of replacing placeholders for usernames by real usernames and placeholders for passwords by real passwords of your choice or given to you by your ISP. Placeholders that need to be changed are:

Placeholder Function
%enablepassword%   password needed to switch to Cisco enable mode
%consolepassword%   password for console logins
%telnetpassword%   password for telnet logins

Depending on your ISP and the account information given to you by them, there is more to configure. The placeholders that need to be changed for ISP authentication are:

Placeholder Function
%aaaaaaaaaaaa% %tttttttttttt% %mmmm%   username for pap/chap
%pppppassword%   password for pap/chap

T-Online usernames are comprised of three parts:

Placeholder Function
%aaaaaaaaaaaa%   "Anschlu▀kennung" - twelve digits
%tttttttttttt%   "T-Online Nummer" - twelve digits / if shorter, add " #" at the end
%mmmm%   Mitbenutzerkennung" - default is " 0001"

Password Security

After you enter passwords, they will be encrypted in router memory (that's what service password-encryption is for).

A Cisco configuration can only be viewed (eg. using 'write terminal' or 'show running-config') after giving the enable secret on your router so keep this enable secret password a real secret. All other passwords can be decrypted using certain tools (type 7 passwords can easily be decrypted, type 5 are tough to hack), so don't leave printouts of your configuration lying around. Secure all servers storing your configuration files. It's beyond the scope of this document to explain how to do this.

Channel Bundling

In this sample configuration design I assume you want to limit the configuration to use a single B-channel (hence 64000 bps max. bandwidth). If you want to use channel bundling (both B-channels resulting in twice the speed but usually also twice the cost, hence 128000 bps), add the following two lines from the configuration below in the interface Dialer1 section:

dialer load-threshold 10 outbound
ppp multilink

10 is the threshold at which the second channel kicks in. Possible values are from 1 to 255. The higher the value the heavier/longer traffic needs to be there before the second channel kicks in. 10 is a rather low value and is recommended only if you expect heavy use and want to prevent unnecessary delays.

Cisco Configuration Modes

The configuration sample is in a format compatible with the format your router stores its configuration on a TFTP server or what it would show when you do a 'write terminal'. It's not necessarily in the order in which you have to type in things, so if you get any error message that you need to define something before you can do whatever you were just about to do, define that something (most likely listed a few line below) and try again.

In order not to confuse you even more by giving you two versions and since the scope of this document does not include a tutorial on Cisco CLI (Command Line Interface) which is nicely documented by Cisco, I at least want to give you a hint there is something about the bush. You need to be able to navigate around 'enable', 'configure terminal' and such things without my help.

Cisco ISDN Dialup Configuration Sample

The following Cisco ISDN PPP dial on demand configuration sample has been created for IOS 12 and ISP T-Online. It has last been tested on a Cisco 1003 using IOS 12.0(21a) equipped with 2 MB Flash, 8 MB DRAM. Cisco asks for 4 MB Flash but the Cisco 1003 IOS 12.0 "IP Only" image fits into a 2 MB Flash card just fine. This configuration should work with any IOS >= 12.0.


!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname
risp
!
enable secret %enablepassword%
!
ip subnet-zero
no ip finger
no ip domain-lookup
no ip name-server
isdn switch-type basic-net3
!
!
!
interface Ethernet0
description LAN connection
ip address
192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface BRI0
description physical ISDN interface
no ip address
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer rotary-group 1
isdn switch-type basic-net3
no cdp enable
!
interface Dialer1
description connection to Internet via t-online
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer idle-timeout 300
dialer string
0191011
dialer hold-queue 10
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
%aaaaaaaaaaaa% %tttttttttttt% %mmmm%
ppp chap password
%pppppassword%
ppp pap sent-username
%aaaaaaaaaaaa% %tttttttttttt% %mmmm% password %pppppassword%
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
no ip http server
!
line con 0
password %consolepassword%
login
line vty 0 4
password %telnetpassword%
login
!
end

Saving Configuration Changes

Make sure to store your configuration in NVRAM every time you make changes:

copy running-config startup-config

If you fail to do this, your changes will be lost the next time your router reboots (eg. due to power failure).

Things You May Want to Change

Things you may very likely want to change are highlighted like this:

Configuration Line Potential Change
hostname risp   you may want to change the internal  name of the router
dialer string 0191011   this is the ISP's MSN to call - depends on your ISP

The following line needs to be changed if you want a different IP subnet on your LAN side:

Configuration Line Potential Change
ip address 192.168.1.1 255.255.255.0   you may want to change the router's IP address and subnet mask