Author: memtec

V. ISDN

1. Integrated Services Digital Network (ISDN)

ISDN combines digital telephony with data transmission services, and is normally provided by the telephone company. The ISDN Basic Rate Interface (BRI) provides two B channels and one D channel (2B+D). Each BRI B channel runs at 64 Kbps and carries user data; the D channel runs at 16 Kbps and carries mainly signalling. In North America and Japan the ISDN Primary Rate Interface (PRI) provides 23 B channels and one D channel, for a total rate of 1.544 Mbps, with the D channel at 64 Kbps. In Europe, Australia and other countries the PRI provides 30 B channels and one 64 Kbps D channel, for a total rate of 2.048 Mbps. The ISDN PRI offered by telephone companies in China is 30B+D.

2. Basic commands (task, then the command)

Set the ISDN switch type
    isdn switch-type switch-type   (see note 1)
Enter interface configuration
    interface bri 0
Set PPP encapsulation
    encapsulation ppp
Map a protocol address to a telephone number
    dialer map protocol next-hop-address [name hostname] [broadcast] [dial-string]
Enable PPP multilink
    ppp multilink
Set the load threshold at which the second B channel is brought up
    dialer load-threshold load
Display ISDN information
    show isdn {active | history | memory | services | status [dsl | interface-type number] | timers}

Note 1: The switch types are listed below; switches in China are generally basic-net3.

Region          Keyword          Switch type
Australia       basic-ts013      Australian TS013 switches
Europe          basic-1tr6       German 1TR6 ISDN switches
                basic-nwnet3     Norway NET3 switches (phase 1)
                basic-net3       NET3 ISDN switches (UK, Denmark, and other nations); covers the Euro-ISDN E-DSS1 signalling system
                primary-net5     NET5 switches (UK and Europe)
                vn2              French VN2 ISDN switches
                vn3              French VN3 ISDN switches
Japan           ntt              Japanese NTT ISDN switches
                primary-ntt      Japanese ISDN PRI switches
North America   basic-5ess       AT&T basic rate switches
                basic-dms100     NT DMS-100 basic rate switches
                basic-ni1        National ISDN-1 switches
                primary-4ess     AT&T 4ESS switch type for the U.S. (ISDN PRI only)
                primary-5ess     AT&T 5ESS switch type for the U.S. (ISDN PRI only)
                primary-dms100   NT DMS-100 switch type for the U.S. (ISDN PRI only)
New Zealand     basic-nznet3     New Zealand Net3 switches

3. ISDN dial-on-demand routing (DDR) example

Configuration:

Router1:
hostname router1
username router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
 ip address 192.200.10.1 255.255.255.0
 encapsulation ppp
 dialer map ip 192.200.10.2 name router2 572
 dialer load-threshold 80
 ppp multilink
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
username router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
 ip address 192.200.10.2 255.255.255.0
 encapsulation ppp
 dialer map ip 192.200.10.1 name router1 571
 dialer load-threshold 80
 ppp multilink
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
!

Cisco routers also support callback. In the following example Router1 is the callback server and Router2 the callback client.
Callback-related commands (task, then the command):

Map a protocol address to a telephone number and apply, on the interface, the PPP callback map class defined in global configuration mode
    dialer map protocol address name hostname class classname dial-string
Allow the interface to accept PPP callback
    ppp callback accept
Define a map class for PPP callback in global configuration mode
    map-class dialer classname
Decide the callback by looking up the hostname registered in the dialer map
    dialer callback-server [username]
Make the interface request PPP callback
    ppp callback request

Configuration:

Router1:
hostname router1
username router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
 ip address 192.200.10.1 255.255.255.0
 encapsulation ppp
 dialer map ip 192.200.10.2 name router2 class s3 572
 dialer load-threshold 80
 ppp callback accept
 ppp multilink
 dialer-group 1
 ppp authentication chap
!
map-class dialer s3
 dialer callback-server username
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
username router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
 ip address 192.200.10.2 255.255.255.0
 encapsulation ppp
 dialer map ip 192.200.10.1 name router1 571
 dialer load-threshold 80
 ppp callback request
 ppp multilink
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
!

Related debug commands:
debug dialer
debug isdn event
debug isdn q921
debug isdn q931
debug ppp authentication
debug ppp error
debug ppp negotiation
debug ppp packet
show dialer
show isdn status

Example: run debug dialer and watch router2 call router1, after which router1 calls router2 back.

router1#debug dialer
router2#ping 192.200.10.1
router1#
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:03:50: BRI0:1 PPP callback Callback server starting to router2 572
00:03:50: BRI0:1: disconnecting call
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:03:50: BRI0:1: disconnecting call
00:03:50: BRI0:1: disconnecting call
00:03:51: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
00:03:52: callback to router2 already started
00:03:52: BRI0:2: disconnecting call
00:03:52: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:03:52: BRI0:2: disconnecting call
00:03:52: BRI0:2: disconnecting call
00:04:05: : Callback timer expired
00:04:05: BRI0:beginning callback to router2 572
00:04:05: BRI0: Attempting to dial 572
00:04:05: Freeing callback to router2 572
00:04:05: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:04:05: BRI0:1: No callback negotiated
00:04:05: %LINK-3-UPDOWN: Interface Virtual-access1, changed state to up
00:04:05: dialer Protocol up for Vi1
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
00:04:11: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 572
router1#

4. Accessing the Capital Online (263) network over ISDN

The local LAN uses 10.0.0.0/24, a reserved (private) address range; with NAT, LAN users reach the Internet by dialling the 263 network over ISDN. The 263 ISDN number is 2633, the username is 263 and the password is 263. The commands involved (task, then the command):

Obtain the interface IP address through PPP/IPCP address negotiation
    ip address negotiated
Mark the inside and outside interfaces
    ip nat {inside | outside}
Use PPP/PAP authentication
    ppp authentication pap callin
Assign the interface to dialer group 1
    dialer-group 1
Define dialer group 1 to permit all IP traffic
    dialer-list 1 protocol ip permit
Set the number to dial, 2633
    dialer string 2633
Set the username and password for logging in to 263
    ppp pap sent-username 263 password 263
Set the default route
    ip route 0.0.0.0 0.0.0.0 bri 0
Translate every source address matching access list 2 to the address held by bri 0
    ip nat inside source list 2 interface bri 0 overload
Define access list 2, permitting everything
    access-list 2 permit any

Full configuration:

hostname Cisco2503
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface Serial 0
 shutdown
 no description
 no ip address
!
interface Serial 1
 shutdown
 no description
 no ip address
!
interface bri 0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ppp authentication pap callin
 ppp multilink
 dialer-group 1
 dialer hold-queue 10
 dialer string 2633
 dialer idle-timeout 120
 ppp pap sent-username 263 password 263
 no cdp enable
 no ip split-horizon
 no shutdown
!
ip classless
!
! Static Routes
!
ip route 0.0.0.0 0.0.0.0 bri 0
!
! Access Control List 2
!
access-list 2 permit any
!
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat inside source list 2 interface bri 0 overload
snmp-server community public ro
!
line console 0
 exec-timeout 0 0
!
line vty 0 4
!
end
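Returning to the callback trace in section 3: what makes PPP callback an access control is that the server hangs up the inbound call and dials the number from its own dialer map, never a number proposed by the caller. The Python script below is an added example, not code from the page or from Cisco. It parses router1's debug dialer output (copied from the trace above) and checks the sequence: callback request recorded, inbound call dropped, callback timer, outbound dial to the dial string configured in the dialer map, and connect to that same number. The trace and the dialer map line are the page's; the result field names are this example's own.

```python
import re

# router1's "debug dialer" output from the page's callback example (the callback
# server side), used here as the parser's input.
DEBUG_TRACE = """\
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:03:50: BRI0:1 PPP callback Callback server starting to router2 572
00:03:50: BRI0:1: disconnecting call
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:03:50: BRI0:1: disconnecting call
00:03:50: BRI0:1: disconnecting call
00:03:51: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
00:03:52: callback to router2 already started
00:03:52: BRI0:2: disconnecting call
00:03:52: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:03:52: BRI0:2: disconnecting call
00:03:52: BRI0:2: disconnecting call
00:04:05: : Callback timer expired
00:04:05: BRI0:beginning callback to router2 572
00:04:05: BRI0: Attempting to dial 572
00:04:05: Freeing callback to router2 572
00:04:05: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:04:05: BRI0:1: No callback negotiated
00:04:05: %LINK-3-UPDOWN: Interface Virtual-access1, changed state to up
00:04:05: dialer Protocol up for Vi1
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
00:04:11: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 572
"""

# The callback server's own dialer map entry from the Router1 configuration in
# section 3; its dial string (572) is the only number the server should call back.
DIALER_MAP = "dialer map ip 192.200.10.2 name router2 class s3 572"

TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}): (.*)$")


def parse_trace(text):
    """Turn 'HH:MM:SS: message' lines into (seconds, message) pairs; prompts are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            h, mi, s, msg = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), msg))
    return events


def dialer_map_number(line):
    """Extract (hostname, dial-string) from
    'dialer map <proto> <addr> name <host> [class <cls>] <dial-string>'."""
    m = re.match(r"dialer map \S+ \S+ name (\S+)(?: class \S+)? (\S+)$", line.strip())
    if not m:
        raise ValueError(f"not a dialer map with a name and dial string: {line!r}")
    return m.group(1), m.group(2)


def analyse_callback(events, dialer_map_line):
    """Check that the trace shows a well-formed callback: the server recorded the
    request, dropped the inbound call, waited for its callback timer, then dialed
    and connected to the number taken from its own dialer map."""
    map_host, map_number = dialer_map_number(dialer_map_line)
    r = {"requested": None, "inbound_dropped_at": None, "callback_started_at": None,
         "dialed": None, "connected_to": None, "wait_seconds": None, "ok": False}
    for t, msg in events:
        if r["requested"] is None and (m := re.search(r"Callback server starting to (\S+) (\S+)", msg)):
            r["requested"] = (m.group(1), m.group(2))
        elif r["requested"] and r["inbound_dropped_at"] is None and "disconnecting call" in msg:
            r["inbound_dropped_at"] = t          # inbound call torn down before calling back
        elif re.search(r"beginning callback to \S+ \S+", msg):
            r["callback_started_at"] = t
        elif (m := re.search(r"Attempting to dial (\S+)", msg)):
            r["dialed"] = m.group(1)
        elif (m := re.search(r"is now connected to (\S+)", msg)):
            r["connected_to"] = m.group(1)
    if r["inbound_dropped_at"] is not None and r["callback_started_at"] is not None:
        r["wait_seconds"] = r["callback_started_at"] - r["inbound_dropped_at"]
    r["ok"] = (r["requested"] == (map_host, map_number)
               and r["dialed"] == map_number
               and r["connected_to"] == map_number
               and r["wait_seconds"] is not None and r["wait_seconds"] >= 0)
    return r


if __name__ == "__main__":
    print(analyse_callback(parse_trace(DEBUG_TRACE), DIALER_MAP))
```

On the page's trace the check passes with a 15 second wait between dropping the inbound call and dialling back; a trace in which the dialled or connected number differs from the dialer map's dial string is reported with ok set to False, which is the condition worth alerting on.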
>set system c765
c765> set multidestination on
c765> set switch net3
c765> set ppp multilink on
c765> cd lan
c765:LAN> set ip routing on
c765:LAN> set ip address 10.0.0.1
c765:LAN> set ip netmask 255.0.0.0
c765:LAN> set bridging off
c765:LAN> cd
c765> set user remotenet
New user remotenet being created
c765:remotenet> set ip routing on
c765:remotenet> set bridging off
c765:remotenet> set ip framing none
c765:remotenet> set ppp clientname 263
c765:remotenet> set ppp password client
Enter new Password: 263
Re-Type new Password: 263
c765:remotenet> set ppp authentication out none
c765:remotenet> set ip address 0.0.0.0
c765:remotenet> set ip netmask 0.0.0.0
c765:remotenet> set ppp address negotiation local on
c765:remotenet> set ip pat on
c765:remotenet> set ip route destination 0.0.0.0/0 gateway 0.0.0.0
c765:remotenet> set number 2633
c765:remotenet> set active

Command descriptions (task, then the command):

Set the router system name
    set system c765
Allow the router to call multiple destinations
    set multidestination on
Set the ISDN switch type to NET3
    set switch net3
Allow several channels between the two ends for load balancing
    set ppp multilink on
Turn off bridging
    set bridging off
Create a user profile holding the dial-up connection parameters; several profiles can be defined on the same physical port, each for a different connection
    set user remotenet
Use PPP/IPCP
    set ip framing none
Set the dial-up account name
    set ppp clientname 263
Set the dial-up password
    set ppp password client
    Enter new Password: 263
    Re-Type new Password: 263
Do not authenticate the peer with PPP CHAP or PAP
    set ppp authentication out none
Allow address negotiation
    set ppp address negotiation local on
Enable address translation
    set ip pat on
Set the default route
    set ip route destination 0.0.0.0/0 gateway 0.0.0.0
Set the ISP's telephone number
    set number 2633
Activate the user profile
    set active

VI. PSTN

The public switched telephone network (PSTN) is today the most widespread and cheapest public communications network, and it is also widely used for network interconnection. Its uses fall into two types: organisations of equal standing interconnecting with dial-on-demand routing (DDR), and the remote access service an ISP provides to dial-up users.

1. Remote access

1.1 Basic Access Server configuration

A Cisco 2511 is used as the access server, with addresses assigned dynamically from an IP address pool. Remote workstations connect with Windows 95 Dial-Up Networking.

Global settings (task, then the command):

Set a username and password
    username username password password
Define the IP address pool for users
    ip local pool {default | pool-name} low-ip-address [high-ip-address]
Specify how the address pool operates
    ip address-pool [dhcp-proxy-client | local]

Basic interface commands (task, then the command):

Set PPP encapsulation
    encapsulation ppp
Enable routing on the asynchronous interface
    async default routing
Set the PPP mode of the asynchronous interface
    async mode {dedicated | interactive}
Set the user's IP address
    peer default ip address {ip-address | dhcp | pool [pool-name]}
Use the same IP address as Ethernet0
    ip unnumbered ethernet0

Dial-in line settings (task, then the command):

Set the modem operating mode
    modem {inout | dialin}
Detect the modem type automatically
    modem autoconfigure discovery
Set the line speed
    speed speed
Set the line flow control
    flowcontrol {none | software [lock] [in | out] | hardware [in | out]}
Run a command automatically once connected
    autocommand command

Access server configuration:

Router:
hostname Router
enable secret 5 $1$EFqU$tYLJLrynNUKzE4bx6fmH//
!
interface Ethernet0
 ip address 10.111.4.20 255.255.255.0
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 keepalive 10
 async mode interactive
 peer default ip address pool Cisco2511-Group-142
!
ip local pool Cisco2511-Group-142 10.111.4.21 10.111.4.36
!
line con 0
 exec-timeout 0 0
 password cisco
!
line 1 16
 modem InOut
 modem autoconfigure discovery
 flowcontrol hardware
!
line aux 0
 transport input all
line vty 0 4
 password cisco
!
end

Related show commands:
show interface
show line
1.2 Access Server authentication through a TACACS server

A Windows NT server at 10.111.4.2 acts as the TACACS server, running the Easy ACS 1.0 software bundled with the Cisco 2511 to authenticate users.

Related settings (task, then the command):

Enable AAA access control
    aaa new-model
Use TACACS+ for AAA authentication at login by default
    aaa authentication login default tacacs+
Define a list named no_tacacs that authenticates with the enable password
    aaa authentication login no_tacacs enable
Use TACACS+ authentication on serial lines running PPP
    aaa authentication ppp default tacacs+
Have the TACACS+ server authorise running an EXEC
    aaa authorization exec tacacs+
Have the TACACS+ server authorise network-related service requests
    aaa authorization network tacacs+
Run accounting for EXEC sessions, notifying the TACACS+ server when a session starts and ends
    aaa accounting exec start-stop tacacs+
Run accounting for network-related service requests, including SLIP, PPP, PPP NCPs and ARAP, notifying the TACACS+ server when a session starts and ends
    aaa accounting network start-stop tacacs+
Specify the TACACS server address
    tacacs-server host 10.111.4.2
Set the key shared between the TACACS+ server and the access server; both sides use it to encrypt passwords and responses. Here the key is tac.
    tacacs-server key tac

Access server configuration:

hostname router
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
aaa authentication ppp default tacacs+
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
enable secret 5 $1$kN4g$CvS4d2.rJzWntCnn/0hvE0
!
interface Ethernet0
 ip address 10.111.4.20 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
interface Serial1
 no ip address
 shutdown
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool Cisco2511-Group-142
 no cdp enable
 group-range 1 16
!
ip local pool Cisco2511-Group-142 10.111.4.21 10.111.4.36
tacacs-server host 10.111.4.2
tacacs-server key tac
!
line con 0
 exec-timeout 0 0
 password cisco
 login authentication no_tacacs
line 1 16
 login authentication tacacs
 modem InOut
 modem autoconfigure type usr_courier
 autocommand ppp
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
 transport input all
line vty 0 4
 password cisco
!
end
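The configurations in this document (the ISDN DDR and callback pairs, the 263 NAT router, the basic access server and the AAA/TACACS+ access server above) share a handful of settings that a reviewer should catch: an enable password kept beside the enable secret, type-0 local usernames, the public SNMP community, vty lines without an access-class, PAP credentials stored in the running config, a NAT source list that permits any address, and a TACACS+ server with no shared key. The Python script below is an added example, not code from the page or from Cisco. It parses a constructed sample config assembled from those configurations (the tacacs-server key line is deliberately left out so that finding appears) and reports the findings. The finding codes and messages are this example's own, and it understands IOS syntax only, not the Cisco 765 set commands.

```python
import re

# Sample running-config, constructed for this example by combining the page's
# Cisco 2511 AAA/TACACS+ access-server config with its Cisco 2503 ISDN/NAT
# config. "cisco", "263" and "public" are the page's own placeholder secrets;
# "tacacs-server key" is omitted on purpose so that the missing-key check fires.
SAMPLE_CONFIG = """\
hostname router
!
aaa new-model
aaa authentication login default tacacs+
aaa authentication login no_tacacs enable
enable secret 5 $1$kN4g$CvS4d2.rJzWntCnn/0hvE0
enable password cisco
username router2 password 0 cisco
!
interface BRI0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ppp authentication pap callin
 ppp pap sent-username 263 password 263
!
ip nat inside source list 2 interface BRI0 overload
access-list 2 permit any
tacacs-server host 10.111.4.2
snmp-server community public ro
!
line con 0
 login authentication no_tacacs
line vty 0 4
 password cisco
!
end
"""


def parse_config(text):
    """Split an IOS config into top-level lines and a dict of indented sections
    keyed by their header line, e.g. "line vty 0 4" -> ["password cisco"]."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = None
            continue
        if line[0] == " ":
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line
            sections[current] = []
    return top, sections


def audit(text):
    """Return (code, location, message) findings for the weak settings seen in the
    page's example configs. Advisory only: the config itself is not modified."""
    top, sections = parse_config(text)
    findings, nat_lists = [], set()

    def add(code, where, msg):
        findings.append((code, where, msg))

    for line in top:
        if line.startswith("enable password "):
            add("ENABLE_PASSWORD", line, "cleartext enable password kept next to enable secret; remove it")
        m = re.match(r"username (\S+) password (?:0 )?\S+$", line)
        if m:
            add("CLEARTEXT_USER", line, f"local user {m.group(1)} has a type-0 password; use 'username ... secret'")
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            add("SNMP_DEFAULT_COMMUNITY", line, "well-known SNMP community string")
        m = re.match(r"aaa authentication login default (.+)$", line)
        if m and not {"local", "enable"} & set(m.group(1).split()):
            add("AAA_NO_FALLBACK", line, "default login list has no local/enable fallback; "
                "lockout risk when TACACS+ is unreachable unless the console uses another list")
        m = re.match(r"ip nat inside source list (\S+)", line)
        if m:
            nat_lists.add(m.group(1))
    if any(l.startswith("tacacs-server host") for l in top) and \
            not any(l.startswith("tacacs-server key") for l in top):
        add("TACACS_NO_KEY", "tacacs-server", "TACACS+ server configured without a shared key; "
            "the exchange with the server is not encrypted")
    for line in top:
        m = re.match(r"access-list (\S+) permit any$", line)
        if m and m.group(1) in nat_lists:
            add("NAT_PERMIT_ANY", line, "NAT inside source list permits any address; limit it to the LAN prefix")
    for header, body in sections.items():
        if header.startswith("line vty") and not any(b.startswith("access-class") for b in body):
            add("VTY_NO_ACL", header, "no access-class on vty lines; management reachable from any source")
        if header.startswith("interface"):
            if any(b.startswith("ppp authentication pap") for b in body):
                add("PPP_PAP", header, "PAP carries the password in cleartext; prefer CHAP where the peer supports it")
            if any(b.startswith("ppp pap sent-username") for b in body):
                add("PAP_CRED_IN_CONFIG", header, "outbound PAP credential stored in the config; "
                    "enable 'service password-encryption' and protect config backups")
    return findings


if __name__ == "__main__":
    for code, where, msg in audit(SAMPLE_CONFIG):
        print(f"{code:24} {where!r}: {msg}")
```

The PAP findings are informational where the ISP requires PAP, as the 263 example does; the others are the settings to change before such a router faces a public line. The same parser runs over any running-config captured with show running-config.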
Router2:
hostname Router2
!
enable secret 5 $1$F6EV$5U8puzNt2/o9g.t56PXHo.
!
username Router1 password cisco
!
interface Ethernet0
 ip address 10.0.1.1 255.255.255.0
!
interface Async1
 ip address 192.200.10.2 255.255.255.0
 encapsulation ppp
 async default routing
 async mode dedicated
 dialer in-band
 dialer idle-timeout 60
 dialer map ip 192.200.10.1 name Router1
 dialer-group 1
 ppp authentication chap
!
ip route 10.0.0.0 255.255.255.0 192.200.10.1
dialer-list 1 protocol ip permit
!
line con 0
line aux 0
 modem InOut
 modem autoconfigure discovery
 flowcontrol hardware
!

Related debug commands:
debug dialer
debug ppp authentication
debug ppp error
debug ppp negotiation
debug ppp packet
show dialer
3. Asynchronous dial backup for a DDN leased line

In this example the primary connection is a DDN leased line and the backup is a dial-up telephone line. While the DDN line is working, the primary interface S0 is up with its line protocol up, the backup line is in standby with its line protocol down, and all traffic goes through the primary interface. When the primary connection fails, the interface goes down, the backup interface is activated and carries the traffic.

This method is not suitable for backing up X.25. An interface encapsulated as X.25 stays up, with its line protocol up, as long as its connection to the X.25 switch is working; it takes no account of the state of the remote router it needs to talk to. So as long as the local router is healthy the backup line is never activated, even if the remote router's connection fails. Example 4 describes how to provide dial backup for X.25.

Related commands (task, then the command):

Set the delay between a change in the primary line and the corresponding change in the secondary line
    backup delay {enable-delay | never} {disable-delay | never}
Designate an interface as the backup interface
    backup interface type number

hostname c2522rb
!
enable secret 5 $1$J5vn$ceYDe2FwPhrZi6qsIIz6g0
enable password cisco
!
username c4700 password 0 cisco
ip subnet-zero
chat-script cisco-default "" "AT" TIMEOUT 30 OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script reset atz
!
interface Ethernet0
 ip address 16.122.51.254 255.255.255.0
 no ip mroute-cache
!
interface Serial0
 backup delay 10 10
 backup interface Serial2
 ip address 16.250.123.18 255.255.255.252
 no ip mroute-cache
 no fair-queue
!
interface Serial1
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial2
 physical-layer async
 ip address 16.249.123.18 255.255.255.252
 encapsulation ppp
 async mode dedicated
 dialer in-band
 dialer idle-timeout 60
 dialer map ip 16.249.123.17 name c4700 6825179
 dialer-group 1
 ppp authentication chap
!
interface Serial3
 no ip address
 shutdown
 no cdp enable
!
interface Serial4
 no ip address
 shutdown
 no cdp enable
!
interface Serial5
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial6
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial7
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial8
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial9
 no ip address
 no ip mroute-cache
 shutdown
!
interface BRI0
 no ip address
 no ip mroute-cache
 shutdown
!
router eigrp 200
 network 16.0.0.0
!
ip classless
!
dialer-list 1 protocol ip permit
!
line con 0
line 2
 script dialer cisco-default
 script reset reset
 modem InOut
 modem autoconfigure discovery
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco
 login
!
end
c2522rb#
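To make the backup delay timing concrete, the following Python model is an added example, not code from the page or from Cisco, of the behaviour described above: the backup interface is activated enable-delay seconds after the primary's line protocol goes down and returned to standby disable-delay seconds after it comes back, and a primary that recovers before the pending timer fires cancels that change (the cancellation rule is this example's assumption about IOS, not something the page states). It also replays the X.25 caveat: because the watched state, the local line protocol, never changes when only the remote router fails, the backup is never triggered. The event timelines are constructed.

```python
class BackupInterface:
    """Model of IOS 'backup interface' with 'backup delay <enable> <disable>'.

    enable_delay: seconds after the primary line protocol drops before the backup
    is activated; disable_delay: seconds after the primary returns before the
    backup goes back to standby. None stands for the keyword 'never'.
    Assumption: a primary that flaps back before a pending timer fires cancels it.
    """

    def __init__(self, enable_delay, disable_delay):
        self.enable_delay = enable_delay
        self.disable_delay = disable_delay

    def run(self, events):
        """events: time-sorted (seconds, primary_line_protocol_up) pairs.
        Returns the backup interface's transitions as (seconds, 'active'|'standby')."""
        transitions = []
        primary_up, active, pending = True, False, None   # pending = (fire_at, become_active)

        def fire(now):
            nonlocal active, pending
            if pending is not None and pending[0] <= now:
                fire_at, become_active = pending
                pending = None
                if become_active != active:
                    active = become_active
                    transitions.append((fire_at, "active" if active else "standby"))

        for t, up in events:
            fire(t)                           # expire any timer due before this event
            if up == primary_up:
                continue                      # the watched state did not change
            primary_up = up
            want_active = not up
            delay = self.enable_delay if want_active else self.disable_delay
            if want_active == active or delay is None:
                pending = None                # flap cancels the timer; 'never' arms none
            else:
                pending = (t + delay, want_active)
        if pending is not None:
            fire(pending[0])                  # let the last timer expire
        return transitions


# Constructed timeline for Serial0 (the DDN line) with 'backup delay 10 10' as in
# the c2522rb configuration: a short flap at 100 s, a real outage at 200 s that
# briefly recovers at 230 s, and a stable recovery at 300 s.
DDN_EVENTS = [(0, True), (100, False), (105, True), (200, False),
              (230, True), (235, False), (300, True)]


def ddn_failover():
    return BackupInterface(10, 10).run(DDN_EVENTS)


def x25_remote_failure():
    # With X.25 the local line protocol stays up as long as the link to the X.25
    # switch works, even while the remote router is unreachable: the watched
    # state never changes, so the backup interface is never activated.
    return BackupInterface(10, 10).run([(0, True), (100, True), (500, True)])


if __name__ == "__main__":
    print("DDN backup:", ddn_failover())
    print("X.25 remote failure:", x25_remote_failure())
```

On the constructed timeline the 5 second flap at 100 s produces no transition, the outage at 200 s activates the backup at 210 s, the 5 second recovery at 230 s is too short to bring it back to standby (the disable timer is cancelled at 235 s), and the backup returns to standby at 310 s. The X.25 timeline yields no transitions at all, which is the page's reason for using a floating static route in example 4 instead.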
4. Asynchronous dial backup for X.25

To set up dial backup for X.25, the port carrying the X.25 connection must run a dynamic routing protocol and the asynchronous dial port must use a static route. This example uses EIGRP as the routing protocol and sets the static route's metric (its administrative distance) to 200. EIGRP's default is 90, so when two paths lead to the same network the one with the lower value takes effect. When the X.25 connection fails, the router can no longer learn the route through the routing protocol, the static route takes effect and traffic goes through the dial port. When the X.25 connection recovers, the router learns the route again and, because the values differ, the dynamic route automatically replaces the static one. This provides the backup function.

Router1 configuration:
hostname router1
!
enable secret 5 $1$UTvD$99YiY2XsRMxHudcYeHn.Y.
enable password cisco
!
username router2 password cisco
ip subnet-zero
chat-script cisco-default "" "AT" TIMEOUT 30 OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script reset atz
!
interface Ethernet0
 ip address 202.96.38.100 255.255.255.0
!
interface Serial0
 ip address 202.96.0.1 255.255.255.0
 encapsulation x25
 x25 address 10112227
 x25 htc 16
 x25 map ip 202.96.0.2 10112225 broadcast
!
interface Serial1
 no ip address
 shutdown
!
interface Async 1
 ip address 202.96.1.1 255.255.255.252
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 60
 dialer map ip 202.96.1.2 name router2 modem-script cisco-default 2113470
 dialer-group 1
 ppp authentication chap
!
router eigrp 200
 redistribute connected
 network 202.96.0.0
!
ip route 202.96.37.0 255.255.255.0 202.96.1.2 200
dialer-list 1 protocol ip permit
!
line con 0
line aux 0
 script dialer cisco-default
 script reset reset
 modem InOut
 modem autoconfigure discovery
 transport input all
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware
line vty 0 4
 password cisco
 login
!
end

Router2 configuration:
hostname router2
!
enable secret 5 $1$T4IU$2cIqak8f/E4Ug6dLT0k.J0
enable password cisco
!
username router1 password cisco
ip subnet-zero
chat-script cisco-default "" "AT" TIMEOUT 30 OK "ATDT \T" TIMEOUT 30 CONNECT \c
chat-script reset atz
!
interface Ethernet0
 ip address 202.96.37.100 255.255.255.0
!
interface Serial0
 ip address 202.96.0.2 255.255.255.0
 no ip mroute-cache
 encapsulation x25
 x25 address 10112225
 x25 htc 16
 x25 map ip 202.96.0.1 10112227 broadcast
!
interface Serial1
 no ip address
 shutdown
!
interface Async1
 ip address 202.96.1.2 255.255.255.252
 encapsulation ppp
 keepalive 30
 async default routing
 async mode dedicated
 dialer in-band
 dialer idle-timeout 60
 dialer wait-for-carrier-time 120
 dialer map ip 202.96.1.1 name router1 modem-script cisco-default 2113469
 dialer-group 1
 ppp authentication chap
!
router eigrp 200
 redistribute static
 network 202.96.0.0
!
no ip classless
ip route 202.96.38.0 255.255.255.0 202.96.1.1 200
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
line aux 0
 script reset reset
 modem InOut
 modem autoconfigure discovery
 transport input all
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware
line vty 0 4
 password cisco
 login
!
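The route selection that section 4 relies on (an EIGRP route at distance 90 over X.25 against a floating static route at 200 over the dial line), as an added Python example that is not code from the page or from Cisco. It models a minimal routing table that installs the candidate with the lowest administrative distance, replays Router1's view as the X.25 route is learned, lost and re-learned, and also shows what would happen if the static route were left at the IOS default distance of 1: it would always win and the dial line would carry traffic even while X.25 is healthy. The prefix and next hops are taken from the Router1 configuration above; the Rib and Route names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str        # "eigrp" or "static"
    distance: int      # administrative distance
    next_hop: str


class Rib:
    """Minimal routing table: one candidate per (prefix, source); the candidate
    with the lowest administrative distance is the one in use. Ties go to the
    earlier-installed candidate (a real router would compare metrics next)."""

    def __init__(self):
        self.candidates = {}

    def install(self, route):
        self.candidates.setdefault(route.prefix, {})[route.source] = route

    def withdraw(self, prefix, source):
        self.candidates.get(prefix, {}).pop(source, None)

    def best(self, prefix):
        cands = list(self.candidates.get(prefix, {}).values())
        return min(cands, key=lambda r: r.distance) if cands else None


PREFIX = "202.96.37.0/24"          # Router2's LAN as seen from Router1 on the page
EIGRP_NEXT_HOP = "202.96.0.2"      # Router2 over the X.25 link (Serial0)
DIAL_NEXT_HOP = "202.96.1.2"       # Router2 over the async dial line (Async 1)


def floating_static_scenario(static_distance=200):
    """Replay Router1's view: an EIGRP route (distance 90) learned over X.25 versus
    'ip route 202.96.37.0 255.255.255.0 202.96.1.2 <static_distance>'.
    Returns (event, next hop in use) for each step."""
    rib = Rib()
    rib.install(Route(PREFIX, "static", static_distance, DIAL_NEXT_HOP))
    eigrp = Route(PREFIX, "eigrp", 90, EIGRP_NEXT_HOP)
    steps = []
    rib.install(eigrp)                       # X.25 up: route learned from Router2
    steps.append(("x25 up, eigrp learned", rib.best(PREFIX).next_hop))
    rib.withdraw(PREFIX, "eigrp")            # X.25 fails: the EIGRP route is lost
    steps.append(("x25 down, eigrp lost", rib.best(PREFIX).next_hop))
    rib.install(eigrp)                       # X.25 restored: route learned again
    steps.append(("x25 restored", rib.best(PREFIX).next_hop))
    return steps


if __name__ == "__main__":
    for event, hop in floating_static_scenario():
        print(f"{event:24} -> {hop}")
    print("static at distance 1:", [hop for _, hop in floating_static_scenario(1)])
```

With the static route at 200 the dial next hop is used only while the EIGRP route is absent, which is exactly the backup behaviour the text describes; with the static route at the default distance of 1 every step selects the dial line, so the distance value on the ip route line is what makes the route "floating".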