Cisco Routers

Cisco routers provide access to applications and services, and integrate technologies

IP Phone - Cisco

IP phone takes full advantage of converged voice and data networks, while retaining the convenience and user-friendliness you expect from a business phone...

WAN - Cisco Systems

Transform your WAN to deliver high-performance, highly secure, and reliable services to unite campus, data center, and branch networks.

EtherChannel - Cisco Systems

EtherChannel provides incremental trunk speeds between Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet. EtherChannel combines multiple Fast ...

Looking Toward the Future - Cisco Systems

Looking Toward the Future by Vint Cerf. The Internet Corporation for Assigned Names and Numbers (ICANN) was formed 9 years ago....

Pages

Sunday, December 11, 2011

Cisco Telephony Providing...

     Cisco Telephony Providing The Very Best In Communications Hardware. Every modern business has come to depend upon up to date information and communication technology hardware within the last couple of decades. 

      The manner in which businesses operate has noticeably changed due to modern communications having advanced. There are not many aspects of the business world which have not developed with such improvements. For a business to keep up their presence in the market they have to make sure that the their hardware and software is both current and fully maintained.

In-depth Analys Of Network Cabling

     ‘Networking’, is a term that is commonly used for PCs and laptops, which have already become essential parts of our daily lives, nowadays. Because of this, it is not unusual to find a computer or laptop in each and every home and office. And in organizations, where numerous computers are already present, a good network topologies system becomes a must to have in place, because it lets the people work impeccably and accomplish the maximum output. Apart from this, the data cable which is used for networking is the only source for sharing data between various computers at a time.

     Moreover, networking is also termed as the mainstay for any business,

Better network management


     Companies now are looking forward to better network management. Better network management means better and more effective productivity. All problems related to network management are taken care of with great care in all companies.

     Companies are looking forward to tools and software which shall you with your network configuration management. T FTP server for network is a new revolution which is being introduced by Spice-works for all its users in September 2010. The main benefit of this server is it’s built in T FTP server which is completely free.

      There are a number of functional benefits for those who use T FTP server for network.

Wednesday, December 7, 2011

OSI Model to Troubleshoot Networks


       Some of you might be thinking “theoretical models don’t help me” or “the OSI model is just some engineering thing for the nerds”. However, in reality, it is quite the opposite. The OSI model can help you. Let me show you how.
Using the OSI model

       First off, I want you to have a visual image of the OSI mode. It looks like this:
This graphic is courtesy of the Abdus Salam International Centre for Theoretical Physics
       On the left hand side is a user. On the right hand side, you could have a server. Every request AND response has to travel from the left, down every layer, to the physical layer, across the physical layer, up the layers on the right, and up to the server on the top right hand corner.

Voice VLAN QoS Policy


       The following is a basic QoS Policy for a branch office router to prioritize voice traffic . The assumption made is that the voice traffic is marked at source (i.e. ip phones). This is an example of a LLQ (Low Latency Queue) in which voice traffic is placed in a priority queue and all other traffic is placed in a WFQ (Weighted Fair Queue). DMVPN is being used for connectivity back to the main office so we have to use the qos pre-classify command to ensure QoS is applied before data is encrypted and markings on the tunneled packets are preserved. Congestion management and avoidance is implement using a WFQ (Weighted Fair Queue) and WRED (Weighted Random Early Discard) for all non voice traffic.



class-map match-all VOICE
match ip dscp ef
class-map match-any CALL-SIGNALING
match ip dscp cs3
class-map match-any CRITICAL-DATA
match ip dscp cs6
match ip dscp af21 af22
match ip dscp cs2
policy-map WAN-EDGE
class VOICE

priority 256
class CALL-SIGNALING
bandwidth 32
class CRITICAL-DATA

Network Security

       An enterprise network design must include security measures to mitigate network attacks. Fortunately, with the modularity of the Cisco Enterprise Architecture, you can address security concerns on a module-by-module basis. This section introduces the concept of a security policy, reviews various types of network attacks, discusses the elements of the Cisco Self-Defending Network, and helps you select appropriate security design components for the various locations in an enterprise network.

Network Security Concepts
       Organizational requirements and potential threats drive the scope of a security design. At its essence, network security measures should not only defend against attacks and guard against unauthorized access, these measures should also prevent data theft and comply with security legislation, industry standards, and company policy.

       Consider the following threats and risks facing today’s enterprise networks:

Threats:
  • Reconnaissance—A reconnaissance attack gathers information about the target of an attack (for example, the customer’s network). For example, a reconnaissance attack might use a port-scanning utility to determine what ports (for example, Telnet or FTP ports) are open on various network hosts.
  • Gaining system access—After attackers gather information about their target, they often attempt to gain access to the system. One approach is to use social egnineering, where they convince a legitimate user of the system to provide their login credentials. Other approaches for gaining access include exploiting known system vulnerabilities or physically accessing the system.
  • Denial of service (DoS)—A DoS attack can flood a system with traffic, thereby consuming the system’s processor and bandwidth. Even though the attacker does not gain system access with a DoS attack, the system becomes unusable for legitimate users.

Thursday, December 1, 2011

Why Move To IPv6?

       I did a post last week titled Are You Ready for IPv6? where I share some of my thoughts on IPv6 and the allocation of the last IPv4 /8 blocks. Since then, I've done some more reading and found a couple of very useful podcasts by Greg Ferro and Ethan Banks. It is where I first heard about v6RD.

There are real reasons to move to IPv6. I recall a few statistics and examples from years ago that illustrate the need for IPv6. Addressing every school in China would have exhausted the available IPv4 address space even a few years ago when many more IPv4 addresses were available. The other example is addressing all the power meters in the country. Think about all the power meters you see around and the effort that goes into reading them on a regular basis. Addressing each meter and building a way to network them back to the power provider allows them to be read with fully automated mechanisms. That volume of addresses that was required was also bigger than the then-available IPv4 address space (and perhaps even a big chunk of all the IPv4 address space, regardless of whether it is used or not). So we definitely need more address space. And some of the functions within IPv6 are useful, such as auto-configuration, which would be very beneficial for power meter addressing.
  • Training the network staff to handle IPv6 configuration and troubleshooting.
  • Any application that uses IP addresses internally or that sends IP addresses in messages to other systems will need to be modified.
  • pplication developers will need to modify and validate applications to use DNS to translate system names into IPv6 addresses. Some applications are very expensive to modify. I know of several health care applications and products that use hard-coded IP addresses (no DNS) and that the vendor requires payment to modify embedded addresses. Because many of these products are certified by the Food and Drug Administration, they cannot be modified without going through another validation and acceptance process. I don't see this happening anytime soon.
  • Dual-stack support (or a similar mechanism) will be required by the e-commerce sites because many customers will be on legacy IPv4 networks while other customers will have transitioned to IPv6.
  • Firewalls and ACLs will need to be updated to perform equivalent functions for both IPv4 and IPv6. Keeping changes to firewall rules and ACLs in sync will be problematic at best.
  • Network management systems will need to handle IPv6. Address fields will need to be much larger. The NMS databases will grow in size and NMS developers will need to spend time looking at how they display device and interface information. And how is the NMS supposed to display the information about an interface that is configured for both IPv4 and IPv6? Maybe IPv6 will force the industry to start using logical names instead of addresses.
  • What does IPAM in IPv6 look like? Each subnet is a /64, on which there are 2^^64 host addresses. Displaying an IP address map of the entire address space doesn't make sense. Perhaps it should display the locally-assigned part of the address (exclude the site prefix and the host part of the address) and show the number of systems that exist in the subnet. IPAM will still be needed to help track which subnets have been allocated and where they are allocated. If you want to track end stations, the NMS will need to query the routers and switches to find the end station addresses or you'll need to use DHCP for IPv6.
  • Firewall rules and ACL entries need to be replicated into IPv6, with certain exceptions for ICMP that IPv6 uses for neighbor discovery.
In summary, I see a lot of costs and not much economic benefit to offset those costs. However, I'm looking forward to exhaustion of IPv4 space. It is going to create a whole new line of consulting and network management work as companies start to figure out what to do about it. You can think of it as the Y2K event of this decade.

The points I make above are why organizations won't move to IPv6. It is quite possible that I've overlooked some reasons why organizations should aggressively move to IPv6.  The only incentive that I can identify is for organizations to be internationally competitive. Any information that you may have regarding economic incentives to implement IPv6 are greatly appreciated. Please post a comment if you know something that I have overlooked.

For some additional reading, check out the following links:


Thank you to

Why is the Application Slow?

We've all encountered situations where an application is slow and the network gets blamed. I've been having some fun working with our Terry Slattery on consulting work to determine why a specific six applications are slow.  He's come up with some good insights into the applications at this particular site. And we've been talking about some of the reasons why applications might be slow. Yes, it might be the network. It also might be the application, particularly if the application writer or toolkit is oblivious to what it is doing in network terms. 

I started brainstorming to come up with a list of ideas for things that could make an application slow, breaking it out by whether the cause is an application or a network problem. Some of these are items Terry touched upon in his recent blogs. I was thinking about blogging about them individually or in small groups, then decided a check-list of things to consider might be useful.

Wednesday, November 30, 2011

Cisco Monitor Common Mistakes

I am going to touch on common mistakes in cisco network monitoring today. You know for sure that you need a network-monitoring tool for managing your network. There are wide varieties of tools available that range from simple to complex and free to enterprise ones.
If you get one monitoring tool and install it, can you say that everything is under control? Are you going to be aware of what happened in your network? I will try to warn you about common mistakes in Cisco network monitoring. Actually, these mistakes are common for any kind of network however my experience on Cisco environment.

1. Monitoring without documentation
If you are monitoring your network and don’t have the complete network documentation, then it will not be clear whether monitoring is beneficial or not. How can you be sure about reliability of your monitoring system without knowing exact number of devices, their models and their interconnections?

Network Monitoring Tools

What are your daily duties as the network administrator? You have to keep your network up and running. You have to answer calls which may relate to situations like “X location is down” or “Y location is slow”. You should monitor your network as described below to fulfill the tasks.


  • You should monitor your network and take actions with respect to situations like device and line failures.
  • You should analyze line utilizations, errors on the line and be sure about network performance.
  • You should be aware of who talks with whom? How much bandwidth is needed for every single application?
  • And sometimes, you need to see exact data flow over the network.
If you have all these information ready, then people will think twice before they point finger at you. How can you achieve this?

We need a layered approach to understand network monitoring. I am not talking about network layers, but network monitoring layers. We have to involve deeply to monitoring layers before decide about network monitoring software needs. A simple summary could be like below.

  • Preconditions of network monitoring.
  • Up/Down monitoring
  • Performance Monitoring / SNMP monitoring
  • Who talks with whom? / Netflow monitoring
  • Data capture / Data sniffing


Preconditions of Network Monitoring
Network documentation is essential to monitor a network. Trying to set up network monitoring tools before going through the documentation is complete waste of time. You will see everything green on the screen, but this maybe due to one of the redundant lines that are down. You will sit staring without knowing what is happening. Always remember, documentation comes first and everything follows.
Suggested monitoring tools: Powerpoint/Visio, NetViz



Up/Down monitoring
You have a map in which you can see some red and green lights glowing. Green means up and red means down. It is simple yet powerful. You will immediately come to know that there is some problem if the red light glows.
This is based on ping. Almost every IP devices support echo/echo reply. So, you can monitor all IP devices in your network by using ping. You go one step further by monitoring one application at a time present on a device instead of whole device. All network applications utilize TCP/UDP ports. You can monitor the applications by trying to access with telnet to its TCP/UDP ports. The port being open suggests that the application is running

Suggested monitoring tools: WhatsupGold, nmap


Performance monitoring / SNMP monitoring
The lines are up, the devices are up, but life is not perfect. People complain about performance of data lines. Are they saturated? Do we have package losses on the lines? Are routers running out of memory? We need SNMP to monitor heart beat of the network.

Suggested monitoring tools: MRTG, Solarwinds Orion, PRTG


Who talks with whom? / Netflow monitoring
You realized that the line is full. Someone / some applications make increase traffic load enormously. Who are they? Is it necessary traffic? In Cisco devices, by using “ip accounting” command we can get an idea of current traffic sources and destinations. Nevertheless, to analyze and to optimize the traffic we need flow monitoring. We need to know source and destination IP addresses and TCP/UDP ports and number of packages/bytes.
Everyone blames the network speed until you publish the network usage report that clearly shows only 15% of the traffic is ERP traffic and rest comes Internet access.
You should know that flow monitoring tools requires more server resources, since they collect enormous amount of data.

Suggested monitoring tools: Fluke Netflow monitor, Paasler


Data capture / RMON – Sniffer tools
Sometimes you need to observe the exact data flow on the line and not just information about it. Just have a look at this sample scenario. After you find out that the web service causes inappropriately high network traffic, the owner of the application just can say “No, we are not pushing this much of data to network. We just respond Yes or No in this web service and it is just 100 bytes”. Therefore, you should sniff the data flow on the line. Maybe, you will find that web service responds yes or no (100 bytes) and with the definition of web service (6 kilobytes).

Suggested monitoring tools: Wireshark

Advanced SSH settings Cisco IOS

I mentioned about basic SSH setting in SSH@Cisco article. But I saw that there are other questions about SSH settings, so, I decided to dive a bit deeper. The settings mentioned below are tested with IOS 12.4, but I am not sure about exact version that supports below features.

Q1. What happens if I changed hostname or ip domain name after SSH settings has been done?
A1. Nothing. You need them to create rsa keys but, but afterwards, if you change them, only the key name changes and key data remain same.

ciscolab#sh crypto key mypubkey rsa

SSH @ Cisco

       Recently, I had to swap the Internet router of my company. BGP and cef ate up the whole memory and it was not possible to upgrade the memory of Cisco 3725 router beyond 256MB. It was time to change it.

       I had a chance to install a new Cisco 3845 with 1GB memory. Everything was fine except SSH access that I needed because of security policy. I searched the web and found “Configuring Secure Shell on Routers and Switches Running Cisco IOS” document on Cisco web site. It was a little bit different than current one. I made a configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that
  • SSH only supports authentication with username/password, but it does not support just access password like telnet
  • So, I had to create a user and set a password with username command
  • I had to enable aaa new-model OR issue login local command under line vty for username/password authentication.
  • Also a hostname and a domain name were required to generate the keys, since router uses its FQDN as the label of the key pair.
  • SSH is enabled by default and I do not need to enable it myself.

Thursday, November 24, 2011

Top five learning tools


  1. Guide to network adminGood network administration is the backbone of today's technology-dependent enterprises. Network administrators are charged with keeping expansive networks and numerous applications running smoothly, and the job can seem overwhelming at times. We're coming to the rescue with this guide that brings you back to basics. We polled our readers about their most common tasks to find out what the heart and soul of network administration consists of

Hardware/Software Life Cycle

Hardware Life Cycle
On lists of hardware recommendations, you will see a status value which may be one of these four options:
Early Adoption – equipment is new and is undergoing validation testing in company's network. Sites installing hardware of this type do so at their own risk but we do encourage a certain amount of creativity and look forward to receiving feedback on the community's experiences.
We recommend early adoption hardware is installed in a low risk part of the network.

Current Recommended – equipment is recommended wherever possible for new installations.
Current Alternati ve – equipment is still current and supported, but the latest Company networking engineering standard

IOS Commands

Privileged Mode
   enable - get to privileged mode
   disable - get to user mode
Configuring the Router
   sh running-config - details the running configuration file (RAM)
   sh startup-config - displays the configuration stored in NVRAM
   setup - Will start the the automatic setup; the same as when you first boot the router
   config t - use to execute configuration commands from the terminal
   config mem - executes configuration commands stored in NVRAM; copies startup-config to running-config
   config net - used to retrieve configuration info from a TFTP server
   copy running-config startup-config - copies saved config in running config (RAM) to NVRAM or "write memory" for IOS under ver.11

Wednesday, November 23, 2011

Troubleshooting Strategy

How do you know when you are having a network problem? The answer to this question depends on your site's network configuration and on your network's normal behavior. See "Knowing Your Network" for more information.

If you notice changes on your network, ask the following questions:
Has this event ever occurred before?
  • Is the change expected or unusual?
  • Does the change involve a device or network path for which you already have a backup solution in place?
  • Does the change interfere with vital network operations?
  • Does the change affect one or many devices or network paths?
After you have an idea of how the change is affecting your network, you can categorize it as critical or noncritical. Both of these categories need
By using a strategy for network troubleshooting, you can approach a problem methodically and resolve it with minimal disruption to network users. It is also important to have an accurate and detailed map of your current network environment.

Knowledge of Networking Practices

1 Implementing the Installation of the Network 
     1.1 Demonstrate awareness that administrative and test accounts, passwords, IP addresses, IP configurations, relevant SOPs, etc., must be obtained prior to network implementation.

    1.2 Explain the impact of environmental factors on computer networks. Given a network installation scenario, identify unexpected or atypical conditions that could either cause problems for the network or signify that a problem condition already exists, including
     ·         room conditions (e.g., humidity, heat, etc.)
     ·      it's important to setup the room with normal humidity to prevent electrostatic discharge (ESD), air conditioning to prevent CPU overheating and system shutdown

Tuesday, November 22, 2011

Troubleshooting the Network

How To Troubleshooting The Network

Recognize the following steps as a systematic approach to identifying the extent of a network problem and, given a problem scenario, select the appropriate next step based on this approach:
   1. determine whether the problem exists across the network,
   2. determine whether the problem is workstation, workgroup, LAN or WAN,
   3. determine whether the problem is consistent and replicable, and
   4. use standard troubleshooting methods.


Identify the following steps as a systematic approach for troubleshooting network problems and, given a problem scenario, select the appropriate next step based on this approach:
   1. identify the exact issue,
   2. recreate the problem,
   3. isolate the cause,
   4. formulate a correction,
   5. implememt the correction,
   6. test,
   7. document the problem and the solution, and
   8. give feedback.

Baseline & network health facts

- Ethernet segments should not exceed 40% Network Utilization
- Token Ring should not exceed 70% Network Utilization
- WAN Links should not exceed 70% Network Utilization
- Response time should be less than 100ms
- Broadcasts/Multicasts should be no more than 20% of all network traffic
- On Ethernet there should be no more than 1 CRC error per 1million bytes of data
- Cisco Router CPU Utilization should not exceed 75%

Saturday, November 19, 2011

Data Center Access/ Visitor

Procedure Background
       In order to reduce physical exposures to data center equipment, production operations and backed up application data files, access controls are required. This is a preventive measure to safeguard the continuous operation of Company Hubs. Data center access audits are performed quarterly and door checks are performed weekly.


· The Data Center Facilities Team Lead is responsible to ensure that all IT personnel adhere to the policy of applying for data center access.
· See contact list for appropriate contacts.
· Any member of the workforce may STOP any WORK in progress due to unsafe work methods, conditions causing the area to be unsafe, emergency, or for any other Data Center operational necessity. 

802.1x Authentication

Figure 1: IOS Version Required
Figure 2: Cisco 3560, 3750, 4500, 6500 802.1x Configuration
Figure 3: Cisco 3560, 2750, 4500, 6500 802.1x Configuration Removal

  
1.  Introduction

          The objective of this content is to provide an overview of the 802.1x capability of the Cisco IOS Switches.  This allows stakeholders to determine whether port-based authentication using 802.1x is a viable option for their specific scenario as well as how the technology works to keep resources secure.
          This content is designed to provide network engineers with the skills and knowledge to effectively deploy and troubleshoot network based authentication using 802.1x.  Configuration examples are provided to assist the engineer in adding 802.1x port security to the Cisco devices.  Known issues and questions are addressed to help educate users and engineers that

802.1x Features
          The 802.1x feature will secure physical network ports or wireless connections by requiring valid authentication.  802.1x is a way to make sure a user is who they say they are by checking their credentials against an authentication server. 
This server can be designed specifically for authenticating users on the network, or can have multi-purposes such as Active Directory authentication or Radius Servers being used for authentication other than networking.

          802.1x uses a supplicant (user), authenticator (switch or access point), and an authentication server (Radius Server).  The supplicant notifies the authenticator that it would like to be authenticated.  Once the authenticator receives this request, it will forward this information to the authentication server for validation.  This information can be in many forms including username/password, machine based certificate, or smart badge based certificate.  These credentials will be checked against the server in order to allow the supplicant access to the authenticator.  Once access is granted to the supplicant, the user is able to make use of the network resources.  If a supplicant is not authorized, the network administrator can determine the access level that is granted.  An unauthorized supplicant can be denied any service on the network, placed into a quarantine network, or into an “Internet-only” vlan.  Administrators have complete control placement of an unauthorized supplicant.

2. Direction
          Company has many sites in which 3rd Party collaboration takes place.  802.1x is one method of securing a network that could possibly be accessed by unauthorized users.  By requiring authentication credentials, a network connection can be locked down protecting corporate resources that would otherwise be available on an unsecured connection. 
Smart Badge capability was initially chosen as the authentication that would be used as it has been deployed globally. All machines have the same image using the Global Information Link 3 () configuration.  Using Smart Badge based certificates has proven to be an obstacle due to the need of a user to input a PIN.  An alternative to using a Smart Badge based certificate is to use a machine based certificate placed on each laptop or workstation.  This machine certificate allows a device to be placed on the Company network without user intervention.  Devices  not containing the machine certificate are not allowed Company network access.  Access to the device and Companys’ network will continue to require Smartbadge authentication – restricting unauthorized users from taking an unattended Company authenticated device and placing them on the network.
          The EAP type was chosen as EAP-TLS that uses certificates on the Smart Badge.  The EAP-TLS protocol is used by the Steel-Belted Radius, which is currently the Company Wireless LAN authentication server.

Requirements
          Connecting Device: Any device connecting to the switch port should be able to perform EAP authentication. This functionality is provided by an EAP supplicant. The  computers have a native Microsoft EAP supplicant that needs to be enabled. A GOP package has been created to enable the EAP supplicant on the  computers.
          The authentication of the EAP enabled  computers has been tested and is working fine.
          Non-EAP devices such as printers and other peripherals will authenticate using their MAC address. The Network Assets team is presently working on the backend MAC based authentication infrastructure for non-EAP enabled devices.
          The Cisco IP Phones have an EAP supplicant, version 8.5.2 of the IP phone load. Network Assets team is presently working on testing the new IP phone image. The Network Assets team is planning to conduct testing on the 6500, 4500, 3K & 2K switches.
          Switches that have been tested working with 802.1x include Cisco 3750, 3560, 4500, and 6500 series Catalyst Switches.
          802.1x has been tested using specific versions of IOS.  A list of required versions to be used can be seen below in table 1.  In most cases, any version higher than what is listed will suffice as a requirement.
Switch
IOS Version
3560

3750
12.2(53)SE
4500
12.2(53)SG1
6500
12.2(33)SXI
3. Configuration
Cisco 3560, 3750, 4500, 6500 Configuration and Troubleshooting

Adding Configuration 802.1x has three parts to the configuration. 
     1. 802.1x Global Configuration
     2. Radius Server Authentication
     3. nterface Configuration


Configuration is detailed in figure 1.
                       (***802.1x Global Configuration***)
                        802.1x-Switch(config)# aaa authentication dot1x default group radius
                        802.1x-Switch(config)# dot1x system-auth-control

                        (***Radius Server Authentication Global Configuration***)
                        802.1x-Switch(config)# radius-server host 146.23.102.28 auth-port 1645
                        acct-port 1646
                        802.1x-Switch(config)# radius-server key 7 011B09110A5D561C2D1F

                        (***Interface Configuration***)
                        802.1x-Switch(config)# interface GigabitEthernet0/1
                        802.1x-Switch(config-if)# dot1x pae authenticator
                        802.1x-Switch(config-if)# dot1x port-control auto
                        802.1x-Switch(config-if)# dot1x violation-mode protect


Figure 2: Cisco 3560, 3750, 4500, 6500 802.1x Configuration

Removing Configuration
  If 802.1x requires removal from an interface, only the interface needs to be changed (See figure 2).  The global configuration for 802.1x and Radius Server authentication can remain on the switch.
                        (***Removing 802.1x Interface Configuration***)
                        802.1x-Switch(config)# interface GigabitEthernet5/27
                        802.1x-Switch(config-if)# no authentication port-control auto
                        802.1x-Switch(config-if)# no authentication violation restrict
                        802.1x-Switch(config-if)# no dot1x pae authenticator

Figure 3: Cisco 3560, 3750, 4500, 6500 802.1x Configuration Removal

References:  Introduction to IEEE 802.1x and Cisco Identity-Based Networking Services

Cisco 3G Aircard Configuration


1. Introduction
      Wireless services offer a compelling alternative to traditional terrestrial services, and with the increasing expansion of the Service Provider offerings in the 3G space, this offers the network designer a new exciting paradigm in Wide Area Network design:
              • a cheap alternative to leased line or satellite services
              • a high-speed wireless option for backup connectivity
              • an alternative to physical wireline infrastructure
              • business continuity and disaster recovery alternatives
       3G is the third generation of mobile technology standards which allow Service Providers the ability to deliver High Speed Packet Access (HSPA) data capabilities.  3G services are commonly associated to cellular phone technology and individual user-based aircard services; however, Cisco offers an integrated 3G interface card which will allow a router to take advantage of 3G services such as those typically only available to a mobile, individual user.
      It should be noted that 3G service is a subscription-based service, and use of that service requires an account with the vendor/provider offering that service.
      The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119


2. Aircard Installation & Activation
      Cisco 3G aircards are part of the HWIC, or High-Speed WAN Interface Card family, and have a part number beginning with HWIC-3G-CDMA.  This is going to be followed by another letter, which will represent the vendor associated with the aircard you have chosen.  For the remainder of this document, we will be referencing the “-V” option, which is associated to the Verizon Wireless service.  It is also worth noting that the RECOMMENDED service for the company in North America is the Verizon Wireless aircard service.
The following parts are used to assist in this configuration guide:
          • Cisco 2811 Integrated Services Router
               o   12.4(15)T7 Software Code (c2800nm-advipservicesk9-mz.124-15.T7.bin) – it should be noted that the 3G cards only work with a select version of IOS software.
               o    256MB DRAM
               o    64MB Compact Flash
          • HWIC-3G-CDMA-V aircard
               o    3G-ANTM1919D antenna (x2) – two antennae are required to achieve maximum throughput

   2.1 Installation
           Since the 3G aircards are part of the HWIC family, they need to be installed in an HWIC slot.  (The appendix of this document includes a table of ISR routers and the number of HWIC slots in each.)  Before installation, record the ESN number off of the aircard; this will be used to request activation of the aircard.
           If you forget to record the ESN, don’t worry about removing the card to record it, as you can also retrieve the information from within the command line interface (CLI).
                    Router2811#sho cellular 0/0/0 hardware
                    !
                    Modem Firmware Version = p2005700
                    Modem Firmware built = 12-14-06
                    Hardware Version = 2.0
                    Electronic Serial Number (ESN) = 0x603C97F6
                    Preferred Roaming List (PRL) Version = 50783
                    Current Modem Temperature = 26 degrees Celsius

   2.1. Activation
           The next step will be to activate the aircard.  In order to activate the aircard, you need to be connected on the Verizon Wireless REV-A (1xRTT/EVDO) network.  You can verify this with the following command/output:

3.Configuring the Aircard.
      For the purposes of this document, a simple configuration is used to establish basic connectivity.  The appendix includes a slightly more detailed configuration option, including local DHCP services for end-user connectivity needs.
The following commands are the minimum required configuration to establish connectivity to the Verizon Wireless 3G / REV-A network. 
         1.chat-script <script name> ”” “ATDT#777” TIMEOUT <timeout value> CONNECT
              The chat script defines the ATDT commands for when the dialer is initiated.  For this document, we use the chat script name of ‘VZW’

         2.interface cellular <slot/wic/port>
              For the sake of this document, we are using slot 0, wic 0, and port 0 – or 0/0/0.

         3.ip address negotiated
              The Cellular interface MUST be configured to retrieve an IP address from the provider via PPP/IPCP negotiation.
         4.dialer in-band
               This enabled dial-on-demand routing, or DDR, and the use of a chat script.

         5.dialer idle-timeout <seconds>
              The ‘dialer idle-timeout’ is the amount of inactive time before the interface is disconnected.  A RECOMMENDED value is 300, or 5 minutes.  If you are on a pay-per-use plan, it would be good to set this value to something more like 30 seconds to reduce the length of time connected without any ‘interesting’ traffic.

         6.dialer string <string>
              The ‘dialer string’ is the number to call – here you will specify the name of the chat script.

         7.dialer group <number>
              Associates the Cellular interface with a dialer access group.

         8.ppp chap hostname <hostname>
              This will specify the wireless hostname to use when authenticating to the 3G network. This username is your aircard 10-digit phone number, appended with
‘@vzw3g.com’.  Or, to find your phone number with the proper sufix already appended, execute the command ‘show cellular x/x/x profile’.  The command output is shortened for brevity.
                     Router2811#sho cellular 0/0/0 network
                     !
                     Current Service = 1xEV-DO (Rev A) and 1xRTT


      Additionally, you need to have a radio signal of better than -90dBm, and better than -80dBm for maximum throughput.  You can verify the received signal strength indication (RSSI) with the following command/output:
                     Router2811#sho cellular 0/0/0 radio
                     !
                     1xRTT related info
                     ------------------

                     Current RSSI = -44 dBm, ECIO = -4 dBm     
                     Note that a value of zero (0) indicates no signal.


       Some aircards may have been shipped with REV-A capabilities disabled.  To ensure that your aircard is REV-A capable, please execute the following commands to ensure that your aircard is REV-A enabled:
                     Router2811#config terminal
                     Enter configuration commands, one per line.  End with CNTL/Z.
                     Router2811(config)#service internal
                     Router2811(config)#exit
                     Router2811#test cellular 0/0/0 cdma rev-a enable
                     EVDO Rev A enabled successfully
                     Router2811#



Your aircard is now activated and ready for configuration.