CertCities.com -- The Ultimate Site for Certified IT Professionals



More Than Meets the Eye: Cisco's Remote Access Exam
Cisco’s newest version of the Remote Access exam (BCRAN 642-821) tests your knowledge of asynchronous modems, frame relay, DSL routers, ISDN and more.


by Andy Barkl

3/22/2005 -- The current version of Cisco’s Remote Access exam builds upon the areas covered in previous tests but has been updated to include some of the latest remote access methods with exam simulations. The exam’s difficulty level has risen along with this increase in required knowledge.

Exam Spotlight

Exam: #642-821: Building Cisco Remote Access Networks (Remote Access)
Vendor: Cisco Systems
Status: Live. Available at Pearson Vue and Prometric testing centers worldwide.
Reviewer's Rating: "The Remote Access exam has been updated again, and it includes all the remote access technologies with simulators."
Test Information: Approx. 71 questions, 90 minutes, passing score of 790. Cost: $125 (U.S.).
Who Should Take This Exam? Candidates for CCNP.
Test Objectives: Click here

Since the Cisco Certified Network Professional (CCNP) certification was created in 1998, I’ve taken all versions of the required Remote Access exam dating back to December 2001. And while the previous versions of the Remote Access exams were easier for me than other CCNP exams, this new exam considerably ups the ante from its predecessor.

Cisco’s Building Cisco Remote Access Networks (BCRAN 642-821) exam is usually preceded, for most CCNP candidates, by the BSCI (642-801 Routing) and the BCMSN (Switching 642-811) exams, with the CIT (Support 642-831) exam taken last.

For my particular exam, I was given 71 questions and 90 minutes to complete the exam. Passing score was 790. The test is made up of simulations and advanced question types, such as pick-and-place or drag-and-drop; all other questions are of the standard multiple-choice format where you select one or more correct answers as indicated. There are “exhibits of text” in some questions which require you to analyze the output and choose the correct answer.

According to the official Cisco BCRAN exam objectives page, “The exam will certify that the successful candidate has important knowledge and skills necessary to describe, configure, operate, and troubleshoot WAN and remote access solutions. The exam covers topics on general knowledge of WAN technologies, implementation and operation, planning and design, and troubleshooting.” I highly recommend you use this as your template to prepare for the exam.

To master all of the listed exam objectives, there are: self-study guides; the official Cisco BCRAN course, if you prefer instructor-led training; and plenty of resources freely available at Cisco.com. To get you started, here are the general areas covered on the Remote Access exam:

  • WAN
  • PPP
  • Frame relay
  • ISDN
  • Dial-up
  • VPN

As its name suggests, the Remote Access exam requires knowledge of many remote access technologies. I’ll address the primary things to study for by mapping to the official objectives.

Some of the various remote access concepts covered on this exam include:

  • Permanent virtual circuits (PVC) link two routers and a frame relay switch in frame relay networks.
  • ISDN comes in two flavors, basic rate interface (BRI) and primary rate interface (PRI).
  • PPP offers authentication using PAP or CHAP.
  • Port address translation (PAT) is many-to-one network address translation (NAT).
  • Reverse Telnet is used to test the modem connected to a remote access server’s incoming line.
  • Typical DSL can reach 18,000 feet from a central office.

There are a few select IOS commands you should be familiar with for the exam. The command encapsulation frame-relay ietf, for example, is used to configure frame relay encapsulation on serial interfaces. Remember, this is done per physical interface, whereas sub-interfaces are used for the specifics of frame relay virtual circuits or connections. HDLC is the default encapsulation on Cisco router serial interfaces.

Tip: Practice configuring a router for frame relay operation. You may be required to exhibit this knowledge on the exam!

Frame Relay
The frame relay LMI type is autosensed; the supported types are ansi, cisco (default) and q933a. The frame-relay map command is used to configure static address mappings. The commands used to verify frame relay operation are:

  • show interface serial
  • show frame-relay pvc
  • show frame-relay lmi

    Tip: Frame relay implements two congestion-notification mechanisms: forward-explicit congestion notification (FECN) and backward-explicit congestion notification (BECN).

Establishing a dedicated frame relay connection and controlling traffic flow is required knowledge for this exam, specifically the commands to configure and troubleshoot frame relay. The frame relay encapsulation, LMIs, map configuration and show commands were previously mentioned, so I’ll focus on the ones needed for controlling traffic flow.

The map-class frame-relay map-class-name command allows you to configure shaping. This is where you can define the average and peak rates, specify the data rate based on BECNs received, and specify a custom or priority queue list. Then using the frame-relay traffic-shaping command with frame-relay class map-class-name, you can control traffic flow.

You’ll be expected to understand how to enable a backup to a permanent connection and to select, from an exhibit list, the commands required to configure a backup connection that activates on a primary link failure or when a threshold is reached. Using the commands interface serial X, backup interface interface-type number and backup delay, you can configure a link to provide backup. These could be used in the case of ISDN or dialup when needed; an alternative is to use a floating static route, which is given an administrative distance greater than that of the dynamic route so that it is used only when the dynamically learned path is unreachable. One of the many commands for verifying and troubleshooting would be show interface dialer.

ISDN
The details of ISDN BRI are essential knowledge, and its possibilities are endless. ISDN is a circuit-switched connection technology requiring call setup and tear-down but operates at a much faster rate than asynchronous analog modems. Dedicated circuits, also known as leased lines (e.g., point-to-point), are not shared and offer longer connect times but at shorter distances. Packet-switched circuits, such as frame relay, use virtual circuits and are well-suited for large geographic distances.

Asynchronous Modems
Configuring asynchronous modem connections to a central site requires a series of interface commands. These include:

  1. interface async X (X equals the line number)
  2. encapsulation ppp
  3. async dynamic address
  4. async mode interactive
  5. ppp authentication chap

The most commonly used asynchronous line commands are:

  1. line X
  2. login
  3. password
  4. flowcontrol
  5. speed
  6. modem

Modem autoconfigure is used to auto-detect and configure a modem that appears in the modemcap database.

Tip: When configuring asynchronous ports, remember that the interface commands refer to the protocol (logical) aspects of the connection and line refers to the physical aspects.

Modem show commands are also required knowledge.

  • Show modemcap shows the modem database built into Cisco access servers.
  • Show line will indicate which type of modem is configured.
  • Clear line will return a line to idle status.

Reverse Telnet
To make a reverse Telnet connection to a modem connected to an access server, you would reach interface async 7 by connecting to port address 2007, where 2000 is the base TCP port.

Tip: Practice configuring a router and modem for reverse Telnet. This might pop up on the exam!

PPP
Configuring PPP and controlling network access with PAP and CHAP is another objective requiring knowledge of how to configure authentication protocols and parameters at both ends of a remote access connection. PPP includes an encapsulation method, link control protocol (LCP) for establishing, configuring and authenticating the connection and network control protocols (NCPs) to establish and configure the network-layer protocols such as IP.

Encapsulation ppp along with an ip address or ip unnumbered command is required for each remote access connection. For PAP or CHAP authentication, ppp authentication pap or ppp authentication chap is required (of course CHAP is preferred because of its secure authentication process).

PPP multilink provides load balancing over dialer interfaces such as ISDN, synchronous and asynchronous connections. PPP multilink and show ppp multilink are used to configure a connection and verify load balancing.

Tip: The dialer load-threshold load command provides ISDN channel bandwidth on demand when used with PPP multilink. Know that a value of 1 is a higher priority than a value of 100: with a value of 1, the second ISDN channel will be used almost immediately.

PPP callback creates a client-server relationship when configured on participating routers. The callback client must be configured to initiate PPP callback requests and the callback server must be configured to accept PPP callback requests and place calls.

  • Dialer callback-secure
  • ppp callback accept
  • ppp authentication pap or chap

The show dialer and debug ppp negotiation commands are very useful when troubleshooting PPP.

Dial-on-demand Routing (DDR)
Configuring and optimizing the use of DDR interfaces is another topic you need to be intimately familiar with. DDR is a solution to expensive WAN links such as ISDN and is defined in the IOS by the following commands:

  • Dialer-list identifies interesting traffic along with access lists.
  • Dialer-group assigns this traffic to a specific interface.
  • Dialer-map defines the destination address, host name and telephone number.
  • Dialer idle-timeout and dialer load-threshold are used to disconnect the link when not needed and initiate a call when “queued” traffic is ready for routing.

    Tip: This document from Cisco.com contains invaluable information about how to configure and troubleshoot dial-on-demand routing (DDR) on ISDN networks.

DDR rotary groups and dialer profiles are used to further define and optimize traffic queues. Rotary groups allow inherited configuration of physical interfaces by applying a logical interface configuration, and “this rotary group” can be used for outgoing calls. A hunt group is a series of telephone lines that are programmed to find the next “free line” when a call is received.

Rotary groups are configured with the IOS commands interface dialer group-number and dialer rotary-group rotary-number. To troubleshoot rotary groups and dialer profiles you would use show dialer interface bri.

Tip: RIP and IGRP support DDR snapshot routing because they don’t require the constant hello message exchange of EIGRP and OSPF.

NAT and PAT
Scaling IP addresses with NAT is expected knowledge of the BCRAN exam candidate. Where would we be today without NAT? It allows for private-to-public address translation, but it can also be a roadblock with protocols such as IPsec. NAT does help to hide inside addressing, however, and can be further enhanced using PAT, which allows many inside addresses to be mapped to fewer outside addresses. More operational information can be found here.

The IOS commands used to configure the router for NAT are:

  • ip nat inside or outside
  • ip nat pool name
  • ip nat inside source list
  • ip nat inside destination list
  • ip nat outside source list

For verifying and troubleshooting, you would use show ip nat translations or clear ip nat translation.
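To make the many-to-one mapping concrete, here is an added example (not from the article and not Cisco's implementation) that models a PAT translation table: two inside hosts share one outside address, replies are mapped back by port, and traffic with no table entry is not forwarded inside. The PatRouter class, the sequential port allocation and all addresses are constructed assumptions.

```python
import itertools

class PatRouter:
    """Port address translation: many inside hosts share one outside address."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.first_port = first_port
        self.clear()

    def clear(self):
        """Drop all dynamic entries, the effect of clearing the NAT translations."""
        self.ports = itertools.count(self.first_port)
        self.out = {}     # (inside_ip, inside_port) -> outside_port
        self.back = {}    # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the inside network."""
        key = (src_ip, src_port)
        if key not in self.out:
            port = next(self.ports)      # simplification: sequential allocation
            self.out[key] = port
            self.back[port] = key
        return (self.outside_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a returning packet, or drop it (None)."""
        if dst_ip != self.outside_ip or dst_port not in self.back:
            return None                  # no entry: nothing inside is reachable
        inside_ip, inside_port = self.back[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

    def translations(self):
        """(inside global, inside local) pairs, as a translation listing shows."""
        return sorted((f"{self.outside_ip}:{p}", f"{ip}:{port}")
                      for p, (ip, port) in self.back.items())

def demo():
    nat = PatRouter("203.0.113.1")       # constructed documentation addresses
    a = nat.outbound("10.0.0.10", 5000, "198.51.100.7", 80)
    b = nat.outbound("10.0.0.11", 5000, "198.51.100.7", 80)   # same source port
    reply = nat.inbound("198.51.100.7", 80, "203.0.113.1", b[1])
    unsolicited = nat.inbound("198.51.100.9", 4444, "203.0.113.1", 23)
    return a, b, reply, unsolicited, nat.translations()

if __name__ == "__main__":
    for item in demo():
        print(item)
```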

AAA
Using authentication, authorization, and accounting (AAA) network security services to scale access control in an expanding network is an exam topic still present on this revision. You should be able to recognize and describe the features of CiscoSecure and specify the procedures and commands to configure AAA on the remote access router to allow client connections. The first thing you should do is review this Cisco white paper, which defines what the CiscoSecure product can support, such as TACACS+ or RADIUS authentication. You’ll then want to familiarize yourself with the AAA commands in this table.

Managing Network Performance with Queuing and Compression
Managing network performance with queuing and compression is a minor exam topic, but it still requires your attention. Weighted fair queuing, priority queuing and custom queuing are often used to manage and shape network traffic. In this domain, the objectives include determining why queuing is enabled, and using the correct procedures and commands to configure, verify and troubleshoot incorrect configurations. There is also mention of traffic compression procedures and commands.

First-in-first-out (FIFO) was the original queuing method on Cisco router interfaces. With the advent of more advanced techniques, a department or company can define policies that can be used to establish a queuing policy for time-sensitive traffic.

Tip: Low latency queuing (LLQ) of network traffic configured on a router’s interface can starve other queues and traffic.

To better understand priority queuing, let’s look at an example.

Router(config)# priority-list 2 protocol ip high tcp 23
Router(config)# priority-list 2 protocol ip high list 1
Router(config)# priority-list 2 interface ethernet 0 medium
Router(config)# priority-list 2 protocol ip normal
Router(config)# priority-list 2 default low
Router(config)# priority-list 2 queue-limit 15 20 20 30
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)# interface serial 0
Router(config-if)# priority-group 2

Telnet traffic is assigned to the high-priority queue along with traffic from network 172.16.0.0, as defined by the access list statement. All traffic arriving on E0 is sent to the medium-priority queue, while all other IP traffic is assigned to the normal-priority queue. The rest of the traffic is caught by the next line, “default low”, and assigned to the low-priority queue.

The priority-list 2 queue-limit 15 20 20 30 statement sets the queue-size limits for the high, medium, normal and low priorities, respectively. The final two commands assign this priority list to interface serial 0.
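The behavior of this priority list can be modeled in a few lines. The following is an added example, not from the article and not IOS code: it classifies packets with the rules of priority-list 2 above (first match wins, which is an assumption of the model), applies the 15/20/20/30 queue limits with tail drop, and serves the queues in strict priority order to show how sustained high-priority traffic starves the low queue. The packet fields and the arrival pattern are constructed.

```python
from collections import deque
from ipaddress import ip_address, ip_network

LEVELS = ("high", "medium", "normal", "low")
QUEUE_LIMIT = dict(zip(LEVELS, (15, 20, 20, 30)))   # queue limits from the example
ACL_1 = ip_network("172.16.0.0/16")    # access-list 1 permit 172.16.0.0 0.0.255.255

def classify(pkt: dict) -> str:
    """Return the queue for a packet; rules are tried in the order listed above."""
    if pkt["proto"] == "ip" and pkt.get("tcp_port") == 23:
        return "high"                  # Telnet
    if pkt["proto"] == "ip" and ip_address(pkt["src"]) in ACL_1:
        return "high"                  # source matches access list 1
    if pkt.get("in_if") == "ethernet0":
        return "medium"                # anything that arrived on E0
    if pkt["proto"] == "ip":
        return "normal"                # all remaining IP
    return "low"                       # default

class PriorityQueuing:
    def __init__(self):
        self.queues = {lvl: deque() for lvl in LEVELS}
        self.dropped = {lvl: 0 for lvl in LEVELS}

    def enqueue(self, pkt: dict) -> str:
        lvl = classify(pkt)
        if len(self.queues[lvl]) >= QUEUE_LIMIT[lvl]:
            self.dropped[lvl] += 1     # tail drop when the queue is full
        else:
            self.queues[lvl].append(pkt)
        return lvl

    def dequeue(self):
        # Strict priority: a queue is served only when all higher ones are empty.
        for lvl in LEVELS:
            if self.queues[lvl]:
                return lvl, self.queues[lvl].popleft()
        return None

def simulate(ticks: int = 40):
    """Each tick one Telnet and one IPX packet arrive and one packet is sent."""
    pq = PriorityQueuing()
    sent = {lvl: 0 for lvl in LEVELS}
    for _ in range(ticks):
        pq.enqueue({"proto": "ip", "src": "10.1.1.5", "tcp_port": 23, "in_if": "serial1"})
        pq.enqueue({"proto": "ipx", "in_if": "serial1"})
        out = pq.dequeue()
        if out:
            sent[out[0]] += 1
    return sent, pq.dropped

if __name__ == "__main__":
    print(simulate())
```

With the link saturated by Telnet, no low-priority packet is ever sent, and once 30 are queued the rest are dropped.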

Data compression--such as link, payload, TCP header and MPPC--is used to maximize bandwidth and increase WAN link throughput. Compression can be configured on serial interfaces with the IOS commands:

  • compress predictor
  • compress stac
  • compress mppc
  • frame-relay payload-compress
  • ip tcp header-compression

DSL
A new exam topic you may find on your “draw” of this exam’s pool of questions is DSL modem operation. The best reference I could find is here. Pay particular attention to modem startup and configuration procedures. Use this reference for specific details.

Another topic is Cable Access technologies. Go here for more information.

Preparing for the Exam
Personally, I used the BCRAN self-study guide from Cisco Press. Other books I suggest you check out include an updated version of this book, which maps to this new exam, along with other Cisco Press Remote Access books, such as Troubleshooting Remote Access Networks (CCIE Professional Development). For more information, go to Cisco Press' Web site.

Sybex publishes another popular self-study series, which includes CCNP: Building Cisco Remote Access Networks Study Guide (642-821). This book also maps to this exam’s objectives. For more information, go to Sybex's Web site.

After passing this exam, you’ll have a much greater appreciation and understanding of remote access technologies and concepts. If you follow the path most CCNP candidates take and save the CIT exam for last, you’ll be three-quarters of the way to being CCNP-certified, a worthy vendor certification.


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com.


There is 1 CertCities.com user comment for “More Than Meets the Eye: Cisco's Remote Access Exam”
The current user rating is: one star - cakewalk
3/30/05: Anonymous says:
one star - cakewalk
cake

Exam Difficulty Rating Key
five stars - true gurus only
four stars - very difficult
three stars - difficult, but manageable
two stars - somewhat challenging
one star - cakewalk