Cisco 1801 Configuration Manual Download Page 87 | Manualshive

Page: 87 / 198

background image

C H A P T E R

7-1

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

7

Configuring VPNs Using an IPSec Tunnel and
Generic Routing Encapsulation

The Cisco 1800 series integrated services fixed-configuration routers support the creation of virtual
private networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but
many applications also require the security of VPN connections which perform a high level of
authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect
branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log
in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the
generic routing encapsulation (GRE) protocol to secure the connection between the branch office and
the corporate network.

Figure 7-1

shows a typical deployment scenario.

Figure 7-1

Site-to-Site VPN Using an IPSec Tunnel and GRE

1

Branch office containing multiple LANs and VLANs

2

Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)

3

VPN client—Cisco 1800 series integrated services router

4

Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)

5

LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1

6

VPN client—Another router, which controls access to the corporate network

121783

Internet

3

1

2

4

5

7

6

8

9

«
...
85
86
87
88
89
...
»

Summary of Contents for 1801

Page 1: ...ms Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide Text Part Number OL 6426 02 ...

Page 2: ...ES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide Copyright 2005 Cisco Systems Inc All rights reserved CCSP the Cisco Square Bridge logo Follow Me Browsing and...

Page 3: ...sco Products 16 Obtaining Technical Assistance 17 Cisco Technical Support Website 17 Submitting a Service Request 17 Definitions of Service Request Severity 18 Obtaining Additional Publications and Information 18 P A R T 1 Getting Started C H A P T E R 1 Basic Router Configuration 1 Interface Port Labels 1 Viewing the Default Configuration 2 Information Needed for Configuration 4 Configuring Basic...

Page 4: ...n Example 16 Verifying Your Configuration 16 P A R T 2 Configuring Your Router for Ethernet and DSL Access C H A P T E R 2 Sample Network Deployments 1 C H A P T E R 3 Configuring PPP over Ethernet with NAT 1 Configure the Virtual Private Dialup Network Group Number 2 Configure the Fast Ethernet WAN Interfaces 3 Configure the Dialer Interface 5 Configure Network Address Translation 7 Configuration...

Page 5: ...r Port Storm Control 10 Fallback Bridging 10 Separate Voice and Data Subnets 10 IGMP Snooping 10 C H A P T E R 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel 1 Configure the IKE Policy 3 Configure Group Policy Information 4 Apply Mode Configuration to the Crypto Map 5 Enable Policy Lookup 6 Configure IPSec Transforms and Protocols 6 Configure the IPSec Crypto Method and Parameters 7 Apply ...

Page 6: ... R 9 Configuring a Wireless LAN Connection 1 Configure the Root Radio Station 2 Configure Bridging on VLANs 4 Configure Radio Station Subinterfaces 5 Configuration Example 6 C H A P T E R 10 Sample Configuration 1 P A R T 3 Configuring Additional Features and Troubleshooting C H A P T E R 11 Additional Configuration Options 1 C H A P T E R 12 Configuring Security Features 1 Authentication Authoriz...

Page 7: ...erface Configuration 13 Line Configuration 15 C H A P T E R 14 Troubleshooting 1 Getting Started 1 Before Contacting Cisco or Your Reseller 1 ADSL Troubleshooting 2 SHDSL Troubleshooting 2 PortFast Troubleshooting 2 ATM Troubleshooting Commands 3 ping atm interface Command 3 show interface Command 3 show atm interface Command 5 debug atm Commands 6 Guidelines for Using Debug Commands 6 debug atm e...

Page 8: ...swords 5 Entering Global Configuration Mode 5 Using Commands 6 Abbreviating Commands 6 Undoing Commands 6 Command Line Error Messages 6 Saving Configuration Changes 7 Summary 7 Where to Go Next 7 A P P E N D I X B Concepts 1 ADSL 1 SHDSL 2 Network Protocols 2 IP 2 Routing Protocol Options 2 RIP 3 Enhanced IGRP 3 PPP Authentication Protocols 3 PAP 4 CHAP 4 TACACS 5 Network Interfaces 5 Ethernet 5 A...

Page 9: ... Monitor 1 ROM Monitor Commands 2 Command Descriptions 3 Disaster Recovery with TFTP Download 3 TFTP Download Command Variables 3 Required Variables 4 Optional Variables 4 Using the TFTP Download Command 5 Configuration Register 6 Changing the Configuration Register Manually 6 Changing the Configuration Register Using Prompts 6 Console Download 7 Command Description 7 Error Reporting 8 Debug Comma...

Page 10: ...Contents 10 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration GuideCisco 1800 Series Integrated Services Routers Fixed OL 6426 02 ...

Page 11: ... Publications and Information Audience This guide is intended for network administrators whose backgrounds vary from having no or little experience in configuring routers to having a high level of experience You can use this guide in the following situations You have configured the software by using the Cisco Router Web Setup tool and you want to configure additional advanced software features by ...

Page 12: ...N with a secure IP tunnel using the Cisco Easy VPN Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation Provides instructions on how to configure a VPN with a secure IP tunnel and generic routing encapsulation GRE Chapter 8 Configuring a Simple Firewall Provides instructions on how to configure a basic firewall on your Cisco router Chapter 9 Configuring a Wireless LAN...

Page 13: ...mage or loss of data Timesaver This symbol means the described action saves time Command Conventions Table 2 describes the command syntax used in this guide Appendix C ROM Monitor Describes the use of the ROM Monitor ROMMON utility Appendix D Common Port Assignments Describes the currently assigned Transmission Control Protocol TCP and User Datagram Protocol UDP port numbers Index Table 1 Document...

Page 14: ... Related and Referenced Documents Cisco Product Document Title Cisco 1800 series fixed configuration routers Cisco 1811 and Cisco 1812 Integrated Services Router Cabling and Installation Cisco 1801 Cisco 1802 and Cisco 1803 Integrated Services Router Cabling and Installation Cisco 1800 Series Integrated Services Router Fixed Hardware Installation Guide Regulatory Compliance and Safety Information ...

Page 15: ...ackage is available as a single unit Registered Cisco com users Cisco direct customers can order a Cisco Documentation DVD product number DOC DOCDVD from the Ordering tool or Cisco Marketplace Cisco Ordering tool http www cisco com en US partner ordering Cisco Marketplace http www cisco com go marketplace Ordering Documentation You can find instructions for ordering documentation at this URL http ...

Page 16: ...lable at this URL http www cisco com go psirt If you prefer to see advisories and notices as they are updated in real time you can access a Product Security Incident Response Team Really Simple Syndication PSIRT RSS feed from this URL http www cisco com en US products products_psirt_rss_feed html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products We test...

Page 17: ... for service You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools Resources link under Documentation Tools Choose Cisco Product Identification Tool from the Alphabetical Index drop down list or click the Cisco Product Identification Tool link under Alerts RMAs The CPI tool offers three search options by product ID or model name by tree view or for certain prod...

Page 18: ... commit resources during normal business hours to restore service to satisfactory levels Severity 4 S4 You require information or assistance with Cisco product capabilities installation or configuration There is little or no effect on your business operations Obtaining Additional Publications and Information Information about Cisco products technologies and network solutions is available from vari...

Page 19: ...ogies to help solve them using real world case studies and business strategies to help readers make sound technology investment decisions You can access iQ Magazine at this URL http www cisco com go iqmagazine Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intr...

Page 20: ...20 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Preface Obtaining Additional Publications and Information ...

Page 21: ...P A R T 1 Getting Started ...

Page 22: ......

Page 23: ... for Configuration Configuring Basic Parameters Configuring Static Routes Configuring Dynamic Routes Configuring Enhanced IGRP Each section includes a configuration example and verification steps as available For complete information on how to access global configuration mode see the Entering Global Configuration Mode section in Appendix A Cisco IOS Basic Skills For more information on the command...

Page 24: ...t reset the initial password For details see the Recovering a Lost Password section in Chapter 14 Troubleshooting Cisco 1802 Fast Ethernet LANs SWITCH and FE8 FE5 top FE x and FE4 FE1 bottom Fast Ethernet WANs FE0 ATM WAN ADSLoISDN Wireless LAN LEFT RIGHT PRIMARY BRI ISDN S T Cisco 1803 Fast Ethernet LANs SWITCH and FE8 FE5 top FE x and FE4 FE1 bottom Fast Ethernet WANs FE0 ATM WAN G SHDSL Wireles...

Page 25: ...al 60 no mmi auto configure no mmi pvc mmi snmp timeout 180 no aaa new model ip subnet zero ip cef ip ips po max events 100 no ftp server write enable interface BRI0 no ip address shutdown interface FastEthernet0 no ip address shutdown duplex auto speed auto interface FastEthernet1 no ip address shutdown duplex auto speed auto interface FastEthernet2 no ip address shutdown interface FastEthernet3 ...

Page 26: ... Handshake Authentication Protocol CHAP or Password Authentication Protocol PAP PPP password to access your Internet service provider ISP account DNS server IP address and default gateways If you are setting up a connection to a corporate network you and the network administrator must generate and share the following information for the WAN interfaces of the routers PPP authentication type CHAP or...

Page 27: ... your public telephone service provider For ADSL lines Ensure that the ADSL signaling type is DMT also called ANSI T1 413 or DMT Issue 2 For G SHDSL lines Verify that the G SHDSL line conforms to the ITU G 991 2 standard and supports Annex A North America or Annex B Europe Once you have collected the appropriate information you can perform a full configuration on your router beginning with the tas...

Page 28: ...VLANs if desired For more information about creating VLANs see Chapter 5 Configuring a LAN with DHCP and VLANs Command Purpose Step 1 configure terminal Example Router enable Router configure terminal Router config Enters global configuration mode when using the console port If you are connecting to the router using a remote terminal use the following telnet router name or address Login login id P...

Page 29: ... the Fast Ethernet interfaces beginning in global configuration mode Repeat these steps for the other Fast Ethernet WAN interface if desired Command Purpose Step 1 interface type number Example Router config interface fastethernet 0 Router config int Enters the configuration mode for a Fast Ethernet WAN interface on the router Note Fast Ethernet WAN ports are numbered 0 1 on the Cisco 1800 series ...

Page 30: ...ller mode atm Router config controller exit Router config For routers using the G SHDSL signaling perform these commands Ignore this step for routers using ADSL signaling Step 2 interface type number Example Router config interface atm0 Router config int Enters interface configuration mode Step 3 ip address ip address mask Example Router config int ip address 200 200 100 1 255 255 255 0 Router con...

Page 31: ... configuration is used to support Network Address Translation NAT on the virtual template interface This configuration example shows the loopback interface configured on the Fast Ethernet interface with an IP address of 200 200 100 1 24 which acts as a static IP address The loopback interface points back to virtual template1 which has a negotiated IP address interface loopback 0 ip address 200 200...

Page 32: ...ec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 0 packets output 0 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 output buffer failures 0 output buffers swapped out Another way to verify the loopback interface is to ping it Router ping 200 200 100 1 Type escape seq...

Page 33: ...ser input is detected The default is 10 minutes Optionally add seconds to the interval value This example shows a timeout of 5 minutes and 30 seconds Entering a timeout of 0 0 specifies never to time out Step 5 line aux console tty vty line number Example Router config line vty 0 4 Router config Specifies a virtual terminal for remote console access Step 6 password password Example Router config p...

Page 34: ...c route must be updated with a new route Static routes are private routes unless they are redistributed by a routing protocol Configuring static routes on the Cisco 1800 series routers is optional Perform these steps to configure static routes beginning in global configuration mode For complete information on the static routing commands see the Cisco IOS Release 12 3 documentation set For more gen...

Page 35: ...fied by the S You should see verification output similar to the following example Router show ip route Codes C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate de...

Page 36: ...figuration mode and enables RIP on the router Step 2 version 1 2 Example Router config router version 2 Router config router Specifies use of RIP version 1 or 2 Step 3 network ip address Example Router config router network 192 168 1 1 Router config router network 10 10 7 1 Router config router Specifies a list of networks on which RIP is to be applied using the address of the network of directly ...

Page 37: ...static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is not set 10 0 0 0 24 is sub...

Page 38: ... indicated by D You should see verification output similar to the following example Router show ip route Codes C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate ...

Page 39: ...P A R T 2 Configuring Your Router for Ethernet and DSL Access ...

Page 40: ......

Page 41: ...on which you can pattern your network You can choose not to use features presented in the examples or you can add or substitute features that better suit your needs To verify that a specific feature is compatible with your router you can use the Software Advisor tool You can access this tool at www cisco com Technical Support Documentation Tools Resources with your Cisco username and password For ...

Page 42: ...2 2 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 2 Sample Network Deployments ...

Page 43: ...E session it can be encrypted filtered and so forth Figure 3 1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router Figure 3 1 PPP over Ethernet with NAT 1 Multiple networked devices desktops laptop PCs switches 2 Fast Ethernet LAN interface inside interface for NAT 3 PPPoE client Cisco 1811 or Cisco 1812 integrated services router 4 Point at which NAT occ...

Page 44: ...represented as the dashed line at the edge of the Cisco router signifies two addressing domains and the inside source address The source list defines how the packet travels through the network Configuration Tasks Perform the following tasks to configure this network scenario Configure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces Configure the Dialer In...

Page 45: ...it the traffic capacity to less than 100 Step 3 request dialin Example Router config vpdn grp request dialin Router config vpdn grp Creates a request dialin VPDN subgroup indicating the dialing direction and initiates the tunnel Step 4 initiate to ip ip address Example Router config vpdn grp initiate to 192 168 1 1 Router config vpdn grp Specifies the address to which requests are tunneled For det...

Page 46: ...AN interface The Cisco 1800 integrated services routers have two Fast Ethernet WAN interfaces You can use these steps to configure one or both of them Step 2 pppoe client dial pool number number Example Router config if pppoe client dial pool number 1 Router config if Configures the PPPoE client and specifies the dialer interface to use for cloning Step 3 no shutdown Example Router config if no sh...

Page 47: ... 255 and enters interface configuration mode Step 2 ip address negotiated Example Router config if ip address negotiated Router config if Specifies that the IP address for the interface is obtained through PPP IPCP IP Control Protocol address negotiation Step 3 ip mtu bytes Example Router config if ip mtu 1492 Router config if Sets the size of the IP maximum transmission unit MTU The default minim...

Page 48: ...it deny list access list number access group Example Router config dialer list 1 protocol ip permit Router config Creates a dialer list and associates a dial group with it Packets are then forwarded through the specified interface dialer group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Reference Step 10 ip route prefix mask ...

Page 49: ...ad Example 1 Router config ip nat inside source list 1 interface dialer 0 overload or Example 2 Router config ip nat inside source list acl1 pool pool1 Enables dynamic translation of addresses on the inside interface The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0 The second example shows the addresse...

Page 50: ...t Ethernet WAN interface FE0 or FE1 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat outside Router config if Identifies the specified WAN interface as the NAT outside interface For details about this command and additional parameters that can be set as well as information about enabling static translation see the Cisco IOS IP Command Reference Volum...

Page 51: ...k of 255 255 255 0 NAT is configured for inside and outside Note Since the VLAN interface is on LAN we have used a private IP address Note Commands marked by default are generated automatically when you run the show running config command vpdn enable vpdn group 1 request dialin protocol pppoe interface vlan 1 ip address 192 168 1 1 255 255 255 0 no ip directed broadcast default ip nat inside inter...

Page 52: ...rivileged EXEC mode to verify NAT configuration You should see verification output similar to the following example Router show ip nat statistics Total active translations 0 0 static 0 dynamic 0 extended Outside interfaces FastEthernet4 Inside interfaces Vlan1 Hits 0 Misses 0 CEF Translated packets 0 CEF Punted packets 0 Expired translations 0 Dynamic mappings Inside Source Id 1 access list 1 inte...

Page 53: ...PP over ATM provides a network solution with simplified address handling and straight user verification like a dial network Figure 4 1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router This scenario uses a single static IP address for the ATM connection Figure 4 1 PPP over ATM with NAT 92340 2 3 5 1 6 4 ISP 1 Small business with multiple networked devic...

Page 54: ...or G SHDSL lines The dialer interface is used to connect to the ISP PPPoA The PPPoA Client feature on the router provides PPPoA client support on ATM interfaces A dialer interface must be used for cloning virtual access Multiple PPPoA client sessions can be configured on an ATM interface but each session must use a separate dialer interface and a separate dialer pool A PPPoA session is initiated o...

Page 55: ...mode Step 2 ip address negotiated Example Router config if ip address negotiated Router config if Specifies that the IP address for the dialer interface is obtained through PPP IPCP IP Control Protocol address negotiation Step 3 ip mtu bytes Example Router config if ip mtu 4470 Router config if Sets the size of the IP maximum transmission unit MTU The default minimum is 128 bytes The maximum for A...

Page 56: ... group protocol protocol name permit deny list access list number access group Example Router config dialer list 1 protocol ip permit Router config Creates a dialer list and associates a dial group with it Packets are then forwarded through the specified interface dialer group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Refer...

Page 57: ...a PVC is defined AAL5SNAP encapsulation is defined by default Use the encapsulation command to change this as shown in Step 3 The VPI and VCI arguments cannot be simultaneously specified as zero if one is 0 the other cannot be 0 For details about this command and additional parameters that can be set see the Cisco IOS Wide Area Networking Command Reference Step 3 encapsulation aal5auto aal5autoppp...

Page 58: ...SL The default configuration for ADSL signaling is shown in Table 4 1 Step 5 no shutdown Example Router config if atm vc no shutdown Router config if Enables interface and configuration changes just made to the ATM interface Step 6 exit Example Router config if exit Router config Exits configuration mode for the ATM interface Command Purpose Table 4 1 Default ADSL Configuration Attribute Descripti...

Page 59: ...EC mode Configuring SHDSL Complete the following steps to configure the DSL controller in your router to use SHDSL signaling beginning in global configuration mode Command Purpose Step 1 controller dsl port Example Router config controller dsl 0 Router config controller Enters the configuration mode for the DSL controller Step 2 line term co cpe Example Router config controller line term co Router...

Page 60: ...oller UP SLOT 0 Globespan xDSL controller chipset Line Mode Four Wire Standard Mode DSL mode SHDSL Annex A Frame mode Utopia Configured Line rate Auto Line Re activated 6 times after system bootup LOSW Defect alarm ACTIVE CRC per second alarm ACTIVE Line termination CPE Current 15 min CRC 0 Current 15 min LOSW Defect 0 Step 5 line mode 4 wire enhanced 4 wire standard 2 wire Example Router config c...

Page 61: ...2312 Kbps Framer Sync Status In Sync Rcv Clock Status In the Range Loop Attenuation 341 1450 dB Transmit Power 7 5 dB Receiver Gain 22 5420 dB SNR Sampling 36 8590 dB Dying Gasp Present Configure Network Address Translation Network Address Translation NAT translates packets from addresses that match a standard access list using global addresses allocated by the dialer interface Packets that enter ...

Page 62: ...ess list acl1 to be translated to one of the addresses specified in the NAT pool pool1 For details about this command and additional parameters that can be set as well as information about enabling static translation see the Cisco IOS IP Command Reference Volume 1 of 4 Addressing and Services Step 3 interface type number Example Router config interface vlan 1 Router config if Enters configuration ...

Page 63: ...umber Example Router config interface fastethernet 0 Router config if Enters configuration mode for the ATM WAN interface FE0 or FE1 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat outside Router config if Identifies the specified WAN interface as the NAT outside interface For details about this command and additional parameters that can be set as w...

Page 64: ... 1 dialer group 1 ppp authentication chap ip classless default ip nat pool pool1 192 168 1 0 192 168 2 0 netmask 0 0 0 255 ip nat inside source list 1 interface Dialer0 overload access list 1 permit 192 168 1 0 0 0 0 255 dialer list 1 protocol ip permit ip route 10 10 25 2 0 255 255 255 dialer 0 Verifying Your Configuration Use the show ip nat statistics command in privileged EXEC mode to verify t...

Page 65: ...ally assign an IP address to each client When you configure a DHCP server you must configure the server properties policies and DHCP options Note Whenever you change server properties you must reload the server with the configuration data from the Network Registrar database VLANs The Cisco 1800 series integrated services routers fixed support eight Fast Ethernet ports on which you can configure VL...

Page 66: ...s the default domain that the router uses to complete unqualified hostnames names without a dotted decimal domain name Step 2 ip name server server address1 server address2 server address6 Example Router config ip name server 192 168 11 12 Router config Specifies the address of one or more Domain Name System DNS servers to use for name and address resolution Step 3 ip dhcp excluded address low add...

Page 67: ...all Example Router config dhcp import all Router config dhcp Imports DHCP option parameters into the DHCP portion of the router database Step 7 default router address address2 address8 Example Router config dhcp default router 10 1 1 1 Router config dhcp Specifies up to 8 default routers for a DHCP client Step 8 dns server address address2 address8 Example Router config dhcp dns server 192 168 35 ...

Page 68: ... pools bindings and so forth Router show ip dhcp import Address Pool Name dpool1 Router show ip dhcp pool Pool dpool1 Utilization mark high low 100 0 Subnet size first next 0 0 Total addresses 254 Leased addresses 0 Pending event none 1 subnet is currently in the pool Current index IP address range Leased addresses 10 10 0 1 10 10 0 1 10 10 0 254 0 Router show ip dhcp server statistics Memory usag...

Page 69: ... VLAN 802 10 Id 100001 State Operational MTU 1500 Translational Bridged VLAN 1002 Translational Bridged VLAN 1003 VLAN ISL Id 1002 Name fddi default Media Type FDDI VLAN 802 10 Id 101002 State Operational MTU 1500 Bridge Type SRB Command Purpose Step 1 vlan Example Router config t Router config vlan WORD ISL VLAN IDs 1 4094 accounting VLAN accounting configuration ifdescr VLAN subinterface ifDescr...

Page 70: ...AN ISL Id 1004 Name fddinet default Media Type FDDI Net VLAN 802 10 Id 101004 State Operational MTU 1500 Bridge Type SRB Bridge Number 1 STP Type IBM VLAN ISL Id 1005 Name trnet default Media Type Token Ring Net VLAN 802 10 Id 101005 State Operational MTU 1500 Bridge Type SRB Bridge Number 1 STP Type IBM Router show vlan switch VLAN Name Status Ports 1 default active Fa0 Fa1 Fa2 Fa3 1002 fddi defa...

Page 71: ...rify Your VLAN Configuration section on page 5 5 Figure 5 1 VLAN Configuration on the Cisco 1800 Fixed Router Showing Three VLAN Segments Other procedures for configuring the switch ports including configuration examples and information on the features and interfaces are in the Cisco HWIC 4ESW and HWIC 9ESW EtherSwitch Interface Cards document on Cisco com See this document to configure the switch...

Page 72: ...ion for the entire VTP domain VTP clients behave the same way as VTP servers but you cannot create change or delete VLANs on a VTP client A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements 802 1x Authentication The switch port determines whether a client is granted access to the network In the default ...

Page 73: ...en the switch resets The Cisco 1800 Fixed Configuration Series supports 100 secure and static MAC addresses General MAC addresses are supported for 50 users Maximum Switched Virtual Interfaces SVIs A switch virtual interface SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the router Only one SVI can be associated with a VLAN it is necessary to configur...

Page 74: ... be assigned to bridge groups All bridges in the same group belong to the same bridge domain Each SVI can be assigned to only one bridge group Separate Voice and Data Subnets For ease of network administration and increased scalability network managers can configure the switch ports to support Cisco IP phones such that the voice and data traffic reside on separate subnets IGMP Snooping By default ...

Page 75: ...m a high level of authentication and which encrypt the data between two particular endpoints Two types of VPNs are supported site to site and remote access Site to site VPNs are used to connect branch offices to corporate offices for example Remote access VPNs are used by remote clients to log in to a corporate network The example in this chapter illustrates the configuration of a remote access VP...

Page 76: ... access network resources on the client site After the IPSec server has been configured a VPN connection can be created with minimal configuration on an IPSec client such as a supported Cisco 1800 integrated services router When the IPSec client initiates the VPN tunnel connection the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection Not...

Page 77: ...e Router config crypto isakmp policy 1 Router config isakmp Creates an IKE policy that is used during IKE negotiation The priority is a number from 1 to 10000 with 1 being the highest Also enters the Internet Security Association Key and Management Protocol ISAKMP policy configuration mode Step 2 encryption des 3des aes aes 192 aes 256 Example Router config isakmp encryption 3des Router config isa...

Page 78: ...ion group group name default Example Router config crypto isakmp client configuration group rtr remote Router config isakmp group Creates an IKE policy group containing attributes to be downloaded to the remote client Also enters the Internet Security Association Key and Management Protocol ISAKMP group policy configuration mode Step 2 key name Example Router config isakmp group key secret passwor...

Page 79: ... 30 20 30 30 30 30 Router config Specifies a local address pool for the group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Reference Command or Action Purpose Command or Action Purpose Step 1 crypto map map name isakmp authorization list list name Example Router config crypto map dynmap isakmp authorization list rtr remote Rou...

Page 80: ... Example Router config aaa authentication login rtr remote local Router config Specifies AAA authentication of selected users at login and specifies the method used This example uses a local authentication database You could also use a RADIUS server for this For details see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference Step 3 aaa authorization network exec com...

Page 81: ... config crypto ipsec transform set vpn1 esp 3des esp sha hmac Router config Defines a transform set an acceptable combination of IPSec security protocols and algorithms See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations Step 2 crypto ipsec security association lifetime seconds seconds kilobytes kilobytes Example Router config crypto ipsec security a...

Page 82: ...es connectivity to the Internet Perform these steps to apply a crypto map to an interface beginning in global configuration mode Step 3 reverse route Example Router config crypto map reverse route Router config crypto map Creates source proxy information for the crypto map entry See the Cisco IOS Security Command Reference for details Step 4 exit Example Router config crypto map exit Router config...

Page 83: ...al configuration mode Command or Action Purpose Command or Action Purpose Step 1 crypto ipsec client ezvpn name Example Router config crypto ipsec client ezvpn ezvpnclient Router config crypto ezvpn Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode Step 2 group group name key group key Example Router config crypto ezvpn group ezvpnclient key secret p...

Page 84: ...e local aaa authorization network rtr remote local aaa session id common username Cisco password 0 Cisco Step 5 exit Example Router config crypto ezvpn exit Router config Returns to global configuration mode Step 6 interface type number Example Router config interface fastethernet 0 Router config if Enters interface configuration mode Note For routers with an ATM WAN interface this command would b...

Page 85: ...ypto ipsec transform set vpn1 esp 3des esp sha hmac crypto ipsec security association lifetime seconds 86400 crypto dynamic map dynmap 1 set transform set vpn1 reverse route crypto map static map 1 ipsec isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect auto group 2 key s...

Page 86: ...6 12 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel Configuration Example ...

Page 87: ...es for example Remote access VPNs are used by remote clients to log in to a corporate network The example in this chapter illustrates the configuration of a site to site VPN that uses IPSec and the generic routing encapsulation GRE protocol to secure the connection between the branch office and the corporate network Figure 7 1 shows a typical deployment scenario Figure 7 1 Site to Site VPN Using a...

Page 88: ...ted source and destination of the GRE tunnel in the outbound direction All packets forwarded to the GRE tunnel are encrypted if no further access control lists ACLs are applied to the tunnel interface VPNs VPN configuration information must be configured on both endpoints for example on your Cisco router and at the remote user or on your Cisco router and on another router You must specify paramete...

Page 89: ...p policy 1 Router config isakmp Creates an IKE policy that is used during IKE negotiation The priority is a number from 1 to 10000 with 1 being the highest Also enters Internet Security Association Key and Management Protocol ISAKMP policy configuration mode Step 2 encryption des 3des aes aes 192 aes 256 Example Router config isakmp encryption 3des Router config isakmp Specifies the encryption alg...

Page 90: ...figuration mode and enters global configuration mode Command or Action Purpose Command or Action Purpose Step 1 crypto isakmp client configuration group group name default Example Router config crypto isakmp client configuration group rtr remote Router config isakmp group Creates an IKE policy group that contains attributes to be downloaded to the remote client Also enters Internet Security Associ...

Page 91: ...p address Example Router config ip local pool dynpool 30 30 30 20 30 30 30 30 Router config Specifies a local address pool for the group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Reference Command or Action Purpose Command or Action Purpose Step 1 aaa new model Example Router config aaa new model Router config Enables the A...

Page 92: ...hod used to do so This example uses a local authorization database You could also use a RADIUS server for this See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details Step 4 username name nopassword password password password encryption type encrypted password Example Router config username Cisco password 0 Cisco Router config Establishes a username ...

Page 93: ...ter config crypto dynamic map dynmap 1 Router config crypto map Creates a dynamic crypto map entry and enters crypto map configuration mode See the Cisco IOS Security Command Reference for more detail about this command Step 2 set transform set transform set name transform set name2 transform set name6 Example Router config crypto map set transform set vpn1 Router config crypto map Specifies which...

Page 94: ...ginning in global configuration mode Configure a GRE Tunnel Perform these steps to configure a GRE tunnel beginning in global configuration mode Command or Action Purpose Step 1 interface type number Example Router config interface fastethernet 0 Router config if Enters interface configuration mode for the interface to which you want to apply the crypto map Step 2 crypto map map name Example Route...

Page 95: ...tunnel Note Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites See the Cisco IOS Security Configuration Guide for details Step 6 exit Example Router config if exit Router config Exits interface configuration mode and returns to global configuration mode Step 7 ip access list standard extended access list name Example Router confi...

Page 96: ...p 2 crypto isakmp client configuration group rtr remote key secret password dns 10 50 10 1 10 60 10 1 domain company com pool dynpool crypto ipsec transform set vpn1 esp 3des esp sha hmac crypto ipsec security association lifetime seconds 86400 crypto dynamic map dynmap 1 set transform set vpn1 reverse route crypto map static map 1 ipsec isakmp dynamic dynmap crypto map dynmap isakmp authorization...

Page 97: ...rface ip nat inside source list 102 interface Ethernet1 overload utilize nat overload in order to make best use of the single address provided by the isp ip classless ip route 0 0 0 0 0 0 0 0 210 110 101 1 no ip http server acl 102 associated addresses used for nat access list 102 permit ip 10 1 1 0 0 0 0 255 any acl 103 defines traffic allowed from the peer for the ipsec tunnel access list 103 pe...

Page 98: ...7 12 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation Configuration Example ...

Page 99: ...e of each packet through the firewall However the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists These dynamic lists allow temporary openings in the configured access lists at firewall interfaces These openings are created when traffic for a specified user session exits the internal network through the firewall The openings allow returning traffic for...

Page 100: ... Rules to Interfaces An example showing the results of these configuration tasks is shown in the section Configuration Example Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT If you have not performed these configurations tasks see Chapter 1 Basic Router Configuration Chapter 3 Configuring PPP over Ethernet with N...

Page 101: ...es source and destination ports See the Cisco IOS IP Command Reference Volume 1 of 4 Addressing and Services for details about this command Step 2 access list access list number deny permit protocol source source wildcard destination destination wildcard Example Router config access list 105 permit ip 10 1 1 0 0 0 0 255 192 168 0 0 0 0 255 255 Router config Creates an access list that allows netwo...

Page 102: ...ter Step 2 ip inspect inspection name in out Example Router config if ip inspect firewall in Router config if Assigns the set of firewall inspection rules to the inside interface on the router Step 3 exit Example Router config if exit Router config Returns to global configuration mode Step 4 interface type number Example Router config interface fastethernet 0 Router config if Enters interface conf...

Page 103: ...fic as well as specific application protocols as defined by the security policy ip inspect name firewall tcp ip inspect name firewall udp ip inspect name firewall rtsp ip inspect name firewall h323 ip inspect name firewall netshow ip inspect name firewall ftp ip inspect name firewall sqlnet interface vlan 1 This is the internal home network ip inspect firewall in inspection examines outbound traff...

Page 104: ...8 6 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 8 Configuring a Simple Firewall Configuration Example ...

Page 105: ...nterface CLI the browser based management system or Simple Network Management Protocol SNMP This chapter describes how to configure the router using the CLI Use the interface dot11radio global configuration CLI command to place the device into radio configuration mode See the Cisco Access Router Wireless Configuration Guide for more detailed information about configuring these Cisco routers in a w...

Page 106: ...adio Station Perform these steps to create and configure the root radio station for your wireless LAN beginning in global configuration mode Command Purpose Step 1 interface name number Example Router config interface dot11radio 0 Router config if Enters interface configuration mode for the specified wireless interface Step 2 broadcast key vlan vlan id change secs membership termination capability...

Page 107: ...VLAN Step 6 authentication type Example Router config if ssid authentication open Router config if ssid authentication network eap eap_methods Router config if ssid authentication key management wpa Sets the permitted authentication methods for a user attempting access to the wireless LAN More than one method can be specified as shown in the example Step 7 exit Example Router config if ssid exit R...

Page 108: ...if Optional Specifies the channel on which communication occurs See the Cisco Access Router Wireless Configuration Guide for available channel numbers Step 12 station role repeater root Example Router config if station role root Router config if Optional Specifies the role of this wireless interface You must specify at least one root interface Step 13 exit Example Router config if exit Router conf...

Page 109: ...onfig bridge group spanning disabled Router config Sets other bridge parameters for the bridging interface Step 5 interface name number Example Router config interface bvi 1 Router config Enters configuration mode for the virtual bridge interface Step 6 ip address address mask Example Router config ip address 10 0 1 1 255 255 255 0 Router config Specifies the address for the virtual bridge interfa...

Page 110: ...cation open authentication network eap eap_methods authentication key management wpa ssid ciscowep vlan 2 Step 3 encapsulation dot1q vlanID native second dot1q Example Router config subif encapsulation dot1q 1 native Router config subif Enables IEEE 802 1q encapsulation on the specified subinterface Step 4 no cdp enable Example Router config subif no cdp enable Router config subif Disables the Cis...

Page 111: ...ing no bridge group 1 unicast flooding interface Dot11Radio0 2 encapsulation dot1Q 2 bridge group 2 bridge group 2 subscriber loop control bridge group 2 spanning disabled bridge group 2 block unknown source no bridge group 2 source learning no bridge group 2 unicast flooding interface Dot11Radio0 3 encapsulation dot1Q 3 bridge group 3 bridge group 3 subscriber loop control bridge group 3 spanning...

Page 112: ...sco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 9 Configuring a Wireless LAN Connection Configuration Example interface BVI3 ip address 10 0 3 1 255 255 255 0 ...

Page 113: ...you run the show running config command Example 10 1 Sample Configuration Router show running config Building configuration Current configuration 3781 bytes version 12 3 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password encryption hostname retail boot start marker boot end marker enable password cisco123 username jsomeone password 0 cg6 ...

Page 114: ...0 0 1 1 ip dhcp pool vlan2 network 10 0 2 0 255 255 255 0 default router 10 0 2 1 ip dhcp pool vlan3 network 10 0 3 0 255 255 255 0 default router 10 0 3 1 ip ips po max events 100 no ftp server write enable bridge irb interface FastEthernet2 no ip address interface FastEthernet3 no ip address interface FastEthernet4 no ip address interface FastEthernet5 no ip address interface FastEthernet6 no ip...

Page 115: ...set transform set vpn1 reverse route crypto map static map 1 ipsec isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect auto group 2 key secret password mode client peer 192 168 100 1 interface Dot11Radio0 no ip address broadcast key vlan 1 change 45 encryption vlan 1 mode c...

Page 116: ...oup 2 unicast flooding interface Dot11Radio0 3 encapsulation dot1Q 3 bridge group 3 bridge group 3 subscriber loop control bridge group 3 spanning disabled bridge group 3 block unknown source no bridge group 3 source learning no bridge group 3 unicast flooding interface Vlan1 ip address 192 168 1 1 255 255 255 0 no ip directed broadcast default ip nat inside crypto ipsec client ezvpn ezvpnclient i...

Page 117: ...all tcp ip inspect name firewall udp ip inspect name firewall rtsp ip inspect name firewall h323 ip inspect name firewall netshow ip inspect name firewall ftp ip inspect name firewall sqlnet access list 103 permit udp host 200 1 1 1 any eq isakmp access list 103 permit udp host 200 1 1 1 eq isakmp any access list 103 permit esp host 200 1 1 1 any access list 103 permit icmp any any access list 103...

Page 118: ...10 6 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 10 Sample Configuration ...

Page 119: ...P A R T 3 Configuring Additional Features and Troubleshooting ...

Page 120: ......

Page 121: ...on options described in this part include Chapter 12 Configuring Security Features Chapter 13 Configuring Dial Backup and Remote Management Chapter 14 Troubleshooting The descriptions contained in these chapters do not describe all of your configuration or troubleshooting needs See the appropriate Cisco IOS configuration guides and command references for additional details Note To verify that a sp...

Page 122: ...11 2 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 11 Additional Configuration Options ...

Page 123: ...AAA network security services provide the primary framework through which you set up access control on your router Authentication provides the method of identifying users including login and password dialog challenge and response messaging support and depending on the security protocol you choose encryption Authorization provides the method for remote access control including one time authorizatio...

Page 124: ...cess Lists Access lists ACLs permit or deny network traffic over an interface based on source IP address destination IP address or protocol Access lists are configured as standard or extended A standard access list either permits or denies passage of packets from a designated source An extended access list allows designation of both the destination and the source and it allows designation of indiv...

Page 125: ...ed internally and the state of network connections is monitored This is superior to static access lists because access lists can only permit or deny traffic based on individual packets not streams of packets Also because CBAC inspects the packets decisions to permit or deny traffic can be made by examining application layer data something static access lists cannot do To configure a CBAC firewall ...

Page 126: ...Internet Cisco 1800 series fixed configuration access routers support site to site VPNs using IP security IPSec tunnels and generic routing encapsulation GRE Permanent VPN connections between two peers or dynamic VPNs using EZVPN or DMVPN which create and tear down VPN connections as needed can be configured Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel and Chapter 7 Configuring V...

Page 127: ... 1803 routers These functions are configured through the V 92 modem port of the Cisco 1811 router This chapter contains the following topics Dial Backup Feature Activation Methods Dial Backup Feature Limitations Configuring Dial Backup and Remote Management Through the ISDN S T Port Configuring Dial Backup and Remote Management Through a V 92 Modem Dial Backup Feature Activation Methods Three meth...

Page 128: ...the data link connection identifier DLCI is inactive Floating static routes are also encapsulation independent Note When static routes are configured the primary interface protocol must go down in order to activate the floating static route Command Purpose Step 1 interface type number Example Router config interface atm 0 Router config if Enters interface configuration mode for the interface for w...

Page 129: ... the primary static route Step 2 ip route prefix mask ip address interface type interface number ip address distance Example Router config ip route 0 0 0 0 0 0 0 0 192 168 2 2 150 Router config Assigns the lower routing administrative distance value for the backup interface route 192 168 2 2 is the peer IP address of the backup interface Step 3 router rip Example Router config router rip Router co...

Page 130: ...ration mode Command Purpose Step 1 interface type number Example Router config interface dialer 2 Router config if Enters configuration mode for the dial backup interface Step 2 dialerwatch group group number Example Router config if dialer watch group 2 Router config if Specifies the group number for the watch list Step 3 exit Example Router config if exit Router config Enters global configuratio...

Page 131: ...t group number ip ip address address mask delay route check initial seconds Example Router config dialer watch list 2 ip 22 0 0 2 255 255 255 255 Router config Assigns an IP address to the watch list If the connection on the primary interface is lost and the IP address is unavailable on the router the dial out feature on the backup interface is triggered 22 0 0 2 is the peer IP address of the prim...

Page 132: ...Cisco 1802 or Cisco 1803 PPP over ATM PPP over Ethernet Yes Backup interfaces Floating static routes Dialer watch Floating static route and dialer watch need a routing protocol to run in the router The dialer watch method brings up the backup interface as soon as the primary link goes down The backup interface is brought down as soon as the dialer timeout is reached and the primary interface is up...

Page 133: ... mtu 1492 encapsulation ppp dialer pool 2 dialer group 2 no cdp enable ip classless Primary and backup interface given route metric ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 80 ip http server Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip permit Example 13 2 Configuring Dial Backup Using Floating Static Routes vpdn enable vpdn gr...

Page 134: ...up 2 ip classless no cdp enable Primary and backup interface given route metric This example using static routes thus atm0 line protocol must be brought down for backup interface to function ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 150 ip http server Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip permit Example 13 3 Configuring ...

Page 135: ...n ppp dialer pool 2 dialer group 2 no cdp enable ip classless Primary and backup interface given route metric ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 80 ip http server Watch for interesting traffic dialer watch list 1 ip 22 0 0 2 255 255 255 255 Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip permit Configuring Dial Backup and R...

Page 136: ...es Command Reference Step 2 interface type number Example Router config interface bri 0 Router config if Enters configuration mode for the ISDN Basic Rate Interface BRI Step 3 encapsulation encapsulation type Example Router config if encapsulation ppp Router config if Sets the BRI0 interface encapsulation type Step 4 dialer pool member number Example Router config if dialer pool member 1 Router co...

Page 137: ...ler 0 interface with the BRI0 interface because the BRI0 dialer pool member value is 1 Step 11 dialer string dial string isdn subaddress Example Router config if dialer string 384040 Router config if Specifies the telephone number to be dialed Step 12 dialer group group number Example Router config if dialer group 1 Router config if Assigns the dialer interface to a dialer group 1 10 Step 13 exit ...

Page 138: ...ork downtime This portion of the example configures the aggregator vpdn enable no vpdn logging vpdn group 1 accept dialin protocol pppoe virtual template 1 interface Ethernet3 description 4700ref 1 ip address 40 1 1 1 255 255 255 0 media type 10BaseT interface Ethernet4 ip address 30 1 1 1 255 255 255 0 media type 10BaseT interface Virtual Template1 ip address 22 0 0 2 255 255 255 0 ip mtu 1492 pe...

Page 139: ...synchronous Interface Configuration Line Configuration Asynchronous Interface Configuration Perform these steps to configure the V 92 modem for use as a backup interface beginning in global configuration mode Command Purpose Step 1 interface type number Example Router config interface async 1 Router config if Enters interface configuration mode for the asynchronous serial interface Enter the numbe...

Page 140: ...ialer interface to a dialer group 1 10 controlling access The number to which the dialer access group belongs is defined with the dialer list command Step 7 async mode interactive Example Router config if async mode interactive Router config if Returns a line that has been placed into dedicated asynchronous network mode to interactive mode thereby enabling the Serial Line Internet Protocol SLIP an...

Page 141: ...ous serial interface Step 2 modem inout Example Router config line modem inout Router config line Configures the line for both incoming and outgoing calls Step 3 autoselect arap ppp slip during login timeout seconds Example Router config line autoselect ppp Router config line Configures the line to automatically start an AppleTalk Remote Access ARA PPP or SLIP session Note We recommend ppp for use...

Page 142: ...o 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 13 Configuring Dial Backup and Remote Management Configuring Dial Backup and Remote Management Through a V 92 Modem ...

Page 143: ...ct a terminal or PC to the router using the light blue console port For information on making this connection see the documentation listed in the Related Documents section on page 14 With a connected terminal or PC you can view status messages from the router and enter commands to troubleshoot a problem You can also remotely access the interface Ethernet ADSL or telephone by using Telnet The Telne...

Page 144: ...following The SHDSL line is connected and using pins 3 and 4 For more information on the G SHDSL connection see the hardware guide for your router The G SHDSL LED is on If it is not on the router may not be connected to the DSL access multiplexer DSLAM For more information on the G SHDSL LED see the hardware installation guide specific for your router The correct asynchronous transfer mode ATM vir...

Page 145: ...ce atm 0 8 35 seg loopback Type escape sequence to abort Sending 5 53 byte segment OAM echoes timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 148 148 148 ms This command sends five OAM F5 loopback packets to the DSLAM segment OAM packets If the PVC is configured at the DSLAM the ping is successful To test whether the PVC is being used at the aggregator enter the followi...

Page 146: ...ions 2 interface resets 0 output buffer failures 0 output buffers swapped out Router show interface fastethernet 0 Ethernet0 is up line protocol is up Hardware is PQUICC Ethernet address is 0000 Oc13 a4db bia0010 9181 1281 Internet address is 170 1 4 101 24 MTU 1500 bytes BW 10000 Kbit DLY 1000 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 ...

Page 147: ... down possibly because the ATM line has been disconnected by the service provider For Fast Ethernet Interfaces Fast Ethernet n is up line protocol is up The specified Fast Ethernet interface is connected to the network and operating correctly Fast Ethernet n is up line protocol is down The specified Fast Ethernet interface has been correctly configured and enabled but the Ethernet cable might be d...

Page 148: ...ur router CPU process and it can render your router unusable For this reason use debug commands only to troubleshoot specific problems The best time to use debug commands is during periods of low network traffic so that other activity on the network is not adversely affected You can find additional information and documentation about the debug commands in the Cisco IOS Debug Command Reference debu...

Page 149: ...s up and communicating successfully Example 14 6 shows an ADSL line that is not communicating correctly Note that the modem state does not transition to 0x10 Example 14 5 Viewing ATM Interface Processor Events Success Router debug atm events Router 00 02 57 DSL Send ADSL_OPEN command 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Sent command 0x5 00 02 57 DSL Re...

Page 150: ...ce atm number vcd vcd number vc vpi vci number no debug atm packet interface atm number vcd vcd number vc vpi vci number where the keywords are defined as follows interface atm number Optional ATM interface or subinterface number vcd vcd number Optional Number of the virtual circuit designator VCD vc vpi vci number VPI VCI value of the ATM PVC Example 14 7 shows a sample output Example 14 7 Viewin...

Page 151: ...outer Recovering a Lost Password To recover a lost enable or lost enable secret password 1 Change the Configuration Register 2 Reset the Router 3 Reset the Password and Save Your Changes for lost enable secret passwords only 4 Reset the Configuration Register Value Note Recovering a lost password is only possible when you are connected to the router through the console port These procedures cannot...

Page 152: ...tes and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using this product you agree to comply with applicable laws and regulations If you are unable to co...

Page 153: ...ation register is set to 0x142 The router uses the boot ROM system image indicated by the system configuration dialog System Configuration Dialog Step 5 Enter no in response to the prompts until the following message is displayed Press RETURN to get started Step 6 Press Return The following prompt appears Router Step 7 Enter the enable command to enter enable mode Configuration changes can be made...

Page 154: ... Step 4 Save your configuration changes Router copy running config startup config Reset the Configuration Register Value To reset the configuration register value after you have recovered or reconfigured a password follow these steps Step 1 Enter the configure terminal command to enter global configuration mode Router configure terminal Step 2 Enter the configure register command and the original ...

Page 155: ...ing Your Router with SDM Managing Your Router with SDM The Cisco SDM tool is a free software configuration utility supporting the Cisco 1800 series integrated services fixed configuration routers It includes a web based GUI that offers the following features Simplified setup Advanced configuration Router security Router monitoring ...

Page 156: ...14 14 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Chapter 14 Troubleshooting Managing Your Router with SDM ...

Page 157: ...P A R T 4 Reference Information ...

Page 158: ......

Page 159: ...ou are already familiar with Cisco IOS software go to one of the following chapters Chapter 1 Basic Router Configuration Chapter 2 Sample Network Deployments One of the configuration topic chapters in Part 3 Configuring the Router from a PC You can configure your router from a PC connected through the console port using terminal emulation software The PC uses this software to send commands to your...

Page 160: ... on how to enter global configuration mode so that you can configure your router see the Entering Global Configuration Mode section later in this chapter Understanding Command Modes This section describes the Cisco IOS command mode structure Each command mode supports specific Cisco IOS commands For example you can use the interface type number command only from global configuration mode The follo...

Page 161: ...is mode should be protected with a password as described in Enable Secret Passwords and Enable Passwords later in this chapter Global configuration Enter the configure command from privileged EXEC mode Router config To exit to privileged EXEC mode enter the exit or end command or press Ctrl Z To enter interface configuration mode enter the interface command Use this mode to configure parameters th...

Page 162: ...exception exception information To redisplay a command you previously entered press the Up Arrow key You can continue to press the Up Arrow key for more commands Router configuration Enter one of the router commands followed by the appropriate keyword for example router rip from global configuration mode Router config router To exit to global configuration mode enter the exit command To exit to pr...

Page 163: ...rds but warns you that they should be different An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters An enable password can contain any number of uppercase and lowercase alphanumeric characters In both cases a number cannot be the first character Spaces are also valid password characters for example two words is a valid password Leading spaces are igno...

Page 164: ... encounter while using the CLI to configure your router Table A 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your router to recognize the command Reenter the command followed by a question mark with no space between the command and the question mark The possible keywords that you can enter with the command are ...

Page 165: ...ave the configuration to NVRAM After the configuration has been saved the following message appears Building configuration router Summary Now that you have reviewed some Cisco IOS software basics you can begin to configure your router Remember You can use the question mark and arrow keys to help you enter commands Each command mode restricts you to a set of commands If you are having difficulty en...

Page 166: ...A 8 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Appendix A Cisco IOS Software Basic Skills Where to Go Next ...

Page 167: ...S Access Lists ADSL ADSL is a technology that allows both data and voice to be transmitted over the same line It is a packet based network technology that allows high speed transmission over twisted pair copper wire on the local loop last mile between a network service provider NSP central office and the customer site or on local loops created within either a building or a campus The benefit of AD...

Page 168: ...e internetwork layer is IP which provides the basic packet delivery service for all TCP IP networks In addition to the physical node addresses the IP protocol implements a system of logical host addresses called IP addresses The IP addresses are used by the internetwork and higher layers to identify devices and to perform internetwork routing The Address Resolution Protocol ARP enables IP to ident...

Page 169: ...particular destination does not exist but neighbors advertise the destination the router must recompute a route Each router running Enhanced IGRP sends hello packets every 5 seconds to inform neighboring routers that it is functioning If a particular router does not send a hello packet within a prescribed period Enhanced IGRP assumes that the state of a destination has changed and sends an increme...

Page 170: ...office router accepts the authentication PAP has the following characteristics The password portion of the authentication is sent across the link in clear text not scrambled or encrypted PAP provides no protection from playback or repeated trial and error attacks The remote office router controls the frequency and timing of the authentication attempts CHAP CHAP uses a three way handshake to verify...

Page 171: ...ification was developed in 1980 based on the original Ethernet technology Under the Ethernet CSMA CD media access process any host on a CSMA CD LAN can access the network at any time Before sending data CSMA CD hosts listen for traffic on the network A host wanting to send data waits until it detects no traffic before it transmits Ethernet allows any host on the network to transmit whenever the ne...

Page 172: ...es The routers support the following encapsulation types for ATM PVCs LLC SNAP RFC 1483 VC MUX RFC 1483 PPP RFC 2364 Each PVC is considered a complete and separate link to a destination node Users can encapsulate data as needed across the connection The ATM network disregards the contents of the data The only requirement is that data be sent to the ATM subsystem of the router in a manner that foll...

Page 173: ...DDR with no requirement for traffic of interest By configuring a set of watched routes that define the primary interface you are able to monitor and track the status of the primary interface as watched routes are added and deleted When a watched route is deleted dialer watch checks for at least one valid route for any of the IP addresses or networks being watched If there is no valid route the pri...

Page 174: ...tiplexed NAT functionality within Cisco IOS software IP addresses on the remote LAN are invisible to the Internet The Easy IP Phase 1 feature combines NAT and PPP IPCP With NAT the router translates the nonregistered IP addresses used by the LAN devices into the globally unique IP address used by the dialer interface The ability of multiple LAN devices to use the same globally unique IP address is...

Page 175: ...rk an Internet service provider or an enterprise network IP Precedence You can partition traffic in up to six classes of service using IP Precedence two others are reserved for internal network use The queuing technologies throughout the network can then use this signal to expedite handling Features such as policy based routing and committed access rate CAR can be used to set precedence based on e...

Page 176: ...s are preferred high volume traffic streams share the remaining capacity obtaining equal or proportional bandwidth RSVP RSVP enables routers to reserve enough bandwidth on an interface to ensure reliability and quality performance RSVP allows end systems to request a particular QoS from the network Real time voice traffic requires network consistency Without consistent QoS real time traffic can ex...

Page 177: ...n approximate session filtering by using the established keyword with the permit command The established keyword filters TCP packets based on whether the ACK or RST bits are set Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session This filter criterion would be part of an access list applied permanently to an interf...

Page 178: ...B 12 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Appendix B Concepts Access Lists ...

Page 179: ...tains the following sections Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download Configuration Register Console Download Debug Commands Exiting the ROM Monitor Entering the ROM Monitor To use the ROM monitor you must be using a terminal or PC that is connected to the router over the console port Perform these steps to configure the router to boot...

Page 180: ...nd history meminfo main memory information more Concatenate type file s cat filenames repeat repeat a monitor command reset system reset set display the monitor variables stack produce a stack trace sync write monitor environment to NVRAM sysret print out info from last system return tftpdnld tftp image download unalias unset an alias unset unset a monitor variable xmodem x ymodem image download C...

Page 181: ...iables and optional variables Table C 1 Commonly Used ROM Monitor Commands Command Description help or Displays a summary of all available ROM monitor commands Displays information about command syntax for example rommon 16 dis usage dis addr length The output for this command is slightly different for the xmodem download command rommon 11 xmodem xmodem illegal option usage xmodem cyrxu destinatio...

Page 182: ...address IP address of the default gateway of the router DEFAULT_GATEWAY ip_address Port number of the Fast Ethernet port used to connect to the network FE_PORT fe_port_number IP address of the TFTP server from which the software will be downloaded TFTP_SERVER ip_address Name of the file that will be downloaded to the router TFTP_FILE filename Variable Command Configures how the router displays fil...

Page 183: ...mand You will see output similar to the following IP_ADDRESS 10 3 6 7 IP_SUBNET_MASK 255 255 0 0 DEFAULT_GATEWAY 10 3 0 1 TFTP_SERVER 223 255 254 254 TFTP_FILE c1800 advsecurityk9 mz Do you wish to continue y n n Step 3 If you are sure that you want to continue enter y in response to the question in the output Do you wish to continue y n n y The router begins to download the new file If you mistak...

Page 184: ...s hexadecimal The new virtual configuration register value is written into NVRAM but does not take effect until you reset or reboot the router Changing the Configuration Register Using Prompts Entering the confreg command without an argument displays the contents of the virtual configuration register and a prompt to alter the contents by describing the meaning of each bit In either case the new vi...

Page 185: ...ommend using a speed of 38 400 bps or less when downloading a Cisco IOS image over the console port Command Description The following are the syntax and descriptions for the xmodem console download command xmodem cyrx destination_file_name c Optional Performs the download using 16 bit cyclic redundancy check CRC 16 error checking to validate packets Default is 8 bit CRC y Optional Sets the router ...

Page 186: ...kernel context state is invalid can not proceed The following are ROM monitor debugging commands stack or k Produces a stack trace for example rommon 6 stack Stack trace PC 0x801111b0 Frame 00 FP 0x80005ea8 PC 0x801111b0 Frame 01 FP 0x80005eb4 PC 0x80113694 Frame 02 FP 0x80005f74 PC 0x8010eb44 Frame 03 FP 0x80005f9c PC 0x80008118 Frame 04 FP 0x80005fac PC 0x80008064 Frame 05 FP 0x80005fc4 PC 0xfff...

Page 187: ... PC 0x00000000 meminfo Displays size in bytes starting address available range of main memory the starting point and size of packet memory and size of NVRAM for example rommon 9 meminfo Main memory size 256 MB Available main memory starts at 0x80012000 size 0x3ffb8 KB IO packet memory size 10 percent of main memory NVRAM size 192 KB Exiting the ROM Monitor You must set the configuration register t...

Page 188: ...C 10 Cisco 1800 Series Integrated Services Routers Fixed Software Configuration Guide OL 6426 02 Appendix C ROM Monitor Exiting the ROM Monitor ...

Page 189: ... RJE Remote job entry 7 ECHO Echo 9 DISCARD Discard 11 USERS Active users 13 DAYTIME Daytime 15 NETSTAT Netstat 17 QUOTE Quote of the day 19 CHARGEN Character generator 20 FTP DATA File Transfer Protocol data 21 FTP File Transfer Protocol 23 TELNET Terminal connection 25 SMTP Simple Mail Transport Protocol 37 TIME Time 39 RLP Resource Location Protocol 42 NAMESERVER Hostname server 43 NICNAME Who ...

Page 190: ...Usenet Network News Transfer Protocol 123 NTP Network Time Protocol 126 SNMP Simple Network Management Protocol 137 NETBIOS NS NetBIOS name service 138 NETBIOS DGM NetBIOS datagram service 139 NETBIOS SSN NetBIOS session service 161 SNMP Simple Network Management Protocol 162 SNMP TRAP Simple Network Management Protocol traps 512 rexec UNIX remote execution control 513 TCP rlogin UDP rwho TCP UNIX...

Page 191: ...iew 1 troubleshooting 2 aggregator configuring 12 ARP 2 Asymmetric Digital Line Subscriber Line See ADSL asynchronous interface configuring 13 ATM configuring the ATM interface 8 errors displaying 6 events displaying 7 interface configuration scenario 5 overview 5 packets displaying 8 PVC encapsulation types 6 queues 10 troubleshooting commands 3 to 9 WAN interface 5 ATM adaptation layer See AAL A...

Page 192: ...leged EXEC accessing 5 redisplaying 4 ROM monitor debugging 9 undoing 6 command variables listing 4 TFTP download 3 committed access rate See CAR configuration changes making 5 saving 12 7 configuration examples command line access 12 DHCP server 3 dynamic routes 15 EIGRP 16 PPPoA with NAT 11 PPPoE with NAT 9 simple firewall 5 static routes 13 VPN with IPSec and GRE 10 VPN with IPSec tunnel 10 wir...

Page 193: ...mands ROM monitor 8 9 default configuration viewing 2 DHCP configuring DHCP server 2 IP address assignment 1 DHCP and Easy IP Phase 2 8 DHCP server configuration example 3 configuring as 1 verify configuration 4 dial backup configuring 1 9 13 dialer watch 4 feature limitations and configuration 1 floating static routes 2 dialer interface configuring 5 3 description 6 dialer watch 4 7 dir device co...

Page 194: ...ying access lists to interfaces 4 applying inspection rules to interfaces 4 configuration example 5 configuration tasks 2 configuring 1 configuring inspection rules 3 floating static routes configuring 3 description 7 flowcontrol command 2 fragmentation PPP 9 frame command 8 G G SHDSL configuring 7 ordering 5 overview 2 troubleshooting 2 global configuration mode entering 5 summary 2 3 global para...

Page 195: ...N peer router configuring 12 ISDN S T port for dial backup 9 K k command 8 L LAN with DHCP and VLANs configuring 1 Layer 2 interfaces 9 LCP 4 LFQ 10 line configuration for V 92 modem 15 line configuration mode 4 Link Control Protocol See LCP LLC 6 loopback interface configuring 9 to 10 low latency queuing See LFQ M MAC table manipulation 9 meminfo command 9 metrics EIGRP 3 RIP 3 mode configuration...

Page 196: ...nabling 6 4 5 port assignments common 1 to 2 port labels for interfaces 1 port numbers currently assigned 1 to 2 PPP 9 authentication protocols 3 to 4 fragmentation 9 interleaving 9 overview 3 PPP Internet Protocol Control Protocol See IPCP PPPoA configuration example 11 PPPoE configuration example 9 configuring 1 verify configuration 10 PPPoE client 1 prerequisites for configuration 4 privileged ...

Page 197: ...ow controllers dsl command 8 show dsl interface atm command 7 show interface command 3 site to site VPN with GRE and IPSec tunnel 1 software upgrading methods 9 stack command 8 static routes configuration example 13 configuring 12 Switch 7 Switched Port Analyzer SPAN 9 Switched Virtual Interfaces SVIs 9 Switch Port Configurations 7 Switch port configurations 7 Switch Ports Configuration Cisco 1800...

Page 198: ...iguration 4 Easy VPN configuration 10 PPPoE with NAT configuration 10 VLAN configuration 5 viewing default configuration 2 virtual configuration register 6 virtual private dialup network group number configuring 2 VLANs configuring 1 verify configuration 5 VLAN trunking protocol VTP 8 VPDN 2 VPNs configuration example 10 configuration tasks 2 3 configuring 1 4 W WAN interfaces configuring 7 3 5 wi...

Reviews:

No comments

Related manuals for 1801

Brand: Aztech Pages: 2

Magic WiFi mini Ek

Brand: Devolo Pages: 22

Brand: QuickLink Pages: 8

Brand: 3Com Pages: 32

Brand: Kramer Pages: 2

Brand: CalAmp Pages: 115

Brand: TP-Link Pages: 37

Brand: Ubiquiti Pages: 13

VIGI NVR1004H-4P

Brand: TP-Link Pages: 2

Brand: JAKA Pages: 37

Brand: Socket Pages: 28

Brand: RR-Concepts Pages: 12

Brand: 8e6 Technologies Pages: 94

Brand: Paradyne Pages: 46

Brand: Axis Pages: 30

Brand: IEI Technology Pages: 119

Brand: Axis Pages: 10

Brand: Westermo Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands