manualshive.com logo in svg

Cisco 850 Series, Configuration Manual, Page: 89 / 196

Share
Download
Cisco 850 Series Configuration Manual Download Page 89

 

7-11

Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide

OL-5332-01 

Chapter 7      Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

  Configuration Example

!

! Utilize NAT overload in order to make best use of the 

! single address provided by the ISP.

ip nat inside source list 102 interface Ethernet1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 210.110.101.1

no ip http server

!

!

! acl 102 associated addresses used for NAT.

access-list 102 permit ip 10.1.1.0 0.0.0.255 any

! acl 103 defines traffic allowed from the peer for the IPSec tunnel.

access-list 103 permit udp host 200.1.1.1 any eq isakmp

access-list 103 permit udp host 200.1.1.1 eq isakmp any

access-list 103 permit esp host 200.1.1.1 any

! Allow ICMP for debugging but should be disabled because of security implications.

access-list 103 permit icmp any any 

access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.

! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.

access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

no cdp run

Summary of Contents for 850 Series

Page 1: ...ms Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide Text Part Number OL 5332 01 ...

Page 2: ...S INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCSP the Cisco Square Bridge logo Follow Me Browsing and StackWise are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn and iQuick Study are service marks of Cisco...

Page 3: ...Information Needed for Configuration 4 Configuring Basic Parameters 5 Configure Global Parameters 5 Configure Fast Ethernet LAN Interfaces 6 Configure WAN Interfaces 6 Configure the Fast Ethernet WAN Interface 6 Configure the ATM WAN Interface 7 Configure the Wireless Interface 7 Configuring a Loopback Interface 8 Configuration Example 8 Verifying Your Configuration 9 Configuring Command Line Acce...

Page 4: ...anslation 6 Configuration Example 8 Verifying Your Configuration 9 C H A P T E R 4 Configuring PPP over ATM with NAT 1 Configure the Dialer Interface 3 Configure the ATM WAN Interface 5 Configure DSL Signaling Protocol 6 Configuring ADSL 6 Verify the Configuration 7 Configuring SHDSL 7 Verify the Configuration 8 Configure Network Address Translation 9 Configuration Example 11 Verifying Your Config...

Page 5: ...ure a VPN 2 Configure the IKE Policy 3 Configure Group Policy Information 4 Enable Policy Lookup 5 Configure IPSec Transforms and Protocols 5 Configure the IPSec Crypto Method and Parameters 6 Apply the Crypto Map to the Physical Interface 7 Configure a GRE Tunnel 8 Configuration Example 9 C H A P T E R 8 Configuring a Simple Firewall 1 Configure Access Lists 3 Configure Inspection Rules 3 Apply A...

Page 6: ...ion Methods 1 Backup Interfaces 2 Configuring Backup Interfaces 2 Floating Static Routes 2 Configuring Floating Static Routes 3 Dialer Watch 4 Configuring Dialer Watch 4 Dial Backup Feature Limitations 5 Configuration Example 6 Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port 9 Configuration Tasks 10 Configuration Example 13 Configuring Dial Backup and Remote Man...

Page 7: ...Reset the Password and Save Your Changes 12 Reset the Configuration Register Value 12 Managing Your Router with SDM 13 P A R T 4 Reference Information A P P E N D I X A Cisco IOS Software Basic Skills 1 Configuring the Router from a PC 1 Understanding Command Modes 2 Getting Help 4 Enable Secret Passwords and Enable Passwords 5 Entering Global Configuration Mode 5 Using Commands 6 Abbreviating Com...

Page 8: ... Easy IP Phase 1 8 Easy IP Phase 2 8 QoS 9 IP Precedence 9 PPP Fragmentation and Interleaving 9 CBWFQ 10 RSVP 10 Low Latency Queuing 10 Access Lists 11 A P P E N D I X C ROM Monitor 1 Entering the ROM Monitor 1 ROM Monitor Commands 2 Command Descriptions 3 Disaster Recovery with TFTP Download 3 TFTP Download Command Variables 4 Required Variables 4 Optional Variables 5 Using the TFTP Download Comm...

Page 9: ...nd Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Console Download 7 Command Description 8 Error Reporting 8 Debug Commands 8 Exiting the ROM Monitor 10 A P P E N D I X D Common Port Assignments 1 I N D E X ...

Page 10: ...Contents 10 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 ...

Page 11: ...g a Service Request Audience This guide is intended for network administrators whose backgrounds vary from having no or little experience in configuring routers to having a high level of experience You can use this guide in the following situations You have configured the software by using the Cisco Router Web Setup tool and you want to configure additional advanced software features by using the ...

Page 12: ...Generic Routing Encapsulation Provides instructions on how to configure a VPN with a secure IP tunnel and generic routing encapsulation GRE Chapter 8 Configuring a Simple Firewall Provides instructions on how to configure a basic firewall on your Cisco router Chapter 9 Configuring a Wireless LAN Connection Provides instructions on how to configure a wireless LAN connection on your Cisco router Cha...

Page 13: ...der be careful In this situation you might do something that could result in equipment damage or loss of data Timesaver This symbol means the described action saves time Command Conventions Table 1 describes the command syntax used in this guide Table 1 Command Syntax Conventions Convention Description boldface Commands and keywords italic Command input that is supplied by you Optional keywords an...

Page 14: ...ion for Cisco 800 Series and SOHO Series Routers Declarations of Conformity and Regulatory Information for Cisco Access Products with 802 11a b g and 802 11b g Radios Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which als...

Page 15: ...P A R T 1 Getting Started ...

Page 16: ......

Page 17: ...tion Information Needed for Configuration Configuring Basic Parameters Configuring Static Routes Configuring Dynamic Routes Configuring Enhanced IGRP Each section includes a configuration example and verification steps as available For complete information on how to access global configuration mode see the Entering Global Configuration Mode section in Appendix A Cisco IOS Basic Skills For more inf...

Page 18: ... configuration Current configuration 1090 bytes version 12 3 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password encryption hostname Router boot start marker boot end marker Cisco 871 Fast Ethernet LAN FE0 FE3 Fast Ethernet WAN FE4 Wireless LAN LEFT RIGHT PRIMARY USB 1 0 Cisco 857 Fast Ethernet LAN LAN top FE0 FE3 bottom ATM WAN ADSLoPOTS ...

Page 19: ...tdown interface FastEthernet3 no ip address shutdown interface FastEthernet4 no ip address duplex auto speed auto interface Dot11Radio0 no ip address shutdown speed basic 1 0 basic 2 0 basic 5 5 6 0 9 0 basic 11 0 12 0 18 0 24 0 36 0 48 0 54 0 rts threshold 2312 station role root interface Vlan1 no ip address ip classless no ip http server no ip http secure server control plane line con 0 no modem...

Page 20: ...ing parameter information including IP address and ATM permanent virtual circuits PVCs These PVC parameters are typically virtual path identifier VPI virtual circuit identifier VCI and traffic shaping parameters Determine the number of PVCs that your service provider has given you along with their VPIs and VCIs For each PVC determine the type of AAL5 encapsulation supported It can be one of the fo...

Page 21: ...mmand Purpose Step 1 configure terminal Example Router enable Router configure terminal Router config Enters global configuration mode when using the console port If you are connecting to the router using a remote terminal use the following telnet router name or address Login login id Password Router enable Step 2 hostname name Example Router config hostname Router Router config Specifies the name...

Page 22: ...ng one of the following procedures Configure the Fast Ethernet WAN Interface Configure the ATM WAN Interface Configure the Fast Ethernet WAN Interface This procedure applies only to the Cisco 851 and Cisco 871 router models Perform these steps to configure the Fast Ethernet interface beginning in global configuration mode Command Purpose Step 1 interface type number Example Router config interface...

Page 23: ... signaling Step 2 interface type number Example Router config interface atm0 Router config int Identifies and enters the configuration mode for an ATM interface Step 3 ip address ip address mask Example Router config int ip address 10 10 10 100 255 255 255 0 Router config int Sets the IP address and subnet mask for the ATM interface Step 4 no shutdown Example Router config int no shutdown Router c...

Page 24: ...g int ip address 10 108 1 1 255 255 255 0 Router config int Sets the IP address and subnet mask for the loopback interface Step 3 exit Example Router config int exit Router config Exits configuration mode for the loopback interface and returns to global configuration mode Configuration Example The loopback interface in this sample configuration is used to support Network Address Translation NAT on...

Page 25: ...ec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 0 packets output 0 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 output buffer failures 0 output buffers swapped out Another way to verify the loopback interface is to ping it Router ping 10 10 10 100 Type escape sequ...

Page 26: ...ser input is detected The default is 10 minutes Optionally add seconds to the interval value This example shows a timeout of 5 minutes and 30 seconds Entering a timeout of 0 0 specifies never to time out Step 5 line aux console tty vty line number Example Router config line vty 0 4 Router config Specifies a virtual terminal for remote console access Step 6 password password Example Router config p...

Page 27: ...e must be updated with a new route Static routes are private routes unless they are redistributed by a routing protocol Configuring static routes on the Cisco 850 and Cisco 870 series routers is optional Perform these steps to configure static routes beginning in global configuration mode Command Purpose Step 1 ip route prefix mask ip address interface type interface number ip address Example Rout...

Page 28: ...fied by the S You should see verification output similar to the following example Router show ip route Codes C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate de...

Page 29: ... 3 network ip address Example Router config router network 192 168 1 1 Router config router network 10 10 7 1 Router config router Specifies a list of networks on which RIP is to be applied using the address of the network of directly connected networks Step 4 no auto summary Example Router config router no auto summary Router config router Disables automatic summarization of subnet routes into ne...

Page 30: ...static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is not set 10 0 0 0 24 is sub...

Page 31: ...cated by D You should see verification output similar to the following example Router show ip route Codes C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate defau...

Page 32: ...1 16 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 1 Basic Router Configuration Configuring Enhanced IGRP ...

Page 33: ...P A R T 2 Configuring Your Router for Ethernet and DSL Access ...

Page 34: ......

Page 35: ...not address all of the possible network needs instead they provide models on which you can pattern your network You can choose not to use features presented in the examples or you can add or substitute features that better suit your needs Note To verify that a specific feature is compatible with your router you can use the Software Advisor tool You can access this tool at www cisco com Technical S...

Page 36: ...sco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 2 Sample Network Deployments Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation Chapter 8 Configuring a Simple Firewall ...

Page 37: ...E session it can be encrypted filtered and so forth Figure 3 1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router Figure 3 1 PPP over Ethernet with NAT 121753 2 3 5 6 1 7 4 Internet 1 Multiple networked devices Desktops laptop PCs switches 2 Fast Ethernet LAN interface inside interface for NAT 3 PPPoE client Cisco 851 or Cisco 871 access router 4 Point a...

Page 38: ...AT NAT represented as the dashed line at the edge of the Cisco router signifies two addressing domains and the inside source address The source list defines how the packet travels through the network Configuration Tasks Perform the following tasks to configure this network scenario Configure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces Configure the Di...

Page 39: ...on and initiates the tunnel Step 4 protocol l2tp pppoe Example Router config vpdn req in protocol pppoe Router config vpdn req in Specifies the type of sessions the VPDN subgroup can establish Step 5 exit Example Router config vpdn req in exit Router config vpdn Exits request dialin VPDN group configuration Step 6 exit Example Router config vpdn exit Router config Exits VPDN configuration returnin...

Page 40: ... Fast Ethernet interface and the configuration changes just made to it Step 4 exit Example Router config if exit Router config Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode Command Purpose Command Purpose Step 1 interface dialer dialer rotary group number Example Router config interface dialer 0 Router config if Creates a dialer interface numbere...

Page 41: ...e to a dialer group 1 10 Tip Using a dialer group controls access to your router Step 8 exit Example Router config if exit Router config Exits the dialer 0 interface configuration Step 9 dialer list dialer group protocol protocol name permit deny list access list number access group Example Router config dialer list 1 protocol ip permit Router config Creates a dialer list and associates a dial gro...

Page 42: ... Example 1 Router config ip nat inside source list 1 interface dialer 0 overload or Example 2 Router config ip nat inside source list acl1 pool pool1 Enables dynamic translation of addresses on the inside interface The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0 The second example shows the addresses ...

Page 43: ...ast Ethernet WAN interface FE4 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat outside Router config if Identifies the specified WAN interface as the NAT outside interface For details about this command and additional parameters that can be set as well as information about enabling static translation see the Cisco IOS IP Command Reference Volume 1 o...

Page 44: ...utside Note Commands marked by default are generated automatically when you run the show running config command vpdn enable vpdn group 1 request dialin protocol pppoe interface vlan 1 ip address 192 168 1 1 255 255 255 0 no ip directed broadcast default ip nat inside interface FastEthernet 4 no ip address no ip directed broadcast default ip nat outside pppoe enable group global pppoe client dial p...

Page 45: ...ed EXEC mode to verify the PPPoE with NAT configuration You should see verification output similar to the following example Router show ip nat statistics Total active translations 0 0 static 0 dynamic 0 extended Outside interfaces FastEthernet4 Inside interfaces Vlan1 Hits 0 Misses 0 CEF Translated packets 0 CEF Punted packets 0 Expired translations 0 Dynamic mappings Inside Source Id 1 access lis...

Page 46: ...3 10 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 3 Configuring PPP over Ethernet with NAT Configuration Example ...

Page 47: ...PP over ATM provides a network solution with simplified address handling and straight user verification like a dial network Figure 4 1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router This scenario uses a single static IP address for the ATM connection Figure 4 1 PPP over ATM with NAT 92340 2 3 5 1 6 4 ISP 1 Small business with multiple networked devic...

Page 48: ...DSL lines The dialer interface is used to connect to the ISP PPPoA The PPPoA Client feature on the router provides PPPoA client support on ATM interfaces A dialer interface must be used for cloning virtual access Multiple PPPoA client sessions can be configured on an ATM interface but each session must use a separate dialer interface and a separate dialer pool A PPPoA session is initiated on the c...

Page 49: ...mode Step 2 ip address negotiated Example Router config if ip address negotiated Router config if Specifies that the IP address for the dialer interface is obtained through PPP IPCP IP Control Protocol address negotiation Step 3 ip mtu bytes Example Router config if ip mtu 4470 Router config if Sets the size of the IP maximum transmission unit MTU The default minimum is 128 bytes The maximum for A...

Page 50: ...r group protocol protocol name permit deny list access list number access group Example Router config dialer list 1 protocol ip permit Router config Creates a dialer list and associates a dial group with it Packets are then forwarded through the specified interface dialer group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Refe...

Page 51: ...en a PVC is defined AAL5SNAP encapsulation is defined by default Use the encapsulation command to change this as shown in Step 3 The VPI and VCI arguments cannot be simultaneously specified as zero if one is 0 the other cannot be 0 For details about this command and additional parameters that can be set see the Cisco IOS Wide Area Networking Command Reference Step 3 encapsulation aal5auto aal5auto...

Page 52: ...iguring ADSL The default configuration for ADSL signaling is shown in Table 4 1 Table 4 1 Default ADSL Configuration Attribute Description Default Value Operating mode Specifies the operating mode of the digital subscriber line DSL for an ATM interface ADSL over POTS ANSI or ITU full rate or automatic selection ADSL over ISDN ITU full rate ETSI or automatic selection Auto Loss of margin Specifies ...

Page 53: ...your router to use SHDSL signaling beginning in global configuration mode Command Purpose Step 1 controller dsl port Example Router config controller dsl 0 Router config controller Enters the configuration mode for the DSL controller Step 2 line term co cpe Example Router config controller line term co Router config controller Specifies if the DSL line is terminated at a central office CO or at cu...

Page 54: ... LOSW Defect alarm ACTIVE CRC per second alarm ACTIVE Line termination CPE Current 15 min CRC 0 Current 15 min LOSW Defect 0 Current 15 min ES Defect 0 Current 15 min SES Defect 0 Current 15 min UAS Defect 33287 Previous 15 min CRC Defect 0 Previous 15 min LOSW Defect 0 Previous 15 min ES Defect 0 Previous 15 min SES Defect 0 Previous 15 min UAS Defect 0 Line 0 status Chipset Version 0 Firmware Ve...

Page 55: ...pool pool1 192 168 1 0 192 168 2 0 netmask 255 255 255 0 Router config Creates pool of global IP addresses for NAT Step 2 ip nat inside source list access list number interface type number pool name overload Example 1 Router config ip nat inside source list 1 interface dialer 0 overload or Example 2 Router config ip nat inside source list acl1 pool pool1 Enables dynamic translation of addresses on...

Page 56: ...ion changes just made to the Ethernet interface Step 6 exit Example Router config if exit Router config Exits configuration mode for the Fast Ethernet interface Step 7 interface type number Example Router config interface atm 0 Router config if Enters configuration mode for the ATM WAN interface ATM0 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat o...

Page 57: ... VLAN interface has an IP address of 192 168 1 1 with a subnet mask of 255 255 255 0 NAT is configured for inside and outside Note Commands marked by default are generated automatically when you run the show running config command interface Vlan1 ip address 192 168 1 1 255 255 255 0 ip nat inside ip virtual reassembly default interface ATM0 no ip address ip nat outside ip virtual reassembly no atm...

Page 58: ...t 1 permit 192 168 1 0 0 0 0 255 dialer list 1 protocol ip permit ip route 10 10 25 2 0 255 255 255 dialer 0 Verifying Your Configuration Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoA client with NAT configuration You should see verification output similar to the following example Router show ip nat statistics Total active translations 0 0 static 0 dynamic 0 ex...

Page 59: ...l LANs connected by the router and two VLANs Figure 5 1 Physical and Virtual LANs with DHCP Configured on the Cisco Router 92339 1 2 3 4 1 Fast Ethernet LAN with multiple networked devices 2 Router and DHCP server Cisco 870 series access router connected to the Internet 3 VLAN 1 4 VLAN 2 DHCP DHCP which is described in RFC 2131 uses a client server model for address allocation As an administrator ...

Page 60: ...VLANs Note The procedures in this chapter assume you have already configured basic router features as well as PPPoE or PPPoA with NAT If you have not performed these configurations tasks see Chapter 1 Basic Router Configuration Chapter 3 Configuring PPP over Ethernet with NAT and Chapter 4 Configuring PPP over ATM with NAT as appropriate for your router Configure DHCP Perform these steps to config...

Page 61: ... The name argument can be a string or an integer Step 5 network network number mask prefix length Example Router config dhcp network 10 10 0 0 255 255 255 0 Router config dhcp Defines subnet number IP address for the DHCP address pool optionally including the mask Step 6 import all Example Router config dhcp import all Router config dhcp Imports DHCP option parameters into the DHCP portion of the ...

Page 62: ...ys the optional parameters imported into the DHCP server database show ip dhcp pool Displays information about the DHCP address pools show ip dhcp server statistics Displays the DHCP server statistics such as the number of address pools bindings and so forth Router show ip dhcp import Address Pool Name dpool1 Router show ip dhcp pool Pool dpool1 Utilization mark high low 100 0 Subnet size first ne...

Page 63: ... Perform these steps to configure VLANs on your router beginning in global configuration mode Command Purpose Step 1 vlan Example Router config t Router config vlan WORD ISL VLAN IDs 1 4094 accounting VLAN accounting configuration ifdescr VLAN subinterface ifDescr Router config vlan Enters VLAN configuration mode Step 2 ISL VLAN ID Example Router config vlan 2 Router config vlan Adds VLANs with id...

Page 64: ...er config if Assigns a port to the VLAN Step 3 end Example Router config if end Router Exits interface mode and returns to privileged EXEC mode Verify Your VLAN Configuration Use the following commands to view your VLAN configuration show Entered from VLAN database mode Displays summary configuration information for all configured VLANs show vlan switch Entered from privileged EXEC mode Displays d...

Page 65: ...rational MTU 1500 Bridge Type SRB Ring Number 0 Bridge Number 1 Parent VLAN 1005 Maximum ARE Hop Count 7 Maximum STE Hop Count 7 Backup CRF Mode Disabled Translational Bridged VLAN 1 Translational Bridged VLAN 1002 VLAN ISL Id 1004 Name fddinet default Media Type FDDI Net VLAN 802 10 Id 101004 State Operational MTU 1500 Bridge Type SRB Bridge Number 1 STP Type IBM VLAN ISL Id 1005 Name trnet defau...

Page 66: ... Configuring a LAN with DHCP and VLANs Configure VLANs VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 1 enet 100001 1500 1002 1003 2 enet 100002 1500 0 0 1002 fddi 101002 1500 1 1003 1003 tr 101003 1500 1005 0 srb 1 1002 1004 fdnet 101004 1500 1 ibm 0 0 1005 trnet 101005 1500 1 ibm 0 0 ...

Page 67: ...pt the data between two particular endpoints Two types of VPNs are supported site to site and remote access Site to site VPNs are used to connect branch offices to corporate offices for example Remote access VPNs are used by remote clients to log in to a corporate network The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPSec tunn...

Page 68: ...co VPN 3000 series concentrator that is acting as an IPSec server An Easy VPN server enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs Easy VPN server enabled devices allow remote routers to act as Easy VPN Remote nodes The Cisco Easy VPN client feature can be configured in one of two modes client mode or network e...

Page 69: ...PSec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration An example showing the results of these configuration tasks is provided in the Configuration Example section on page 6 11 Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT DCHP and VLANs If you ha...

Page 70: ...fies the encryption algorithm used in the IKE policy The example specifies 168 bit data encryption standard DES Step 3 hash md5 sha Example Router config isakmp hash md5 Router config isakmp Specifies the hash algorithm used in the IKE policy The example specifies the Message Digest 5 MD5 algorithm The default is Secure Hash standard SHA 1 Step 4 authentication rsa sig rsa encr pre share Example R...

Page 71: ...assword Router config isakmp group Specifies the IKE pre shared key for the group policy Step 3 dns primary server Example Router config isakmp group dns 10 50 10 1 Router config isakmp group Specifies the primary Domain Name System DNS server for the group Note You may also want to specify Windows Internet Naming Service WINS servers for the group by using the wins command Step 4 domain name Exam...

Page 72: ...ypto map tag client configuration address initiate respond Example Router config crypto map dynmap client configuration address respond Router config Configures the router to reply to mode configuration requests from remote clients Enable Policy Lookup Perform these steps to enable policy lookup through AAA beginning in global configuration mode Command or Action Purpose Step 1 aaa new model Examp...

Page 73: ...ers configurations Step 3 aaa authorization network exec commands level reverse access configuration default list name method1 method2 Example Router config aaa authorization network rtr remote local Router config Specifies AAA authorization of all network related service requests including PPP and specifies the method of authorization This example uses a local authorization database You could als...

Page 74: ... when IPSec security associations are negotiated See the Cisco IOS Security Command Reference for details Note With manually established security associations there is no negotiation with the peer and both sides must specify the same transform set Configure the IPSec Crypto Method and Parameters A dynamic crypto map policy processes negotiation requests for new security associations from remote IP...

Page 75: ...es connectivity to the Internet Perform these steps to apply a crypto map to an interface beginning in global configuration mode Step 3 reverse route Example Router config crypto map reverse route Router config crypto map Creates source proxy information for the crypto map entry See the Cisco IOS Security Command Reference for details Step 4 exit Example Router config crypto map exit Router config...

Page 76: ...bal configuration mode Command or Action Purpose Command or Action Purpose Step 1 crypto ipsec client ezvpn name Example Router config crypto ipsec client ezvpn ezvpnclient Router config crypto ezvpn Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode Step 2 group group name key group key Example Router config crypto ezvpn group ezvpnclient key secret ...

Page 77: ...mote local aaa session id common Step 5 exit Example Router config crypto ezvpn exit Router config Returns to global configuration mode Step 6 interface type number Example Router config interface fastethernet 4 Router config if Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied Note For routers with an ATM WAN interface this...

Page 78: ...m pool dynpool crypto ipsec transform set vpn1 esp 3des esp sha hmac crypto ipsec security association lifetime seconds 86400 crypto dynamic map dynmap 1 set transform set vpn1 reverse route crypto map static map 1 ipsec isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect a...

Page 79: ...e network The example in this chapter illustrates the configuration of a site to site VPN that uses IPSec and the generic routing encapsulation GRE protocol to secure the connection between the branch office and the corporate network Figure 7 1 shows a typical deployment scenario Figure 7 1 Site to Site VPN Using an IPSec Tunnel and GRE 121783 Internet 3 1 2 4 5 7 6 8 9 1 Branch office containing ...

Page 80: ...rwarded to the GRE tunnel are encrypted if no further access control lists ACLs are applied to the tunnel interface VPNs VPN configuration information must be configured on both endpoints for example on your Cisco router and at the remote user or on your Cisco router and on another router You must specify parameters such as internal IP addresses internal subnet masks DHCP server addresses and Netw...

Page 81: ...mp Specifies the encryption algorithm used in the IKE policy The example uses 168 bit Data Encryption Standard DES Step 3 hash md5 sha Example Router config isakmp hash md5 Router config isakmp Specifies the hash algorithm used in the IKE policy The example specifies the Message Digest 5 MD5 algorithm The default is Secure Hash standard SHA 1 Step 4 authentication rsa sig rsa encr pre share Exampl...

Page 82: ...rd Router config isakmp group Specifies the IKE pre shared key for the group policy Step 3 dns primary server Example Router config isakmp group dns 10 50 10 1 Router config isakmp group Specifies the primary Domain Name Service DNS server for the group Note You may also want to specify Windows Internet Naming Service WINS servers for the group by using the wins command Step 4 domain name Example ...

Page 83: ...t name method1 method2 Example Router config aaa authorization network rtr remote local Router config Specifies AAA authorization of all network related service requests including PPP and the method used to do so This example uses a local authorization database You could also use a RADIUS server for this See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference fo...

Page 84: ... negotiating IPSec security associations See the Cisco IOS Security Command Reference for details Note With manually established security associations there is no negotiation with the peer and both sides must specify the same transform set Configure the IPSec Crypto Method and Parameters A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peer...

Page 85: ...ctivity to the Internet Perform these steps to apply a crypto map to an interface beginning in global configuration mode Step 3 reverse route Example Router config crypto map reverse route Router config crypto map Creates source proxy information for the crypto map entry See the Cisco IOS Security Command Reference for details Step 4 exit Example Router config crypto map exit Router config Enters ...

Page 86: ...uter config Enters global configuration mode Command or Action Purpose Command or Action Purpose Step 1 interface type number Example Router config interface tunnel 1 Router config if Creates a tunnel interface and enters interface configuration mode Step 2 ip address subnet mask Example Router config if ip address 10 62 1 193 255 255 255 255 Router config if Assigns an address to the tunnel Step ...

Page 87: ...o the tunnel Note Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites See the Cisco IOS Security Configuration Guide for details Step 6 exit Example Router config if exit Router config Exits interface configuration mode and returns to global configuration mode Step 7 ip access list standard extended access list name Example Router...

Page 88: ... client configuration address respond Defines the key association and authentication for IPSec tunnel crypto isakmp policy 1 hash md5 authentication pre share crypto isakmp key cisco123 address 200 1 1 1 Defines encryption and transform set for the IPSec tunnel crypto ipsec transform set set1 esp 3des esp md5 hmac Associates all crypto values and peering address for the IPSec tunnel crypto map to_...

Page 89: ...esses used for NAT access list 102 permit ip 10 1 1 0 0 0 0 255 any acl 103 defines traffic allowed from the peer for the IPSec tunnel access list 103 permit udp host 200 1 1 1 any eq isakmp access list 103 permit udp host 200 1 1 1 eq isakmp any access list 103 permit esp host 200 1 1 1 any Allow ICMP for debugging but should be disabled because of security implications access list 103 permit icm...

Page 90: ...7 12 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation Configuration Example ...

Page 91: ...ge of each packet through the firewall However the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists These dynamic lists allow temporary openings in the configured access lists at firewall interfaces These openings are created when traffic for a specified user session exits the internal network through the firewall The openings allow returning traffic fo...

Page 92: ... router on the Fast Ethernet WAN interface FE4 Note that in this example the network traffic originating from the corporate network network address 10 1 1 0 is considered safe traffic and is not filtered Configuration Tasks Perform the following tasks to configure this network scenario Configure Access Lists Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces A configu...

Page 93: ...nation ports See the Cisco IOS IP Command Reference Volume 1 of 4 Addressing and Services for details about this command Configure Inspection Rules Perform these steps to configure firewall inspection rules for all TCP and UDP traffic as well as specific application protocols as defined by the security policy beginning in global configuration mode Command or Action Purpose Step 1 ip inspect name i...

Page 94: ...ter Step 2 ip inspect inspection name in out Example Router config if ip inspect firewall in Router config if Assigns the set of firewall inspection rules to the inside interface on the router Step 3 exit Example Router config if exit Router config Returns to global configuration mode Step 4 interface type number Example Router config interface fastethernet 4 Router config if Enters interface conf...

Page 95: ...c as well as specific application protocols as defined by the security policy ip inspect name firewall tcp ip inspect name firewall udp ip inspect name firewall rtsp ip inspect name firewall h323 ip inspect name firewall netshow ip inspect name firewall ftp ip inspect name firewall sqlnet interface vlan 1 This is the internal home network ip inspect firewall in Inspection examines outbound traffic...

Page 96: ...8 6 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 8 Configuring a Simple Firewall Configuration Example ...

Page 97: ...er based management system or Simple Network Management Protocol SNMP This chapter describes how to configure the router using the CLI Use the interface dot11radio global configuration CLI command to place the device into radio configuration mode See the Cisco Access Router Wireless Configuration Guide for more detailed information about configuring these Cisco routers in a wireless LAN applicatio...

Page 98: ...LANs and secure tunnels Configure the Root Radio Station Perform these steps to create and configure the root radio station for your wireless LAN beginning in global configuration mode Command Purpose Step 1 interface name number Example Router config interface dot11radio 0 Router config if Enters interface configuration mode for the radio interface Step 2 broadcast key vlan vlan id change seconds...

Page 99: ...a VLAN Step 6 authentication type Example Router config if ssid authentication open Router config if ssid authentication network eap eap_methods Router config if ssid authentication key management wpa Sets the permitted authentication methods for a user attempting access to the wireless LAN More than one method can be specified as shown in the example Step 7 exit Example Router config if ssid exit...

Page 100: ...g if Optional Specifies the channel on which communication occurs See the Cisco Access Router Wireless Configuration Guide for available channel numbers Step 12 station role repeater root Example Router config if station role root Router config if Optional Specifies the role of this radio interface You must specify at least one root interface Step 13 exit Example Router config if exit Router confi...

Page 101: ...number parameter Example Router config bridge group 1 spanning disabled Router config Sets other bridge parameters for the bridging interface Step 5 interface name number Example Router config interface bvi 1 Router config Enters configuration mode for the virtual bridge interface Step 6 bridge number route protocol Example Router config bridge 1 route ip Router config Specifies the protocol for t...

Page 102: ...outer config subif Enters subinterface configuration mode for the root station interface Step 2 description string Example Router config subif description Cisco open Router config subif Provides a description of the subinterface for the administrative user Step 3 encapsulation dot1q vlanID native second dot1q Example Router config subif encapsulation dot1q 1 native Router config subif Specifies th...

Page 103: ...wpa psk ascii 0 cisco123 authentication key management wpa ssid ciscowep vlan 2 authentication open ssid ciscowpa vlan 3 authentication open Step 5 bridge group number Example Router config subif bridge group 1 Router config subif Assigns a bridge group to the subinterface Note When the bridge group command is enabled the following commands are automatically enabled and cannot be disabled If you d...

Page 104: ...adio0 2 encapsulation dot1Q 2 bridge group 2 bridge group 2 subscriber loop control bridge group 2 spanning disabled bridge group 2 block unknown source no bridge group 2 source learning no bridge group 2 unicast flooding interface Dot11Radio0 3 encapsulation dot1Q 3 bridge group 3 bridge group 3 subscriber loop control bridge group 3 spanning disabled bridge group 3 block unknown source no bridge...

Page 105: ...ally when you run the show running config command Example 10 1 Sample Configuration Router show running config Building configuration Current configuration 3781 bytes version 12 3 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password encryption hostname retail boot start marker boot end marker enable password cisco123 username jsomeone passw...

Page 106: ... 0 1 0 255 255 255 0 default router 10 0 1 1 ip dhcp pool vlan2 network 10 0 2 0 255 255 255 0 default router 10 0 2 1 ip dhcp pool vlan3 network 10 0 3 0 255 255 255 0 default router 10 0 3 1 ip ips po max events 100 no ftp server write enable bridge irb interface FastEthernet0 no ip address interface FastEthernet1 no ip address interface FastEthernet2 no ip address interface FastEthernet3 switch...

Page 107: ...nt connect auto group 2 key secret password mode client peer 192 168 100 1 interface Dot11Radio0 no ip address broadcast key vlan 1 change 45 encryption vlan 1 mode ciphers tkip ssid cisco vlan 1 authentication open authentication network eap eap_methods authentication key management wpa optional ssid ciscowep vlan 2 authentication open ssid ciscowpa vlan 3 authentication open speed basic 1 0 basi...

Page 108: ... ip directed broadcast default ip nat inside crypto ipsec client ezvpn ezvpnclient inside ip inspect firewall in no cdp enable bridge group 1 bridge group 1 spanning disabled interface Vlan2 no ip address bridge group 2 bridge group 2 spanning disabled interface Vlan3 no ip address bridge group 3 bridge group 3 spanning disabled interface BVI1 ip address 10 0 1 1 255 255 255 0 interface BVI2 ip ad...

Page 109: ...ect name firewall sqlnet access list 103 permit udp host 200 1 1 1 any eq isakmp access list 103 permit udp host 200 1 1 1 eq isakmp any access list 103 permit esp host 200 1 1 1 any access list 103 permit icmp any any access list 103 deny ip any any access list 105 permit ip 10 1 1 0 0 0 0 255 192 168 0 0 0 0 255 255 no cdp run line con 0 password cisco123 no modem enable transport preferred all ...

Page 110: ...10 6 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 10 Sample Configuration ...

Page 111: ...P A R T 3 Configuring Additional Features and Troubleshooting ...

Page 112: ......

Page 113: ...n options described in this part include Chapter 12 Configuring Security Features Chapter 13 Configuring Dial Backup and Remote Management Chapter 14 Troubleshooting The descriptions contained in these chapters do not describe all of your configuration or troubleshooting needs See the appropriate Cisco IOS configuration guides and command references for additional details Note To verify that a spe...

Page 114: ...11 2 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 11 Additional Configuration Options ...

Page 115: ...twork security services provide the primary framework through which you set up access control on your router Authentication provides the method of identifying users including login and password dialog challenge and response messaging support and depending on the security protocol you choose encryption Authorization provides the method for remote access control including one time authorization or a...

Page 116: ...cess Lists Access lists ACLs permit or deny network traffic over an interface based on source IP address destination IP address or protocol Access lists are configured as standard or extended A standard access list either permits or denies passage of packets from a designated source An extended access list allows designation of both the destination and the source and it allows designation of indiv...

Page 117: ...s are inspected internally and the state of network connections is monitored This is superior to static access lists because access lists can only permit or deny traffic based on individual packets not streams of packets Also because CBAC inspects the packets decisions to permit or deny traffic can be made by examining application layer data something static access lists cannot do To configure a C...

Page 118: ...virtual private network VPN connection provides a secure connection between two networks over a public network such as the Internet Cisco 850 and Cisco 870 series access routers support site to site VPNs using IP security IPSec tunnels and generic routing encapsulation GRE Permanent VPN connections between two peers or dynamic VPNs using EZVPN or DMVPN which create and tear down VPN connections as...

Page 119: ...mz image Remote management functions can be configured as follows Through the auxiliary port on any Cisco 850 or Cisco 870 series router Through the ISDN S T port on the Cisco 876 and Cisco 878 routers Note The console port and the auxiliary port in the Cisco IOS software configuration are on the same physical RJ 45 port therefore both ports cannot be activated simultaneously and the command line ...

Page 120: ...e for the interface for which you want to configure backup This can be a serial interface ISDN interface or asynchronous interface The example shows the configuration of a backup interface for an ATM WAN connection Step 2 backup interface interface type interface number Example Router config if backup interface bri 0 Router config if Assigns an interface as the secondary or backup interface This c...

Page 121: ...g Assigns the primary static route Step 2 ip route prefix mask ip address interface type interface number ip address distance Example Router config ip route 0 0 0 0 0 0 0 0 192 168 2 2 150 Router config Assigns the lower routing administrative distance value for the backup interface route 192 168 2 2 is the peer IP address of the backup interface Step 3 router rip Example Router config router rip ...

Page 122: ... steps to configure a dialer watch on your router beginning in global configuration mode Command Purpose Step 1 interface type number Example Router config interface dialer 2 Router config if Enters configuration mode for the dial backup interface Step 2 dialerwatch group group number Example Router config if dialer watch group 2 Router config if Specifies the group number for the watch list Step ...

Page 123: ...er config ip route 0 0 0 0 0 0 0 0 192 168 2 2 150 Router config Assigns the lower routing administrative distance value for the backup interface route 192 168 2 2 is the peer IP address of the backup interface Step 6 dialerwatch list group number ip ip address address mask delay route check initial seconds Example Router config dialer watch list 2 ip 22 0 0 2 255 255 255 255 Router config Assigns...

Page 124: ...co 876 877 or 878 PPP over ATM PPP over Ethernet Yes Backup interfaces Floating static routes Dialer watch Floating static route and dialer watch need a routing protocol to run in the router The dialer watch method brings up the backup interface as soon as the primary link goes down The backup interface is brought down as soon as the dialer timeout is reached and the primary interface is up The ro...

Page 125: ...mtu 1492 encapsulation ppp dialer pool 2 dialer group 2 no cdp enable ip classless Primary and backup interface are given route metric ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 80 ip http server Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip permit Example 13 2 Configuring Dial Backup Using Floating Static Routes vpdn enable vpdn...

Page 126: ...p 2 ip classless no cdp enable Primary and backup interface are given route metric This example uses static routes thus atm0 line protocol must be brought down for backup interface to function ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 150 ip http server Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip permit Example 13 3 Configurin...

Page 127: ...ted ip mtu 1492 encapsulation ppp dialer pool 2 dialer group 2 no cdp enable ip classless Primary and backup interface are given route metric ip route 0 0 0 0 0 0 0 0 22 0 0 2 ip route 0 0 0 0 0 0 0 0 192 168 2 2 80 ip http server Watch for interesting traffic dialer watch list 1 ip 22 0 0 2 255 255 255 255 Specifies interesting traffic to trigger backup ISDN traffic dialer list 1 protocol ip perm...

Page 128: ...ters when primary line goes down 3 PC C Remote management serves as dial in access to allow changes or updates to Cisco IOS configurations Configuration Tasks Perform these steps to configure dial backup and remote management for these routers beginning in global configuration mode Command Purpose Step 1 ip name server server address Example Router config ip name server 192 168 28 12 Router config...

Page 129: ...defined script is used to place a call over a modem Step 5 interface type number Example Router config interface Async 1 Router config if Creates and enters configuration mode for the asynchronous interface Configure the asynchronous interface For sample commands you can use in async interface configuration mode see the Configuration Example section on page 13 13 Step 6 exit Example Router config ...

Page 130: ...ess list number deny permit source source wildcard Example Router config access list 1 permit 192 168 0 0 0 0 255 255 any Defines an extended access list that indicates which addresses need translation Step 13 dialerwatch list group number ip ip address address mask delay route check initial seconds Example Router config dialer watch list 1 ip 22 0 0 2 255 255 255 255 Router config Evaluates the s...

Page 131: ... number modemcap entry MY USER_MODEM MSC F1S0 1 chat script Dialout ABORT ERROR ABORT BUSY AT OK ATDT 5555102 T TIMEOUT 45 CONNECT c interface vlan 1 ip address 192 168 1 1 255 255 255 0 ip nat inside ip tcp adjust mss 1452 hold queue 100 out Dial backup and remote management physical interface interface Async1 no ip address encapsulation ppp dialer in band dialer pool member 3 async default routi...

Page 132: ...anagement PC IP address peer default ip address 192 168 2 2 no cdp enable Need to use your own ISP account and password ppp pap sent username account password 7 pass ppp ipcp dns request ppp ipcp wins request ppp ipcp mask request IP NAT over Dialer interface using route map ip nat inside source route map main interface Dialer1 overload ip nat inside source route map secondary interface Dialer3 ov...

Page 133: ...25 91 254 255 255 255 255 Dial backup will kick in if primary link is not available 5 minutes after CPE starts up dialer watch list 1 delay route check initial 300 dialer list 1 protocol ip permit Direct traffic to an interface only if the dialer is assigned an IP address route map main permit 10 match ip address 101 match interface Dialer1 route map secondary permit 10 match ip address 103 match ...

Page 134: ... the dial backup link goes through a customer premises equipment CPE splitter a digital subscriber line access multiplexer DSLAM and a central office CO splitter before connecting to the ISDN switch In Figure 13 3 the dial backup link goes directly from the Cisco router to the ISDN switch Figure 13 2 Dial Backup Through CPE Splitter DSLAM and CO Splitter 82892 ATM network Internet B 2 3 4 8 7 6 5 ...

Page 135: ... goes down 3 DSLAM 4 Aggregator 5 ISDN switch C Administrator remote management through the ISDN interface when the primary DSL link is down serves as dial in access to allow changes or updates to Cisco IOS configuration 6 Web server 7 Administrator Configuration Tasks Perform the following tasks to configure dial backup and remote management through the ISDN S T port of your router Configure ISDN...

Page 136: ...ogies Command Reference Step 2 interface type number Example Router config interface bri 0 Router config if Enters configuration mode for the ISDN Basic Rate Interface BRI Step 3 encapsulation encapsulation type Example Router config if encapsulation ppp Router config if Sets the BRI0 interface encapsulation type Step 4 dialer pool member number Example Router config if dialer pool member 1 Router...

Page 137: ...dialer 0 interface with the BRI0 interface because the BRI0 dialer pool member value is 1 Step 11 dialer string dial string isdn subaddress Example Router config if dialer string 384040 Router config if Specifies the telephone number to be dialed Step 12 dialer group group number Example Router config if dialer group 1 Router config if Assigns the dialer interface to a dialer group 1 10 Step 13 ex...

Page 138: ...ss for your Cisco router during the ATM network downtime This portion of the example configures the aggregator vpdn enable no vpdn logging vpdn group 1 accept dialin protocol pppoe virtual template 1 interface Ethernet3 description 4700ref 1 ip address 40 1 1 1 255 255 255 0 media type 10BaseT interface Ethernet4 ip address 30 1 1 1 255 255 255 0 media type 10BaseT interface Virtual Template1 ip a...

Page 139: ...ackup and Remote Management Through the ISDN S T Port interface Dialer0 ip address 192 168 2 2 255 255 255 0 encapsulation ppp dialer pool 1 dialer string 384020 dialer group 1 peer default ip address pool isdn ip local pool isdn 192 168 2 1 ip http server ip classless ip route 0 0 0 0 0 0 0 0 192 168 2 1 ip route 40 0 0 0 255 0 0 0 30 1 1 1 dialer list 1 protocol ip permit ...

Page 140: ...50 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 13 Configuring Dial Backup and Remote Management Configuring Dial Backup and Remote Management Through the ISDN S T Port ...

Page 141: ...ht blue console port For information on making this connection see the documentation listed in the Related Documents section on page 14 With a connected terminal or PC you can view status messages from the router and enter commands to troubleshoot a problem You can also remotely access the interface Ethernet ADSL or telephone by using Telnet The Telnet option assumes that the interface is up and r...

Page 142: ...UTP cable Using regular telephone cable can introduce line errors SHDSL Troubleshooting Symmetrical high data rate digital subscriber line SHDSL is available on Cisco 878 and Cisco 1803 router models If you experience trouble with the SHDSL connection verify the following The SHDSL line is connected and using pins 3 and 4 For more information on the G SHDSL connection see the hardware guide for yo...

Page 143: ...Success rate is 100 percent 5 5 round trip min avg max 400 401 404 ms This command sends end to end OAM F5 packets which are echoed back by the aggregator show interface Command Use the show interface command to display the status of all physical ports Ethernet and ATM and logical interfaces on the router Table 14 1 describes messages in the command output Example 14 2 Viewing Status of Selected I...

Page 144: ...possible command output for the show interface command Table 14 1 show interface Command Output Description Output Cause For ATM Interfaces ATM 0 is up line protocol is up The ATM line is up and operating correctly ATM 0 is down line protocol is down The ATM interface has been disabled with the shutdown command or The ATM line is down possibly because the ADSL cable is disconnected or because the ...

Page 145: ...et interface has been disabled with the shutdown command and the interface is disconnected For Dialer Interfaces Dialer n is up line protocol is up The specified dialer interface is up and operating correctly Dialer n is down line protocol is down This is a standard message and may not indicate anything is actually wrong with the configuration or If you are having problems with the specified diale...

Page 146: ...n your router CPU process and it can render your router unusable For this reason use debug commands only to troubleshoot specific problems The best time to use debug commands is during periods of low network traffic so that other activity on the network is not adversely affected You can find additional information and documentation about the debug commands in the Cisco IOS Debug Command Reference ...

Page 147: ...DSL_OPEN command 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Sent command 0x5 00 02 57 DSL Received response 0x26 00 02 57 DSL Unexpected response 0x26 00 02 57 DSL Send ADSL_OPEN command 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Sent command 0x5 00 03 00 DSL 1 Modem state 0x8 00 03 02 DSL 2 Modem state 0x10 00 03 05 D...

Page 148: ...tional Number of the virtual circuit designator VCD vc vpi vci number VPI VCI value of the ATM PVC Example 14 7 shows sample output for the debug atm packet command Example 14 7 Viewing ATM Packet Processing Router debug atm packet Router 01 23 48 ATM0 O VCD 0x1 VPI 0x1 VCI 0x64 DM 0x0 SAP AAAA CTL 03 OUI 000000 TYPE 0800 Length 0x70 01 23 48 4500 0064 0008 0000 FF01 9F80 0E00 0010 0E00 0001 0800 ...

Page 149: ...st be on the same LAN as the router Recovering a Lost Password To recover a lost enable or lost enable secret password 1 Change the Configuration Register 2 Reset the Router 3 Reset the Password and Save Your Changes for lost enable secret passwords only 4 Reset the Configuration Register Value Note Recovering a lost password is only possible when you are connected to the router through the consol...

Page 150: ...er on System image file is flash c870 adventerprisek9 mz pcbu_wireless 041110 This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply use Delivery of Cisco cryptographic products does not imply Importers exporters distributors and users are responsible for co...

Page 151: ... does not have a Break key see the documentation that came with the terminal for instructions on how to send a break Step 2 Press break The terminal displays the following prompt rommon 2 Step 3 Enter confreg 0x2142 to reset the configuration register rommon 2 confreg 0x2142 Step 4 Initialize the router by entering the reset command rommon 2 reset The router cycles its power and the configuration ...

Page 152: ... global configuration mode Router configure terminal Step 2 Enter the enable secret command to reset the enable secret password in the router Router config enable secret password Step 3 Enter exit to exit global configuration mode Router config exit Step 4 Save your configuration changes Router copy running config startup config Reset the Configuration Register Value To reset the configuration reg...

Page 153: ...ting Managing Your Router with SDM Managing Your Router with SDM The Cisco SDM tool is a free software configuration utility supporting the Cisco 850 and Cisco 870 series access routers It includes a web based GUI that offers the following features Simplified setup Advanced configuration Router security Router monitoring ...

Page 154: ...14 14 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Chapter 14 Troubleshooting Managing Your Router with SDM ...

Page 155: ...P A R T 4 Reference Information ...

Page 156: ......

Page 157: ...sswords Entering Global Configuration Mode Using Commands Saving Configuration Changes Summary Where to Go Next If you are already familiar with Cisco IOS software go to one of the following chapters Chapter 1 Basic Router Configuration Chapter 2 Sample Network Deployments One of the configuration topic chapters described in Chapter 11 Additional Configuration Options Configuring the Router from a...

Page 158: ...tion see Appendix C ROM Monitor To change the router flow control setting use the flowcontrol line configuration command For information on how to enter global configuration mode so that you can configure your router see the Entering Global Configuration Mode section later in this chapter Understanding Command Modes This section describes the Cisco IOS command mode structure Each command mode supp...

Page 159: ...is mode should be protected with a password as described in Enable Secret Passwords and Enable Passwords later in this chapter Global configuration Enter the configure command from privileged EXEC mode Router config To exit to privileged EXEC mode enter the exit or end command or press Ctrl Z To enter interface configuration mode enter the interface command Use this mode to configure parameters th...

Page 160: ...xception information To redisplay a command you previously entered press the Up Arrow key You can continue to press the Up Arrow key for more commands Router configuration Enter one of the router commands followed by the appropriate keyword for example router rip from global configuration mode Router config router To exit to global configuration mode enter the exit command To exit to privileged EX...

Page 161: ...rds but warns you that they should be different An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters An enable password can contain any number of uppercase and lowercase alphanumeric characters In both cases a number cannot be the first character Spaces are also valid password characters for example two words is a valid password Leading spaces are igno...

Page 162: ...unter while using the CLI to configure your router Table A 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your router to recognize the command Reenter the command followed by a question mark with no space between the command and the question mark The possible keywords that you can enter with the command are displ...

Page 163: ...save the configuration to NVRAM After the configuration has been saved the following message appears Building configuration Router Summary Now that you have reviewed some Cisco IOS software basics you can begin to configure your router Remember You can use the question mark and arrow keys to help you enter commands Each command mode restricts you to a set of commands If you are having difficulty e...

Page 164: ...A 8 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Appendix A Cisco IOS Software Basic Skills Where to Go Next ...

Page 165: ...S Access Lists ADSL ADSL is a technology that allows both data and voice to be transmitted over the same line It is a packet based network technology that allows high speed transmission over twisted pair copper wire on the local loop last mile between a network service provider NSP central office and the customer site or on local loops created within either a building or a campus The benefit of AD...

Page 166: ...he internetwork layer is IP which provides the basic packet delivery service for all TCP IP networks In addition to the physical node addresses the IP protocol implements a system of logical host addresses called IP addresses The IP addresses are used by the internetwork and higher layers to identify devices and to perform internetwork routing The Address Resolution Protocol ARP enables IP to iden...

Page 167: ...its destination By default RIP routing updates are broadcast every 30 seconds You can reconfigure the interval at which the routing updates are broadcast You can also configure triggered extensions to RIP so that routing updates are sent only when the routing database is updated For more information on triggered extensions to RIP see the Cisco IOS Release 12 3 documentation set Enhanced IGRP Enhan...

Page 168: ...hed the remote office router repeatedly sends a configured username and password until the corporate office router accepts the authentication PAP has the following characteristics The password portion of the authentication is sent across the link in clear text not scrambled or encrypted PAP provides no protection from playback or repeated trial and error attacks The remote office router controls t...

Page 169: ...ification was developed in 1980 based on the original Ethernet technology Under the Ethernet CSMA CD media access process any host on a CSMA CD LAN can access the network at any time Before sending data CSMA CD hosts listen for traffic on the network A host wanting to send data waits until it detects no traffic before it transmits Ethernet allows any host on the network to transmit whenever the ne...

Page 170: ...wing encapsulation types for ATM PVCs LLC SNAP RFC 1483 VC MUX RFC 1483 PPP RFC 2364 Each PVC is considered a complete and separate link to a destination node Users can encapsulate data as needed across the connection The ATM network disregards the contents of the data The only requirement is that data be sent to the ATM subsystem of the router in a manner that follows the specific AAL format Dial...

Page 171: ...DDR with no requirement for traffic of interest By configuring a set of watched routes that define the primary interface you are able to monitor and track the status of the primary interface as watched routes are added and deleted When a watched route is deleted dialer watch checks for at least one valid route for any of the IP addresses or networks being watched If there is no valid route the pri...

Page 172: ...tiplexed NAT functionality within Cisco IOS software IP addresses on the remote LAN are invisible to the Internet The Easy IP Phase 1 feature combines NAT and PPP IPCP With NAT the router translates the nonregistered IP addresses used by the LAN devices into the globally unique IP address used by the dialer interface The ability of multiple LAN devices to use the same globally unique IP address is...

Page 173: ...rk an Internet service provider or an enterprise network IP Precedence You can partition traffic in up to six classes of service using IP Precedence two others are reserved for internal network use The queuing technologies throughout the network can then use this signal to expedite handling Features such as policy based routing and committed access rate CAR can be used to set precedence based on e...

Page 174: ...s are preferred high volume traffic streams share the remaining capacity obtaining equal or proportional bandwidth RSVP RSVP enables routers to reserve enough bandwidth on an interface to ensure reliability and quality performance RSVP allows end systems to request a particular QoS from the network Real time voice traffic requires network consistency Without consistent QoS real time traffic can ex...

Page 175: ...an approximate session filtering by using the established keyword with the permit command The established keyword filters TCP packets based on whether the ACK or RST bits are set Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session This filter criterion would be part of an access list applied permanently to an inter...

Page 176: ...B 12 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 Appendix B Concepts Access Lists ...

Page 177: ...e ROM monitor runs the router This appendix contains the following sections Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download Configuration Register Console Download Debug Commands Exiting the ROM Monitor Entering the ROM Monitor To use the ROM monitor you must be using a terminal or PC that is connected to the router over the console port Perf...

Page 178: ... a program module format Format a filesystem format filessystem frame print out a selected stack frame fsck Check filesystem consistency fsck filesystem help monitor builtin command help history monitor command history meminfo main memory information mkdir Create dir s mkdir dirnames more Concatenate type file s cat filenames rename Rename a file rename old_name new_name repeat repeat a monitor co...

Page 179: ...wnload completion u upgrade ROMMON System will reboot after upgrade reset or i Resets and initializes the router similar to a power up dir device Lists the files on the named device for example flash memory files rommon 4 dir flash Directory of flash 2 rwx 10283208 date c870 advsecurityk9 mz 9064448 bytes available 10289152 bytes used boot commands For more information about the ROM monitor boot c...

Page 180: ...riables Note The commands described in this section are case sensitive and must be entered exactly as shown Required Variables These variables must be set with these commands before you use the tftpdnld command Variable Command IP address of the router IP_ADDRESS ip_address Subnet mask of the router IP_SUBNET_MASK ip_address IP address of the default gateway of the router DEFAULT_GATEWAY ip_addres...

Page 181: ...the router attempts ARP and TFTP download The default is 7 TFTP_RETRY_COUNT retry_times Length of time in seconds before the download process times out The default is 2 400 seconds 40 minutes TFTP_TIMEOUT time Whether or not the router performs a checksum test on the downloaded image 1 Checksum test is performed 0 No checksum test is performed TFTP_CHECKSUM setting Using the TFTP Download Command ...

Page 182: ... software Within the ROM monitor you can change the configuration register by entering the register value in hexadecimal format or by allowing the ROM monitor to prompt you for the setting of each bit Changing the Configuration Register Manually To change the virtual configuration register from the ROM monitor manually enter the confreg command followed by the new value of the register in hexadeci...

Page 183: ...ostic mode console baud 9600 boot the ROM Monitor do you wish to change the configuration y n n You must reset or power cycle for new config to take effect Console Download You can use console download a ROM monitor function to download either a software image or a configuration file over the router console port After download the file is either saved to the mini flash memory module or to main mem...

Page 184: ...emory x Optional Image is loaded into DRAM without being executed destination_ file_name Name of the system image file or the system configuration file In order for the router to recognize it the name of the configuration file must be router_confg Follow these steps to run Xmodem Step 1 Move the image file to the local drive where Xmodem will execute Step 2 Enter the xmodem command Error Reporting...

Page 185: ...R15 0xffffffff R16 0xffffffff R17 0xffffffff R18 0xffffffff R19 0xffffffff R20 0xffffffff R21 0xffffffff R22 0xffffffff R23 0xffffffff R24 0xffffffff R25 0xffffffff R26 0xffffffff R27 0xffffffff R28 0xffffffff R29 0xffffffff R30 0xffffffff R31 0xffffffff frame Displays an individual stack frame sysret Displays return information from the last booted system image This information includes the reaso...

Page 186: ...oot a Cisco IOS image from flash memory upon startup or reloading The following example shows how to reset the configuration register and cause the router to boot a Cisco IOS image stored in flash memory rommon 1 confreg 0x2101 You must reset or power cycle for new config to take effect rommon 2 boot The router will boot the Cisco IOS image in flash memory The configuration register will change to...

Page 187: ...emote job entry 7 ECHO Echo 9 DISCARD Discard 11 USERS Active users 13 DAYTIME Daytime 15 NETSTAT Who is up or NETSTAT 17 QUOTE Quote of the day 19 CHARGEN Character generator 20 FTP DATA File Transfer Protocol data 21 FTP File Transfer Protocol 23 TELNET Terminal connection 25 SMTP Simple Mail Transport Protocol 37 TIME Time 39 RLP Resource Location Protocol 42 NAMESERVER Hostname server 43 NICNA...

Page 188: ...Usenet Network News Transfer Protocol 123 NTP Network Time Protocol 126 SNMP Simple Network Management Protocol 137 NETBIOS NS NetBIOS name service 138 NETBIOS DGM NetBIOS datagram service 139 NETBIOS SSN NetBIOS session service 161 SNMP Simple Network Management Protocol 162 SNMP TRAP Simple Network Management Protocol traps 512 rexec UNIX remote execution control 513 TCP rlogin UDP rwho TCP UNIX...

Page 189: ... Digital Line Subscriber Line See ADSL ATM errors displaying 6 events displaying 7 interface configuring basic parameters 7 interface configuring for PPPoA 5 overview 5 packets displaying 8 PVC encapsulation types 6 queues 10 troubleshooting commands 2 to 9 ATM adaptation layer See AAL ATM interface See ATM audience user 11 authentication protocols See PPP authentication protocols AutoSecure 2 aux...

Page 190: ...lp 3 help with 4 i 3 k 9 meminfo 9 permit 11 ping atm interface 3 privileged EXEC accessing 5 redisplaying 4 reset 3 ROM monitor 2 to 3 ROM monitor debugging 8 9 show atm interface 5 6 show controllers dsl 8 show dsl interface atm 7 show interface 3 stack 9 sysret 9 tftpdnld 3 5 undoing 6 xmodem 8 command variables listing 4 TFTP download 4 committed access rate See CAR configuration changes makin...

Page 191: ...onsole download 7 to 8 console port for dial backup 9 context command 9 conventions command 13 copy running config startup config command 7 copy tftp flash command 3 corporate network connecting to 4 crypto map applying to interface 9 7 D debug atm commands 6 debug atm errors command 6 debug atm events command 7 debug atm packet command 8 debug commands ROM monitor 8 9 default configuration viewin...

Page 192: ...ew 11 F Fast Ethernet LAN interfaces configuring 6 Fast Ethernet WAN interface configuring 6 3 filtering See access lists firewalls access list configuration 3 2 applying access lists to interfaces 4 applying inspection rules to interfaces 4 configuration example 5 configuration tasks 2 configuring inspection rules 3 floating static routes description 7 for dial backup 2 flowcontrol command 2 frag...

Page 193: ...N peer router configuring 20 K k command 9 L LAN with DHCP and VLANs configuring 1 to 8 LCP 4 LFQ 10 line configuration mode 4 Link Control Protocol See LCP LLC 6 loopback interface configuring 8 to 9 low latency queuing See LFQ M meminfo command 9 metrics EIGRP 3 RIP 3 mode configuration applying to crypto map 6 modes See command modes N NAT configuration example 8 11 configuring with PPPoA 9 con...

Page 194: ...t Protocol Control Protocol See IPCP PPPoA configuration example 11 PPPoE client 1 configuration example 8 configuring 1 verifying your configuration 9 prerequisites for configuration 4 privileged EXEC commands accessing 5 privileged EXEC mode 2 3 protocols ATM 5 Ethernet 5 network 2 network interface 5 to 6 PPP authentication 3 to 4 routing overview 2 to 3 PVC encapsulation types 6 overview 6 Q Q...

Page 195: ...guring 11 symmetrical high data rate digital subscriber line See G SHDSL sysret command 9 T TACACS 5 TCP IP oriented configuration 1 TCP port numbers 1 to 2 terminal emulation software 1 tftpdnld command 3 5 TFTP download 3 to 6 See also console download Timesaver defined 13 transform set configuring 7 translation See NAT triggered extensions to RIP 3 troubleshooting commands ATM 2 to 9 U UDP port...

Page 196: ... and Cisco 870 Series Access Routers Software Configuration Guide OL 5332 01 configuration example 11 configuration tasks 3 2 configuring 1 4 W WAN interface configuring 6 3 wireless LAN configuration example 7 X xmodem command 8 ...

Reviews:

No comments