Cisco 819 Series Integrated Services Routers Software Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS CHAPTER 1 Product Overview 1-1 General Description SKU Information 1-1 1-3 New Features 1-3 3G Features 1-3 WLAN Features 1-4 4G LTE Features 1-4 Platform Features 1-4 Security Features 1-4 CHAPTER 2 Wireless Device Overview ScanSafe 2-1 2-1 TFTP support with Ethernet WAN interface LEDs CHAPTER 3 2-2 2-2 Wireless Local Area Network 3-1 WLAN Features 3-1 Dual-Radio 3-1 Images Supported 3-2 CleanAir Technology 3-2 Dynamic Frequency Selection LEDs 3-2 3-2 3-3 CHAPTER 4 4G LTE
Contents Configuring WAN Interfaces 5-9 Configuring a Gigabit Ethernet WAN Interface 5-9 Configuring the Cellular Wireless WAN Interface 5-10 Prerequisites for Configuring the 3G Wireless Interface 5-11 Restrictions for Configuring the Cellular Wireless Interface 5-11 Data Account Provisioning 5-12 Configuring a Cellular Interface 5-16 Configuring DDR 5-17 Examples for Configuring Cellular Wireless Interfaces 5-20 Configuring Dual SIM for Cellular Networks 5-22 Configuring Router for Image and Config Recov
Contents CHAPTER 7 Environmental and Power Management Cisco EnergyWise Support CHAPTER 8 7-1 7-2 Configuring the Serial Interface Legacy Protocol Transport 8-1 8-2 Configuring Serial Interfaces 8-2 Information About Configuring Serial Interfaces Cisco HDLC Encapsulation 8-3 PPP Encapsulation 8-3 Multilink PPP 8-4 Keepalive Timer 8-4 Frame Relay Encapsulation 8-5 LMI on Frame Relay Interfaces 8-6 8-3 How to Configure Serial Interfaces 8-6 Configuring a Synchronous Serial Interface 8-6 Specifyi
Contents Configuring AutoSecure 9-2 Configuring Access Lists 9-2 Access Groups 9-3 Configuring Cisco IOS Firewall Configuring Cisco IOS IPS URL Filtering 9-3 9-4 9-4 Configuring VPN 9-4 Remote Access VPN 9-5 Site-to-Site VPN 9-6 Configuration Examples 9-7 Configure a VPN over an IPSec Tunnel 9-7 Configure the IKE Policy 9-7 Configure Group Policy Information 9-9 Apply Mode Configuration to the Crypto Map 9-10 Enable Policy Lookup 9-11 Configure IPSec Transforms and Protocols 9-12 Configure the IPSec
Contents MAC Address Notification 10-5 How to Configure Ethernet Switches 10-6 Configuring VLANs 10-6 VLANs on the FE Ports 10-6 VLANs on the GE Port 10-7 Configuring Layer 2 Interfaces 10-7 Configuring 802.
Contents CHAPTER 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco Easy VPN 13-1 13-2 Configuration Tasks 13-3 Configure the IKE Policy 13-3 Configure Group Policy Information 13-5 Apply Mode Configuration to the Crypto Map 13-6 Enable Policy Lookup 13-7 Configure IPSec Transforms and Protocols 13-8 Configure the IPSec Crypto Method and Parameters 13-8 Apply the Crypto Map to the Physical Interface 13-10 Create an Easy VPN Remote Configuration 13-10 Verifying Your Easy VPN Configuration 13
Contents TACACS+ Ethernet B-4 B-4 Dial Backup B-5 Backup Interface B-5 Floating Static Routes B-5 Dialer Watch B-5 NAT B-6 Easy IP (Phase 1) B-6 Easy IP (Phase 2) B-7 QoS B-7 IP Precedence B-8 PPP Fragmentation and Interleaving CBWFQ B-8 RSVP B-8 Low Latency Queuing B-9 Access Lists APPENDIX C ROM Monitor B-8 B-9 C-1 Entering the ROM Monitor ROM Monitor Commands Command Descriptions C-1 C-2 C-3 Disaster Recovery with TFTP Download C-3 TFTP Download Command Variables C-4 Required Variabl
Contents Cisco 819 Series Integrated Services Routers Software Configuration Guide 8 OL-23590-02
CHAPTER 1 Product Overview This chapter provides an overview of the features available for the Cisco 819 Integrated Services Routers (ISRs) and contains the following sections: • General Description, page 1-1 • SKU Information, page 1-3 • New Features, page 1-3 General Description The Cisco 819 ISRs provide Internet, VPN, data, and backup capability to corporate teleworkers and remote and small offices of fewer than 20 users.
General Description Figure 1-1 shows the Cisco 819HG ISR. Figure 1-1 Cisco 819HG Integrated Services Router [figure] Figure 1-2 shows the Cisco 819HGW ISR.
SKU Information For the complete list of SKUs available in Cisco 819 ISRs, see SKU Information. New Features This section lists the software, platform, and security features supported by the Cisco 819 ISRs: • 3G Features, page 1-3 • WLAN Features, page 1-4 • 4G LTE Features, page 1-4 • Platform Features, page 1-4 • Security Features, page 1-4 Note The WAAS Express feature is not supported.
Chapter 1 Product Overview New Features WLAN Features • Dual Radio • CleanAir Technology • Dynamic Frequency Selection 4G LTE Features • IPv4 bearer • MIPv4, NEMOv4, RFC 3025 • IPv4 subnet behind LTE UE interface • Evolved High-Rate Packet Data (EHRPD), which allows seamless handoff between 4G LTE and 3G services (C819(H)G-4G-V-K9 only) • Seamless hand-off between LTE and EHRPD network (C819(H)G-4G-V-K9 only) • Support for UMTS service as a fallback option from LTE service (C819(H)G-4G-A
CHAPTER 2 Wireless Device Overview The Cisco 819 ISRs provide Internet, VPN, data, and backup capability to corporate teleworkers and remote and small offices of fewer than 20 users. These fixed routers are capable of bridging and multiprotocol routing between LAN and WAN ports and provide advanced features such as antivirus protection. The fixed 3G routers can be used either as the primary WAN connection or as a backup connection for critical applications.
TFTP support with Ethernet WAN interface Trivial File Transfer Protocol (TFTP) is a file transfer protocol notable for its simplicity. It is generally used for automated transfer of configuration or boot files between machines in a local environment. The Cisco 819H ISR supports TFTP over the Ethernet WAN interface at a data transfer rate of 10 Mbps.
LEDs Table 2-1 3G LED Descriptions (continued)
LED: RSSI
  Green (solid): Signal > –60 dBm. Very strong signal.
  Green (four blinks and then a long pause): Signal <= –60 to –74 dBm. Strong signal.
  Green (two blinks and then a long pause): Signal <= –75 to –89 dBm. Fair signal.
  Green (one blink and then a long pause): Signal <= –90 to –109 dBm. Marginal signal.
  Off: Signal <= –110 dBm. Unusable signal.
LED: SIM 1,2
  Green / Yellow (one SIM in slot 0 active, SIM in slot 1 is not.
LEDs
LED STATUS:
==========
LEDS : SYSTEM STATUS: GREEN
LEDS : WWAN STATUS: GREEN, ACTIVITY: OFF, RSSI: GREEN (2 BLINK), SIM (slot0 / slot1): GREEN / YELLOW, GPS: OFF, 3G: GREEN
LAN PORTS : FE0 LINK/ENABLE LED: OFF, SPEED LED: Unknown; FE1 LINK/ENABLE LED: OFF, SPEED LED: Unknown; FE2 LINK/ENABLE LED: OFF, SPEED LED: Unknown; FE3 LINK/ENABLE LED: OFF, SPEED LED: Unknown
PORT : GE-WAN0 LINK/ENABLE LED: OFF, SPEED LED: Unknown
The following is a sample output from the show controllers cellular command showing the 3G LED status: router# show controllers cel
CHAPTER 3 Wireless Local Area Network A Wireless Local Area Network (WLAN) implements a flexible data communication system, frequently augmenting rather than replacing a wired LAN within a building or campus. WLANs use radio frequency to transmit and receive data over the air, minimizing the need for wired connections. The Cisco 819HGW and Cisco 819HWD ISRs run the host router software on the first core; the second core runs the WLAN access point software.
Chapter 3 Wireless Local Area Network WLAN Features AP802 Dual Radio contains two different types of wireless radio that can support connections on both 2.4 GHz used by 802.11b, 802.11g, and 802.11n and 5 GHz used by 802.11a and 802.11n. With the dual-radio/dual-band IEEE 802.11n access point, the Cisco 819HGW and Cisco 819HWD ISRs offer a secure, integrated access point in a single device. The ISRs support both autonomous and unified modes and are backward compatible with 802.11a/b/g.
WLAN Features Table 3-1 WLAN LED Descriptions
WLAN LED, boot loader status sequence: Blinking Green. Board initialization in progress; initializing FLASH file system; initializing Ethernet; Ethernet is OK; starting Cisco IOS; initialization successful.
WLAN LED, association status / operating status: Green. Normal operating condition with no wireless client associated. Blue. Normal operating condition with at least one wireless client associated.
CHAPTER 4 4G LTE Wireless WAN The Cisco 819HG-4G and Cisco 819G-4G LTE ISRs support 4G LTE and 3G cellular networks. For instructions on how to configure the 4G LTE features on your Cisco 819 ISR, see the Cisco 4G LTE Software Installation Guide.
CHAPTER 5 Basic Router Configuration This chapter provides procedures for configuring the basic parameters of your Cisco router, including global parameter settings, routing protocols, interfaces, and command-line access. It also describes the default configuration on startup.
Chapter 5 Basic Router Configuration Interface Ports Interface Ports Table 5-1 lists the interfaces that are supported for each router and their associated port labels on the equipment.
Information Needed for Configuration (default configuration, continued)
 speed auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Serial0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
logging esm config
control-plane
line con 0
 no modem enable
line aux 0
line 3
 no exec
line 7
 stopbits 1
 speed 115200
line vty 0 4
 login
 transport input all
Chapter 5 Basic Router Configuration Information Needed for Configuration • If you are setting up IP routing: – Generate the addressing scheme for your IP network. • If you are setting up the serial interface: – Mode of operation (sync, async, bisync) – Clock rate depending on the mode – IP address depending on the mode • If you are setting up 3G: – You must have service availability on the Cisco 819 ISR from a carrier, and you must have network coverage where your router will be physically placed.
Chapter 5 Basic Router Configuration Configuring Command-Line Access Configuring Command-Line Access To configure parameters to control access to the router, perform the following steps, beginning in global configuration mode: SUMMARY STEPS 1. line [aux | console | tty | vty] line-number 2. password password 3. login 4. exec-timeout minutes [seconds] 5. line [aux | console | tty | vty] line-number 6. password password 7. login 8.
Chapter 5 Basic Router Configuration Configuring Command-Line Access DETAILED STEPS Step 1 Command Purpose line [aux | console | tty | vty] line-number Enters line configuration mode and specifies the type of line. Example: This example specifies a console terminal for access. Router(config)# line console 0 Router(config-line)# Step 2 password password Specifies a unique password for the console terminal line.
Chapter 5 Basic Router Configuration Configuring Command-Line Access Step 7 Command Purpose login Enables password checking at the virtual terminal session login. Example: Router(config-line)# login Router(config-line)# Step 8 Exits line configuration mode and returns to privileged EXEC mode. end Example: Router(config-line)# end Router# Example The following configuration shows the command-line access commands. You do not need to input the commands marked “default.
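The steps above set a password, enable login checking and an exec-timeout on each line; the default startup configuration earlier in this chapter has line vty 0 4 with login and transport input all but no password yet. The following added example (not code from this guide) audits the line stanzas of a saved running-config for exactly those settings; the sample config is constructed from the guide's default configuration.

```python
"""Audit the 'line' stanzas of a Cisco IOS running-config for the access
controls this chapter configures: password, login, and exec-timeout.
Added example, not code from the guide or from Cisco IOS."""

# Constructed sample: the vty block mirrors the guide's default startup
# configuration (login enabled, transport input all) before a password is set.
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
 password 0 console-secret
 login
 exec-timeout 10 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input all
!
end
"""


def parse_lines(config: str) -> dict[str, list[str]]:
    """Return {line-stanza header: [sub-commands]} for every 'line ...' block.

    IOS indents sub-commands with one space; '!' or any top-level command
    ends the current stanza."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_line(header: str, cmds: list[str]) -> list[str]:
    """Findings for one line stanza, following steps 2 to 4 of this section."""
    findings: list[str] = []
    login_cmd = next((c for c in cmds if c == "login" or c.startswith("login ")), None)
    has_password = any(c.startswith("password ") for c in cmds)

    if login_cmd is None:
        findings.append("no login: password checking is disabled on this line")
    elif login_cmd == "login" and not has_password:
        # Plain 'login' checks the line password; with none set, IOS refuses
        # the session ("Password required, but none set") so the line is unusable.
        findings.append("login without password: line password has not been set")

    timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
    if timeout is None:
        findings.append("no exec-timeout: idle sessions use the 10-minute default")
    else:
        parts = timeout.split()
        minutes = int(parts[1])
        seconds = int(parts[2]) if len(parts) > 2 else 0
        if minutes == 0 and seconds == 0:
            findings.append("exec-timeout 0 0: idle sessions never expire")

    if header.startswith("line vty") and "transport input all" in cmds:
        findings.append("transport input all: vty accepts every inbound protocol")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each line stanza header to its list of findings (empty means clean)."""
    return {h: audit_line(h, c) for h, c in parse_lines(config).items()}


if __name__ == "__main__":
    for header, findings in audit_config(SAMPLE_CONFIG).items():
        print(header, "->", findings or "ok")
```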
Chapter 5 Basic Router Configuration Configuring Global Parameters Configuring Global Parameters To configure selected global parameters for your router, perform these steps: SUMMARY STEPS 1. configure terminal 2. hostname name 3. enable secret password 4. no ip domain-lookup DETAILED STEPS Step 1 Command Purpose configure terminal Enters global configuration mode when using the console port.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Configuring WAN Interfaces Configure the WAN interface for your router using one of the following as appropriate: • Configuring a Gigabit Ethernet WAN Interface, page 5-9 • Configuring the Cellular Wireless WAN Interface, page 5-10 • Configuring Dual SIM for Cellular Networks, page 5-22 • Configuring Router for Image and Config Recovery Using Push Button, page 5-23 • Configuring Router for Image and Config Recovery Using Push Button,
Chapter 5 Basic Router Configuration Configuring WAN Interfaces DETAILED STEPS Step 1 Command Purpose interface type number Enters the configuration mode for a Gigabit Ethernet WAN interface on the router. Example: Router(config)# interface gigabitethernet 0 Router(config-if)# Step 2 ip address ip-address mask Sets the IP address and subnet mask for the specified Gigabit Ethernet interface. Example: Router(config-if)# ip address 192.168.12.2 255.255.255.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Prerequisites for Configuring the 3G Wireless Interface The following are prerequisites to configuring the 3G wireless interface: • You must have wireless service from a carrier, and you must have network coverage where your router will be physically placed. For a complete list of supported carriers, see the data sheet at: www.cisco.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Data Account Provisioning Note To provision your modem, you must have an active wireless account with a service provider. A SIM card must be installed in a GSM 3G wireless card.
Configuring WAN Interfaces
Step 4 Command or Action: show cellular 0 gps. Purpose: Displays the cellular GPS information. Example: Router# show cellular 0 gps
Step 5 Command or Action: show cellular 0 radio. Purpose: Shows the radio signal strength. Example: Router# show cellular 0 radio. Note The RSSI should be better than –90 dBm for a steady and reliable connection.
Step 6 Shows information about the modem data profiles created.
Table 5-2 lists the modem data profile parameters. Table 5-2 Modem Data Profile Parameters
profile number: Number for the profile that you are creating. You can create up to 16 profiles.
apn: Access point name. You must get this information from the service provider.
authentication: Type of authentication, for example, CHAP, PAP.
username: Username provided by your service provider.
password: Password provided by your service provider.
Account activation - Step 1 of 5
Account activation - Step 2 of 5
Account activation - Step 3 of 5
Account activation - Step 4 of 5
Account activation - Step 5 of 5
Secure Commit Result: Succeed
Done Configuring - Resetting the modem
The activation of the account is Complete
Waiting for modem to be ready to start IOTA
Beginning IOTA
router#
*Feb 6 23:29:08.459: IOTA Status Message Received. Event: IOTA Start, Result: SUCCESS
*Feb 6 23:29:08.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Configuring a Cellular Interface To configure the cellular interface, enter the following commands, beginning in privileged EXEC mode. SUMMARY STEPS Note 1. configure terminal 2. interface cellular 0 3. encapsulation ppp 4. ppp chap hostname hostname 5. ppp chap password 0 password 6. asynchronous mode interactive 7.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Step 6 Command or Action Purpose asynchronous mode interactive Returns a line from dedicated asynchronous network mode to interactive mode, enabling the slip and ppp commands in privileged EXEC mode. Example: Router (config-if)# asynchronous mode interactive Step 7 Specifies that the IP address for a particular interface is obtained via PPP and IPCP address negotiation.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces DETAILED STEPS Step 1 Command or Action Purpose configure terminal Enters global configuration mode. Example: Router# configure terminal Step 2 interface cellular 0 Specifies the cellular interface. Example: Router (config)# interface cellular 0 Step 3 dialer in-band Enables DDR and configures the specified serial interface for in-band dialing.
Configuring WAN Interfaces
Step 10 Command or Action: line 3. Purpose: Specifies the line configuration mode. It is always 3. Example: Router(config)# line 3
Step 11 Command or Action: script dialer script-name. Purpose: Specifies a default modem chat script. Example: Router(config-line)# script dialer gsm
Step 12 Exits line configuration mode.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Examples for Configuring Cellular Wireless Interfaces This section provides the following configuration examples: • Basic Cellular Interface Configuration, page 5-20 • Tunnel over Cellular Interface Configuration, page 5-21 • Configuration for 8705 modem, page 5-21 Basic Cellular Interface Configuration The following example shows how to configure a gsm cellular interface to be used as a primary WAN connection.
line 3
 exec-timeout 0 0
 script dialer cdma
 login
 modem InOut
Tunnel over Cellular Interface Configuration The following example shows how to configure the static IP address when a tunnel interface is configured with the ip unnumbered command:
interface Tunnel2
 ip unnumbered Cellular0
 tunnel source Cellular0
 tunnel destination 128.107.248.254
interface Cellular0
 bandwidth receive 1400000
 ip address 23.23.0.1 255.
line 3
 script dialer hspa+
 modem InOut
 no exec
 transport input all
Configuring Dual SIM for Cellular Networks The Dual SIM feature implements auto-switch and failover between two cellular networks on a Cisco 819 ISR. This feature is enabled by default with SIM slot 0 being the primary slot and slot 1 being the secondary (failover) slot.
The following example shows you how to configure the SIM card in slot 0 to use profile 10: router(config-controller)# gsm sim profile 10 slot 0
Perform the following commands to manually switch the SIM:
Command: cellular GSM SIM. Syntax: cellular GSM SIM {lock | unlock}. Description: Locks or unlocks the SIM.
Command: gsm sim. Syntax: cellular gsm sim [lock | unlock]. Description: Locks or unlocks the GSM SIM.
Chapter 5 Basic Router Configuration Configuring WAN Interfaces Table 5-4 Push Button Functionality during ROMMON Initialization ROMMON Behavior IOS Behavior • Boots using default baud rate. • Performs auto-boot. • Loads the *.default image if available on compact flash Note If no *.default image is available, the ROMMON will boot up with the first Cisco IOS image on flash. If the configuration named *.
Push Button in WLAN AP When the push button on the front panel is pressed, the WLAN AP performs both image and configuration recovery. To perform image recovery, the WLAN AP enters the boot loader so that the user can download the image from the boot loader prompt. To perform configuration recovery, the WLAN AP overwrites the contents of flash:/config.txt with the contents of the flash:/cpconfig-ap802.cfg file, if that file is present in flash.
Chapter 5 Basic Router Configuration Configuring a Loopback Interface DETAILED STEPS Step 1 Command Purpose interface type number Enters configuration mode for the loopback interface. Example: Router(config)# interface Loopback 0 Router(config-if)# Step 2 ip address ip-address mask Sets the IP address and subnet mask for the loopback interface. Example: Router(config-if)# ip address 10.108.1.1 255.255.255.
Configuring Static Routes
  Output queue 0/0, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
An
Chapter 5 Basic Router Configuration Configuring Dynamic Routes Example In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC. You do not need to enter the command marked “(default).
Chapter 5 Basic Router Configuration Configuring Dynamic Routes Configuring Routing Information Protocol To configure the RIP routing protocol on the router, perform these steps, beginning in global configuration mode: SUMMARY STEPS 1. router rip 2. version {1 | 2} 3. network ip-address 4. no auto-summary 5. end DETAILED STEPS Step 1 Command Task router rip Enters router configuration mode and enables RIP on the router.
Configuring Dynamic Routes Example The following configuration example shows RIP version 2 enabled in IP networks 10.0.0.0 and 192.168.1.0. To see this configuration, use the show running-config command from privileged EXEC mode.
!
Router# show running-config
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.
Chapter 5 Basic Router Configuration Configuring Dynamic Routes DETAILED STEPS Step 1 Command Purpose router eigrp as-number Enters router configuration mode and enables EIGRP on the router. The autonomous-system number identifies the route to other EIGRP routers and is used to tag the EIGRP information. Example: Router(config)# router eigrp 109 Router(config)# Step 2 Specifies a list of networks on which EIGRP is to be applied, using the IP address of the network of directly connected networks.
CHAPTER 6 Configuring Backup Data Lines and Remote Management This chapter describes configuring backup data lines and remote management in the following sections: • Configuring Backup Interfaces, page 6-1 • Configuring Cellular Dial-on-Demand Routing Backup, page 6-3 • Configuring Dial Backup and Remote Management Through the Console Port, page 6-8.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Backup Interfaces To configure your router with a backup interface, perform these steps, beginning in global configuration mode: SUMMARY STEPS 1. interface type number 2. backup interface interface-type interface-number 3. exit DETAILED STEPS Step 1 Command Purpose interface type number Enters interface configuration mode for the interface for which you want to configure backup.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing Backup Configuring Cellular Dial-on-Demand Routing Backup To monitor the primary connection and initiate the backup connection over the cellular interface when needed, the router can use one of the following methods: Note • Backup Interface—The backup interface that stays in standby mode until the primary interface line protocol is detected as down and then is brought up.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing Backup DETAILED STEPS Step 1 Command or Action Purpose configure terminal Enters global configuration mode. Example: Router# configure terminal Step 2 Specifies the interface. interface type number Example: Router (config)# interface 0 Step 3 Enables dialer watch on the backup interface.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing Backup Configuring DDR Backup Using Floating Static Route To configure a floating static default route on the secondary interface, use the following commands, beginning in the global configuration mode. Note Make sure you have ip classless enabled on your router. SUMMARY STEPS 1. configure terminal 2.
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key gsm address 128.107.241.234
!
crypto ipsec transform-set gsm ah-sha-hmac esp-3des
!
crypto map gsm1 10 ipsec-isakmp
 set peer 128.107.241.234
 set transform-set gsm
 match address 103
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.4.0.254
!
ip dhcp pool gsmpool
 network 10.4.
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 no ppp lcp fast-start
 ppp chap hostname chunahayev@wwan.
!
route-map track-primary-if permit 10
 match ip address 102
 set interface Dialer2
!
route-map nat2cell permit 10
 match ip address 101
 match interface Cellular0
!
control-plane
!
line con 0
 no modem enable
line aux 0
line 3
 exec-timeout 0 0
 script dialer gsm
 login
 modem InOut
 no exec
line vty 0 4
 login
!
scheduler max-task-time 5000
!
webvpn cef
end
Configuring Dial Bac
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Dial Backup and Remote Management Through the Console Port Figure 6-1 shows the network configuration used for remote management access and for providing backup to the primary WAN line.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Dial Backup and Remote Management Through the Console Port To configure dial backup and remote management for these routers, perform these steps, beginning in global configuration mode: SUMMARY STEPS 1. ip name-server server-address 2. ip dhcp pool name 3. exit 4. chat-script script-name expect-send 5. interface type number 6. exit 7. interface type number 8. dialer watch-group group-number 9. exit 10.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Dial Backup and Remote Management Through the Console Port DETAILED STEPS Step 1 Command Purpose ip name-server server-address Enters your ISP DNS IP address. Tip Example: Router(config)#ip name-server 192.168.28.12 Router(config)# Step 2 Creates a DHCP address pool on the router and enters DHCP pool configuration mode. The name argument can be a string or an integer.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Dial Backup and Remote Management Through the Console Port Step 8 Command Purpose dialer watch-group group-number Specifies the group number for the watch list. Example: Router(config-if)# dialer watch-group 1 Router(config-if)# Step 9 exit Exits the interface configuration mode.
Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Dial Backup and Remote Management Through the Console Port Step 15 Command Purpose modem enable Switches the port from console to auxiliary port function. Example: Router(config-line)# modem enable Router(config-line)# Step 16 Exits the configure interface mode.
! Dial backup and remote management physical interface.
interface Async1
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 3
 async default routing
 async dynamic routing
 async mode dedicated
 ppp authentication pap callin
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
!
! Primary WAN link.
ip route 0.0.0.0 0.0.0.0 63.203.35.137 80
ip route 0.0.0.0 0.0.0.0 63.203.35.138 80
ip route 0.0.0.0 0.0.0.0 63.203.35.139 80
ip route 0.0.0.0 0.0.0.0 63.203.35.140 80
ip route 0.0.0.0 0.0.0.0 63.203.35.141 80
ip route 0.0.0.0 0.0.0.0 Dialer1 150
no ip http server
ip pim bidir-enable
!
! PC IP address behind CPE.
access-list 101 permit ip 192.168.0.0 0.0.255.
CHAPTER 7 Environmental and Power Management The Cisco 819 integrated services routers are equipped with sensors in the router body for monitoring the environment temperature and logging the temperature every 30 seconds. There are four sensors located on the four corners of the router chassis. There is an additional System Ambient sensor and a 3G sensor.
Sensor (temperature, status, thresholds):
Sensor 1: 36, Normal, 60/0
Sensor 2: 34, Normal, 60/0
Sensor 3: 40, Normal, 60/0
Sensor 4: 38, Normal, 60/0
System Ambient Sensor: 35, Normal, 60/0
3G Modem Sensor: 33, Normal, 85/0
Environmental information last updated 00:00:26 ago
Note If the modem temperature goes up to 85 degrees for the non-hardened version or 90 degrees for the hardened version, a warning message appears. The router automatically shuts down if the temperature goes higher than 108 degrees.
CHAPTER 8 Configuring the Serial Interface This chapter describes configuring serial interface management in the following sections: • Legacy Protocol Transport, page 8-2 • Configuring Serial Interfaces, page 8-2 • Information About Configuring Serial Interfaces, page 8-3 • How to Configure Serial Interfaces, page 8-6 • Configuration Examples, page 8-19 The Cisco 819 Integrated Services Router (ISR) supports synchronous (the default) and asynchronous serial interface protocols.
Legacy Protocol Transport Serial and synchronous/asynchronous ports are ideally suited to transport legacy traffic across a TCP/IP network, facilitating network convergence. Legacy protocols supported by Cisco IOS Software include: • Synchronous Data Link Control (SDLC) Protocol • Binary Synchronous Communications Protocol (Bisync) • X.
Information About Configuring Serial Interfaces To configure serial interfaces, you must understand the following concepts: • Cisco HDLC Encapsulation, page 8-3 • PPP Encapsulation, page 8-3 • Keepalive Timer, page 8-4 • Frame Relay Encapsulation, page 8-5 Cisco HDLC Encapsulation Cisco High-Level Data Link Controller (HDLC) is the Cisco proprietary protocol for sending data over synchronous serial links usin
Chapter 8 Configuring the Serial Interface Information About Configuring Serial Interfaces PPP uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on page 8-4. PPP supports the following authentication protocols, which require a remote device to prove its identity before allowing data traffic to flow over a connection: • Challenge Handshake Authentication Protocol (CHAP)—CHAP authentication sends a challenge message to the remote device.
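The CHAP exchange described above, worked through end to end as an added example (not code from this guide or from Cisco IOS): the authenticator issues a random challenge, the remote device answers with the RFC 1994 hash of identifier, shared secret and challenge, and the authenticator verifies it without the secret ever crossing the link. The peer name and secret are constructed stand-ins for the router's ppp chap hostname and ppp chap password settings.

```python
"""PPP CHAP (RFC 1994) challenge/response with both sides of the exchange.
Added example, not code from the guide or from Cisco IOS."""
import hashlib
import hmac
import os

# Constructed credentials: the peer's CHAP name (what 'ppp chap hostname'
# sends) and the shared secret ('ppp chap password') that both sides hold.
PEER_NAME = b"branch-819"
SHARED_SECRET = b"constructed-chap-secret"


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || Secret || Challenge value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that owns the link (the router) and issues challenges."""

    def __init__(self, secrets: dict[bytes, bytes]):
        self.secrets = secrets          # peer name -> shared secret
        self.identifier = 0
        self.outstanding: dict[int, bytes] = {}

    def challenge(self) -> tuple[int, bytes]:
        """Issue a fresh random challenge; the randomness is what defeats replay."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Accept the response only for a still-outstanding challenge and a known name."""
        chal = self.outstanding.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_hash(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def peer_respond(identifier: int, challenge: bytes, name: bytes, secret: bytes) -> tuple[bytes, bytes]:
    """The remote device proves it knows the secret without transmitting it."""
    return name, chap_hash(identifier, secret, challenge)


def run_exchange(secret_used_by_peer: bytes) -> bool:
    """One full CHAP round; True if the authenticator accepts the peer."""
    auth = Authenticator({PEER_NAME: SHARED_SECRET})
    ident, chal = auth.challenge()
    name, resp = peer_respond(ident, chal, PEER_NAME, secret_used_by_peer)
    return auth.verify(ident, name, resp)


def replay_is_rejected() -> bool:
    """A captured valid response is useless later: the challenge it answered is gone."""
    auth = Authenticator({PEER_NAME: SHARED_SECRET})
    ident, chal = auth.challenge()
    name, resp = peer_respond(ident, chal, PEER_NAME, SHARED_SECRET)
    first = auth.verify(ident, name, resp)
    second = auth.verify(ident, name, resp)   # same response presented again
    return first and not second


if __name__ == "__main__":
    print("correct secret accepted:", run_exchange(SHARED_SECRET))
    print("wrong secret accepted:", run_exchange(b"wrong-secret"))
    print("replay rejected:", replay_is_rejected())
```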
Note The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It does not apply to serial interfaces using Frame Relay encapsulation. For each encapsulation type, a certain number of keepalives ignored by a peer triggers the serial interface to transition to the down state. For HDLC encapsulation, three ignored keepalives cause the interface to be brought down.
Frame Relay interfaces support two types of encapsulated frames:
• Cisco (default)
• IETF

Use the encap command in PVC configuration mode to configure Cisco or IETF encapsulation on a PVC. If the encapsulation type is not configured explicitly for a PVC, that PVC inherits the encapsulation type from the main serial interface.

Note: Cisco encapsulation is required on serial main interfaces that are configured for MPLS.

• Configuring Half-Duplex and Bisync for Synchronous Serial Port Adapters on Cisco 819 ISRs, page 8-8 (Optional)
• Configuring Compression of HDLC Data, page 8-9 (Optional)
• Using the NRZI Line-Coding Format, page 8-9 (Optional)
• Enabling the Internal Clock, page 8-10 (Optional)
• Inverting the Transmit Clock Signal, page 8-10 (Optional)
• Setting Transmit Delay, page 8-11 (Optional)
• Configuring DTR Signal Pulsi

Note: You cannot use the physical-layer async command with Frame Relay encapsulation.

Encapsulation methods are set according to the type of protocol or application you configure in the Cisco IOS software.
• PPP is described in Configuring Media-Independent PPP and Multilink PPP.
• The remaining encapsulation methods are defined in their respective books and chapters describing the protocols or applications.
Configuring Compression of HDLC Data

You can configure point-to-point software compression on serial interfaces that use HDLC encapsulation. Compression reduces the size of an HDLC frame through lossless data compression. The compression algorithm used is the Stacker (LZS) algorithm. Compression is performed in software and might significantly affect system performance.
DETAILED STEPS

Step 1: nrzi-encoding
Purpose: Enables the NRZI encoding format.
Example:
Router(config-if)# nrzi-encoding
or
Router(config-if)# nrzi-encoding [mark]
(Enables the NRZI encoding format for the router.)

DETAILED STEPS

Step 1: invert txclock
Purpose: Inverts the clock signal on an interface.
Example:
Router(config-if)# invert txclock

Step 2: Inverts the phase of the RX clock on the UIO serial interface, which does not use the T1/E1 interface.

SUMMARY STEPS
1. ignore-dcd

DETAILED STEPS

Step 1: ignore-dcd
Purpose: Configures the serial interface to monitor the DSR signal as the line up/down indicator.
Example:
Router(config-if)# ignore-dcd

Caution: Unless you know for certain that you really need this feature, be very careful using this command. It hides the real status of the interface.

SUMMARY STEPS
1. dte-invert-txc

DETAILED STEPS

Step 1: dte-invert-txc
Purpose: Specifies the timing configuration to invert the TXC clock signal.
Configuring Low-Speed Serial Interfaces

This section describes how to configure low-speed serial interfaces and contains the following sections:
• Understanding Half-Duplex DTE and DCE State Machines, page 8-14
• Changing Between Synchronous and Asynchronous Modes, page 8-18

For configuration examples, see the “Low-Speed Serial Interface: Examples” section on page 8-20.

Once there are no more frames to transmit, the state machine transitions to the wait transmit finish state. The machine waits for the transmit FIFO in the serial controller to empty, starts a delay timer with a value defined by the half-duplex timer rts-drop-delay interface command, and transitions to the wait RTS drop delay state.

Figure 5 Half-Duplex DCE Transmit State Machine

After the transmit delay state, the next state depends on whether the interface is in constant-carrier mode (the default) or controlled-carrier mode. If the interface is in constant-carrier mode, it passes through the following states:
1. The state machine passes to the transmit state when the transmit-delay timer expires.

4. The DCE transitions to the wait DCD drop delay state. This state causes a time delay between the transmission of the last frame and the deassertion of DCD in controlled-carrier mode for DCE transmits.
5. When the timer expires, the DCE deasserts DCD and transitions back to the ready state, where it stays until there is a frame to transmit on that interface.

Tuning Half-Duplex Timers

To optimize the performance of half-duplex timers, use the following command in interface configuration mode:

Router(config-if)# half-duplex timer {cts-delay value | cts-drop-timeout value | dcd-drop-delay value | dcd-txstart-delay value | rts-drop-delay value | rts-timeout value | transmit-delay value}

Purpose: Tunes half-duplex timers.

When placed in asynchronous mode, low-speed serial interfaces support all commands available for standard asynchronous interfaces. The default is synchronous mode.

Note: When you use this command, it does not appear in the output of the show running-config and show startup-config commands because it is a physical-layer command.
Low-Speed Serial Interface: Examples

This section includes the following configuration examples for low-speed serial interfaces:
• Synchronous or Asynchronous Mode: Examples, page 8-20
• Half-Duplex Timers: Example, page 8-20

Synchronous or Asynchronous Mode: Examples

The following example shows how to change a low-speed serial interface from synchronous to asynchronous mode:

interface serial 2
 physical-layer async

The following exampl
Chapter 9 Configuring Security Features

This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the primary Cisco framework for implementing selected security features that can be configured on the Cisco 819 Integrated Services Routers (ISRs).

For information about configuring AAA services and supported security protocols, see Securing User Services Configuration Guide Library, Cisco IOS Release 12.4T.

Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP services and features that can aid in the defense of a network when it is under attack.

To create, refine, and manage access lists, see Security Configuration Guide: Access Control Lists, Cisco IOS Release 12.4T.

Access Groups

An access group is a sequence of access list definitions bound together with a common name or number. An access group is enabled for an interface during interface configuration. Use the following guidelines when creating access groups:
• The order of access list definitions is significant.

Configuring Cisco IOS IPS

Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 819 ISRs and enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic.

Remote Access VPN

The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. Figure 9-1 shows a typical deployment scenario.

After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 819 ISR. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

Note: The Cisco Easy VPN client feature supports configuration of only one destination peer.

Configuration Examples

Each example configures a VPN over an IPSec tunnel, using the procedure given in the “Configure a VPN over an IPSec Tunnel” section on page 9-7. Then the specific procedure for a remote access configuration is given, followed by the specific procedure for a site-to-site configuration. The examples shown in this chapter apply only to the endpoint configuration on the Cisco 819 ISRs.
DETAILED STEPS

Step 1: crypto isakmp policy priority
Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.
Example:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)#

Step 2
Configure Group Policy Information

To configure the group policy, perform these steps, beginning in global configuration mode:

SUMMARY STEPS
1. crypto isakmp client configuration group {group-name | default}
2. key name
3. dns primary-server
4. domain name
5. exit
6.
Step 5: exit
Purpose: Exits IKE group policy configuration mode and enters global configuration mode.
Example:
Router(config-isakmp-group)# exit
Router(config)#

Step 6: ip local pool {default | pool-name} [low-ip-address [high-ip-address]]
Purpose: Specifies a local address pool for the group.
Example:
Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
Router(config)#
Enable Policy Lookup

To enable policy lookup through AAA, perform these steps, beginning in global configuration mode:

SUMMARY STEPS
1. aaa new-model
2. aaa authentication login {default | list-name} method1 [method2...]
3. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
4.
Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting the data flow: each peer searches its configured transform sets for a transform that is the same on both peers.
SUMMARY STEPS
1. crypto dynamic-map dynamic-map-name dynamic-seq-num
2. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
3. reverse-route
4. exit
5.

Apply the Crypto Map to the Physical Interface

The crypto map must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites.

Create a Cisco Easy VPN Remote Configuration

The router acting as the Cisco Easy VPN client must create a Cisco Easy VPN remote configuration and assign it to the outgoing interface. To create the remote configuration, perform these steps, beginning in global configuration mode:

SUMMARY STEPS
1. crypto ipsec client ezvpn name
2. group group-name key group-key
3. peer {ip address | hostname}
4.
Step 4: mode {client | network-extension | network-plus}
Purpose: Specifies the VPN mode of operation.
Example:
Router(config-crypto-ezvpn)# mode client
Router(config-crypto-ezvpn)#

Step 5: exit
Purpose: Returns to global configuration mode.
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#

Step 6: crypto isakmp keepalive seconds
Purpose: Enables dead peer detection messages.
Example:
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.

Note that 3DES and Diffie-Hellman group 2 (1024-bit MODP) in this example are legacy choices; where both peers support them, prefer AES and a stronger DH group, and treat the group pre-shared key as a credential that every member of the group shares.
DETAILED STEPS

Step 1: interface type number
Purpose: Creates a tunnel interface and enters interface configuration mode.
Example:
Router(config)# interface tunnel 1
Router(config-if)#

Step 2: ip address ip-address mask
Purpose: Assigns an address to the tunnel.
Example:
Router(config-if)# ip address 10.62.1.193 255.255.255.
Step 8: permit protocol source source-wildcard destination destination-wildcard
Purpose: Specifies that only GRE traffic is permitted on the outbound interface.
Example:
Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
Router(config-acl)#

Step 9: Returns to global configuration mode.
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for IPsec tunnel.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
! Defines encryption and transform set for the IPsec tunnel.

Note that hash md5 is a legacy setting (use SHA where the peer supports it) and that the pre-shared key is stored in the configuration in cleartext, so anyone who can read the running-config or a backup of it holds the key.
Chapter 10 Configuring the Ethernet Switches

This chapter gives an overview of configuration tasks for the 4-port Fast Ethernet (FE) switch and for the Gigabit Ethernet (GE) switch that services the embedded wireless access point on the Cisco 819 Integrated Services Routers (ISRs). The FE switches are 10/100BASE-T Layer 2 Fast Ethernet switches. Traffic between different VLANs on a switch is routed through the router platform with the switched virtual interface (SVI).
Information About Ethernet Switches

To configure Ethernet switches, you should understand the following concepts:
• VLANs and VLAN Trunk Protocol, page 10-2
• Layer 2 Ethernet Switching, page 10-2
• 802.
CDP runs on all LAN and WAN media that support the Subnetwork Access Protocol (SNAP). Each CDP-configured device sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain the time-to-live, or hold-time, information, which indicates how long a receiving device should hold CDP information before discarding it. Because these advertisements disclose the platform, software version, and addresses of the router to any device on the same segment, disable CDP on ports that face untrusted networks (the no cdp enable interface command).
sense is more accurately called a MIB module and is usually defined in a single document. In the other sense, a MIB is a collection of such branches. Such a collection might comprise, for example, all the MIB modules implemented by a given agent or the entire collection of MIB modules defined for SNMP. A MIB is a tree where the leaves are individual items of data called objects.
Use the following syntax to query the SNMP BRIDGE-MIB details:

snmpwalk -v2c public .1.3.6.1.2.1.17
snmpwalk -v2c public@2 .1.3.6.1.2.1.17
snmpwalk -v2c public@3 .1.3.6.1.2.1.17

Note: When you create a VLAN “x”, the logical entity public@x is added. If you query with the public community, the L3 MIB is displayed.

In SNMPv1 and SNMPv2c the community string is the only credential and it travels in cleartext, so do not leave the well-known default “public” configured on a production router: use a non-default string restricted to management hosts by an access list, or SNMPv3 with authentication and privacy.
How to Configure Ethernet Switches

See the following sections for configuration tasks for Ethernet switches:
• Configuring VLANs, page 10-6
• Configuring Layer 2 Interfaces, page 10-7
• Configuring 802.
Step 3: switchport
Purpose: Configures the Fast Ethernet port for Layer 2 switching.

Note: You must enter the switchport command once without any keywords to configure the Fast Ethernet port as a Layer 2 port before you can enter additional switchport commands with keywords. This command creates a Cisco default VLAN.
This section contains information on the following topics:
• Configuring a range of interfaces
• Defining a range macro
• Configuring Layer 2 optional interface features

Configuring 802.1x Authentication

For information on how to configure 802.1x port-based authentication, see Configuring IEEE 802.1x Port-Based Authentication. This section contains information on the following topics:
• Understanding the default 802.

Configuring MAC Table Manipulation

For information on how to configure MAC table manipulation, see Configuring MAC Table Manipulation.

Port Security

The topic of enabling known MAC address traffic deals with port security. Port security can be either static or dynamic. Static port security allows the user to specify which devices are allowed access through a given switch port.

Configuring the Switched Port Analyzer

For information on how to configure a switched port analyzer (SPAN) session, see Configuring the Switched Port Analyzer (SPAN).

This section contains information on the following topics:
• Enabling per-port storm-control
• Disabling per-port storm-control

Configuring Fallback Bridging

For information on how to configure fallback bridging, see Configuring Fallback Bridging.

Managing the Switch

For information on management of the switch, see Managing the EtherSwitch HWIC.
Chapter 11 Configuring PPP over Ethernet with NAT

This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and Network Address Translation (NAT) that can be configured on the Cisco 819 Integrated Services Routers (ISRs). Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth.

PPPoE

The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool. A PPPoE session is initiated on the client side by the Cisco 819 ISRs.

DETAILED STEPS

Step 1: vpdn enable
Purpose: Enables VPDN on the router.
Example:
Router(config)# vpdn enable
Router(config)#

Step 2: vpdn-group name
Purpose: Creates and associates a VPDN group with a customer or VPDN profile.
Example:
Router(config)# vpdn-group 1
Router(config-vpdn)#

Step 3: Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.

SUMMARY STEPS
1. interface type number
2. pppoe-client dial-pool-number number
3. no shutdown
4. exit

DETAILED STEPS

Step 1: interface type number
Purpose: Enters interface configuration mode for a Fast Ethernet WAN interface.
Example:
Router(config)# interface fastethernet 4
Router(config-if)#

Step 2: pppoe-client dial-pool-number number
Purpose: Configures the PPPoE client and specifies the dialer interface to use for cloning.

SUMMARY STEPS
1. interface dialer dialer-rotary-group-number
2. ip address negotiated
3. ip mtu bytes
4. encapsulation encapsulation-type
5. ppp authentication {protocol1 [protocol2...]}
6. dialer pool number
7. dialer-group group-number
8. exit
9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
10.
Step 6: dialer pool number
Purpose: Specifies the dialer pool to use to connect to a specific destination subnetwork.
Example:
Router(config-if)# dialer pool 1
Router(config-if)#

Step 7: dialer-group group-number
Purpose: Assigns the dialer interface to a dialer group (1 to 10).
Tip: Using a dialer group controls access to your router.
Example:
Router(config-if)# dialer-group 1
Router(config-if)#

Step 8: exit

SUMMARY STEPS
1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
3. interface type number
4. ip nat {inside | outside}
5. no shutdown
6. exit
7. interface type number
8. ip nat {inside | outside}
9. no shutdown
10. exit
11.

DETAILED STEPS

Step 1: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Creates a pool of global IP addresses for NAT.
Example:
Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.

Step 7: interface type number
Purpose: Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT.
Example:
Router(config)# interface fastethernet 4
Router(config-if)#

Step 8: ip nat {inside | outside}
Purpose: Identifies the specified WAN interface as the NAT outside interface.

Note: Commands marked by “(default)” are generated automatically when you run the show running-config command.

vpdn enable
vpdn-group 1
 request-dialin
 protocol pppoe
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.

Verifying Your Configuration

Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration.
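What the overload form of ip nat inside source does with the packets, as an added example that models the translation table rather than reproducing any Cisco IOS code. Inside hosts matched by the access list all leave with the single outside address and are told apart by translated source port (the original port is kept when it is free); a reply is only let back in when it matches an existing entry, so unsolicited inbound packets are dropped; and a source that the access list does not match is forwarded untranslated, which is the reason the list must cover every inside subnet. The addresses (RFC 5737 documentation ranges), the flows and the 1024 to 65535 port range are constructed for the example.

```python
"""Port Address Translation (NAT overload) table: an added illustration of the
'ip nat inside source list ... interface ... overload' behaviour, not router code.
All addresses and flows are constructed."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatTable:
    def __init__(self, outside_ip: str, inside_list: list[str],
                 port_range: tuple[int, int] = (1024, 65535)):
        self.outside_ip = outside_ip                       # the NAT outside interface address
        self._inside = [ipaddress.ip_network(n) for n in inside_list]  # the 'list' access list
        self._lo, self._hi = port_range
        self._out: dict[tuple[str, str, int], int] = {}        # (proto, ip, port) -> translated port
        self._in: dict[tuple[str, int], tuple[str, int]] = {}  # (proto, translated port) -> (ip, port)

    def _matches_list(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._inside)

    def _allocate(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when nobody else holds it, else pick the
        lowest free port; two inside hosts using the same port cannot share one."""
        if (proto, wanted) not in self._in and self._lo <= wanted <= self._hi:
            return wanted
        for p in range(self._lo, self._hi + 1):
            if (proto, p) not in self._in:
                return p
        raise RuntimeError("port pool exhausted")

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside. Sources not matched by the list are forwarded as they are."""
        if not self._matches_list(f.src_ip):
            return f
        key = (f.proto, f.src_ip, f.src_port)
        if key not in self._out:
            port = self._allocate(f.proto, f.src_port)
            self._out[key] = port
            self._in[(f.proto, port)] = (f.src_ip, f.src_port)
        return replace(f, src_ip=self.outside_ip, src_port=self._out[key])

    def inbound(self, f: Flow):
        """Outside -> inside. Only packets that match an existing entry get through;
        anything else returns None, meaning the router drops it."""
        if f.dst_ip != self.outside_ip:
            return None
        entry = self._in.get((f.proto, f.dst_port))
        if entry is None:
            return None
        ip, port = entry
        return replace(f, dst_ip=ip, dst_port=port)

    def active_translations(self) -> int:
        """The count that 'show ip nat statistics' reports as active translations."""
        return len(self._out)


if __name__ == "__main__":
    t = PatTable("203.0.113.10", ["192.168.1.0/24"])
    a = t.outbound(Flow("192.168.1.10", 40000, "198.51.100.5", 443))
    b = t.outbound(Flow("192.168.1.11", 40000, "198.51.100.5", 443))
    print(a, b, sep="\n")
    print(t.inbound(Flow("198.51.100.5", 443, "203.0.113.10", b.src_port)))
    print(t.inbound(Flow("198.51.100.5", 443, "203.0.113.10", 50000)))
```

The table is keyed on the inside source only, so a reply from any outside host to an allocated port is accepted; that is the permissive endpoint-independent behaviour to keep in mind when the overload configuration is the only thing standing between the LAN and the Internet, and why the chapter's firewall and access-list features still apply on the outside interface.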
Chapter 12 Configuring a LAN with DHCP and VLANs

The Cisco 819 Integrated Services Routers (ISRs) support clients on both physical LANs and virtual LANs (VLANs). The routers can use the Dynamic Host Configuration Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks. Figure 12-1 shows a typical deployment scenario with two physical LANs connected by the router and two VLANs.

When you configure a DHCP server, you must configure the server properties, policies, and DHCP options.

Note: Whenever you change server properties, you must reload the server with the configuration data from the Network Registrar database.

VLANs

The Cisco 819 routers support four Fast Ethernet ports on which you can configure VLANs.

DETAILED STEPS

Step 1: ip domain name name
Purpose: Identifies the default domain that the router uses to complete unqualified hostnames (names without a dotted-decimal domain name).
Example:
Router(config)# ip domain name smallbiz.com
Router(config)#

Step 2: ip name-server server-address1 [server-address2...

Step 8: dns-server address [address2...address8]
Purpose: Specifies up to eight DNS servers available to a DHCP client.
Example:
Router(config-dhcp)# dns-server 192.168.35.2
Router(config-dhcp)#

Step 9: domain-name domain
Purpose: Specifies the domain name for a DHCP client.
Example:
Router(config-dhcp)# domain-name cisco.com
Router(config-dhcp)#

Step 10: Exits DHCP configuration mode and enters global configuration mode.

Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range
10.10.0.1            10.10.0.1 - 10.10.0.

DETAILED STEPS

Step 1: vlan ?
Purpose: Enters VLAN configuration mode.
Example:
Router# config t
Router(config)# vlan ?
  WORD        ISL VLAN IDs 1-4094
  accounting  VLAN accounting configuration
  ifdescr     VLAN subinterface ifDescr
Router(config)# vlan 2

Step 2: Adds VLANs, with identifiers ranging from 1 to 4094.

DETAILED STEPS

Step 1: interface switch port id
Purpose: Specifies the switch port that you want to assign to the VLAN.
Example:
Router(config)# interface FastEthernet 2
Router(config-if)#

Step 2: switchport access vlan vlan-id
Purpose: Assigns a port to the VLAN.
Example:
Router(config-if)# switchport access vlan 2
Router(config-if)#

Step 3: Exits interface mode and returns to privileged EXEC mode.

Router# vlan database
Router(vlan)# show
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 2
    Name: VLAN0002
    Media Type: Ethernet
    VLAN 802.10 Id: 100002
    State: Operational
    MTU: 1500

  VLAN ISL Id: 3
    Name: red-vlan
    Media Type: Ethernet
    VLAN 802.

    Media Type: Token Ring Net
    VLAN 802.
Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel

This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819 Integrated Services Routers (ISRs). Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints.

Figure 13-1 Remote Access VPN Using IPSec Tunnel
1 Remote, networked users
2 VPN client—Cisco 819 ISRs
3 Router—Providing the corporate office network access
4 VPN server—Easy VPN server
5 Corporate office with a network address of 10.1.1.

Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.

6. lifetime seconds
7. exit

DETAILED STEPS

Step 1: crypto isakmp policy priority
Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

SUMMARY STEPS
1. crypto isakmp client configuration group {group-name | default}
2. key name
3. dns primary-server
4. domain name
5. exit
6.

Step 5: exit
Purpose: Exits IKE group policy configuration mode and enters global configuration mode.
Example:
Router(config-isakmp-group)# exit
Router(config)#

Step 6: ip local pool {default | poolname} [low-ip-address [high-ip-address]]
Purpose: Specifies a local address pool for the group.
Example:
Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
Router(config)#

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

SUMMARY STEPS
1. aaa new-model
2. aaa authentication login {default | list-name} method1 [method2...]
3. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
4.
Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting the data flow: each peer searches its configured transform sets for a transform that is the same on both peers.
SUMMARY STEPS
1. crypto dynamic-map dynamic-map-name dynamic-seq-num
2. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
3. reverse-route
4. exit
5.

Apply the Crypto Map to the Physical Interface

The crypto map must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites.
4. mode {client | network-extension | network-plus}
5. exit
6. interface type number
7. crypto ipsec client ezvpn name [outside | inside]
8. exit

DETAILED STEPS

Step 1: crypto ipsec client ezvpn name
Purpose: Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode.
Step 7: crypto ipsec client ezvpn name [outside | inside]
Purpose: Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the router to automatically create the NAT or port address translation (PAT) and access list configuration needed for the VPN connection.
Example:
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
Router(config-if)#

Step 8: exit

!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
APPENDIX A  Cisco IOS Software Basic Skills

Understanding how to use Cisco IOS software can save you time when you are configuring your router.
Table A-1 Types of Terminal Emulation Software

PC Operating System                                           Terminal Emulation Software
Windows 95, Windows 98, Windows 2000, Windows NT, Windows XP  HyperTerm (included with Windows software), ProComm Plus
Windows 3.1                                                   Terminal (included with Windows software)
Macintosh                                                     ProComm, VersaTerm

You can use the terminal emulation software to change settings for the router that is connected to the PC.
Table A-2 Command Modes Summary

Mode: User EXEC
Access Method: Begin a session with your router.
Prompt: Router>
Mode Exit and Entrance: To exit a router session, enter the logout command.
Use this mode to:
• Change terminal settings.

Mode: Privileged EXEC
Access Method: Enter the enable command from user EXEC mode.
Prompt: Router#

Mode: Global configuration
Access Method: Enter the configure command from privileged EXEC mode.
Table A-2 Command Modes Summary (continued)

Mode: Router configuration
Access Method: Enter one of the router commands followed by the appropriate keyword—for example router rip—from global configuration mode.
Prompt: Router(config-router)#
Use this mode to configure an IP routing protocol.
Mode Exit and Entrance:
• To exit to global configuration mode, enter the exit command.
• To exit to privileged EXEC mode, enter the end command or press Ctrl-Z.
Enable Secret Passwords and Enable Passwords

By default, the router ships without password protection. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use. You can use two commands to do this:
• enable secret password—A very secure, encrypted password.
• enable password—A less secure, unencrypted local password.
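As an added illustration (not part of the configuration guide), the following check reads a saved running-config and reports whether privileged EXEC is left at the factory default, guarded only by an enable password, or protected by a hashed enable secret. The sample configuration is constructed, and the Cisco password type numbers it relies on are background knowledge not stated in this appendix.

```python
import re
from typing import List

# Constructed sample running-config excerpt (not from any real device): the
# privileged EXEC level is guarded only by an enable password.
SAMPLE_CONFIG = """\
version 15.2
hostname Router
enable password cisco123
!
line vty 0 4
 login
"""

# Password "type" numbers as they appear in an IOS configuration (background
# knowledge added here; the appendix only distinguishes encrypted from unencrypted):
# no type or 0 = clear text, 7 = reversible obfuscation, 5/8/9 = one-way hash.
HASHED_TYPES = {"5", "8", "9"}
ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d+))? (\S+)\s*$", re.MULTILINE)


def audit_enable_protection(config: str) -> List[str]:
    """Return one finding per weakness in how privileged EXEC is protected.

    An empty list means a hashed enable secret is present and no weaker
    enable password sits beside it.
    """
    findings: List[str] = []
    hashed_secret_present = False
    for kind, ptype, _value in ENABLE_RE.findall(config):
        ptype = ptype or "0"
        if kind == "secret" and ptype in HASHED_TYPES:
            hashed_secret_present = True
        elif kind == "secret":
            findings.append(f"enable secret stored as type {ptype}, not a one-way hash")
        else:
            findings.append(
                f"enable password (type {ptype}) is recoverable from the configuration; "
                "replace it with enable secret")
    if not hashed_secret_present and not findings:
        # Factory default described in the appendix: no password protection at all.
        findings.append("no enable secret or enable password: privileged EXEC is unprotected")
    return findings


if __name__ == "__main__":
    for finding in audit_enable_protection(SAMPLE_CONFIG):
        print("FINDING:", finding)
```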
Using Commands

This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).

Abbreviating Commands

You only have to enter enough characters for the router to recognize the command as unique.
Saving Configuration Changes

You must enter the copy running-config startup-config command to save your configuration changes to NVRAM so that they are not lost if there is a system reload or power outage.
APPENDIX B  Concepts

This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers.
IP is a connectionless protocol, which means that IP does not exchange control information (called a handshake) to establish an end-to-end connection before transmitting data. In contrast, a connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. When the handshaking is successful, the computers have established a connection.
Enhanced IGRP

Enhanced IGRP is an advanced Cisco-proprietary distance-vector and link-state routing protocol, which means it uses a metric more sophisticated than distance (hop count) for route selection. Enhanced IGRP uses a metric based on a successor, which is a neighboring router that has a least-cost path to a destination that is guaranteed not to be part of a routing loop.
CHAP

CHAP uses a three-way handshake to verify passwords. To understand how CHAP works, imagine a network topology in which a remote office Cisco router is connected to a corporate office Cisco router. After the PPP link is established, the corporate office router sends a challenge message to the remote office router. The remote office router responds with a variable value. The corporate office router checks the response against its own calculation of the value.
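The handshake described above, worked through in code as an added example that is not part of the configuration guide: the response computation follows the CHAP MD5 algorithm of RFC 1994 (an assumption; the appendix only says the remote router answers with a computed value), and the shared secret is a constructed sample.

```python
import hashlib
import hmac
import os
from typing import Optional

# Shared secret provisioned on both routers (constructed sample value).
SHARED_SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Remote office router: Response = MD5(Identifier || Secret || Challenge).

    This is the CHAP MD5 algorithm of RFC 1994 (assumed here). The secret
    itself never crosses the link; only the digest does.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def make_challenge(length: int = 16) -> bytes:
    """Corporate office router: a fresh, unpredictable challenge per attempt,
    so a response captured on one link cannot be replayed on the next."""
    return os.urandom(length)


def verify_response(identifier: int, secret: bytes, challenge: bytes,
                    response: bytes) -> bool:
    """Corporate office router: recompute with the locally stored secret and
    compare in constant time; the result decides Success or Failure."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(peer_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> bool:
    """The three-way handshake: Challenge, Response, Success/Failure.

    peer_secret is what the remote router holds; the authenticator always
    checks against SHARED_SECRET, so a mismatched secret fails cleanly.
    """
    challenge = challenge if challenge is not None else make_challenge()  # 1. Challenge
    response = chap_response(identifier, peer_secret, challenge)           # 2. Response
    return verify_response(identifier, SHARED_SECRET, challenge, response)  # 3. Success/Failure


if __name__ == "__main__":
    print("matching secret:", chap_exchange(SHARED_SECRET))   # True
    print("wrong secret:   ", chap_exchange(b"wrong-secret"))  # False
```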
Dial Backup

Dial backup provides protection against WAN downtime by allowing a user to configure a backup modem line connection. The following can be used to bring up the dial backup feature in Cisco IOS software:
• Backup Interface, page B-5
• Floating Static Routes, page B-5
• Dialer Watch, page B-5

Backup Interface

A backup interface is an interface that stays idle until certain circumstances occur, such as WAN downtime, at which point it is activated.
NAT

Network Address Translation (NAT) provides a mechanism for a privately addressed network to access registered networks, such as the Internet, without requiring a registered subnet address. This mechanism eliminates the need for host renumbering and allows the same IP address range to be used in multiple intranets.
Easy IP (Phase 2)

The Easy IP (Phase 2) feature combines Dynamic Host Configuration Protocol (DHCP) server and relay. DHCP is a client-server protocol that enables devices on an IP network (the DHCP clients) to request configuration information from a DHCP server. DHCP allocates network addresses from a central pool on an as-needed basis.
IP Precedence

You can partition traffic in up to six classes of service using IP Precedence (two other classes are reserved for internal network use). The queuing technologies throughout the network can then use this signal to expedite handling. Features such as policy-based routing and committed access rate (CAR) can be used to set precedence based on extended access-list classification.
insufficient bandwidth, delay variations, or information loss. RSVP works in conjunction with current queuing mechanisms. It is up to the interface queuing mechanism (such as CBWFQ) to implement the reservation. RSVP works well on PPP, HDLC, and similar serial-line interfaces. It does not work well on multi-access LANs. RSVP can be equated to a dynamic access list for packet flows.
APPENDIX C  ROM Monitor

The ROM monitor firmware runs when the router is powered up or reset. The firmware helps to initialize the processor hardware and boot the operating system software. You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.
Step 4
Command: exit
Purpose: Exits global configuration mode.

Step 5
Command: reload
Purpose: Reboots the router with the new configuration register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually boot the operating system from the console. See the boot command in the “Command Descriptions” section on page C-3.

After the router reboots, it is in ROM monitor mode.
Command Descriptions

Commands are case sensitive. You can halt any command by pressing the Break key on a terminal. If you are using a PC, most terminal emulation programs halt a command when you press the Ctrl and the Break keys at the same time. If you are using another type of terminal emulator or terminal emulation software, see the documentation for that product for information on how to send a Break command.
TFTP Download Command Variables

This section describes the system variables that can be set in ROM monitor mode and that are used during the TFTP download process. There are both required variables and optional variables.

Note   The commands described in this section are case sensitive and must be entered exactly as shown.
Optional Variables

These variables can be set with these commands before using the tftpdnld command:

Variable: Configures how the router displays file download progress.
Command: TFTP_VERBOSE=setting
  0—No progress is displayed.
  1—Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
  2—Detailed progress is displayed during the file download process; for example:
  • Initializing interface.
You will see an output similar to the following:

IP_ADDRESS: 10.3.6.7
IP_SUBNET_MASK: 255.255.0.0
DEFAULT_GATEWAY: 10.3.0.1
TFTP_SERVER: 192.168.254.254
TFTP_FILE: c880-advsecurityk9-mz
Do you wish to continue? y/n: [n]:

Step 3   If you are sure that you want to continue, enter y in response to the question in the output:

Do you wish to continue? y/n: [n]:y

The router begins to download the new file.
Receiving c800-universalk9-mz.SPA.152-3.16.M0.1 from 209.165.200.225
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
File reception completed.
IOS Image Load Test
___________________
Digitally Signed Production Software
Validating checksum.
loading image c800-universalk9-mz.SPA.152-3.16.M0.
export@cisco.com.

Installed image archive
Cisco C819HGW+7-A-A-K9 (revision 4.0) with 883788K/33715K bytes of memory.
Processor board ID FAC15455YYZ
4 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
2 terminal lines
1 Virtual Private Network (VPN) Module
1 Cellular interface
1 cisco Embedded AP (s)
DRAM configuration is 32 bits wide
255K bytes of non-volatile configuration memory.
Jul 13 23:00:57.303: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 100.100.100.100 port 520 started - CLI initiated
Jul 13 23:00:58.059: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
Jul 13 23:00:58.079: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
Jul 13 23:00:58.099: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
Jul 13 23:00:58.
System Bootstrap, Version 15.2(2r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2012 by cisco Systems, Inc.

WLAN AP Boot loader (bundled):
AP802 Boot Loader (AP802-BOOT-M) Version 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Compiled Wed 30-May-12 03:46 by prod_rel_team

router#
Jul 13 23:01:25.
Changing the Configuration Register Manually

To change the virtual configuration register from the ROM monitor manually, enter the confreg command followed by the new value of the register in hexadecimal format, as shown in the following example:

rommon 1 > confreg 0x2101

You must reset or power cycle for new config to take effect
rommon 2 >

The value is always interpreted as hexadecimal.
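As an added example (not part of the configuration guide), the following decoder splits a register value such as the 0x2101 above into its fields and lists the settings an administrator should review before a router that was taken through ROM monitor goes back into service. The bit assignments are Cisco's documented layout of the virtual configuration register, added here as background; this appendix itself only shows the values 0x2101 and 0x0.

```python
from typing import Dict, List

# Bit layout of the 16-bit virtual configuration register as documented by Cisco for
# IOS routers (background added here; the appendix itself shows only 0x2101 and 0x0).
BOOT_FIELD_MASK = 0x000F           # bits 0-3: boot field
IGNORE_NVRAM = 0x0040              # bit 6: ignore startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100            # bit 8: console Break cannot interrupt the boot
BAUD_MASK = 0x1800                 # bits 11-12: console line speed
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if netboot fails
BAUD_RATES = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}


def boot_field_meaning(boot_field: int) -> str:
    if boot_field == 0x0:
        return "stay in ROM monitor; IOS must be booted manually from the console"
    if boot_field == 0x1:
        return "boot the first image in flash"
    return "boot as directed by boot system commands in startup-config (default: flash)"


def decode_confreg(value: int) -> Dict[str, object]:
    """Split a register value such as 0x2101 into its documented fields."""
    boot_field = value & BOOT_FIELD_MASK
    return {
        "boot_field": boot_field,
        "boot": boot_field_meaning(boot_field),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_on_netboot_fail": bool(value & BOOT_ROM_ON_NETBOOT_FAIL),
        "console_baud": BAUD_RATES[value & BAUD_MASK],
    }


def audit_confreg(value: int) -> List[str]:
    """Findings to clear before a router goes back into service after a recovery."""
    reg = decode_confreg(value)
    findings: List[str] = []
    if reg["boot_field"] == 0x0:
        findings.append("boot field 0x0: the router stops in ROM monitor and will not boot IOS unattended")
    if reg["ignore_nvram"]:
        findings.append("0x40 set: startup-config and its passwords are ignored at boot; clear it after recovery")
    if not reg["break_disabled"]:
        findings.append("0x100 clear: Break on the console during boot drops into ROM monitor")
    return findings


if __name__ == "__main__":
    print(decode_confreg(0x2101), audit_confreg(0x2101))  # no findings for 0x2101
```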
Console Download

You can use console download, which is a ROM monitor function, to download either a software image or a configuration file over the router console port. After download, the file is either saved to the mini-flash memory module or to main memory for execution (image files only). Use console download when you do not have access to a TFTP server.
Error Reporting

Because the ROM monitor console download uses the console to perform the data transfer, when an error occurs during a data transfer, error messages are only displayed on the console once the data transfer is terminated. If you have changed the baud rate from the default rate, the error message is followed by a message telling you to restore the terminal to the baud rate specified in the configuration register.
FP: 0x80005f9c, PC: 0x80008118
FP: 0x80005fac, PC: 0x80008064
FP: 0x80005fc4, PC: 0xfff03d70
FP: 0x80005ffc, PC: 0x00000000
FP: 0x00000000, PC: 0x00000000

• meminfo—Displays size in bytes, starting address, available range of main memory, the starting point and size of packet memory, and size of NVRAM; for example:

rommon 9> meminfo
Main memory size: 40 MB.
APPENDIX D  Common Port Assignments

Table D-1 lists currently assigned Transmission Control Protocol (TCP) port numbers. To the extent possible, the User Datagram Protocol (UDP) uses the same numbers.
Table D-1 Currently Assigned TCP and UDP Port Numbers (continued)

Port  Keyword    Description
77    —          Any private RJE service
79    FINGER     Finger
95    SUPDUP     SUPDUP Protocol
101   HOST NAME  Network interface card (NIC) hostname server
102   ISO-TSAP   ISO-Transport Service Access Point (TSAP)
103   X400       X400
104   X400-SND   X400-SND
111   SUNRPC     Sun Microsystems Remote Procedure Call
113   AUTH       Authentication service
117   UUCP-PATH  UNIX-to-UNIX Copy Protocol (UUCP) Path Service
119   NNTP