Cisco 1800 Series Integrated Services Router (Fixed) Software Installation Guide
Cisco Systems, Inc.
www.cisco.com
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide, OL-6426-02
Preface
This software configuration guide provides instructions for using the Cisco command-line interface (CLI) to configure features of the following Cisco 1800 series integrated services fixed-configuration routers:
• Cisco 1801, Cisco 1802, and Cisco 1803 DSL Access Routers
• Cisco 1811 and Cisco 1812 Ethernet Access Routers
This preface describes the intended audience, the organization of this guide, and the text and command conventions used throughout the guide.
See the “Organization” section of this preface to help you decide which chapters contain the information you need to configure your router.
Organization
Table 1 lists the topics covered by this guide.
Table 1 Document Organization
Chapter 1, Basic Router Configuration: Describes how to configure basic router features and interfaces.
Chapter 2, Sample Network Deployments: Provides a road map for possible network deployments.
Conventions
This guide uses the conventions described in the following sections for instructions and information.
Notes, Cautions, and Timesavers
Notes, cautions and time-saving tips use the following conventions and symbols:
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this guide.
Caution: This caution symbol means reader be careful.
Related Documents
Table 3 lists publications that provide related information on these routers:
Table 3 Related and Referenced Documents
Cisco Product: Cisco 1800 series fixed-configuration routers
Document Titles:
• Cisco 1811 and Cisco 1812 Integrated Services Router Cabling and Installation
• Cisco 1801, Cisco 1802, and Cisco 1803 Integrated Services Router Cabling and Installation
• Cisco 1800 Series Integrated Services Router (Fixed) Hardware Installation Guide
• Regulatory Compliance and S
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.
Obtaining Technical Assistance
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
PART 1 Getting Started
CHAPTER 1 Basic Router Configuration
This chapter provides procedures for configuring the basic parameters of your Cisco router, including global parameter settings, routing protocols, interfaces, and command-line access. It also describes the default configuration on startup. Note that individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.
Table 1-1 Supported Interfaces and Associated Port Labels by Cisco Router (continued)
Columns: Router, Interface, Port Label
Cisco 1802
Fast Ethernet LANs: SWITCH and FE8–FE5 (top), FE x and FE4–FE1 (bottom)
Fast Ethernet WANs: FE0
ATM WAN: ADSLoISDN
Wireless LAN: LEFT, RIGHT/PRIMARY
BRI: ISDN S/T

Fast Ethernet LANs: SWITCH and FE8–FE5 (top), FE x and FE4–FE1 (bottom)
Fast Ethernet WANs: FE0
ATM WAN: G.
Example 1-1 Cisco 1812 Default Configuration on Startup
version 12.
interface FastEthernet8
 no ip address
 shutdown
!
interface FastEthernet9
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
ip classless
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
Information Needed for Configuration
You need to gather some or all of the following information, depending on your planned network scenario, prior to configuring yo
AAL5SNAP—This can be either routed RFC 1483 or bridged RFC 1483. For routed RFC 1483, the service provider must provide you with a static IP address. For bridged RFC 1483, you may use DHCP to obtain your IP address, or you may obtain a static IP address from your service provider.
AAL5MUX PPP—With this type of encapsulation, you need to determine the PPP-related configuration items.
• If you plan to connect over an ADSL or G.
Configure Global Parameters
Perform these steps to configure selected global parameters for your router:
Step 1
Command: configure terminal
Purpose: Enters global configuration mode, when using the console port.
Configure WAN Interfaces
The Cisco 1811 and Cisco 1812 routers each have two Fast Ethernet interfaces for WAN connection. The Cisco 1801, Cisco 1802, and Cisco 1803 routers each have one ATM interface for WAN connection.
Configure the ATM WAN Interface
This procedure applies only to the Cisco 1801, Cisco 1802, and Cisco 1803 models. Perform these steps to configure the ATM interface, beginning in global configuration mode:
Step 1
For the Cisco 1803 only: For routers using the G.SHDSL signaling, perform these commands. Ignore this step for routers using ADSL signaling.
Configure the Wireless Interface
The wireless interface enables connection to the router through a wireless LAN connection. For more information about configuring a wireless connection, see Chapter 9, “Configuring a Wireless LAN Connection” and the Cisco Access Router Wireless Configuration Guide.
Verifying Your Configuration
To verify that you have properly configured the loopback interface, enter the show interface loopback command. You should see verification output similar to the following example.
Router# show interface loopback 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 200.200.100.
Step 3
Command: login
Purpose: Enables password checking at terminal session login.
Example:
Router(config)# login
Router(config)#
Step 4
Command: exec-timeout minutes [seconds]
Purpose: Sets the interval that the EXEC command interpreter waits until user input is detected. The default is 10 minutes.
Example:
Router(config)# exec-timeout 5 30
Router(config)#
Step 5
Command: line [aux | console | tty | vty] line-number
Configuration Example
The following configuration shows the command-line access commands. You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.
Configuration Example
In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC. You do not need to enter the commands marked “(default).
Configuring RIP
Perform these steps to configure the RIP routing protocol on the router, beginning in global configuration mode:
Step 1
Command: router rip
Task: Enters router configuration mode, and enables RIP on the router.
Example:
Router> configure terminal
Router(config)# router rip
Router(config-router)#
Step 2
Command: version {1 | 2}
Task: Specifies use of RIP version 1 or 2.
Configuration Example
The following configuration example shows RIP version 2 enabled in IP network 10.0.0.0 and 192.168.1.0. Execute the show running-config command from privileged EXEC mode to see this configuration.
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.
Step 2
Command: network ip-address
Purpose: Specifies a list of networks on which EIGRP is to be applied, using the IP address of the network of directly connected networks.
Example:
Router(config)# network 192.145.1.0
Router(config)# network 10.10.12.115
Router(config)#
Step 3
Command: end
Purpose: Exits router configuration mode, and enters privileged EXEC mode.
PART 2 Configuring Your Router for Ethernet and DSL Access
CHAPTER 2 Sample Network Deployments
This part of the software configuration guide presents a variety of possible Ethernet- and Digital Subscriber Line (DSL)-based network configurations using Cisco 1800 series routers. Each scenario is described with a network topology, a step-by-step procedure that is used to implement the network configuration, and a configuration example that shows the results of the configuration.
CHAPTER 3 Configuring PPP over Ethernet with NAT
The Cisco 1811 and Cisco 1812 integrated services fixed-configuration routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT). Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 3-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
PPPoE
The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool. A PPPoE session is initiated on the client side by the Cisco 1800 series router.
Step 3
Command or Action: request-dialin
Purpose: Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.
Example:
Router(config-vpdn-grp)# request-dialin
Router(config-vpdn-grp)#
Step 4
Command or Action: initiate to ip ip-address
Purpose: Specifies the address to which requests are tunneled.
Configure the Fast Ethernet WAN Interfaces
Perform these steps to configure the Fast Ethernet WAN interfaces, starting in global configuration mode:
Step 1
Command: interface type number
Purpose: Enters interface configuration mode for a Fast Ethernet WAN interface. The Cisco 1800 integrated services routers have two Fast Ethernet WAN interfaces. You can use these steps to configure one or both of them.
Example:
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access.
Step 7
Command: dialer-group group-number
Purpose: Assigns the dialer interface to a dialer group (1–10).
Tip: Using a dialer group controls access to your router.
Example:
Router(config-if)# dialer-group 1
Router(config-if)#
Step 8
Command: exit
Purpose: Exits the dialer 0 interface configuration.
Configure Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation.
Step 5
Command: no shutdown
Purpose: Enables the configuration changes just made to the Ethernet interface.
Example:
Router(config-if)# no shutdown
Router(config-if)#
Step 6
Command: exit
Purpose: Exits configuration mode for the Fast Ethernet interface.
For complete information on the NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.”
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter. The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0.
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to verify NAT configuration.
CHAPTER 4 Configuring PPP over ATM with NAT
The Cisco 1801, Cisco 1802, and Cisco 1803 access routers support Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address translation (NAT). Multiple PCs can be connected to the LAN behind the router. Before traffic from the PCs is sent to the PPPoA session, it can be encrypted, filtered, and so forth.
In this scenario, the small business or remote user on the Fast Ethernet LAN can connect to an Internet Service Provider (ISP) using the following protocols on the WAN connection:
• Asymmetric digital subscriber line (ADSL) over plain old telephone service (POTS) using the Cisco 1801 router
• ADSL over integrated services digital network (ISDN) using the Cisco 1802 router
• Single-pair high-speed digital
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. It is also used for cloning virtual access.
Step 7
Command: dialer-group group-number
Purpose: Assigns the dialer interface to a dialer group (1–10).
Tip: Using a dialer group controls access to your router.
Example:
Router(config-if)# dialer-group 1
Router(config-if)#
Step 8
Command: exit
Purpose: Exits the dialer 0 interface configuration.
Configure the ATM WAN Interface
Perform these steps to configure the ATM interface, beginning in global configuration mode.
Step 1
Command: interface type number
Purpose: Enters interface configuration mode for the ATM interface (labeled ADSLoPOTS or G.SHDSL on the back of your router).
Step 5
Command: no shutdown
Purpose: Enables interface and configuration changes just made to the ATM interface.
Example:
Router(config-if-atm-vc)# no shutdown
Router(config-if)#
Step 6
Command: exit
Purpose: Exits configuration mode for the ATM interface.
If you wish to change any of these settings, use one of the following commands in global configuration mode.
• dsl operating-mode (from the ATM interface configuration mode)
• dsl lom integer
• dsl enable-training-log
See the Cisco IOS Wide-Area Networking Command Reference for details of these commands.
Step 5
Command: line-mode {4-wire enhanced | 4-wire standard | 2-wire}
Purpose: Specifies whether this DSL connection is operating in 2-wire, 4-wire standard, or 4-wire enhanced mode.
Note: line mode 4-wire will default to 4-wire enhanced mode.
Example:
Router(config-controller)# line-mode 4-wire standard
Router(config-controller)#
Step 6
Command: ignore-error-duration number
Current 15 min LOSW Defect: 0
Current 15 min ES Defect: 0
Current 15 min SES Defect: 0
Current 15 min UAS Defect: 33287
Previous 15 min CRC Defect: 0
Previous 15 min LOSW Defect: 0
Previous 15 min ES Defect: 0
Previous 15 min SES Defect: 0
Previous 15 min UAS Defect: 0
Line-0 status
Chipset Version: 0
Firmware Version: A388
Modem Status: Data, Status 1
Last Fail Mode:
Step 1
Command: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Creates pool of global IP addresses for NAT.
Example:
Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.
Step 7
Command: interface type number
Purpose: Enters configuration mode for the ATM WAN interface (FE0 or FE1) to be the outside interface for NAT.
Example:
Router(config)#interface fastethernet 0
Router(config-if)#
Step 8
Command: ip nat {inside | outside}
Purpose: Identifies the specified WAN interface as the NAT outside interface.
Note: Commands marked by “(default)” are generated automatically when you run the show running-config command.
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.
CHAPTER 5 Configuring a LAN with DHCP and VLANs
The Cisco 1800 series integrated services fixed-configuration routers support clients on both physical LANs and virtual LANs (VLANs). The routers can use the Dynamic Host Configuration Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks. Other interfaces and configurations of the VLANs are described in the “Switch Port Configurations” section on page 5-7.
• Configure VLANs
Note: The procedures in this chapter assume you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configuration tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT” as appropriate for your router.
Step 6
Command: import all
Purpose: Imports DHCP option parameters into the DHCP portion of the router database.
Example:
Router(config-dhcp)# import all
Router(config-dhcp)#
Step 7
Command: default-router address [address2...address8]
Purpose: Specifies up to 8 default routers for a DHCP client.
Example:
Router(config-dhcp)# default-router 10.1.1.1
Router(config-dhcp)#
Step 8
Command: dns-server address [address2...
Verify Your DHCP Configuration
Use the following commands to view your DHCP configuration.
• show ip dhcp import—Displays the optional parameters imported into the DHCP server database.
• show ip dhcp pool—Displays information about the DHCP address pools.
• show ip dhcp server statistics—Displays the DHCP server statistics, such as the number of address pools, bindings, and so forth.
Configure VLANs
Perform these steps to configure VLANs on your router, beginning in global configuration mode:
Step 1
Command: vlan ?
Purpose: Enters VLAN configuration mode.
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1003
VLAN ISL Id: 1003
Name: token-ring-default
Media Type: Token Ring
VLAN 802.
Switch Port Configurations
The 8 high-speed Ethernet ports on the Cisco 1800 (fixed) integrated router support 8 VLANs per port. To configure and verify VLANs on the switch ports, see the “Configure VLANs” section on page 5-5 and the “Verify Your VLAN Configuration” section on page 5-5.
• Configuring VLANs (required)
• Configuring VLAN Trunking Protocol (optional)
• Configuring 802.
Layer 2 Interfaces
The integrated switch ports support Layer 2 switching across Ethernet ports based on Cisco IOS Catalyst Software. They support simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. Different connections can be made for different segments for the next packet.
Note: Per-Port enabling and disabling of unknown multicast and unicast packets is not supported on the Cisco 1800 (Fixed) configuration router.
Per-Port Storm Control
You can use these per-port storm control techniques to block the forwarding of unnecessary, flooded traffic.
CHAPTER 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel
The Cisco 1800 series integrated services fixed-configuration routers support the creation of Virtual Private Networks (VPNs).
1 Remote, networked users
2 VPN client—Cisco 1800 series integrated services router
3 Router—Providing the corporate office network access
4 VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside interface address 192.168.101.1
5 Corporate office with a network address of 10.1.1.
An example showing the results of these configuration tasks is shown in the section “Configuration Example.”
Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP and VLANs.
Step 6
Command or Action: lifetime seconds
Purpose: Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).
Example:
Router(config-isakmp)# lifetime 480
Router(config-isakmp)#
Step 7
Command or Action: exit
Purpose: Exits IKE policy configuration mode, and enters global configuration mode.
Step 5
Command or Action: exit
Purpose: Exits IKE group policy configuration mode, and enters global configuration mode.
Example:
Router(config-isakmp-group)# exit
Router(config)#
Step 6
Command or Action: ip local pool {default | poolname} [low-ip-address [high-ip-address]]
Purpose: Specifies a local address pool for the group.
Example:
Enable Policy Lookup
Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:
Step 1
Command or Action: aaa new-model
Purpose: Enables the AAA access control model.
Example:
Router(config)# aaa new-model
Router(config)#
Step 2
Command or Action: aaa authentication login {default | list-name} method1 [method2...
Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:
Step 1
Command or Action: crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Purpose: Defines a transform set—an acceptable combination of IPSec security protocols and algorithms.
Step 3
Command or Action: reverse-route
Purpose: Creates source proxy information for the crypto map entry. See the Cisco IOS Security Command Reference for details.
Example:
Router(config-crypto-map)# reverse-route
Router(config-crypto-map)#
Step 4
Command or Action: exit
Purpose: Returns to global configuration mode.
Step 2
Command or Action: crypto map map-name
Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.
Example:
Router(config-if)# crypto map static-map
Router(config-if)#
Step 3
Command or Action: exit
Purpose: Returns to global configuration mode.
Step 5
Command or Action: exit
Purpose: Returns to global configuration mode.
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#
Step 6
Command or Action: interface type number
Purpose: Enters interface configuration mode.
Note: For routers with an ATM WAN interface, this command would be interface atm 0.
Example:
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.
CHAPTER 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
The Cisco 1800 series integrated services fixed-configuration routers support the creation of virtual private networks (VPNs).
7  LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
8  Corporate office network
9  IPSec tunnel with GRE

GRE Tunnels

GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that controls access to a private network, such as a corporate network.
Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:
• Configure the IKE Policy
• Configure Group Policy Information
• Enable Policy Lookup
• Configure IPSec Transforms and Protocols
• Configure the IPSec Crypto Method and Parameters
• Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perfo
Step 5
Command or Action: group {1 | 2 | 5}
Purpose: Specifies the Diffie-Hellman group to be used in the IKE policy.
Example:
    Router(config-isakmp)# group 2
    Router(config-isakmp)#

Step 6
Command or Action: lifetime seconds
Purpose: Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).
Step 4
Command or Action: domain name
Purpose: Specifies group domain membership.
Example:
    Router(config-isakmp-group)# domain company.com
    Router(config-isakmp-group)#

Step 5
Command or Action: exit
Purpose: Exits IKE group policy configuration mode, and enters global configuration mode.
Step 3
Command or Action: aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
Purpose: Specifies AAA authorization of all network-related service requests, including PPP, and the method used to do so.
Note: With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.
Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database.
Step 3
Command or Action: tunnel source interface-type number
Purpose: Specifies the source endpoint of the router for the GRE tunnel.
Example:
    Router(config-if)# tunnel source fastethernet 2
    Router(config-if)#

Step 4
Command or Action: tunnel destination default-gateway-ip-address
Purpose: Specifies the destination endpoint of the router for the GRE tunnel.
Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
     ip inspect firewall in ! inspection examines outbound traffic
     crypto map static-map
     no cdp enable
    !
    interface fastethernet 0 ! FE0 is the outside or internet exposed interface
     ip address 210.110.101.21 255.255.255.0
     ip access-group 103 in ! acl 103 permits ipsec traffic from the corp.
CHAPTER 8
Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).
1  Multiple networked devices—Desktops, laptop PCs, switches
2  Fast Ethernet LAN interface (the inside interface for NAT)
3  PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803 series integrated services router, respectively
4  Point at which NAT occurs
5  Protected network
6  Unprotected network
7  Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In
Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Step 1
Command: access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and w
Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Step 1
Command: interface type number
Purpose: Enters interface configuration mode for the inside network interface on your router.
Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside.
CHAPTER 9
Configuring a Wireless LAN Connection

The Cisco 1800 series integrated services fixed-configuration routers support a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the Cisco routers act as access points, and are Wi-Fi certified, IEEE 802.
Configuration Tasks

Perform the following tasks to configure this network scenario:
• Configure the Root Radio Station
• Configure Bridging on VLANs
• Configure Radio Station Subinterfaces

An example showing the results of these configuration tasks is shown in the section “Configuration Example.
Configure the Root Radio Station

Perform these steps to create and configure the root radio station for your wireless LAN, beginning in global configuration mode:

Step 1
Command: interface name number
Purpose: Enters interface configuration mode for the specified wireless interface.
Step 5
Command: vlan number
Purpose: Binds the SSID with a VLAN.
Example:
    Router(config-if-ssid)# vlan 1
    Router(config-if-ssid)#

Step 6
Command: authentication type
Purpose: Sets the permitted authentication methods for a user attempting access to the wireless LAN. More than one method can be specified, as shown in the example.
Step 12
Command: station-role [repeater | root]
Purpose: (Optional) Specifies the role of this wireless interface. You must specify at least one root interface.
Example:
    Router(config-if)# station-role root
    Router(config-if)#

Step 13
Command: exit
Purpose: Exits interface configuration mode, and enters global configuration mode.
Step 5
Command or Action: interface name number
Purpose: Enters configuration mode for the virtual bridge interface.
Example:
    Router(config)# interface bvi 1
    Router(config)#

Step 6
Command or Action: ip address address mask
Purpose: Specifies the address for the virtual bridge interface.
Example:
    Router(config)# ip address 10.0.1.1 255.255.255.
Step 5
Command: bridge-group number
Purpose: Assigns a bridge group to the subinterface.
Example:
    Router(config-subif)# bridge-group 1
    Router(config-subif)#

Step 6
Command: exit
Purpose: Exits subinterface configuration mode, and enters global configuration mode.
Example:
    Router(config-subif)# exit
    Router(config)#

Repeat these steps to configure more subinterfaces, as needed.
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio0.
CHAPTER 10
Sample Configuration

This chapter collects the results of the Ethernet WAN interface, DHCP, VLAN, Easy VPN, and wireless interface configurations made in previous chapters. This allows you to view what a basic configuration provided by this guide looks like in a single sample, Example 10-1.

Note: Commands marked by “(default)” are generated automatically when you run the show running-config command.
     ip address negotiated
     ppp authentication chap
     dialer pool 1
     dialer-group 1
    !
    dialer-list 1 protocol ip permit
    ip nat inside source list 1 interface dialer 0 overload
    ip classless (default)
    ip route 10.10.25.2 0.255.255.255 dialer 0
    !
    ip dhcp excluded-address 10.0.1.1 10.0.1.10
    ip dhcp excluded-address 10.0.2.1 10.0.2.10
    ip dhcp excluded-address 10.0.3.1 10.0.3.10
    !
    ip dhcp pool vlan1
     network 10.0.1.0 255.255.255.
     duplex auto
     speed auto
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     group 2
     lifetime 480
    !
    crypto isakmp client configuration group rtr-remote
     key secret-password
     dns 10.50.10.1 10.60.10.1
     domain company.
     station-role root
    !
    interface Dot11Radio0.1
     description Cisco Open
     encapsulation dot1Q 1 native
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio0.
    no ip http secure-server
    !
    radius-server local
     nas 10.0.1.1 key 0 cisco123
     group rad_eap
     !
     user jsomeone nthash 7 0529575803696F2C492143375828267C7A760E1113734624452725707C010B065B
     user AMER\jsomeone nthash 7 0224550C29232E041C6A5D3C5633305D5D560C09027966167137233026580E0B0D
    !
    radius-server host 10.0.1.
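The sample configuration above negotiates IKE with 3DES and Diffie-Hellman group 2, and it carries the Easy VPN group key and the local RADIUS NAS key unencrypted. The Python check below is an added example, not part of the Cisco guide: it audits a configuration in show running-config layout for those settings. The sample text is constructed from the guide's fragments, and the defaults applied to omitted ISAKMP lines are an assumption to verify against your IOS release.

```python
import re

# Constructed sample in `show running-config` layout (sub-commands indented one space).
# Values mirror fragments of the guide's examples; it is not a complete configuration.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
!
radius-server local
 nas 10.0.1.1 key 0 cisco123
!
"""

# Assumption: classic IOS omits default values from the running-config, and an
# ISAKMP policy defaults to DES and Diffie-Hellman group 1. Verify for your release.
ISAKMP_DEFAULTS = {"encryption": "des", "group": "1"}
LEGACY_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}  # of the {1 | 2 | 5} choices the guide lists
# Sections whose "key" sub-command carries a shared secret.
SECRET_SECTIONS = ("crypto isakmp client configuration group", "radius-server")
KEY_RE = re.compile(r"\bkey\s+(?:(\d)\s+)?(\S+)")


def parse_sections(text):
    """Group lines into (parent, [children]) using leading-space indentation."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # separators and comment lines
        if raw[0].isspace() and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit_isakmp_policy(parent, children):
    """Flag legacy ciphers and weak DH groups, applying defaults for omitted lines."""
    settings = dict(ISAKMP_DEFAULTS)
    for child in children:
        keyword, _, value = child.partition(" ")
        settings[keyword] = value.split()[0] if value else ""
    findings = []
    if settings["encryption"] in LEGACY_ENCRYPTION:
        findings.append((parent, "legacy-encryption", settings["encryption"]))
    if settings["group"] in WEAK_DH_GROUPS:
        findings.append((parent, "weak-dh-group", settings["group"]))
    return findings


def audit_secrets(parent, lines):
    """Flag keys stored unencrypted: a bare `key <secret>` or `key 0 <secret>`."""
    findings = []
    for line in lines:
        match = KEY_RE.search(line)
        if match and match.group(1) in (None, "0"):
            # Report the line's leading keyword only, never the secret itself.
            findings.append((parent, "cleartext-key", line.split()[0]))
    return findings


def audit(text):
    """Return a list of (section, issue, detail) tuples for the whole configuration."""
    findings = []
    for parent, children in parse_sections(text):
        if re.fullmatch(r"crypto isakmp policy \d+", parent):
            findings += audit_isakmp_policy(parent, children)
        if parent.startswith(SECRET_SECTIONS):
            findings += audit_secrets(parent, [parent] + children)
    return findings


if __name__ == "__main__":
    for section, issue, detail in audit(SAMPLE_CONFIG):
        print(f"{issue:18} {section} ({detail})")
```

A policy that omits its encryption or group line is still reported, because the router then falls back to its defaults rather than to a stronger setting.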
CHAPTER 11
Additional Configuration Options

This part of the software configuration guide describes additional configuration options and troubleshooting tips for the Cisco 1800 series integrated services fixed configuration routers (Cisco 1801, Cisco 1802, Cisco 1803, Cisco 1811, and Cisco 1812).
PART 3 Configuring Additional Features and Troubleshooting
CHAPTER 12
Configuring Security Features

This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco 1800 integrated services fixed-configuration routers.

Note: Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.
For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Security Configuration Guide:
• Configuring Authentication
• Configuring Authorization
• Configuring Accounting
• Configuring RADIUS
• Configuring TACACS+
• Configuring Kerberos

Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP
Access Groups

A sequence of access list definitions bound together with a common name or number is called an access group. An access group is enabled for an interface during interface configuration with the following command:

    ip access-group number | name [in | out]

where in | out refers to the direction of travel of the packets being filtered.
Configuring Cisco IOS Firewall IDS

Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS Firewall IDS identifies 59 of the most common attacks using “signatures” to detect patterns of misuse in network traffic.
CHAPTER 13
Configuring Dial Backup and Remote Management

The Cisco 1800 integrated services fixed-configuration routers support dial-in (for remote management) and dial-out (for dial backup) capabilities. By allowing you to configure a backup modem line connection, the Cisco 1800 integrated services fixed-configuration routers provide protection against WAN downtime. Dial backup is inactive by default, and must be configured to be active.
Note: Even if the backup interface comes out of standby mode (is brought up), the router does not trigger the backup call unless it receives the specified traffic for that backup interface.
Configuring Floating Static Routes

Static and dynamic routes are the two components of floating static routes. Perform these steps to configure the static and dynamic routes on your router, beginning in global configuration mode:

Step 1
Command: ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
Purpose: Assigns the primary static route.
Example:
    Router(config)# ip route 0.0.0.0 0.0.0.
Dialer Watch

The dialer watch method only supports the Extended Interior Gateway Routing Protocol (EIGRP) link-state dynamic routing protocols.

Configuring Dialer Watch

Perform these steps to configure a dialer watch on your router, beginning in global configuration mode:

Step 1
Command: interface type number
Purpose: Enters configuration mode for the dial backup interface.
Step 5
Command: ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
Purpose: Assigns the lower routing administrative distance value for the backup interface route. 192.168.2.2 is the peer IP address of the backup interface.
Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.
Table 13-1 Dial Backup Feature Support and Limitations Summary (continued)

WAN Encapsulation Type | Dial Backup Possible? | Dial Backup Method | Limitations

Backup interfaces Floating static route and dialer watch need a routing protocol to run in the router. The dialer watch method brings up the backup interface as soon as the primary link goes down.
    !
     dsl operating-mode auto
    !
    ! Dial backup interface, associated with physical BRI0 interface.
     dsl operating-mode auto
    !
    ! Dial backup interface, associated with physical BRI0 interface.
     dsl operating-mode auto
    !
    ! Dial backup interface, associated with physical BRI0 interface. Dialer pool 1 associates it with BRI0’s dialer pool member 1.
Perform these steps to configure your router ISDN interface for use as a backup interface, beginning in global configuration mode:

Step 1
Command: isdn switch-type switch-type
Purpose: Specifies the ISDN switch type. The example specifies a switch type used in Australia, Europe, and the United Kingdom.
Step 8
Command: ip address negotiated
Purpose: Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation. The IP address is obtained from the peer.
Example:
    Router(config-if)# ip address negotiated
    Router(config-if)#

Step 9
Command: encapsulation encapsulation-type
Purpose: Sets the encapsulation type to PPP for the interface.
Configure the Aggregator and ISDN Peer Router

The aggregator is typically a concentrator router where your Cisco router ATM PVC terminates. In the configuration example shown below, the aggregator is configured as a PPPoE server to correspond with the Cisco 876 router configuration example that is given in this chapter.
     dialer string 384020
     dialer-group 1
     peer default ip address pool isdn
    !
    ip local pool isdn 192.168.2.1
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    ip route 40.0.0.0 255.0.0.0 30.1.1.1
    !
    dialer-list 1 protocol ip permit
    !

Configuring Dial Backup and Remote Management Through a V.
Step 4
Command: dialer in-band
Purpose: Specifies support for dial-on-demand routing (DDR) and chat scripts on this asynchronous interface.
Example:
    Router(config-if)# dialer in-band
    Router(config-if)#

Step 5
Command: dialer string dial-string
Purpose: Specifies the telephone number to be dialed.
Line Configuration

Perform these steps to configure the line on the V.92 modem, beginning in global configuration mode:

Step 1
Command: line line-number
Purpose: Identifies a specific line for configuration and enters line configuration collection mode.
CHAPTER 14
Troubleshooting

Use the information in this chapter to help isolate problems you might encounter or to rule out the router as the source of a problem.
• Brief description of the steps you have taken to isolate the problem

ADSL Troubleshooting

If you experience trouble with the ADSL connection, verify the following:
• The ADSL line is connected and is using pins 3 and 4. For more information on the ADSL connection, see the hardware guide for your router.
• The ADSL CD LED is on.
For details, see the “PortFast Configuration Error” section in the Spanning Tree Protocol Problems and Related Design Considerations document.

ATM Troubleshooting Commands

Use the following commands to troubleshoot your ATM interface.
    Hardware is PQUICC_SAR (with Alcatel ADSL Module)
    Internet address is 14.0.0.
Table 14-1 show interface Command Output Description (continued)

Output: ATM 0.n is up, line protocol is up
Cause: The specified ATM subinterface is up and operating correctly.

Output: ATM 0.n is administratively down, line protocol is down
Cause: The specified ATM subinterface has been disabled with the shutdown command.

ATM 0.
Table 14-2 describes some of the fields shown in the command output.

Table 14-2 show atm interface Command Output Description

Field: ATM interface
Description: Interface number. Always 0 for the Cisco 1800 fixed-configuration routers.

Field: AAL enabled
Description: Type of AAL enabled. The Cisco 1800 fixed-configuration routers support AAL5.
Example 14-4 Viewing ATM Errors

    Router# debug atm errors
    ATM errors debugging is on
    Router#
    01:32:02:ATM(ATM0.2):VC(3)
    01:32:04:ATM(ATM0.2):VC(3)
    01:32:06:ATM(ATM0.2):VC(3)
    01:32:08:ATM(ATM0.2):VC(3)
    01:32:10:ATM(ATM0.
    00:02:57: DSL: Sent command 0x5
    00:02:57: DSL: Received response: 0x26
    00:02:57: DSL: Unexpected response 0x26
    00:02:57: DSL: Send ADSL_OPEN command.
    00:02:57: DSL:
    00:02:57: DSL:
    00:02:57: DSL:
    00:03:00: DSL:
    00:03:00: DSL:
    00:03:00: DSL:
    00:03:00: DSL:
    00:03:00: DSL:
    00:03:00: DSL:
Table 14-3 describes some of the fields shown in the debug atm packet command output.

Table 14-3 debug atm packet Command Output Description

Field: ATM0
Description: Interface that is generating the packet.

Field: (O)
Description: Output packet. (I) would mean receive packet.

Field: VCD: 0xn
Description: Virtual circuit associated with this packet, where n is some value.
Change the Configuration Register

To change a configuration register, follow these steps:

Step 1  Connect an ASCII terminal or a PC running a terminal emulation program to the CONSOLE port on the rear panel of the router.
Step 2  Configure the terminal to operate at 9600 baud, 8 data bits, no parity, and 1 stop bit.
Reset the Router

To reset the router, follow these steps:

Step 1  If break is enabled, go to Step 2. If break is disabled, turn the router off (O), wait 5 seconds, and turn it on (|) again. Within 60 seconds, press the Break key. The terminal displays the ROM monitor prompt. Go to Step 3.

Note: Some terminal keyboards have a key labeled Break.

Step 2
Reset the Password and Save Your Changes

To reset your password and save the changes, follow these steps:

Step 1  Enter the configure terminal command to enter global configuration mode:
    Router# configure terminal
Step 2  Enter the enable secret command to reset the enable secret password in the router:
    Router(config)# enable secret password
Step 3  Enter exit to exit global configuration mode:
    R
Managing Your Router with SDM

The Cisco SDM tool is a free software configuration utility, supporting the Cisco 1800 series integrated services fixed-configuration routers.
PART 4 Reference Information
APPENDIX A
Cisco IOS Software Basic Skills

Understanding how to use Cisco IOS software can save you time when you are configuring your router. If you need a refresher, take a few minutes to read this appendix.
You can use the terminal emulation software to change settings for the type of device that is connected to the PC, in this case a router. Configure the software to the following standard VT-100 emulation settings so that your PC can communicate with your router:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control

These settings should match the default settings of your router.
Table A-2 Command Modes Summary

Mode: User EXEC
Access Method: Begin a session with your router.
Prompt: Router>
Exit and Entrance Method: To exit a router session, enter the logout command.
Use this mode for these tasks:
• Change terminal settings.

Mode: Privileged EXEC
Access Method: Enter the enable command from user EXEC mode.
Prompt: Router#

Mode: Global configuration
Access Method: Enter the configure command from privileged EXEC mode.

Mode: Interface configuration
Table A-2 Command Modes Summary (continued)

Mode: Router configuration
Access Method: Enter one of the router commands followed by the appropriate keyword, for example router rip, from global configuration mode.
Prompt: Router(config-router)#
Exit and Entrance Method:
• To exit to global configuration mode, enter the exit command.
• To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z.
Use this mode to configure an IP routing protocol.
Enable Secret Passwords and Enable Passwords

By default, the router ships without password protection. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use.
Using Commands

This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).

Abbreviating Commands

You only have to enter enough characters for the router to recognize the command as unique.
Saving Configuration Changes

You need to enter the copy running-config startup-config command to save your configuration changes to nonvolatile RAM (NVRAM) so that they are not lost if there is a system reload or power outage.
APPENDIX B
Concepts

This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers. To review some typical network scenarios, see Chapter 2, “Sample Network Deployments.” For information on additional details or configuration topics, see Chapter 11, “Additional Configuration Options.
SHDSL

SHDSL is a technology based on the G.SHDSL (G.991.2) standard that allows both data and voice to be transmitted over the same line. SHDSL is a packet-based network technology that allows high-speed transmission over twisted-pair copper wire between a network service provider (NSP) central office and a customer site, or on local loops created within either a building or a campus. G.
RIP and Enhanced IGRP differ in several ways, as shown in Table B-1.

Table B-1 RIP and Enhanced IGRP Comparison

Protocol: RIP
Ideal Topology: Suited for topologies with 15 or fewer hops.
Metric: Hop count. Maximum hop count is 15. Best route is one with lowest hop count.
Routing Updates: By default, every 30 seconds. You can reconfigure this value and also use triggered extensions to RIP.

Protocol: Enhanced IGRP
Ideal Topology: Suited for large topologies
Metric: Distance information.
(start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities.
TACACS+

Cisco 1800 fixed-configuration routers support the Terminal Access Controller Access Control System Plus (TACACS+) protocol through Telnet. TACACS+ is a Cisco proprietary authentication protocol that provides remote access authentication and related network security services, such as event logging. User passwords are administered in a central database rather than in individual routers.
PVC

A PVC is a connection between remote hosts and routers. A PVC is established for each ATM end node with which the router communicates. The characteristics of the PVC that are established when it is created are set by the ATM adaptation layer (AAL) and the encapsulation type. An AAL defines the conversion of user information into cells. An AAL segments upper-layer information into cells at the transmitter and reassembles the cells at the receiver.
line is up, the backup interface is placed in standby mode. In standby mode, the backup interface is effectively shut down until it is enabled. Any route associated with the backup interface does not appear in the routing table. Because the backup interface command is dependent on the router’s identifying that an interface is physically down, it is commonly used to back up ISDN BRI connections, asynchronous lines, and leased lines.
Translations can be static or dynamic. A static address translation establishes a one-to-one mapping between the inside network and the outside domain. Dynamic address translations are defined by describing the local addresses to be translated and the pool of addresses from which to allocate outside addresses. Allocation occurs in numeric order, and multiple pools of contiguous address blocks can be defined.
QoS

This section describes Quality of Service (QoS) parameters, including the following:
• IP Precedence
• PPP Fragmentation and Interleaving
• CBWFQ
• RSVP
• Low Latency Queuing

QoS refers to the capability of a network to provide better service to selected network traffic over various technologies, including ATM, Ethernet and IEEE 802.1 networks, and IP-routed networks that may use any or all of these underlying technologies.
In general, multilink PPP with interleaving is used in conjunction with CBWFQ and RSVP or IP Precedence to ensure voice packet delivery. Use multilink PPP with interleaving and CBWFQ to define how data is managed; use Resource Reservation Protocol (RSVP) or IP Precedence to give priority to voice packets.

CBWFQ

In general, class-based weighted fair queuing (CBWFQ) is used in conjunction with multilink PPP and interleaving and RSVP or IP Precedence to ensure voice packet delivery.
Access Lists

With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session.
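The ACK/RST test described above, modelled on constructed TCP headers. This is an added example, not code from the guide; the function names and the modelled rule `permit tcp any any established` are assumptions used for illustration.

```python
import struct

# TCP flag bits, as carried in byte 13 of the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10

def make_segment(flags, sport=40000, dport=80, seq=1000, ack=0):
    """Build a constructed 20-byte TCP header (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 8192, 0, 0)

def tcp_flags(segment):
    """Extract the flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!HHIIBB", segment[:14])[5]

def matches_established(segment):
    """Per-packet test: true when the ACK or RST bit is set."""
    return bool(tcp_flags(segment) & (ACK | RST))

def inbound_filter(segment):
    """Model of 'permit tcp any any established' plus the implicit deny."""
    return "permit" if matches_established(segment) else "deny"

# Constructed inbound segments, labelled by their role in a session.
SAMPLES = [
    ("SYN opening a new session from outside", make_segment(SYN)),
    ("SYN+ACK answering an inside client", make_segment(SYN | ACK, ack=501)),
    ("ACK carrying data in an open session", make_segment(ACK, ack=777)),
    ("RST closing a session", make_segment(RST)),
]

def evaluate(samples=SAMPLES):
    """Return (description, verdict) pairs for each sample segment."""
    return [(name, inbound_filter(seg)) for name, seg in samples]

if __name__ == "__main__":
    for name, verdict in evaluate():
        print(f"{verdict:6}  {name}")
    # The test reads only header bits and keeps no session table, so it
    # cannot confirm that a matching session was ever opened. That is why
    # the keyword only approximates session filtering.
```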
Appendix B Concepts Access Lists Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide B-12 OL-6426-02
APPENDIX C ROM Monitor

The ROM monitor firmware runs when the router is powered up or reset. The firmware helps to initialize the processor hardware and boot the operating system software. You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.
Step 4
Command: exit
Purpose: Exits global configuration mode.

Step 5
Command: reload
Purpose: Reboots the router with the new configuration register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually boot the operating system from the console. See the boot command in the “Command Descriptions” section in this appendix.

After the router reboots, it is in ROM monitor mode.
Command Descriptions

Table C-1 describes the most commonly used ROM monitor commands.

Table C-1 Commonly Used ROM Monitor Commands

Command: help or ?
Description: Displays a summary of all available ROM monitor commands.
Note The commands described in this section are case sensitive and must be entered exactly as shown.

Required Variables

These variables must be set with these commands before you use the tftpdnld command:

Variable: IP address of the router.
Command: IP_ADDRESS= ip_address

Variable: Subnet mask of the router.
Command: IP_SUBNET_MASK= ip_address

Variable: IP address of the default gateway of the router.
Variable: Number of times the router attempts ARP and TFTP download. The default is 7.
Command: TFTP_RETRY_COUNT= retry_times

Variable: Length of time, in seconds, before the download process times out. The default is 2,400 seconds (40 minutes).
Command: TFTP_TIMEOUT= time

Variable: Whether or not the router performs a checksum test on the downloaded image:
1—Checksum test is performed.
0—No checksum test is performed.
Command: TFTP_CHECKSUM=setting
Configuration Register

The virtual configuration register is in nonvolatile RAM (NVRAM) and has the same functionality as other Cisco routers. You can view or modify the virtual configuration register from either the ROM monitor or the operating system software. Within the ROM monitor, you can change the configuration register by entering the register value in hexadecimal format, or by allowing the ROM monitor to prompt you for the setting of each bit.
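An added example (not from the guide) that reads the configuration-register line of constructed `show version` output and flags values that skip the startup configuration or leave the router in ROM monitor. The bit meanings are the standard Cisco register layout, which this page does not list, and the function name is hypothetical.

```python
import re

# Standard Cisco configuration-register fields (assumed; not listed on this page).
BOOT_FIELD = 0x000F    # bits 0-3: value 0x0 keeps the router in ROM monitor
IGNORE_NVRAM = 0x0040  # bit 6: startup configuration in NVRAM is ignored

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def audit_confreg(show_version):
    """Return findings for the current and the pending register value."""
    match = CONFREG_RE.search(show_version)
    if not match:
        return ["configuration register line not found"]
    findings = []
    for label, text in (("current", match.group(1)),
                        ("next reload", match.group(2))):
        if text is None:  # no pending change reported
            continue
        value = int(text, 16)
        if value & IGNORE_NVRAM:
            findings.append(f"{label} {text}: startup configuration is ignored at boot")
        if (value & BOOT_FIELD) == 0:
            findings.append(f"{label} {text}: router stays in ROM monitor after reload")
    return findings

# Constructed sample lines in the format printed at the end of 'show version'.
NORMAL = "Configuration register is 0x2102"
LEFT_IN_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
PENDING_ROMMON = "Configuration register is 0x2102 (will be 0x0 at next reload)"

if __name__ == "__main__":
    for sample in (NORMAL, LEFT_IN_RECOVERY, PENDING_ROMMON):
        print(sample, "->", audit_confreg(sample) or "no findings")
```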
enabled are:
diagnostic mode
console baud: 9600
boot: the ROM Monitor
do you wish to change the configuration? y/n [n]:
You must reset or power cycle for new config to take effect

Console Download

You can use console download, a ROM monitor function, to download either a software image or a configuration file over the router console port. After download, the file is either saved to the CompactFlash memory module or to main memory for execution (image files only).
Follow these steps to run Xmodem:
Step 1 Move the image file to the local drive where Xmodem will execute.
Step 2 Enter the xmodem command.

Error Reporting

Because the ROM monitor console download uses the console to perform the data transfer, when an error occurs during a data transfer, error messages are only displayed on the console once the data transfer is terminated.
• sysret—Displays return information from the last booted system image.
APPENDIX D Common Port Assignments

Table D-1 lists currently assigned Transmission Control Protocol (TCP) port numbers. To the extent possible, the User Datagram Protocol (UDP) uses the same numbers.
Table D-1 Currently Assigned TCP and UDP Port Numbers (continued)

Port   Keyword     Description
77     –           Any private RJE service
79     FINGER      Finger
95     SUPDUP      SUPDUP Protocol
101    HOST NAME   Network interface card (NIC) hostname server
102    ISO-TSAP    ISO-Transport Service Access Point (TSAP)
103    X400        X400
104    X400-SND    X400-SND
111    SUNRPC      Sun Microsystems Remote Procedure Call
113    AUTH        Authentication service
117    UUCP-PATH   UNIX-to-UNIX Copy Protocol (UUCP) Path Service
119    NNTP