Cisco 1710 Security Router Software Configuration Guide
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Preface xi
  Objectives xi
  Audience xi
  Organization xii
  Conventions xii
  Related Documentation xiii
  Obtaining Documentation xiv
    World Wide Web xiv
    Documentation CD-ROM xiv
    Ordering Documentation xiv
    Documentation Feedback xv
  Obtaining Technical Assistance xv
    Cisco.

  Using Commands 1-9
    Abbreviating Commands 1-9
    Command-Line Error Messages 1-9
    Undoing Commands 1-10
    Saving Configuration Changes 1-10
  Using Debug Commands 1-11
  Where to Go Next 1-12

CHAPTER 2 Cisco 1710 Security Router Configuration 2-1
  Before You Configure Your Network 2-2
  Configuring a Virtual Private Dialup Network 2-2
  Configuring IP Security 2-3
    Disabling Hardware Encryption 2-4
  Configuring the Dialer Interface 2-6
  Configuring the Ethernet Interfaces 2-7
  Configuring Dynamic Host Configuratio

CHAPTER 3 Overview of Routing Between Virtual LANs 3-1
  What Is a VLAN? 3-1
    LAN Segmentation 3-2
    Security 3-3
    Broadcast Control 3-3
    Performance 3-4
    Network Management 3-4
    Communication Between VLANs 3-4
    VLAN Colors 3-4
  Why Implement VLANs? 3-5
    Communicating Between VLANs 3-5
    VLAN Translation 3-6
    Designing Switched VLANs 3-6

CHAPTER 4 Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation 4-1
  IEEE 802.
  Examples of IEEE 802.1Q Encapsulation Configuration 4-6
    Configuring AppleTalk over IEEE 802.1Q 4-7
    Configuring IP Routing over IEEE 802.1Q 4-7
    Configuring IPX Routing over IEEE 802.

  Disaster Recovery with TFTP Download A-5
    TFTP Download Command Variables A-5
      Required Variables A-6
      Optional Variables A-7
    Using the TFTP Download Command A-8
  Configuration Register A-9
  Console Download A-10
    Command Description A-11
    Error Reporting A-12
  Debug Commands A-12

INDEX

Cisco 1710 Security Router Software Configuration Guide 78-12696-01 ix
Preface

This preface describes the objectives, audience, organization, and conventions of the Cisco 1710 Security Router Software Configuration Guide. It also provides information about additional documentation and how to obtain technical assistance.

Objectives

This software configuration guide explains how to configure the Cisco 1710 router. It does not cover every feature, but does describe, in detail, the tasks most commonly required to configure the router.
• Service providers offering VPN services to enterprise and small-to-medium sized businesses. Service providers can bundle Cisco VPN hardware with their service offerings.
• Providers of Internet connections to the whole multi-tenant office building.

Organization

This document contains the following chapters and appendix:
• Chapter 1, “Introduction to Router Configuration”—Describes briefly the configuration of a router through Cisco IOS.
Examples use these conventions:
• Examples that contain system prompts denote interactive sessions, indicating that you enter commands at the prompt. The system prompt indicates the current command mode. For example, the following prompt indicates global configuration mode:
  Router(config)#
• Terminal sessions and information the system displays are in
• Information you enter is in boldface
• Nonprinting characters, such as passwords, are in angle brackets (< >).
• Cisco 1710 Security Router Hardware Installation Guide describes router features, how to install and cable the router, and how to troubleshoot common problems you may have with it.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:
• http://www.cisco.com
• http://www-china.cisco.
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).
Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.
CHAPTER 1 Introduction to Router Configuration

If you understand Cisco IOS software (the software that runs your router) and you are experienced in configuring network devices, you can use the Cisco IOS command-line interface (CLI) to configure your router. The purpose of this guide is to help you use Cisco IOS software to configure your Cisco 1710 Security router. This chapter describes what you need to know before you begin configuring your router with Cisco IOS software.
Configuring the Router from a PC

If you are configuring your router from a PC (not a dumb terminal), you need a type of communications software called terminal emulation software. The PC uses this software to send commands to your router. Table 1-1 lists some common names for this software, based on the type of PC you are using.
Understanding Command Modes

You use the following Cisco IOS command modes when configuring the scenarios described in this document:
• User EXEC
• Privileged EXEC
• Global configuration
• Interface configuration
• Router configuration
• Line configuration
Throughout the examples in this guide, there are steps for verifying your router configuration by using different Cisco IOS commands.
Table 1-2 Command Modes Summary

Mode: User EXEC
  Access method: Begin a session with your router.
  Prompt: 1710>
  Exit method: Enter the logout command.
  About this mode (1): A subset of the commands available in this mode. Use this mode to

Mode: Privileged EXEC
  Access method: Enter the enable command while in user EXEC mode.
  Prompt: 1710#
  Exit method: To exit to user EXEC mode, enter the disable command.

Mode: Global configuration
  Access method: Enter the configure command while in privileged EXEC mode.
  Prompt: 1710(config)#
  Exit method: To exit to privileged EXEC mode, enter the exit or end command, or press Ctrl-Z.

Mode: Interface configuration
  Access method: Enter the interface command (with a specific interface) while in the global configuration mode.
  Prompt: 1710(config-if)#

Mode: Router configuration
  Access method: Enter your router command followed by the appropriate keyword while in global configuration mode.
  Prompt: 1710(config-router)#

Mode: Line configuration
  Access method: Specify a line with the line vty command while in the global configuration mode.
  Prompt: 1710(config-line)#
  Exit method: To exit to global configuration mode, enter the end command.
• Enter a command, a space, and a question mark to list the available keywords (and a short definition of the keywords) that can be used with the command:
  Router(config-if)# snapshot ?
    client  Enable client control of Snapshot routing
    server  Send routing updates out this link when updates are received
• Enter a command, a keyword, a space, and a question mark to list the range of values (and a short definition of the valu
An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters. An enable password can contain any number of uppercase and lowercase alphanumeric characters. In both cases, a number cannot be the first character. Spaces are also valid password characters; for example, “two words” is a valid password. Leading spaces are ignored; trailing spaces are recognized.
Using Commands

This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).

Abbreviating Commands

You only have to enter enough characters for the router to recognize the command as unique. This example shows how to enter the show configuration command:
  1710# show conf
  Using 385 out of 7506 bytes
  !
  version 12.2
  no service udp-small-servers
  no service tcp-small-servers
  . . .
Table 1-3 Common CLI Error Messages (continued)

Error message: % Incomplete command.
  Meaning: You did not enter all of the keywords or values required by this command.
  How to get help: Reenter the command followed by a question mark (?) with no space between the command and the question mark. The possible keywords that you can enter with the command are displayed.

Error message: % Invalid input detected at ‘^’ marker.
Using Debug Commands

Debug commands are provided for most of the configurations in this document. You can use the debug commands to troubleshoot any configuration problems that you might be having on your network. Debug commands provide extensive, informative displays to help you interpret any possible problems. Table 1-4 contains important information about debug commands.
Where to Go Next

Now that you have learned some Cisco IOS software basics, you can begin to configure your router. Remember that:
• You can use the question mark (?) and arrow keys to help you enter commands.
• Each command mode restricts you to a set of commands. If you are having difficulty entering a command, check the prompt, and then enter the question mark (?) for a list of available commands.
CHAPTER 2 Cisco 1710 Security Router Configuration

This chapter presents basic configuration procedures for features of the Cisco 1710 Security router. For a full description of these features and their configurations, please refer to Cisco IOS Software Configuration: Cisco IOS Release 12.2.
Before You Configure Your Network

Before you configure your network, you must do the following:
• Arrange for a digital subscriber line (DSL) or cable connection with your corporate network or service provider.
Step    Command          Task
Step 5  protocol pppoe   Specify the tunneling protocol as PPPoE.
Step 6  end              Exit router configuration mode.

Configuring IP Security

IP Security (IPSec) is a framework of open standards for ensuring secure private communications over IP networks.
Step     Command                                              Task
Step 9   crypto mib ipsec flowmib history failure size size   Set the size of the failure history table.
Step 10  crypto map name local-address Ethernet 0             Specify and name an identifying interface to be used by the crypto map for IPSec traffic.
Step 11  crypto map name seq-num ipsec-isakmp                 Create a crypto map entry in IPSec ISAKMP mode, and enter crypto map configuration mode.
After this command is executed, it is necessary to perform the following procedures to bring up all encryption tunnels appropriately.
Step 1  On all involved routers, shut down the interfaces that have crypto maps applied to them.
Step 2  Enter the following commands on each of the involved routers.
        Command          Task
        clear crypto sa  Clears the security associations applied to the router.
  Statistics for Virtual Private Network (VPN) Module:
    0 packets in         0 packets out
    0 paks/sec in        0 paks/sec out
    0 Kbits/sec in       0 Kbits/sec out
    rx_no_endp: 0        rx_hi_discards: 0     fw_failure: 0
    invalid_sa: 0        invalid_flow: 0       cgx_errors 0
    fw_qs_filled: 0      fw_resource_lock:0    lotx_full_err: 0
    null_ip_error: 0     pad_size_error: 0     out_bound_dh_acc: 0
    esp_auth_fail: 0     ah_auth_failure: 0    crypto_pad_error: 0
    ah_prot_absent: 0    ah_seq_failure:
Step    Command                  Task
Step 6  dialer-group 1           Assign this interface to a dialer list.
Step 7  ppp authentication chap  Optional. Set the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).
Step 8  exit                     Exit Dialer 0 interface configuration.

Configuring the Ethernet Interfaces

Configure the Ethernet interfaces by performing the following tasks. Begin in the global configuration mode.
Configuring Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) is used to enable hosts (DHCP clients) on an IP network to obtain their configurations from a server (DHCP server). This reduces the work necessary to administer an IP network. The most significant configuration option the client receives from the server is its IP address.
172.16.1.0 and 172.16.2.0. In each pool, clients are granted 30-day leases and all addresses in each subnetwork, except the excluded addresses, are available to the DHCP server for assigning to clients. Note that the FTP URL given to the ip dhcp database command carries the FTP user name and password in cleartext in the router configuration.
  ip dhcp database ftp://user:password@172.16.4.253/router-dhcp write-delay 120
  ip dhcp excluded-address 172.16.1.100 172.16.1.103
  ip dhcp excluded-address 172.16.2.100 172.16.2.
   dns-server 172.16.1.102 172.16.2.102
   netbios-name-server 172.16.1.103 172.16.2.103
   netbios-node-type h-node

Configuring Network Address Translation

Network Address Translation (NAT) translates IP addresses within private “internal” networks to “legal” IP addresses for transport over public “external” networks (such as the Internet). Incoming traffic is translated back for delivery within the inside network.
Configuration Example

In this example, we want NAT to allow certain devices on the inside to originate communication with devices on the outside by translating their internal addresses to valid outside addresses or a pool of addresses. The pool in this example is defined as the range of addresses 172.16.10.1 through 172.16.10.63. In order to accomplish this translation, we need to use dynamic NAT.
Then indicate that any packet received on the inside interface, as permitted by access list 7, will have its source address translated to an address from the NAT pool “no-overload.”
  ip nat inside source list 7 pool no-overload
Alternatively, to handle the case where all inside addresses are translated to a single outside address, define a NAT pool named “ovrld,” which has a range of a single IP address: 172.16.10.1.
Access Lists

Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together.
• All matching parameters must be true before a command permits or denies access to a packet.
• There is an implicit “deny all” at the end of the sequence.

Configuration Examples

The following examples illustrate the configuration of standard numbered access lists and extended numbered access lists.
The following commands tie the access group to a specific interface on the router and specify that incoming packets are to be permitted or denied passage:
  interface ethernet 0
  ip access-group 102 in

Inspection Rules

Specify which protocols to examine by using the ip inspect name command.
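As an added illustration of the access-list rules above (every parameter must match, first match decides, implicit deny at the end) and of the dynamic NAT pool behaviour in the preceding NAT section, the following Python model is constructed for this guide and is not Cisco code: it evaluates numbered access lists with IOS wildcard masks and then uses one as the selection list for a dynamic NAT pool, with and without overload. The access-list lines, packet fields and the PAT port allocator are constructed for the example (IOS chooses ports differently); only numeric destination ports with eq are parsed.

```python
"""Added example: IOS-style numbered access lists and dynamic NAT (constructed, not Cisco code)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")       # "any" = base 0.0.0.0, wildcard all ones


def _is_ip(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must equal the base address, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ip(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]      # bare address means wildcard 0.0.0.0


def parse_acls(config_text):
    """Return {number: [entries in order]} from 'access-list N permit|deny ...' lines."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99:                            # standard list: source only
            src, rest = _parse_addr(t[3:])
            entry = {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
        else:                                       # extended list: protocol, source, destination
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entry = {"action": action, "proto": t[3], "src": src, "dst": dst, "dport": dport}
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl, pkt):
    """First entry whose parameters all match decides; falling off the end is an implicit deny."""
    for e in acl:
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (_match(pkt["src"], *e["src"]) and _match(pkt["dst"], *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        return e["action"] == "permit"
    return False                                    # implicit "deny all"


class DynamicNat:
    """Models 'ip nat inside source list N pool P [overload]' for inside-originated packets."""

    def __init__(self, acl, pool_start, pool_end, overload=False):
        first, last = (int(ipaddress.IPv4Address(x)) for x in (pool_start, pool_end))
        self.acl, self.overload = acl, overload
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.table = {}                             # inside local -> inside global
        self.next_port = 1024                       # constructed PAT port allocator

    def translate(self, pkt):
        """Return (global address, global port). Packets the list does not select pass
        through unchanged; when a non-overload pool is exhausted, return None (dropped)."""
        key = (pkt["src"], pkt.get("sport")) if self.overload else pkt["src"]
        if not evaluate(self.acl, pkt):
            return (pkt["src"], pkt.get("sport"))
        if key not in self.table:
            if self.overload:                       # many locals share one global address
                self.table[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            else:                                   # one pool address per inside local address
                in_use = set(self.table.values())
                free = [a for a in self.pool if a not in in_use]
                if not free:
                    return None
                self.table[key] = free[0]
        g = self.table[key]
        return g if self.overload else (g, pkt.get("sport"))
```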
Complete Sample Configuration

In this example, both the Cisco 1710 Security router and the network access router have inside and outside interfaces. The outside interfaces have global IP addresses while the inside interfaces have local IP addresses. These addresses are as follows:
• Cisco 1710 Security router outside interface: 24.119.216.150 255.255.255.0
• Cisco 1710 Security router inside interface: 192.168.1.0 255.255.255.
Cisco 1710 Security Router Configuration

The following commands configure the router so that it provides a secure connection to the network access router.
  ip domain-name cisco.com
  ip name-server 24.1.64.33
  ip name-server 24.1.64.34
  ip dhcp excluded-address 192.168.1.1 192.168.1.5
  !
  ip dhcp pool home-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name cisco.com
   dns-server 24.1.64.
  !
  crypto map tag local-address Ethernet0
  crypto map tag 10 ipsec-isakmp
   set peer 16.0.0.2
   set security-association level per-host
   set transform-set proposal1
   set pfs group2
   match address 100
  !
  interface Dialer0
   ip unnumbered Ethernet0
   no ip route-cache
   encapsulation ppp
   ip mtu 1492
   dialer pool 1
   dialer-group 1
   ip nat outside
   ip inspect fw_all in
   ip access-group 102 in
   crypto map tag
  !
  interface FastEthernet0
   ip address 192.
Network Access Router Configuration

The following commands configure the network access router so that it provides a secure connection to the Cisco 1710 Security router.
  crypto isakmp key 12abcjhrweit345 address 24.19.216.
CHAPTER 3 Overview of Routing Between Virtual LANs

This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information about designing VLANs.
What Is a VLAN?

A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment; for example, LAN switches that operate bridging protocols between them with a separate bridge group for each VLAN.
Figure 3-1 LAN Segmentation and VLAN Segmentation (figure: traditional LAN segmentation, with LAN 1 to LAN 3 on shared hubs, one per floor, joined by a router, beside VLAN segmentation, with VLAN 1 to VLAN 3 on Catalyst VLAN switches joined by a router)

Security

VLANs also improve security by isolating groups.
Performance

The logical grouping of users allows an accounting group to make intensive use of a networked accounting system assigned to a VLAN that contains just that accounting group and its servers. That group’s work will not affect other users. The VLAN configuration improves general network performance by not slowing down other users sharing the network.

Network Management

The logical grouping of users allows easier network management.
The VLAN ID allows VLAN switches and routers to selectively forward packets to ports with the same VLAN ID. The switch that receives the frame from the source station inserts the VLAN ID, and the packet is switched onto the shared backbone network. When the frame exits the switched LAN, a switch strips the header and forwards the frame to interfaces that match the VLAN color.
Procedures for configuring routing between VLANs with IEEE 802.1Q encapsulation are provided in the “Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation” chapter later in this publication.

VLAN Translation

VLAN translation refers to the ability of the Cisco IOS software to translate between different virtual LANs or between VLAN and non-VLAN encapsulating interfaces at Layer 2.
CHAPTER 4 Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation

This chapter describes the required and optional tasks for configuring routing between VLANs with IEEE 802.1Q encapsulation. For complete descriptions of the VLAN commands used in this chapter, refer to the “Cisco IOS Switching Commands” chapter in the Cisco IOS Switching Services Command Reference.
• Defining the encapsulation format as IEEE 802.1Q
• Customizing the protocol according to the requirements for your environment
The configuration processes documented in this chapter include the following:
• Configuring AppleTalk Routing over IEEE 802.1Q
• Configuring IP Routing over IEEE 802.1Q
• Configuring IPX Routing over IEEE 802.
Configuring AppleTalk on the Subinterface

After you enable AppleTalk globally and define the encapsulation format, you need to enable it on the subinterface by specifying the cable range and naming the AppleTalk zone for each interface.
To route IP over IEEE 802.1Q between VLANs, you need to customize the subinterface to create the environment in which it will be used.
Assigning an IP Address to a Network Interface

An interface can have one primary IP address. To assign a primary IP address and a network mask to a network interface, use the following command in interface configuration mode:
  Command                      Purpose
  ip address ip-address mask   Sets a primary IP address for an interface.
Defining the VLAN Encapsulation Format

To define the encapsulation format as IEEE 802.1Q, use the following commands in interface configuration mode:
  Step    Command                                          Purpose
  Step 1  interface fastethernet port.subinterface-number  Specifies the subinterface on which IEEE 802.1Q will be used.
  Step 2  encapsulation dot1q vlan-identifier              Defines the encapsulation format as IEEE 802.
Configuring AppleTalk over IEEE 802.1Q

This configuration example shows AppleTalk being routed on VLAN 100:
  !
  appletalk routing
  !
  interface fastethernet 0.100
   encapsulation dot1q 100
   appletalk cable-range 100-100 100.1
   appletalk zone eng
  !

Configuring IP Routing over IEEE 802.1Q

This configuration example shows IP being routed on VLAN 101:
  !
  ip routing
  !
  interface fastethernet 0.
VLAN Commands

This section provides an alphabetical listing of all the VLAN commands that are new or specific to the Cisco 1710 router. All other commands used with this feature are documented in the Cisco IOS Release 12.1T command reference documents.
debug vlan packets

Use the debug vlan packets privileged EXEC command to display general information on virtual LAN (VLAN) packets that the router received but is not configured to support:
  debug vlan packets
The no form of this command disables debugging output:
  no debug vlan packets
Syntax Description: This command has no arguments or keywords.
Command Mode: Privileged EXEC.
encapsulation dot1q

To enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in virtual LANs, use the encapsulation dot1q command in subinterface configuration mode. IEEE 802.1Q is a standard protocol for interconnecting multiple switches and routers and for defining VLAN topologies. The command is as follows:
  encapsulation dot1q vlan-id
Syntax Description: vlan-id  Virtual LAN identifier.
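To make concrete what the vlan-id argument of encapsulation dot1q becomes on the wire, and what the switch does when it inserts and strips the VLAN ID as described in the "Why Implement VLANs?" section of Chapter 3, here is an added Python example, constructed for this guide and not Cisco code: it builds an IEEE 802.1Q tag, parses it back, strips it, and forwards a frame only to ports whose VLAN matches the tag. The MAC addresses, payload and port names are constructed.

```python
"""Added example: insert, parse and strip an IEEE 802.1Q VLAN tag (constructed, not Cisco code)."""
import struct

TPID_8021Q = 0x8100        # on a tagged frame the EtherType slot holds this Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType, payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, priority=0, dei=0):
    """What the ingress switch does: insert TPID + TCI right after the source MAC.

    TCI = 3-bit priority (PCP) | 1-bit drop-eligible (DEI) | 12-bit VLAN ID.
    The vlan-id given to encapsulation dot1q is the 12-bit field set here.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("priority is 0-7 and DEI is 0 or 1")
    if len(frame) < 14:
        raise ValueError("not a complete Ethernet header")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return a dict with vlan_id (None when untagged), priority, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("not a complete Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan_id": None, "priority": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan_id": tci & 0x0FFF, "priority": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


def strip_tag(frame):
    """What the egress switch does toward an untagged port: remove the 4-byte tag."""
    if parse_frame(frame)["vlan_id"] is None:
        return frame
    return frame[:12] + frame[16:]


def egress_ports(frame, port_vlans):
    """Forward only to ports whose VLAN 'color' equals the frame's VLAN ID."""
    vid = parse_frame(frame)["vlan_id"]
    return sorted(port for port, vlan in port_vlans.items() if vlan == vid)
```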
show vlans

To view virtual LAN (VLAN) subinterfaces, use the show vlans privileged EXEC command:
  show vlans
Syntax Description: This command has no arguments or keywords.
Command Mode: Privileged EXEC.
Example: The following is sample output from the show vlans command:
  1710_2# show vlans
  Virtual LAN ID:1 (IEEE 802.
Table 4-1 describes the fields shown in the output.
APPENDIX A ROM Monitor

This appendix describes the Cisco 1710 Security router ROM monitor (also called the bootstrap program). The ROM monitor firmware runs when the router is powered up or reset and helps to initialize the processor hardware and boot the operating system software. You can perform certain configuration tasks, such as recovering a lost password or downloading software over the console port, by using ROM monitor.
Entering the ROM Monitor

Follow these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted:
Step 1  If there is an enable password configured, enter the enable command and the enable password to enter privileged EXEC mode.
        1700> enable
Step 2  Enter global configuration mode.
        1700# configure terminal
Step 3  Reset the configuration register.
        1700(config)# config-reg 0x0
Step 4  Exit global configuration mode.
ROM Monitor Commands

Enter ? or help at the ROM monitor prompt to display a list of available commands and options, as follows:
  rommon 1 > ?
  alias      set and display aliases command
  boot       boot up an external process
  break      set/show/clear the breakpoint
  confreg    configuration register utility
  cont       continue executing a downloaded image
  context    display the
  cookie
  dev
  dir
  dis
  dnld
  frame
  help
  history
  meminfo
  repeat
  reset
  set
  stack
  sync
  sysret
  tftpdnld
  unalias
  unset
  xmodem
Command Descriptions

This section describes the most commonly used ROM monitor commands:

Table A-1 Most Commonly Used ROM Monitor Commands
  Command    Description
  help or ?  Displays a summary of all available ROM monitor commands.
Table A-1 Most Commonly Used ROM Monitor Commands (continued)
  Command                Description
  b flash: [filename]    Attempts to boot the image directly from the first partition of Flash memory. If you do not enter a filename, this command boots the first image in Flash.
  b flash:2: [filename]  Attempts to boot the image directly from the second partition of Flash memory.
Required Variables

The following variables must be set with the commands shown before using the tftpdnld command:
  Variable                                                                   Command
  IP address of the router.                                                  IP_ADDRESS=ip_address
  Subnet mask of the router.                                                 IP_SUBNET_MASK=ip_address
  IP address of the default gateway of the router.                           DEFAULT_GATEWAY=ip_address
  IP address of the TFTP server from which the software will be downloaded.
Optional Variables

The following variables can be set with the commands shown before using the tftpdnld command:
  Variable                                                     Command
  Configures how the router displays file download progress.   TFTP_VERBOSE=setting
    0—No progress is displayed.
    1—Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
    2—Detailed progress is displayed during the file download process.
Using the TFTP Download Command

The steps described in this section should be performed while in ROM monitor mode.
Step 1  Use the appropriate commands to enter all the required variables and any optional variables described earlier in this section.
Step 2  Enter the tftpdnld command as follows:
        rommon 1 > tftpdnld [ -r ]
Note: The -r variable is optional.
Configuration Register

The virtual configuration register is in NVRAM and has the same functionality as other Cisco routers. You can view or modify the virtual configuration register from either the ROM monitor or the operating system software. To change the virtual configuration register from the ROM monitor, enter confreg by itself for menu mode, or enter the new value of the register in hexadecimal.
  boot: the ROM Monitor
  do you wish to change the configuration? y/n  [n]:
  You must reset or power cycle for new config to take effect

Console Download

You can use console download, a ROM monitor function, to download over the router console port either a software image or a configuration file. After download, the file is either saved to the mini-Flash module or to main memory for execution (image files only).
Command Description

Following are the syntax and argument descriptions for the xmodem console download command. The syntax is as follows:
  xmodem [-cyrx] destination_file_name
The argument descriptions are as follows:
  Argument  Description
  c         Optional. Performs the download using CRC-16 error checking to validate packets. Default is 8-bit CRC.
  y         Optional. Sets the router to perform the download using ymodem protocol. Default is xmodem protocol.
Error Reporting

Because the ROM monitor console download uses the console to perform the data transfer, error messages are displayed on the console only when the data transfer is terminated. If an error does occur during a data transfer, the transfer is terminated, and an error message is displayed.