Cisco CISCO876-SEC-I-K9 Configuration Guide

Cisco CISCO876-SEC-I-K9 - 876 Security Bundle Router Manual

Cisco CISCO876-SEC-I-K9 manual content summary:

  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 1
    Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-5332-01
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 2
    are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0501R) Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide Copyright © 2005, Cisco Systems, Inc. All rights reserved.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 3
    a Service Request 14 Getting Started Basic Router Configuration 1 Interface Port Labels 1 Viewing the Default Configuration 2 Information Needed for Configuration 4 Configuring Basic Parameters 5 Configure Global Parameters 5 Configure Fast Ethernet LAN Interfaces 6 Configure WAN Interfaces
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 4
    Your DHCP Configuration 4 Configure VLANs 5 Assign a Switch Port to a VLAN 6 Verify Your VLAN Configuration 6 6 CHAPTER Configuring a VPN Using Easy VPN and an IPSec Tunnel 1 Configure the IKE Policy 4
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 5
    Interfaces 4 Configuration Example 5 Configuring a Wireless LAN Connection 1 Configure the Root Radio Station 2 Configure Bridging on VLANs 4 Configure Radio Station Subinterfaces 6 Configuration Example 7 Sample Configuration 1 Configuring Additional Features and Troubleshooting
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 6
    ISDN Peer Router 20 Troubleshooting 1 Getting Started 1 Before Contacting Cisco or Your Reseller 1 ADSL Troubleshooting 2 SHDSL Troubleshooting 2 ATM Troubleshooting Commands 2 ping atm interface Command 3
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 7
    6 Abbreviating Commands 6 Undoing Commands 6 Command-Line Error Messages 6 Saving Configuration Changes 7 Summary 7 Where to Go Next 7 Concepts 1 ADSL 1 SHDSL 2 Network Protocols 2 IP 2 Routing Protocol Options 2
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 8
    4 Required Variables 4 Optional Variables 5 Using the TFTP Download Command 5 Configuration Register 6 Changing the Configuration Register Manually 6 Changing the Configuration Register Using Prompts 6
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 9
    D APPENDIX INDEX Console Download 7 Command Description 8 Error Reporting 8 Debug Commands 8 Exiting the ROM Monitor 10 Common Port Assignments 1
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 10
    Contents
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 11
    with minimal familiarity with Cisco routers use the Cisco Router and Security Device Manager (SDM)-a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Address Translation (NAT), firewalls, VPNs, and other features on your router. To obtain the SDM
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 12
    "-Provides instructions on how to configure your Cisco router for dial backup and remote management. • Chapter 14, "Troubleshooting"-Provides information on identifying and solving problems with the ADSL line and the telephone interface. Also explains how to recover a lost software password. Part
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 13
    and User Datagram Protocol (UDP) port numbers. • Index Conventions This guide uses the conventions described in the following sections for instructions and of information that you must enter.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 14
    a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 15
    PART 1 Getting Started
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 16
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 17
    of your Cisco router, including global parameter settings, routing protocols, interfaces, and command-line access. It also describes the default configuration on startup. Note Individual router models may not support every feature described throughout this guide. Features not supported by
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 18
    Viewing the Default Configuration Chapter 1 Basic Router Configuration Table 1-1 Supported Interfaces and Associated Port Labels by Cisco Router (continued) Router Cisco 871 Cisco 857 Cisco 876 Cisco 877 Cisco 878 Interface Fast Ethernet LAN Fast Ethernet WAN Wireless LAN USB Fast Ethernet LAN
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 19
    Router Configuration Viewing the Default Configuration no aaa new-model ip subnet-zero ! ip cef ip ips po max-events 100 no ftp-server write-enable ! interface FastEthernet0 no ip address shutdown ! interface FastEthernet1 no ip address shutdown ! interface FastEthernet2 no ip address shutdown
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 20
    ) - PPP password to access your Internet service provider (ISP) account - DNS server IP address and default gateways • If you are setting up a connection to a corporate network, you and the network administrator must generate and share the following information for the WAN interfaces of the routers
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 21
    router. Disables the router from translating unfamiliar words (typos) into IP addresses. For complete information on the global parameter commands, see the Cisco IOS Release 12.3 documentation set.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 22
    and Cisco 871 router models. Perform these steps to configure the Fast Ethernet interface, beginning in global configuration mode: Step 1 Command interface type number Example: Router(config)# interface fastethernet 4 Router(config-int)# Step 2 ip address ip-address mask Example: Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 23
    type number Example: Router(config)# interface atm0 Router(config-int)# Identifies and enters the configuration mode for an ATM interface. Step 3 ip address ip-address mask Example: Router(config-int)# ip address 10.10.10.100 255.255.255.0 Router(config-int)# Sets the IP address and subnet mask
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 24
    static IP address and provides default routing information. For complete information on the loopback commands, see the Cisco IOS Release 12.3 documentation set. Perform these steps to configure a loopback interface: Step 1 Command interface type number Example: Router(config)# interface Loopback
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 25
    Router(config)# Purpose Enters line configuration mode, and specifies the type of line. This example specifies a console terminal for access. Specifies a unique password for the console terminal line.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 26
    aldf2ad1 Router(config)# Step 7 login Example: Router(config)# login Router(config)# Step 8 end Example: Router(config)# end Router# Purpose Enables password checking at terminal session login. Sets the interval that the EXEC command interpreter waits until user input is detected. The default is
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 27
    static routes on the Cisco 850 and Cisco 870 series routers is optional. Perform these steps to configure static routes, beginning in global configuration mode: Step 1 Command ip route prefix mask {ip-address | interface-type interface-number [ip-address]} Example: Router(config)# ip route 192.168
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 28
    interface to another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC. You do not need to enter the commands marked "(default)." These commands appear automatically in the configuration file generated when you use the show running-config command. ! ip
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 29
    Router(config)# router rip Router(config-router)# Task Enters router configuration mode, and enables RIP on the router. Step 2 version {1 | 2} Specifies use of RIP version 1 or 2. Example: Router(config-router)# version 2 Router(config-router)# Step 3 network ip-address Example: Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 30
    109 Router(config)# Purpose Enters router configuration mode, and enables EIGRP on the router. The autonomous-system number identifies the route to other EIGRP routers and is used to tag the EIGRP information.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 31
    (config-router)# end Router# Purpose Specifies a list of networks on which EIGRP is to be applied, using the IP address of the network of directly connected networks. Exits router configuration mode, and enters privileged EXEC mode. For complete information on the IP EIGRP commands, see the Cisco
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 32
    Configuring Enhanced IGRP Chapter 1 Basic Router Configuration
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 33
    PART 2 Configuring Your Router for Ethernet and DSL Access
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 34
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 35
    your router for DSL-based networks. • Chapter 4, "Configuring PPP over ATM with NAT" • Chapter 5, "Configuring a LAN with DHCP and VLANs" • Chapter 6, "Configuring a VPN Using Easy VPN and an IPSec Tunnel"
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 36
    Chapter 2 Sample Network Deployments • Chapter 7, "Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation" • Chapter 8, "Configuring a Simple Firewall"
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 37
    WAN interface (outside interface for NAT) 6 Cable modem or other server (for example, a Cisco 6400 server) that is connected to the Internet 7 PPPoE session between the client and a PPPoE server
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 38
    single IP address. Complete the following steps to configure a VPDN, starting from the global configuration mode. See the "Configure Global Parameters" section on page 1-5 for details about entering this mode. Step 1 Command or Action vpdn enable Example: Router(config)# vpdn enable Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 39
    dial-pool-number 1 Router(config-if)# Purpose Enters interface configuration mode for a Fast Ethernet WAN interface. Configures the PPPoE client and specifies the dialer interface to use for cloning.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 40
    of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes. Sets the encapsulation type to PPP for the data packets being transmitted and received.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 41
    IP route for the default gateway for the dialer 0 interface. For details about this command and additional parameters that can be set, see the Cisco IOS IP Command Reference, Volume 2; Routing Protocols.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 42
    that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. interface type number Example: Router(config)# interface vlan 1 Router(config-if)# Enters configuration mode for the VLAN (on which the
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 43
    be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Enables the configuration changes just made to the Ethernet interface. Step 10 exit Example: Router(config-if)# exit Router(config)# Exits configuration
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 44
    is configured for inside and outside Note Commands marked by "(default)" are generated automatically when you run the show running-config command. vpdn enable vpdn-group 1 request-dialin protocol pppoe ! interface vlan 1 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast (default) ip nat
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 45
    Vlan1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 46
    Configuration Example Chapter 3 Configuring PPP over Ethernet with NAT
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 47
    ATM provides a network solution with simplified address handling and straight user verification like a dial network. Figure 4-1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router. This scenario uses a single static IP address for the ATM connection. Figure
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 48
    old telephone service (POTS) using the Cisco 857 or Cisco 877 router • ADSL over integrated services digital network (ISDN) using the Cisco 876 router • Single-pair high-speed digital subscriber line (G.SHDSL) using the Cisco 878 router The Fast Ethernet interface carries the data packet through
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 49
    Router(config-if)# Specifies that the IP address for the dialer interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation. Step 3 ip mtu bytes Example: Router(config-if)# ip mtu 4470 Router(config-if)# Sets the size of the IP maximum transmission unit (MTU). The default
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 50
    can be set, see the Cisco IOS Dial Technologies Command Reference. Step 10 ip route prefix mask {interface-type interface-number} Example: Router(config)# ip route 10.10.25.2 0.255.255.255 dialer 0 Router(config)# Sets the IP route for the default gateway for the dialer 0 interface. For details
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 51
    ppp dialer Router(config-if-atm-vc)# Purpose Enters interface configuration mode for the ATM interface (labeled ADSLoPOTS or G.SHDSL on the back of your router). Note This interface was initially configured during basic router configuration. See the "Configure WAN Interfaces" section on page
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 52
    Cisco 876 supports ADSL signaling over ISDN, and the Cisco 878 supports SHDSL signaling. Based on the router you are configuring, see one of the following sections to configure the appropriate DSL signaling protocol. • Configuring ADSL • Configuring SHDSL Configuring ADSL The default configuration
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 53
    the show dsl interface atm command from privileged EXEC mode. Configuring SHDSL Complete the following steps to configure the DSL controller in your router to use SHDSL signaling, beginning in global configuration mode. Step 1 Command controller dsl port Example: Router(config)# controller dsl
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 54
    mode. Note If you are integrating your Cisco router into a European network, use the dsl dsl-mode shdsl symmetric annex {A | B} command to choose annex B. The router uses annex A by default (United States). Verify the Configuration You can verify that the configuration is set the way you want by
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 55
    IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE0-FE3] reside) to be the inside interface for NAT.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 56
    can be set, as well as enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Enables the configuration changes just made to the Ethernet interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 57
    (default) ! interface ATM0 no ip address ip nat outside ip virtual-reassembly no atm ilmi-keepalive pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! dsl operating-mode auto !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 58
    Chapter 4 Configuring PPP over ATM with NAT interface Dialer0 ip address negotiated ip mtu 1492 encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap ! ip classless (default) ! ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255 ip nat inside source list 1 interface Dialer0
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 59
    as a DHCP server, providing IP address assignment and other TCP/IP-oriented configuration information to your workstations. DHCP frees you from having to manually assign an IP address to each client.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 60
    with the configuration data from the Network Registrar database. VLANs The Cisco 870 series access routers support four Fast Ethernet ports on which you can configure VLANs. VLANs enable networks to be segmented and formed into logical groups of users, regardless of the user's physical location
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 61
    Chapter 5 Configuring a LAN with DHCP and VLANs Configure DHCP Step 3 Command ip dhcp excluded-address low-address [high-address] Example: Router(config)# ip dhcp excluded-address 192.168.9.0 Purpose Specifies IP addresses that the DHCP server should not assign to DHCP clients. In this example,
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 62
    in this chapter. ip dhcp excluded-address 192.168.9.0 ! ip dhcp pool dpool1 import all network 10.10.0.0 255.255.255.0 default-router 10.10.10.10 dns-server 192.168.35.2 domain-name cisco.com ! ip domain name smallbiz.com ip name-server 192.168.11.12 Verify Your DHCP Configuration Use the following
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 63
    Chapter 5 Configuring a LAN with DHCP and VLANs Configure VLANs Router# show ip dhcp server statistics Memory usage 15419 Address pools 1 Database agents 0 Automatic bindings 0 Manual bindings 0 Expired bindings 0 Malformed messages 0 Secure arp entries 0 Message BOOTREQUEST
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 64
    Configure VLANs Chapter 5 Configuring a LAN with DHCP and VLANs Assign a Switch Port to a VLAN Perform these steps to assign a switch port to a VLAN, beginning in global configuration mode: Command Step 1 interface switch port id Example: Router(config)# interface FastEthernet 2 Router(config-if
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 65
    vlan-switch VLAN Name Status Ports 1 default active Fa0, Fa1, Fa3 2 VLAN0002 active Fa2 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 66
    Configure VLANs Chapter 5 Configuring a LAN with DHCP and VLANs VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 1 ibm - 0 0 1005 trnet 101005 1500 - - 1 ibm - 0 0
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 67
    corporate network. Figure 6-1 shows a typical deployment scenario. Note The material in this chapter does not apply to Cisco 850 series routers. Cisco 850 series routers do not support Cisco Easy VPN.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 68
    supported Cisco 870 series access router. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 69
    6 Configuring a VPN Using Easy VPN and an IPSec Tunnel Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 70
    , 60-86400 seconds, for an IKE security association (SA). Step 7 exit Example: Router(config-isakmp)# exit Router(config)# Exits IKE policy configuration mode, and enters global configuration mode.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 71
    6 ip local pool {default | poolname} [low-ip-address [high-ip-address]] Example: Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30 Router(config)# Specifies a local address pool for the group. For details about this command and additional parameters that can be set, see the Cisco IOS
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 72
    login rtr-remote local Router(config)# Specifies AAA authentication of selected users at login, and specifies the method used. This example uses a local authentication database. You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration Guide and Cisco IOS
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 73
    . For details, see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference. username name {nopassword | password password | password encryption-type encrypted-password} Example: Router(config)# username Cisco password 0 Cisco Router(config)# Establishes a username-based
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 74
    -set-name [transform-set-name2...transform-set-name6] Specifies which transform sets can be used with the crypto map entry. Example: Router(config-crypto-map)# set transform-set vpn1 Router(config-crypto-map)#
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 75
    interface type number Example: Router(config)# interface fastethernet 4 Router(config-if)# Purpose Enters the interface configuration mode for the interface to which you want the crypto map applied.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 76
    Example: Router(config-crypto-ezvpn)# mode client Router(config-crypto-ezvpn)# Purpose Creates a Cisco Easy VPN remote configuration, and enters Cisco Easy VPN remote configuration mode. Specifies the IPSec group and IPSec key value for the VPN connection. Specifies the peer IP address or hostname
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 77
    )# exit Router(config)# Verifying Your Easy VPN Configuration Router# show crypto ipsec client ezvpn Tunnel name :ezvpnclient Inside interface list:vlan 1 Outside interface:fastethernet 4 Current State:IPSEC_ACTIVE Last Event:SOCKET_UP Address:8.0.0.5 Mask:255.255.255.255 Default Domain:cisco.com
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 78
    secret-password mode client peer 192.168.100.1 ! interface fastethernet 4 crypto ipsec client ezvpn ezvpnclient outside crypto map static-map ! interface vlan 1 crypto ipsec client ezvpn ezvpnclient inside !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 79
    VPN client-Another router, which controls access to the corporate network 7 LAN interface-Connects to the corporate network, with inside interface address of 10.1.1.1 8 Corporate office network 9 IPSec tunnel with GRE
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 80
    tunnel interface. VPNs VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 81
    , 60-86400 seconds, for an IKE security association (SA). Step 7 exit Example: Router(config-isakmp)# exit Router(config)# Exits IKE policy configuration mode, and enters global configuration mode.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 82
    6 ip local pool {default | poolname} [low-ip-address [high-ip-address]] Example: Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30 Router(config)# Specifies a local address pool for the group. For details about this command and additional parameters that can be set, see the Cisco IOS
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 83
    users at method1 [method2...] login, and specifies the method used. Example: Router(config)# aaa authentication login rtr-remote local Router(config)# This example uses a local authentication database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 84
    -set-name [transform-set-name2...transform-set-name6] Specifies which transform sets can be used with the crypto map entry. Example: Router(config-crypto-map)# set transform-set vpn1 Router(config-crypto-map)#
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 85
    Action interface type number Example: Router(config)# interface fastethernet 4 Router(config-if)# Purpose Enters interface configuration mode for the interface to which you want to apply the crypto map.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 86
    Step 4 tunnel destination default-gateway-ip-address Example: Router(config-if)# tunnel destination 192.168.101.1 Router(config-if)# Specifies the destination endpoint of the router for the GRE tunnel.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 87
    aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common ! username cisco password 0 cisco ! interface tunnel 1 ip address 10.62.1.193 255.255.255.252
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 88
    the corp. router as well as ! denies Internet-initiated traffic inbound. ip access-group 103 in ip nat outside no cdp enable crypto map to_corporate ! Applies the IPSec tunnel to the outside interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 89
    Internet-initiated traffic inbound. ! acl 105 matches addresses for the IPSec tunnel to or from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 no cdp run
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 90
    Configuration Example Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 91
    interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall. See the Cisco IOS Security Configuration Guide
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 92
    Configuration," Chapter 3, "Configuring PPP over Ethernet with NAT," and Chapter 4, "Configuring PPP over ATM with NAT," as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 93
    Router(config)# ip inspect name firewall h323 Router(config)# ip inspect name firewall netshow Router(config)# ip inspect name firewall ftp Router(config)# ip inspect name firewall sqlnet Router(config)#
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 94
    configuration mode: Step 1 Command interface type number Example: Router(config)# interface vlan 1 Router(config-if)# Step 2 ip inspect inspection-name {in | out} Example: Router(config-if)# ip inspect firewall in Router(config-if)# Step 3 exit Example: Router(config-if)# exit Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 95
    Internet-initiated traffic inbound.
    ! acl 105 matches addresses for the ipsec tunnel to or from the corporate network.
    access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
    no cdp run
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 97
    the Internet 3 VLAN 1 4 VLAN 2 In the configuration example that follows, a remote user is accessing the Cisco 850 or Cisco 870 series access router using a wireless connection. Each remote user has his own VLAN.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 98
    DHCP, VLANs, and secure tunnels.
    Configure the Root Radio Station
    Perform these steps to create and configure the root radio station for your wireless LAN, beginning in global configuration mode:
    Step 1: interface name number
      Example:
      Router(config)# interface dot11radio 0
      Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 99
    used to access the wireless interface. The example uses the VLAN with optional encryption method of data ciphers. Step 4 ssid name Example: Router(config-if)# ssid cisco Router(config-if-ssid)# Step 5 vlan number Creates a Service Set ID (SSID), the public name of a wireless network. Note All of
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 100
    : Router(config)# interface vlan 1 Router(config)# Purpose Specifies the type of bridging. The example specifies integrated routing and bridging. Enters interface configuration mode. We want to set up bridging on the VLANs, so the example enters the VLAN interface configuration mode.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 101
    bridge interface. Specifies the protocol for the bridge group. Specifies the address for the virtual bridge interface. Repeat Step 2 through Step 7 above for each VLAN that requires a wireless interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 102
    is used on the specified subinterface. Step 4 no cdp enable Example: Router(config-subif)# no cdp enable Router(config-subif)# Disables the Cisco Discovery Protocol (CDP) on the wireless interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 103
    example shows a portion of the configuration file for the wireless LAN scenario described in the preceding sections.
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     !
     broadcast-key vlan 1 change 45
     !
     !
     encryption vlan 1 mode ciphers tkip
     !
     ssid cisco
      vlan 1
      authentication open
      wpa-psk ascii
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 104
     no ip address
     bridge-group 3
     bridge-group 3 spanning-disabled
    !
    interface BVI1
     ip address 10.0.1.1 255.255.255.0
    !
    interface BVI2
     ip address 10.0.2.1 255.255.255.0
    !
    interface BVI3
     ip address 10.0.3.1 255.255.255.0
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 105
    of the Ethernet WAN interface, DHCP, VLAN, Easy VPN, and wireless interface configurations made in previous chapters. This allows you to view what a basic configuration provided by this guide looks like in a single sample, Example 10-1. Note Commands marked by "(default)" are generated automatically
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 106
    Sample Configuration
    interface dialer 1
     ip address negotiated
     ppp authentication chap
     dialer pool 1
     dialer-group 1
    !
    dialer-list 1 protocol ip permit
    ip nat inside source list 1 interface dialer 0 overload
    ip classless (default)
    ip route 10.10.25.2 0.255.255.255 dialer 0
    !
    ip dhcp excluded-address
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 107
    dynmap client configuration address respond
    crypto ipsec client ezvpn ezvpnclient
     connect auto
     group 2 key secret-password
     mode client
     peer 192.168.100.1
    !
    interface Dot11Radio0
     no ip address
     !
     broadcast-key vlan 1 change 45
     !
     encryption vlan 1 mode ciphers tkip
     !
     ssid cisco
      vlan 1
      authentication
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 108
    user AMER\jsomeone nthash 7 0224550C29232E041C6A5D3C5633305D5D560C09027966167137233026580E0B0D
    !
    radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 key cisco123
    !
    control-plane
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 109
     transport preferred all
     transport output all
    line aux 0
     transport preferred all
     transport output all
    line vty 0 4
     password cisco123
     transport preferred all
     transport input all
     transport output all
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 111
    PART 3 Configuring Additional Features and Troubleshooting
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 113
    or troubleshooting needs. See the appropriate Cisco IOS configuration guides and command references for additional details. Note To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. You can access this tool at www.cisco.com > Technical Support
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 115
    , and Accounting AAA network security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 116
    greatly simplifying security configuration on your router. For a complete description of the AutoSecure feature, see the AutoSecure feature document. Configuring Access Lists Access lists (ACLs) permit or deny network traffic over an interface based on source IP address, destination IP address, or
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 117
    configuration. For additional information about configuring a CBAC firewall, see the "Configuring Context-Based Access Control" section of the Cisco IOS Release 12.3 Security Configuration Guide.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 118
    the Cisco IOS Release 12.3 Security Configuration Guide. Configuring VPNs A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 850 and Cisco 870 series access routers support site-to-site VPNs using IP security
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 119
    the ISDN S/T port on the Cisco 876 and Cisco 878 routers Note The console port and the auxiliary port in the Cisco IOS software configuration are on the same physical RJ-45 port; therefore, both ports cannot be activated simultaneously, and the command-line interface (CLI) must be used to enable
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 120
    . For example, a serial 1 interface could be configured to back up a serial 0 interface. The example shows a Basic Rate Interface configured as the backup interface for the ATM 0 interface. Enters global configuration mode. Example: Router(config-if)# exit Router(config)# Floating Static Routes
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 121
    ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
    Router(config)#
    Assigns the lower routing administrative distance value for the backup interface route. 192.168.2.2 is the peer IP address of the backup interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 122
    -type interface-number [ip-address]}
    Assigns the primary route. 22.0.0.2 is the peer IP address of the primary interface.
    Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 22.0.0.2
    Router(config)#
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 123
    IP static route. The IP addresses of the peers are needed for dialer watch to work properly. If a lease time obtained by DHCP is not set short enough (1 or 2 minutes), dial backup will not be supported.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 124
    ppp
     dialer pool-member 1
     isdn switch-type basic-net3
    !
    interface ATM0
     backup interface BRI0
     no ip address
     no atm ilmi-keepalive
     pvc 1/40
      encapsulation aal5snap
      pppoe-client dial-pool-number 2
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 125
     no ip address
     encapsulation ppp
     dialer pool-member 1
     isdn switch-type basic-net3
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 1/40
      encapsulation aal5snap
      pppoe-client dial-pool-number 2
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 126
    BRI0
     no ip address
     encapsulation ppp
     dialer pool-member 1
     isdn switch-type basic-net3
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 1/40
      encapsulation aal5snap
      pppoe-client dial-pool-number 2
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 127
    -list 1 protocol ip permit
    !
    Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
    When customer premises equipment, such as a Cisco 850 or Cisco 870 series router, is connected to an ISP, an IP address is dynamically assigned to the router, or the IP address may be
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 128
    IOS configurations
    Configuration Tasks
    Perform these steps to configure dial backup and remote management for these routers, beginning in global configuration mode:
    Step 1: ip name-server server-address
      Example:
      Router(config)# ip name-server 192.168.28.12
      Router(config)#
    Step 2: ip dhcp
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 129
    interface configuration mode, see the "Configuration Example" section on page 13-13. Enters global configuration mode. Example: Router(config-if)# exit Router(config)# Step 7 interface type number Enters interface configuration mode. Example: Router(config)# interface Dialer 3 Router(config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 130
    interface.
      Example:
      Router(config)# ip nat inside source list 101 interface Dialer 3 overload
    Step 11: ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
      Sets the IP route to point to the dialer interface as a default gateway.
      Example:
      Router(config)# ip route
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 131
    physical interface.
    interface Async1
     no ip address
     encapsulation ppp
     dialer in-band
     dialer pool-member 3
     async default routing
     async dynamic routing
     async mode dedicated
     ppp authentication pap callin
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 132
    management PC IP address.
     peer default ip address 192.168.2.2
     no cdp enable
    !
    ! Need to use your own ISP account and password.
     ppp pap sent-username account password 7 pass
     ppp ipcp dns request
     ppp ipcp wins request
     ppp ipcp mask request
    !
    ! IP NAT over Dialer interface using route-map.
    ip nat
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 133
     modem InOut
     modem autoconfigure discovery
     transport input all
     stopbits 1
     speed 115200
     flowcontrol hardware
    line vty 0 4
     exec-timeout 0 0
     password cisco
     login
    !
    scheduler max-task-time 5000
    end
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 134
    Splitter, DSLAM, and CO Splitter
    [Figure: network diagram showing the ATM network and the Internet; callouts are listed below]
    1 Cisco 876 or Cisco 878 router
    2 DSLAM
    3 ATM aggregator
    4 ISDN switch
    5 ISDN
    6 ISDN peer router
    7 Web server
    8 Administrator
    A Primary DSL interface
    B Dial backup and remote management through the ISDN
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 135
    interface when the primary DSL link is down; serves as dial-in access to allow changes or updates to Cisco IOS configuration Configuration Tasks Perform the following tasks to configure dial backup and remote management through the ISDN S/T port of your router: • Configure ISDN Settings • Configure
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 136
    on other switch types supported, see the Cisco IOS Dial Technologies Command Reference. interface type number Example: Enters configuration mode for the ISDN Basic Rate Interface (BRI). Router(config)# interface bri 0 Router(config-if)# Step 3 encapsulation encapsulation-type Sets the BRI0
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 137
    Configuring Dial Backup and Remote Management Through the ISDN S/T Port Step 8 Command ip address negotiated Example: Router(config-if)# ip address negotiated Router(config-if)# Purpose Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 138
     peer default ip address pool adsl
    !
    interface ATM0
     no ip address
     pvc 1/40
      encapsulation aal5snap
      protocol pppoe
    !
     no atm ilmi-keepalive
    !
    ip local pool adsl 22.0.0.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 22.0.0.1 50
    ip route 0.0.0.0 0.0.0.0 30.1.1.2 80
    !
    This portion of the example configures the
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 139
     peer default ip address pool isdn
    !
    ip local pool isdn 192.168.2.1
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.1
    ip route 40.0.0.0 255.0.0.0 30.1.1.1
    !
    dialer-list 1 protocol ip permit
    !
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 141
    Started • Before Contacting Cisco or Your Reseller • ADSL Troubleshooting • SHDSL Troubleshooting • ATM Troubleshooting Commands • Software Upgrade Methods • Recovering a Lost Password • Managing Your Router with SDM Getting Started Before troubleshooting a software problem, you must connect
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 142
    telephone cable can introduce line errors. SHDSL Troubleshooting Symmetrical high-data-rate digital subscriber line (SHDSL) is available on Cisco 878 and Cisco 1803 router models. If you experience trouble with the SHDSL connection, verify the following: • The SHDSL line is connected and using pins
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 143
    # show interface atm 0
    ATM0 is up, line protocol is up
    Hardware is PQUICC_SAR (with Alcatel ADSL Module)
    Internet address is 14.0.0.16/8
    MTU 1500 bytes, sub MTU 1500, BW 640 Kbit, DLY 80 usec,
    reliability 40/255, txload 1/255, rxload 1/255
    Encapsulation ATM, loopback not set
    Keepalive not supported
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 144
    correctly. Fast Ethernet n is up, line protocol is down The specified Fast Ethernet interface has been correctly configured and enabled, but the Ethernet cable might be disconnected from the LAN.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 145
    of AAL enabled. The Cisco 850 and Cisco 870 series access routers support AAL5. Maximum number of virtual connections this interface supports. Number of active virtual channel connections (VCCs).
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 146
    debug atm errors
    ATM errors debugging is on
    Router#
    01:32:02:ATM(ATM0.2):VC(3) Bad SAP received 4500
    01:32:04:ATM(ATM0.2):VC(3) Bad SAP received 4500
    01:32:06:ATM(ATM0.2):VC(3) Bad SAP received 4500
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 147
    01:32:08:ATM(ATM0.2):VC(3) Bad SAP received 4500
    01:32:10:ATM(ATM0.2):VC(3) Bad SAP received 4500
    debug atm events Command
    Use the debug atm events command to display events that occur on the ATM interface processor and to diagnose problems in
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 148
    00:03:00: DSL: 1: Modem state = 0x8
    00:03:00: DSL: 1: Modem
    Description
    ATM0: Interface that is generating the packet.
    (O): Output packet. (I) would mean receive packet.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 149
    router through the console port. These procedures cannot be performed through a Telnet session. Tip See the "Hot Tips" section on Cisco.com for additional information on replacing enable secret passwords.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 150
    Strataflash) Configuration register is 0x2102 If you do not have access to the router (because of a lost login or tacacs password), you can safely consider that your configuration register is set to 0x2102.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 151
    mode:
    Router> enable
    The prompt changes to the privileged EXEC prompt:
    Router#
    Enter the show startup-config command to display an enable password in the configuration file:
    Router# show startup-config
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 152
    to the configuration being used before you recovered the lost enable password, do not save the configuration changes before rebooting the router. Step 4 Reboot the router, and enter the recovered password.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 153
    Managing Your Router with SDM
    The Cisco SDM tool is a free software configuration utility, supporting the Cisco 850 and Cisco 870 series access routers. It includes a web-based GUI that offers the following features: • Simplified setup •
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 155
    PART 4 Reference Information
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 157
    Enable Secret Passwords and Enable Passwords • Entering Global Configuration Mode • Using Commands • Saving Configuration Changes • Summary • Where to Go Next If you are already familiar with Cisco IOS software, go to one of the following chapters: • Chapter 1, "Basic Router Configuration" • Chapter
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 158
    the Cisco IOS command mode structure. Each command mode supports specific Cisco IOS commands. For example, you can use the interface type number command only from global configuration mode. The following Cisco IOS command modes are hierarchical. When you begin a router session, you are in user EXEC
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 159
    command from user EXEC mode. Router# Global configuration Enter the configure command from privileged EXEC mode. Router (config)# Interface configuration Enter the interface command (with a specific interface, such as interface atm 0) from global configuration mode. Router (config-if)# Exit
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 160
    user-profile to interface clear Reset functions ... To complete a command, enter a few known characters followed by a question mark (with no space): Router> s? * s=show set key for more commands.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 161
    to your router configuration. Enter the configure terminal command to enter global configuration mode:
    Router# configure terminal
    Router(config)#
    You can now make changes to your router configuration.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 162
    entering Cisco IOS commands at the command-line interface (CLI). Abbreviating Commands You only have to enter enough characters for the router to recognize available in this particular command mode.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 163
    startup-config, or enter your desired destination filename and press Return. It might take a minute or two to save the configuration to NVRAM. After the configuration has been saved, the following message appears: Building configuration... Router# Summary Now that you have reviewed some Cisco IOS
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 165
    Concepts APPENDIX B ADSL OL-5332-01 This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers. To review some typical network scenarios, see Chapter 2, "Sample Network Deployments." For information
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 166
    between a network service provider (NSP) central office and a customer site, or on local loops created within either a building or a campus. G.SHDSL devices can extend the reach from central offices and remote terminals to approximately 26,000 feet (7925 m), at symmetrical data rates from 72 kbps
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 167
    By default, every router does not send a hello packet within a prescribed period, Enhanced IGRP assumes that the state of a destination has changed and sends an incremental update. Because Enhanced IGRP supports IP
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 168
    of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 169
    services, such as event logging. User passwords are administered in a central database rather than in individual routers. TACACS+ also provides support for separate modular authentication, authorization, and accounting (AAA) facilities that are configured at individual routers. Network Interfaces
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 170
    requirement is that data be sent to the ATM subsystem of the router in a manner that follows the specific AAL format. Dialer Interface A dialer interface assigns PPP features (such as authentication and IP address assignment method) to a PVC. Dialer interfaces are used when configuring PPP over ATM
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 171
    . By configuring a set of watched routes that define the primary interface, you are able to monitor and track the status of the primary interface as watched routes are added and deleted. When a watched route is deleted, dialer watch checks for at least one valid route for any of the IP addresses or
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 172
    unique IP address; in this case, the Internet). With PPP/IPCP, Cisco routers automatically negotiate a globally unique (registered) IP address for the dialer interface from the ISP router. Easy IP (Phase 2) The Easy IP (Phase 2) feature combines Dynamic Host Configuration Protocol (DHCP) server
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 173
    they perform might differ as well. To configure your IP network for real-time voice traffic, you need to consider the functions of both edge and backbone routers in your network. QoS software enables complex networks to control and predictably service a variety of networked applications and traffic
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 174
    Strict priority queuing allows delay-sensitive data to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 175
    the session and the packet therefore belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 177
    enable
      Purpose: Enters privileged EXEC mode. Enter your password if prompted.
    Step 2: configure terminal
      Purpose: Enters global configuration mode.
    Step 3: config-reg 0x0
      Purpose: Resets the configuration register.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 178
    configuration mode. Reboots the router with the new configuration register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually directories-dir display instruction stream serial download a program
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 179
    initializes the router, router flash memory. Use the tftpdnld command only for disaster recovery, because it erases all existing data in flash memory before downloading a new software image to the router.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 180
    DEFAULT_GATEWAY= ip_address
    TFTP_SERVER= ip_address: IP address of the TFTP server from which the software will be downloaded.
    TFTP_FILE= filename: Name of the file that will be downloaded to the router.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 181
    Configures how the router displays file download progress.
    0-No progress is displayed.
    1-Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
    2-Detailed progress is displayed during the file download process; for example:
    • Initializing interface
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 182
    the contents by describing the meaning of each bit. In either case, the new virtual configuration register value is written into NVRAM but does not take effect until you reset or reboot the router.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 183
    transmitter/receiver (UART). If the PC serial port is not using a 16550 UART, we recommend using a speed of 38,400 bps or less when downloading a Cisco IOS image over the console port.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 184
    you have changed the baud rate from the default rate, the error message is followed by a message telling you to restore the terminal to the baud rate specified in the configuration register. Debug Commands Most ROM monitor debugging commands are functional only when Cisco IOS software has crashed or
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 185
    , and size of NVRAM; for example:
    rommon 9> meminfo
    Main memory size: 40 MB.
    Available main memory starts at 0x10000, size 40896KB
    IO (packet) memory size: 5 percent of main memory.
    NVRAM size: 32KB
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 186
    for new config to take effect:
    rommon 2 > boot
    The router will boot the Cisco IOS image in flash memory. The configuration register will change to 0x2101 the next time the router is reset or power cycled.
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 187
    Time Resource Location Protocol Hostname server Who is Login Host Protocol Domain name server Bootstrap Protocol Server Bootstrap Protocol Client Trivial File Transfer Protocol Any private dial-out service
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 188
    UNIX remote execution (control) TCP-UNIX remote login UDP-UNIX broadcast name service TCP-UNIX remote shell UDP-system log UNIX line printer remote spooling Routing Information Protocol Time server
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 189
    access groups 3 access lists applying to interfaces 4 configuration commands 2 configuring for firewalls 3, 2 description 11 ACK bits 11 Address Resolution Protocol See ARP ADSL configuring 6 ordering 4 overview 1 troubleshooting 2 aggregator, configuring 20 ARP 2 Asymmetric Digital Line Subscriber
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 190
    and GRE 9 VPN with IPSec tunnel 11 wireless LAN 7 configuration prerequisites 4 configuration register changing 10 to 11 changing from ROM monitor 6 value, resetting 12 configuring ATM WAN interface 7
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 191
    8, 9 default configuration, viewing 2 DHCP configuring DHCP server 2 IP address assignment 1 DHCP and Easy IP (Phase 2) 8 DHCP server configuration example 4 configuring router as 1 verify configuration 4 dial backup configuring 1, 9, 16 dialer watch 4 floating static routes 2 dialer interface
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 192
    5, 4 H handshake defined 2 three-way 4 two-way 4 help command 3 help with commands 4 hop count, defined 3 I i command 3 IKE policy, configuring 4, 3 inspection rules applying to interfaces 4
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 193
    20 S/T port for dial backup 16 ISDN interface, configuring 17 ISDN peer router, configuring 20 K k command 9 L LAN with DHCP and VLANs, configuring 1 to 8 LCP 4 LFQ 10 line configuration mode 4 Link Control Protocol See LCP LLC 6 loopback interface, configuring 8 to 9 low latency queuing See LFQ
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 194
    to 10 queues, ATM 10 R radio station subinterfaces, configuring 6 related documents 14 remote access VPN 1 remote management, configuring 9, 16 reset command 3 resetting configuration register value 12 passwords 12 router 11 to 12 RIP configuring 13 overview 2 to 3 ROM monitor commands 2 to 3 debug
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 195
    security features, configuring 1 to 4 settings router default 2 standard VT-100 emulation 2 SHDSL configuring 7 overview 2 troubleshooting 2 show atm interface command 5, 6 show controllers dsl command 8 show dsl interface atm command 7 show interface command 3 site-to-site VPN 1 software, upgrading
  • Cisco CISCO876-SEC-I-K9 | Configuration Guide - Page 196
    Index configuration example 11 configuration tasks 3, 2 configuring 1, 4 W WAN interface, configuring 6, 3 wireless LAN configuration example 7 X xmodem command 8

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Cisco 850 Series and Cisco 870 Series
Access Routers Software
Configuration Guide
Text Part Number: OL-5332-01