advertisement
Cisco 800 Series Integrated Services Routers Software Configuration
Guide
First Published: January 01, 2009
Last Modified: July 22, 2014
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-31704-02
©
2009-14 Cisco Systems, Inc. All rights reserved.
C O N T E N T S
P r e f a c e
C H A P T E R 1
OL-31704-02
Obtaining Documentation and Submitting a Service Request xxvii
Information About Cisco 800 Series ISRs 1
Features of Cisco 860 Series ISRs 2
4-port 10/100 FE LAN Switch of Cisco 860 Series ISRs 2
Security Features for Cisco 860 Series ISRs 2
802.11n Wireless LAN Option for Cisco 860 Series ISRs 2
Features of Cisco 860VAE Series ISRs 2
General Features of Cisco 860 VAE Series Routers 2
Interfaces of Cisco 860 VAE Series ISRs 4
IOS Images for Cisco 860 VAE Series ISRs 5
Models of Cisco 880 Series ISRs 5
Common Features of Cisco 880 Series ISRs 7
4-port 10/100 FE LAN Switch of Cisco 880 Series ISRs 7
802.11n Wireless LAN Option of Cisco 880 Series ISRs 7
Real-Time Clock of Cisco 880 Series ISRs 7
Security Features of Cisco 880 Series ISRs 8
Voice Features of Cisco 880 Series ISRs 8
Cisco 800 Series Integrated Services Routers Software Configuration Guide iii
Contents
C H A P T E R 2
8-port 10/100 FE LAN Switch of Cisco 890 Series ISRs 9
802.11n Wireless LAN Option of Cisco 890 Series ISRs 9
Real-Time Clock of Cisco 890 Series ISRs 9
Security Features of Cisco 890 Series ISRs 9
Features of Cisco 812 Series ISRs 10
3G Features of Cisco 812 Series ISR 10
WLAN Features of Cisco 812 Series ISR 11
Dual Radio of Cisco 812 Series ISR 11
Cleanair Technology of Cisco 812 Series ISR 11
Dynamic Frequency Selection of Cisco 812 Series ISR 11
Platform Features of Cisco 812 Series ISR 11
TFTP with Ethernet WAN Interface Feature of Cisco 812 Series ISR 12
SKU Information for Cisco 812 Series ISR 12
Features of Cisco 819 Series ISRs 12
3G Features of Cisco 819 Series ISRs 12
WLAN Features of Cisco 819 Series ISRs 13
4G LTE Features of Cisco 819 Series ISRs 13
Platform Features of Cisco 819 Series ISRs 13
Security Features of Cisco 819 Series ISRs 13
SKU Information for Cisco 819 Series ISRs 14
Licensing for Cisco 800 Series ISRs 14
Selecting Feature Sets for Cisco 800 Series ISRs 14
Information Needed for Configuration 17
Configuring Command-Line Access 19
Configuring Global Parameters 21
Configuring a Gigabit Ethernet WAN Interface 22
Configuring the Cellular Wireless WAN Interface 23
Prerequisites for Configuring the 3G Wireless Interface 24
Restrictions for Configuring the Cellular Wireless Interface 24
iv
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
C H A P T E R 3
OL-31704-02
Verifying Signal Strength and Service Availability 25
Configuring a GSM Modem Data Profile 26
CDMA Modem Activation and Provisioning 27
Configuring a Cellular Interface 29
Examples for Configuring Cellular Wireless Interfaces 33
Basic Cellular Interface Configuration 34
Tunnel over Cellular Interface Configuration 34
Configuration for 8705 modem 35
Configuring Dual SIM for Cellular Networks 35
Configuring Router for Image and Config Recovery Using Push Button 37
Output When Button Is Not Pushed: Example 38
Output When Button Is Pushed: Example 38
Configuring the Fast Ethernet LAN Interfaces 39
Configuring a Loopback Interface 39
Configuring Routing Information Protocol 42
Configuring Enhanced Interior Gateway Routing Protocol 45
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces 47
Configuring a Network Interface Device on the L3 Interface 47
Verifying the NID Configuration 49
Troubleshooting the NID Configuration 50
Ethernet Data Plane Loopback 50
Restrictions for Configuring Ethernet Data Plane Loopback 51
Configuring External Ethernet Data Plane Loopback 52
Configuration Examples for Ethernet Data Plane Loopback 54
Verifying the Ethernet Data Plane Loopback Configuration 54
Troubleshooting the Ethernet Data Plane Loopback Configuration 55
CFM Support on Routed Port and Port MEP 56
Cisco 800 Series Integrated Services Routers Software Configuration Guide v
Contents
C H A P T E R 4
C H A P T E R 5
Restrictions for Configuring Ethernet CFM 56
Configuring Ethernet CFM (Port MEP) 57
Configuration Example for Ethernet CFM (Port MEP) 59
Verifying the Ethernet CFM Configuration on a Port MEP 59
Configuring Ethernet CFM (Single-Tagged Packets) 61
Configuration Example for Ethernet CFM (Single-Tagged Packets) 63
Verifying the Ethernet CFM Configuration for Single-Tagged Packets 63
Configuring Ethernet CFM (Double-Tagged Packets) 65
Configuration Example for Ethernet CFM (Double-Tagged Packets) 68
Verififying the Ethernet CFM Configuration for Double-Tagged Packets 68
Troubleshooting Ethernet CFM Configuration 70
Support for Y.1731 Performance Monitoring on Routed Port (L3 Subinterface) 71
Restrictions for Configuring Two-Way Delay Measurement 71
Configuring Two-Way Delay Measurement 72
Configuration Examples for Two-Way Delay Measurement 73
Verifying Two-Way Delay Measurement Configuration 74
Troubleshooting Two-Way Delay Measurement Configuration 76
Configuring Power Management 79
Monitoring Power Usage with EnergyWise 79
Configuring Power-over-Ethernet 79
Enabling/Disabling Power-over-Ethernet 79
Verifying the Power-over-Ethernet Configuration on the Interface 80
Configuring Security Features 81
Authentication, Authorization, and Accounting 81
Configuring Cisco IOS Firewall 83
Configuring a VPN over an IPSec Tunnel 87
vi
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
C H A P T E R 6
C H A P T E R 7
OL-31704-02
Configuring Group Policy Information 89
Applying Mode Configuration to the Crypto Map 90
Configuring IPSec Transforms and Protocols 91
Configuring the IPSec Crypto Method and Parameters 92
Applying the Crypto Map to the Physical Interface 93
Creating a Cisco Easy VPN Remote Configuration 94
Configuring a Site-to-Site GRE Tunnel 97
Configuring Backup Data Lines and Remote Management 101
Configuring Backup Interfaces 102
Configuring Cellular Dial-on-Demand Routing Backup 103
Configuring DDR Backup Using Dialer Watch 103
Configuring DDR Backup Using Floating Static Route 105
Cellular Wireless Modem as Backup with NAT and IPsec Configuration 106
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port 109
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port 115
Configuring Aggregator and ISDN Peer Router 120
Configuring Gigabit Ethernet Failover Media 121
Configuring Third-Party SFPs 123
Example for Configuring Third-Party SFPs 126
Configuring Ethernet Switches 127
Switch Port Numbering and Naming 127
Restrictions for the FE Switch 128
VLANs and VLAN Trunk Protocol 128
Layer 2 Ethernet Switching 128
Cisco 800 Series Integrated Services Routers Software Configuration Guide vii
Contents
C H A P T E R 8
BRIDGE-MIB for Layer 2 Ethernet Switching 130
Configuring Ethernet Switches 131
VLANs on the FE and GE Switch Ports 132
VLANs on the GE Port and GE ESW Port of Wireless APs 133
Configuring Layer 2 Interfaces 134
Configuring 802.1x Authentication 134
Configuring Spanning Tree Protocol 134
Configuring MAC Table Manipulation 135
Configuring Cisco Discovery Protocol 135
Configuring the Switched Port Analyzer 136
Configuring Power Management on the Interface 136
Configuring IP Multicast Layer 3 Switching 136
Configuring Per-Port Storm Control 137
Configuring Separate Voice and Data Subnets 137
Configuring Voice Functionality 139
Analog and Digital Voice Port Assignments 140
viii
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
C H A P T E R 9
OL-31704-02
Real-Time Transport Protocols 141
Dual Tone Multi Frequency Relay 142
SCCP-Controlled Analog Ports with Supplementary Features 142
T.37 Store-and-Forward Fax 143
Unified Survival Remote Site Telephony 143
Verification of Voice Configuration 144
Configuring the Serial Interface 145
Configuring the Serial Interface 145
Configuring Serial Interfaces 147
LMI on Frame Relay Interfaces 150
Configuring Serial Interfaces 150
Configuring a Synchronous Serial Interface 151
Specifying a Synchronous Serial Interface 151
Specifying Synchronous Serial Encapsulation 151
Configuring Compression of HDLC Data 152
Using the NRZI Line-Coding Format 153
Enabling the Internal Clock 154
Inverting the Transmit Clock Signal 154
Configuring DTR Signal Pulsing 155
Ignoring DCD and Monitoring DSR as Line Up/Down Indicator 156
Cisco 800 Series Integrated Services Routers Software Configuration Guide ix
Contents
C H A P T E R 1 0
Specifying the Serial Network Interface Module Timing 156
Specifying the Serial Network Interface Module Timing 157
Configuring Low-Speed Serial Interfaces 157
Half-Duplex DTE and DCE State Machines 157
Half-Duplex DTE State Machines 158
Half-Duplex DCE State Machines 159
Placing a Low-Speed Serial Interface in Constant-Carrier Mode 161
Changing Between Synchronous and Asynchronous Modes 162
Changing Between Synchronous and Asynchronous Modes 163
Examples for Interface Enablement Configuration 164
Examples for Low-Speed Serial Interface 164
Examples for Synchronous or Asynchronous Mode 164
Example for Half-Duplex Timers 165
Configuring Wireless Devices 167
Software Modes for Wireless Devices 167
Management Options for Wirelss Device 168
Central Unit in an All-Wireless Network 169
TFTP support with Ethernet WAN interface 171
LEDs for Cisco 819 Series ISRs 171
Basic Wireless Configuration for Cisco 800 Series ISR 174
Starting a Wireless Configuration Session 174
Configuring Wireless Settings 177
Cisco IOS Command Line Interface 177
Configuring Wireless Security Settings 178
Configuring Authentication 178
Configuring WEP and Cipher Suites 178
Configuring Wireless VLANs and Assigning SSIDs 179
x
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
OL-31704-02
Configuring Wireless Quality of Service 181
Configuring the Access Point in Hot Standby Mode 181
Upgrading to Cisco Unified Software 182
Secure an IP Address on the Access Point 182
Example Configuration: Secure an IP Address on the Access Point 182
Confirm that the Mode Setting is Enabled 182
Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode 183
Downgrading the Software on the Access Point 184
Recovering Software on the Access Point 184
Configuring Radio Settings 186
Enabling the Radio Interface 186
Wireless Device Roles in a Radio Network 187
Configuring the Wireless Device Roles in a Radio Network 188
Configuring Dual-Radio Fallback 189
Overview of Radio Data Rates 190
Configuring Radio Data Rates 191
Configuration Example: Configuring Radio Data Rates 193
Configuration Example: MCS Rates 195
Configuring Radio Transmit Power 195
Limiting the Power Level for Associated Client Devices 196
Configuring Radio Channel Settings 197
Configuring Wireless Channel Width 198
Enabling and Disabling World Mode 199
Disabling and Enabling Short Radio Preambles 200
Disabling Short Radio Preambles 200
Transmit and Receive Antennas 201
Configuring Transmit and Recieve Antennas 201
Cisco 800 Series Integrated Services Routers Software Configuration Guide xi
Contents
Disabling and Enabling Aironet Extensions 202
Disabling Aironet Extensions 203
Ethernet Encapsulation Transformation Method 204
Configuring the Ethernet Encapsulation Transformation Method 204
Enabling and Disabling Public Secure Packet Forwarding 205
Configuring Public Secure Packet Forwarding 205
Configuring Protected Ports 206
Beacon Period and the DTIM 207
Configuring the Beacon Period and the DTIM 207
Configuring RTS Threshold and Retries 208
Configuring the Maximum Data Retries 209
Configuring the Fragmentation Threshold 210
Configuring the Fragment Threshold 210
Enabling Short Slot Time for 802.11g Radios 211
Performing a Carrier Busy Test 211
Configuring VoIP Packet Handling 211
Configuring WLAN Using the Web-based Interface 212
Connecting to the Web-based WLAN Interface 212
Address for Accessing Web-based Interface 213
Displaying Device Information 213
Displaying Connection Statistics 213
Configuring Access to the Web-based Interface 213
Configuring Basic Wireless Settings 214
Configuring Advanced Wireless Settings 215
Configuring the Password for Connecting to the Web-based Interface 218
Saving the Wireless LAN Configuration to a File 219
Loading a Wireless LAN Configuration File 219
xii
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
OL-31704-02
Restoring the Default Configuration 219
Configuring WLAN Using the CLI-based Interface 219
Displaying Command Information for WLAN CLI 220
Example : Displaying Command Information for WLAN CLI 220
Connecting to the WLAN CLI Interface 220
Example: Configuring a Loopback Interface 220
Example: Accessing WLAN CLI Using Telnet Through the Loopback Interface 221
Exiting from the WLAN CLI Interface 221
Setting the IP Address for the Web-based Interface 221
Enabling and Disabling WLAN 222
Enabling and Disabling Guest SSIDs 224
Enabling and Disabling Client Isolation 225
Enabling and Disabling WMM Advertise 226
Enabling and Disabling Wireless Multicast Forwarding (WMF) 227
Configuring the Global Maximum Number of Clients 228
Configuring the Maximum Number of Clients for an SSID 228
Configuring Authentication Options 229
Configuring Encryption Options 233
Configuring the MAC Address Filter Access List 236
Configuring the MAC Address Filter Mode 237
Configuring 802.11n Options 238
Configuring the 54g Preamble Type 241
Configuring 54g Protection 243
Configuring the Multicast Rate 243
Configuring the Basic Rate 244
Configuring the Fragmentation Threshold 245
Configuring the RTS Threshold 246
Configuring the DTIM Interval 246
Cisco 800 Series Integrated Services Routers Software Configuration Guide xiii
Contents
Configuring the Beacon Interval 247
Configuring the Radio Transmit Power 247
Displaying Current CLI Values and Keywords 249
Displaying Current Channel and Power Information 250
Displaying Current Associated Clients 252
Displaying the SSID to BSSID Mapping 253
Displaying the Tx/Rx Statistics 254
Displaying the BVI 1 Interface Details 254
Displaying Dot11Radio 0 Interface Information 255
Example: Displaying Dot11Radio 0 Interface Information 256
Displaying Brief Details for All Interfaces 256
Example: Displaying CPU Statistics 257
Showing a Summary of Memory Usage 257
Changing the Administrator Password 258
Configuring the Number of Lines on Screen 259
Administering the Wireless Device 259
Securing Access to the Wireless Device 259
Disabling the Mode Button Function 259
Dispaying the mode-button status 260
Preventing Unauthorized Access to Your Access Point 260
Protecting Access to Privileged EXEC Commands 261
Configuring Default Password and Privilege Level 261
Setting or Changing a Static Enable Password 261
Configuration Example: Changing a Static Enable Password 262
Protecting Enable and Enable Secret Passwords with Encryption 262
Configuration Example: Enable Secret Passwords 264
Configuring Username and Password Pairs 264
Configuring Multiple Privilege Levels 265
Configuring Multiple Privilege Levels 267
Controlling Access Point Access with RADIUS 267
Configuring RADIUS Login Authentication 268
xiv
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
OL-31704-02
Defining AAA Server Groups 269
Configuration Example: AAA Group 271
Configuring RADIUS Authorization for User Privileged Access and Network
Displaying the RADIUS Configuration 273
Controlling Access Point Access with TACACS+ 273
Default TACACS+ Configuration 273
Configuring TACACS+ Login Authentication 274
Configuring TACACS+ Authorization for Privileged EXEC Access and Network
Displaying the TACACS+ Configuration 276
Administering the Access Point Hardware and Software 276
Administering the Wireless Hardware and Software 276
Resetting the Wireless Device to the Factory Default Configuration 277
Rebooting the Wireless Device 277
Monitoring the Wireless Device 277
Managing the System Time and Date 278
Understanding Simple Network Time Protocol 278
Time and Date Manual Configuration 279
Example Configuration : Time and Date 281
Configuring a System Name and Prompt 281
Configuring a Message-of-the-Day Login Banner 285
Example: Configuring a MOTD Banner 286
Configuring a Login Banner 286
Example Configuration: Login Banner 287
Administering Wireless Device Communication 287
Configuring Ethernet Speed and Duplex Settings 287
Configuring the Access Point for Wireless Network Management 288
Configuring the Access Point for Local Authentication and Authorization 289
Configuring the Authentication Cache and Profile 290
Example Configuration: Authentication Cache and Profile 291
Cisco 800 Series Integrated Services Routers Software Configuration Guide xv
Contents
C H A P T E R 1 1
C H A P T E R 1 2
C H A P T E R 1 3
Configuring the Access Point to Provide DHCP Service 293
Setting up the DHCP Server 293
Monitoring and Maintaining the DHCP Server Access Point 295
Configuring the Access Point for Secure Shell 296
Understanding Client ARP Caching 297
Configuring Client ARP Caching 297
Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging 298
Configuring PPP over Ethernet with NAT 299
Configure the Virtual Private Dialup Network Group Number 301
Configure Ethernet WAN Interfaces 302
Configure the Dialer Interface 303
Configure Network Address Translation 305
Verifying Your Configuration 309
Configuring PPP over ATM with NAT 311
Configure the Dialer Interface 313
Configure the ATM WAN Interface 315
Configure DSL Signaling Protocol 316
Verifying the Configuration 317
Configure Network Address Translation 318
Verifying Your Configuration with NAT 322
Environmental and Power Management 323
xvi
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
C H A P T E R 1 4
C H A P T E R 1 5
C H A P T E R 1 6
OL-31704-02
Environmental and Power Management 323
4G LTE Support on Cisco 800 Series ISRs 325
How to Configure Cisco 800 Series 4G LTE ISRs 326
Configuration Examples for Cisco 800 Series 4G LTE ISRs 326
Example: Basic Cellular Configuration 326
Example: Dialer-Watch Configuration without External Dialer Interface 326
Example: Dialer-Persistent Configuration with External Dialer Interface 327
Example: GRE Tunnel over Cellular Interface Configuration 327
3G Support on Cisco 880G series ISRs 328
Configuring a LAN with DHCP and VLANs 329
Configuring a LAN with DHCP and VLANs 329
Configuring DHCP and VLANs 330
Configuration Example: DHCP 332
Verifying Your DHCP Configuration 332
Assigning a Switch Port to a VLAN 334
Verifying Your VLAN Configuration 334
Configuring a VPN Using Easy VPN and an IPSec Tunnel 337
Configuring a VPN Using Easy VPN and an IPSec Tunnel 337
Configuring the IKE Policy 339
Configuring Group Policy Information 341
Applying Mode Configuration to the Crypto Map 342
Configuring IPSec Transforms and Protocols 344
Configuring the IPSec Crypto Method and Parameters 345
Cisco 800 Series Integrated Services Routers Software Configuration Guide xvii
Contents
C H A P T E R 1 7
C H A P T E R 1 8
C H A P T E R 1 9
C H A P T E R 2 0
Applying the Crypto Map to the Physical Interface 346
Creating an Easy VPN Remote Configuration 347
Verifying Your Easy VPN Configuration 349
Configuration Examples for VPN and IPSec 349
Configuring Cisco Multimode G.SHDSL EFM/ATM 351
Configuring VDSL2 Bonding and Single-Wire Pair 353
Configuring Bonding in Auto Mode 354
Configuring Bonding in VDSL2 Mode 354
Configuring a Single-Wire Pair on Line 0 355
Configuring a Single-Wire Pair on Line 1 356
About the Deployment Scenarios 359
Internet Service and IPSec VPN with 3G 361
Enterprise Wireless Deployments with LWAPP 363
Enterprise Small Branch Office Deployment 364
Troubleshooting Cisco 800 Series Routers 365
Before Contacting Cisco or Your Reseller 365
VDSL2 Troubleshooting 367 show interfaces Troubleshooting Command 367
ATM Troubleshooting Commands 369
ping atm interface Command 370 show atm interface Command 370
Guidelines for Using Debug Commands 371
xviii
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
A P P E N D I X A
A P P E N D I X B
OL-31704-02
Recovering a Lost Password 374
Change the Configuration Register 374
Reset the Password and Save Your Changes 377
Reset the Configuration Register Value 378
Cisco Configuration Professional Express 379
Cisco IOS Software Basic Skills 381
Configuring the Router from a PC 381
Understanding Command Modes 382
Enable Secret Passwords and Enable Passwords 385
Entering Global Configuration Mode 386
Command-Line Error Messages 387
Saving Configuration Changes 388
PPP Authentication Protocols 391
Cisco 800 Series Integrated Services Routers Software Configuration Guide xix
Contents
A P P E N D I X C
Network Address Translation 393
PPP Fragmentation and Interleaving 397
ROM Monitor Commands for 860VAE ISRs 401
ROM Monitor Command Descriptions 401
Disaster Recovery with TFTP Download 402
TFTP Download Command Variables 403
Using the TFTP Download Command 404
Changing the Configuration Register Manually 405
Changing the Configuration Register Using Prompts 405
xx
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Contents
ROM Monitor Debug Commands 407
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide xxi
Contents xxii
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Preface
This preface describes the audience, organization, and conventions of this guide, and describes related documents that have additional information. It contains the following sections:
•
•
Document Organization, page xxiii
•
Document Conventions, page xxv
•
Related Documentation, page xxvi
•
Obtaining Documentation and Submitting a Service Request, page xxvii
Audience
This guide provides an overview and explains how to configure the various features for the Cisco 810, Cisco
860, Cisco 880, and Cisco 890 series Integrated Services Routers (ISRs). Some information may not apply to your particular router model.
This guide is intended for Cisco equipment providers who are technically knowledgeable and familiar with
Cisco routers and Cisco IOS software and features.
For warranty, service, and support information, see the “Cisco One-Year Limited Hardware Warranty Terms” section in the Readme First for the Cisco 800 Series Integrated Services Routers that was shipped with your router.
Document Organization
This document is organized into the following chapters:
Chapter
Description
Provides a brief description of the router models and the available software features.
Provides procedures for configuring the basic parameters of the router.
Cisco 800 Series Integrated Services Routers Software Configuration Guide xxiii OL-31704-02
Preface
Document Organization
Chapter Description
Y.1731 Performance Monitoring on Layer 3 Interfaces, on page
47
Provides procedures for configuring the network interface device functionality, Ethernet data plane loopback, IEEE connectivity fault management, and Y.1731 performance monitoring.
Provides the configuration of power management and
Power-over-Ethernet (PoE).
Provides procedures for implementing the security features that can be configured on the router.
Configuring Backup Data Lines and Remote Management
Provides procedures for configuring remote management functions and a backup data line connection.
Provides an overview of the configuration tasks for the 4-port Fast
Ethernet switch on the router.
Configuring Voice Functionality
Provides references to the procedures for voice configuration.
Configuring the Serial Interface
Provides information about WAN access and aggregation, Legacy protocol transport, and Dial Access Server.
Provides procedures for initial configuration of the wireless device, radio settings, WLAN, and administration of the wireless device.
Configuring PPP over Ethernet with NAT
Provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT)s that can be configured on the Cisco 860 and Cisco 880 series Integrated Services Routers (ISRs).
Provides an overview of Point-to-Point Protocol over Asynchronous
Transfer Mode (PPPoA) clients and network address translation (NAT) that can be configured on the Cisco 860 and Cisco 880 series Integrated
Services Routers (ISRs).
Provides information about 4G LTE and 3G cellular networks.
Configuring a LAN with DHCP and VLANs
Describes how the routers can use the Dynamic Host Configuration
Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks.
Provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 860 and Cisco 880 series Integrated
Services Routers (ISRs).
Describes the configuration of the Cisco Multimode 4-pair G.SHDSL.
Shows some typical deployment scenarios for the Cisco 860, Cisco 880, and Cisco 890 series ISRs.
xxiv
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Preface
Document Conventions
Chapter Description
Troubleshooting Cisco 800 Series
Provides information to help isolate problems you might encounter.
Cisco IOS Software Basic Skills
Provides information for how to use Cisco IOS software to configure your router.
Provides conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers.
Provides information on how to use Cisco’s ROM Monitor firmware.
Document Conventions
This document uses the following conventions:
Convention
^ or Ctrl
Description
Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard.
For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
bold font Commands and keywords and user-entered text appear in bold font.
Italic font
|
Courier font
Bold Courier font
[x]
...
[x | y]
{x | y}
Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
Terminal sessions and information the system displays appear in courier font.
Bold Courier font indicates text that the user must enter.
Elements in square brackets are optional.
An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
Optional alternative keywords are grouped in brackets and separated by vertical bars.
Required alternative keywords are grouped in braces and separated by vertical bars.
Cisco 800 Series Integrated Services Routers Software Configuration Guide xxv OL-31704-02
Preface
Related Documentation
Convention
[x {y | z}] string
< >
[ ]
!, #
Description
Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
Nonprinting characters such as passwords are in angle brackets.
Default responses to system prompts are in square brackets.
An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Reader Alert Conventions
This document uses the following conventions for reader alerts:
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
Related Documentation
In addition to this document, the Cisco 810, Cisco 860, Cisco 880, and Cisco 890 series ISR documentation set includes the following documents: xxvi
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Preface
Obtaining Documentation and Submitting a Service Request
• Readme First for the Cisco 800 Series Integrated Services Routers.
• Cisco 860, Cisco 880, and Cisco 890 Series Integrated Services Routers Hardware Installation Guide
• Regulatory Compliance and Safety Information for Cisco 800 Series and SOHO Series Routers
• Declarations of Conformity and Regulatory Information for Cisco Access Products with 802.11n Radios
• Software Activation on Cisco Integrated Services Routers and Cisco Integrated Service Routers G2
You might also need to refer to the following documents:
• Cisco System Manager Quick Start Guide
• Cisco IOS Release 12.4 Quality of Service Solutions Configuration Guide
• Cisco IOS Security Configuration Guide, Release 12.4
• Cisco IOS Security Configuration Guide, Release 12.4T
• Cisco IOS Security Command Reference, Release 12.4
• Cisco IOS Security Command Reference, Release 12.4T
• Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, versions 12.4(10b) JA and 12.3(8) JEC
• Cisco Aironet 1240AG Access Point Support Documentation
• Cisco 4400 Series Wireless LAN Controllers Support Documentation
• LWAPP Wireless LAN Controllers
• LWAPP Wireless LAN Access Points
• Cisco IOS Release 12.4 Voice Port Configuration Guide
• SCCP Controlled Analog (FXS) Ports with Supplementary Features in Cisco IOS Gateways
• Cisco Software Activation Conceptual Overview
• Cisco Software Activation Tasks and Commands
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Cisco 800 Series Integrated Services Routers Software Configuration Guide xxvii OL-31704-02
Obtaining Documentation and Submitting a Service Request
Preface xxviii
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
1
Product Overview
This chapter provides an overview of the features available for the Cisco 810, Cisco 860, Cisco 880 and
Cisco 890 series Integrated Services Routers (ISRs), and contains the following sections:
•
Information About Cisco 800 Series ISRs, page 1
•
•
•
•
Cisco 810 Series ISRs, page 10
•
Licensing for Cisco 800 Series ISRs, page 14
Information About Cisco 800 Series ISRs
The Cisco 860, Cisco 880, and Cisco 890 series ISRs provide Internet, VPN, voice, data, and backup capability to corporate teleworkers and remote and small offices of fewer than 20 users. These routers are capable of bridging and multiprotocol routing between LAN and WAN ports, and provide advanced features such as antivirus protection. In addition, the Cisco 860W, Cisco 880W, and Cisco 890W series ISRs incorporate an
802.11n wireless LAN option that allows the ISR to act as a wireless access point.
The Cisco 810 series ISRs provide Internet, VPN, data, and backup capability to corporate teleworkers and remote and small offices of fewer than 20 users and provides machine to machine connectivity. Under Cisco
810 series ISRs, there are two different series of routers available - Cisco 812 series ISRs and Cisco 819 series
ISRs. The Cisco 812 ISRs support Gigabit Ethernet (GE), WAN connections over Cellular (3G) interface, and WLAN. The Cisco 819 ISRs are fixed-configuration data routers that provide four 10/100 Fast Ethernet
(FE), 1 Gigabit Ethernet (GE), WAN connections over Serial and Cellular (3G, 4G) interfaces and WLAN.
Cisco 860 Series ISRs
The Cisco 860 series ISRs are fixed-configuration data routers that provide either a 10/100 Fast Ethernet (FE) or an ADSL2 over POTs WAN connection.
This section contains the following topics:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
1 OL-31704-02
Product Overview
Features of Cisco 860 Series ISRs
Features of Cisco 860 Series ISRs
The following features are supported on all Cisco 860 series ISRs:
4-port 10/100 FE LAN Switch of Cisco 860 Series ISRs
The 4-port 10/100 FE LAN switch provides four ports for connecting to 10/100BASE-T (10/100 Mbps) Fast
Ethernet (FE) LANs or access points.
Security Features for Cisco 860 Series ISRs
The Cisco 860 Series ISRs provide the following security features:
• IPsec
• Firewall
802.11n Wireless LAN Option for Cisco 860 Series ISRs
The Cisco 861W ISR has an integrated 802.11b/g/n single radio module for wireless LAN connectivity. With this module, the router can then act as an access point in the local infrastructure.
Features of Cisco 860VAE Series ISRs
The following sections describe the features of the Cisco 860VAE series ISRs:
General Features of Cisco 860 VAE Series Routers
Table 1: General Features of Cisco 860VAE Series ISRs, on page 2
describes the general features of Cisco
860VAE series routers.
Table 1: General Features of Cisco 860VAE Series ISRs
Feature
Increased performance
Benefit
• Performance enables customers to take advantage of broadband network speeds while running secure, concurrent data, voice, video, and wireless services.
2
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
Features of Cisco 860VAE Series ISRs
Feature
Security and QoS with secure routers
State-of-the-art xDSL
ScanSafe web filtering
IPv6 support
WAN Diversity
Four-port 10/100-Mbps managed switch
1 GE port for secure routers
Benefit
• IPSec & Easy VPN with 10 tunnels.
• BGP.
• MAC filtering and port security.
• QoS features include LLQ and WFQ.
• NBAR and DiffServ.
• State-of-the-art xDSL features, including latest
ADSL2+/VDSL2 standards.
• Improved interoperability vs. various DSLAMs deployed at WW SPs.
• Protects network and staff from undesirable web content
• Increases productivity by limiting time spent on recreational surfing
• Optimizes network resources by reducing bandwidth congestion
• Monitors online activity with comprehensive reporting
• Supports latest IP addressing standards
• GE + DSL multimode VDSL2 and ADSL 1, 2, and 2+.
• Multiple WAN options within the same box allow consistent configuration across diverse deployments.
• Connection of multiple devices within a teleworker home or a small office, with the ability to designate a port as the network edge.
• VLANs allow for secure segmentation of network resources.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
3
Product Overview
Features of Cisco 860VAE Series ISRs
Feature
CON/AUX port
Real-time clock
Benefit
• A single dual-purpose port provides direct connection to a console or external modem for management or backup access points.
• A built-in real-time clock maintains an accurate date and time for applications that require an accurate time stamp, such as logging and digital certificates.
Interfaces of Cisco 860 VAE Series ISRs
Table 2: Interfaces of the Cisco 860VAE Series ISRs, on page 4
describes the interfaces of the Cisco
860VAE series routers.
Table 2: Interfaces of the Cisco 860VAE Series ISRs
Interfaces
4 FE
switch ports
Models
866VAE x
1 GE
switch port —
1 GE WAN port x
1 VDSL/ADSL over
POTS port
—
1 VDSL/ADSL over
ISDN port x
867VAE x
— x x
— x x
866VAE-K9 x
— x x x
867VAE-K9 x x
—
1 FE = Fast Ethernet
2 GE = Gigabit Ethernet
Note The Cisco 866VAE, 867VAE, 866VAE-K9, and 867VAE-K9 routers each have two WAN ports. Only one of the two ports can be active at any given time.
4
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
Cisco 880 Series ISRs
IOS Images for Cisco 860 VAE Series ISRs
Table 3: IOS Images of the Cisco 860VAE Series ISRs, on page 5
describes the IOS images included in
Cisco 860VAE series routers.
Table 3: IOS Images of the Cisco 860VAE Series ISRs
IOS Image c860vae-ipbasek9-mz x c860vae-advsecurityk9-mz —
Model
866VAE c860vae-advsecurityk9_npe-mz —
—
—
867VAE x x x
867VAE-K9
—
Cisco 880 Series ISRs
The Cisco 880 series ISRs are a family of fixed-configuration data and voice routers as described in the following sections:
Models of Cisco 880 Series ISRs
The Cisco 880 series ISRs have data and voice capabilities. Each router has one WAN port. In addition, routers supporting voice have either FXS (Foreign Exchange Station) or BRI voice ports. Data or voice backup ports are also available on most of the routers. The Cisco 880G routers come with a commercial third-generation
(3G) wireless interface card that provides cellular backup. 802.11b/g/n option is available on all models.
Table 4: Port Configurations of the Cisco 880 Series Data ISRs , on page 5
gives the port configurations of Cisco 880 series data ISRs.
Table 4: Port Configurations of the Cisco 880 Series Data ISRs
Model WAN Port
881 and 881W
881-V
881G and 881GW
886 and 886W
FE
FE
FE
ADSL2oPOTS
— x
—
—
Backup
Data ISDN x
—
Data 3G
—
—
Cisco 800 Series Integrated Services Routers Software Configuration Guide
5 OL-31704-02
Product Overview
Models of Cisco 880 Series ISRs
886G and 886GW
887 and 887W
887G and 887GW
887-VA-V
887V and 887VW
887VG and 887VGW
888 and 888W
888G and 888GW
888E and 888EW
C888EA-K9
ADSL2oPOTS
ADSL2oPOTS
ADSL2oPOTS
VDSL2oPOTS
VDSL2oPOTS
VDSL2oPOTS
G.SHDSL
G.SHDSL
EFM over G.SHDSL
Multimode
— x
— x x
— x
— x x
— x
— x
—
— x
— x x
Table 5: Port Configurations of Cisco 880 Series Voice ISRs , on page 6
gives the port configurations of
Cisco 880 series voice ISRs.
Table 5: Port Configurations of Cisco 880 Series Voice ISRs
Model WAN Port
C881SRST and
C881SRSTW
C888SRST and
C888SRSTW
FE
G.SHDSL
C888ESRST and
C888ERSTW
EFM over
G.SHDSL
FXS Voice Ports
4
Backup
PSTN FXO x
4
4
—
—
PSTN BRI
— x
4
Table 6: Port Configurations of Cisco 880 Series Data and Voice ISRs , on page 6
gives the port configurations of Cisco 881-V, Cisco887VA-V, and Cisco 887VA-V-W series ISRs.
Table 6: Port Configurations of Cisco 880 Series Data and Voice ISRs
Model WAN Port FXS Voice
Ports
PSTN BRI WLAN Backup
PSTN FXO Data (ISDN)
6
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
Common Features of Cisco 880 Series ISRs
C881-V FE 4
C887VA-V VDSL2/ADSL2 4
C887VA-V-W VDSL2/ADSL2 4
2
2
2
—
— x
1
—
—
— x x
The Cisco 887 VA-V and Cisco 881-V routers give you the flexibility to use the FXS or BRI voice ports (The
Cisco 881-V router also supports a backup FX0 port), but the number of concurrent calls that the router supports is limited by the codec complexity configuration. The router supports less calls when the codec complexity setting is configured for high complexity.
Table 7: Number of Concurrent Calls Supported on
Cisco 880 Series Data and Voice ISRs, on page 7
shows the number of concurrent calls that is supported on the router for each codec complexity setting. Configuring the codec complexity setting to support secure calls does not affect the numbers below.
Table 7: Number of Concurrent Calls Supported on Cisco 880 Series Data and Voice ISRs
Model
C881-V
C887VA-V
C887VA-V-W
Flexible Complexity
9
8
8
Medium Complexity
8
8
8
High Complexity
6
6
6
Common Features of Cisco 880 Series ISRs
Cisco 880 series ISRs support the following features:
4-port 10/100 FE LAN Switch of Cisco 880 Series ISRs
This switch provides four ports for connecting to 10/100BASE-T FE LANs, access points, or IP phones. In addition, an upgrade is available that gives Power over Ethernet (PoE) on two of the ports to provide power to access points or phones.
802.11n Wireless LAN Option of Cisco 880 Series ISRs
The Cisco 880W series ISRs have an integrated 802.11b/g/n single radio module for wireless LAN connectivity.
With this module, the router can act as an access point in the local infrastructure.
Real-Time Clock of Cisco 880 Series ISRs
A real-time clock (RTC) provides date and time when the system is powered on. The RTC is used to verify the validity of the Certification Authority stored on the router.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
7
Product Overview
Voice Features of Cisco 880 Series ISRs
Security Features of Cisco 880 Series ISRs
The Cisco 880 Series ISRs provide the following security features:
• Intrusion Prevention System (IPS)
• Dynamic Multipoint VPN (DMVPN)
• IPsec
• Quality of service (QoS)
• Firewall
• URL filtering
Voice Features of Cisco 880 Series ISRs
The Cisco 880 voice and data platforms (C880SRST, C880SRSTW, C881-V, C887 VA-V, and C887VA-V-W) support the following voice features:
• Signaling protocols: Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), and
H323
• Real-time transfer protocol (RTP), Cisco RTP (cRTP), and secure RTP (SRTP) for these signaling protocols
• Fax passthrough, Cisco fax relay, T37 fax store-and-forward, and T.38 fax relay (including T.38
gateway-controlled MGCP fax relay)
• Dual tone multifrequency (DTMF) Relay—OOB and RFC2833
• Silence suppression/comfort noise
• G.711 (a-law and u-law), G.729A, G.729AB, G.729, G.729B, G.726
• Support of SRST failover to a Foreign Exchange Office (FXO) or BRI backup port connected to PSTN in case of WAN failure on C880SRST and C880SRSTW.
• Support for SRST and CME requires user license, but only a 5-user license is supported on C881-V,
C887VA-V, and C887VA-V-W routers.
• Direct inward dialing (DID) on FXS
Cisco 890 Series ISRs
The Cisco 890 series ISRs are fixed-configuration data routers. These routers have a Gigabit Ethernet WAN port and data backup ports.
Table 8: Port Configurations of the Cisco 890 Series ISRs, on page 9
gives the port configurations for the
Cisco 890 Series ISRs.
8
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
8-port 10/100 FE LAN Switch of Cisco 890 Series ISRs
Table 8: Port Configurations of the Cisco 890 Series ISRs
Model WAN Port
891 and 891W
892 and 892W
892F and 892F-W
GE
GE
GE
or SFP
x x
Data Backup
FE x
—
—
V.92
x x x
ISDN
—
3 GE copper port.
4 SFP port supports GE with fiber. For a complete list of SFPs supported, see the Cisco 892F ISR data sheet on Cisco.com.
Some of the features supported on Cisco 890 series ISRs are given as follows:
8-port 10/100 FE LAN Switch of Cisco 890 Series ISRs
The 8-port 10/100 FE LAN switch provides eight ports for connecting to 10/100BASE-T FE LANs, access points, or IP phones. In addition, an upgrade is available that gives PoE on four of the ports to provide power to access points or phones.
802.11n Wireless LAN Option of Cisco 890 Series ISRs
The Cisco 890W series ISRs have integrated 802.11b/g/n and 802.11a/n dual radio modules for wireless LAN connectivity. With these modules, the router can act as an access point in the local infrastructure.
Real-Time Clock of Cisco 890 Series ISRs
A real-time clock (RTC) provides date and time when the system is powered on. The RTC is used to verify the validity of the Certification Authority stored on the router.
Security Features of Cisco 890 Series ISRs
Cisco 890 Series ISRs provide the following security features:
• Intrusion Prevention System (IPS)
• Dynamic Multipoint VPN (DMVPN)
• IPsec
• Quality of service (QoS)
• Firewall
• URL filtering
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
9
Product Overview
Cisco 810 Series ISRs
Cisco 810 Series ISRs
This section provides information about the features supported by Cisco 810 series ISRs. In Cisco 810 series
ISRs, there are two different series of routers available - Cisco 812 series ISRs and Cisco 819 series ISRs.
This section contains the following topics:
Features of Cisco 812 Series ISRs
This section lists the software, platform, and security features supported by the Cisco 812 Series ISRs.
Note The WAAS Express feature is not supported. This feature will be supported for 3G and 4G interfaces with later IOS releases.
3G Features of Cisco 812 Series ISR
The 3rd Generation (3G) is a generation of standards for mobile technology that facilitates growth, increased in bandwidth, and supports more diverse applications. The following 3G features are supported in Cisco 812 series ISR.
• Modem control and management
• Asynchronous transport (AT) command set
• Wireless Host Interface Protocol (WHIP)
• Control and Status (CNS) for out-of-band modem control and status
• Diagnostic Monitor (DM) logging
• Account provisioning
• Modem firmware upgrade
• SIM locking and unlocking
• MEP unlocking
• OMA-DM activation, voice-initiated data callback
• Dual SIM card slots
• Link persistence
• SMS Services
• Global Positioning System (GPS) Services
• 3G MIB
10
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
Features of Cisco 812 Series ISRs
WLAN Features of Cisco 812 Series ISR
A Wireless Local Area Network (WLAN) implements a flexible data communication system frequently augmenting rather than replacing a wired LAN within a building or campus. WLANs use radio frequency to transmit and receive data over the air, minimizing the need for wired connections.
Cisco 812 ISR supports the following WLAN features:
Dual Radio of Cisco 812 Series ISR
The Cisco 802 Access Points (AP802) is an integrated access point on Cisco 812 ISRs. The access point is a wireless LAN transceiver that acts as the connection point between wireless and wired networks or as the center point of a standalone wireless network. In large installations, the roaming functionality provided by multiple access points enables wireless users to move freely throughout the facility while maintaining uninterrupted access to the network.
AP802 Dual Radio contains two different types of wirelesss radio that can support connections on both 2.4
Ghz used by 802.11b, 802.11g, and 802.11n and 5 Ghz used by 802.11a and 802.11n.
All the WLAN traffic for Cisco 812 ISR passes through the Ethernet WAN or 3G interface. The AP802 Dual
Radio is supported on the following SKUs:
• C812G-CIFI+7-E-K9
• C812G-CIFI+7-N-K9
• C812G-CIFI-V-A-K9
• C812G-CIFI-S-A-K9
Cleanair Technology of Cisco 812 Series ISR
The CleanAir is a new wireless technology that intelligently avoids Radio Frequency (RF) to protect 802.11n
performance. For more information, see Cisco CleanAir Technology . This feature is supported in all SKUs that has WLAN support.
Dynamic Frequency Selection of Cisco 812 Series ISR
The Dynamic Frequency Selection (DFS) is the process of detecting radar signals that must be protected against 802.11a interference and upon detection switching the 802.11a operating frequency to one that is not interfering with the radar systems. Transmit Power Control (TPC) is used to adapt the transmission power based on regulatory requirements and range information.
Note The DFS functionality is disabled for FCC SKUs pending FCC certification. For more information, see
Dynamic Frequency Selection and IEEE 802.11h Transmit Power Control .
Platform Features of Cisco 812 Series ISR
For the complete list of Cisco 812 ISR platform features, see Platform Features .
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
11
Product Overview
Features of Cisco 819 Series ISRs
TFTP with Ethernet WAN Interface Feature of Cisco 812 Series ISR
For more information on TFTP download, see Disaster Recovery with TFTP Download .
Note The Cisco 812 ISR has a GE interface as the only Ethernet interface. Hence, the port number is automatically set at Rommon for TFTP connectivity.
SKU Information for Cisco 812 Series ISR
See the following link for SKUs available for Cisco 812 series ISR router: http://www.cisco.com/en/US/docs/routers/access/800/812/hardware/install/guide/overview.html#wp1057240
SKU information for Cisco 812 series
Features of Cisco 819 Series ISRs
This section lists the software, platform, and security features supported by the Cisco 819 Series ISRs.
Note The WAAS Express feature is not supported. This feature will be supported for 3G and 4G interfaces with later IOS releases.
3G Features of Cisco 819 Series ISRs
The following 3G features are supported by Cisco 819 series ISR routeres .
• Modem control and management
• Asynchronous transport (AT) command set
• Wireless Host Interface Protocol (WHIP)
• Control and Status (CNS) for out-of-band modem control and status
• Diagnostic Monitor (DM) logging
• Account provisioning
• Modem firmware upgrade
• SIM locking and unlocking
• MEP unlocking
• OMA-DM activation
• Dual SIM card slots
• Link persistence
• SMS Services
12
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Product Overview
Features of Cisco 819 Series ISRs
• Global Positioning System (GPS) Services
• 3G MIB
WLAN Features of Cisco 819 Series ISRs
Cisco 819 series ISRs support the following WLAN features:
• Dual Radio
• CleanAir Technology
• Dynamic Frequency Selection
4G LTE Features of Cisco 819 Series ISRs
Cisco 819 series ISRs supports the following 4G LTE features:
• IPv4 bearer
• MIPv4, NEMOv4, RFC 3025
• IPv4 subnet behind LTE UE interface
• Evolved High-Rate Packet Data (EHRPD), which allows seamless handoff between 4G LTE and 3G services (C819(H)G-4G-V-K9 only)
• Seamless hand-off between LTE and EHRPD network (C819(H)G-4G-V-K9 only)
• Support for UMTS service as a fallback option from LTE service (C819(H)G-4G-A-K9 and
C819(H)G-4G-G-K9 only)
• Seamless handoff between LTE and UMTS service (C819(H)G-4G-A-K9 and C819(H)G-4G-G-K9 only)
• Remote access to Qualcomm diagnostic monitor port
• OTA-DM including wireless configuration FOTA (C819(HG-4G-V-K9 only)
• Mini USB type 2 connector for modem provisioning
Platform Features of Cisco 819 Series ISRs
For the complete list of Cisco 819 Series ISRs platform features, see Platform Features for Cisco 819 ISRs .
Security Features of Cisco 819 Series ISRs
The Cisco 819 Series ISRs provide the following security features:
• Intrusion Prevention System (IPS)
• Dynamic Multipoint VPN (DMVPN)
• IPsec
• Quality of service (QoS)
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
13
Product Overview
Licensing for Cisco 800 Series ISRs
• Firewall
• URL filtering
SKU Information for Cisco 819 Series ISRs
See the following link for SKUs available for Cisco 819 series ISRs: http://www.cisco.com/c/en/us/td/docs/routers/access/800/hardware/installation/guide/800HIG/ prodoverview.html#pgfId-1146483
Licensing for Cisco 800 Series ISRs
The Cisco 810, 860, Cisco 880, and Cisco 890 ISRs ship with licensed software installed. Software features may be upgraded and the software licenses may be managed through Cisco Licensing Manager . See Software
Activation On Cisco Integrated Services Routers and Cisco Integrated Service Routers G2 for details.
When you order a new router, you specify the software image and feature set that you want. The image and feature set are installed on your router before you receive it, so you do not need to purchase a software license.
The router stores the software license file on the flash memory.
Note The Cisco 860VAE does not require licenses.
Selecting Feature Sets for Cisco 800 Series ISRs
Some feature sets are bundled and offered with a software license that is installed on the hardware platforms.
For a list of features available with a software license on the Cisco 810, Cisco 860, Cisco 880, and Cisco 890 platforms, see Cisco 812 Data Sheet Cisco 819 Data Sheet , Cisco 860 Data Sheet , Cisco 880 Data Sheet , and Cisco 890 Data Sheet . See Cisco IOS Software Activation Tasks and Commands for details about how to activate and manage the software licenses.
14
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
2
Basic Router Configuration
This chapter provides procedures for configuring the basic parameters of your Cisco router, including global parameter settings, routing protocols, interfaces, and command-line access. It also describes the default configuration on startup.
Note Individual router models may not support every feature described in this guide. Features that are not supported by a particular router are indicated whenever possible.
This chapter includes configuration examples and verification steps, as available.
For complete information on how to access global configuration mode, see the
section.
•
•
Default Configuration, page 16
•
Information Needed for Configuration, page 17
•
Configuring Command-Line Access, page 19
•
Configuring Global Parameters, page 21
•
Configuring WAN Interfaces, page 22
•
Configuring a Loopback Interface, page 39
•
Configuring Static Routes, page 41
•
Configuring Dynamic Routes, page 42
Interface Ports
Table 9: Supported Interfaces and Associated Port Labels by Cisco Router , on page 16
lists the interfaces that are supported for each router and their associated port labels on the equipment.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
15 OL-31704-02
Basic Router Configuration
Default Configuration
Table 9: Supported Interfaces and Associated Port Labels by Cisco Router
Router
Cisco 819 Router
Interface
4-port Fast Ethernet LAN
Gigabit Ethernet WAN
Port Label
LAN, FE0–FE3
GE WAN 0
Serial
Console/Aux port
Serial
Mini USB for 3G port Provisioning 3G RSVD
CON/AUX
Note There are two labels for the associated antennas with the labels: Main and DIV/GPS.
Default Configuration
When you first boot up your Cisco router, some basic configuration has already been performed. All of the
LAN and WAN interfaces have been created, console and vty ports are configured, and the inside interface for Network Address Translation (NAT) has been assigned. Use the show running-config command to view the initial configuration, as shown in the following example for a Cisco 819 ISR:
Router# show running
Building configuration...
Current configuration : 977 bytes
!
version 15.1
service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption
!
hostname Router
!
boot-start-marker boot-end-marker no aaa new-model ip source-route ip cef no ipv6 cef license udi pid CISCO819G-G-K9 sn FHK1429768Q controller Cellular 0 interface Cellular0 no ip address encapsulation ppp interface Ethernet-wan0 no ip address shutdown duplex auto speed auto interface FastEthernet0 interface FastEthernet1 interface FastEthernet2 interface FastEthernet3 interface Serial0
16
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Information Needed for Configuration no ip address shutdown
!
no fair-queue clock rate 2000000 interface Vlan1 no ip address
!
ip forward-protocol nd no ip http server no ip http secure-server logging esm config control-plane line con 0 no modem enable line aux 0 line 3 no exec line 7 stopbits 1 speed 115200 line vty 0 4 login
!
transport input all scheduler allocate 20000 1000 end
Information Needed for Configuration
You need to gather some or all of the following information, depending on your planned network scenario, before configuring your network:
• If you are setting up an Internet connection, gather the following information:
â—¦PPP client name that is assigned as your login name
â—¦PPP authentication type: Challenge Handshake Authentication Protocol (CHAP) or Password
Authentication Protocol (PAP)
â—¦PPP password to access your Internet service provider (ISP) account
â—¦DNS server IP address and default gateways
• If you are setting up a connection to a corporate network, you and the network administrator must generate and share the following information for the WAN interfaces of the routers:
â—¦PPP authentication type: CHAP or PAP
â—¦PPP client name to access the router
â—¦PPP password to access the router
• If you are setting up IP routing:
â—¦Generate the addressing scheme for your IP network.
• If you are setting up the serial interface:
â—¦Mode of operation (sync, async, bisync)
â—¦Clock rate depending on the mode
Cisco 800 Series Integrated Services Routers Software Configuration Guide
17 OL-31704-02
Basic Router Configuration
Information Needed for Configuration
â—¦IP address depending on the mode
• If you are setting up 3G:
â—¦You must have service availability on the Cisco 819 ISR from a carrier, and you must have network coverage where your router will be physically placed. For a complete list of supported carriers, see the data sheet at Cisco 3G Wireless Connectivity Solutions.
â—¦You must subscribe to a service plan with a wireless service provider and obtain a SIM card.
â—¦You must install the SIM card before configuring the 3G Cisco 819 ISR. For instructions on how to install the SIM card, see the Cisco 800 Series Hardware Installation Guide.
• You must install the required antennas before you configure the 3G for Cisco 819 ISR. See the following
URLs for instructions on how to install the antennas:
â—¦3G-ANTM1919D—See Cisco Multiband Swivel-Mount Dipole Antenna (3G-ANTM1919D) .
â—¦3G-ANTM1916-CM—See Cisco Multiband Omnidirectional Ceiling Mount Antenna
(3G-ANTM1916-CM) .
â—¦3G-AE015-R (Antenna Extension)—See Cisco Single-Port Antenna Stand for Multiband TNC
Male-Terminated Portable Antenna (Cisco 3G-AE015-R) .
â—¦3G-AE010-R (Antenna Extension)—See Cisco Single-Port Antenna Stand for Multiband TNC
Male-Terminated Portable Antenna (Cisco 3G-AE015-R) . This document applies to both
3G-AE015-R and 3G-AE010-R. The only difference between these two products is the length of the cable.
â—¦3G-ANTM-OUT-OM—See Cisco 3G Omnidirectional Outdoor Antenna (3G-ANTM-OUT-OM) .
â—¦3G-ANTM-OUT-LP—See Cisco Multiband Omnidirectional Panel-Mount Antenna
(3G-ANTM-OUT-LP) .
â—¦3G-ACC-OUT-LA—See Cisco 3G Lightning Arrestor (3G-ACC-OUT-LA) .
â—¦ 4G-ANTM-OM-CM—See Cisco 4G Indoor Ceiling-Mount Omnidirectional Antenna
(4G-ANTM-OM-CM) .
• You must check your LEDs for signal reception as described in
Table 21: 3G LED Descriptions for
Cisco 819 Series ISRs, on page 171
.
• You should be familiar with the Cisco IOS software. See the Cisco IOS documentation beginning with
Release 12.4(15)T or later for Cisco 3G support.
• To configure your 3G data profile, you will need the username, password, and access point name (APN) from your service provider:
After you have collected the appropriate information, you can perform a full configuration on your router, beginning with the tasks in the
Configuring Command-Line Access, on page 19
.
To obtain or change software licenses:
• See Software Activation on Cisco Integrated Services Routers and Cisco Integrated Service Routers G2 .
18
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Command-Line Access
Configuring Command-Line Access
To configure parameters to control access to the router, perform the following steps, beginning in global configuration mode:
SUMMARY STEPS
1. line [aux | console | tty | vty] line-number
2. password password
3. login
4. exec-timeout minutes [seconds]
5. line [aux | console | tty | vty] line-number
6. password password
7. login
8. end
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
line [aux | console | tty | vty] line-number
Example:
Router(config)# line console 0
Example:
Router(config-line)#
password password
Example:
Router(config)# password 5dr4Hepw3
Example:
Router(config-line)# login
Example:
Router(config-line)# login
Example:
Router(config-line)#
Purpose
Enters line configuration mode and specifies the type of line.
This example specifies a console terminal for access.
Specifies a unique password for the console terminal line.
Enables password checking at terminal session login.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
19 OL-31704-02
Basic Router Configuration
Configuring Command-Line Access
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action exec-timeout minutes [seconds]
Example:
Router(config-line)# exec-timeout 5 30
Example:
Router(config-line)#
line [aux | console | tty | vty] line-number
Example:
Router(config-line)# line vty 0 4
Example:
Router(config-line)# password password
Example:
Router(config-line)# password aldf2ad1
Example:
Router(config-line)# login
Example:
Router(config-line)# login
Example:
Router(config-line)# end
Example:
Router(config-line)# end
Example:
Router#
What to Do Next
Example
Purpose
Sets the interval that the EXEC command interpreter waits until user input is detected. The default is 10 minutes.
Optionally, add seconds to the interval value.
This example shows a timeout of 5 minutes and 30 seconds.
Entering a timeout of 0 0 specifies never to time out.
Specifies a virtual terminal for remote console access.
Specifies a unique password for the virtual terminal line.
Enables password checking at the virtual terminal session login.
Exits line configuration mode and returns to privileged
EXEC mode.
20
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Global Parameters
The following configuration shows the command-line access commands.
You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.
!
line con 0 exec-timeout 10 0 password 4youreyesonly login transport input none (default) stopbits 1 (default) line vty 0 4 password secret login
!
Configuring Global Parameters
To configure selected global parameters for your router, perform these steps:
SUMMARY STEPS
1. configure terminal
2. hostname name
3. enable secret password
4. no ip domain-lookup
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Example:
Router> enable
Example:
Router# configure terminal
Example:
Router(config)#
hostname name
Example:
Router(config)# hostname Router
Purpose
Enters global configuration mode when using the console port.
If you are connecting to the router using a remote terminal, use the following: telnet router name or address
Login: login id
Password: *********
Router> enable
Specifies the name for the router.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
21 OL-31704-02
Basic Router Configuration
Configuring WAN Interfaces
Step 3
Step 4
Command or Action
Example:
Router(config)# enable secret password
Example:
Router(config)# enable secret cr1ny5ho
Example:
Router(config)# no ip domain-lookup
Example:
Router(config)# no ip domain-lookup
Router(config)#
Purpose
Specifies an encrypted password to prevent unauthorized access to the router.
Disables the router from translating unfamiliar words (typos) into IP addresses.
Configuring WAN Interfaces
Configure the WAN interface for your router using one of the following as appropriate:
Configuring a Gigabit Ethernet WAN Interface
To configure the Ethernet interface on a Cisco 819 ISR, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. ip address ip-address mask
3. no shutdown
4. exit
22
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action
interface type number
Example:
Router(config)# interface gigabitethernet 0
Example:
Router(config-if)# ip address ip-address mask
Example:
Router(config-if)# ip address 192.168.12.2
255.255.255.0
Example:
Router(config-if)# no shutdown
Example:
Router(config-if)# no shutdown
Example:
Router(config-if)# exit
Example:
Router(config-if)# exit
Example:
Router(config)#
Purpose
Enters the configuration mode for a Gigabit Ethernet WAN interface on the router.
Sets the IP address and subnet mask for the specified
Gigabit Ethernet interface.
Enables the Ethernet interface, changing its state from administratively down to administratively up.
Exits configuration mode for the Gigabit Ethernet interface and returns to global configuration mode.
Configuring the Cellular Wireless WAN Interface
The Cisco 819 ISRs provide a Third-Generation (3G) wireless interface for use over Global System for Mobile
Communications (GSM) and code division multiple access (CDMA) networks. The interface is a 34-millimetre embedded mini express card.
Its primary application is WAN connectivity as a backup data link for critical data applications. However, the
3G wireless interface can also function as the router’s primary WAN connection.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
23
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
To configure the 3G cellular wireless interface, follow these guidelines and procedures:
Prerequisites for Configuring the 3G Wireless Interface
The following are prerequisites to configuring the 3G wireless interface:
• You must have wireless service from a carrier, and you must have network coverage where your router will be physically placed. For a complete list of supported carriers, see the data sheet at: www.cisco.com/ go/m2m
• You must subscribe to a service plan with a wireless service provider and obtain a SIM card (GSM modem only) from the service provider.
• You must check your LEDs for signal strength, as described in
LEDs for Cisco 819 Series ISRs, on
page 171 .
• You should be familiar with the Cisco IOS software. See Cisco IOS documentation beginning with
Cisco IOS Release 12.4(15)XZ or later for Cisco 3G Wireless support.
• To configure your GSM data profile, you need the following information from your service provider:
â—¦Username
â—¦Password
â—¦Access point name (APN)
• To configure your CDMA (CDMA only) data profile for manual activation, you need the following information from your service provider:
â—¦Master Subsidy Lock (MSL) number
â—¦Mobile Directory number (MDN)
â—¦Mobile Station Identifier (MSID)
â—¦Electronic Serial Number (ESN)
• Check the LED located on the front panel of the router for signal strength and other indications.
LEDs for Cisco 819 Series ISRs, on page 171
describes the 3G LEDs for the Cisco 819 ISR.
Restrictions for Configuring the Cellular Wireless Interface
The following restrictions apply to configuring the Cisco 3G wireless interface:
• A data connection can be originated only by the 3G wireless interface. Remote dial-in is not supported.
• Because of the shared nature of wireless communications, the experienced throughput varies depending on the number of active users or the amount of congestion in a given network.
• Cellular networks have higher latency than wired networks. Latency rates depend on the technology and carrier. Latency may be higher when there is network congestion.
• VoIP is currently not supported.
• Any restrictions that are part of the terms of service from your carrier also apply to the Cisco 3G wireless interface.
24
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
• Inserting a different type of modem from what was previously removed requires configuration changes and you must reload the system.
Data Account Provisioning
Note To provision your modem, you must have an active wireless account with a service provider. A SIM card must be installed in a GSM 3G wireless card.
To provision your data account, follow these procedures:
Verifying Signal Strength and Service Availability
To verify the signal strength and service availability on your modem, use the following commands in privileged
EXEC mode.
SUMMARY STEPS
1. show cellular 0 network
2. show cellular 0 hardware
3. show cellular 0 connection
4. show cellular 0 gps
5. show cellular 0 radio
6. show cellular 0 profile
7. show cellular 0 security
8. show cellular 0 sms
9. show cellular 0 all
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action show cellular 0 network
Example:
Router# show cellular 0 network show cellular 0 hardware
Example:
Router# show cellular 0 hardware show cellular 0 connection
Example:
Router# show cellular 0 connection
Purpose
Displays information about the carrier network, cell site, and available service.
Displays the cellular modem hardware information.
Displays the current active connection state and data statistics.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
25
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Command or Action show cellular 0 gps
Example:
Router# show cellular 0 gps show cellular 0 radio
Example:
Router# show cellular 0 radio show cellular 0 profile
Example:
Router# show cellular 0 profile show cellular 0 security
Example:
Router# show cellular 0 security show cellular 0 sms
Example:
Router# show cellular 0 sms show cellular 0 all
Example:
Example:
Router# show cellular 0 all
Purpose
Displays the cellular gps information.
Shows the radio signal strength.
Note The RSSI should be better than –90 dBm for steady and reliable connection.
Shows information about the modem data profiles created.
Shows the security information for the modem, such as SIM and modem lock status.
Displays the cellular sms information.
Shows consolidated information about the modem, such as the profiles that were created, the radio signal strength, the network security, and so on.
Configuring a GSM Modem Data Profile
To configure or create a new modem data profile, enter the following command in privileged EXEC mode.
SUMMARY STEPS
1. cellular 0 gsm profile create <profile number> <apn> <authentication> <username> <password> ipv4
26
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
DETAILED STEPS
Step 1
Command or Action cellular 0 gsm profile create <profile number> <apn>
<authentication> <username> <password> ipv4
Example:
Router# gsm profile create 2 <apn-name> chap username password ipv4
Purpose
Creates a new modem data profile. See
Data Profile Parameters, on page 27
for details about the command parameters.
What to Do Next
Table 10: Modem Data Profile Parameters, on page 27
lists the modem data profile parameters.
Table 10: Modem Data Profile Parameters profile number apn authentication
Username
Password
Number for the profile that you are creating. You can create up to 16 profiles.
Access point name. You must get this information from the service provider.
Type of authentication, for example, CHAP, PAP.
Username provided by your service provider.
Password provided by your service provider.
CDMA Modem Activation and Provisioning
Activation procedures may differ, depending upon your carrier. Consult your carrier and perform one of the following procedures as appropriate:
• Manual activation
• Activating using over-the-air service provisioning
The following table lists the activation and provisioning processes supported by different wireless carriers.
Table 11:
Activation and Provisioning Process
Manual Activation using MDN, MSID, MSL
Carrier
Sprint
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
27
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Activation and Provisioning Process
OTASP
Activation
IOTA
for Data Profile refresh
5 OTASP = Over the Air Service Provisioning.
6 IOTA = Internet Over the Air.
Manual Activation
Carrier
Verizon Wireless
Sprint
Note You must have valid mobile directory number (MDN), mobile subsidy lock (MSL), and mobile station identifier (MSID) information from your carrier before you start this procedure.
To configure a modem profile manually, use the following command, beginning in EXEC mode:
cellular unit cdma activate manual mdn msid msl
Besides being activated, the modem data profile is provisioned through the Internet Over the Air (IOTA) process. The IOTA process is initiated automatically when you use the cellular unit cdma activate manual
mdn msid msl command.
The following is a sample output from this command: router# cellular 0 cdma activate manual 1234567890 1234567890 12345
NAM 0 will be configured and will become Active
Modem will be activated with following Parameters
MDN :1234567890; MSID :1234567890; SID :1234; NID 12:
Checking Current Activation Status
Modem activation status: Not Activated
Begin Activation
Account activation - Step 1 of 5
Account activation - Step 2 of 5
Account activation - Step 3 of 5
Account activation - Step 4 of 5
Account activation - Step 5 of 5
Secure Commit Result: Succeed
Done Configuring - Resetting the modem
The activation of the account is Complete
Waiting for modem to be ready to start IOTA
Beginning IOTA router#
*Feb 6 23:29:08.459: IOTA Status Message Received. Event: IOTA Start, Result: SUCCESS
*Feb 6 23:29:08.459: Please wait till IOTA END message is received
*Feb 6 23:29:08.459: It can take up to 5 minutes
*Feb 6 23:29:27.951: OTA State = SPL unlock, Result = Success
*Feb 6 23:29:32.319: OTA State = Parameters committed to NVRAM, Result = Success
*Feb 6 23:29:40.999: Over the air provisioning complete; Result:Success
*Feb 6 23:29:41.679: IOTA Status Message Received. Event: IOTA End, Result: SUCCESS
The IOTA start and end must have “success” as the resulting output. If you receive an error message, you can run IOTA independently by using the cellular cdma activate iota command.
Your carrier may require periodic refreshes of the data profile. Use the following command to refresh the data profile: cellular cdma activate iota
28
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Activating with Over-the-Air Service Provisioning
To provision and activate your modem using Over-the-Air Service Provisioning (OTASP), use the following command, beginning in EXEC mode.
router # cellular 0 cdma activate otasp phone_number
Note You need to obtain the phone number for use with this command from your carrier. The standard OTASP calling number is *22899.
The following is a sample output from this command: router# cellular 0 cdma activate otasp *22899
Beginning OTASP activation
OTASP number is *22899
819H#
OTA State = SPL unlock, Result = Success router#
OTA State = PRL downloaded, Result = Success
OTA State = Profile downloaded, Result = Success
OTA State = MDN downloaded, Result = Success
OTA State = Parameters committed to NVRAM, Result = Success
Over the air provisioning complete; Result:Success
Configuring a Cellular Interface
To configure the cellular interface, enter the following commands, beginning in privileged EXEC mode.
Note The PPP Challenge Handshake Authentication Protocol (CHAP) authentication parameters that you use in this procedure must be the same as the username and password provided by your carrier and configured only under the GSM profile. CDMA does not require a username or password.
SUMMARY STEPS
1. configure terminal
2. interface cellular 0
3. encapsulation ppp
4. ppp chap hostname hostname
5. ppp chap password 0 password
6. asynchronous mode interactive
7. ip address negotiated
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
29
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Command or Action configure terminal
Purpose
Enters global configuration mode from the terminal.
Example:
Router# configure terminal interface cellular 0
Example:
Router (config)# interface cellular 0 encapsulation ppp
Specifies the cellular interface.
Specifies PPP encapsulation for an interface configured for dedicated asynchronous mode or dial-on-demand routing (DDR).
Example:
Router (config-if)# encapsulation ppp
ppp chap hostname hostname
Example:
Router (config-if)# ppp chap hostname [email protected]
ppp chap password 0 password
Defines an interface-specific Challenge Handshake
Authentication Protocol (CHAP) hostname. This must match the username given by the carrier. Applies to GSM only.
Defines an interface-specific CHAP password. This must match the password given by the carrier.
Example:
Router (config-if)# ppp chap password 0 cisco asynchronous mode interactive
Example:
Router (config-if)# asynchronous mode interactive ip address negotiated
Example:
Router (config-if)# ip address negotiated
Returns a line from dedicated asynchronous network mode to interactive mode, enabling the slip and ppp commands in privileged EXEC mode.
Specifies that the IP address for a particular interface is obtained via PPP and IPCP address negotiation.
30
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
What to Do Next
Note When the cellular interface requires a static IP address, the address may be configured as IP address negotiated. Through IP Control Protocol (IPCP), the network ensures that the correct static IP address is allocated to the device. If a tunnel interface is configured with the IP address unnumbered <cellular interface> command, the actual static IP address must be configured under the cellular interface, in place of IP address negotiated. For a sample cellular interface configuration, see the
.
Configuring DDR
Perform these steps to configure dial-on-demand routing (DDR) for the cellular interface.
SUMMARY STEPS
1. configure terminal
2. interface cellular 0
3. dialer in-band
4. dialer idle-timeout seconds
5. dialer string string
6. dialer-group number
7. exit
8. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
9. ip access-list <access list number> permit <ip source address>
10. line 3
11. script dialer <regexp>
12. exit
13. For GSM:
14. interface cellular 0
15. dialer string string
DETAILED STEPS
Step 1
Command or Action configure terminal
Example:
Router# configure terminal
Purpose
Enters global configuration mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
31
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Command or Action interface cellular 0
Purpose
Specifies the cellular interface.
Example:
Router (config)# interface cellular 0 dialer in-band Enables DDR and configures the specified serial interface for in-band dialing.
Example:
Router (config-if)# dialer in-band
dialer idle-timeout seconds Specifies the duration of idle time, in seconds, after which a line is disconnected.
Example:
Router (config-if)# dialer idle-timeout 30
dialer string string Specifies the number or string to dial. Use the name of the chat script here.
Example:
Router (config-if)# dialer string gsm
dialer-group number Specifies the number of the dialer access group to which a specific interface belongs.
Example:
Router (config-if)# dialer-group 1 exit Enters the global configuration mode.
Example:
Router (config-if)# exit
dialer-list dialer-group protocol protocol-name {permit |
deny | list access-list-number | access-group}
Creates a dialer list for traffic of interest and permits access to an entire protocol.
Example:
Router (config)# dialer-list 1 protocol ip list 1
ip access-list <access list number> permit <ip source address>
Defines traffic of interest.
Example:
Router (config)# ip access list 1 permit any line 3 Specifies the line configuration mode. It is always 3.
Example:
Router (config-line)# line 3
32
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Step 11
Step 12
Step 13
Step 14
Step 15
Command or Action script dialer <regexp>
Purpose
Specifies a default modem chat script.
Example:
Router (config-line)# script-dialer gsm exit Exits line configuration mode.
Example:
Router (config-line)# exit
For GSM:
Example: chat-script <script name> ”” “ATDT*99*<profile number># ” TIMEOUT <timeout value> CONNECT
Example:
For CDMA:
Example: chat-script script name "" "ATDT*777* profile number#" TIMEOUT timeout value CONNECT
Configures this line for GSM.
Configures this line for CDMA.
Defines the Attention Dial Tone (ATDT) commands when the dialer is initiated.
Example:
Router (config)# chat-script gsm "" "ATDT*98*2#"
TIMEOUT 60 "CONNECT “ interface cellular 0 Specifies the cellular interface.
Example:
Router (config)# interface cellular 0
dialer string string
Example:
Router (config)# dialer string gsm
Specifies the dialer script (defined using the chat script command).
Examples for Configuring Cellular Wireless Interfaces
This section provides the following configuration examples:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
33
Basic Router Configuration
Configuring the Cellular Wireless WAN Interface
Basic Cellular Interface Configuration
The following example shows how to configure a gsm cellular interface to be used as a primary WAN connection. It is configured as the default route.
chat-script gsm "" "ATDT*98*2#" TIMEOUT 60 "CONNECT “
!
interface Cellular0 ip address negotiated encapsulation ppp dialer in-band dialer string gsm dialer-group 1 async mode interactive ppp chap hostname [email protected]
ppp chap password 0 cisco ppp ipcp dns request
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
!
access-list 1 permit any dialer-list 1 protocol ip list 1
!
line 3 exec-timeout 0 0 script dialer gsm login modem InOut
The following example shows how to configure a cdma cellular interface to be used as a primary WAN connection. It is configured as the default route.
chat-script cdma "" "ATDT#777" TIMEOUT 60 "CONNECT “
!
interface Cellular0 ip address negotiated encapsulation ppp dialer in-band dialer string cdma dialer-group 1 async mode interactive ppp chap password 0 cisco
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
!
access-list 1 permit any dialer-list 1 protocol ip list 1
!
line 3 exec-timeout 0 0 script dialer cdma login modem InOut
Tunnel over Cellular Interface Configuration
The following example shows how to configure the static IP address when a tunnel interface is configured with the ip address unnumbered <cellular interface > command: interface Tunnel2 ip unnumbered Cellular0 tunnel source Cellular0 tunnel destination 128.107.248.254
interface Cellular0
34
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Dual SIM for Cellular Networks bandwidth receive 1400000 ip address 23.23.0.1 255.255.0.0
ip nat outside ip virtual-reassembly encapsulation ppp no ip mroute-cache dialer in-band dialer idle-timeout 0 dialer string dial<carrier> dialer-group 1 async mode interactive no ppp lcp fast-start ppp chap hostname <hostname> ppp chap password 0 <password> ppp ipcp dns request
*** gsm only ***
! traffic of interest through the tunnel/cellular interface ip route 10.10.0.0 255.255.0.0 Tunnel2
Configuration for 8705 modem
The following shows how to configure an HSPA+ modem: chat-script hspa "" "AT!SCACT=1,1" TIMEOUT 60 "OK" interface Cellular0 ip address negotiated encapsulation slip dialer in-band dialer pool-member 1 dialer-group 1 async mode interactive interface Dialer1 ip address negotiated ip nat outside ip virtual-reassembly in encapsulation slip dialer pool 1 dialer string hspa dialer-group 1 ip nat inside source list 1 interface Dialer1 overload ip route 0.0.0.0 0.0.0.0 Dialer1 access-list 1 permit any dialer-list 1 protocol ip permit line 3 script dialer hspa+ modem InOut no exec transport input all
Configuring Dual SIM for Cellular Networks
The Dual SIM feature implements auto-switch and failover between two cellular networks on a Cisco 819
ISR. This feature is enabled by default with SIM slot 0 being the primary slot and slot 1 being the secondary
(failover) slot.
Note For instructions on how to configure the Dual SIM feature for 4G LTE cellular networks, see the Cisco
4G LTE Software Installation Guide .
You can configure the Dual SIM feature using the following commands:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
35
Basic Router Configuration
Configuring Dual SIM for Cellular Networks
Command gsm failovertimer gsm sim authenticate gsm sim max-retry gsm sim primary slot gsm sim profile
Syntax gsm failovertimer <1-7> gsm sim authenticate <0,7>
<pin> slot <0-1>
Verifies the SIM CHV1 code.
gsm sim max-retry <0-65535> Specifies the maximum number of failover retries. The default value is 10.
gsm sim primary slot <0-1>
Description
Sets the failover timer in minutes.
gsm sim profile <1-16> slot
<0-1>
Modifies the primary slot assignment.
Configures the SIM profile.
Note the following:
• For auto-switch and failover to work, configure the SIM profile for slots 0 and 1 using the gsm sim
profile command.
• For auto-switch and failover to work, configure the chat script without a specific profile number.
• If no SIM profile is configured, profile #1 is used by default.
• If no GSM failover timer is configured, the default failover timeout is 2 minutes.
• If no GSM SIM primary slot is configured, the default primary SIM is slot 0.
The following example shows you how to set the SIM switchover timeout period to 3 minutes: router(config-controller)# gsm failovertimer 3
The following example shows you how to authenticate using an unencrypted pin: router(config-controller)# gsm sim authenticate
0
1234 slot
0
The following example shows you how to set the maximum number of SIM switchover retries to 20: router(config-controller)# gsm sim max-retry
20
The following example shows you how to set SIM slot 1 as the primary slot: router(config-controller)# gsm sim primary slot 1
36
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Router for Image and Config Recovery Using Push Button
The following example shows you how to configure the SIM card in slot 0 to use profile 10: router(config-controller)# gsm sim profile 10 slot 0
Perform the following commands to manually switch the SIM:
Command cellular GSM SIM gsm sim gsm sim unblock gsm sim change-pin gsm sim activate slot
Syntax cellular GSM SIM {lock | unlock} cellular <unit> gsm sim [lock
| unlock] <pin> cellular <unit> gsm sim unblock <puk> <newpin>
Description
Locks or unlocks the SIM.
Locks or unlocks the gsm SIM.
Unblocks the gsm SIM.
cellular <unit> gsm sim change-pin <oldpin> <newpin>
Changes the PIN of the SIM.
cellular <unit> gsm sim activate slot <slot_no>
Activates the GSM SIM.
The following command forces the modem to connect to SIM1:
Router# cellular
0 gsm sim activate slot 1
Configuring Router for Image and Config Recovery Using Push Button
A push button feature is available on the Cisco 819 ISR. The reset button on the front panel of the router enables this feature.
Perform the following steps to use this feature:
SUMMARY STEPS
1. Unplug power.
2. Press the reset button on the front panel of the router.
3. Power up the sytem while holding down the reset button.
DETAILED STEPS
Step 1
Step 2
Step 3
Unplug power.
Press the reset button on the front panel of the router.
Power up the sytem while holding down the reset button.
The system LED blinks four times indicating that the router has accepted the button push.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
37
Basic Router Configuration
Configuring Router for Image and Config Recovery Using Push Button
What to Do Next
Using this button takes effect only during ROMMON initialization. During a warm reboot, pressing this button has no impact on performance.
Table 12: Push Button Functionality during ROMMON Initialization, on page
38 shows the high level functionality when the button is pushed during ROMMON initialization.
Table 12: Push Button Functionality during ROMMON Initialization
ROMMON Behavior IOS Behavior
• Boots using default baud rate.
• Performs auto-boot.
• Loads the *.default image if available on compact flash
Note If no *.default image is available, the
ROMMON will boot up with the first Cisco
IOS image on flash.
Examples of names for default images: c800-universalk9-mz.SPA.default, c-800-universalk9_npe-mz.151T.default, image.default
If the configuration named *.cfg is available in nvram storage or flash storage, IOS will perform a backup of the original configuration and will boot up using this configuration.
Note You can only have one configuration file with *.cfg option. Having more than one file will result in uncertain operational behavior.
Note You can only have one configuration file with *.cfg option. Having more than one file will result in uncertain operational behavior.
Use the show platform command to display the current bootup mode for the router. The following sections show sample outputs when the button is not pushed and when the button is pushed.
Output When Button Is Not Pushed: Example
router# show platform boot-record
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Not Pressed
Startup-config Backup Status at Boot: No Status
Startup-config(backup file)location : No Backup
Golden config file at location
Config Recovery Status
: No Recovery Detected
: No Status
Output When Button Is Pushed: Example
router# show platform boot-record
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Pressed
Startup-config Backup Status at Boot: Ok
Startup-config(backup file)location : flash:/startup.backup.19000716-225840-UTC
38
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring the Fast Ethernet LAN Interfaces
Golden config file at location
Config Recovery Status
: flash:/golden.cfg
: Ok
Push Button in WLAN AP
When the push button on the front panel is pressed, WLAN AP will perform both image and configuration recovery.
To perform image recovery, WLAN will go into the boot loader so that the user can download the image from the bootloader prompt.
To perform configuration recovery, WLAN AP will overwrite the contents of flash:/config.txt with the contents of flash:/cpconfig-ap802.cfg file if available in flash drive. Otherwise, flash:/config.txt will be deleted.
Configuring the Fast Ethernet LAN Interfaces
The Fast Ethernet LAN interfaces on your router are automatically configured as part of the default VLAN and are not configured with individual addresses. Access is provided through the VLAN. You may assign the interfaces to other VLANs if you want. For more information about creating VLANs, see the
Ethernet Switches, on page 127
.
Configuring a Loopback Interface
The loopback interface acts as a placeholder for the static IP address and provides default routing information.
Perform these steps to configure a loopback interface, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. ip address ip-address mask
3. exit
DETAILED STEPS
Step 1
Command or Action interface type number
Example:
Router(config)# interface Loopback 0
Example:
Router(config-if)#
Purpose
Enters configuration mode for the loopback interface.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
39 OL-31704-02
Basic Router Configuration
Configuring a Loopback Interface
Step 2
Step 3
Command or Action ip address ip-address mask
Example:
Router(config-if)# ip address 10.108.1.1
255.255.255.0
Example:
Router(config-if)# exit
Example:
Router(config-if)# exit
Example:
Router(config)#
Purpose
Sets the IP address and subnet mask for the loopback interface.
Exits configuration mode for the loopback interface and returns to global configuration mode.
What to Do Next
Example
The loopback interface in this sample configuration is used to support Network Address Translation (NAT) on the virtual-template interface. This configuration example shows the loopback interface configured on the
Fast Ethernet interface with an IP address of 200.200.100.1/24, which acts as a static IP address. The loopback interface points back to virtual-template1, which has a negotiated IP address.
!
interface loopback 0 ip address 200.200.100.1 255.255.255.0 (static IP address) ip nat outside
!
interface Virtual-Template1 ip unnumbered loopback0 no ip directed-broadcast ip nat outside
!
Verifying Configuration
To verify that you have properly configured the loopback interface, enter the show interface loopback command.
You should see a verification output similar to the following example:
Router# show interface loopback 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 200.200.100.1/24
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec, reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/0, 0 drops; input queue 0/75, 0 drops
40
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Static Routes
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Another way to verify the loopback interface is to ping it:
Router# ping 200.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Configuring Static Routes
Static routes provide fixed routing paths through the network. They are manually configured on the router. If the network topology changes, the static route must be updated with a new route. Static routes are private routes unless they are redistributed by a routing protocol.
Follow these steps to configure static routes, beginning in global configuration mode.
SUMMARY STEPS
1. ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
2. end
DETAILED STEPS
Step 1
Step 2
Command or Action ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
Example:
Router(config)# ip route 192.168.1.0 255.255.0.0
10.10.10.2
Purpose
Specifies the static route for the IP packets.
For details about this command and about additional parameters that can be set, see Cisco IOS IP Routing:
Protocol-Independent Command Reference .
Example:
Router(config)# end Exits router configuration mode and enters privileged EXEC mode.
Example:
Router(config)# end
Example:
Router#
Cisco 800 Series Integrated Services Routers Software Configuration Guide
41 OL-31704-02
Basic Router Configuration
Configuring Dynamic Routes
What to Do Next
For general information on static routing, see the
.
Example
In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another device with an
IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC.
You do not need to enter the command marked “(default).” This command appears automatically in the configuration file generated when you use the show running-config command.
!
ip classless (default) ip route 192.168.1.0 255.255.255.0 10.10.10.2!
Verifying Configuration
To verify that you have properly configured static routing, enter the show ip route command and look for static routes signified by the “S.”
You should see a verification output similar to the following:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.108.1.0 is directly connected, Loopback0
S* 0.0.0.0/0 is directly connected, FastEthernet0
Configuring Dynamic Routes
In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology.
Changes in dynamic routes are shared with other routers in the network.
The Cisco routers can use IP routing protocols, such as Routing Information Protocol (RIP) or Enhanced
Interior Gateway Routing Protocol (EIGRP), to learn routes dynamically. You can configure either of these routing protocols on your router.
Configuring Routing Information Protocol
To configure the RIP routing protocol on the router, perform these steps, beginning in global configuration mode:
42
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Routing Information Protocol
SUMMARY STEPS
1. router rip
2. version {1 | 2}
3. network ip-address
4. no auto-summary
5. end
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action router rip
Example:
Router> configure terminal
Example:
Router(config)# router rip
Example:
Router(config-router)#
version {1 | 2}
Example:
Router(config-router)# version 2
Example:
Router(config-router)#
network ip-address
Example:
Router(config-router)# network 192.168.1.1
Example:
Router(config-router)# network 10.10.7.1
Example:
Router(config-router)#
Purpose
Enters router configuration mode and enables RIP on the router.
Specifies use of RIP version 1 or 2.
Specifies a list of networks on which RIP is to be applied, using the address of the network of each directly connected network.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
43
Basic Router Configuration
Configuring Routing Information Protocol
Step 4
Step 5
Command or Action no auto-summary
Example:
Router(config-router)# no auto-summary
Example:
Router(config-router)# end
Example:
Router(config-router)# end
Example:
Router#
Purpose
Disables automatic summarization of subnet routes into network-level routes. This allows subprefix routing information to pass across classfull network boundaries.
Exits router configuration mode and enters privileged
EXEC mode.
What to Do Next
For general information on RIP, see the
Example
The following configuration example shows RIP version 2 enabled in IP network 10.0.0.0 and 192.168.1.0.
To see this configuration, use the show running-config command from privileged EXEC mode.
!
Router# show running-config router rip version 2 network 10.0.0.0
network 192.168.1.0
no auto-summary
!
Verifying Configuration
To verify that you have properly configured RIP, enter the show ip route command and look for RIP routes signified by “R.” You should see a verification output like the following example:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C
R
10.108.1.0 is directly connected, Loopback0
3.0.0.0/8 [120/1] via 2.2.2.1, 00:00:02, Ethernet0/0
44
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Basic Router Configuration
Configuring Enhanced Interior Gateway Routing Protocol
Configuring Enhanced Interior Gateway Routing Protocol
To configure Enhanced Interior Gateway Routing Protocol (EIGRP), perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. router eigrp as-number
2. network ip-address
3. end
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
router eigrp as-number
Example:
Router(config)# router eigrp 109
Example:
Router(config)# network ip-address
Example:
Router(config)# network 192.145.1.0
Example:
Router(config)# network 10.10.12.115
Example:
Router(config)# end
Example:
Router(config-router)# end
Example:
Router#
Purpose
Enters router configuration mode and enables EIGRP on the router. The autonomous-system number identifies the route to other EIGRP routers and is used to tag the EIGRP information.
Specifies a list of networks on which EIGRP is to be applied, using the IP address of the network of directly connected networks.
Exits router configuration mode and enters privileged EXEC mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
45
Basic Router Configuration
Configuring Enhanced Interior Gateway Routing Protocol
What to Do Next
For general information on EIGRP concept, see the
.
Example
The following configuration example shows the EIGRP routing protocol enabled in IP networks 192.145.1.0
and 10.10.12.115. The EIGRP autonomous system number is 109.
To see this configuration, use the show running-config command, beginning in privileged EXEC mode.
!
router eigrp 109 network 192.145.1.0
network 10.10.12.115
!
Verifying Configuration
To verify that you have properly configured IP EIGRP, enter the show ip route command and look for EIGRP routes indicated by “D.” You should see a verification output similar to the following:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C
D
10.108.1.0 is directly connected, Loopback0
3.0.0.0/8 [90/409600] via 2.2.2.1, 00:00:02, Ethernet0/0
46
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
3
Configuring Ethernet CFM and Y.1731
Performance Monitoring on Layer 3 Interfaces
This chapter provides procedures for configuring the network interface device functionality, Ethernet data plane loopback, IEEE connectivity fault management, and Y.1731 performance monitoring, and contains the following sections:
•
Configuring a Network Interface Device on the L3 Interface, page 47
•
Ethernet Data Plane Loopback, page 50
•
CFM Support on Routed Port and Port MEP, page 56
•
Support for Y.1731 Performance Monitoring on Routed Port (L3 Subinterface), page 71
Configuring a Network Interface Device on the L3 Interface
Configuring a Network Interface Device (NID) enables support for the NID functionality on the router without including a NID hardware in the network. This feature combines the Customer-Premises Equipment (CPE) and the NID functionality into a physical device. The following are the advantages of configuring the NID functionality:
• Eliminates a physical device.
• Supports both the managed CPE feature set and the NID requirements.
Note This feature is supported only if you have purchased the advipservices licensing module. For more information about managing software activation licenses on the Cisco ISR and Cisco ISR G2 platforms, see http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
.
Configuring the NID
The following steps describe how to configure the NID:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
47 OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring the NID
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port
4. port-tagging
5. encapsulation dot1q vlan-id
6. set cos cos-value
7. end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action enable
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Example:
Router>enable configure terminal Enters the global configuration mode.
Example:
Router#configure terminal
interface gigabitethernet slot/port
Example:
Router(config)#interface gigabitethernet 0/2
Specifies an interface and enters the interface configuration mode.
port-tagging Inserts the VLAN ID into a packet header to identify which
Virtual Local Area Network (VLAN) the packet belongs to.
Example:
Router(config-if)#port-tagging
encapsulation dot1q vlan-id Defines the encapsulation format as IEEE 802.1Q (dot1q), and specifies the VLAN identifier.
Example:
Router(config-if-port-tagging)#encapsulation dot1q 10
set cos cos-value Sets the Layer 2 class of service (CoS) value to an outgoing packet end.
Example:
Router(config-if-port-tagging)#set cos 6
48
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring the NID
Step 7
Command or Action end
Example:
Router(config-if-port-tagging)#end
Purpose
Exits the interface configuration mode.
Configuration Example
This configuration example shows how to configure the NID:
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet 0/2
Router(config-if)# port-tagging
Router(config-if-port-tagging)# encapsulation dot1q 10
Router(config-if-port-tagging)# set cos 6
Router(config-if-port-tagging)# end
Verifying the NID Configuration
Use the following commands to verify the port tagging sessions:
• show run int
• ping
Use the show run int command to display the port tagging sessions:
Router# show run int gi0/2
Building configuration...
Current configuration : 10585 bytes
!
interface GigabitEthernet0/2 no ip address duplex auto speed auto port-tagging encapsulation dot1q 10 set cos 6 exit end
!
interface GigabitEthernet0/2.1101
encapsulation dot1Q 100 ip address 132.1.101.4 255.255.255.0
!
interface GigabitEthernet0/2.1102
encapsulation dot1Q 100 ip address 132.1.102.4 255.255.255.0
!
Use the ping command to verify the connectivity with port tagging configured:
Router# ping
132.1.101.3
Type escape sequence to abort.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
49
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Ethernet Data Plane Loopback
Sending 5, 100-byte ICMP Echos to 132.1.101.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms router#
Troubleshooting the NID Configuration
Table 13: debug Commands for NID Configuration , on page 50
lists the debug commands to troubleshoot the issues pertaining to the NID functionality.
The Cisco IOS Master Command List at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html provides more information about these commands.
Caution Because debugging output is assigned high priority in the CPU process, it can diminish the performance of the router or even render it unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Note Before you run any of the debug commands listed in the following table, ensure that you run the logging
buffered debugging command, and then turn off console debug logging using the no logging console command.
Table 13: debug Commands for NID Configuration debug Command debug ethernet nid configuration debug ethernet nid packet egress debug ethernet nid packet ingress
Purpose
Enables debugging of configuration-related issues.
Enables debugging of packet processing (VLAN tag push) on the egress side.
Enables debugging of packet processing (VLAN tag pop) on the ingress side.
Ethernet Data Plane Loopback
The Ethernet Data Plane Loopback feature provides a means for remotely testing the throughput of an Ethernet port. You can verify the maximum rate of frame transmission with no frame loss.
Note This feature is supported only if you have purchased the advipservices licensing module. For more information about managing software activation licenses on the Cisco ISR and Cisco ISR G2 platforms, see http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
.
50
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Restrictions for Configuring Ethernet Data Plane Loopback
Note Internal Ethernet data plane loopback is not supported.
Figure 4-1 represents a sample topology to configure Ethernet data plane loopback.
Restrictions for Configuring Ethernet Data Plane Loopback
Follow the guidelines and take note of the restrictions listed here when configuring Ethernet data plane loopback on a Layer 3 interface:
• Only external loopback (packets coming from the wire side) on the L3 dot1q subinterface and (untagged) main interface are supported.
• To perform a MAC swap, the destination address and source address must be swapped for the packets that are looped back. If the destination address is broadcast or multicast, the MAC address is used as the source address for the packets that are looped back.
• Loopback operations are supported at line rate.
• Untagged frames are not supported on a subinterface. However, the frames for dot1q and qinq are supported on a subinterface.
• dot1ad is not supported on the main interface. However, untagged frames are supported on the main interface.
• Single VLAN is supported as a filtering option for a subinterface, but VLAN list and VLAN range are not supported.
• Only MAC address is supported as a filtering option for the main interface.
• For the filtering option, the destination MAC cannot be combined with inner VLAN or outer VLAN.
• There is no support for L3 and L4 loopback. Source and destination IP address or source and destination ports will not be swapped.
• Connectivity Fault Management (CFM) packets are transparent to the data plane loopback configuration and cannot be looped back.
• Packets coming from the other side of the wire where loopback is configured and having the same destination MAC address are dropped.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
51
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring External Ethernet Data Plane Loopback
• The broadcast and multicast IP addresses of the broadcast and multicast IP frames that are received cannot be used as the source IP address of the frame when it is sent back to the initiator. In such a case, the IP address of the subinterface is used as the source IP address of the frame when it is sent back to the initiator.
Configuring External Ethernet Data Plane Loopback
Configuring external Ethernet data plane loopback is permitted on a Layer 3 main interface and subinterfaces.
The following steps show how to configure external Ethernet data plane loopback on a subinterface using single and double tagging. (The procedure to configure external Ethernet data plane loopback on the main interface is similar to this procedure.)
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port.sub-port
4. Do one of the following:
• encapsulation dot1q vlan-id
• encapsulation dot1q vlan-id second-dot1q inner vlan-id
5. ethernet loopback permit external
6. end
7. ethernet loopback start local interface gigabitethernet slot/port.sub-port external timeout none
8. ethernet loopback stop local interface gigabitethernet slot/port.sub-port id session-id
9. show ethernet loopback active
DETAILED STEPS
Step 1
Step 2
Command or Action enable
Example:
Router>enable configure terminal
Example:
Router#configure terminal
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Enters the global configuration mode.
52
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring External Ethernet Data Plane Loopback
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action
interface gigabitethernet slot/port.sub-port
Example:
Router(config)#interface gigabitethernet 0/2.1101
Purpose
Specifies the subinterface and enters the subinterface configuration mode.
Do one of the following:
• encapsulation dot1q vlan-id
• encapsulation dot1q vlan-id second-dot1q inner vlan-id
Defines the encapsulation format as IEEE 802.1Q
(dot1q), and specifies the VLAN identifier.
For double tagging, use the second-dot1q keyword and the inner vlan-id argument to specify the VLAN tag.
Example:
Router(config-subif)#encapsulation dot1q 100 or
Example:
Router(config-subif)#encapsulation dot1q 100 second-dot1q 1101 ethernet loopback permit external Configures Ethernet external loopback on the subinterface.
Example:
Router(config-subif)#ethernet loopback permit external end Exits the subinterface configuration mode.
Example:
Router(config-subif)#end ethernet loopback start local interface gigabitethernet
slot/port.sub-port external timeout none
Starts Ethernet external loopback on a subinterface.
Enter timeout as none to have no time out period for the loopback.
Example:
Router#ethernet loopback start local interface gigabitethernet 0/2.1101 external timeout none ethernet loopback stop local interface gigabitethernet
slot/port.sub-port id session-id
Stops Ethernet external loopback on a sub-interface.
Enter the value of the loopback session ID to specify the loopback session that you want to stop.
Example:
Router#ethernet loopback stop local interface gigabitethernet 0/2.1101 id 1
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
53
Configuration Examples for Ethernet Data Plane Loopback
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Step 9
Command or Action show ethernet loopback active
Example:
Router#show ethernet loopback active
Purpose
Displays information to verify if the loopback session has ended.
Configuration Examples for Ethernet Data Plane Loopback
This example shows how to configure Ethernet data plane loopback using single tagging:
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet 0/2.1101
Router(config-subif)# encapsulation dot1q 100
Router(config-subif)# ethernet loopback permit external
Router(config-subif)# end
This example shows how to configure Ethernet data plane loopback using double tagging:
Router> enable
Router# configure terminal
Router(config)# interface gigabitethernet 0/2.1101
Router(config-subif)# encapsulation dot1q 100 second-dot1q 1101
Router(config-subif)# ethernet loopback permit external
Router(config-subif)# end
This example shows how to start an Ethernet data plane loopback:
Router# ethernet loopback start local interface gigabitethernet 0/2.1101 external timeout none
This is an intrusive loopback and the packets matched with the service will not be able to pass through. Continue? (yes/[no]):
Enter yes to continue.
This example shows how to stop an Ethernet data plane loopback:
Router# ethernet loopback stop local interface gigabitethernet 0/2.1101 id 1
Router#*Oct 21 10:16:17.887: %E_DLB-6-DATAPLANE_LOOPBACK_STOP: Ethernet Dataplane Loopback
Stop on interface GigabitEthernet0/2 with session id 1
Router# show ethernet loopback active
Total Active Session(s): 0
Total Internal Session(s): 0
Total External Session(s): 0
Verifying the Ethernet Data Plane Loopback Configuration
Use the following commands to verify the Ethernet data plane loopback configuration:
• show ethernet loopback permitted
• show ethernet loopback active
54
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Troubleshooting the Ethernet Data Plane Loopback Configuration
Use the show ethernet loopback permitted command to view the loopback capabilities per interface:
Router# show ethernet loopback permitted
--------------------------------------------------------------------------------
Interface SrvcInst Direction
Dot1q/Dot1ad(s) Second-Dot1q(s)
--------------------------------------------------------------------------------
Gi0/2.1101
100
N/A
1101
External
Use the show ethernet loopback active command to display the summary of the active loopback sessions on a subinterface:
Router# show ethernet loopback active
Loopback Session ID
Interface
Service Instance
: 1
: GigabitEthernet0/2.1101
: N/A
Direction
Time out(sec)
Status
Start time
Time left
Dot1q/Dot1ad(s)
Second-dot1q(s)
: External
: none
: on
: *10:17:46.930 UTC Mon Oct 21 2013
: N/A
: 100
: 1101
Source Mac Address : Any
Destination Mac Address : Any
Ether Type
Class of service
: Any
: Any
Llc-oui : Any
Total Active Session(s): 1
Total Internal Session(s): 0
Total External Session(s): 1
Use the show ethernet loopback active command to display the summary of the active loopback sessions on the main interface:
Router# show ethernet loopback permitted
Loopback Session ID : 1
Interface
Service Instance
: GigabitEthernet0/2
: N/A
Direction
Time out(sec)
Status
Start time
: External
: none
: on
: *10:14:23.507 UTC Mon Oct 21 2013
Time left
Dot1q/Dot1ad(s)
: N/A
: 1-100
Second-dot1q(s)
Source Mac Address
: 1-1101
: Any
Destination Mac Address : Any
Ether Type
Class of service
: Any
: Any
Llc-oui : Any
Total Active Session(s): 1
Total Internal Session(s): 0
Total External Session(s): 1
Troubleshooting the Ethernet Data Plane Loopback Configuration
Table 14: debug Commands for Ethernet Data Plane Loopback Configuration , on page 56
lists the debug commands to troubleshoot issues pertaining to the Ethernet Data Plane Loopback feature. The Cisco IOS
Master Command List at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html provides more information about these commands.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
55
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
CFM Support on Routed Port and Port MEP
Caution Because debugging output is assigned high priority in the CPU process, it can diminish the performance of the router or even render it unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Note Before you run any of the debug commands listed in the following table, ensure that you run the logging
buffered debugging command, and then turn off console debug logging using the no logging console command.
Table 14: debug Commands for Ethernet Data Plane Loopback Configuration debug Command debug elb-pal-pd all debug elb-pal-pd error debug elb-pal-pd event
Purpose
Displays all the debugging information about the
Ethernet data plane loopback configuration.
Displays debugging information about Ethernet data plane loopback configuration errors.
Displays debugging information about Ethernet data plane loopback configuration changes.
CFM Support on Routed Port and Port MEP
IEEE Connectivity Fault Management (CFM) is an end-to-end per-service Ethernet-layer Operations,
Administration, and Maintenance (OAM) protocol. CFM includes proactive connectivity monitoring, fault verification, and fault isolation for large Ethernet metropolitan-area networks (MANs) and WANs.
Note This feature is supported only if you have purchased the advipservices licensing module. For more information about managing software activation licenses on the Cisco ISR and Cisco ISR G2 platforms, see http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
.
Restrictions for Configuring Ethernet CFM
• A specific domain must be configured. If it is not, an error message is displayed.
• Multiple domains (different domain names) having the same maintenance level can be configured.
However, associating a single domain name with multiple maintenance levels is not permitted.
56
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Port MEP)
Configuring Ethernet CFM (Port MEP)
Complete these steps to configure and enable Ethernet CFM on a port Maintenance End Point (MEP):
SUMMARY STEPS
1. enable
2. configure terminal
3. ethernet cfm ieee
4. ethernet cfm global
5. ethernet cfm domain domain-name level value
6. service service-name port
7. continuity-check interval value
8. end
9. configure terminal
10. interface gigabitethernet slot/port
11. ethernet cfm mep domain domain-name mpid mpid-value service service-name
12. end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action enable
Example:
Router>enable configure terminal
Example:
Router#configure terminal ethernet cfm ieee
Example:
Router(config)#ethernet cfm ieee ethernet cfm global
Example:
Router(config)#ethernet cfm global
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Enters the global configuration mode.
Enables the IEEE version of CFM.
Enables CFM processing globally on the router.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
57
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Port MEP)
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Command or Action Purpose
ethernet cfm domain domain-name level value
Example:
Defines a CFM maintenance domain at a specified level, and enters the Ethernet CFM configuration mode.
level can be any value from 0 to 7.
Router(config-ecfm)#ethernet cfm domain carrier level 2
service service-name port Creates a service on the interface and sets the
config-ecfm-srv submode.
Example:
Router(config-ecfm)#service carrier port
continuity-check interval value Enables sending continuity check messages at the set interval.
Example:
Router(config-ecfm-srv)#continuity-check interval 100m end Returns the router to the privileged EXEC mode.
Example:
Router(config-ecfm-srv)#end configure terminal Enters the global configuration mode.
Example:
Router#configure terminal
interface gigabitethernet slot/port Specifies an interface and enters the interface configuration mode.
Example:
Router(config)#interface gigabitethernet 0/2
ethernet cfm mep domain domain-name mpid
mpid-value service service-name
Sets a port to a maintenance domain and defines it as an
MEP.
Note The values for domain and service must be the same as the values configured for CFM.
Example:
Router(config-if)#ethernet cfm mep domain carrier mpid 44 service carrier end Returns the router to the privileged EXEC mode.
Example:
Router(config-if-ecfm-mep)#end
58
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Port MEP)
Configuration Example for Ethernet CFM (Port MEP)
This example shows how to configure Ethernet CFM on a port MEP:
Router> enable
Router# configure terminal
Router(config)# ethernet cfm ieee
Router(config)# ethernet cfm global
Router(config-ecfm)# ethernet cfm domain carrier level 2
Router(config-ecfm)# service carrier port
Router(config-ecfm-srv)# continuity-check interval 100m
Router(config-ecfm-srv)# end
Router# configure terminal
Router(config)# interface gigabitethernet
0/2
Router(config-if)# ethernet cfm mep domain carrier mpid 44 service carrier
Router(config-if-ecfm-mep)# end
Verifying the Ethernet CFM Configuration on a Port MEP
Use the following commands to verify Ethernet CFM configured on a port MEP:
• show ethernet cfm domain
• show ethernet cfm maintenance-points local
• show ethernet cfm maintenance-points remote
• ping ethernet mpid mpid-value domain domain-name service service-name cos value
• traceroute ethernet mpid mpid-value domain domain-name service service-name
• show ethernet cfm error configuration
Use the show ethernet cfm domain command to view details about CFM maintenance domains:
Router# show ethernet cfm domain carrier
Domain Name: carrier
Level: 2
Total Services: 1
Services:
Type Id Dir CC CC-int Static-rmep Crosscheck MaxMEP Source MA-Name
Port none Dwn Y
Router#
100ms Disabled Disabled 100 Static carrier
Use the show ethernet cfm maintenance-points local command to view the MEPs that are configured locally on a router. The following is a sample output of the show ethernet cfm maintenance-points local command:
Router# show ethernet cfm maintenance-points local
Local MEPs:
--------------------------------------------------------------------------------
MPID Domain Name Lvl MacAddress Type CC
Ofld Domain Id
MA Name
Dir Port
SrvcInst
Id
Source
EVC name
--------------------------------------------------------------------------------
44 carrier
No carrier carrier
2 5657.a844.04fa Port Y
Down Gi0/2 none
N/A Static
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
59
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Port MEP)
N/A
Total Local MEPs: 1
Local MIPs: None
Use the show ethernet cfm maintenance-points remote command to display information about remote maintenance point domains or levels. In the following example, carrier, Provider, and customer are the maintenance point domains that are configured:
On router 1:
Router1# show ethernet cfm maintenance-points remote
--------------------------------------------------------------------------------
MPID Domain Name MacAddress IfSt PtSt
Lvl Domain ID
RDI MA Name
EVC Name
Local MEP Info
Ingress
Type Id SrvcInst
Age
--------------------------------------------------------------------------------
43 carrier 5657.a86c.fa92
Up N/A
2
carrier carrier
N/A
Gi0/2
Port none N/A
0s
33
5
-
MPID: 44 Domain: carrier MA: carrier
Provider
Provider
Provider
5657.a86c.fa92
Gi0/2.100
Vlan 100
Up
N/A
0s
Up
3101 customer
7
-
N/A
MPID: 34 Domain: Provider MA: Provider customer customer1101
3102 customer
7 customer
-
N/A
MPID: 4101 Domain: customer MA: customer1101 customer1102
N/A
5657.a86c.fa92
Gi0/2.1102
S,C 100,1102
MPID: 4102 Domain: customer MA: customer1102
Total Remote MEPs: 4
5657.a86c.fa92
Gi0/2.1101
S,C 100,1101
Up
N/A
0s
Up
N/A
0s
Up
Up
Use the show ethernet cfm maintenance-points remote command to view the details of a remote maintenance point domain:
On router 1:
Router1# show ethernet cfm maintenance-points remote domain carrier service carrier
--------------------------------------------------------------------------------
MPID Domain Name MacAddress IfSt PtSt
Lvl
RDI
Domain ID
MA Name
EVC Name
Local MEP Info
Ingress
Type Id SrvcInst
Age
--------------------------------------------------------------------------------
43
2 carrier carrier
5657.a86c.fa92
Gi0/2
Up Up
carrier
N/A
S,C 100,1101 N/A
0s
MPID: 44 Domain: carrier MA: carrier
Total Remote MEPs: 1
On router 2:
Router2# show ethernet cfm maintenance-points remote domain carrier service carrier
--------------------------------------------------------------------------------
MPID Domain Name
Lvl Domain ID
MacAddress
Ingress
IfSt PtSt
RDI MA Name
EVC Name
44
2 carrier carrier
Type Id
5657.g945.04fa
Gi0/2
SrvcInst
Age
Local MEP Info
--------------------------------------------------------------------------------
Up Up
60
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Single-Tagged Packets)
carrier
N/A
MPID: 43 Domain: carrier MA: carrier
S,C 100,1101 N/A
0s
Use the ping command to verify if Loopback Messages (LBM) and Loopback Replies (LBR) are successfully sent and received between the routers:
Router1# ping ethernet mpid 44 domain carrier service carrier cos 5
Type escape sequence to abort.
Sending 5 Ethernet CFM loopback messages to 5657.a86c.fa92, timeout is 5 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router1#
Use the traceroute command to send the Ethernet CFM traceroute messages:
Router# traceroute ethernet mpid 44 domain carrier service carrier
Type escape sequence to abort. TTL 64. Linktrace Timeout is 5 seconds
Tracing the route to 5657.a86c.fa92 on Domain carrier, Level 2, service carrier
Traceroute sent via Gi0/2
B = Intermediary Bridge
! = Target Destination
* = Per hop Timeout
--------------------------------------------------------------------------------
MAC Ingress Ingr Action Relay Action
Hops Host Forwarded Egress Egr Action Previous Hop
--------------------------------------------------------------------------------
! 1 5657.a86c.fa92 Gi0/2
Not Forwarded
IngOk RlyHit:MEP
5657.g945.04fa
Router#
Configuring Ethernet CFM (Single-Tagged Packets)
Complete these steps to configure and enable Ethernet CFM for single-tagged packets:
SUMMARY STEPS
1. enable
2. configure terminal
3. ethernet cfm ieee
4. ethernet cfm global
5. ethernet cfm domain domain-name level value
6. service service-name vlan vlan-id direction down
7. continuity-check
8. interface gigabitethernet slot/port
9. ethernet cfm mep domain domain-name mpid mpid-value service service-name
10. interface gigabitethernet slot/port.subinterface
11. encapsulation dot1q vlan-id
12. end
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
61
Configuring Ethernet CFM (Single-Tagged Packets)
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Command or Action enable
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Example:
Router>enable configure terminal Enters the global configuration mode.
Example:
Router#configure terminal ethernet cfm ieee Enables the IEEE version of CFM.
Example:
Router(config)#ethernet cfm ieee ethernet cfm global Enables CFM processing globally on the router.
Example:
Router(config)#ethernet cfm global
ethernet cfm domain domain-name level value
Example:
Defines a CFM maintenance domain at a specified level, and enters the Ethernet CFM configuration mode.
level can be any value from 0 to 7.
Router(config)#ethernet cfm domain customer level
7
service service-name vlan vlan-id direction down Enters the CFM service configuration mode.
vlan—Specifies the VLAN.
Example:
Router(config-ecfm)#service customer1101 vlan
100 direction down continuity-check Enables sending continuity check messages.
Example:
Router(config-ecfm-srv)#continuity-check
interface gigabitethernet slot/port Specifies an interface and enters the interface configuration mode.
Example:
Router(config-ecfm-srv)#interface gigabitethernet
0/2
ethernet cfm mep domain domain-name mpid
mpid-value service service-name
Sets a port to a maintenance domain and defines it as an
MEP.
62
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Single-Tagged Packets)
Step 10
Step 11
Step 12
Command or Action
Example:
Router(config-if)#ethernet cfm mep domain customer mpid 100 service customer1101
interface gigabitethernet slot/port.subinterface
Example:
Router(config-if-ecfm-mep)#interface gigabitethernet 0/2.1
encapsulation dot1q vlan-id
Example:
Router(config-subif)#encapsulation dot1q 100 end
Example:
Router(config-subif)#end
Purpose
Note The values for domain and service must be the same as the values that were configured for
CFM.
Specifies a subinterface and enters the subinterface configuration mode.
Defines the encapsulation format as IEEE 802.1Q (dot1q), and specifies the VLAN identifier.
Returns the router to the privileged EXEC mode.
Configuration Example for Ethernet CFM (Single-Tagged Packets)
This example shows how to configure Ethernet CFM for single-tagged packets:
Router> enable
Router# configure terminal
Router(config)# ethernet cfm ieee
Router(config)# ethernet cfm global
Router(config)# ethernet cfm domain customer level 7
Router(config-ecfm)# service customer1101 vlan 100 direction down
Router(config-ecfm-srv)# continuity-check
Router(config)# interface gigabitethernet
0/2
Router(config-if)# ethernet cfm mep domain customer mpid 100 service customer1101
Router(config-if-ecfm-mep)# interface gigabitethernet 0/2.1
Router(config-subif)# encapsulation dot1q 100
Router(config-subif)# end
Verifying the Ethernet CFM Configuration for Single-Tagged Packets
Use the following commands to verify Ethernet CFM configured for single-tagged packets:
• show ethernet cfm domain
• show ethernet cfm maintenance-points local
• show ethernet cfm maintenance-points remote
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
63
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Single-Tagged Packets)
• show ethernet cfm error configuration
Use the show ethernet cfm domain command to display the maintenance point domains configured in the network. In the following example, the customer, enterprise, and carrier maintenance point domains are configured.
Router# show ethernet cfm domain
Domain Name: customer
Level: 7
Total Services: 1
Services:
Type Id Dir CC CC-int Static-rmep Crosscheck MaxMEP Source MA-Name
Vlan 100 Dwn Y 10s Disabled Disabled 100 Static customer1101
Domain Name: enterprise
Level: 6
Total Services: 1
Services:
Type Id Dir CC CC-int Static-rmep Crosscheck MaxMEP Source MA-Name
Vlan 110 Dwn Y 10s
Domain Name: carrier
Disabled Disabled 100 Static custservice
Level: 2
Total Services: 1
Services:
Type Id Dir CC CC-int Static-rmep Crosscheck MaxMEP Source MA-Name
Vlan 200
Router#
Dwn Y 10s Disabled Disabled 100 Static carrier
Use the show ethernet cfm maintenance-points local command to view the local MEPs. The following is a sample output of the show ethernet cfm maintenance-points local command:
Router# show ethernet cfm maintenance-points local
--------------------------------------------------------------------------------
MPID Domain Name Lvl MacAddress Type CC
Ofld Domain Id
MA Name
Dir Port
SrvcInst
Id
Source
EVC name
--------------------------------------------------------------------------------
100 customer 7 70ca.9b4d.a400 Vlan Y
No customer customer1101
N/A
400 enterprise
Down Gi0/2
N/A
100
Static
No enterprise custservice
N/A
6 70ca.9b4d.a400 Vlan I
Down Gi0/1
N/A
110
Static
44
No carrier carrier carrier
N/A
Total Local MEPs: 3
Local MIPs: None
Router#
2 70ca.9b4d.a400 Vlan N
Down Gi0/2 200
N/A Static
Use the show ethernet cfm maintenance-points remote command to display information about remote maintenance point domains or levels.
The following example displays the continuity check messages exchanged between remote MEPs:
On router 1:
Router1# show ethernet cfm maintenance-points remote
-----------------------------------------------------------------------------------------
MPID Domain Name MacAddress IfSt PtSt
Lvl Domain
RDI MA
EVC Name
Local MEP Info
Ingress
Type Id SrvcInst
Age
-----------------------------------------------------------------------------------------
110 customer 70ca.9b4d.a400
Up Up
7 customer
customer1101
Gi0/2
Vlan 100 N/A
64
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Double-Tagged Packets)
N/A
MPID: 100 Domain: customer MA: customer1101
410 enterprise
6 enterprise
custservice
70ca.9b4d.a400
Gi0/1
Vlan 110
N/A
MPID: 400 Domain: enterprise MA: custservice
43 carrier
2 carrier
70ca.9b4d.a400
Gi0/2
carrier
N/A
Vlan 200
MPID: 44 Domain: carrier MA: carrier
Total Remote MEPs: 3
Router1#
On router 2:
12s
Up
N/A
12s
Up
N/A
12s
Up
Up
Router2# show ethernet cfm maintenance-points remote
-----------------------------------------------------------------------------------------
MPID Domain Name MacAddress IfSt PtSt
Lvl Domain
RDI MA
EVC Name
Local MEP Info
Ingress
Type Id SrvcInst
Age
-----------------------------------------------------------------------------------------
100 customer
7 customer
0026.99f7.0b41
Gi0/2
Up Up
customer1101
N/A
Vlan 100 N/A
2s
MPID: 110 Domain: customer MA: customer1101
400 enterprise 0026.99f7.0b41
6 enterprise
custservice
N/A
Gi0/1
Vlan 110
Up
N/A
2s
Up
MPID: 410 Domain: enterprise MA: custservice
44 carrier 0026.99f7.0b41
2
carrier carrier
N/A
Gi0/2
Vlan 200
MPID: 43 Domain: carrier MA: carrier
Total Remote MEPs: 3
Router2#
Up
N/A
2s
Up
Use the show ethernet cfm error configuration command to view Ethernet CFM configuration errors (if any). The following is a sample output of the show ethernet cfm error configuration command:
Router# show ethernet cfm error configuration
--------------------------------------------------------------------------------
CFM Interface Type Id Level Error type
--------------------------------------------------------------------------------
Gi0/2 S,C 100 5 CFMLeak
Configuring Ethernet CFM (Double-Tagged Packets)
Complete these steps to configure and enable Ethernet CFM for double-tagged packets:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
65
Configuring Ethernet CFM (Double-Tagged Packets)
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
SUMMARY STEPS
1. enable
2. configure terminal
3. ethernet cfm ieee
4. ethernet cfm global
5. ethernet cfm domain domain-name level 0 to 7
6. service service-name vlan vlan-id inner-vlan inner vlan-id direction down
7. continuity-check
8. interface gigabitethernet slot/port
9. ethernet cfm mep domain domain-name mpid mpid-value service service-name
10. interface gigabitethernet slot/port.subinterface
11. encapsulation dot1q vlan-id second-dot1q inner vlan-id
12. end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action enable
Example:
Router>enable configure terminal
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Enters the global configuration mode.
Example:
Router#configure terminal ethernet cfm ieee
Example:
Router(config)#ethernet cfm ieee ethernet cfm global
Enables the IEEE version of CFM.
Enables CFM processing globally on the router.
Example:
Router(config)#ethernet cfm global
ethernet cfm domain domain-name level 0 to 7
Example:
Router(config-ecfm)#ethernet cfm domain customer level 7
service service-name vlan vlan-id inner-vlan inner
vlan-id direction down
Defines a CFM maintenance domain at a specified level, and enters Ethernet CFM configuration mode.
level can be any value from 0 to 7.
Enters the CFM service configuration mode.
The following are the parameters:
66
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Double-Tagged Packets)
Step 7
Step 8
Step 9
Step 10
Step 11
Step 12
Command or Action
Example:
Router(config-ecfm)#service customer1101 vlan
100 inner-vlan 30 direction down
Purpose
• vlan—Specifies the VLAN.
• inner-vlan—The inner-vlan keyword and the inner
vlan-id argument specify the VLAN tag for double-tagged packets.
continuity-check Enables sending continuity check messages.
Example:
Router(config-ecfm-srv)#continuity-check
interface gigabitethernet slot/port Specifies an interface and enters the interface configuration mode.
Example:
Router(config-ecfm-srv)#interface gigabitethernet 0/2
ethernet cfm mep domain domain-name mpid
mpid-value service service-name
Example:
Router(config-if)#ethernet cfm mep domain customer mpid 100 service customer1101
interface gigabitethernet slot/port.subinterface
Sets a port to a maintenance domain and defines it as an
MEP.
Note The values for domain and service must be the same as the values configured for CFM.
MPID—Specifies the maintenance endpoint identifier.
Specifies a subinterface and enters the subinterface configuration mode.
Example:
Router(config-if-ecfm-mep)#interface gigabitethernet 0/2.1101
encapsulation dot1q vlan-id second-dot1q inner vlan-id
Example:
Router(config-subif)#encapsulation dot1q 100 second-dot1q 30 end
Defines the encapsulation format as IEEE 802.1Q (dot1q), and specifies the VLAN identifier.
Use the second-dot1q keyword and the inner vlan-id argument to specify the VLAN tag.
Returns the router to the privileged EXEC mode.
Example:
Router(config-subif)#end
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
67
Configuring Ethernet CFM (Double-Tagged Packets)
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuration Example for Ethernet CFM (Double-Tagged Packets)
This example shows how to configure Ethernet CFM for double-tagged packets:
Router> enable
Router# configure terminal
Router(config)# ethernet cfm ieee
Router(config)# ethernet cfm global
Router(config-ecfm)# ethernet cfm domain customer level 7
Router(config-ecfm)# service customer1101 vlan 100 inner-vlan 30 direction down
Router(config-ecfm-srv)# continuity-check
Router(config-ecfm-srv)# interface gigabitethernet
0/2
Router(config-if)# ethernet cfm mep domain customer mpid 100 service customer1101
Router(config-if-ecfm-mep)# interface gigabitethernet 0/2.1101
Router(config-subif)# encapsulation dot1q 100 second-dot1q 30
Router(config-subif)# end
Verififying the Ethernet CFM Configuration for Double-Tagged Packets
Use the following commands to verify Ethernet CFM configured for double-tagged packets:
• show ethernet cfm maintenance-points local
• show ethernet cfm maintenance-points remote
• ping ethernet mpid mpid-value domain domain-name service service-name cos value
• traceroute ethernet mpid mpid-value domain domain-name service service-name
• show ethernet cfm error configuration
Use the show ethernet cfm maintenance-points local command to view the local MEPs. The following is a sample output of the show ethernet cfm maintenance-points local command:
Router# show ethernet cfm maintenance-points local
----------------------------------------------------------------------------------
MPID Domain Name
Lvl Domain ID
MacAddress
Ingress
IfSt PtSt
RDI MA Name
EVC Name
Type Id
Age
SrvcInst
Local MEP Info
----------------------------------------------------------------------------------
Up Up 100 customer
7 customer
customer1101
8843.e154.6f01
Gi0/2.1101
S, C 100, 30 N/A
N/A 58s
MPID: 100 Domain: customer MA: customer1101
Router#
Use the show ethernet cfm maintenance-points remote command to display the remote maintenance point domains. In the following example, customer, carrier, and enterprise are the maintenance point domains that are configured:
On router 1:
Router1# show ethernet cfm maintenance-points remote
----------------------------------------------------------------------------------
MPID Domain Name
Lvl Domain ID
RDI MA Name
EVC Name
MacAddress
Ingress
Type Id
IfSt
SrvcInst
Age
PtSt
Local MEP Info
68
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Ethernet CFM (Double-Tagged Packets)
----------------------------------------------------------------------------------
110 customer 8843.e154.6f01
Up Up
7
customer customer1101
N/A
Gi0/2.1101
S, C 100, 30 N/A
58s
MPID: 100 Domain: customer MA: customer1101
43 carrier 8843.e154.6f01
2 carrier
carrier
Gi0/2.2
S, C 50, 20
N/A
MPID: 44 Domain: carrier MA: carrier
410 enterprise 8843.e154.6f01
Up
N/A
58s
Up
Up
Up
6 enterprise
custservice
N/A
MPID: 400 Domain: enterprise MA: custservice
Router1#
Gi0/1.1
S, C 200, 70 N/A
58s
On router 2:
Router2# show ethernet cfm maintenance-points remote
----------------------------------------------------------------------------------
IfSt PtSt MPID Domain Name
Lvl Domain ID
RDI MA Name
EVC Name
Local MEP Info
MacAddress
Ingress
Type Id SrvcInst
Age
----------------------------------------------------------------------------------
100 customer 0026.99f7.0b41
Up Up
7
customer customer1101
N/A
Gi0/2.1101
S, C 100, 30 N/A
40s
MPID: 110 Domain: customer MA: customer1101
44 carrier 0026.99f7.0b41
2 carrier
carrier
Gi0/2.2
S, C 50, 20
N/A
MPID: 43 Domain: carrier MA: carrier
400 enterprise 0026.99f7.0b41
6 enterprise
custservice
N/A
MPID: 410 Domain: enterprise MA: custservice
Router2#
Gi0/1.1
S, C 200, 70
Up
N/A
40s
Up
N/A
40s
Up
Up
Use the ping command to verify if Ethernet CFM loopback messages are successfully sent and received between the routers:
Router# ping ethernet mpid 100 domain customer service customer1101 cos 5
Type escape sequence to abort.
Sending 5 Ethernet CFM loopback messages to 8843.e154.6f01, timeout is 5 seconds:!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router#
Use the traceroute command to send the Ethernet CFM traceroute messages:
Router# traceroute ethernet mpid 100 domain customer service customer1101
Type escape sequence to abort. TTL 64. Linktrace Timeout is 5 seconds
Tracing the route to 8843.e154.6f01 on Domain customer, Level 7, service customer1101, vlan
100 inner-vlan 30
Traceroute sent via Gi0/2.1101
B = Intermediary Bridge
! = Target Destination
* = Per hop Timeout
--------------------------------------------------------------------------------
MAC Ingress Ingr Action Relay Action
Hops Host Forwarded Egress Egr Action Previous Hop
--------------------------------------------------------------------------------
! 1 8843.e154.6f01 Gi0/2.1101 IngOk
Not Forwarded
RlyHit:MEP
5657.a86c.fa92
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
69
Configuring Ethernet CFM (Double-Tagged Packets)
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Use the show ethernet cfm error configuration command to view Ethernet CFM configuration errors (if any). The following is a sample output of the show ethernet cfm error configuration command:
Router# show ethernet cfm error configuration
--------------------------------------------------------------------------------
CFM Interface Type Id Level Error type
--------------------------------------------------------------------------------
Gi0/2
Gi0/2
S,C 100,30
S,C 100,30
5
1
CFMLeak
CFMLeak
Troubleshooting Ethernet CFM Configuration
Table 15: debug Commands for Ethernet CFM Configuration , on page 70
lists the debug commands to troubleshoot issues pertaining to the Ethernet CFM configuration.
The Cisco IOS Master Command List at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html provides more information about these commands.
Caution Because debugging output is assigned high priority in the CPU process, it can diminish the performance of the router or even render it unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Note Before you run any of the debug commands listed in the following table, ensure that you run the logging
buffered debugging command, and then turn off console debug logging using the no logging console command.
Table 15: debug Commands for Ethernet CFM Configuration debug Command debug ethernet cfm all debug ethernet cfm diagnostic debug ethernet cfm error debug ethernet cfm packets debug ecfmpal all debug ecfmpal api
Purpose
Enables all Ethernet CFM debug messages.
Enables low-level diagnostic debugging of Ethernet
CFM general events or packet-related events.
Enables debugging of Ethernet CFM errors.
Enables debugging of Ethernet CFM message packets.
Enables debug messages for all Ethernet CFM platform events.
Displays debug messages for all Ethernet CFM platform API events.
70
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Support for Y.1731 Performance Monitoring on Routed Port (L3 Subinterface) debug Command debug ecfmpal common debug ecfmpal ecfmpal debug ecfmpal epl debug ecfmpal isr
Purpose
Displays debug messages for all Ethernet CFM platform common events.
Enables debugging of all Ethernet CFM platform events.
Enables debugging of all Ethernet CFM platform endpoint list (EPL) events.
Enables debugging of all Ethernet CFM platform interrupt service request (ISR) events.
Support for Y.1731 Performance Monitoring on Routed Port (L3
Subinterface)
Y.1731 Performance Monitoring (PM) provides a standard Ethernet PM function that includes measurement of Ethernet frame delay, frame delay variation, frame loss, and frame throughput measurements specified by the ITU-T Y-1731 standard and interpreted by the Metro Ethernet Forum (MEF) standards group.
Note This feature is supported only if you have purchased the advipservices licensing module. For more information about managing software activation licenses on the Cisco ISR and Cisco ISR G2 platforms, see http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html
.
Frame Delay
Ethernet frame delay measurement is used to measure frame delay and frame delay variations. Ethernet frame delay is measured using the Delay Measurement Message (DMM) method.
Restrictions for Configuring Two-Way Delay Measurement
Follow the guidelines and restrictions listed here when you configure two-way delay measurement:
• Y.1731 PM measurement works only for a point-to-point network topology.
• The granularity of the clock for delay measurement is in seconds and nanoseconds.
• CFM Y.1731 packets work with a maximum of two VLAN tags. The expected behavior is not observed with more VLAN tags. Also, CFM Y.1731 packets do not work with untagged cases.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
71 OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuring Two-Way Delay Measurement
Configuring Two-Way Delay Measurement
The following steps show how to configure two-way delay measurement. Both single and double tagging methods are included in the steps listed below.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip sla operation number
4. Do one of the following:
• ethernet y1731 delay DMM domain value vlan vlan-id mpid value cos value source mpid value
• ethernet y1731 delay DMM domain value vlan vlan-id inner-vlan inner vlan-id mpid value cos
value source mpid value
5. aggregate interval seconds
6. exit
7. ip sla schedule operation number life value forever start-time value
8. end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action enable
Example:
Router> enable configure terminal
Purpose
Enables the privileged EXEC mode.
Enter your password when prompted.
Enters the global configuration mode.
Example:
Router# configure terminal
ip sla operation number
Example:
Router(config)# ip sla 1101
Do one of the following:
• ethernet y1731 delay DMM domain value
vlan vlan-id mpid value cos value source
mpid value
Enables the IP SLA configuration.
operation-number —The IP SLA operation you want to configure.
Configures a two-way delay measurement.
Note Both single tagging and double tagging are supported.
The following are the parameters:
• delay—Specifies the delay distribution parameter.
72
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Configuration Examples for Two-Way Delay Measurement
Step 5
Step 6
Step 7
Step 8
Command or Action Purpose
Note DMM is the only supported delay distribution parameter.
• ethernet y1731 delay DMM domain value
vlan vlan-id inner-vlan inner vlan-id mpid
value cos value source mpid value • vlan—Specifies the VLAN.
• inner-vlan—The inner-vlan keyword and the inner vlan-id argument specify the VLAN tag for double-tagged packets.
Example:
Router(config-ip-sla)# ethernet y1731 delay
DMM domain customer vlan 100 mpid 3101 cos
1 source mpid 4101 or Note
• cos—Specifies the CoS. The value can be any number between 0 and 7.
For double-tagged packets, the cos value corresponds to the value specified for the outer tag.
Example: • mpid—Specifies the destination MPID.
Router(config-ip-sla)# ethernet y1731 delay
DMM domain customer vlan 100 inner-vlan
1101 mpid 3101 cos 1 source mpid 4101
aggregate interval seconds
• source—Specifies the source MPID.
Configures the Y.1731 aggregation parameter, where aggregate
interval refers to the interval at which the packets are sent.
Example:
seconds —Specifies the length of time, in seconds.
Router(config-sla-y1731-delay)# aggregate interval 30 exit Exits the router configuration mode.
Example:
Router(config-sla-y1731-delay)# exit
ip sla schedule operation number life value forever
start-time value
Schedules the two-way delay measurement.
• life—Specifies a period of time (in seconds) to execute. The value can also be set as forever .
Example:
Router(config)#ip sla schedule 1101 life forever start-time now
• start-time—Specifies the time at which to start the entry.
The options available are after, hh:mm, hh:mm:ss, now, and
pending .
end
Example:
Router(config)#end
Exits the router configuration mode and returns to the privileged
EXEC mode.
Configuration Examples for Two-Way Delay Measurement
This example shows how to configure two-way delay measurement using single tagging: router> enable
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
73
Verifying Two-Way Delay Measurement Configuration
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces router# configure terminal router(config)# ip sla
1101 router(config-ip-sla)# ethernet y1731 delay DMM domain customer vlan 100 mpid 3101 cos 1 router(config-sla-y1731-delay)# aggregate interval 30 router(config-sla-y1731-delay)# exit router(config)# ip sla schedule 1102 life forever start-time now router(config)# end
This example shows how to configure two-way delay measurement using double tagging: router> enable router# configure terminal router(config)# ip sla
1101 router(config-ip-sla)# ethernet y1731 delay DMM domain customer vlan 100 inner-vlan 1101 mpid 3101 cos 1 source mpid 4101 router(config-sla-y1731-delay)# aggregate interval 30 router(config-sla-y1731-delay)# exit router(config)# ip sla schedule 1101 life forever start-time now router(config)# end
Verifying Two-Way Delay Measurement Configuration
Use the following commands to verify the performance-monitoring sessions:
• show run | sec ip sla
• show ip sla summary
• show ip sla statistics entry-number
• show ip sla configuration entry-number
• show ethernet cfm pm session summary
• show ethernet cfm pm session detail session-id
• show ethernet cfm pm session db session-id
The following are the sample outputs of the commands listed above:
Router# show run | sec ip sla ip sla auto discovery ip sla 1101 ethernet y1731 delay DMM domain customer vlan 100 inner-vlan 1101 mpid 3101 cos
1 source mpid 4101 ip sla schedule 1101 life forever start-time now
Router# show ip sla summary
IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
ID
*1101
Type Destination lan:100 CVlan:110
1 Mpid:3101
Stats y1731-delay Domain:customer V -
Return
OK
Last
(ms) Code Run
-----------------------------------------------------------------------
27 seconds ag o
Router# show ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 1101
Delay Statistics for Y1731 Operation 1101
Type of operation: Y1731 Delay Measurement
Latest operation start time: *10:43:12.930 UTC Mon Oct 21 2013
Latest operation return code: OK
74
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Verifying Two-Way Delay Measurement Configuration
Distribution Statistics:
Interval
Start time: *10:43:12.930 UTC Mon Oct 21 2013
Elapsed time: 15 seconds
Number of measurements initiated: 7
Number of measurements completed: 7
Flag: OK
Router# show ip sla configuration 1101
IP SLAs Infrastructure Engine-III
Entry number: 1101
Owner:
Tag:
Operation timeout (milliseconds): 5000
Ethernet Y1731 Delay Operation
Frame Type: DMM
Domain: customer
Vlan: 100
CVlan: 1101
Target Mpid: 3101
Source Mpid: 4101
CoS: 1
Max Delay: 5000
Request size (Padding portion): 64
Frame Interval: 1000
Clock: Not In Sync
Threshold (milliseconds): 5000
Schedule:
Operation frequency (seconds): 30 (not considered if randomly scheduled)
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Statistics Parameters
Frame offset: 1
Distribution Delay Two-Way:
Number of Bins 10
Bin Boundaries: 5000,10000,15000,20000,25000,30000,35000,40000,45000,-1
Distribution Delay-Variation Two-Way:
Number of Bins 10
Bin Boundaries: 5000,10000,15000,20000,25000,30000,35000,40000,45000,-1
Aggregation Period: 30
History
Number of intervals: 2
Router# show ethernet cfm pm session summary
Number of Configured Session : 150
Number of Active Session: 2
Number of Inactive Session: 148
Router#
Router(config)# show ethernet cfm pm session detail 0
Session ID: 0
Sla Session ID: 1101
Level: 7
Service Type: S,C
Service Id: 100,1101
Direction: Down
Source Mac: 5352.a824.04fr
Destination Mac: 5067.a87c.fa92
Session Version: 0
Session Operation: Proactive
Session Status: Active
MPID: 4101
Tx active: yes
Rx active: yes
RP monitor Tx active: yes
RP monitor Rx active: yes
Timeout timer: stopped
Last clearing of counters: *00:00:00.000 UTC Mon Jan 1 1900
DMMs:
Transmitted: 117
DMRs:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
75
Troubleshooting Two-Way Delay Measurement Configuration
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Rcvd: 117
1DMs:
Transmitted: 0
Rcvd: 0
LMMs:
Transmitted: 0
LMRs:
Rcvd: 0
VSMs:
Transmitted: 0
VSRs:
Rcvd: 0
SLMs:
Transmitted: 0
SLRs:
Rcvd: 0
Test ID 0
Router1#
Router# show ethernet cfm pm session db 0
----------------------------------------------------------------------------
TX Time FWD
TX Time BWD
Sec:nSec
RX Time FWD
RX Time BWD
Sec:nSec
Frame Delay
Sec:nSec
----------------------------------------------------------------------------
Session ID: 0
****************************************************************************
3591340722:930326034 3591340663:866791722
3591340663:866898528 3591340722:930707484 0:274644
****************************************************************************
3591340723:927640626 3591340664:864091056
3591340664:864182604 3591340723:927976302 0:244128
****************************************************************************
3591340724:927640626
3591340665:864167346
3591340665:864091056
3591340724:927961044 0:244128
****************************************************************************
3591340725:927671142 3591340666:864121572
3591340666:864213120 3591340725:928006818 0:244128
****************************************************************************
3591340726:927655884 3591340667:864106314
3591340667:864197862 3591340726:927991560 0:244128
****************************************************************************
3591340727:927732174
3591340668:864533538
3591340668:864167346
3591340727:928327236 0:228870
****************************************************************************
3591340728:927655884 3591340669:864121572
3591340669:864197862 3591340728:928006818 0:274644
****************************************************************************
3591340729:927671142 3591340670:864121572
3591340670:864197862 3591340729:927991560 0:244128
****************************************************************************
Troubleshooting Two-Way Delay Measurement Configuration
Table 16: debug Commands for Two-Way Delay Measurement Configuration , on page 77
lists the debug commands to troubleshoot issues pertaining to the two-way delay measurement configuration.
The Cisco IOS Master Command List at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html provides more information about these commands.
76
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
Troubleshooting Two-Way Delay Measurement Configuration
Note Because debugging output is assigned high priority in the CPU process, it can diminish the performance of the router or even render it unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Note Before you run any of the debug commands listed in the following table, ensure that you run the logging
buffered debugging command, and then turn off console debug logging using the no logging console command.
Table 16: debug Commands for Two-Way Delay Measurement Configuration debug Command debug epmpal all debug epmpal api debug epmpal rx debug epmpal tx
Purpose
Enables debugging of all Ethernet performance monitoring (PM) events.
Enables debugging of Ethernet PM API events.
Enables debugging of Ethernet PM packet-receive events.
Enables debugging of Ethernet PM packet-transmit events.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
77
Troubleshooting Two-Way Delay Measurement Configuration
Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
78
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
4
Configuring Power Management
This chapter provides information about configuring power management and Power-over-Ethernet (PoE) for router models that support these features. See specific router model documentation for information about supported features:
•
Monitoring Power Usage with EnergyWise, page 79
•
Configuring Power-over-Ethernet, page 79
Monitoring Power Usage with EnergyWise
Cisco EnergyWise monitors and manages the power usage of network devices and devices connected to the network. For information about using EnergyWise technology, see the configuration guides at the following site:
Cisco EnergyWise Configuration Guides
Configuring Power-over-Ethernet
Use the power inline command to enable/disable or the show power inline command to verify
Power-over-Ethernet (PoE).
Note Power-over-Ethernet is available for the C867VAE-POE-W-A-K9 model, using port FE0, with a 60-W power supply.
Enabling/Disabling Power-over-Ethernet
Use the power inline command to enable/disable Power-over-Ethernet (PoE) on the Fast Ethernet (FE) port
0. Beginning in privileged EXEC mode, perform these steps.
SUMMARY STEPS
1 configure terminal
Cisco 800 Series Integrated Services Routers Software Configuration Guide
79 OL-31704-02
Configuring Power Management
Verifying the Power-over-Ethernet Configuration on the Interface
2 interface fastethernet 0
3 power inline {auto | never}
4 end
DETAILED STEPS
SUMMARY STEPS
1. Router# configure terminal
2. Router(config)# interface fastethernet 0
3. Router(config-if)# power inline {auto | never}
4. Router(config-if)# end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action
Router# configure terminal
Purpose
Enters global configuration mode.
Router(config)# interface fastethernet 0 The Fast Ethernet (FE) 0 interface.
Router(config-if)# power inline {auto | never}
Note The C867VAE-POE-W-A-K9 supports
Power-over-Ethernet on the FE0 interface only.
Use auto to configure the port to supply inline power automatically.
Use never to disable inline power on the port.
Router(config-if)# end Exits configuration mode.
Example:
Router#
Verifying the Power-over-Ethernet Configuration on the Interface
Use the show power inline command to verify the power configuration on the FE0 port.
Router# show power inline
PowerSupply SlotNum.
Maximum Allocated
--------------------------------
INT-PS 0 18.000
6.300
Interface Config Device Powered
-------------------------
Fa0 auto Cisco On
Status
------
PS GOOD
PowerAllocated
--------------
6.300 Watts
80
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
5
Configuring Security Features
This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the primary Cisco framework for implementing selected security features that can be configured on the Cisco
860 and Cisco 880 series Integrated Services Routers (ISRs).
This chapter contains the following sections:
•
Authentication, Authorization, and Accounting, page 81
•
Configuring AutoSecure, page 82
•
Configuring Access Lists, page 82
•
Configuring Cisco IOS Firewall, page 83
•
Configuring Cisco IOS IPS, page 84
•
•
Authentication, Authorization, and Accounting
AAA network security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and depending on the security protocol you choose, encryption.
Authorization provides the method for remote access control, including one-time authorization or authorization for each service; per-user account list and profile; user group support; and support of IP, Internetwork Packet
Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.
AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
For information about configuring AAA services and supported security protocols, see the following sections
: of http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/12_4T/sec_securing_user_ services_12.4t_book.html
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
Cisco 800 Series Integrated Services Routers Software Configuration Guide
81 OL-31704-02
Configuring Security Features
Configuring AutoSecure
• Configuring Authentication
• Configuring Authorization
• Configuring Accounting
• RADIUS and TACACS + Attributes
• Configuring Kerberos
Configuring AutoSecure
The AutoSecure feature disables common IP services that can be exploited for network attacks and enables
IP services and features that can aid in the defense of a network when under attack. These IP services are all disabled and enabled simultaneously with a single command, which simplifies security configuration on your router. For a complete description of the AutoSecure feature, see AutoSecure .
Configuring Access Lists
Access lists permit or deny network traffic over an interface based on source IP address, destination IP address, or protocol. Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage.
For more complete information on creating access lists, see the “Access Control Lists (ACLs)” section in http:/
/www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T.
An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name. Table below lists the commands used to configure access lists.
Table 17: Access List Configuration Commands
Configuration Commands ACL Type
Numbered
Standard
Extended
access-list 1-99}{permit | deny} source-addr
[source-mask]
access-list 100-199}{permit | deny} protocol source-addr [source-mask] destination-addr
[destination-mask]
Named
Standard ip access-list standard name deny {source |
source-wildcard | any}
82
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Access Groups
ACL Type
Extended
Configuration Commands
ip access-list extended name {permit | deny}
protocol {source-addr[source-mask] |
any}{destination-addr [destination-mask] | any}
To create, refine, and manage access lists, see the “Access Control Lists (ACLs)” section in http:// www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T :
• Creating an IP Access List and Applying It to an Interface
• Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
• Refining an IP Access List
• Displaying and Clearing IP Access List Data Using ACL Manageability
Access Groups
An access group is a sequence of access list definitions bound together with a common name or number. This group is enabled for an interface during interface configuration. Use the following guidelines when creating access groups.
• The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list, and so on.
• All parameters must match the access list before the packet is permitted or denied.
• There is an implicit “deny all” at the end of all sequences.
For information on configuring and managing access groups, see http://www.cisco.com/en/US/docs/ios/ sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html
Cisco IOS Security Configuration
Guide: Securing the Data Plane, Release 12.4T.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall in which packets are inspected internally and the state of network connections is monitored. A stateful firewall is superior to static access lists because access lists can only permit or deny traffic based on individual packets, not based on streams of packets. Also, because Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic
Cisco 800 Series Integrated Services Routers Software Configuration Guide
83 OL-31704-02
Configuring Security Features
Configuring Cisco IOS IPS access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name {in | out} command when you configure an interface at the firewall.
For additional information about configuring a Cisco IOS Firewall, see http://www.cisco.com/en/US/docs/ ios/sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html
Cisco IOS Security
Configuration Guide: Securing the Data Plane, Release 12.4T .
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiated Protocol (SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and detection of pin-hole openings), as well protocol conformance and application security. For more information, see Cisco
IOS Firewall: SIP Enhancements: ALG and AIC .
Configuring Cisco IOS IPS
Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 880 series ISRs and enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity.
Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic. Cisco IOS
IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match known IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised, it logs the event, and, depending on configuration, it does one of the following:
• Sends an alarm
• Drops suspicious packets
• Resets the connection
• Denies traffic from the source IP address of the attacker for a specified amount of time
• Denies traffic on the connection for which the signature was seen for a specified amount of time
For additional information about configuring Cisco IOS IPS, see http://www.cisco.com/en/US/docs/ios/ sec_data_plane/configuration/guide/12_4t/sec_data_plane_12_4t_book.html
Cisco IOS Security Configuration
Guide: Securing the Data Plane, Release 12.4T .
URL Filtering
Cisco 860 series and Cisco 880 series ISRs provide category based URL filtering. The user provisions URL filtering on the ISR by selecting categories of websites to be permitted or blocked. An external server, maintained by a third party, is used to check for URLs in each category. Permit and deny policies are maintained on the ISR. The service is subscription based, and the URLs in each category are maintained by the third-party vendor.
For additional information about configuring URL filtering, see http://www.cisco.com/en/US/docs/ios/ sec_data_plane/configuration/guide/sec_url_filtering.html
Subscription-based Cisco IOS Content Filtering guide .
84
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring VPN
Configuring VPN
A VPN connection provides a secure connection between two networks over a public network such as the
Internet. Cisco 860 and Cisco 880 series ISRs support two types of VPNs; site-to-site and remote access.
Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log into a corporate network. Two examples are given in this section: remote access VPN and site-to-site VPN.
Remote Access VPN
The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. Figure below shows a typical deployment scenario.
Figure 1: Remote Access VPN Using IPSec Tunnel
OL-31704-02
1
2
3
4
5
6
Remote networked users
VPN client—Cisco 880 series access router
Router—Providing the corporate office network access
VPN server—Easy VPN server; for example, a Cisco
VPN 3000 concentrator with outside interface address
210.110.101.1
Corporate office with a network address of 10.1.1.1
IPSec tunnel
Cisco 800 Series Integrated Services Routers Software Configuration Guide
85
Configuring Security Features
Configuring VPN
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the
Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS) server addresses, and split-tunneling flags to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.
A Cisco Easy VPN server-enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server-enabled devices allow remote routers to act as Cisco Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes: client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.
After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 880 series ISR. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network
Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.
Cisco 860 and Cisco 880 series ISRs can also be configured to act as Cisco Easy VPN servers, letting authorized
Cisco Easy VPN clients establish dynamic VPN tunnels to the connected network. For information on the configuration of Cisco Easy VPN servers see http://www.cisco.com/c/en/us/support/docs/ cloud-systems-management/configuration-professional/112037-easyvpn-router-config-ccp-00.html
.
Site-to-Site VPN
The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure below shows a typical deployment scenario.
Figure 2: Site-to-Site VPN Using an IPSec Tunnel and GRE
1
2
86
Cisco 800 Series Integrated Services Routers Software Configuration Guide
Branch office containing multiple LANs and VLANs
Fast Ethernet LAN interface—With address
192.165.0.0/16 (also the inside interface for NAT)
OL-31704-02
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
5
6
3
4
7
8
9
VPN client—Cisco 860 or Cisco 880 series ISR
Fast Ethernet or ATM interface—With address
200.1.1.1 (also the outside interface for NAT)
LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
VPN client—Another router, which controls access to the corporate network
LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
Corporate office network
IPSec tunnel with GRE
For more information about IPSec and GRE configuration, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ ios/security/config_library/12-4t/secon-12-4t-library.html
Cisco IOS Security Configuration Guide: Secure
Connectivity, Release 12.4T .
Configuration Examples
Each example configures a VPN over an IPSec tunnel, using the procedure given in the
Configuring a VPN over an IPSec Tunnel, on page 87
. The specific procedure for a remote access configuration is given, followed by the specific procedure for a site-to-site configuration.
The examples shown in this chapter apply only to the endpoint configuration on the Cisco 860 and Cisco 880
ISRs. Any VPN connection requires both endpoints be configured properly to function. See the software configuration documentation as needed to configure the VPN for other router models.
VPN configuration information must be configured on both endpoints. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).
Configuring a VPN over an IPSec Tunnel
Perform the following tasks to configure a VPN over an IPSec tunnel:
Configuring the IKE Policy
To configure the Internet Key Exchange (IKE) policy, perform these steps, beginning in global configuration mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
87
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
SUMMARY STEPS
1. crypto isakmp policy priority
2. encryption {des | 3des | aes | aes 192 | aes 256}
3. hash {md5 | sha}
4. authentication {rsa-sig | rsa-encr | pre-share}
5. group {1 | 2 | 5}
6. lifetime seconds
7. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Command or Action
crypto isakmp policy priority
Example:
Router(config)# crypto isakmp policy 1
Purpose
Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.
Also enters the Internet Security Association Key and Management
Protocol (ISAKMP) policy configuration mode.
encryption {des | 3des | aes | aes 192 | aes 256} Specifies the encryption algorithm used in the IKE policy.
The example specifies 168-bit data encryption standard (DES).
Example:
Router(config-isakmp)# encryption 3des hash {md5 | sha}
Example:
Router(config-isakmp)# hash md5
Specifies the hash algorithm used in the IKE policy.
The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1).
authentication {rsa-sig | rsa-encr | pre-share} Specifies the authentication method used in the IKE policy.
The example specifies a pre-shared key.
Example:
Router(config-isakmp)# authentication pre-share
group {1 | 2 | 5} Specifies the Diffie-Hellman group to be used in an IKE policy.
Example:
Router(config-isakmp)# group 2 lifetime seconds
Example:
Router(config-isakmp)# lifetime 480 exit
Example:
Router(config-isakmp)# exit
Specifies the lifetime, in seconds, for an IKE security association
(SA).
Acceptable values are from 60 to 86400.
Exits ISAKMP policy configuration mode and returns to global configuration mode.
88
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
Configuring Group Policy Information
To configure the group policy, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto isakmp client configuration group {group-name | default}
2. key name
3. dns primary-server
4. domain name
5. exit
6. ip local pool {default | poolname} [low-ip-address [high-ip-address]]
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action crypto isakmp client configuration group
{group-name | default}
Example:
Router(config)# crypto isakmp client configuration group rtr-remote
key name
Purpose
Creates an IKE policy group containing attributes to be downloaded to the remote client.
Also enters the Internet Security Association Key and
Management Protocol (ISAKMP) group policy configuration mode.
Specifies the IKE pre-shared key for the group policy.
Example:
Router(config-isakmp-group)# key secret-password
dns primary-server Specifies the primary Domain Name System (DNS) server for the group.
Example:
Note To specify Windows Internet Naming Service (WINS) servers for the group, use the wins command.
Router(config-isakmp-group)# dns 10.50.10.1
domain name Specifies group domain membership.
Example:
Router(config-isakmp-group)# domain company.com
exit Exits ISAKMP group policy configuration mode and returns to global configuration mode.
Example:
Router(config-isakmp-group)# exit
Router(config)#
ip local pool {default | poolname} [low-ip-address
[high-ip-address]]
Specifies a local address pool for the group.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
89
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
Command or Action
Example:
Router(config)# ip local pool dynpool
30.30.30.20 30.30.30.30
Purpose
.
For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command Reference
Applying Mode Configuration to the Crypto Map
To apply mode configuration to the crypto map, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto map map-name isakmp authorization list list-name
2. crypto map tag client configuration address [initiate | respond]
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
crypto map map-name isakmp authorization list list-name
Example:
Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from an authentication, authorization, and accounting (AAA) server.
Router(config)# crypto map dynmap isakmp authorization list rtr-remote
crypto map tag client configuration address [initiate | respond]
Configures the router to reply to mode configuration requests from remote clients.
Example:
Router(config)# crypto map dynmap client configuration address respond
Enabling Policy Lookup
To enable policy lookup through AAA, perform these steps, beginning in global configuration mode:
90
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
SUMMARY STEPS
1. aaa new-model
2. aaa authentication login {default | list-name} method1 [method2...]
3. aaa authorization {network | exec | commands level | reverse-access | configuration} {default |
list-name} [method1 [method2...]]
4. username name {nopassword | password password | password encryption-type encrypted-password}
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action aaa new-model
Purpose
Enables the AAA access control model.
Example:
Router(config)# aaa new-model
aaa authentication login {default | list-name}
method1 [method2...]
Specifies AAA authentication of selected users at login, and specifies the method used.
• This example uses a local authentication database.
Example:
Router(config)# aaa authentication login rtr-remote local
aaa authorization {network | exec | commands level
| reverse-access | configuration} {default | list-name}
[method1 [method2...]]
Note You could also use a RADIUS server. For details, see
Cisco IOS Security Configuration Guide: Securing User
Services, Release 12.4T
and Cisco IOS Security
Command Reference .
Specifies AAA authorization of all network-related service requests, including PPP, and specifies the method of authorization.
• This example uses a local authorization database.
Example:
Router(config)# aaa authorization network rtr-remote local
username name {nopassword | password password
| password encryption-type encrypted-password}
Note You could also use a RADIUS server. For details, see
Cisco IOS Security Configuration Guide: Securing User
Services, Release 12.4T
and Cisco IOS Security
Command Reference .
Establishes a username-based authentication system.
Example:
Router(config)# username username1 password
0 password1
Configuring IPSec Transforms and Protocols
A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
91
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When a transform set is found that contains such a transform, it is selected and applied to the protected traffic as a part of both configurations.
To specify the IPSec transform set and protocols, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto ipsec profile profile-name
2. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
3. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
crypto ipsec profile profile-name
Purpose
Configures IPSec profile to apply protection on the tunnel for encryption.
Example:
Router(config)# crypto ipsec profile pro1
crypto ipsec transform-set transform-set-name transform1
[transform2] [transform3] [transform4]
Defines a transform set—an acceptable combination of
IPSec security protocols and algorithms.
Example:
See Cisco IOS Security Configuration Guide: Secure
Connectivity, Release 12.4T
for details about the valid transforms and combinations.
Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime {seconds seconds
| kilobytes kilobytes}
Specifies global lifetime values used when IPSec security associations are negotiated.
Example:
Router(config)# crypto ipsec security-association lifetime seconds 86400
Configuring the IPSec Crypto Method and Parameters
A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).
To configure the IPSec crypto method, perform these steps, beginning in global configuration mode:
92
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring a VPN over an IPSec Tunnel
SUMMARY STEPS
1. crypto dynamic-map dynamic-map-name dynamic-seq-num
2. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
3. reverse-route
4. exit
5. crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action Purpose
crypto dynamic-map dynamic-map-name dynamic-seq-num Creates a dynamic crypto map entry and enters crypto map configuration mode.
Example:
Router(config)# crypto dynamic-map dynmap 1
See Cisco IOS Security Command Reference for more details about this command.
set transform-set transform-set-name
[transform-set-name2...transform-set-name6]
Specifies which transform sets can be used with the crypto map entry.
Example:
Router(config-crypto-map)# set transform-set vpn1 reverse-route Creates source proxy information for the crypto map entry.
Example:
See Cisco IOS Security Command Reference for details.
Router(config-crypto-map)# reverse-route exit Exits crypto map configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-map)# exit
crypto map map-name seq-num [ipsec-isakmp] [dynamic
dynamic-map-name] [discover] [profile profile-name]
Creates a crypto map profile.
Example:
Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
Applying the Crypto Map to the Physical Interface
The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
93
Configuring Security Features
Creating a Cisco Easy VPN Remote Configuration sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.
To apply a crypto map to an interface, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. crypto map map-name
3. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
interface type number
Purpose
Enters the interface configuration mode for the interface to which the crypto map will be applied.
Example:
Router(config)# interface fastethernet 4
crypto map map-name
Example:
Router(config-if)# crypto map static-map exit
Applies the crypto map to the interface.
• See Cisco IOS Security Command Reference for more details about this command.
Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-map)# exit
Router(config)#
What to Do Next
Where to Go Next
If you are creating a Cisco Easy VPN remote configuration, go to the
Creating a Cisco Easy VPN Remote
.
If you are creating a site-to-site VPN using IPSec tunnels and GRE, go to the
Configuring a Site-to-Site GRE
.
Creating a Cisco Easy VPN Remote Configuration
The router acting as the Cisco Easy VPN client must create a Cisco Easy VPN remote configuration and assign it to the outgoing interface.
To create the remote configuration, perform these steps, beginning in global configuration mode:
94
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Creating a Cisco Easy VPN Remote Configuration
SUMMARY STEPS
1. crypto ipsec client ezvpn name
2. group group-name key group-key
3. peer {ipaddress | hostname}
4. mode {client | network-extension | network extension plus}
5. exit
6. crypto isakmp keepalive seconds
7. interface type number
8. crypto ipsec client ezvpn name [outside | inside]
9. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action
crypto ipsec client ezvpn name
Purpose
Creates a Cisco Easy VPN remote configuration, and enters Cisco
Easy VPN remote configuration mode.
Example:
Router(config)# crypto ipsec client ezvpn ezvpnclient
group group-name key group-key Specifies the IPSec group and IPSec key value for the VPN connection.
Example:
Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
peer {ipaddress | hostname}
Example:
Router(config-crypto-ezvpn)# peer
192.168.100.1
Specifies the peer IP address or hostname for the VPN connection.
• A hostname can be specified only when the router has a DNS server available for hostname resolution.
mode {client | network-extension | network extension plus}
Note Use this command to configure multiple peers for use as backup. If one peer goes down, the Easy VPN tunnel is established with the second available peer. When the primary peer comes up again, the tunnel is reestablished with the primary peer.
Specifies the VPN mode of operation.
Example:
Router(config-crypto-ezvpn)# mode client exit Exits Cisco Easy VPN remote configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-ezvpn)# exit
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
95
Configuring Security Features
Creating a Cisco Easy VPN Remote Configuration
Step 6
Step 7
Step 8
Step 9
Command or Action
crypto isakmp keepalive seconds
Purpose
Enables dead peer detection messages.
Example:
• seconds—Sets the time between messages. The range is from
10 to 3600.
Router(config)# crypto isakmp keepalive
10
interface type number
Example:
Router(config)# interface fastethernet 4
Enters the interface configuration mode for the interface to which the Cisco Easy VPN remote configuration will be applied.
Note For routers with an ATM WAN interface, this command would be interface atm 0.
crypto ipsec client ezvpn name [outside | inside] Assigns the Cisco Easy VPN remote configuration to the WAN interface.
Example:
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
• This command causes the router to automatically create the
NAT or port address translation (PAT) and access list configuration needed for the VPN connection.
exit
Example:
Router(config-crypto-ezvpn)# exit
Exits interface configuration mode and returns to global configuration mode.
What to Do Next
Configuration Example
The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.
!
aaa new-model
!
aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1 encryption 3des authentication pre-share group 2
!
lifetime 480 crypto isakmp client configuration group rtr-remote key secret-password dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
96
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring a Site-to-Site GRE Tunnel
!
crypto dynamic-map dynmap 1
!
set transform-set vpn1 reverse-route crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect auto group 2 key secret-password mode client
!
peer 192.168.100.1
interface fastethernet 4 crypto ipsec client ezvpn ezvpnclient outside
!
crypto map static-map interface vlan 1 crypto ipsec client ezvpn ezvpnclient inside
!
Configuring a Site-to-Site GRE Tunnel
To configure a GRE tunnel, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. ip address ip-address mask
3. tunnel source interface-type number
4. tunnel destination default-gateway-ip-address
5. crypto map map-name
6. exit
7. ip access-list {standard | extended}access-list-name
8. permit protocol source source-wildcard destination destination-wildcard
9. exit
DETAILED STEPS
Step 1
Step 2
Command or Action
interface type number
Example:
Router(config)# interface tunnel 1
ip address ip-address mask
Example:
Router(config-if)# 10.62.1.193 255.255.255.252
Purpose
Creates a tunnel interface and enters interface configuration mode.
Assigns an address to the tunnel.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
97
Configuring Security Features
Configuring a Site-to-Site GRE Tunnel
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Command or Action
tunnel source interface-type number
Purpose
Specifies the source endpoint of the router for the GRE tunnel.
Example:
Router(config-if)# tunnel source fastethernet 0
tunnel destination default-gateway-ip-address Specifies the destination endpoint of the router for the
GRE tunnel.
Example:
Router(config-if)# tunnel destination
192.168.101.1
crypto map map-name
Example:
Router(config-if)# crypto map static-map exit
Assigns a crypto map to the tunnel.
Note Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites.
Exits interface configuration mode, and returns to global configuration mode.
Example:
Router(config-if)# exit
ip access-list {standard | extended}access-list-name Enters ACL configuration mode for the named ACL that is used by the crypto map.
Example:
Router(config)# ip access-list extended vpnstatic1
permit protocol source source-wildcard destination destination-wildcard
Specifies that only GRE traffic is permitted on the outbound interface.
Example:
Router(config-acl)# permit gre host 192.168.100.1
host 192.168.101.1
exit Exits ACL configuration mode and returns to global configuration mode.
Example:
Router(config-acl)# exit
Router(config)#
What to Do Next
Configuration Example
98
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Security Features
Configuring a Site-to-Site GRE Tunnel
The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.
!
aaa new-model
!
aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common
!
username cisco password 0 cisco
!
interface tunnel 1 ip address 10.62.1.193 255.255.255.252
tunnel source fastethernet 0 tunnel destination interface 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1 crypto isakmp policy 1 encryption 3des authentication pre-share
!
group 2 crypto isakmp client configuration group rtr-remote key secret-password dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1 set transform-set vpn1
!
reverse-route crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for IPsec tunnel.
crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key cisco123 address 200.1.1.1
!
!
! Defines encryption and transform set for the IPsec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and peering address for the IPsec tunnel.
crypto map to_corporate 1 ipsec-isakmp set peer 200.1.1.1
set transform-set set1
!
match address 105
!
! VLAN 1 is the internal home network.
interface vlan 1 ip address 10.1.1.1 255.255.255.0
ip nat inside ip inspect firewall in ! Inspection examines outbound traffic.
crypto map static-map no cdp enable
!
! FE4 is the outside or Internet-exposed interface interface fastethernet 4 ip address 210.110.101.21 255.255.255.0
! acl 103 permits IPsec traffic from the corp. router as well as
! denies Internet-initiated traffic inbound.
ip access-group 103 in
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
99
Configuring Security Features
Configuring a Site-to-Site GRE Tunnel ip nat outside no cdp enable
!
crypto map to_corporate ! Applies the IPsec tunnel to the outside interface.
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload ip classless ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
!
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp access-list 103 permit udp host 200.1.1.1 eq isakmp any access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
! acl 105 matches addresses for the IPsec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
100
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
OL-31704-02
C H A P T E R
6
Configuring Backup Data Lines and Remote
Management
The Cisco 819 series and Cisco 880 Series Integrated Services Routers (ISRs) support backup data connectivity with a backup data line that enables them to mitigate WAN downtime.
Note Voice backup is available on router models C881SRST and C888SRST. For information on configuring voice backup, see
Configuring Voice Functionality, on page 139
Cisco 880 ISRs also support remote management functions as follows:
• Through the auxiliary port on Cisco 880 series ISRs
• Through the ISDN S/T port on the Cisco 880 series ISRs
Cisco 819 ISRs a support remote management functions through the auxiliary port on any Cisco 819 series
ISRs.
Note On Cisco 819 sries and Cisco880 series ISRs, the console port and the auxiliary port are on the same physical RJ-45 port; therefore, the two ports cannot be activated simultaneously. You must use the CLI to enable the desired function.
Note Cisco 892F ISRs have a Gigabit Ethernet (GE) port that supports copper connections or a small-form-factor pluggable (SFP) port that supports fiber connections and can be configured for failover redundancy when the network goes down.
This chapter describes configuring backup data lines and remote management in the following sections:
•
Configuring Backup Interfaces, page 102
•
Configuring Cellular Dial-on-Demand Routing Backup, page 103
•
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port, page 109
•
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port, page 115
Cisco 800 Series Integrated Services Routers Software Configuration Guide
101
Configuring Backup Data Lines and Remote Management
Configuring Backup Interfaces
•
Configuring Gigabit Ethernet Failover Media, page 121
•
Configuring Third-Party SFPs, page 123
Configuring Backup Interfaces
When the router receives an indication that the primary interface is down, the backup interface becomes enabled. After the primary connection has been restored for a specified period, the backup interface is disabled.
Even if the backup interface comes out of standby mode, the router does not enable the backup interface unless the router receives the traffic specified for that backup interface.
Table below shows the backup interfaces for Cisco 810, Cisco 880 and Cisco 890 series ISRs, along with their port designations. Basic configurations for these interfaces are given in the
on page 22
Table 18: Model Numbers and Data Line Backup Capabilities
3G
Yes
V.92
—
Router Model Number
881G, 886G, 887G,
887VG, 888G
ISDN
—
886, 886VA, 887, 887V,
888, 888E
Yes
891
892, 892F
—
Yes
819
—
—
—
Yes
—
Yes
—
To configure your router with a backup interface, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. backup interface interface-type interface-number
3. exit
DETAILED STEPS
Step 1
Command or Action
interface type number
Example:
Router(config)# interface atm 0
Purpose
Enters interface configuration mode for the interface for which you want to configure the backup.
This interface can be a serial, ISDN, or asynchronous.
102
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Cellular Dial-on-Demand Routing Backup
Step 2
Step 3
Command or Action
backup interface interface-type interface-number
Example:
Router(config-if)# backup interface bri 0 exit
Purpose
The example shows the configuration of a backup interface for an ATM
WAN connection.
Assigns an interface as the secondary, or backup interface.
This can be a serial interface or asynchronous interface. For example, a serial 1 interface could be configured to back up a serial 0 interface.
The example shows a BRI interface configured as the backup interface for the ATM 0 interface.
Exits the configuration interface mode.
Example:
Router(config-if)# exit
Router(config)#
Configuring Cellular Dial-on-Demand Routing Backup
To monitor the primary connection and initiate the backup connection over the cellular interface when needed, the router can use one of the following methods:
• Backup Interface—Backup interface that stays in standby mode until the primary interface line protocol is detected as down and then is brought up. See the
Configuring Backup Interfaces, on page 102
.
• Dialer Watch—Backup feature that integrates dial backup with routing capabilities. See the
DDR Backup Using Dialer Watch, on page 103
.
• Floating Static Route—Route through the backup interface has an administrative distance that is greater than the administrative distance of the primary connection route and therefore would not be in the routing table until the primary interface goes down. When the primary interaface goes down, the floating static route is used. See the
Configuring DDR Backup Using Floating Static Route, on page 105
.
Note You cannot configure a backup interface for the cellular interface and any other asynchronous serial interface.
Configuring DDR Backup Using Dialer Watch
To initiate dialer watch, you must configure the interface to perform dial-on-demand routing (DDR) and backup. Use traditional DDR configuration commands, such as dialer maps, for DDR capabilities. To enable dialer watch on the backup interface and create a dialer list, use the following commands in interface configuration mode.
or
Cisco 800 Series Integrated Services Routers Software Configuration Guide
103 OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring DDR Backup Using Dialer Watch
dialer group dialer group number
SUMMARY STEPS
1. configure terminal
2. interface type number
3. dialer watch-group group-number
4. dialer watch-list group-number ip ip-address address-mask
5. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
6. ip access-list access-list-number permit ip source address
7. interface cellular 0
8. Do one of the following:
• dialer string string
• or
• dialer group dialer group number
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action configure terminal
Example:
Router# configure terminal
interface type number
Purpose
Enters global configuration mode.
Specifies the interface.
Example:
Router (config)# interface ATM0
dialer watch-group group-number Enables dialer watch on the backup interface.
Example:
Router(config-if)# dialer watch-group 2
dialer watch-list group-number ip ip-address address-mask Defines a list of all IP addresses to be watched.
Example:
Router(config-if)# dialer watch-list 2 ip 10.4.0.254
255.255.0.0
104
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring DDR Backup Using Floating Static Route
Step 5
Step 6
Step 7
Step 8
Command or Action Purpose
dialer-list dialer-group protocol protocol-name {permit | deny
| list access-list-number | access-group}
Creates a dialer list for traffic of interest and permits access to an entire protocol.
Example:
Router(config)# dialer-list 2 protocol ip permit
ip access-list access-list-number permit ip source address
Example:
Router(config)# access list 2 permit 10.4.0.0
interface cellular 0
Defines traffic of interest.
Do not use the access list permit all command to avoid sending traffic to the IP network. This may result in call termination.
Specifies the cellular interface.
Example:
Router (config)# interface cellular 0
Do one of the following:
• dialer string string
• or
• dialer group dialer group number
CDMA only. Specifies the dialer script (defined using the chat script command).
GSM only. Maps a dialer list to the dialer interface.
Example:
Router (config-if)# dialer string cdma *** cdma *** or
Router (config-if)# dialer group 2 *** gsm ***
Configuring DDR Backup Using Floating Static Route
To configure a floating static default route on the secondary interface, use the following commands, beginning in the global configuration mode.
Note Make sure you have ip classless enabled on your router.
SUMMARY STEPS
1. configure terminal
2. ip route network-number network-mask {ip address | interface} [administrative distance] [name name]
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
105
Configuring Backup Data Lines and Remote Management
Cellular Wireless Modem as Backup with NAT and IPsec Configuration
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Purpose
Enters global configuration mode from the terminal.
Example:
Router# configure terminal
ip route network-number network-mask {ip address
| interface} [administrative distance] [name name]
Establishes a floating static route with the configured administrative distance through the specified interface.
Example:
A higher administrative distance should be configured for the route through the backup interface, so that the backup interface is used only when the primary interface is down.
Router (config)# ip route 0.0.0.0 Dialer 2 track 234
Cellular Wireless Modem as Backup with NAT and IPsec Configuration
The following example shows how to configure the 3G wireless modem as backup with NAT and IPsec on either GSM or CDMA networks.
Note The receive and transmit speeds cannot be configured. The actual throughput depends on the cellular network service.
Current configuration : 3433 bytes
!
version 12.4
no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption
!
hostname Router
!
boot-start-marker boot-end-marker
!
!
no aaa new-model
!
!
!
!
crypto isakmp policy 1 encr 3des authentication pre-share crypto isakmp key gsm address 128.107.241.234
!
!
crypto ipsec transform-set gsm ah-sha-hmac esp-3des
!
crypto map gsm1 10 ipsec-isakmp set peer 128.107.241.234
set transform-set gsm
*** or cdma ***
*** or cdma ***
*** or cdma1 ***
*** or cdma ***
106
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Cellular Wireless Modem as Backup with NAT and IPsec Configuration
!
match address 103
!
!
no ip dhcp use vrf connected ip dhcp excluded-address 10.4.0.254
!
ip dhcp pool gsmpool network 10.4.0.0 255.255.0.0
dns-server 66.209.10.201 66.102.163.231
default-router 10.4.0.254
!
!
ip cef
!
no ipv6 cef multilink bundle-name authenticated chat-script gsm "" "atdt*98*1#" TIMEOUT 30 "CONNECT"
!
!
archive log config hidekeys
!
!
controller DSL 0 mode atm line-term cpe line-mode 4-wire standard line-rate 4608
!
!
!
!
interface ATM0 no ip address ip virtual-reassembly load-interval 30 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point backup interface Cellular0 ip nat outside ip virtual-reassembly pvc 0/35
!
!
pppoe-client dial-pool-number 2 interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp no ip mroute-cache dialer in-band dialer idle-timeout 0 dialer string gsm dialer-group 1 async mode interactive no ppp lcp fast-start ppp chap hostname [email protected]
ppp chap password 0 B7uhestacr
!
ppp ipcp dns request crypto map gsm1
*** or cdmapool ***
*** or cdma ***
*** or cdma ***
*** or cdma1 ***
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
107
Configuring Backup Data Lines and Remote Management
Cellular Wireless Modem as Backup with NAT and IPsec Configuration interface Vlan1 description used as default gateway address for DHCP clients ip address 10.4.0.254 255.255.0.0
ip nat inside ip virtual-reassembly
!
interface Dialer2 ip address negotiated ip mtu 1492 ip nat outside ip virtual-reassembly encapsulation ppp load-interval 30 dialer pool 2 dialer-group 2 ppp authentication chap callin ppp chap hostname [email protected]
ppp chap password 0 cisco ppp ipcp dns request crypto map gsm1
!
ip local policy route-map track-primary-if ip forward-protocol nd
*** or cdma1 *** ip route 0.0.0.0 0.0.0.0 Dialer2 track 234 ip route 0.0.0.0 0.0.0.0 Cellular0 254 no ip http server no ip http secure-server
!
!
ip nat inside source route-map nat2cell interface Cellular0 overload ip nat inside source route-map nat2dsl interface Dialer2 overload
!
ip sla 1 icmp-echo 209.131.36.158 source-interface Dialer2 timeout 1000 frequency 2 ip sla schedule 1 life forever start-time now access-list 1 permit any access-list 2 permit 10.4.0.0 0.0.255.255
access-list 3 permit any access-list 101 permit ip 10.4.0.0 0.0.255.255 any access-list 102 permit icmp any host 209.131.36.158
access-list 103 permit ip host 166.136.225.89 128.107.0.0 0.0.255.255
access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
dialer-list 1 protocol ip list 1 dialer-list 2 protocol ip permit
!
!
!
route-map track-primary-if permit 10 match ip address 102 set interface Dialer2
!
route-map nat2dsl permit 10 match ip address 101 match interface Dialer2
!
route-map nat2cell permit 10 match ip address 101 match interface Cellular0
!
!
control-plane
!
!
line con 0 no modem enable line aux 0 line 3 exec-timeout 0 0 script dialer gsm login modem InOut
*** or cdma ***
108
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port no exec line vty 0 4
!
login scheduler max-task-time 5000
!
webvpn cef end
Configuring Dial Backup and Remote Management Through the
Console or Auxiliary Port
When customer premises equipment, such as a Cisco 880 series ISR or Cisco 819 series ISR, is connected to an ISP, an IP address is dynamically assigned to the router, or the IP address may be assigned by the router peer through the centrally managed function. The dial backup feature can be added to provide a failover route in case the primary line fails. The Cisco 880 series ISRs can use the auxiliary port for dial backup and remote management.
Figure below shows the network configuration used for remote management access and for providing backup to the primary WAN line.
Figure 3: Dial Backup and Remote Management Through the Auxiliary Port
OL-31704-02
1
2
Cisco 880 series router
Modem
A
B
Main WAN link; primary connection to Internet service provider
Dial backup; serves as a failover link for Cisco
880 routers when the primary line goes down
Cisco 800 Series Integrated Services Routers Software Configuration Guide
109
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
Configuring Backup Data Lines and Remote Management
3 PC C Remote management; serves as dial-in access to allow changes or updates to Cisco IOS configurations
To configure dial backup and remote management for these routers, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. ip name-server server-address
2. ip dhcp pool name
3. exit
4. chat-script script-name expect-send
5. interface type number
6. exit
7. interface type number
8. dialer watch-group group-number
9. exit
10. ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
11. ip route prefix mask {ip-address | interface-type interface-number [ip-address]
12. access-list access-list-number {deny | permit} source [source-wildcard]
13. dialerwatch-list group-number {ipip-address address-mask | delay route-check initial seconds
14. line [aux | console | tty | vty] line-number [ending-line-number]
15. modem enable
16. exit
17. line [aux | console | tty | vty] line-number [ending-line-number]
18. flowcontrol {none | software [lock] [in | out] | hardware [in | out]}
DETAILED STEPS
Step 1
Step 2
Command or Action
ip name-server server-address
Example:
Purpose
Enters your ISP DNS IP address.
Tip You may add multiple server addresses if available.
Router(config)# ip name-server 192.168.28.12
ip dhcp pool name
Example:
Router(config)# ip dhcp pool 1
Creates a DHCP address pool on the router and enters DHCP pool configuration mode. The name argument can be a string or an integer.
Configure the DHCP address pool. For sample commands that you can use in DHCP pool configuration mode, see the
110
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Command or Action exit
Example:
Router(config-if)# exit
interface type number
Purpose
on page 113 .
Exits config-dhcp mode and enters global configuration mode.
Example:
Router(config-dhcp)#exit
chat-script script-name expect-send
Example:
Configures a chat script used in dial-on-demand routing
(DDR) to give commands for dialing a modem and for logging in to remote systems. The defined script is used to place a call over a modem connected to the PSTN.
Router(config)# chat-script Dialout ABORT ERROR ABORT BUSY ““
“AT” OK “ATDT 5555102 T” TIMEOUT 45 CONNECT \c
interface type number
Example:
Router(config)# interface Async 1
Creates and enters configuration mode for the asynchronous interface.
Configure the asynchronous interface. For sample commands that you can use in asynchronous interface configuration mode, see the
Example for specifying an IP address for the
ATM interface through PPP and IPCP address negotiation and dial backup, on page 113
.
exit Enters global configuration mode.
Creates and enters configuration mode for the dilaer interface.
Example:
Router(config)# interface Dialer 3
dialer watch-group group-number Specifies the group number for the watch list.
Example:
Router(config-if)# dialer watch-group 1 exit Exits the interface configuration mode.
Example:
Router(config-if)# exit
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
111
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
Configuring Backup Data Lines and Remote Management
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
Step 16
Step 17
Command or Action
ip nat inside source {list access-list-number}
{interface type number | pool name} [overload]
Purpose
Enables dynamic translation of addresses on the inside interface.
Example:
Router(config)# ip nat inside source list 101 interface Dialer
3 overload
ip route prefix mask {ip-address | interface-type interface-number [ip-address]
Sets the IP route to point to the dialer interface as a default gateway.
Example:
Router(config)# ip route 0.0.0.0 0.0.0.0
22.0.0.2
access-list access-list-number {deny | permit} source
[source-wildcard]
Defines an extended access list that indicates which addresses need translation.
Example:
Router(config)# access-list 1 permit
192.168.0.0 0.0.255.255 any
dialerwatch-list group-number {ipip-address
address-mask | delay route-check initial seconds
Evaluates the status of the primary link, based on the existence of routes to the peer. The address 22.0.0.2 is the peer IP address of the ISP.
Example:
Router(config)# dialer watch-list 1 ip 22.0.0.2
255.255.255.255
line [aux | console | tty | vty] line-number
[ending-line-number]
Enters configuration mode for the line interface.
Example:
Router(config)# line console 0 modem enable Switches the port from console to auxiliary port function.
Example:
Router(config-line)# modem enable exit Exits the configure interface mode.
Example:
Router(config-line)# exit
line [aux | console | tty | vty] line-number
[ending-line-number]
Enters configuration mode for the auxiliary interface.
112
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Example for specifying an IP address for the ATM interface through PPP and IPCP address negotiation and dial backup
Step 18
Command or Action
Example:
Router(config)# line aux 0
flowcontrol {none | software [lock] [in | out] |
hardware [in | out]}
Example:
Router(config)# flowcontrol hardware
Purpose
Enables hardware signal flow control.
Example for specifying an IP address for the ATM interface through PPP and
IPCP address negotiation and dial backup
The following configuration example specifies an IP address for the ATM interface through PPP and IPCP address negotiation and dial backup over the console port.
!
ip name-server 192.168.28.12
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool 1 import all
!
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
! Need to use your own correct ISP phone number.
modemcap entry MY-USER_MODEM:MSC=&F1S0=1 chat-script Dialout ABORT ERROR ABORT BUSY ““ “AT” OK “ATDT 5555102\T”
TIMEOUT 45 CONNECT \c
!
!
!
!
interface vlan 1 ip address 192.168.1.1 255.255.255.0
ip nat inside ip tcp adjust-mss 1452 hold-queue 100 out
!
! Dial backup and remote management physical interface.
interface Async1 no ip address encapsulation ppp dialer in-band dialer pool-member 3 async default routing async dynamic routing async mode dedicated ppp authentication pap callin
!
interface ATM0 mtu 1492 no ip address no atm ilmi-keepalive pvc 0/35
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
113
Configuring Backup Data Lines and Remote Management
Example for specifying an IP address for the ATM interface through PPP and IPCP address negotiation and dial backup pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
! Primary WAN link.
interface Dialer1 ip address negotiated ip nat outside encapsulation ppp dialer pool 1 ppp authentication pap callin ppp pap sent-username account password 7 pass ppp ipcp dns request ppp ipcp wins request ppp ipcp mask request
!
! Dialer backup logical interface.
interface Dialer3 ip address negotiated ip nat outside encapsulation ppp no ip route-cache no ip mroute-cache dialer pool 3 dialer idle-timeout 60 dialer string 5555102 modem-script Dialout dialer watch-group 1
!
! Remote management PC IP address.
peer default ip address 192.168.2.2
no cdp enable
!
! Need to use your own ISP account and password.
ppp pap sent-username account password 7 pass ppp ipcp dns request ppp ipcp wins request ppp ipcp mask request
!
! IP NAT over Dialer interface using route-map.
ip nat inside source route-map main interface Dialer1 overload ip nat inside source route-map secondary interface Dialer3 overload ip classless
!
! When primary link is up again, distance 50 will override 80 if dial backup
! has not timed out. Use multiple routes because peer IP addresses are alternated
! among them when the CPE is connected.
ip route 0.0.0.0 0.0.0.0 64.161.31.254 50 ip route 0.0.0.0 0.0.0.0 66.125.91.254 50 ip route 0.0.0.0 0.0.0.0 64.174.91.254 50 ip route 0.0.0.0 0.0.0.0 63.203.35.136 80 ip route 0.0.0.0 0.0.0.0 63.203.35.137 80 ip route 0.0.0.0 0.0.0.0 63.203.35.138 80 ip route 0.0.0.0 0.0.0.0 63.203.35.139 80 ip route 0.0.0.0 0.0.0.0 63.203.35.140 80 ip route 0.0.0.0 0.0.0.0 63.203.35.141 80 ip route 0.0.0.0 0.0.0.0 Dialer1 150 no ip http server ip pim bidir-enable
!
! PC IP address behind CPE.
access-list 101 permit ip 192.168.0.0 0.0.255.255 any access-list 103 permit ip 192.168.0.0 0.0.255.255 any
!
! Watch multiple IP addresses because peers are alternated
! among them when the CPE is connected.
dialer watch-list 1 ip 64.161.31.254 255.255.255.255
dialer watch-list 1 ip 64.174.91.254 255.255.255.255
dialer watch-list 1 ip 64.125.91.254 255.255.255.255
!
! Dial backup will kick in if primary link is not available
! 5 minutes after CPE starts up.
dialer watch-list 1 delay route-check initial 300 dialer-list 1 protocol ip permit
114
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
!
! Direct traffic to an interface only if the dialer is assigned an IP address.
route-map main permit 10 match ip address 101 match interface Dialer1
!
route-map secondary permit 10 match ip address 103 match interface Dialer3
!
! Change console to aux function.
line con 0 exec-timedout 0 0 modem enable stopbits 1 line aux 0 exec-timeout 0 0
! To enable and communicate with the external modem properly.
script dialer Dialout modem InOut modem autoconfigure discovery transport input all stopbits 1 speed 115200 flowcontrol hardware line vty 0 4 exec-timeout 0 0
!
password cisco login scheduler max-task-time 5000 end
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
Cisco 880 series routers can use the ISDN S/T port for remote management.
Through CPE Splitter, DSLAM, and CO Splitter, on page 116
and
Figure 5: Data Line Backup Directly from
Router to ISDN Switch, on page 117
show two typical network configurations that provide remote management access and backup for the primary WAN line. In
Figure 4: Data Line Backup Through CPE Splitter, DSLAM, and CO Splitter, on page 116
, the dial backup link goes through a customer premises equipment (CPE) splitter, a digital subscriber line access multiplexer (DSLAM), and a central office (CO) splitter before connecting to
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
115
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
Configuring Backup Data Lines and Remote Management the ISDN switch. In
Figure 5: Data Line Backup Directly from Router to ISDN Switch, on page 117
, the dial backup link goes directly from the router to the ISDN switch.
Figure 4: Data Line Backup Through CPE Splitter, DSLAM, and CO Splitter
1
5
6
7
2
3
4
8
Cisco 880 series router A
B DSLAM
ATM aggregator
ISDN switch
ISDN
ISDN peer router
Web server
C
Administrator —
Primary DSL interface,
FE interface (Cisco 881 router)
Dial backup and remote management through the
ISDN interface (ISDN
S/T port); serves as a failover link when the primary line goes down
Provides administrator with remote management capability through the
ISDN interface when the primary DSL link is down; serves as dial-in access to allow changes or updates to Cisco IOS configuration
—
116
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
Figure 5: Data Line Backup Directly from Router to ISDN Switch
OL-31704-02
1
2
3
4
PC
Cisco 880 series ISR
DSLAM
Aggregator
A
B
Primary DSL interface
Dial backup and remote management through the
ISDN interface (ISDN
S/T port); serves as a failover link when the primary line goes down
Cisco 800 Series Integrated Services Routers Software Configuration Guide
117
Configuring Backup Data Lines and Remote Management
Configuring ISDN Settings
5
6
7
ISDN switch
Web server
Administrator
C Provides administrator with remote management capability through the
ISDN interface when the primary DSL link is down; serves as dial-in access to allow changes or updates to Cisco IOS configuration
To configure dial backup and remote management through the ISDN S/T port of your router, perform the following procedures:
•
Configuring ISDN Settings, on page 118
•
Configuring Aggregator and ISDN Peer Router, on page 120
Configuring ISDN Settings
Note Traffic of interest must be present to activate the backup ISDN line by means of the backup interface and floating static routes methods. Traffic of interest is not needed for the dialer watch to activate the backup
ISDN line.
To configure your router ISDN interface for use as a backup interface, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. isdn switch-type switch-type
2. interface type number
3. encapsulation encapsulation-type
4. dialer pool-member number
5. isdn switch-type switch-type
6. exit
7. interface dialer dialer-rotary-group-number
8. ip address negotiated
9. encapsulation encapsulation-type
10. dialer pool number
11. dialer string dial-string#[:isdn-subaddress]
12. dialer-group group-number
13. exit
14. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
118
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring ISDN Settings
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action Purpose
isdn switch-type switch-type Specifies the ISDN switch type.
Example:
Router(config)# isdn switch-type basic-net3
The example specifies a switch type used in Australia, Europe, and the United Kingdom. For details on other supported switch types, see the Cisco IOS Dial Technologies Command
Reference .
interface type number Enters configuration mode for the ISDN BRI.
Example:
Router(config)# interface bri 0
encapsulation encapsulation-type
Example:
Router(config-if)# encapsulation ppp
dialer pool-member number
Sets the BRI0 interface encapsulation type.
Specifies the dialer pool membership.
Example:
Router(config-if)# dialer pool-member 1
isdn switch-type switch-type
Example:
Router(config-if)# isdn switch-type basic-net3 exit
Specifies the ISDN switch type.
Exits configuration interface mode and enters global configuration mode.
Example:
Router(config-if)# exit
interface dialer dialer-rotary-group-number
Example:
Router(config)# interface dialer 0 ip address negotiated
Creates a dialer interface (numbered 0 to 255) and enters interface configuration mode.
Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.
The IP address is obtained from the peer.
Example:
Router(config-if)# ip address negotiated
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
119
Configuring Backup Data Lines and Remote Management
Configuring Aggregator and ISDN Peer Router
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Command or Action
encapsulation encapsulation-type
Purpose
Sets the encapsulation type to PPP for the interface.
Example:
Router(config-if)# encapsulation ppp
dialer pool number
Example:
Router(config-if)# dialer pool 1
dialer string dial-string#[:isdn-subaddress]
Specifies the dialer pool to be used.
In the example, the dialer pool 1 setting associates the dialer
0 interface with the BRI0 interface because the BRI0 dialer pool-member value is 1.
Specifies the telephone number to be dialed.
Example:
Router(config-if)# dialer string 384040
dialer-group group-number Assigns the dialer interface to a dialer group (1–10).
Example:
Router(config-if)# dialer group 1 exit Exits dialer 0 interface configuration mode, and enters global configuration mode.
Example:
Router(config-if)# exit
dialer-list dialer-group protocol protocol-name
{permit | deny | list access-list-number | access-group}
Example:
Router(config)# dialer-list 1 protocol ip permit
Creates a dialer list for packets of interest to be forwarded through the specified interface dialer group.
In the example, dialer-list 1 corresponds to dialer-group 1.
For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command
Reference .
Configuring Aggregator and ISDN Peer Router
The ISDN peer router is any router that has an ISDN interface and can communicate through a public ISDN network to reach your Cisco router ISDN interface. The ISDN peer router provides Internet access for your
Cisco router during the ATM network downtime.
The aggregator is typically a concentrator router where your Cisco router ATM PVC terminates. In the following configuration example, the aggregator is configured as a PPPoE server.
! This portion of the example configures the aggregator.
vpdn enable no vpdn logging
!
120
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Gigabit Ethernet Failover Media vpdn-group 1 accept-dialin
!
protocol pppoe virtual-template 1 interface Ethernet3 description “4700ref-1” ip address 40.1.1.1 255.255.255.0
!
media-type 10BaseT interface Ethernet4 ip address 30.1.1.1 255.255.255.0
media-type 10BaseT
!
interface Virtual-Template1 ip address 22.0.0.2 255.255.255.0
ip mtu 1492 peer default ip address pool adsl
!
interface ATM0 no ip address pvc 1/40
!
encapsulation aal5snap protocol pppoe no atm limi-keepalive
!
ip local pool adsl 22.0.0.1
ip classless ip route 0.0.0.0 0.0.0.0 22.0.0.1 50 ip route 0.0.0.0 0.0.0.0 30.1.1.2.80
! This portion of the example configures the ISDN peer.
isdn switch-type basic-net3
!
interface Ethernet0 ip address 30.1.1.2 255.0.0.0
!
interface BRI0 description “to 836-dialbackup” no ip address encapsulation ppp dialer pool-member 1
!
isdn switch-type basic-net3 interface Dialer0 ip address 192.168.2.2 255.255.255.0
encapsulation ppp dialer pool 1 dialer string 384020 dialer-group 1 peer default ip address pool isdn
!
ip local pool isdn 192.168.2.1
ip http server ip classless ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 40.0.0.0 255.0.0.0 30.1.1.1
!
dialer-list 1 protocol ip permit!
Configuring Gigabit Ethernet Failover Media
Cisco 892F routers have a Gigabit Ethernet (GE) port that supports copper connections or a small-form-factor pluggable (SFP) port that supports fiber connections. Media can be configured for failover redundancy when the network goes down.
To assign primary and secondary failover media on the GE-SFP port, perform these steps, beginning in global configuration mode.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
121 OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Auto-Detect
SUMMARY STEPS
1. hostname name
2. enable secret password
3. interface gigabitethernet slot/port
4. media-type {sfp | rj45} auto-failover
5. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action
hostname name
Purpose
Specifies the name for the router.
Example:
Router(config)# hostname Router
enable secret password Specifies an encrypted password to prevent unauthorized access to the router.
Example:
Router(config)# enable secret cr1ny5ho
interface gigabitethernet slot/port Enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet 0/1 media-type {sfp | rj45} auto-failover
Example:
Configures the port with SFP as the primary media for automatic failover from SFP to RJ-45.
Or
Router(config-if)# media-type sfp auto-failover
Or
Configures the port with RJ-45 as the primary media for automatic failover from RJ-45 to SFP.
Router(config-if)# media-type rj45 auto-failover exit Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-if)# exit
Or
Router(config)#
Configuring Auto-Detect
The Auto-Detect feature is enabled if media-type is not configured. This feature automatically detects which media is connected and links up. If both media are connected, whichever media comes up first is linked up.
122
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Third-Party SFPs
Note The Auto-Detect feature only works with 1000 Base SFPs. This feature does not detect 100 Base SFPs.
To configure the Auto-Detect feature, perform the following steps, starting in global configuration mode:
SUMMARY STEPS
1. interface gigabitethernet slot/port
2. no media-type
3. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
interface gigabitethernet slot/port
Purpose
Enters interface configuration mode.
Example:
Router(config)# interface gigabitethernet
0/1 no media-type
Example:
Router(config-if)# no media-type
GigabitEthernet0/1: Changing media to
UNKNOWN.
You may need to update the speed and duplex settings for this interface.
Enables Auto-Detect. If a 1000Base SFP is plugged in, the speed and duplex are set automatically to 1000 and full. Speed and duplex options are not available. An RJ45 connection will only work with speed as 1000 and duplex as full. If an SFP is not plugged in, all speeds and duplexes are available for the RJ45 media.
Note The Auto-Detect feature only works with 1000Base SFPs.
This feature does not detect 100Base SFPs.
exit Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-if)# exit
Router(config)#
Configuring Third-Party SFPs
Small Form-Factor Pluggables (SFPs) that are not Cisco certified are called third-party SFPs. Cisco approved means the SFPs have undergone rigorous testing with Cisco products and the SFPs are guaranteed to have
100% compatibility.
Third-party SFPs are manufactured by companies that are not on the Cisco-approved Vendor List (AVL).
Currently, Cisco ISR G2 routers support only Cisco-approved SFPs. From Release 15.3(2)T, Cisco ISR G2 routers recognize third-party SFPs.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
123 OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Third-Party SFPs
Note Cisco does not provide any kind of support for the third-party SFPs because they are not validated by
Cisco.
Note • Supports only 100BASE SFPs and 1000BASE SFPs under two speed configurations:
• 100 Mbps speed for 100BASE SFPs
• 1000 Mbps speed for 1000BASE SFPs
• Only the following routers and modules support third-party SFPs:
• Cisco 2921 Integrated Services Router
• Cisco 2951 Integrated Services Router
• Cisco 3900 Integrated Services Router
• Cisco 3900E Series Integrated Services Routers
• Cisco 892-F Gigabit Ethernet Security Router
• Cisco 898-EA Gigabit Ethernet Security Router
• EHWIC-1GE-SFP
SUMMARY STEPS
1. enable
2. configure terminal
3. service unsupported-transceiver
4. interface type slot/subslot/port number
5. media-type sfp
6. speed value
7. shutdown
8. no shutdown
9. exit
DETAILED STEPS
Step 1
Command or Action enable
Example:
Router> enable
Purpose
Enables the privileged EXEC mode.
Enter your password if prompted.
124
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Backup Data Lines and Remote Management
Configuring Third-Party SFPs
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Command or Action configure terminal
Example:
Router# configure terminal service unsupported-transceiver
Example:
Router(config)# service unsupported-transceiver
interface type slot/subslot/port number
Example:
Router(config)# interface ethernet 0/3/0 media-type sfp
Example:
Router(config-if)# media-type sfp
speed value
Example:
Router(config-if)# speed 100 shutdown
Example:
Router(config-if)# shutdown no shutdown
Example:
Router(config-if)# no shutdown exit
Example:
Router(config-if)# exit
Router(config)#
Purpose
Enters the global configuration mode.
Enables third-party SFP support.
Selects an interface to configure.
Changes media type to SFP.
Configures the speed of the interface.
Note For 100BASE SFPs, configure the speed to 100
Mbps only. Similarly, for 1000BASE SFPs, configure the speed to 1000 Mbps only.
Disables the interface, changing its state from administratively
UP to administratively DOWN.
Enables the interface, changing its state from administratively
DOWN to administratively UP.
Exits the configuration mode and returns the global configuration mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
125
Configuring Backup Data Lines and Remote Management
Example for Configuring Third-Party SFPs
Example for Configuring Third-Party SFPs
This example shows how to configure a third-party SFP on a Cisco ISR G2 Series Router:
Router# configure terminal
Router(config-if)# service unsupported-transceiver
Router(config)# interface ethernet 0/3/0
Router(config-if)# media-type sfp
Router(config-if)# speed 100
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit
126
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
7
Configuring Ethernet Switches
This chapter gives an overview of configuration tasks for the following:
• 4-port Fast Ethernet (FE) switch on the Cisco 860, 880, and 890 integrated service routers (ISRs)
• Gigabit Ethernet (GE) switch on the Cisco 860VAE-K9
• Gigabit Ethernet (GE) switch that services the embedded wireless access point on the Cisco 860 and
Cisco 880 series ISRs.
The FE switches are 10/100Base T Layer 2 Fast Ethernet switches. The GE switch is a 1000Base T Layer
2 Gigabit Ethernet switch. Traffic between different VLANs on a switch is routed through the router platform with the switched virtual interface (SVI).
Any switch port may be configured as a trunking port to connect to other Cisco Ethernet switches. An optional power module can be added to Cisco 880 series ISRs to provide inline power to two of the FE ports for IP telephones or external access points.
This chapter contains the following sections:
•
Switch Port Numbering and Naming, page 127
•
Restrictions for the FE Switch, page 128
•
•
Overview of SNMP MIBs, page 130
•
Configuring Ethernet Switches, page 131
Switch Port Numbering and Naming
The ports for Cisco 860, 880, and 890 ISRs are numbered as follows:
• The ports on the FE switch for the Cisco 860, 880, and 890 ISRs are numbered FE0 through FE3.
• The port on the GE switch for the 860VAE-K9 is numbered GE0.
• The port on the GE switch that services the embedded wireless access point on the Cisco 860 and Cisco
880 series ISRs is named and numbered Wlan-GigabitEthernet0.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
127 OL-31704-02
Configuring Ethernet Switches
Restrictions for the FE Switch
Restrictions for the FE Switch
The following restrictions apply to the FE switch:
• Ports of an FE switch must not be connected to any Fast Ethernet onboard port of the router.
• On Cisco 880 series ISRs, inline power is supported only on FE switch ports FE0 and FE1. Inline power is not supported on Cisco 860 series ISRs.
• VTP pruning is not supported.
• FE switch can support up to 200 secure MAC addresses.
Ethernet Switches
To configure Ethernet switches, you should understand the following concepts:
VLANs and VLAN Trunk Protocol
For information on the concepts of VLANs and VLAN Trunk Protocol (VTP), see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1047027
Inline Power
Inline power is not supported on the Cisco 860 series ISRs. On the Cisco 880 series ISRs, inline power can be supplied to Cisco IP phones or external access points on FE switch ports FE0 and FE1.
A detection mechanism on the FE switch determines whether it is connected to a Cisco device. If the switch senses that there is no power on the circuit, the switch supplies the power. If there is power on the circuit, the switch does not supply it.
You can configure the switch to never supply power to the Cisco device and to disable the detection mechanism.
The FE switch also provides support for powered devices compliant with IEEE 802.3af.
Layer 2 Ethernet Switching
For information on Layer 2 Ethernet Switching, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1048478
802.1x Authentication
For information on 802.1x Authentication, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1051006
128
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet Switches
Spanning Tree Protocol
Note The authentication command under switch trunk interface mode is enabled for the NEAT feature. This is available with Cisco IOS Release 15.2T.
Spanning Tree Protocol
For information on Spanning Tree Protocol, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1048458
Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) runs over Layer 2 (the data link layer) on all Cisco routers, bridges, access servers, and switches. CDP allows network management applications to discover Cisco devices that are neighbors of already known devices, in particular, neighbors running lower-layer, transparent protocols. With
CDP, network management applications can learn the device type and the SNMP agent address of neighboring devices. This feature enables applications to send SNMP queries to neighboring devices.
CDP runs on all LAN and WAN media that support Subnetwork Access Protocol (SNAP). Each CDP-configured device sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain the time-to-live, or hold-time information, which indicates the length of time a receiving device should hold CDP information before discarding it.
Switched Port Analyzer
For information on Switched Port Analyzer, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1053663
IGMP Snooping
For information on IGMP Snooping, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1053727
IGMP Version 3
The Cisco 880 series ISRs support Version 3 of IGMP snooping.
IGMPv3 provides support for source filtering, which enables a multicast receiver host to signal to a router from which groups the receiver host is to receive multicast traffic, and from which sources this traffic is expected. Enabling the IGMPv3 feature with IGMP snooping on Cisco ISRs provides Basic IGMPv3 Snooping
Support (BISS). BISS provides constrained flooding of multicast traffic in the presence of IGMPv3 hosts.
This support constrains traffic to approximately the same set of ports as IGMPv2 snooping does with IGMPv2 hosts. The constrained flooding only considers the destination multicast address.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
129
Configuring Ethernet Switches
Storm Control
Storm Control
For information on storm control, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1051018
Overview of SNMP MIBs
Simple Management Network Protocol (SNMP) development and use is centered around the MIB. An SNMP
MIB is an abstract database and it is a conceptual specification for information that a management application may read and modify in a certain form. This does not imply that the information is kept in the managed system in that same form. The SNMP agent translates between the internal data structures and formats of the managed system and the external data structures and formats defined for the MIB.
The SNMP MIB is conceptually a tree structure with conceptual tables. Cisco Layer 2 Switching Interface
MIB is discussed in more detail in
BRIDGE-MIB for Layer 2 Ethernet Switching , on page 130
. Relative to this tree structure, the term MIB is used in two ways. One definitions of MIB is, it is actually a MIB branch, usually containing information for a single aspect of technology, such as a transmission medium or a routing protocol. A MIB used in this sense is more accurately called a MIB module, and is usually defined in a single document. The other definition of a MIB is a collection of such branches. Such a collection might comprise, for example, all the MIB modules implemented by a given agent, or the entire collection of MIB modules defined for SNMP.
A MIB is a tree where the leaves are individual items of data called objects. An object may be, for example, a counter or a protocol status. MIB objects are also sometimes called variables.
BRIDGE-MIB for Layer 2 Ethernet Switching
The Layer 2 Ethernet Switching Interface BRIDGE-MIB is supported in the Cisco 887, 880, and 890 platforms.
The BRIDGE-MIB enables the user to know the Media Access Control (MAC) addresses and spanning tree information of the Ethernet switch modules. The user can query the MIB agent using the SNMP protocol and get the details of Ethernet switch modules, such as MAC addresses, of each interface and spanning protocol information.
The Bridge-MIB uses the following approaches to get the Layer 2 BRIDGE-MIB information:
• Community-string-based approach
• Context-based approach
In the community string based approach, one community string is created for each VLAN. Based on the query, the respective VLAN MIB is displayed.
To get the BRIDGE-MIB details, use the snmp-server community public RW command in the configuration mode.
Router(config)# snmp-server community public RW
Use the following syntax to query the SNMP BRIDGE-MIB details: snmpwalk -v2c <ip address of the ISR, ...> public .1.3.6.1.2.1.17
snmpwalk -v2c <ip address of the ISR, ...> public@2 .1.3.6.1.2.1.17
snmpwalk -v2c <ip address of the ISR, ...> public@3 .1.3.6.1.2.1.17
130
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet Switches
MAC Address Notification
Note When you create a VLAN ‘x’, the logical entity public@x is added. If you query with public community, the Layer 3 MIB is displayed. When you query with public@x, the Layer 2 MIB for VLAN ‘x’ is displayed.
In the context based approach, the SNMP context mapping commands are used to display the values for Layer
2 interfaces. Each VLAN is mapped to a context. When the user queries with a context, the MIB displays the data for that specific VLAN, which is mapped to the context. In this approach, each VLAN is manually mapped to a context.
To get the BRIDGE-MIB details, use the following commands in the configuration mode:
Router(config)# Routersnmp-server group public v2c context bridge-group
Router(config)# snmp-server community public RW
Router(config)# snmp-server community private RW
Router(config)# snmp-server context bridge-group
Router(config)# snmp mib community-map public context bridge-group
Use the following syntax to query the SNMP BRIDGE-MIB details.
snmpwalk -v2c <ip address of the ISR, ...> public@1 .1.3.6.1.2.1.17 ?L2-MIB snmpwalk -v2c <ip address of the ISR, ...> private .1.3.6.1.2.1.17?L3-MIB
Note When you query with the public community, the Layer 2 MIB is displayed. Use a private group for Layer
3 MIB.
For more details to configure and retrieve the BRIDGE-MIB details, see: http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a9b. shtml#brgmib
MAC Address Notification
MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the
MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
For more details to configure MAC address notification, see: http://www1.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/ configuration/ guide/swadmin.html#wp1102213
Configuring Ethernet Switches
See the following sections for configuration tasks for Ethernet switches:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
131 OL-31704-02
Configuring Ethernet Switches
Configuring VLANs
Configuring VLANs
This section provides information on how to configure VLANs. The Cisco 860 series ISRs support two VLANs and the 860VAE series ISRs support five VLANs.The Cisco 880 series ISRs support eight VLANs.
Note Cisco 866VAE-K9 and 867VAE-K9 routers have four Fast Ethernet (FE) switching ports and one Gigabit
Ethernet (GE) switching port.
VLANs on the FE and GE Switch Ports
To configure VLANs, perform these steps, beginning in configuration mode.
SUMMARY STEPS
1. interface type number
2. shutdown
3. switchport access vlan vlan_id
4. no shutdown
5. end
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action
interface type number
Purpose
Selects the Fast Ethernet port to configure.
Example:
Router(config)# Interface fastethernet0 shutdown (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Example:
Router(config-if)# shutdown
switchport access vlan vlan_id Creates instances of additional VLANs. Allowable values of
vlan_id are 2 to 4094, except for reserved values of 1002 to
1005.
Example:
Router(config-if)# switchport access vlan 2 no shutdown Enables the interface, changing its state from administratively down to administratively up.
Example:
Router(config-if)# no shutdown
132
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet Switches
Configuring VLANs
Step 5
Command or Action end
Example:
Router(config-if)# end
Purpose
Exits configuration mode.
What to Do Next
For additional information, see the information at the following URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ layer2.html
VLANs on the GE Port and GE ESW Port of Wireless APs
Because the GE port is an internal interface that services only the embedded access point of the router, it cannot be configured only with the switchport access vlan X command, where X is other than 1. It may, however, be configured in trunk mode. This may be done by performing the following steps, beginning in global configuration mode.
SUMMARY STEPS
1. interface type number
2. switchport mode trunk
3. switchport access vlan vlan_id
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
interface type number
Example:
Router(config)# Interface gigabitethernet0 switchport mode trunk
Example:
Router(config-if)# switchport mode trunk
switchport access vlan vlan_id
Example:
Router(config-if)# switchport access vlan 2
Purpose
Selects the Gigabit Ethernet port to configure.
Places the port in trunk mode.
(Optional) Once the port is in trunk mode, it may be assigned a VLAN number other than 1.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
133
Configuring Ethernet Switches
Configuring Layer 2 Interfaces
Configuring Layer 2 Interfaces
For information on how to configure Layer 2 interfaces, see the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1047041
The URL contains information on the following topics:
• Configuring a range of interfaces
• Defining a range macro
• Configuring Layer 2 optional interface features
Configuring 802.1x Authentication
For information on how to configure 802.1x port-based authentication, see: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_8021x.html
The document contains information on the following topics:
• Understanding the default 802.1x configuration
• Enabling 802.1x authentication
• Configuring the switch-to-RADIUS-server comunication
• Enabling periodic reauthentication
• Changing the quiet period
• Changing the switch-to-client retransmission time
• Setting the switch-to-client frame-retransmission number
• Enabling multiple hosts
• Resetting the 802.1x configuration to default values
• Displaying 802.1x statistics and status
Configuring Spanning Tree Protocol
For information on how to configure Spanning Tree Protocol, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1047906
The document contains information on the following topics:
• Enabling spanning tree
• Configuring spanning tree port priority
• Configuring spanning tree port cost
• Configuring the bridge priority of a VLAN
134
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet Switches
Configuring MAC Table Manipulation
• Configuring the Hello Time
• Configuring the forward-delay time for a VLAN
• Configuring the maximum aging time for a VLAN
• Disabling spanning tree
Configuring MAC Table Manipulation
For information on how to configure MAC table manipulation, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048223
The document contains information on the following topics:
• Enabling known MAC address traffic
• Creating a static entry in the MAC address table
• Configuring the aging timer
• Verifying the aging time
Port Security
The topic of enabling known MAC address traffic deals with port security. Port security can be either static or dynamic.
Static port security allows the user to specify which devices are allowed access through a given switch port.
The specification is done manually by placing allowed device MAC addresses in the MAC address table.
Static port security is also known as MAC address filtering.
Dynamic port security is similar. However, instead of specifying the MAC address of the devices, the user specifies the maximum number of devices that is allowed on the port. If the maximum number specified is more than the number of MAC addresses specified manually, the switch learns the MAC address automatically, up to the maximum specified. If the maximum number specified is less than the number of MAC addresess already specified statically, an error message is produced.
The following command is used to specify static or dynamic port security.
Command
Router(config)# mac-address-table secure
[mac-address | maximum maximum addresses]
fastethernet interface-id [vlan vlan id]
Purpose
mac-address enables static port security. The
maximum keyword enables dynamic port security.
Configuring Cisco Discovery Protocol
For information on how to configure Cisco Discovery Protocol (CDP), see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048365
The document contains information on the following topics:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
135
Configuring Ethernet Switches
Configuring the Switched Port Analyzer
• Enabling CDP
• Enabling CDP on an interface
• Monitoring and maintaining CDP
Configuring the Switched Port Analyzer
For information on how to configure a switched port analyzer (SPAN) session, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048473
The document contains information on the following topics:
• Configuring the SPAN sources
• Configuring SPAN destinations
• Verifying SPAN sessions
• Removing sources or destinations from a SPAN session
Configuring Power Management on the Interface
For information on how to configure inline power for access points or Cisco IP phones, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048551
Configuring IP Multicast Layer 3 Switching
For information on how to configure IP multicast Layer 3 switching, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048610
The document contains information on the following topics:
• Enabling IP multicast routing globally
• Enabling IP protocol-independent multicast (PIM) on Layer 3 interfaces
• Verifying IP multicast Layer 3 hardware switching summary
• Verifying the IP multicast routing table
Configuring IGMP Snooping
For information on how to configure IGMP snooping, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1048777
The document contains information on the following topics:
• Enabling or disabling IGMP snooping
• Enabling IGMP immediate-leave processing
136
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Ethernet Switches
Configuring Per-Port Storm Control
• Statically configuring an interface to join a group
• Configuring a multicast router port
IGMP Version 3
In support of the IGMPv3 feature in Cisco IOS Release 12.4(15)T, the groups and count keywords were added to the show ip igmp snooping command, and the output of the show ip igmp snooping command was modified to include global information about IGMP snooping groups. Use the show ip igmp snooping command with the groups keyword to display the multicast table learned by IGMP snooping for all VLANs, or the show ip igmp snooping command with the groups keyword, vlan-id keyword, and vlan-id argument to display the multicast table learned by IGMP snooping for a specific VLAN. Use the show ip igmp snooping command with the groups and count keywords to display the number of multicast groups learned by IGMP snooping.
Configuring Per-Port Storm Control
For information on how to configure per-port storm control, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1049009
The document contains information on the following topics:
• Enabling per-port storm-control
• Disabling per-port storm-control
Configuring Separate Voice and Data Subnets
For information on how to configure separate voice and data subnets, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1049866
Managing the Switch
For information on management of the switch, see: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1049978
The document contains information on the following topics:
• Adding Trap Managers
• Configuring IP Information
• Enabling Switch Port Analyzer
• Managing the ARP Table
• Managing the MAC Address Tables
• Removing Dynamic Addresses
• Adding Secure Addresses
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
137
Managing the Switch
• Configuring Static Addresses
• Clearing all MAC Address Tables
Configuring Ethernet Switches
138
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
8
Configuring Voice Functionality
This chapter provides information about configuring voice functionality on the Cisco 880 Series Integrated
Services Routers (ISRs). The following ISRs have voice gateway capability:
• C881SRST and C888SRST: 4 FXS ports and 1 voice backup port
â—¦The C881SRST ISR has an FXO voice backup port.
â—¦The C888SRST ISR has a BRI voice backup port.
• C881-V has 4FXS ports, 2 BRI ports, and 1 backup FXO port
• C887VA-V and C887VA-V-W has 4FXS ports and 2 BRI ports.
•
•
Call Control Protocols, page 140
•
Dial Peer Configuration, page 141
•
Other Voice Features, page 141
•
•
Unified Survival Remote Site Telephony, page 143
•
Verification of Voice Configuration, page 144
Voice Ports
Analog voice ports (Foreign Exchange Station (FXS) ports) connect routers in packet-based networks to
2-wire or 4-wire analog circuits in telephony networks. Two-wire circuits connect to analog telephone or fax devices, and four-wire circuits connect to PBXs.
Digital voice ports are ISDN basic rate interface (BRI) ports.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
139 OL-31704-02
Configuring Voice Functionality
Analog and Digital Voice Port Assignments
Analog and Digital Voice Port Assignments
Analog and digital voice port assignments vary by model number.
Table 19: Voice Port Assignments for
Cisco 880 series ISRs, on page 140
lists the Cisco 880 series ISRs and their voice port assignments.
Table 19: Voice Port Assignments for Cisco 880 series ISRs
Model Number
C881SRST
C888SRST
C881-V
C887VA-V
C887VA-V-W
2
2
—
2
Digital (BRI) Port
Numbers
—
4
4
Analog (FXS) Port
Numbers
0–3
0–3
4
—
—
Voice Backup Port
Number
4 (FXO port)
4 (BRI port)
1 (FXO port)
Voice Port Configuration
To configure analog and digital voice ports, see the following documents:
• Configuring Analog Voice Ports
• Basic ISDN Voice Interface Configuration
Call Control Protocols
SIP
Session Initiation Protocol (SIP) is a peer-to-peer, multimedia signaling protocol developed in the IETF (IETF
RFC 2543). Session Initiation Protocol is ASCII-based. It resembles HTTP, and it reuses existing IP protocols
(such as DNS and SDP) to provide media setup and teardown. See the Cisco IOS SIP Configuration Guide for more information.
For router configuration information under SIP, see the Basic SIP Configuration chapter of the Cisco IOS
SIP Configuration Guide, Release 12.4T.
Cisco 880 Series ISR voice gateways provide voice security through SIP enhancements within the Cisco IOS
Firewall. SIP inspect functionality (SIP packet inspection and detection of pin-hole openings) is provided, as well as protocol conformance and application security. The user is given more granular control on the policies and security checks applied to SIP traffic, and capability to filter out unwanted messages. For more information, see “Cisco IOS Firewall: SIP Enhancements: ALG and AIC” .
140
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Voice Functionality
MGCP
MGCP
Media Gateway Control Protocol (MGCP) RFC 2705 defines a centralized architecture for creating multimedia applications, including Voice over IP (VoIP). See the Cisco IOS MGCP and Related Protocols Configuration
Guide for more information.
Cisco 880 series voice gateway ISRs are configured primarily as residential gateways (RGWs) under MGCP.
For residential gateway configuration information, see the Configuring an RGW section of the Basic MGCP
Configuration chapter of the Cisco IOS MGCP and Related Protocols Configuration Guide .
H.323
International Telecommunications Union Recommendation H.323 defines a distributed architecture for creating multimedia applications, including Voice over IP.
For router configuration information, see the Configuring H.323 Gateways chapter of the Cisco IOS H.323
Configuration Guide, Release 12.4T
.
Dial Peer Configuration
Configuring dial peers is the key to implementing dial plans and providing voice services over an IP packet network. Dial peers are used to identify call source and destination endpoints and to define the characteristics applied to each call leg in the call connection. For router configuration information, see Dial Peer Configuration on Voice Gateway Routers .
Other Voice Features
Real-Time Transport Protocols
Real-Time Transport Protocol (RTP) provides end-to-end network transport functions for applications that transmit real-time data.
Cisco Real-Time Transport Protocol (cRTP) uses the RTP protocol to forward Cisco-proprietary payload types.
Secure Real-Time Transport Protocol (SRTP) defines an RTP profile providing encryption, authentication, and replay protection.
RTP is used primarily with DTMF relay and is configured under dial peer configuration. For information on configuring RTP payload types, see the Dual-Tone Multifrequency Relay section of Dial Peer Configuration on Voice Gateway Routers .
For information on configuring SRTP on SIP-controlled platforms, see the Configuring SIP Support for SRTP chapter of the Cisco IOS SIP Configuration Guide, Release 4T .
For configuring RTP on MGCP-controlled platforms, see the Configuring an RGW section of the Basic MGCP
Configuration chapter of the Cisco IOS MGCP and Related Protocols Configuration Guide .
Cisco 800 Series Integrated Services Routers Software Configuration Guide
141 OL-31704-02
Configuring Voice Functionality
Dual Tone Multi Frequency Relay
Dual Tone Multi Frequency Relay
Using Dial Tone Multi Frequency (DTMF) Relay the local VoIP gateway listens for DTMF digits and sends the digits uncompressed as either RTP packets or H.245 packets to the remote VoIP gateway. The remote
VoIP gateway regenerates the DTMF digits. This methodology prevents digit loss due to compression. For information on configuring DTMF Relay, see the Dual-Tone Multifrequency Relay section of Dial Peer
Configuration on Voice Gateway Routers .
For information on configuring DTMF that is specific to call control protocols, see the following:
• Configuring SIP DTMF Features
• Configuring DTMF Relay (H.323)
• Configuring Global MGCP Parameters
CODECs
The following CODECs are supported by the Cisco 880 series voice gateway routers.
• G.711 (a-law and mu-law)
• G.726
• G.729, G.729A, G.729B, G.729AB
For information on CODECs, see the following:
• Dial Peer Configuration Examples appendix of Dial Peer Configuration on Voice Gateway Routers .
• Cisco IOS SIP Configuration Guide, Release 4T
• Cisco IOS H.323 Configuration Guide
SCCP-Controlled Analog Ports with Supplementary Features
Cisco 880 series voice gateway ISRs support the Cisco Skinny Client Control Protocol (SCCP) that supplies supplementary features on analog voice ports that are controlled by Cisco Unified Communications Manager or by a Cisco Unified Communications Manager Express system. Supported features include:
• Audible message waiting indication
• Call forwarding options
• Call park/pickup options
• Call transfer
• Call waiting
• Caller ID
• 3-party conference calls
• Redial
142
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Voice Functionality
Fax Services
• Speed dial options
For more information on the features supported and their configuration, see SCCP Controlled Analog (FXS)
Ports with Supplementary Features in Cisco IOS Gateways .
Fax Services
The Cisco 880 series voice gateway ISRs support the following fax services:
Fax Pass-Through
Fax Pass-Through is the simplest way of transmitting faxes over IP, although it is not as reliable as Cisco Fax
Relay. See the Configuring Fax Pass-Through chapter of the Cisco IOS Fax, Modem, and Text Services over
IP Configuration Guide for more information.
Cisco Fax Relay
Cisco Fax Relay is a Cisco proprietary fax method that is turned on by default. Cisco Fax Relay allows the relay of a T.30 modulated signal across IP gateways in real-time on H.323 or SIP networks. See the Configuring
Cisco Fax Relay chapter of the Cisco IOS Fax, Modem, and Text Services over IP Configuration Guide for more information.
T.37 Store-and-Forward Fax
The T.37 Store-and-Forward Fax mechanism allows a gateway to store and forward fax messages on H.323
or SIP networks. See the Configuring T.37 Store-and-Forward Fax chapter of the Cisco IOS Fax, Modem, and Text Services over IP Configuration Guide for more information.
T.38 Fax Relay
The T.38 Fax Relay provides an ITU-standard mechanism for real-time relay of fax signals. Gateway-controlled
T.38 Fax Relay is available on MGCP networks. See the Configuring T.38 Fax Relay chapter of the Cisco
IOS Fax, Modem, and Text Services over IP Configuration Guide for more information.
Unified Survival Remote Site Telephony
Cisco 880 Series voice gateway ISRs with Unified Survival Remote Site Telephony (SRST) include the following:
• Cisco C881SRST
• Cisco C888SRST
Cisco 800 Series Integrated Services Routers Software Configuration Guide
143 OL-31704-02
Configuring Voice Functionality
Verification of Voice Configuration
Unified SRST automatically detects a failure in the network and initializes the process of auto configuring the router. Unified SRST provides redundancy for the IP and FXS phones to ensure that the telephone system remains operational.
All the IP phones and analog phones connected to a telecommuter site are controlled by the headquarters office call control system, which uses Cisco Unified Communications Manager. During a WAN failure, the telecommuter router allows all the phones to reregister to the headquarter in SRST mode, allowing all inbound and outbound dialing to be routed off to the PSTN (on a backup Foreign Exchange Office (FXO) or BRI port).
Upon restoration of WAN connectivity, the system automatically returns communication to the primary Cisco
Unified Communications Manager cluster.
Direct Inward Dialing (DID) is supported on the Cisco 880 series SRST voice gateway ISRs.
For general Unified SRST information, see the Cisco Unified SRST System Administrator Guide . Cisco
Unified SRST is described in the Overview chapter.
• For information on how the H.323 and MGCP call control protocols relate to SRST, see the following sections of the Overview chapter in the Cisco Unified SRST System Administrator Guide .
For SIP-specific SRST information, see the Cisco Unified SRST System Administrator Guide . To configure
SIP SRST features, see the 4.1 Features chapter.
Verification of Voice Configuration
Use the following procedures to verify voice port configurations:
• Verifying Analog and Digital Voice-Port Configurations
• Cisco IOS Voice Port Configuration Guide, Verify BRI Interfaces
To verify, monitor, and maintain SRST, see Monitoring and Maintaining Cisco Unified SRST .
144
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
9
Configuring the Serial Interface
This chapter describes configuring serial interface management.
•
Configuring the Serial Interface, page 145
•
Legacy Protocol Transport, page 146
•
Configuring Serial Interfaces, page 147
•
Configuring Serial Interfaces, page 150
Configuring the Serial Interface
The Cisco 819 Integrated Services Router (ISR) supports synchronous by default and asynchronous serial interface protocols.
Configuring the serial interface in the Cisco 819 ISR allows you to enable applications such as WAN access, legacy protocol transport, console server, and dial access server. It also allows remote network management, external dial-modem access, low-density WAN aggregation, legacy protocol transport, and high port-density support.
Serial interfaces enables the following features:
• WAN access and aggregation
• Legacy protocol transport
• Dial access server
Serial interfaces can be used to provide WAN access for remote sites. With support for serial speeds up to 8
Mbps, it is ideal for low- and medium-density WAN aggregation.
Figure 6: WAN Concentration
Cisco 800 Series Integrated Services Routers Software Configuration Guide
145 OL-31704-02
Configuring the Serial Interface
Legacy Protocol Transport
Legacy Protocol Transport
Serial and synchronous/asynchronous ports are ideally suited to transport legacy traffic across a TCP/IP network, facilitating network convergence. Legacy protocols supported by Cisco IOSR Software include:
• Synchronous Data Link Control (SDLC) Protocol
• Binary Synchronous Communications Protocol (Bisync)
• X.25 Protocol
Figure 7: Network Convergence
The Cisco 819 series ISRs use Cisco Smart Serial connectors. The supported cables are noted in the table below.
Table 20: Smart Serial Cabling for Cisco 819 ISRs
Product Number
CAB-SS-V35MT
CAB-SS-V35FC 10 ft
(3m) Female
CAB-SS-232MT
CAB-SS-232FC
CAB-SS-449MT
CAB-SS-449FC
CAB-SS-X21MT
CAB-SS-X21FC
CAB-SS-530MT
CAB-SS-530AMT
Cable Type
V.35 DTE
V.35 DCE
EIA/TIA-232 DTE
EIA/TIA-232 DTE
EIA/TIA-449 DTE
EIA/TIA-449 DTE
X.21 DTE
X.21 DTE
EIA/TIA-530 DTE
EIA/TIA-232 DTE
Length
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
10 ft (3m)
Connector Type
Male
Female
Male
Female
Male
Female
Male
Female
Male
Male
146
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring Serial Interfaces
Configuring Serial Interfaces
When the router receives an indication that the primary interface is down, the backup interface becomes enabled. After the primary connection has been restored for a specified period, the backup interface is disabled.
Even if the backup interface comes out of standby mode, the router does not enable the backup interface unless the router receives the traffic specified for that backup interface.
To configure serial interfaces, you must understand the following concept:
Cisco HDLC Encapsulation
Cisco High-Level Data Link Controller (HDLC) is the Cisco proprietary protocol for sending data over synchronous serial links using HDLC. Cisco HDLC also provides a simple control protocol called Serial Line
Address Resolution Protocol (SLARP) to maintain serial link keepalives. Cisco HDLC is the default for data encapsulation at Layer 2 (data link) of the Open System Interconnection (OSI) stack for efficient packet delineation and error control.
Note Cisco HDLC is the default encapsulation type for the serial interfaces.
When the encapsulation on a serial interface is changed from HDLC to any other encapsulation type, the configured serial subinterfaces on the main interface inherit the newly changed encapsulation and they do not get deleted.
Cisco HDLC uses keepalives to monitor the link state, as described in the
.
PPP Encapsulation
PPP is a standard protocol used to send data over synchronous serial links. PPP also provides a Link Control
Protocol (LCP) for negotiating properties of the link. LCP uses echo requests and responses to monitor the continuing availability of the link.
Note When an interface is configured with PPP encapsulation, a link is declared down and full LCP negotiation is re-initiated after five echo request (ECHOREQ) packets are sent without receiving an echo response
(ECHOREP).
PPP provides the following Network Control Protocols (NCPs) for negotiating properties of data protocols that will run on the link:
• IP Control Protocol (IPCP) to negotiate IP properties
• Multiprotocol Label Switching control processor (MPLSCP) to negotiate MPLS properties
• Cisco Discovery Protocol control processor (CDPCP) to negotiate CDP properties
• IPv6CP to negotiate IP Version 6 (IPv6) properties
• Open Systems Interconnection control processor (OSICP) to negotiate OSI properties
Cisco 800 Series Integrated Services Routers Software Configuration Guide
147 OL-31704-02
Configuring the Serial Interface
PPP Encapsulation
PPP uses keepalives to monitor the link state, as described in the
.
PPP supports the following authentication protocols, which require a remote device to prove its identity before allowing data traffic to flow over a connection:
• Challenge Handshake Authentication Protocol (CHAP)—CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a response message. The local router attempts to match the remote device’s name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)—MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in this case, authentication occurs between a personal computer using Microsoft Windows NT or Microsoft
Windows 95 and a Cisco router or access server acting as a network access server.
• Password Authentication Protocol (PAP)—PAP authentication requires the remote device to send a name and a password, which are checked against a matching entry in the local username database or in the remote security server database.
Use the ppp authentication command in interface configuration mode to enable CHAP, MS-CHAP, and
PAP on a serial interface.
Note Enabling or disabling PPP authentication does not effect the local router’s willingness to authenticate itself to the remote device.
Multilink PPP
Multilink Point-to-Point Protocol (MLPPP) is supported on the Cisco 819 ISR serial interface. MLPPP provides a method for combining multiple physical links into one logical link. The implementation of MLPPP combines multiple PPP serial interfaces into one multilink interface. MLPPP performs the fragmenting, reassembling, and sequencing of datagrams across multiple PPP links.
MLPPP provides the same features that are supported on PPP Serial interfaces with the exception of QoS. It also provides the following additional features:
• Fragment sizes of 128, 256, and 512 bytes
• Long sequence numbers (24-bit)
• Lost fragment detection timeout period of 80 ms
• Minimum-active-links configuration option
• LCP echo request/reply support over multilink interface
• Full T1 and E1 framed and unframed links
148
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Keepalive Timer
Keepalive Timer
Cisco keepalives are useful for monitoring the link state. Periodic keepalives are sent to and received from the peer at a frequency determined by the value of the keepalive timer. If an acceptable keepalive response is not received from the peer, the link makes the transition to the down state. As soon as an acceptable keepalive response is obtained from the peer or if keepalives are disabled, the link makes the transition to the up state.
Note The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It does not apply to serial interfaces using Frame Relay encapsulation.
For each encapsulation type, a certain number of keepalives ignored by a peer triggers the serial interface to transition to the down state. For HDLC encapsulation, three ignored keepalives causes the interface to be brought down. For PPP encapsulation, five ignored keepalives causes the interface to be brought down.
ECHOREQ packets are sent out only when LCP negotiation is complete (for example, when LCP is open).
Use the keepalive command in interface configuration mode to set the frequency at which LCP sends
ECHOREQ packets to its peer. To restore the system to the default keepalive interval of 10 seconds, use the
keepalive command with the no keyword. To disable keepalives, use the keepalive disable command. For both PPP and Cisco HDLC, a keepalive of 0 disables keepalives and is reported in the show running-config command output as keepalive disable.
When LCP is running on the peer and receives an ECHOREQ packet, it responds with an ECHOREP packet, regardless of whether keepalives are enabled on the peer.
Keepalives are independent between the two peers. One peer end can have keepalives enabled; the other end can have them disabled. Even if keepalives are disabled locally, LCP still responds with ECHOREP packets to the ECHOREQ packets it receives. Similarly, LCP also works if the period of keepalives at each end is different.
Frame Relay Encapsulation
When Frame Relay encapsulation is enabled on a serial interface, the interface configuration is hierarchical and comprises the following elements:
• The serial main interface comprises the physical interface and port. If you are not using the serial interface to support Cisco HDLC and PPP encapsulated connections, then you must configure subinterfaces with permanent virtual circuits (PVCs) under the serial main interface. Frame Relay connections are supported on PVCs only.
• Serial subinterfaces are configured under the serial main interface. A serial subinterface does not actively carry traffic until you configure a PVC under the serial subinterface. Layer 3 configuration typically takes place on the subinterface.
• When the encapsulation on a serial interface is changed from HDLC to any other encapsulation type, the configured serial subinterfaces on the main interface inherit the newly changed encapsulation and they do not get deleted.
• Point-to-point PVCs are configured under a serial subinterface. You cannot configure a PVC directly under a main interface. A single point-to-point PVC is allowed per subinterface. PVCs use a predefined circuit path and fail if the path is interrupted. PVCs remain active until the circuit is removed from either configuration. Connections on the serial PVC support Frame Relay encapsulation only.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
149
Configuring the Serial Interface
Configuring Serial Interfaces
Note The administrative state of a parent interface drives the state of the subinterface and its PVC. When the administrative state of a parent interface or subinterface changes, so does the administrative state of any child PVC configured under that parent interface or subinterface.
To configure Frame Relay encapsulation on serial interfaces, use the encapsulation (Frame Relay VC-bundle) command.
Frame Relay interfaces support two types of encapsulated frames:
• Cisco (default)
• IETF
Use the encap command in PVC configuration mode to configure Cisco or IETF encapsulation on a PVC. If the encapsulation type is not configured explicitly for a PVC, then that PVC inherits the encapsulation type from the main serial interface.
Note Cisco encapsulation is required on serial main interfaces that are configured for MPLS. IETF encapsulation is not supported for MPLS.
Before you configure Frame Relay encapsulation on an interface, you must verify that all prior Layer 3 configuration is removed from that interface. For example, you must ensure that there is no IP address configured directly under the main interface; otherwise, any Frame Relay configuration done under the main interface will not be viable.
LMI on Frame Relay Interfaces
The Local Management Interface (LMI) protocol monitors the addition, deletion, and status of PVCs. LMI also verifies the integrity of the link that forms a Frame Relay UNI interface. By default, cisco LMI is enabled on all PVCs.
If the LMI type is cisco (the default LMI type), the maximum number of PVCs that can be supported under a single interface is related to the MTU size of the main interface. Use the following formula to calculate the maximum number of PVCs supported on a card or SPA:
(MTU - 13)/8 = maximum number of PVCs
Note The default setting of the mtu command for a serial interface is 1504 bytes. Therefore, the default numbers of PVCs supported on a serial interface configured with cisco LMI is 186.
Configuring Serial Interfaces
This section contains the following tasks:
150
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
Configuring a Synchronous Serial Interface
Synchronous serial interfaces are supported on various serial network interface cards or systems. This interface supports full-duplex operation at T1 (1.544 Mbps) and E1 (2.048 Mbps) speeds.
To configure a synchronous serial interface, perform the tasks in the following sections. Each task in the list is identified as either required or optional.
See the
Examples for Interface Enablement Configuration, on page 164
for examples of configuration tasks described in this chapter.
Specifying a Synchronous Serial Interface
To specify a synchronous serial interface and enter interface configuration mode, use one of the following commands in global configuration mode.
Command Purpose
Enters interface configuration mode.
Router(config)# interface serial
0
Specifying Synchronous Serial Encapsulation
By default, synchronous serial lines use the High-Level Data Link Control (HDLC) serial encapsulation method, which provides the synchronous framing and error detection functions of HDLC without windowing or retransmission. The synchronous serial interfaces support the following serial encapsulation methods:
• HDLC
• Frame Relay
• PPP
• Synchronous Data Link Control (SDLC)
• SMDS
• Cisco Serial Tunnel ( STUN)
• Cisco Bisync Serial Tunnel (BSTUN)
• X.25-based encapsulations
To define the encapsulation method, use the following command in interface configuration mode.
Command Purpose
Configures synchronous serial encapsulation.
Router(config-if)# encapsulation
{ hdlc
| frame-relay
| ppp
| sdlc-primary
| sdlc-secondary
| smds
| stun
| x25 | bstun
}
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
151
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
Note You cannot use the physical-layer async command for frame-relay encapsulation.
Encapsulation methods are set according to the type of protocol or application you configure in the Cisco IOS software.
• PPP is described in Configuring Media-Independent PPP and Multilink PPP.
• The remaining encapsulation methods are defined in their respective books and chapters describing the protocols or applications. Serial encapsulation methods are also discussed in the Cisco IOS Interface and Hardware Component Command Reference encapsulation command.
By default, synchronous interfaces operate in full-duplex mode. To configure an SDLC interface for half-duplex mode, use the following command in interface configuration mode.
Command Purpose
Configures an SDLC interface for half-duplex mode.
Router(config-if)# half-duplex
Binary synchronous communication (Bisync) is a half-duplex protocol. Each block of transmission is acknowledged explicitly. To avoid the problem associated with simultaneous transmission, there is an implicit role of primary and secondary stations. The primary sends the last block again if there is no response from the secondary within the period of block receive timeout.
To configure the serial interface for full-duplex mode, use the following command in interface configuration mode.
Command
Router(config-if)# full-duplex
Purpose
Specifies that the interface can run Bisync using switched RTS signals.
Configuring PPP
To configure PPP, refer to the Configuring Media-Independent PPP and Multilink PPP.
Configuring Bisync
To configure the Bisync feature on the synchronous serial port adapters on Cisco 819 ISRs, refer to the Block
Serial Tunneling (BSTUN) Overview.
All commands listed in this section apply to the synchronous serial port adapters on Cisco 891 ISRs. Any command syntax that specifies an interfacenumber supports the Cisco
891 ISRs slot/port syntax.
Configuring Compression of HDLC Data
You can configure point-to-point software compression on serial interfaces that use HDLC encapsulation.
Compression reduces the size of a HDLC frame via lossless data compression. The compression algorithm used is a Stacker (LZS) algorithm.
152
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
Compression is performed in software and might significantly affect system performance. We recommend that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use the show process
cpu EXEC command.
If the majority of your traffic is already compressed files, you should not use compression.
To configure compression over HDLC, use the following commands in interface configuration mode.
SUMMARY STEPS
1. encapsulation hdlc
2. compress stac
DETAILED STEPS
Step 1
Step 2
Command or Action encapsulation hdlc
Example:
Router(config-if)# encapsulation hdlc compress stac
Example:
Router(config-if)# compress stac
Purpose
Enables encapsulation of a single protocol on the serial line.
Enables compression.
Using the NRZI Line-Coding Format
The nonreturn-to-zero (NRZ) and nonreturn-to-zero inverted (NRZI) formats are supported on the Cisco 819 serial ports.
NRZ and NRZI are line-coding formats that are required for serial connections in some environments. NRZ encoding is most common. NRZI encoding is used primarily with EIA/TIA-232 connections in IBM environments.
The default configuration for all serial interfaces is NRZ format. The default is no nrzi-encoding.
To enable NRZI format, use one of the following commands in interface configuration mode.
SUMMARY STEPS
1. Do one of the following:
• nrzi-encoding
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
153
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
DETAILED STEPS
Step 1
Command or Action
Do one of the following:
• nrzi-encoding
Example:
Router(config-if)# nrzi-encoding
Router(config-if)# nrzi-encoding [mark]
Purpose
Enables NRZI encoding format.
Enables NRZI encoding format for router.
Enabling the Internal Clock
When a DTE does not return a transmit clock, use the following interface configuration command on the router to enable the internally generated clock on a serial interface:
SUMMARY STEPS
1. transmit-clock-internal
DETAILED STEPS
Step 1
Command or Action transmit-clock-internal
Example:
Router(config-if)# transmit-clock-internal
Purpose
Enables the internally generated clock on a serial interface.
Inverting the Transmit Clock Signal
Systems that use long cables or cables that are not transmitting the TxC signal (transmit echoed clock line, also known as TXCE or SCTE clock) can experience high error rates when operating at the higher transmission speeds. For example, if the interface on the PA-8T and PA-4T+ synchronous serial port adapters is reporting a high number of error packets, a phase shift might be the problem. Inverting the clock signal can correct this shift. To invert the clock signal, use the following commands in interface configuration mode.
SUMMARY STEPS
1. invert txclock
2. invert rxclock
154
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
DETAILED STEPS
Step 1
Step 2
Command or Action invert txclock
Example:
Router(config-if)# invert txclock invert rxclock
Example:
Router(config-if)# invert rxclock
Purpose
Inverts the clock signal on an interface.
Inverts the phase of the RX clock on the UIO serial interface, which does not use the T1/E1 interface.
Setting Transmit Delay
It is possible to send back-to-back data packets over serial interfaces faster than some hosts can receive them.
You can specify a minimum dead time after transmitting a packet to remove this condition. This setting is available for serial interfaces on the MCI and SCI interface cards and for the HSSI or MIP. Use one of the following commands, as appropriate for your system, in interface configuration mode.
Command
Router(config-if)# microseconds transmitter-delay
Purpose
Sets the transmit delay on the MCI and SCI synchronous serial interfaces.
Router(config-if)# transmitter-delay hdlc-flags
Sets the transmit delay on the HSSI or MIP.
Configuring DTR Signal Pulsing
You can configure pulsing Data Terminal Ready (DTR) signals on all serial interfaces. When the serial line protocol goes down (for example, because of loss of synchronization), the interface hardware is reset and the
DTR signal is held inactive for at least the specified interval. This function is useful for handling encrypting or other similar devices that use the toggling of the DTR signal to reset synchronization. To configure DTR signal pulsing, use the following command in interface configuration mode.
Command Purpose
Configures DTR signal pulsing.
Router(config-if)# pulse-time seconds
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
155
Configuring the Serial Interface
Configuring a Synchronous Serial Interface
Ignoring DCD and Monitoring DSR as Line Up/Down Indicator
By default, when the serial interface is operating in DTE mode, it monitors the Data Carrier Detect (DCD) signal as the line up/down indicator. By default, the attached DCE device sends the DCD signal. When the
DTE interface detects the DCD signal, it changes the state of the interface to up.
In some configurations, such as an SDLC multidrop environment, the DCE device sends the Data Set Ready
(DSR) signal instead of the DCD signal, which prevents the interface from coming up. To tell the interface to monitor the DSR signal instead of the DCD signal as the line up/down indicator, use the following command in interface configuration mode.
SUMMARY STEPS
1. ignore-dcd
DETAILED STEPS
Step 1
Command or Action ignore-dcd
Example:
Router(config-if)# ignore-dcd
Purpose
Configures the serial interface to monitor the DSR signal as the line up/down indicator.
What to Do Next
Caution Unless you know for certain that you really need this feature, be very careful using this command. It will hide the real status of the interface. The interface could actually be down and you will not know just by looking at show displays.
Specifying the Serial Network Interface Module Timing
On Cisco 819 series ISRs, you can specify the serial Network Interface Module timing signal configuration.
When the board is operating as a DCE and the DTE provides terminal timing (SCTE or TT), you can configure the DCE to use SCTE from the DTE. When running the line at high speeds and long distances, this strategy prevents phase shifting of the data with respect to the clock.
To configure the DCE to use SCTE from the DTE, use the following command in interface configuration mode.
SUMMARY STEPS
1. dce-terminal-timing enable
156
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces
DETAILED STEPS
Step 1
Command or Action dce-terminal-timing enable
Example:
Router(config-if)# dce-terminal-timing enable
Purpose
Configures the DCE to use SCTE from the DTE.
Specifying the Serial Network Interface Module Timing
When the board is operating as a DTE, you can invert the TXC clock signal it gets from the DCE that the
DTE uses to transmit data. Invert the clock signal if the DCE cannot receive SCTE from the DTE, the data is running at high speeds, and the transmission line is long. Again, this prevents phase shifting of the data with respect to the clock.
To configure the interface so that the router inverts the TXC clock signal, use the following command in interface configuration mode.
SUMMARY STEPS
1. dte-invert-txc
DETAILED STEPS
Step 1
Command or Action dte-invert-txc
Example:
Router(config-if)# dte-invert-txc
Purpose
Specifies timing configuration to invert TXC clock signal.
Configuring Low-Speed Serial Interfaces
This section describes how to configure low-speed serial interfaces and contains the following sections:
For configuration examples, see the
Examples for Low-Speed Serial Interface, on page 164
.
Half-Duplex DTE and DCE State Machines
The following sections describe the communication between half-duplex DTE transmit and receive state machines and half-duplex DCE transmit and receive state machines.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
157
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces
Half-Duplex DTE State Machines
As shown in the figure below, the half-duplex DTE transmit state machine for low-speed interfaces remains in the ready state when it is quiescent. When a frame is available for transmission, the state machine enters the transmit delay state and waits for a time period, which is defined by the half-duplex timer transmit-delay command. The default is 0 milliseconds. Transmission delays are used for debugging half-duplex links and assisting lower-speed receivers that cannot process back-to-back frames.
Figure 8: Half-Duplex DTE Transmit State Machine
After idling for a defined number of milliseconds (ms), the state machine asserts a request to send (RTS) signal and changes to the wait-clear-to-send (CTS) state for the DCE to assert CTS. A timeout timer with a value set by the half-duplex timer rts-timeout command starts. The default is 3 ms. If the timeout timer expires before CTS is asserted, the state machine returns to the ready state and deasserts RTS. If CTS is asserted before the timer expires, the state machine enters the transmit state and sends the frames.
Once there are no more frames to transmit, the state machine transitions to the wait transmit finish state. The machine waits for the transmit FIFO in the serial controller to empty, starts a delay timer with a value defined by the half-duplex timer rts-drop-delay interface command, and transitions to the wait RTS drop delay state.
When the timer in the wait RTS drop delay state expires, the state machine deasserts RTS and transitions to the wait CTS drop state. A timeout timer with a value set by the half-duplex timer cts-drop-timeout interface command starts, and the state machine waits for the CTS to deassert. The default is 250 ms. Once the CTS
158
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces signal is deasserted or the timeout timer expires, the state machine transitions back to the ready state. If the timer expires before CTS is deasserted, an error counter is incremented, which can be displayed by issuing the show controllers command for the serial interface in question.
As shown in the figure below, a half-duplex DTE receive state machine for low-speed interfaces idles and receives frames in the ready state. A giant frame is any frame whose size exceeds the maximum transmission unit (MTU). If the beginning of a giant frame is received, the state machine transitions to the in giant state and discards frame fragments until it receives the end of the giant frame. At this point, the state machine transitions back to the ready state and waits for the next frame to arrive.
Figure 9: Half-Duplex DTE Receive State Machine
An error counter is incremented upon receipt of the giant frames. To view the error counter, use the show
interfaces command for the serial interface in question.
Half-Duplex DCE State Machines
As shown in the figure below, for a low-speed serial interface in DCE mode, the half-duplex DCE transmit state machine idles in the ready state when it is quiescent. When a frame is available for transmission on the serial interface, such as when the output queues are no longer empty, the state machine starts a timer (based on the value of the half-duplex timer transmit-delay command, in milliseconds) and transitions to the transmit delay state. Similar to the DTE transmit state machine, the transmit delay state gives you the option of setting a delay between the transmission of frames; for example, this feature lets you compensate for a slow receiver that loses data when multiple frames are received in quick succession. The default transmit-delay
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
159
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces value is 0 ms; use the half-duplex timer transmit-delay interface configuration command to specify a delay value not equal to 0.
Figure 10: Half-Duplex DCE Transmit State Machine
After the transmit delay state, the next state depends on whether the interface is in constant-carrier mode (the default) or controlled-carrier mode.
If the interface is in constant-carrier mode, it passes through the following states:
1 The state machine passes to the transmit state when the transmit-delay timer expires. The state machine stays in the transmit state until there are no more frames to transmit.
2 When there are no more frames to transmit, the state machine passes to the wait transmit finish state, where it waits for the transmit FIFO to empty.
3 Once the FIFO empties, the DCE passes back to the ready state and waits for the next frame to appear in the output queue.
If the interface is in controlled-carrier mode, the interface performs a handshake using the data carrier detect
(DCD) signal. In this mode, DCD is deasserted when the interface is idle and has nothing to transmit. The transmit state machine transitions through the states as follows:
1 After the transmit-delay timer expires, the DCE asserts DCD and transitions to the DCD-txstart delay state to ensure a time delay between the assertion of DCD and the start of transmission. A timer is started based on the value specified using the dcd-txstart-delay command. (This timer has a default value of 100 ms; use the half-duplex timer dcd-txstart-delay interface configuration command to specify a delay value.)
2 When this delay timer expires, the state machine transitions to the transmit state and transmits frames until there are no more frames to transmit.
160
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces
3 After the DCE transmits the last frame, it transitions to the wait transmit finish state, where it waits for transmit FIFO to empty and the last frame to transmit to the wire. Then DCE starts a delay timer by specifying the value using the dcd-drop-delay command. (This timer has the default value of 100 ms; use the half-duplex timer dcd-drop-delay interface configuration command to specify a delay value.)
4 The DCE transitions to the wait DCD drop delay state. This state causes a time delay between the transmission of the last frame and the deassertion of DCD in the controlled-carrier mode for DCE transmits.
5 When the timer expires, the DCE deasserts DCD and transitions back to the ready state and stays there until there is a frame to transmit on that interface.
As shown in the figure below, the half-duplex DCE receive state machine idles in the ready state when it is quiescent. It transitions out of this state when the DTE asserts RTS. In response, the DCE starts a timer based on the value specified using the cts-delay command. This timer delays the assertion of CTS because some
DTE interfaces expect this delay. (The default value of this timer is 0 ms; use the half-duplex timer cts-delay interface configuration command to specify a delay value.)
Figure 11: Half-Duplex DCE Receive State Machine
When the timer expires, the DCE state machine asserts CTS and transitions to the receive state. It stays in the receive state until there is a frame to receive. If the beginning of a giant frame is received, it transitions to the in giant state and keeps discarding all the fragments of the giant frame and transitions back to the receive state.
Transitions back to the ready state occur when RTS is deasserted by the DTE. The response of the DCE to the deassertion of RTS is to deassert CTS and go back to the ready state.
Placing a Low-Speed Serial Interface in Constant-Carrier Mode
To return a low-speed serial interface to constant-carrier mode from controlled-carrier mode, use the following command in interface configuration mode.
SUMMARY STEPS
1. no half-duplex controlled-carrier
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
161
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces
DETAILED STEPS
Step 1
Command or Action no half-duplex controlled-carrier
Example:
Router(config-if)# no half-duplex controlled-carrier
Purpose
Places a low-speed serial interface in constant-carrier mode.
Tuning Half-Duplex Timers
To optimize the performance of half-duplex timers, use the following command in interface configuration mode.
Command Purpose
Router(config-if)#
value | half-duplex timer { cts-delay cts-drop-timeout value
| dcd-drop-delay
value | dcd-txstart-delay value
Tunes half-duplex timers.
| rts-drop-delay value
| rts-timeout
value | transmit-delay value
}
The timer tuning commands permit you to adjust the timing of the half-duplex state machines to suit the particular needs of their half-duplex installation.
Note that the half-duplex timer command and its options replaces the following two timer tuning commands that are available only on high-speed serial interfaces:
• sdlc cts-delay
• sdlc rts-timeout
Changing Between Synchronous and Asynchronous Modes
To specify the mode of a low-speed serial interface as either synchronous or asynchronous, use the following command in interface configuration mode.
SUMMARY STEPS
1. physical-layer {sync | async}
162
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Configuring Low-Speed Serial Interfaces
DETAILED STEPS
Step 1
Command or Action physical-layer {sync | async}
Example:
Router(config-if)# physical-layer sync
Purpose
Specifies the mode of a low-speed interface as either synchronous or asynchronous.
Changing Between Synchronous and Asynchronous Modes
This command applies only to low-speed serial interfaces available on Cisco 2520 through Cisco 2523 routers.
Note When you make a transition from asynchronous mode to synchronous mode in serial interfaces, the interface state becomes down by default. You should then use the no shutdown option to bring the interface up.
In synchronous mode, low-speed serial interfaces support all interface configuration commands available for high-speed serial interfaces, except the following two commands:
• sdlc cts-delay
• sdlc rts-timeout
When placed in asynchronous mode, low-speed serial interfaces support all commands available for standard asynchronous interfaces. The default is synchronous mode.
Note When you use this command, it does not appear in the output of the show running-config and show
startup-config commands because the command is a physical-layer command.
To return to the default mode (synchronous) of a low-speed serial interface on a Cisco 2520 through Cisco
2523 router, use the following command in interface configuration mode.
SUMMARY STEPS
1. no physical-layer
DETAILED STEPS
Step 1
Command or Action no physical-layer
Example:
Router(config-if)# no physical-layer
Purpose
Returns the interface to its default mode, which is synchronous.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
163
Configuring the Serial Interface
Examples for Interface Enablement Configuration
Examples for Interface Enablement Configuration
The following example illustrates how to begin interface configuration on a serial interface. It assigns PPP encapsulation to serial interface 0.
interface serial 0 encapsulation ppp
The same example on the router, assigning PPP encapsulation to port 0 in slot 1, requires the following commands: interface serial 1/0 encapsulation ppp
The following example shows how to configure the access server so that it will use the default address pool on all interfaces except interface 7, on which it will use an address pool called lass: ip address-pool local ip local-pool lass 172.30.0.1
async interface interface 7 peer default ip address lass
Examples for Low-Speed Serial Interface
The section includes the following configuration examples for low-speed serial interfaces:
Examples for Synchronous or Asynchronous Mode
The following example shows how to change a low-speed serial interface from synchronous to asynchronous mode: interface serial 2 physical-layer async
The following examples show how to change a low-speed serial interface from asynchronous mode back to its default synchronous mode: interface serial 2 physical-layer sync or interface serial 2 no physical-layer
The following example shows some typical asynchronous interface configuration commands: interface serial 2 physical-layer async ip address 10.0.0.2 255.0.0.0
async default ip address 10.0.0.1
async mode dedicated async default routing
164
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring the Serial Interface
Examples for Low-Speed Serial Interface
The following example shows some typical synchronous serial interface configuration commands available when the interface is in synchronous mode: interface serial 2 physical-layer sync ip address 10.0.0.2 255.0.0.0
no keepalive ignore-dcd nrzi-encoding no shutdown
Example for Half-Duplex Timers
The following example shows how to set the cts-delay timer to 1234 ms and the transmit-delay timer to 50 ms: interface serial 2 half-duplex timer cts-delay 1234 half-duplex timer transmit-delay 50
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
165
Examples for Low-Speed Serial Interface
Configuring the Serial Interface
166
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
10
Configuring Wireless Devices
This chapter describes the procedures for initial configuration of the wireless device, radio settings, WLAN, and administration of the wireless devices. This chapter contains the following sub-sections:
•
Wireless Device Overview, page 167
•
Basic Wireless Configuration for Cisco 800 Series ISR, page 174
•
Configuring Radio Settings, page 186
•
•
Administering the Wireless Device, page 259
Wireless Device Overview
Wireless devices (commonly configured as access points ) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. When configured as an access point, the wireless device serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. In large installations, wireless users within radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.
With a management system based on Cisco IOS software, wireless devices are Wi-Fi CERTIFIED ™ ,
802.11a-compliant, 802.11b-compliant, 802.11g-compliant, and 802.11n-compliant wireless LAN transceivers.
Software Modes for Wireless Devices
The access point is shipped with an autonomous image and recovery image on the access point’s flash. The default mode is autonomous; however, the access point can be upgraded to operate in Cisco Unified Wireless mode.
Each mode is described below:
• Autonomous mode—supports standalone network configurations, where all configuration settings are maintained locally on the wireless device. Each autonomous device can load its starting configuration independently, and still operate in a cohesive fashion on the network.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
167 OL-31704-02
Configuring Wireless Devices
Management Options for Wirelss Device
• Cisco Unified Wireless mode—operates in conjunction with a Cisco Unified Wireless LAN controller, where all configuration information is maintained within the controller. In the Cisco Unified Wireless
LAN architecture, wireless devices operate in the lightweight mode using Leightweight Access Point
Protocol (LWAPP), (as opposed to autonomous mode). The lightweight access point, or wireless device, has no configuration until it associates to a controller. The configuration on the wireless device can be modified by the controller only when the networking is up and running. The controller manages the wireless device configuration, firmware, and control transactions such as 802.1x authentication. All wireless traffic is tunneled through the controller.
For more information about Cisco Unified Wireless mode, see http://www.cisco.com/en/US/prod/collateral/ wireless/ps5679/ps6548/prod_white_paper0900aecd804f19e3_ps6305_Products_White_Paper.html
.
Management Options for Wirelss Device
The wireless device runs its own version of Cisco IOS software that is separate from the Cisco IOS software operating on the router. You can configure and monitor the access point with several different tools:
• Cisco IOS software CLI
• Simple Network Management Protocol (SNMP)
• Web-browser Interface
Note Avoid using the CLI and the web-browser tools concurrently. If you configure the wireless device using the CLI, the web-browser interface may display an inaccurate interpretation of the configuration.
Use the interface dot11radio command from global configuration mode to place the wireless device into the radio configuration mode. Network Configuration Examples
Set up the access point role in any of these common wireless network configurations. The access point default configuration is as a root unit connected to a wired LAN or as the central unit in an all-wireless network.
Access points can also be configured as bridges and workgroup bridges. These roles require specific configurations, as defined in the following examples.
Root Access Point
An access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point. The roaming process is seamless and transparent
168
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Management Options for Wirelss Device to the user.
Figure 12: Access Points as Root Units on a Wired LAN, on page 169
shows access points acting as root units on a wired LAN.
Figure 12: Access Points as Root Units on a Wired LAN
Central Unit in an All-Wireless Network
In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
169
Cisco ScanSafe
Configuring Wireless Devices communications, increasing the communication range of wireless users.
Figure 13: Access Point as Central
Unit in All-Wireless Network, on page 170
shows an access point in an all-wireless network.
Figure 13: Access Point as Central Unit in All-Wireless Network
Cisco ScanSafe
The Cisco Integrated Services Router G2 (ISR G2) family delivers numerous security services, including firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR Web
Security with Cisco ScanSafe for a web security and web filtering solution that requires no additional hardware or client software.
Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic to the cloud to enforce granular security and acceptable use policies over user web traffic. With this solution, you can deploy market-leading web security quickly and can easily protect branch office users from web-based threats, such as viruses, while saving bandwidth, money, and resources.
For more information, see Cisco ISR Web Security with Cisco ScanSafe Solution Guide.
170
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
TFTP support with Ethernet WAN interface
TFTP support with Ethernet WAN interface
Trivial File Transfer Protocol (TFTP) is a file transfer protocol notable for its simplicity. It is generally used for automated transfer of configuration or boot files between machines in a local environment.
The Cisco 819H ISR supports TFTP with Ethernet WAN interface that supports data transfer rate of 10 Mbps.
For more information, see
Using the TFTP Download Command
.
Note This feature is supported in all Cisco 819 ISRs that have ROMMON version 15.2(2r)T and above.
Note TFTP download using switch port is supported in Cisco 819HGW SKUs only.
LEDs for Cisco 819 Series ISRs
The LED is located on the front panel of the router.
Table 21: 3G LED Descriptions for Cisco 819 Series
describes the 3G LED for the Cisco 819 ISR.
Table 21: 3G LED Descriptions for Cisco 819 Series ISRs
LED
SYS
ACT
Color
Yellow
Green (blinking)
Description
FPGA download is complete.
ROMMON is operational.
Green (solid) IOS is operational.
Green (four blinks during bootup) Reset button has been pushed during the bootup.
Off After powering up, when FPGA is being downloaded (in ROMMON).
Green
Off
Network activity on FE Switch ports, GE WAN port, 3G cellular interface, and serial interfaces.
No network activity.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
171
LEDs for Cisco 819 Series ISRs
LED
WWAN
GPS
RSSI
Configuring Wireless Devices
Color
Green
Green (slow blinking)
Green (fast blinking)
Description
Module is powered on and connected but not transmitting or receiving.
Module is powered on and searching for connection.
Module is transmitting or receiving.
Module is not powered.
Standalone GPS.
Off
Green (solid)
Green (slow blinking)
Yellow (solid)
Yellow (slow blinking)
Off
GPS is acquiring.
Assisted GPS.
Assisted GPS is acquiring.
GPS is not configured.
Green (solid) Signal > –60
Very strong signal
Green (four blinks and then a long pause)
Signal <= –60 to 74
Strong signal
Green (two blinks and then a long pause)
Signal <= –75 to –89
Fair signal
Green (one blink and then a long pause)
Signal <= –90 to –109
Marginal signal
Off Signal <= –110
Unusable signal
172
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
LEDs for Cisco 819 Series ISRs
LED
SIM
3G
,
Color
Green / Yellow (one green blink followed by two yellow blinks)
Description
SIM in slot 0 active, SIM in slot 1 is not.
Yellow / Green (one yellow blink followed by two greenblinks)
SIM in slot 1 active, SIM in slot 0 is not.
Off / Green (two green blinks and then pause)
No SIM in slot 0, SIM present in slot 1.
Green / Off (Slow single green blink and then pause)
Off / Off
SIM present in slot0, no SIM in slot 1.
No SIM present in either slots.
One blink green and then pause
Two blink green and then pause
For 1xRTT, EGPRS, GPRS service.
For EVDO, EVDO/1xRTT,
UMTS.
Three blink green and then pause For EVDO/1xRTT RevA, HSPA,
HSUPA/HSDPA.
Green (solid) For HSPA PLUS.
7 Not applicable to Verizon and Sprint EVDO modems.
8 There is only one LED to indicate the status two SIMs. A one-blink pattern represents the status of the SIM in slot 0, followed by a two-blink pattern for the
SIM in slot 1.
Use the following show commands to check the LED status for your router:
• show platform led (for all LEDs)
• show controller cellular 0 (for 3G LEDs)
The following is a sample output from the show platform led command and shows the LED status:
Router# show platform led
LED STATUS:
==========
LEDS :
STATUS:
SYSTEM
GREEN
WWAN
GREEN
RSSI GPS
GREEN(2 BLINK) OFF
LEDS : ACTIVITY SIM(slot0 / slot1)
STATUS: OFF GREEN / YELLOW
LAN PORTS : FE0 FE1 FE2 FE3
3G
GREEN
LINK/ENABLE LED : OFF
SPEED LED : Unknown
OFF
Unknown
OFF
Unknown
OFF
Unknown
PORT : GE-WAN0
LINK/ENABLE LED : OFF
SPEED LED : Unknown
The following is a sample output from the show controllers cellular command showing the 3G LED status:
Router# show controllers cellular 0
Interface Cellular0
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
173
Configuring Wireless Devices
Basic Wireless Configuration for Cisco 800 Series ISR
3G Modem-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS Global and GPS,
Cellular modem configuration:
---------------------------
GSM-Carrier Type : Cellular GSM Global.
SKU (PRI) Value: 9900198 .
Modem is recognized as valid manufacture id: 0x00001199 product id: 0x000068A3
Sierra Wireless Mini Card MC8705 HSPA+R7 modem.
Cellular Dual SIM details:
---------------------------
SIM 0 is present
SIM 0 is active SIM
Modem Management Statistics
---------------------------
Modem resets = 2
Last known modem state = 'application' mode
Packets sent = 2508, Packets received = 44621, Packets pending = 0
DIP MDM link status retry count = 0 pdp context = 0
DIP MDM link up pending = 0 pdp context = 0
IDB Cellular0: DIP profile id = 255
RSSI LED : 3-blink Green
Service LED : 3-blink Green
SIM LED : Slot0 - Green;
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Slot1 - Off <<<<<<<<<<<<<<<<<<<<<<<
GPS LED : Off <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
GPS NMEA port = Disabled (Stream OFF)
DM port = Disabled
:
:
:
B
Basic Wireless Configuration for Cisco 800 Series ISR
This module describes how to configure the autonomous wireless device on the following Cisco Integrated
Services Routers (ISRs):
• Cisco 860 Series
• Cisco 880 Series
• Cisco 890 Series
• Cisco 810 Series
Note To upgrade the autonomous software to Cisco Unified software on the embedded wireless device, see the
Upgrading to Cisco Unified Software, on page 182
for instructions.
The wireless device is embedded and does not have an external console port for connections. To configure the wireless device, use a console cable to connect a personal computer to the host router’s console port, and perform these procedures to establish connectivity and configure the wireless settings.
Starting a Wireless Configuration Session
Note Before you configure the wireless settings in the router’s setup, you must follow these steps to open a session between the router and the access point.
174
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Starting a Wireless Configuration Session
Enter the following commands in global configuration mode on the router’s Cisco IOS command-line interface
(CLI).
SUMMARY STEPS
1. interface wlan-ap0
2. ip address subnet mask
3. no shut
4. interface vlan1
5. ip address subnet mask
6. exit
7. exit
8. service-module wlan-ap 0 session
DETAILED STEPS
Step 1
Command or Action interface wlan-ap0
Example:
Router(config)# interface wlan-ap0
Purpose
Defines the router’s console interface to the wireless device.
• The interface is used for communication between the router’s console and the wireless device.
Note Always use port
0.
• The following message appears:
Step 2
Step 3
Step 4
The wlan-ap 0 interface is used for managing the embedded
AP. Please use the service-module wlan-ap 0 session command to console into the embedded AP.
ip address subnet mask
Example:
Router(config-if)# ip address 10.21.0.20
255.255.255.0
Specifies the interface IP address and subnet mask.
Note The IP address can be shared with the IP address assigned to the Cisco Integrated Services Router by using the ip unnumbered vlan1 command.
no shut Specifies that the internal interface connection will remain open.
Example:
Router(config-if)# no shut interface vlan1
Example:
Router(config-if)# interface vlan1
Specifies the virtual LAN interface for data communication on the internal Gigabit Ethernet 0 (GE0) port to other interfaces.
• All the switch ports inherit the default vlan1 interface on the
Cisco 860 Series, Cisco 880 Series, and Cisco 890 Series ISRs.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
175
Configuring Wireless Devices
Starting a Wireless Configuration Session
Step 5
Step 6
Step 7
Step 8
Command or Action
ip address subnet mask
Example:
Router(config)# exit
Purpose
Specifies the interface IP address and subnet mask.
Example:
Router(config-if)# ip address 10.10.0.30
255.255.255.0
exit Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-if)# exit
Exits the global configuration mode.
Example:
Router(config)# exit service-module wlan-ap 0 session
Example:
Router# service-module wlan-ap0 session
Trying 10.21.0.20, 2002 ... Open ap>
Opens the connection between the wireless device and the router’s console.
What to Do Next
Tip To create a Cisco IOS software alias for the console to session into the wireless device, enter the alias
exec dot11radio service-module wlan-ap 0 session command at the EXEC prompt. After entering this command, you utomatically skip to the dot11 radio level in the Cisco IOS software.
Closing the Session
To close the session between the wireless device and the router’s console, use control+shift+6 and x on the wireless device and enter disconnect command on the router and then press enter two times on the router.
176
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring Wireless Settings
Configuring Wireless Settings
Note If you are configuring the wireless device for the first time, you must start a configuration session between the access point and the router before you attempt to configure the basic wireless settings. See the
Starting a Wireless Configuration Session , on page 174
.
Configure the wireless device with either of the following tools, depending on the software you are using:
•
Cisco IOS Command Line Interface, on page 177
—Autonomous software
• Cisco Express Setup —Unified Software
Note To upgrade to Unified mode from the Autonomous mode, see
Upgrading to Cisco Unified Software, on
page 182 for upgrade instructions. After upgrading to Cisco Unified Wireless software, use the web-browser tool to configure the device: http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/ scg12410b-chap2-gui.html
Cisco Express Setup
To configure the Unified wireless device, use the web-browser tool and perform these steps
1 Establish a console connection to the wireless device and get the Bridge-Group Virtual Interface (BVI)
IP address by entering the show interface bvi1 Cisco IOS command.
2 Open a browser window, and enter the BVI IP address in the browser-window address line. Press Enter.
An Enter Network Password window appears.
3 Enter your username. Cisco is the default user name.
4 Enter the wireless device password. Cisco is the default password. The Summary Status page appears. For details about using the web-browser configuration page, see the following URL: http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/ scg12410b-chap4-first.html#wp1103336
Cisco IOS Command Line Interface
To configure the Autonomous wireless device, use the Cisco IOS CLI tool and perform these tasks:
Configuring the Radio
Configure the radio parameters on the wireless device to transmit signals in autonomous or Cisco Unified mode. For specific configuration procedures, see
Configuring Radio Settings, on page 186
.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
177
Configuring Wireless Devices
Cisco IOS Command Line Interface
Configuring Wireless Security Settings
This section includes the following configuration tasks:
Configuring Authentication
Authentication types are tied to the Service Set Identifiers (SSIDs) that are configured for the access point.
To serve different types of client devices with the same access point, configure multiple SSIDs.
Before a wireless client device can communicate on your network through the access point, the client device must authenticate to the access point by using open or shared-key authentication. For maximum security, client devices should also authenticate to your network using MAC address or Extensible Authentication
Protocol (EAP) authentication. Both authentication types rely on an authentication server on your network.
To select an authentication type, see Authentication Types for Wireless Devices at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityAuthentication Types.html.
To set up a maximum security environment, see RADIUS and TACACS+ Servers in a Wireless Environment at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityRadiusTacacs_1.html
To provide local authentication service or backup authentication service for a WAN link failure or a server failure, you can configure an access point to act as a local authentication server. The access point can authenticate up to 50 wireless client devices using Lightweight Extensible Authentication Protocol (LEAP),
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), or MAC-based authentication. The access point performs up to five authentications per second.
Configure the local authenticator access point manually with client usernames and passwords because it does not synchronize its database with RADIUS servers. You can specify a VLAN and a list of SSIDs that a client is allowed to use.
For details about setting up the wireless device in this role, see Using the Access Point as a Local Authenticator at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityLocalAuthent.html
Configuring WEP and Cipher Suites
Wired Equivalent Privacy (WEP) encryption scrambles the data transmitted between wireless devices to keep the communication private. Wireless devices and their wireless client devices use the same WEP key to encrypt and decrypt data. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to one device on the network. Multicast messages are addressed to multiple devices on the network.
Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized
Key Management (CCKM).
Cipher suites that contain Temporal Key Integrity Protocol (TKIP) provide the greatest security for your wireless LAN. Cipher suites that contain only WEP are the least secure.
For encryption procedures, see Configuring WEP and Cipher Suites at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/SecurityCipherSuitesWEP.html
178
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Cisco IOS Command Line Interface
Configuring Wireless VLANs and Assigning SSIDs
If you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs by using any of the four security settings defined in the
Table 22: Types of SSID Security , on page 179
. A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), that are connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment, such as LAN switches that operate bridging protocols between them with a separate group of protocols for each
VLAN.
For more information about wireless VLAN architecture, see Configuring Wireless VLANs at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/wireless_vlans.html
Note If you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because the encryption settings and authentication types are linked on the Express Security page.
You can configure up to 16 SSIDs on a wireless device in the role of an access point, and you can configure a unique set of parameters for each SSID. For example, you might use one SSID to allow guests limited access to the network and another SSID to allow authorized users access to secure data.
For more about creating multiple SSIDs, see Service Set Identifiers at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/ServiceSetID.html
.
Note Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface. For example, when you create an
SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because the SSIDs use different encryption settings. If the security setting for an SSID conflicts with the settings for another SSID, delete one or more SSIDs to eliminate the conflict.
Security Types
Table 22: Types of SSID Security , on page 179
describes the four security types that you can assign to an
SSID.
Table 22: Types of SSID Security
Security Type
No security
Description Security Features Enabled
This is the least secure option. You should use this option only for SSIDs in a public space, and you should assign it to a VLAN that restricts access to your network.
None.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
179
Configuring Wireless Devices
Cisco IOS Command Line Interface
Security Type
Static WEP key
EAP
authentication
Description Security Features Enabled
This option is more secure than no security.
However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the wireless device based on MAC address, see Cipher Suites and WEP at: http:// www.cisco.com/en/US/docs/routers/access/ wireless/software/guide/
SecurityCipherSuitesWEP.html
. Or
Mandatory WEP. Client devices cannot associate using this SSID without a WEP key that matches the wireless device key.
If your network does not have a RADIUS server, consider using an access point as a local authentication server. See Using the
Access Point as a Local Authenticator for instructions: http://www.cisco.com/en/US/ docs/routers/access/wireless/software/ guide/SecurityLocalAuthent.html
.
This option enables 802.1X authentication
(such as LEAP
, PEAP
, EAP-TLS
,
EAP-FAST
, EAP-TTLS
, EAP-GTC
,
EAP-SIM
, and other 802.1X/EAP-based products)
This setting uses mandatory encryption,
WEP, open authentication plus EAP, network EAP authentication, no key management, and RADIUS server authentication port 1645.
You are required to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1X
authentication provides dynamic encryption keys, you do not need to enter a WEP key.
Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.
If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST,
AUTH OPEN with EAP should also be configured.
180
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring the Access Point in Hot Standby Mode
Security Type
WPA
Description Security Features Enabled
This option permits wireless access to users who are authenticated against a database.
Access is through the services of an authentication server. User IP traffic is then encrypted with stronger algorithms than those used in WEP.
This setting uses encryption ciphers,
TKIP
, open authentication plus EAP, network EAP authentication, key management WPA mandatory, and
RADIUS server authentication port 1645.
Mandatory WPA authentication. Client devices that associate using this SSID must be WPA capable.
If radio clients are configured to authenticate using EAP-FAST, open authentication with EAP should also be configured. If you do not configure open authentication with EAP, the following warning message appears:
As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network
(server authentication port 1645).
SSID CONFIG WARNING: [SSID]: If radio clients are using EAP-FAST,
AUTH OPEN with EAP should also be configured.
9 EAP = Extensible Authentication Protocol.
10 LEAP = Lightweight Extensible Authentication Protocol.
11 PEAP = Protected Extensible Authentication Protocol.
12 EAP-TLS = Extensible Authentication Protocol—Transport Layer Security.
13 EAP-FAST = Extensible Authentication Protocol—Flexible Authentication via Secure Tunneling.
14 EAP-TTLS = Extensible Authentication Protocol—Tunneled Transport Layer Security.
15 EAP-GTC = Extensible Authentication Protocol—Generic Token Card.
16 EAP-SIM = Extensible Authentication Protocol—Subscriber Identity Module.
17 WPA = Wi-Fi Protected Access.
18 TKIP = Temporal Key Integrity Protocol.
Configuring Wireless Quality of Service
Configuring Quality of Service (QoS) can provide preferential treatment to certain traffic at the expense of other traffic. Without QoS, the device offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput. To configure
QoS for your wireless device, see Quality of Service in a Wireless Environment at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/QualityOfService.html.
Configuring the Access Point in Hot Standby Mode
In hot standby mode, an access point is designated as a backup for another access point. The standby access point is placed near the access point that it monitors and is configured exactly like the monitored access point.
The standby access point associates with the monitored access point as a client and sends Internet Access
Point Protocol (IAPP) queries to the monitored access point through the Ethernet and radio ports. If the monitored access point fails to respond, the standby access point comes online and takes the monitored access point’s place in the network.
Except for the IP address, the standby access point’s settings should be identical to the settings on the monitored access point. If the monitored access point goes off line and the standby access point takes its place in the
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
181
Configuring Wireless Devices
Upgrading to Cisco Unified Software network, matching settings ensure that client devices can switch easily to the standby access point. For more information, see Hot Standby Access Points at: http://www.cisco.com/en/US/docs/routers/access/wireless/software/guide/RolesHotStandby.html.
Upgrading to Cisco Unified Software
To run the access point in Cisco Unified mode, upgrade the software by performing the following procedures:
Software Prerequisites
• Cisco 890 Series ISRs with embedded access points can be upgraded from autonomous software to
Cisco Unified software, if the router is running the IP Base feature set and Cisco IOS 12.4(22)YB software.
• Cisco 880 Series ISRs with embedded access points can be upgraded from autonomous software to
Cisco Unified software, if the router is running the advipservices feature set and Cisco IOS 12.4(20)T software.
• To use the embedded access point in a Cisco Unified Architecture, the Cisco Wireless LAN Configuration
(WLC) must be running version 5.1 or later.
Preparing for the Upgrade
Perform the tasks in the following sections to prepare for the upgrade:
Secure an IP Address on the Access Point
Secure an IP address on the access point so it that can communicate with the WLC and download the Unified image upon boot up. The host router provides the access point DHCP server functionality through the DHCP pool. The access point then communicates with the WLC and setup option 43 for the controller IP address in the DHCP pool configuration.
Example Configuration: Secure an IP Address on the Access Point
The following example shows a sample configuration: ip dhcp pool embedded-ap-pool network 60.0.0.0 255.255.255.0
dns-server 171.70.168.183
default-router 60.0.0.1
option 43 hex f104.0a0a.0a0f
(single WLC IP address(10.10.10.15) in hex format) int vlan1 ip address 60.0.0.1 255.255.255.0
For more information about the WLC discovery process, see Cisco Wireless LAN Configuration Guide at: http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/ccfig40.html
Confirm that the Mode Setting is Enabled
To confirm that the mode setting is enabled, perform the following steps.
182
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Performing the Upgrade
1 Ping the WLC from the router to confirm IP connectivity.
2 Enter the service-module wlan-ap 0 session command to establish a session into the access point.
3 Confirm that the access point is running an autonomous boot image.
4 Enter the show boot command on the access point to confirm that the mode setting is enabled.
Autonomous-AP# show boot
BOOT path-list: flash:ap801-k9w7-mx.124-10b.JA3/ap801-k9w7-mx.124-10b.JA3
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break:
Manual Boot:
HELPER path-list:
NVRAM/Config file yes yes buffer size: 32768
Mode Button: on
Performing the Upgrade
To upgrade the autonomous software to Cisco Unified software, follow these steps:
1 To change the access point boot image to a Cisco Unified upgrade image (also known as a recovery image
), use the service-module wlan-ap 0 bootimage unified command, in global configuration mode.
Router# conf terminal
Router(config)# service-module wlan-ap 0 bootimage unified
Router(config)# end
Note If the service-module wlan-ap 0 bootimage unified command does not work successfully, check whether the software license is still eligible.
Note To identify the access point’s boot image path, use the show boot command in privileged EXEC mode on the access point console.
2 To perform a graceful shutdown and reboot of the access point to complete the upgrade process, use the
service-module wlan-ap 0 reload command in global configuration mode. Establish a session into the access point, and monitor the upgrade process.
Note See the Cisco Express Setup for details about using the GUI configuration page to set up the wireless device settings.
Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode
If the access point fails to upgrade from autonomous to Unified software, perform the following actions:
• Check to ensure the autonomous access point does not have the static IP address configured on the BVI interface before you boot the recovery image.
• Ping between the router/access point and the WLC to confirm communication.
• Check that the access point and WLC clock (time and date) are set correctly.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
183
Configuring Wireless Devices
Downgrading the Software on the Access Point
The access point may attempt to boot and fail or may become stuck in the recovery mode and fail to upgrade to the Unified software. If either one of this occurs, use the service-module wlan-ap0 reset bootloader command to return the access point to the bootloader for manual image recovery.
Downgrading the Software on the Access Point
To reset the access point boot to the last autonomous image, use the service-module wlan-ap0 bootimage
autonomous command in global configuration mode. To reload the access point with the autonomous software image, use the service-module wlan-ap 0 reload command.
Recovering Software on the Access Point
To recover the image on the access point, use the service-module wlan-ap0 reset bootloader command in global configuration mode. This command returns the access point to the bootloader for manual image recovery.
Caution Use this command with caution. It does not provide an orderly shutdown and consequently may impact file operations that are in progress. Use this command only to recover from a shutdown or a failed state.
Related Documentation
See the following documentation for additional autonomous and unified configuration procedures:
Table 23: Autonomous Cisco Documentation
Topic
Wireless Overview
Configuring the Radio
Authentication Types for Wireless Devices
RADIUS and TACACS+ Servers in a Wireless Environment
Links
Wireless Device Overview, on page 167
Configuring Radio Settings, on page 186
This document describes the authentication types that are configured on the access point.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/SecurityAuthenticationTypes.html
This document describes how to enable and configure the
RADIUS and TACACS+ and provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA
and can be enabled only through AAA commands.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/SecurityRadiusTacacs_1.html
184
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Topic
Using the Access Point as a Local Authenticator
Cipher Suites and WEP
Hot Standby Access Points
Configuring Wireless VLANs
Service Set Identifiers
Administering the Access Point
Quality of Service
Related Documentation
Links
This document describes how to use a wireless device in the role of an access point as a local authenticator, serving as a standalone authenticator for a small wireless LAN, or providing backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/SecurityLocalAuthent.html
This document describes how to configure the cipher suites required for using WPA and CCKM
; WEP; and WEP features including AES
, MIC
, TKIP, and broadcast key rotation.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/SecurityCipherSuitesWEP.html
This document describes how to configure your wireless device as a hot standby unit.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/RolesHotStandby.html
This document describes how to configure an access point to operate with the VLANs set up on a wired LAN.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/wireless_vlans.html
In the role of an access point, a wireless device can support up to 16 SSIDs. This document describes how to configure and manage SSIDs on the wireless device.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/ServiceSetID.html
Administering the Wireless Device, on page 259
This document describes how to configure QoS on your Cisco wireless interface. With this feature, you can provide preferential treatment to certain traffic at the expense of other traffic. Without
QoS, the device offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/QualityOfService.html
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
185
Configuring Wireless Devices
Configuring Radio Settings
Topic
Regulatory Domains and Channels
System Message Logging
Links
This document lists the radio channels supported by Cisco access products in the regulatory domains of the world.
http://www.cisco.com/en/US/customer/docs/routers/access/ wireless/software/guide/RadioChannelFrequencies.html
This document describes how to configure system message logging on your wireless device.
http://www.cisco.com/en/US/docs/routers/access/wireless/ software/guide/SysMsgLogging.html
19 AAA = Authentication, Authorization, and Accounting.
20 CCKM = Cisco Centralized Key Management.
21 AES = Advanced Encryption Standard.
22 MIC = Message Integrity Check.
Table 24: Cisco Unified Documentation
Network Design
Why Migrate to the Cisco Unified Wireless Network?
Wireless LAN Controller (WLC) FAQ
Links http://www.cisco.com/en/US/solutions/ns175/networking_ solutions_products_genericcontent0900aecd805299ff.html
http://www.cisco.com/en/US/products/ps6366/products_qanda_ item09186a008064a991.shtml
Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, versions 12.4(10b) JA and 12.3(8) JEC http://www.cisco.com/en/US/docs/wireless/access_point/
12.4_10b_JA/command/reference/cr2410b.html
Cisco Aironet 1240AG Access Point Support Documentation http://www.cisco.com/en/US/docs/wireless/access_point/1240/ quick/guide/ap1240qs.html
Cisco 4400 Series Wireless LAN Controllers Support
Documentation http://www.cisco.com/en/US/products/ps6366/tsd_products_ support_series_home.html
Configuring Radio Settings
This section describes how to configure radio settings for the wireless device and includes the following sub sections:
Enabling the Radio Interface
The wireless device radios are disabled by default.
186
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Wireless Device Roles in a Radio Network
Note You must create a service set identifier (SSID) before you can enable the radio interface.
To enable the access point radio, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. dot11 ssid ssid
3. interface dot11radio {0}
4. ssid ssid
5. no shutdown
6. end
7. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Command or Action configure terminal
dot11 ssid ssid interface dot11radio {0}
ssid ssid
Purpose
Enters global configuration mode.
Enters the SSID.
Note The SSID consists of up to 32 alphanumeric characters. SSIDs are case sensitive.
Enters interface configuration mode for the radio interface.
The 2.4-GHz and 802.11g/n 2.4-GHz radios are radio 0.
Assigns the SSID that you created in Step 2 to the appropriate radio interface.
no shutdown end
Enables the radio port.
Note Use the shutdown command to disable the radio port.
Returns to privileged EXEC mode.
copy running-config startup-config (Optional) Saves your entries in the configuration file.
Wireless Device Roles in a Radio Network
The wirless device radio performs the following roles in the wireless network:
• Access point
• Access point (fallback to radioP shutdown)
• Root bridge
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
187
Configuring Wireless Devices
Wireless Device Roles in a Radio Network
• Non-root bridge
• Root bridge with wireless clients
• Non-root bridge without wireless clients
You can also configure a fallback role for root access points. The wireless device automatically assumes the fallback role when its Ethernet port is disabled or disconnected from the wired LAN. The default fallback role for Cisco ISR wireless devices is shutdown, that is the wireless device shuts down its radio and disassociates all client devices.
Configuring the Wireless Device Roles in a Radio Network
To set the wireless device’s radio network role and fallback role, follow these steps, beginning in privileged
EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. station-role non-root {bridge | wireless-clients} root {access-point | ap-only | [bridge | wireless-clients]
| [fallback | repeater | shutdown]} workgroup-bridge {multicast | mode { client | infrastructure} |
universal Ethernet-client-MAC-address }
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal interface dot11radio {0} station-role non-root {bridge | wireless-clients} root {access-point | ap-only | [bridge | wireless-clients] |
[fallback | repeater | shutdown]} workgroup-bridge {multicast | mode { client | infrastructure} | universal
Ethernet-client-MAC-address }
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 2.4-GHz and 802.11g/n 2.4-GHz radios are radio 0
Sets the wireless device role.
• Sets the role to non-root bridge with or without wireless clients, to root access point or bridge, or to workgroup bridge.
Note The bridge mode radio supports point-to-point configuration only.
Note
Note
The repeater and wireless-clients commands are not supported on
Cisco 860 Series , Cisco 880 Series Integrated Services Routers.
The scanner command is not supported on Cisco 860 SeriesCisco
880 Series Integrated Services Routers.
• The Ethernet port is shut down when any one of the radios is configured as a repeater. Only one radio per access point may be configured as a workgroup bridge or repeater. A workgroup bridge can have a maximum of 25 clients, presuming that no other wireless clients are associated to the root bridge or access point.
188
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring Dual-Radio Fallback
Step 4
Step 5
Command or Action end copy running-config startup-config
Purpose
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
What to Do Next
Note When you enable the role of a device in the radio network as a bridge or workgroup bridge and enable the interface using the no shut command, the physical status and the software status of the interface will be up (ready) only if the device on the other end (access point or bridge) is up. Otherwise, only the physical status of the device will be up. The software status will be up when the device on the other end is configured and ready.
Configuring Dual-Radio Fallback
The dual-radio fallback features allows you to configure access points so that if the non-root bridge link connecting the access point to the network infrastructure goes down, the root access point link through which a client connects to the access point shut down. Shutting down the root access point link causes the client to roam to another access point. Without this feature, the client remains connected to the access point, but won't be able to send or receive data from the network.
You can configure dual-radio fallback in three ways:
Radio Tracking
You can configure the access point to track or monitor the status of one of its radios. If the tracked radio goes down or is disabled, the access point shuts down the other radio. If the tracked radio comes up, the access point enables the other radio.
To track radio 0, enter the following command:
# station-role root access-point fallback track d0 shutdown
Fast Ethernet Tracking
You can configure the access point for fallback when its Ethernet port is disabled or disconnected from the wired LAN. For guidance on configuring the access point for Fast Ethernet tracking, see the
Roles in a Radio Network, on page 187
.
Note Fast Ethernet tracking does not support the repeater mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
189
Configuring Wireless Devices
Overview of Radio Data Rates
To configure the access point for Fast Ethernet tracking, enter the following command:
# station-role root access-point fallback track fa 0
MAC-Address Tracking
You can configure the radio whose role is root access point to come up or go down by tracking a client access point, using its MAC address, on another radio. If the client disassociates from the access point, the root access point radio goes down. If the client reassociates to the access point, the root access point radio comes back up.
MAC-address tracking is most useful when the client is a non-root bridge access point connected to an upstream wired network.
For example, to track a client whose MAC address is 12:12:12:12:12:12, enter the following command:
# station-role root access-point fallback track mac-address 12:12:12:12:12:12 shutdown
Overview of Radio Data Rates
You use the data rate settings to choose the data rates that the wireless device uses for data transmission. The rates are expressed in megabits per second (Mb/s). The wireless device always attempts to transmit at the highest data rate set to basic, also known as required on the browser-based interface. If there are obstacles or interference, the wireless device steps down to the highest rate that allows data transmission. You can set each data rate to one of three states:
• Basic (the GUI labels Basic rates as Required)—Allows transmission at this rate for all packets, both unicast and multicast. At least one of the data rates of the wireless device must be set to basic.
• Enabled—The wireless device transmits only unicast packets at this rate; multicast packets are sent at one of the data rates set to basic.
• Disabled—The wireless device does not transmit data at this rate.
Note At least one data rate must be set to basic.
You can use the data rate settings to set an access point to serve client devices operating at specific data rates.
For example, to set the 2.4-GHz radio for 11 Mb/s service only, set the 11-Mb/s rate to basic, and set the other data rates to disabled. To set the wireless device to serve only client devices operating at 1 and 2 Mb/s, set 1 and 2 to basic, and set the rest of the data rates to disabled. To set the 2.4-GHz, 802.11g radio to serve only
802.11g client devices, set any orthogonal frequency division multiplexing (OFDM) data rate (6, 9, 12, 18,
24, 36, 48, 54) to basic. To set the 5-GHz radio for 54-Mb/s service only, set the 54-Mb/s rate to basic, and set the other data rates to disabled.
You can configure the wireless device to set the data rates automatically to optimize either the range or the throughput. When you enter range for the data rate setting, the wireless device sets the 1-Mb/s rate to basic and sets the other rates to enabled. The range setting allows the access point to extend the coverage area by compromising on the data rate. Therefore, if you have a client that cannot connect to the access point although other clients can, the client might not be within the coverage area of the access point. In such a case, using the range option will help extend the coverage area, and the client may be able to connect to the access point.
190
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Overview of Radio Data Rates
Typically, the trade-off is between throughput and range. When the signal degrades (possibly due to distance from the access point), the rates renegotiate in order to maintain the link (but at a lower data rate). A link that is configured for a higher throughput simply drops when the signal degrades enough that it no longer sustains a configured high data rate, or the link roams to another access point with sufficient coverage, if one is available.
The balance between the two (throughput vs. range) is a design decision that must be made based on resources available to the wireless project, the type of traffic the users will be passing, the service level desired, and as always, the quality of the RF environment. When you enter throughput for the data rate setting, the wireless device sets all four data rates to basic.
Note When a wireless network has a mixed environment of 802.11b clients and 802.11g clients, make sure that data rates 1, 2, 5.5, and 11 Mb/s are set to required (basic) and that all other data rates are set to enable.
The 802.11b adapters do not recognize the 54 Mb/s data rate and do not operate if data rates higher than
11 Mb/s are set to required on the connecting access point.
Configuring Radio Data Rates
To configure the radio data rates, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. speed
• 802.11b, 2.4-GHz radio:
{[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}
• 802.11g, 2.4-GHz radio:
{[1.0] [2.0] [5.5] [6.0] [9.0] [11.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0] [basic-1.0] [basic-2.0]
[basic-5.5] [basic-6.0] [basic-9.0] [basic-11.0] [basic-12.0] [basic-18.0] [basic-24.0] [basic-36.0]
[basic-48.0] [basic-54.0] | range | throughput [ofdm] | default}
• 802.11a 5-GHz radio:
{[6.0] [9.0] [12.0] [18.0] [24.0] [36.0] [48.0] [54.0] [basic-6.0] [basic-9.0] [basic-12.0] [basic-18.0]
[basic-24.0] [basic-36.0] [basic-48.0] [basic-54.0] | range | throughput | ofdm-throughput | default}
• 802.11n 2.4-GHz radio:
{[1.0] [11.0] [12.0] [18.0] [2.0] [24.0] [36.0] [48.0] [5.5] [54.0] [6.0] [9.0] [basic-1.0] [basic-11.0]
[basic-12.0] [basic-18.0] [basic-24.0] [basic-36.0] [basic-48.0] [basic-5.5] [basic-54.0] [basic-6.0]
[ basic-9.0] [default] [m0-7] [m0.] [m1.] [m10.] [m11.] [m12.] [m13.] [m14.] [m15.] [m2.] [m3.]
[m4.] [m5.] [m6.] [m7.] [m8-15] [m8.] [m9.] [ofdm] [only-ofdm] | range | throughput}
4. end
5. copy running-config startup-config
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
191
Configuring Wireless Devices
Overview of Radio Data Rates
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal interface dot11radio {0}
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 2.4-GHz and the 802.11g/n 2.4-GHz radios are radio 0.
Step 3 speed
• 802.11b, 2.4-GHz radio:
{[1.0] [11.0] [2.0] [5.5] [basic-1.0]
[basic-11.0] [basic-2.0] [basic-5.5] | range | throughput}
Sets each data rate to basic or enabled, or enters range to optimize range or enters throughput to optimize throughput.
• (Optional) Enter 1.0, 2.0, 5.5, and 11.0 to set these data rates to enabled on the 802.11b, 2.4-GHz radio.
• 802.11g, 2.4-GHz radio:
Enter 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 802.11g, 2.4-GHz radio.
{[1.0] [2.0] [5.5] [6.0] [9.0] [11.0] [12.0]
[18.0] [24.0] [36.0] [48.0] [54.0]
[basic-1.0] [basic-2.0] [basic-5.5]
[basic-6.0] [basic-9.0] [basic-11.0]
[basic-12.0] [basic-18.0] [basic-24.0]
[basic-36.0] [basic-48.0] [basic-54.0] | range | throughput [ofdm] | default}
• 802.11a 5-GHz radio:
Enter 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 5-GHz radio.
• (Optional) Enter basic-1.0, basic-2.0, basic-5.5, and basic-11.0 to set these data rates to basic on the 802.11b, 2.4-GHz radio.
Enter basic-1.0, basic-2.0, basic-5.5, basic-6.0, basic-9.0, basic-11.0, basic-12.0, basic-18.0, basic-24.0, basic-36.0, basic-48.0, and basic-54.0 to set these data rates to basic on the 802.11g, 2.4-GHz radio.
{[6.0] [9.0] [12.0] [18.0] [24.0] [36.0]
[48.0] [54.0] [basic-6.0] [basic-9.0]
[basic-12.0] [basic-18.0] [basic-24.0]
[basic-36.0] [basic-48.0] [basic-54.0] | range | throughput | ofdm-throughput
| default}
Note If the client must support the basic rate that you select, it cannot associate to the wireless device. If you select 12-Mb/s or higher for the basic data rate on the 802.11g radio, 802.11b client devices cannot associate to the wireless device 802.11g radio.
Enter basic-6.0, basic-9.0, basic-12.0, basic-18.0, basic-24.0, basic-36.0, basic-48.0, and basic-54.0 to set these data rates to basic on the 5-GHz radio.
• 802.11n 2.4-GHz radio:
{[1.0] [11.0] [12.0] [18.0] [2.0] [24.0]
[36.0] [48.0] [5.5] [54.0] [6.0] [9.0]
[basic-1.0] [basic-11.0] [basic-12.0]
[basic-18.0] [basic-24.0] [basic-36.0]
[basic-48.0] [basic-5.5] [basic-54.0]
[basic-6.0] [ basic-9.0] [default] [m0-7]
[m0.] [m1.] [m10.] [m11.] [m12.] [m13.]
[m14.] [m15.] [m2.] [m3.] [m4.] [m5.]
[m6.] [m7.] [m8-15] [m8.] [m9.] [ofdm]
[only-ofdm] | range | throughput}
• (Optional) Enter range or throughput or {[1.0] [11.0] [2.0] [5.5]
[basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range |
throughput}ofdm-throughput (no ERP protection) to automatically optimize radio range or throughput. When you enter range, the wireless device sets the lowest data rate to basic and sets the other rates to enabled. When you enter throughput, the wireless device sets all data rates to basic.
(Optional) On the 802.11g radio, enter speed throughput ofdm to set all
OFDM rates (6, 9, 12, 18, 24, 36, and 48) to basic (required) and to set all the CCK rates (1, 2, 5.5, and 11) to disabled. This setting disables 802.11b
protection mechanisms and provides maximum throughput for 802.11g clients.
However, it prevents 802.11b clients from associating to the access point.
• (Optional) Enter default to set the data rates to factory default settings
(not supported on 802.11b radios).
On the 802.11g radio, the default option sets rates 1, 2, 5.5, and 11 to basic, and stes rates 6, 9, 12, 18, 24, 36, 48, and 54 to enabled. These rate settings
192
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring MCS Rates
Command or Action
Step 4 end
Step 5 copy running-config startup-config
Purpose allow both 802.11b and 802.11g client devices to associate to the wireless device 802.11g radio.
On the 5-GHz radio, the default option sets rates 6.0, 12.0, and 24.0 to basic, and stes rates 9.0, 18.0, 36.0, 48.0, and 54.0 to enabled.
On the 802.11g/n 2.4-GHz radio, the default option sets rates 1.0, 2.0, 5.5, and 11.0 to enabled.
On the 802.11g/n 5-GHz radio, the default option sets rates to 6.0, 12.0, and
24.0 to enabled.
The modulation coding scheme (MCS) index range for both 802.11g/n radios is 0 to 15.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
Configuration Example: Configuring Radio Data Rates
This example shows how to configure data rates basic-2.0 and basic-5.5 from the configuration: ap1200# configure terminal ap1200(config)# interface dot11radio 0 ap1200(config-if)# speed basic-2.0 basic-5.5
ap1200(config-if)# end
Configuring MCS Rates
Modulation coding scheme (MCS) is a specification of PHY parameters consisting of modulation order (binary phase shift keying [BPSK], quaternary phase shift keying [QPSK], 16-quadrature amplitude modulation
[16-QAM], 64-QAM) and forward error correction (FEC) code rate (1/2, 2/3, 3/4, 5/6). MCS is used in the wireless device 802.11n radios, which define 32 symmetrical settings (8 per spatial stream):
• MCS 0–7
• MCS 8–15
• MCS 16–23
• MCS 24–31
The wireless device supports MCS 0–15. High-throughput clients support at least MCS 0–7.
MCS is an important setting because it provides for potentially greater throughput. High-throughput data rates are a function of MCS, bandwidth, and guard interval. The 802.11a, b, and g radios use 20-MHz channel widths.
Table 25: Data Rates Based on MCS Settings, Guard Interval, and Channel Width , on page 194
shows potential data rated based on MCS, guard interval, and channel width.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
193
Configuring Wireless Devices
Configuring MCS Rates
Table 25: Data Rates Based on MCS Settings, Guard Interval, and Channel Width
MCS Index
5
6
3
4
0
1
2
7
8
9
12
13
10
11
14
15
The legacy rates are as follows:
5 GHz: 6, 9, 12, 18,
24, 36, 48, and 54
Mb/s
2.4 GHz: 1, 2, 5.5,
6, 9, 11, 12, 18, 24,
36, 48, and 54 Mb/s
117
130
39
52
78
104
65
13
26
26
39
52
58.5
Guard Interval = 800 ns
Guard Interval = 400 ns
20-MHz Channel
Width Data Rate
(Mb/s)
40-MHz Channel
Width Data Rate
(Mb/s)
20-MHz Channel
Width Data Rate
(Mb/s)
6.5
13
19.5
13.5
27
40.5
7 2/9
14 4/9
21 2/3
54
81
109
121.5
135
27
54
28 8/9
43 1/3
57 5/9
65
72 2/9
14 4/9
28 8/9
81
108
162
216
243
270
43 1/3
57 7/9
86 2/3
115 5/9
130
144 4/9
90
120
180
240
270
300
60
90
120
135
152.5
30
60
15
30
45
40-MHz Channel
Width Data Rate
(Mb/s)
194
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring Radio Transmit Power
Configuration Example: MCS Rates
MCS rates are configured using the speed command.
The following example shows configuring speed setting for an 802.11g/n 2.4-GHz radio: interface Dot11Radio0 no ip address no ip route-cache
!
ssid 800test
!
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8.
m9. m10. m11. m12. m13. m14. m15.
Configuring Radio Transmit Power
Radio transmit power is based on the type of radio or radios installed in your access point and the regulatory domain in which it operates.
To set the transmit power on access point radios, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. power local
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Example:
Router# configure terminal interface dot11radio {0}
Step 3
Purpose
Enters global configuration mode.
power local
Example:
These options are available for the
2.4-GHz 802.11n radio (in dBm):
Example:
{8 | 9| 11 | 14 | 15 | 17 | maximum}
Enters interface configuration mode for the radio interface.
The 2.4-GHz and the 802.11g/n 2.4-GHz radios are radio 0.
Sets the transmit power for the 2.4-GHz radioso that the power level is allowed in your regulatory domain.
Note Use the no form of the power local command to return the power setting to maximum, the default setting.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
195
Configuring Wireless Devices
Configuring Radio Transmit Power
Step 4
Step 5
Command or Action end copy running-config startup-config
Purpose
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
Limiting the Power Level for Associated Client Devices
You can also limit the power level on client devices that associate to the wireless device. When a client device associates to the wireless device, the wireless device sends the maximum power level setting to the client.
Note Cisco AVVID documentation uses the term Dynamic Power Control (DPC) to refer to limiting the power level on associated client devices.
To specify a maximum allowed power setting on all client devices that associate to the wireless device, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. power client
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal interface dot11radio {0}
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 2.4-GHz and 802.11g/n 2.4-GHz radios are radio 0.
power client
Example:
These options are available for
802.11n 2.4-GHz clients (in dBm):
{local | 8 | 9 | 11 | 14 | 15 | 17
| maximum}
Sets the maximum power level allowed on client devices that associate to the wireless device.
• Setting the power level to local sets the client power level to that of the access point.
• Setting the power level to maximum sets the client power to the allowed maximum.
Note The settings allowed in your regulatory domain might differ from the settings listed here.
196
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring Radio Channel Settings
Step 4
Step 5
Command or Action end copy running-config startup-config
Purpose
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
What to Do Next
Use the no form of the power client command to disable the maximum power level for associated clients.
Note Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.
Configuring Radio Channel Settings
The default channel setting for the wireless device radios is least congested. At startup, the wireless device scans for and selects the least-congested channel. For the most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each access point. The channel settings on the wireless device correspond to the frequencies available in your regulatory domain. See the access point hardware installation guide for the frequencies allowed in your domain.
Each 2.4-GHz channel covers 22 MHz. Because the bands for channels 1, 6, and 11 do not overlap, you can set up multiple access points in the same vicinity without causing interference. The 802.11b and 802.11g
2.4-GHz radios use the same channels and frequencies.
The 5-GHz radio operates on 8 channels from 5180 to 5320 MHz, up to 27 channels from 5170 to 5850 MHz depending on regulatory domain. Each channel covers 20 MHz, and the bands for the channels overlap slightly.
For best performance, use channels that are not adjacent (use channels 44 and 46, for example) for radios that are close to each other.
Note The presence of too many access points in the same vicinity can create radio congestion that can reduce throughput. A careful site survey can determine the best placement of access points for maximum radio coverage and throughput.
The 802.11n standard allows both 20-MHz and 40-Mhz channel widths consisting of two contiguous non-overlapping channels (for example, 2.4-GHz channels 1 and 6)
One of the 20-MHz channels is called the control channel. Legacy clients and 20-MHz high-throughput clients use the control channel. Only beacons can be sent on this channel. The other 20-MHz channel is called the extension channel. The 40-MHz stations may use this channel and the control channel simultaneously.
A 40-MHz channel is specified as a channel and extension, such as 1,1. In this example, the control channel is channel 1 and the extension channel is above it.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
197
Configuring Wireless Devices
Configuring Radio Channel Settings
Configuring Wireless Channel Width
To set the wireless device channel width, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. channel {frequency | least-congested | width [20 | 40-above | 40-below] | dfs}
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal interface dot11radio {0 }
Step 3
Step 4
Step 5 channel {frequency | least-congested | width [20 |
40-above | 40-below] | dfs} end copy running-config startup-config
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0
Sets the default channel for the wireless device radio.To search for the least-congested channel on startup, enter least-congested.
• Use the width option to specify a bandwidth to use. This option is available for the Cisco 800 series ISR wireless devices and consists of three available settings: 20, 40-above, and 40-below:
â—¦Choosing 20 sets the channel width to 20 MHz.
â—¦Choosing 40-above sets the channel width to 40 MHz with the extension channel above the control channel.
â—¦Choosing 40-below sets the channel width to 40 MHz with the extension channel below the control channel.
Note The channel command is disabled for 5-GHz radios that comply with
European Union regulations on dynamic frequency selection (DFS). See the
Enabling and Disabling World Mode, on page 199
for more information.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
198
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Enabling and Disabling World Mode
Enabling and Disabling World Mode
You can configure the wireless device to support 802.11d world mode, Cisco legacy world mode, or world mode roaming. When you enable world mode, the wireless device adds channel carrier set information to its beacon. Client devices with world mode enabled receive the carrier set information and adjust their settings automatically. For example, a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when it travels to Italy and joins a network there. Cisco client devices detect whether the wireless device is using 802.11d or Cisco legacy world mode and automatically use the world mode that matches the mode used by the wireless device.
You can also configure world mode to be always on. In this configuration, the access point essentially roams between countries and changes its settings as required. World mode is disabled by default.
Enabling World Mode
To enable world mode, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. world-mode {dot11d country_code code {both | indoor | outdoor} | world-mode roaming | legacy}
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
interface dot11radio {0 } world-mode {dot11d country_code code {both | indoor | outdoor} | world-mode roaming | legacy}
Enables world mode.
• Enter the dot11d option to enable 802.11d world mode.
â—¦When you enter the dot11d option, you must enter a two-character
ISO country code (for example, the ISO country code for the United
States is US). You can find a list of ISO country codes at the ISO website.
â—¦After the country code, you must enter indoor, outdoor, or both to indicate the placement of the wireless device.
• Enter the legacy option to enable Cisco legacy world mode.
• Enter the world-mode roaming option to place the access point in a continuous world mode configuration.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
199
Configuring Wireless Devices
Disabling and Enabling Short Radio Preambles
Step 4
Step 5
Command or Action end
Purpose
Note Aironet extensions must be enabled for legacy world mode operation, but Aironet extensions are not required for 802.11d world mode. Aironet extensions are enabled by default.
Returns to privileged EXEC mode.
copy running-config startup-config (Optional) Saves your entries in the configuration file.
What to Do Next
Use the no form of the world-mode command to disable world mode.
Disabling and Enabling Short Radio Preambles
The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the wireless device and client devices need when sending and receiving packets. You can set the radio preamble to long or short:
• Short—A short preamble improves throughput performance.
• Long—A long preamble ensures compatibility between the wireless device and all early models of Cisco
Aironet Wireless LAN Adapters. If these client devices do not associate to the wireless devices, you should use short preambles.
You cannot configure short or long radio preambles on the 5-GHz radio.
Disabling Short Radio Preambles
To disable short radio preambles, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. no preamble-short
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action configure terminal
Purpose
Enters global configuration mode.
200
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Transmit and Receive Antennas
Step 2
Step 3
Step 4
Step 5
Command or Action interface dot11radio {0 } no preamble-short end copy running-config startup-config
Purpose
Enters interface configuration mode for the 2.4-GHz radio interface.
Disables short preambles and enables long preambles.
Note Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
What to Do Next
Transmit and Receive Antennas
You can select the antenna that the wireless device uses to receive and transmit data. There are four options for both the receive antenna and the transmit antenna:
• Gain—Sets the resultant antenna gain in decibels (dB).
• Diversity—This default setting tells the wireless device to use the antenna that receives the best signal.
If the wireless device has two fixed (non-removable) antennas, you should use this setting for both receive and transmit.
• Right—If the wireless device has removable antennas and you install a high-gain antenna on the wireless device’s right connector, you should use this setting for both receive and transmit. When you look at the wireless device’s back panel, the right antenna is on the right.
• Left—If the wireless device has removable antennas and you install a high-gain antenna on the wireless device’s left connector, you should use this setting for both receive and transmit. When you look at the wireless device’s back panel, the left antenna is on the left.
See the following section for information on configuring transmit and receive antennas:
Configuring Transmit and Recieve Antennas
To select the antennas that the wireless device uses to receive and transmit data, follow these steps, beginning in privileged EXEC mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
201
Configuring Wireless Devices
Disabling and Enabling Aironet Extensions
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. gain dB
4. antenna receive {diversity | left | right}
5. end
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal interface dot11radio {0 } gain dB
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0
Specifies the resultant gain of the antenna attached to the device.
• Enter a value from –128 to 128 dB. If necessary, you can use a decimal in the value, such as 1.5.
Note The Cisco 860 and Cisco 880 ISRs are shipped with a fixed antenna that cannot be removed. The antenna gain cannot be configured on these models
Sets the receive antenna to diversity, left, or right.
antenna receive {diversity | left | right} end
Note For best performance with two antennas, leave the receive antenna setting at the default setting, diversity. For one antenna, attach the antenna on the right and set the antenna for right.
Returns to privileged EXEC mode.
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Disabling and Enabling Aironet Extensions
By default, the wireless device uses Cisco Aironet 802.11 extensions to detect the capabilities of Cisco Aironet client devices and to support features that require specific interaction between the wireless device and associated client devices. Aironet extensions must be enabled to support these features:
• Load balancing—The wireless device uses Aironet extensions to direct client devices to an access point that provides the best connection to the network on the basis of such factors as number of users, bit error rates, and signal strength.
202
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Disabling and Enabling Aironet Extensions
• Message Integrity Check (MIC)—MIC is an additional WEP security feature that prevents attacks on encrypted packets called bit-flip attacks. The MIC, implemented on the wireless device and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.
• Load balancing—The wireless device uses Aironet extensions to direct client devices to an access point that provides the best connection to the network on the basis of such factors as number of users, bit error rates, and signal strength.
• Cisco Key Integrity Protocol (CKIP)—Cisco’s WEP key permutation technique is based on an early algorithm presented by the IEEE 802.11i security task group. The standards-based algorithm, Temporal
Key Integrity Protocol (TKIP), does not require Aironet extensions to be enabled.
• World mode (legacy only)—Client devices with legacy world mode enabled receive carrier set information from the wireless device and adjust their settings automatically. Aironet extensions are not required for
802.11d world mode operation.
• Limiting the power level on associated client devices—When a client device associates to the wireless device, the wireless device sends the maximum allowed power level setting to the client.
Disabling Aironet extensions disables the features listed above, but it sometimes improves the ability of non-Cisco client devices to associate to the wireless device.
Disabling Aironet Extensions
Aironet extensions are enabled by default. To disable Aironet extensions, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. no dot11 extension aironet
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal interface dot11radio {0 } no dot11 extension aironet end copy running-config startup-config
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0.
Disables Aironet extensions.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
203
Configuring Wireless Devices
Ethernet Encapsulation Transformation Method
What to Do Next
Use the dot11 extension aironet command to enable Aironet extensions if they are disabled.
Ethernet Encapsulation Transformation Method
When the wireless device receives data packets that are not 802.3 packets, the wireless device must format the packets to 802.3 by using an encapsulation transformation method. These are the two transformation methods:
• 802.1H—This method provides optimum performance for Cisco wireless products.
• RFC 1042—Use this setting to ensure interoperability with non-Cisco wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1H but is used by other manufacturers of wireless equipment.
For information on how to configure the ethernet encapsulation transformation method, see the following section:
Configuring the Ethernet Encapsulation Transformation Method
To configure the encapsulation transformation method, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0 }
3. payload-encapsulation {snap | dot1h}
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal interface dot11radio {0 } payload-encapsulation {snap | dot1h} end copy running-config startup-config
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0.
Sets the encapsulation transformation method to RFC 1042 (snap) or 802.1h (dot1h, the default setting).
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
204
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Enabling and Disabling Public Secure Packet Forwarding
Enabling and Disabling Public Secure Packet Forwarding
Public Secure Packet Forwarding (PSPF) prevents client devices that are associated to an access point from inadvertently sharing files or communicating with other client devices that are associated to the access point.
PSPF provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses.
Note To prevent communication between clients associated to different access points, you must set up protected ports on the switch to which the wireless devices are connected. See the
Related Documentation, on page
184 for instructions on setting up protected ports.
To enable and disable PSPF using CLI commands on the wireless device, you use bridge groups. For a detailed explanation of bridge groups and instructions for implementing them, see the following link: http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcftb_ps1835_TSD_Products_
Configuration_Guide_Chapter.html
Configuring Public Secure Packet Forwarding
PSPF is disabled by default. To enable PSPF, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. bridge-group group port-protected
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal interface dot11radio {0} bridge-group group port-protected end copy running-config startup-config
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0.
Enables PSPF.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
205
Configuring Wireless Devices
Enabling and Disabling Public Secure Packet Forwarding
What to Do Next
Use the no form of the bridge group command to disable PSPF.
Configuring Protected Ports
To prevent communication between client devices that are associated to different access points on your wireless
LAN, you must set up protected ports on the switch to which the wireless devices are connected.
To define a port on your switch as a protected port, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. switchport protected
4. end
5. show interfaces interface-id switchport
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal
interface interface-id
Purpose
Enters global configuration mode.
Enters interface configuration mode.
• Enter the type and number of the switch port interface to configure, such as wlan-gigabitethernet0.
switchport protected end
show interfaces interface-id switchport copy running-config startup-config
Configures the interface to be a protected port.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
To disable protected port, use the no switchport protected command.
For detailed information on protected ports and port blocking, see the “Configuring Port-Based Traffic Control” chapter in Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Click this link to browse to that guide: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_12c_ea1/ configuration/ guide/3550scg.html
206
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Beacon Period and the DTIM
Beacon Period and the DTIM
The beacon period is the amount of time between access point beacons in kilomicroseconds (Kmicrosecs).
One Kmicrosec equals 1,024 microseconds. The data beacon rate, always a multiple of the beacon period, determines how often the beacon contains a delivery traffic indication message (DTIM). The DTIM tells power-save client devices that a packet is waiting for them.
For example, if the beacon period is set at 100, its default setting, and if the data beacon rate is set at 2, its default setting, then the wireless device sends a beacon containing a DTIM every 200 Kmicrosecs.
The default beacon period is 100, and the default DTIM is 2.
See the following section for information on configuring beacon period and DTIM:
Configuring the Beacon Period and the DTIM
To configure the beacon period and the DTIM, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. beacon period value
4. beacon dtim-period value
5. end
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal interface dot11radio {0}
beacon period value
beacon dtim-period value end copy running-config startup-config
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0
Sets the beacon period.
• Enter a value in kilomicroseconds.
Sets the DTIM.
• Enter a value in kilomicroseconds.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
207
Configuring Wireless Devices
RTS Threshold and Retries
RTS Threshold and Retries
The request to send (RTS) threshold determines the packet size at which the wireless device issues an RTS before sending the packet. A low RTS threshold setting can be useful in areas where many client devices are associating with the wireless device, or in areas where the clients are far apart and can detect only the wireless device and not detect each other. You can enter a setting ranging from 0 to 2347 bytes.
The maximum RTS retries is the maximum number of times the wireless device issues an RTS before stopping the attempt to send the packet over the radio. Enter a value from 1 to 128.
The default RTS threshold is 2347 for all access points and bridges, and the default maximum RTS retries setting is 32.
Configuring RTS Threshold and Retries
To configure the RTS threshold and maximum RTS retries, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. rts threshold value
4. rts retries value
5. end
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal interface dot11radio {0}
rts threshold value
rts retries value
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 2.4-GHz and the 802.11g/n 2.4-GHz radios are radio 0
Sets the RTS threshold.
• Enter an RTS threshold from 0 to 2347.
Sets the maximum RTS retries.
• Enter a setting from 1 to 128.
end copy running-config startup-config
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
208
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Maximum Data Retries
What to Do Next
Use the no form of the rts command to reset the RTS settings to defaults.
Maximum Data Retries
The maximum data retries setting determines the number of attempts that the wireless device makes to send a packet before it drops the packet. The default setting is 32.
Configuring the Maximum Data Retries
To configure the maximum data retries, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. packet retries value
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal interface dot11radio {0}
packet retries value
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz radio is radio 0.
Sets the maximum data retries.
• Enter a setting from 1 to 128.
end copy running-config startup-config
Note Use the no form of the packet retries command to reset the setting to the default.
Returns to privileged EXEC mode.
(Optional) Saves your entries in the configuration file.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
209
Configuring Wireless Devices
Configuring the Fragmentation Threshold
What to Do Next
Configuring the Fragmentation Threshold
The fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default setting is 2346 bytes.
Configuring the Fragment Threshold
To configure the fragmentation threshold, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. interface dot11radio {0}
3. fragment-threshold value
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal interface dot11radio {0}
fragment-threshold value
Purpose
Enters global configuration mode.
Enters interface configuration mode for the radio interface.
The 802.11g/n 2.4-GHz and 5-GHz radios are radio 0.
Sets the fragmentation threshold.
• Enter a setting from 256 to 2346 bytes for the 2.4-GHz radio.
• Enter a setting from 256 to 2346 bytes for the 5-GHz radio.
end
Note Use the no form of the fragment-threshold command to reset the setting to the default.
Returns to privileged EXEC mode.
copy running-config startup-config (Optional) Saves your entries in the configuration file.
210
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Enabling Short Slot Time for 802.11g Radios
What to Do Next
Enabling Short Slot Time for 802.11g Radios
You can increase throughput on the 802.11g 2.4-GHz radio by enabling short slot time. Reducing the slot time from the standard 20 microseconds to the 9-microsecond short slot time decreases the overall backoff, which increases throughput. Backoff, which is a multiple of the slot time, is the random length of time that a station waits before sending a packet on the LAN.
Many 802.11g radios support short slot time, but some do not. When you enable short slot time, the wireless device uses the short slot time only when all clients associated to the 802.11g 2.4-GHz radio support short slot time.
Short slot time is supported only on the 802.11g 2.4-GHz radio. Short slot time is disabled by default.
In radio interface mode, enter the short-slot-time command to enable short slot time: ap(config-if)# short-slot-time
Use the no form of the short-slot-time command to disable short slot time.
Performing a Carrier Busy Test
You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless device drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then displays the test results.
In privileged EXEC mode, enter this command to perform a carrier busy test: dot11 interface-number carrier busy
For interface-number, enter dot11radio 0 to run the test on the 2.4-GHz radio
Use the show dot11 carrier busy command to redisplay the carrier busy test results.
Configuring VoIP Packet Handling
You can improve the quality of VoIP packet handling per radio on access points by enhancing 802.11 MAC behavior for lower latency for the class of service (CoS) 5 (Video) and CoS 6 (Voice) user priorities.
To configure VoIP packet handling on an access point, follow these steps:
1 Using a browser, log in to the access point.
2 Click Services in the task menu on the left side of the web-browser interface.
3 When the list of Services expands, click Stream.
The Stream page appears.
4 Click the tab for the radio to configure.
5 For both CoS 5 (Video) and CoS 6 (Voice) user priorities, choose Low Latency from the Packet Handling drop-down menu, and enter a value for maximum retries for packet discard in the corresponding field.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
211
Configuring WLAN
Configuring Wireless Devices
The default value for maximum retries is 3 for the Low Latency setting. This value indicates how many times the access point will try to retrieve a lost packet before discarding it.
Figure 14: Packet Handling Configuration
Note You may also configure the CoS 4 (Controlled Load) user priority and its maximum retries value.
6 Click Apply.
Configuring WLAN
This section describes the Wireless LAN (WLAN) configuration tasks for Cisco 810, 860, 880 and 890 series routers and contains the following sections:
Configuring WLAN Using the Web-based Interface
Use the web-based interface to display wireless LAN (WLAN) information and configure settings. For information about the CLI-based WLAN interface, see
Configuring WLAN Using the CLI-based Interface,
on page 219 .
Connecting to the Web-based WLAN Interface
To connect to the web-based WLAN interface, open the following address in a web browser: http://10.10.10.2
Log in using the default credentials:
User name: admin
Password: admin
Note When using the default WLAN credentials, the user is prompted to change the password when logging in for the first time.
212
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the Web-based Interface
Address for Accessing Web-based Interface
You can change the address for accessing the web-based interface. See
Configuring Access to the Web-based
.
DHCP Server Configuration
By default, the DHCP server is not configured. Configure DHCP parameters using the Cisco IOS CLI on
VLAN 1.
Subnet
Connect to the interface from a device within the LAN containing the router. The device must be within the subnet configured for accessing the router. The default subnet mask is 255.255.255.0.
Displaying Device Information
In the left pane, click Device Info -> Summary to open the Device Info page, displaying the following device information:
• Hardware and driver information for upgrading drivers or troubleshooting
Displaying Connection Statistics
In the left pane, click Device Info -> Statistics to open the Statistics - WLAN page, displaying statistics on packets received and packets transmitted. The page is automatically refreshed.
Configuring Access to the Web-based Interface
In the left pane, click Device Info -> Network Interface to open the Network Interface Setup page for configuring access to the web-based interface.
The page shows the IP address and subnet mask used to access the web-based interface. You can enter a new
IP address and subnet mask for accessing the web-based interface. The default values are:
IP: 10.10.10.2
Subnet Mask: 255.255.255.248
Note Enter IPv4 values only. IPv6 is not supported.
Note Changing the IP address to a different subnet requires changing VLAN 1 to be in the same subnet also.
Note You can access the web-based interface only from a device within the same subnet.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
213
Configuring Wireless Devices
Configuring WLAN Using the Web-based Interface
Configuring Basic Wireless Settings
In the left pane, click Wireless -> Basic to open the Wireless - Basic page, providing configuration options for the wireless LAN (WLAN).
Main SSID
The options in the top portion of the Wireless - Basic page apply to the main service set identification (SSID):
• Enable Wireless—Enables/disables the WLAN feature.
• Hide Access Point—Hiding the SSID provides a small measure of security in helping to prevent unauthorized users from accessing the network. When this feature is enabled, the WLAN access point
SSID is not broadcast, making wireless snooping more difficult.
• Clients Isolation—Prevents a wireless client connected to a specific SSID from communicating with other wireless clients connected to the same SSID.
• Disable WMM Advertise—Disables the WiFi Multimedia (WMM) feature. The WMM feature prioritizes media traffic to improve media transmission.
• Enable Wireless Multicast Forwarding (WMF)—Enables the Wireless Multicast Forwarding (WMF) feature.
• SSID—Main SSID used for accessing the WLAN. Devices connected to the WLAN using the same
SSID operate within the same domain. The main SSID can be disabled only by disabling WLAN completely.
• BSSID—MAC address for the main SSID. Each enabled SSID has a separate BSSID.
• Max Clients—Configures the maximum number of clients that can connect to the main SSID. Default value: 16 Recommended maximum: 16 Theoretical maximum: 128
Guest SSIDs
A table at the bottom of the Wireless - Basic page shows the guest SSIDs for connecting guest devices to the
WLAN. For each guest SSID, you can configure options similar to those for the main SSID.
Default SSID Values
The following are the default SSID values:
• Main SSID: Cisco860
• Guest SSID 1: Cisco860_Guest1
• Guest SSID 2: Cisco860_Guest2
• Guest SSID 3: Cisco860_Guest3
Note By default, the main SSID is enabled and guest SSIDs are disabled.
214
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the Web-based Interface
Configuring Security
In the left pane, click Wireless -> Security to open the Wireless - Security page, providing security settings for each access point.
Complete the following steps to configure security settings for an access point:
1 In the Select SSID drop-down list, select the SSID to configure.
2 Using the drop-down lists, select network authentication options for the SSID. Selecting an authentication type displays additional options specific to the authentication type.
Note By default, the network authentication is open and WEP encryption is disabled for each SSID.
3 Click Apply/Save.
Configuring MAC Filtering
In the left pane, click Wireless -> MAC Filter to open the Wireless - MAC Filter page, enabling you to restrict access to specific SSIDs according to device MAC addresses.
For each SSID, you can specify MAC addresses to allow or MAC addresses to deny. By default, the MAC restriction feature is disabled for all SSIDs.
Complete the following steps to configure MAC filtering for an SSID:
1 In the Select SSID drop-down list, select the SSID to configure.
2 To add a MAC address to the list, click Add and enter the address.
3 To remove a MAC address from the list, select the “Remove” check box for the address and click Remove.
4 Select a MAC restriction mode from these options:
• Disabled—The feature is disabled.
• Allow—Allow devices with the specified MAC addresses to connect.
• Deny—Do not allow devices with the specified MAC addresses to connect.
Configuring Advanced Wireless Settings
In the left pane, click Wireless > Advanced to open the Wireless - Advanced page for configuring the advanced wireless LAN (WLAN) features described in
Table 26: Advanced WLAN, on page 215
.
Table 26: Advanced WLAN
Option
Band
Channel
Description
Frequency band. This is preset to 2.4 GHz.
Radio channels. By default, the router sets the channel automatically. You can select a specific channel. The channel options depend on the geographic region.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
215
Configuring WLAN Using the Web-based Interface
Option
Auto Channel Timer (min)
802.11n/EWC
802.11n Rate
802.11n Protection
Support 802.11n Client Only
RIFS Advertisement
RX Chain Power Save
RX Chain Power Save Quiet Time
RX Chain Power Save PPS
54g Rate
Configuring Wireless Devices
Description
(Enabled when Channel is set to Auto)
Minutes to wait before scanning again to determine the best channel.
Range: 1 to 35791394 minutes.
Enables/disables 802.11n support.
(802.11n/EWC must be set to Auto)
Configures the rate for 802.11n.
(802.11n/EWC must be set to Auto)
Configures RTS/CTS protection.
(802.11n/EWC must be set to Auto)
Restricts support to 802.11n only.
(802.11n/EWC must be set to Auto)
Enables/disables Reduced Inter-Frame Space (RIFS)
Advertisement.
(802.11n/EWC must be set to Auto)
Enables/disables the power save mode.
(802.11n/EWC must be set to Auto and RX Chain
Power Save must be set to Enable)
Time interval (seconds) to wait before going into the power save mode.
Range: 0 to 2147483647 seconds.
(802.11n/EWC must be set to Auto and RX Chain
Power Save must be set to Enable)
Packets per second (PPS) threshold. When the PPS is below the threshold, the router enters power save mode after the number of seconds configured in the
“RX Chain Power Save Quiet Time” field.
Range: 0 to 2147483647 packets per second.
(802.11n/EWC must be set to Disabled or 802.11n
Rate must be set to “Use 54g Rate”)
Configures the 54g rate.
216
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
OL-31704-02
Option
Multicast Rate
Basic Rate
Fragmentation Threshold
RTS Threshold
DTIM Interval
Beacon Interval
Global Max Clients
Transmit Power
WMM (Wi-Fi Multimedia)
WMM No Acknowledgement
Configuring WLAN Using the Web-based Interface
Description
Transmit/Receive rate for multicast packets.
Note If 802.11n/EWC is Disabled and “54g Mode” is set to “802.11b Only,” then the options will change.
Data rate that wireless clients should support.
Maximum packet size (bytes) before data is fragmented.
Range: 256 to 2346 bytes.
RTS threshold value that will trigger the CTS protection mechanism. If an access point transmits a packet larger than the threshold, this will trigger the
CTS protection mode.
Range: 0 to 2347 bytes.
Delivery Traffic Indication Message (DTIM) interval information is included in beacon frames to inform clients of when next to expect buffered data from AP.
The interval is specified as number of beacons. For example, if DTIM interval is set to 2, the client will wake-up/check for buffered data on AP at every second beacon.
Range: 1 to 255 beacons.
Length of time between beacon transmissions.
Range: 1 to 65535 milliseconds.
Upper limit for the maximum number of clients that can connect to an AP. The “Max Clients” setting for each SSID cannot exceed this limit.
Range: 1 to 128 Default value: 16 Recommended maximum: 16 Theoretical maximum: 128
Configures the transmit power level.
Enables/disables the WMM feature, a quality of service (QoS) feature of 802.11.
(WMM (Wi-Fi Multimedia) must be set to Enabled or Auto)
Enables/disables the WMM No Acknowledgement feature.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
217
Configuring Wireless Devices
Configuring WLAN Using the Web-based Interface
Option
WMM APSD
54g Mode
54g Protection
Preamble Type
Description
(WMM (Wi-Fi Multimedia) must be set to Enabled or Auto)
Enables/disables the WMM Automatic Power Save
Delivery feature.
Note When WMM is in Auto mode, WMM APSD must be set to Enabled to enable a client to use Power Save Mode. When WMM is in
Enabled mode, the client can use Power Save
Mode regardless of whether WMM APSD is Enabled or Disabled.
(802.11n/EWC must be set to Disabled)
Configures 54g mode.
(802.11n/EWC must be set to Disabled)
Setting this field to Auto enables the RTS/CTS
Protection mechanism.
(802.11n/EWC must be set to Disabled. 54g Mode must be set to either “54g Auto” or “802.11b only”.)
Defines the length of the cyclic redundancy code
(CRC) block used for AP-to-WLAN client communication.
Station Information
In the left pane, click Wireless -> Station Info to open the Wireless - Authenticated Stations page, displaying clients that have been authenticated for wireless LAN (WLAN) and the status of each client.
Configuring the Password for Connecting to the Web-based Interface
In the left pane, click Management to open the Access Control - Passwords page for configuring the administrative password.
The user name must be admin. You can follow the instructions on this page to change the password. The default password is admin.
Note The administrative account has unrestricted permission to configure the router.
Note To restore WLAN config to the default, delete the wlconfig.txt file from the flash memory, using the Cisco
IOS CLI.
218
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Saving the Wireless LAN Configuration to a File
In the left pane, click Configuration -> Backup to save a configuration file for the wireless configuration.
The file is saved locally on the workstation being used to access the GUI. For information about loading the saved configuration from the local file, see
Loading a Wireless LAN Configuration File, on page 219
.
Loading a Wireless LAN Configuration File
In the left pane, click Configuration -> Update to load a configuration file for the wireless LAN configuration from the workstation being used to access the GUI.
Caution Loading a configuration file restarts the router, interrupting any current connections.
For information about saving a configuration file locally, see
Saving the Wireless LAN Configuration to a
.
Note A configuration file can be used to load a specific configuration onto several different routers.
Restoring the Default Configuration
In the left pane, click Configuration -> Restore Default to restore the wireless LAN configuration to default.
Caution Restoring the default configuration restarts the router, interrupting any current connections.
Configuring WLAN Using the CLI-based Interface
Use the CLI-based interface to display wireless LAN (WLAN) information and configure settings. For information about the web-based WLAN interface, see
Configuring WLAN Using the Web-based Interface,
on page 212 .
See the following sections:
WLAN CLI Interface
The WLAN CLI interface is similar to the CLI interface for IOS.
When you enter the CLI interface, the prompt appears as follows: ap#
Similarly to Cisco IOS, the prompt indicates the command mode. For example, using the configure terminal command to enter global configuration mode changes the prompt to: ap(config)#
To exit from a specific mode, use the exit command.
For example:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
219
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface ap(config)# exit ap#
Displaying Command Information for WLAN CLI
Entering a question mark (?) displays information about available command options. This feature provides a simple access to information about commands and relevant command options.
Example : Displaying Command Information for WLAN CLI
In interface configuration mode, entering ? at the prompt displays the commands available in that mode: ap(config-if)# ?
exit ip no shutdown
Exit from config-if mode
Interface Internet Protocol config commands
Negate a command or set its defaults
Shutdown the interface
In SSID configuration mode, entering encryption mode wep ? displays the options available for configuring
WEP encryption mode with the encryption mode wep command, as follows: ap(config-ssid)# encryption mode wep ?
current-key Network Key to use encryption-strength key
<cr>
Encryption strength
Set encryption keys
Three arguments (current-key , encryption-strength , and key ) may be entered for the command. The <cr> option indicates that encryption mode wep is valid by itself without additional options. In this example, entering the command without additional arguments enables WEP encryption.
Connecting to the WLAN CLI Interface
To connect to the WLAN CLI interface, complete the following steps.
1 From the Cisco IOS command line, create a loopback interface, specifying any desired IP address. For information about creating a loopback interface in Cisco IOS, see the Cisco IOS Master Commands List
: http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html
2 Connect by Telnet to the IP address specified for the loopback interface and port 2002.
3 Log in when prompted.
The router displays the WLAN CLI interface prompt.
Note The default login credentials are: User name: admin Password: admin When logging in for the first time, the router prompts you to change the default password.
Example: Configuring a Loopback Interface
Router# configure terminal
Enter configuration commands, one per line.
End with CNTL/Z.
Router(config)# interface loopback 0
Router(config-if)# ip address 1.1.1.1 255.255.255.0
Router(config-if)# end
220
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Example: Accessing WLAN CLI Using Telnet Through the Loopback Interface
Router# telnet 1.1.1.1 2002
Trying 1.1.1.1, 2002 ... Open
Connecting to AP console, enter Ctrl-^ followed by x, then "disconnect" to return to router prompt ap#
Exiting from the WLAN CLI Interface
To exit from the WLAN CLI and return to the Cisco IOS CLI prompt, press CTRL-SHIFT-6, followed by
x, then “disconnect”.
Setting the IP Address for the Web-based Interface
By default, the IP address used to access the web-based WLAN interface is 10.10.10.2.
To change the IP address of the bridge interface used to access the web-based interface, perform these steps.
SUMMARY STEPS
1. configure terminal
2. interface BVI 1
3. ip address IP-address subnet-mask
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal
Example: ap# configure terminal
Example: ap(config)# interface BVI 1
Example: ap(config)# interface BVI 1
ip address IP-address subnet-mask
Example: ap(config-if)# ip address 10.10.10.2
255.255.255.248
Purpose
Enters configuration mode.
The interface number.
Configures the new IP address and subnet mask.
Note
Tip
Use IPv4 addresses only.
You can display the configured IP address using the
show interfaces BVI 1 command (see
BVI 1 Interface Details, on page 254
).
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
221
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Command or Action Purpose
Enabling and Disabling WLAN
By default, the WLAN feature is enabled.
To enable or disable WLAN, follow these steps from global configuration mode:
Use shutdown to disable WLAN and no shutdown to enable WLAN.
SUMMARY STEPS
1. interface Dot11Radio 0
2. [no] shutdown
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
[no] shutdown
Example: ap(config-if)# no shutdown
Purpose
Enters interface configuration mode.
shutdown—Disables WLAN.
no shutdown—Enables WLAN.
Configuring the Main SSID
To change the name of the main SSID, perform these steps.
SUMMARY STEPS
1. configure terminal
2. dot11 ssid SSID-name
222
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Example: ap# configure terminal
Example: ap(config)#
dot11 ssid SSID-name
Example: ap(config)# dot11 ssid mainssid
Purpose
Enters configuration mode.
SSID-name—The main SSID. The SSID may be up to 32 characters.
In the example, the new SSID is called mainssid.
Configuring Guest SSIDs
To change the name of a guest SSID, perform these steps.
SUMMARY STEPS
1. configure terminal
2. dot11 guest-ssid guest-SSID-number SSID-name
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Example: ap# configure terminal
Example: ap(config)#
dot11 guest-ssid guest-SSID-number SSID-name
Example: ap(config)# dot11 guest-ssid 1 guest1
Purpose
Enters configuration mode.
guest-SSID-number—Specify 1, 2, or 3 to identify the guest
SSID to configure.
SSID-name—The new SSID. The SSID may be up to 32 characters.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
223
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Command or Action Purpose
The example specifies a new SSID of guest1 for guest SSID number 1.
Enabling and Disabling Guest SSIDs
To enable or disable a guest SSID, follow these steps from global configuration mode:
Note The main SSID cannot be disabled. However, guest SSIDs can be enabled/disabled. By default, guest
SSIDs are disabled.
SUMMARY STEPS
1. interface Dot11Radio 0
2. [no] guest-ssid guest-SSID-number SSID-name
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Purpose
Enters interface configuration mode.
Example: ap(config)# interface Dot11Radio 0
[no] guest-ssid guest-SSID-number SSID-name Enables the guest SSID specified by guest-SSID-number and
SSID-name.
Example: ap(config-if)# guest-ssid 1 guestssid1
• guest-SSID-number—Specify 1, 2, or 3 to identify the guest
SSID to configure.
• SSID-name—The name of the guest SSID. Entering the wrong
SSID displays an error message.
Note The no form of the command disables the specified guest
SSID.
Hiding an Access Point
To hide or unhide an SSID, follow these steps from global configuration mode:
224
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Note Hiding the SSID (access point) provides a small measure of security in helping to prevent unauthorized users from accessing the network. When you hide the SSID, the SSID is not broadcasted, making wireless snooping more difficult.
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] hide-ap
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
Example:
• ssid—The main SSID.
• guest-ssid—A guest SSID.
ap(config)# dot11 guest-ssid 1 guestssid1
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
[no] hide-ap
Example: ap(config-ssid)# hide-ap
Hides the SSID specified in the previous step.
Note The no form of the command unhides the specified SSID.
Enabling and Disabling Client Isolation
To enable or disable client isolation for a specific SSID, follow these steps from global configuration mode:
Note Client isolation prevents a wireless client connected to a specific SSID from communicating with other wireless clients connected to the same SSID.
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] isolate-clients
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
225
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
Example: ap(config)# dot11 guest-ssid 1 guestssid1
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
[no] isolate-clients
Example: ap(config-ssid)# isolate-clients
Enables client isolation for the SSID specified in the previous step.
The no form of the command disables client isolation for the specified
SSID.
Enabling and Disabling WMM Advertise
To enable or disable WiFi Multimedia (WMM) Advertise for a specific SSID, follow these steps from global configuration mode.
Note The WiFi Multimedia (WMM) Advertise feature prioritizes media traffic to improve media transmission.
WMM Advertise is enabled by default.
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] disable-wmm
DETAILED STEPS
Step 1
Command or Action dot11 {ssid | guest-ssid}
[guest-SSID-number] SSID-name
Example: ap(config)# guestssid1 dot11 guest-ssid 1
Purpose
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the
guest-ssid option.
226
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Command or Action
Step 2 [no] disable-wmm
Example: ap(config-ssid)# disable-wmm
Purpose
• SSID-name—The SSID name.
Disables the WMM Advertise feature for the SSID specified in the previous step.
The no form of the command enables the WMM Advertise feature for the specified SSID.
Note WMM Advertise is enabled by default.
Enabling and Disabling Wireless Multicast Forwarding (WMF)
To enable or disable Wireless Multicast Forwarding(WMF) for a specific SSID, follow these steps from global configuration mode:
Note The WMF feature improves multicast traffic performance.
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] wmf
DETAILED STEPS
Step 1
Command or Action dot11 {ssid | guest-ssid}
[guest-SSID-number] SSID-name
Example: ap(config)# guestssid1 dot11 guest-ssid 1
Step 2 [no] wmf
Example: ap(config-ssid)# wmf
Purpose
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
Enables the WMF feature for the SSID specified in the previous step.
The no form of the command disables the WMF feature for the specified
SSID.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
227
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Configuring the Global Maximum Number of Clients
To set the global maximum number of clients that can connect to an AP, follow these steps from global configuration mode:
SUMMARY STEPS
1. configure terminal
2. global-max-clients number-of-clients
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Example: ap# configure terminal
Example: ap(config)#
global-max-clients number-of-clients
Example: ap(config)# global-max-clients 32
Purpose
Enters configuration mode.
Note To exit a configuration mode after completing configuration tasks, use the exit command .
Configures the maximum number of clients that can connect to an AP.
number-of-clients range: 1 to 128 clients
Configuring the Maximum Number of Clients for an SSID
To configure the maximum number of clients, follow these steps from global configuration mode:
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. max-associations number-of-clients
DETAILED STEPS
Step 1
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
228
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Step 2
Command or Action
Example: ap(config)# dot11 guest-ssid 1 guestssid1
Purpose
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
max-associations number-of-clients
Example: ap(config-ssid)# max-associations 24
Configures the maximum number of clients for the SSID specified in the previous step.
number-of-clients—Range is from 1 to 128 and the default value is 16.
Configuring Authentication Options
Use the authentication command to configure authentication options for a specific SSID. By default, network authentication is Open.
To configure the authentication options, follow these steps from global configuration mode:
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. authentication authentication-options
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
Example:
• ssid—The main SSID.
• guest-ssid—A guest SSID.
ap(config)# dot11 guest-ssid 1 guestssid1
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
authentication authentication-options
Example: ap(config-ssid)# authentication open
Configures authentication options for the SSID specified in the previous step.
Table 27: Authentication Command Options, on page 230
describes options for the authentication command.
The default authentication option is open.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
229
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Command or Action Purpose
What to Do Next
Table 27: Authentication Command Options, on page 230
describes options for the authentication command:
Table 27: Authentication Command Options
Option
Open authentication
Shared authentication
Syntax open shared ap(config-ssid)# shared authentication
Description
Configures open authentication.
Configures shared authentication.
802.1x Options
Authentication server port
RADIUS key
RADIUS server address
802.1x auth-port port-number Defines the UDP port for the RADIUS authentication server.
ap(config-ssid)# auth-port 2000 authentication 802.1x
Range: 0 to 65535
Default: 1812
802.1x key encryption-key ap(config-ssid)# authentication 802.1x
key ABC123ABC1
Defines the per-server encryption key.
Enter the server key in an unencrypted
(cleartext) form.
802.1x server server-IP-address Specifies a RADIUS server.
ap(config-ssid)# server 10.1.1.1
authentication 802.1x
WPA Authentication
Authentication server port
RADIUS key
WPA auth-port port-number Defines the UDP port for the RADIUS authentication server.
ap(config-ssid)# auth-port 2000 authentication WPA
Range: 0 to 65535
Default: 1812
WPA key encryption-key Defines the per-server encryption key.
ap(config-ssid)# authentication WPA key ABC123ABC1
Enter the server key in an unencrypted
(cleartext) form.
230
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Option
WPA Group Rekey Interval
RADIUS server address
WPA-PSK Authentication
WPA/WAPI passphrase
WPA Group Rekey Interval
WPA2 Authentication
Authentication server port
RADIUS key
WPA2 preauthentication
Configuring WLAN Using the CLI-based Interface
Syntax Description
WPA rekey-interval seconds ap(config-ssid)# authentication WPA rekey-interval 604800
Defines the authentication rekey interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
WPA server server-IP-address Specifies a RADIUS server.
ap(config-ssid)# server 10.1.1.1
authentication WPA
WPA-PSK passphrase password ap(config-ssid)# authentication
WPA-PSK passphrase MyPaSsWoRd
The passphrase for WPA-PSK.
Enter a cleartext/unencrypted WPA passphrase.
Range: 8 to 63 ASCII characters or 64 hexadecimal digits
WPA-PSK rekey-interval seconds ap(config-ssid)# authentication
WPA-PSK rekey-interval 604800
Defines the authentication rekey interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
WPA2 auth-port port-number ap(config-ssid)# authentication
WPA2 auth-port 2000
WPA2 key encryption-key ap(config-ssid)# authentication
WPA2 key ABC123ABC1
WPA2 preauth ap(config-ssid)#
WPA2 preauth authentication ap(config-ssid)#
WPA2 preauth no authentication
Defines the UDP port for the RADIUS authentication server.
Range: 0 to 65535
Default: 1812
Defines the per-server encryption key.
Enter the server key in an unencrypted
(cleartext) form.
Enables WPA2 preauthentication.
The no form of the command disables preauthentication.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
231
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Option
Network reauthorization interval
WPA Group Rekey Interval
RADIUS server address
WPA2-PSK Authentication
WPA/WAPI passphrase
WPA-PSK Group Rekey Interval
Syntax
WPA2 reauth-interval seconds ap(config-ssid)# authentication
WPA2 reauth-interval 604800
WPA2 rekey-interval seconds ap(config-ssid)# authentication
WPA2 rekey-interval 604800
WPA2 server server-IP-address ap(config-ssid)# authentication
WPA2 server 10.1.1.1
Description
Defines the WPA2 reauthorization interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the reauthorization interval to one week (604800 seconds).
Defines the authentication rekey interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
Specifies a RADIUS server.
WPA2-PSK passphrase password The passphrase for WPA2-PSK.
ap(config-ssid)# authentication
WPA2-PSK passphrase MyPaSsWoRd
Enter a cleartext/unencrypted WPA passphrase.
Range: 8 to 63 ASCII characters or 64 hexadecimal digits
WPA2-PSK rekey-interval seconds ap(config-ssid)# authentication
WPA2-PSK rekey-interval 604800
Defines the authentication rekey interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
Mixed WPA2/WPA Authentication
Authentication server port
RADIUS key
Mixed-WPA2-WPA auth-port port-number ap(config-ssid)# authentication
Mixed-WPA2-WPA auth-port 2000
Defines the UDP port for the RADIUS authentication server.
Range: 0 to 65535
Default: 1812
Mixed-WPA2-WPA key encryption-key ap(config-ssid)# authentication
Mixed-WPA2-WPA key ABC123ABC1
Defines the per-server encryption key.
Enter the server key in an unencrypted
(cleartext) form.
232
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Option
WPA2 preauthentication
Syntax
Mixed-WPA2-WPA preauth ap(config-ssid)# authentication
Mixed-WPA2-WPA preauth
Description
Enables WPA2 preauthentication.
The no form of the command disables preauthentication.
ap(config-ssid)# no authentication
Mixed-WPA2-WPA preauth
Mixed-WPA2-WPA reauth-interval Network reauthorization interval
WPA Group Rekey Interval
RADIUS server address ap(config-ssid)# authentication
Mixed-WPA2-WPA reauth-interval
604800
Mixed-WPA2-WPA rekey-interval seconds ap(config-ssid)# authentication
Mixed-WPA2-WPA rekey-interval
604800
Mixed-WPA2-WPA server server-IP-address
Defines the WPA2 reauthorization interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the reauthorization interval to one week (604800 seconds).
Defines the authentication rekey interval in seconds.
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
Specifies a RADIUS server.
ap(config-ssid)# authentication
Mixed-WPA2-WPA server 10.1.1.1
Mixed WPA2/WPA-PSK Authentication
Passphrase
WPA Group Rekey Interval
Mixed-WPA2-WPA-PSK passphrase password ap(config-ssid)# authentication
Mixed-WPA2-WPA-PSK passphrase
MyPaSsWoRd
The preshared passphrase for WiFi protected access.
Enter a clear WPA passphrase.
Range: 8 to 63 ASCII characters or 64 hexadecimal digits
WPA2-PSK rekey-interval seconds Defines the authentication rekey interval in seconds.
ap(config-ssid)# authentication
Mixed-WPA2-WPA-PSK rekey-interval
604800
Range: 0 to 2147483647 (seconds)
The example configures the rekey interval to one week (604800 seconds).
Configuring Encryption Options
To configure the encryption options for a specific SSID, follow these steps from global configuration mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
233
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. encryption mode encryption-options
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
Example: ap(config)# dot11 guest-ssid 1 guestssid1
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
encryption mode encryption-options
Example: ap(config-ssid)# encryption mode wep
Configures encryption options for the SSID specified in the previous step.
Table 28: Encryption Command Options, on page 234
describes options for the encryption mode command.
What to Do Next
Table 28: Encryption Command Options, on page 234
describes options for the encryption mode command:
Table 28: Encryption Command Options
Option
WEP encryption options
Syntax Description
234
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Option
Enable/Disable WEP encryption
Encryption strength
Current network key
Network key
WPA/WAPI Encryption Options
AES
Syntax Description
[no] encryption mode wep ap(config-ssid)# wep ap(config-ssid)# wep encryption mode no encryption mode wep encryption-strength [64bit | 128bit]
Enables WEP encryption. The no form of the command disables WEP encryption.
Note The WEP encryption default setting depends on the authentication option selected.
Open authentication—Default is disabled. Shared—Default is enabled; cannot disable.
802.1x—Default is enabled; cannot disable. WPA, WPA-PSK,
WPA2, WPA2-PSK, Mixed
WPA2/WPA, Mixed
WPA2/WPA-PSK—Default is disabled; cannot enable.
Configures the WEP encryption strength.
64bit—Specifies a 64-bit key.
ap(config-ssid)# encryption mode wep encryption-strength 64bit 128bit—Specifies a 128-bit key.
wep current-key key-number ap(config-ssid)# wep current-key 1 encryption mode
It is possible to configure four different network keys. This command determines which key to use currently.
key-number range: 1 to 4
wep key key-number key ap(config-ssid)# wep key 1 54321 encryption mode
Configures a network key.
key-number range: 1 to 4
key:
• For a 64-bit key:
5 ASCII characters or 10 hexadecimal digits
• For a 128-bit key:
13 ASCII characters or 26 hexadecimal digits aes ap(config-ssid)# encryption mode aes
Configures the encryption mode to AES.
Note AES is supported only under
WPA, WPA-PSK, WPA2,
WPA2-PSK, Mixed WPA2/WPA, or Mixed WPA2/WPA-PSK.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
235
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Option
TKIP+AES
Syntax tkip+aes ap(config-ssid)# tkip+aes encryption mode
Description
Configures the encryption mode to
TKIP+AES.
Note TKIP+AES is supported only under WPA, WPA-PSK, WPA2,
WPA2-PSK, Mixed WPA2/WPA, or Mixed WPA2/WPA-PSK.
Configuring the MAC Address Filter Access List
To add a MAC address to the access-list or to remove a MAC address from the access-list, follow these steps from global configuration mode :
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] access-list MAC-address
DETAILED STEPS
Step 1
Step 2
Command or Action
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Example: ap(config)# dot11 guest-ssid 1 guestssid1
Purpose
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
• ssid—The main SSID.
• guest-ssid—A guest SSID.
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
[no] access-list MAC-address
Example: ap(config-ssid)# access-list
AB:12:CD:34:EF:56
Example: ap(config-ssid)# no access-list
AB:12:CD:34:EF:56
Adds the MAC address to the access list for the SSID specified in the previous step.
MAC-address—Hexadecimal characters in the following format:
HH:HH:HH:HH:HH:HH
Note The no form of the command removes a MAC address from the access list.
236
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Configuring the MAC Address Filter Mode
To select the MAC address access list mode, follow these steps from global configuration mode:
SUMMARY STEPS
1. dot11 {ssid | guest-ssid} [guest-SSID-number] SSID-name
2. [no] mac-filter-mode [allow | deny]
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
dot11 {ssid | guest-ssid} [guest-SSID-number]
SSID-name
Enters SSID configuration mode for a specific SSID. The ap(config-ssid) prompt indicates SSID configuration mode.
Example:
• ssid—The main SSID.
• guest-ssid—A guest SSID.
ap(config)# dot11 guest-ssid 1 guestssid1
• guest-SSID-number—The guest SSID number. Use this only with the guest-ssid option.
• SSID-name—The SSID name.
[no] mac-filter-mode [allow | deny]
Example: ap(config-ssid)# mac-filter-mode allow
Configures the mode for the MAC address filter feature.
• allow—To allow MAC addresses on the access list to connect:
• deny—To deny MAC addresses on the access list from connecting:
Example:
Configuring Radio Channel
To configure channel options, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. channel {channel-number | least-congested} [timer minutes-before-next-scan]
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
237
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Example: ap(config)# interface Dot11Radio 0
channel {channel-number | least-congested}
[timer minutes-before-next-scan]
Configures a specific radio channel manually or selects automatic scanning; and configures the automatic scanning timer.
Example: ap(config-if)# timer 60 channel least-congested
• channel-number—Sets a specific channel. The channel-number range is 1 to11 for American models, or 1 to 13 for European models
• least-congested—Configures automatic scanning for the least congested channel, use the least-congested option and specify the number of minutes to wait before scanning again for the best channel.
• minutes-before-next-scan—Sets the timer for automatic scanning.
Range varies from 1 to 35791394.
Configuring 802.11n Options
To configure 802.11n options, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. [no] dot11n
3. dot11n rate
4. [no] dot11n protection
5. [no] dot11n n-client-only
6. [no] dot11n rifs
7. [no] dot11n [rx-pwr-save | rx-pwr-save quiet-time seconds| pps pps-value]
DETAILED STEPS
Step 1
Command or Action interface Dot11Radio 0
Example: ap(config)#
0 interface Dot11Radio
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
238
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Command or Action
[no] dot11n dot11n rate
Purpose
Configures 802.11n radio options.
Configures the 802.11n rate:
• rate range: 0 to 15.
Table 29: Rate Options for 802.11n, on page 239
describes the 802.11n rates for each rate value.
• 54g—Uses the 54g rate.
• auto—Selects a rate automatically.
[no] dot11n protection
[no] dot11n n-client-only
[no] dot11n rifs
[no] dot11n [rx-pwr-save |
rx-pwr-save quiet-time seconds|
pps pps-value]
Enables 802.11n protection.
Enables the 802.11n client-only mode, which limits the WLAN to clients using
802.11n:
Note When the 802.11n client-only option is enabled, clients are unable to connect to SSIDs with a WEP security setting. To enable the client to connect to the SSID, change the SSID security setting so that WEP is not configured. Alternatively, the client can connect to an SSID with non-WEP security settings.
Enables Reduced Inter-Frame Space (RIFS) advertisement.
Enables the RX Chain Power Save.
• seconds —Sets the RX Chain Power Save quiet time (time interval to wait before going into power save mode): The range is from 0 to
2147483647.
• pps-value — Sets the RX Chain Power Save packets per second (PPS) threshold. The range is from 0 to 2147483647 packets per second.
1
2
3
Value
0
What to Do Next
Table 29: Rate Options for 802.11n, on page 239
describes the rate options for 802.11n, as specified by rate in the dot11n rate command:
Table 29: Rate Options for 802.11n
Rate
MCS index 0, 6.5 Mbps
MCS index 1, 13 Mbps
MCS index 2, 19.5 Mbps
MCS index 3, 26 Mbps
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
239
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
11
12
9
10
13
14
15
6
7
8
Value
4
5
Rate
MCS index 4, 39 Mbps
MCS index 5, 52 Mbps
MCS index 6, 58.5 Mbps
MCS index 7, 65 Mbps
MCS index 8, 13 Mbps
MCS index 9, 26 Mbps
MCS index 10, 39 Mbps
MCS index 11, 52 Mbps
MCS index 12, 78 Mbps
MCS index 13, 104 Mbps
MCS index 14, 117 Mbps
MCS index 15, 130 Mbps
Configuring the 54g Mode
To set the 54g mode, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. 54g-mode [auto | dot11b-only | lrs | performance]
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
54g-mode [auto | dot11b-only | lrs | performance]
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the 54g mode.
• auto—54g auto mode. Accepts 802.11b, 802.11g, and 54g clients.
This option provides the widest compatibility.
240
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Command or Action
Example: ap(config-if)#
54g-mode auto
Purpose
• dot11b-only—Accepts only 802.11b clients.
• lrs—54g Limited Rate Support (LRS). Intended for legacy 802.11b
client support.
• performance—54g Performance mode. Accepts only 54g clients, provides the fastest performance with 54g certified equipment.
Configuring the 54g Preamble Type
To set the 54g preamble type, follow these steps from global configuration mode:
Note The preamble type can be set only when 802.11n is disabled (no dot11n) and 54g-mode is either auto or
dot11b-only.
SUMMARY STEPS
1. interface Dot11Radio 0
2. 54g-mode {auto | dot11b-only} preamble {short | long}
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Example: ap(config)# interface Dot11Radio 0
54g-mode {auto | dot11b-only} preamble {short | long}
Example: ap(config-if)#
54g-mode auto preamble long
Example: ap(config-if)# short
54g-mode dot11b-only preamble
Configures 54g preamble type.
• short—Short preamble. When there are no 802.11b clients, setting preamble type to short improves performance.
• long—Long preamble. When there are both 802.11g and
802.11b clients, set preamble type to long.
• 54g-mode must be either auto or dot11b-only.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
241
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Configuring the 54g Rate
To set the 54g transmission rate, follow these steps from global configuration mode:
Note The 54g rate can be set only when the 802.11n rate is configured to use 54g rate (dot11n rate 54g) or when 802.11n is disabled (no dot11n).
SUMMARY STEPS
1. interface Dot11Radio 0
2. 54g-rate {Mbps-rate |auto}
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
54g-rate {Mbps-rate |auto}
Example: ap(config-if)#
54g-rate 54
Example:
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the rate for 54g mode.
• Mbps-rate—specifies a rate in Mbps. The following values are possible:
• 1
• 2
• 5.5
• 6
• 9
• 11
• 12
• 18
• 24
• 36
• 48
• 54
• auto—Sets the 54g rate automatically.
242
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Configuring 54g Protection
To set 54g protection, follow these steps from global configuration mode:
Note 54g protection can be set only when 802.11n is disabled.
SUMMARY STEPS
1. interface Dot11Radio 0
2. 54g-protection
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
54g-protection
Example: ap(config-if)# 54g-protection
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Enables 54g protection.
• 54g-protection—Enables the RTS/CTS protection mechanism.
• no 54g-protection—Disables 54g protection.
Configuring the Multicast Rate
To set the multicast transmission rate, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. multicast-rate {Mbps-rate | auto}
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
243
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
multicast-rate {Mbps-rate | auto}
Example: ap(config-if)# multicast-rate 54
Example: ap(config-if)# multicast-rate auto
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
• 11
• 12
• 18
• 24
• 36
• 48
• 54
Configures the multicast rate.
Mbps-rate specifies a rate in Mbps. The following values are possible:
• 1
• 2
• 5.5
• 6
• 9
auto—Sets the multicast rate automatically.
Note When 802.11n is disabled (no dot11n) and 54g-mode is configured to 802.11b only (54g-mode dot11b-only), the only accepted rates are auto, 1, 2, 5.5, or 11 Mbps. Attempting to configure any other rate displays a warning message:
Configuring the Basic Rate
To set the basic transmission rate, which is the data rate that wireless clients should support, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. basic-rate {1 | 2 | all | default}
244
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0 basic-rate {1 | 2 | all | default}
Example: ap(config-if)# basic-rate 2
Example: ap(config-if)# basic-rate all
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the basic rate.
• 1—1 and 2 Mbps
• 2—1, 2, 5.5, 6, 11, 12, and 24 Mbps
• all—All rates
• default—1, 2, 5.5, and 11 Mbps
Configuring the Fragmentation Threshold
To set the fragmentation threshold, which is the maximum packet size (bytes) before data is fragmented, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. fragment-threshold threshold-in-bytes
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
fragment-threshold threshold-in-bytes
Example: ap(config-if)# fragment-threshold 2346
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the fragmentation threshold in bytes.
threshold-in-bytes range: 256 to 2346 bytes
Default value is 2346
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
245
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Configuring the RTS Threshold
To set the request-to-send (RTS) threshold, follow these steps from global configuration mode:
Note If an access point transmits a packet larger than the threshold, it will trigger CTS (clear-to-send) protection mode.
SUMMARY STEPS
1. interface Dot11Radio 0
2. rts-threshold threshold-in-bytes
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
rts-threshold threshold-in-bytes
Example: ap(config-if)# rts-threshold 2347
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the RTS threshold in bytes.
threshold-in-bytes—Range is from 0 to 2347 bytes. Default value is 2347
Configuring the DTIM Interval
To set the Delivery Traffic Indication Message (DTIM) interval, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. dtim-interval number-of-beacons
246
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
dtim-interval number-of-beacons
Example: ap(config-if)# dtim-interval 255
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the DTIM interval that is included in beacon frames to inform clients of when next to expect buffered data from the
AP.
number-of-beacons—Range is 1 to 255 beacons.
Default is 1
Configuring the Beacon Interval
To set the beacon interval, follow these steps from global configuration mode:
SUMMARY STEPS
1. interface Dot11Radio 0
2. beacon-interval number-of-milliseconds
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
beacon-interval number-of-milliseconds
Example: ap(config-if)# beacon-interval 65535
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the beacon interval.
number-of-milliseconds—range is 1 to 65535 milliseconds
(ms) and default value is 100 milliseconds.
Configuring the Radio Transmit Power
To set the radio transmit power for WLAN, follow these steps from global configuration mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
247
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
SUMMARY STEPS
1. interface Dot11Radio 0
2. tx-pwr power-percentage
DETAILED STEPS
Step 1
Step 2
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
tx-pwr power-percentage
Example: ap(config-if)# tx-pwr 60
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
Configures the transmit power, as a percentage of the maximum power.
power-percentage—specifies the power percentage. The following values are possible:
• 20
• 40
• 60
• 80
• 100
Configuring WMM Options
To configure WiFi Multimedia (WMM) options, follow these steps from global configuration mode :
SUMMARY STEPS
1. interface Dot11Radio 0
2. [no] wmm [auto | no-ack | apsd]
DETAILED STEPS
Step 1
Command or Action interface Dot11Radio 0
Example: ap(config)# interface Dot11Radio 0
Purpose
Enters radio interface mode, indicated by the ap(config-if) prompt.
248
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Step 2
Command or Action
[no] wmm [auto | no-ack | apsd]
Example: ap(config-if)# wmm
Purpose
Enable or Disables WMM.
• auto—Configures WMM auto mode:
• no-ack—Configures no-acknowledgement for WMM
• apsd—Enables Automatic Power Save Delivery (APSD) mode for WMM.
Note When WMM is in “Auto” mode, WMM APSD must be set to
“Enabled” to enable a client to use Power Save Mode. When WMM is in “Enabled” mode, the client can use Power Save Mode regardless of whether WMM APSD is “Enabled” or “Disabled”.
Displaying Current CLI Values and Keywords
Use the show ap-config command to display the current CLI values and keywords.
SUMMARY STEPS
1. show ap-config
DETAILED STEPS
Step 1
Command or Action show ap-config
Example: ap# show ap-config
Purpose
Displays the current CLI values and keywords.
What to Do Next
Example Configuration: Displaying Current CLI Values and Keywords
This example displays current CLI values and keywords.
ap# show ap-config global-max-clients 16 dot11 ssid Cisco860 no isolate-clients no wmf max-associations 16 no hide-ap no disable-wmm no mac-filter-mode authentication open no encryption mode wep exit
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
249
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface dot11 guest-ssid 1 Cisco860_Guest1 no isolate-clients no wmf max-associations 16 no hide-ap no disable-wmm no mac-filter-mode authentication open no encryption mode wep exit dot11 guest-ssid 2 Cisco860_Guest2 no isolate-clients no wmf max-associations 16 no hide-ap no disable-wmm no mac-filter-mode authentication open no encryption mode wep exit dot11 guest-ssid 3 Cisco860_Guest3 no isolate-clients no wmf max-associations 16 no hide-ap no disable-wmm no mac-filter-mode authentication open no encryption mode wep exit interface Dot11Radio 0 no shutdown ssid Cisco860 no guest-ssid 1 Cisco860_Guest1 no guest-ssid 2 Cisco860_Guest2 no guest-ssid 3 Cisco860_Guest3 dot11n channel least-congested timer 15 dot11n rate auto dot11n protection no dot11n n-client-only dot11n rifs no dot11n rx-pwr-save dot11n rx-pwr-save quiet-time 10 dot11n rx-pwr-save pps 10
54g-rate auto multicast-rate auto basic-rate default fragment-threshold 2346 rts-threshold 2347 dtim-interval 1 beacon-interval 100 tx-pwr 100 wmm no wmm no-ack wmm apsd exit interface BVI 1 ip address 10.10.10.2
255.255.255.248
no shutdown exit
Displaying Current Channel and Power Information
Use the show controllers Dot11Radio 0 command to display the current channel and power information.
SUMMARY STEPS
1. show controllers Dot11Radio 0
250
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Command or Action show controllers Dot11Radio 0
Example: ap# show controllers Dot11Radio 0
Purpose
Displays the current channel and power information.
What to Do Next
Example ap# show controllers Dot11Radio 0 interface Dot11Radio0
Beacon Interval(ms)
DTIM Interval(beacon)
Power Control:
Current Channel:
BSS Channel:
On, HW
11
11
: 100
: 1
BSS Local Max: 30.0 dBm
BSS Local Constraint: 0.0 dB
Channel Width:
User Target:
SROM Antgain 2G:
SROM Antgain 5G:
20MHz
31.75 dBm
2.0 dB
2.0 dB
SAR:
Current rate:
Regulatory Limits:
Rate
DSSS
OFDM
MCS0_7
VHT8_9SS1
DSSS_MULTI1
OFDM_CDD1
MCS0_7_CDD1
VHT8_9SS1_CDD1
-
[MCS15] ht mcs 15 Tx Exp 0 BW 20 sgi
Chains 20MHz
1
1
1
1
2
2
2
2
19.0
13.50
13.50
-
-
10.50
10.50
-
MCS0_7_STBC
VHT8_9SS1_STBC
MCS8_15
VHT8_9SS2
DSSS_MULTI2
OFDM_CDD2
MCS0_7_CDD2
2
2
2
2
3
3
3
-
-
-
10.50
-
10.50
-
VHT8_9SS1_CDD2
MCS0_7_STBC_SPEXP1
3
3
VHT8_9SS1_STBC_SPEXP1 3
MCS8_15_SPEXP1 3
VHT8_9SS2_SPEXP1
MCS16_23
3
3
VHT8_9SS3
Core Index:
Board Limits:
Rate
DSSS
OFDM
MCS0_7
VHT8_9SS1
DSSS_MULTI1
OFDM_CDD1
MCS0_7_CDD1
3
0
Chains 20MHz
1
1
1
1
2
2
2
-
-
-
-
-
-
-
17.50
17.50
17.50
-
17.50
17.50
17.50
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
251
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
VHT8_9SS1_CDD1
MCS0_7_STBC
VHT8_9SS1_STBC
MCS8_15
VHT8_9SS2
DSSS_MULTI2
OFDM_CDD2
MCS0_7_CDD2
VHT8_9SS1_CDD2
2
2
2
2
2
3
3
3
3
-
-
-
-
-
17.50
-
17.50
-
MCS0_7_STBC_SPEXP1 3
VHT8_9SS1_STBC_SPEXP1 3
MCS8_15_SPEXP1 3
VHT8_9SS2_SPEXP1
MCS16_23
VHT8_9SS3
Power Targets:
Rate
DSSS
3
3
3
OFDM
MCS0_7
-
-
-
-
-
-
Chains 20MHz
1 16.0
1
1
12.0
12.0
VHT8_9SS1
DSSS_MULTI1
OFDM_CDD1
MCS0_7_CDD1
VHT8_9SS1_CDD1
MCS0_7_STBC
VHT8_9SS1_STBC
MCS8_15
VHT8_9SS2
DSSS_MULTI2
1
2
2
2
2
2
2
2
2
3
8.0
8.0
9.0
9.0
8.0
9.0
8.0
-
9.0
8.0
OFDM_CDD2
MCS0_7_CDD2
VHT8_9SS1_CDD2
MCS0_7_STBC_SPEXP1
VHT8_9SS1_STBC_SPEXP1 3
MCS8_15_SPEXP1 3
VHT8_9SS2_SPEXP1 3
3
3
3
3
-
-
-
-
-
-
-
MCS16_23
VHT8_9SS3
3
3
-
-
Maximum Power Target among all rates: 16.0
16.0
Last est. power : 0.0
15.75
Power Target for the current rate : 16.0
16.0
Last adjusted est. power : 0.0
15.75
Power Percentage
Channel Status:
: 100
No scan in progress.
current mac channel target channel 11
11
Displaying Current Associated Clients
Use the show dot11 associations command to display the current associated clients.
SUMMARY STEPS
1. show dot11 associations
252
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Command or Action show dot11 associations
Example: ap# show dot11 associations
Purpose
Displays the current associated clients.
What to Do Next
Example: Displaying Current Associated Clients ap# show dot11 associations
Authenticated Associated
AA:BB:CC:11:22:33 yes
Authorized no
Interface
Dot11Radio0
Displaying the SSID to BSSID Mapping
Each SSID has an associated BSSID. Use the show dot11 bssid command to display the SSID to BSSID mapping.
SUMMARY STEPS
1. show dot11 bssid
DETAILED STEPS
Step 1
Command or Action show dot11 bssid
Example: ap# show dot11 bssid
Purpose
Displays the SSID to BSSID mapping.
What to Do Next
Example: Displaying the SSID to BSSID Mapping ap# show dot11 bssid
Interface
Dot11Radio0
Dot11Radio0
BSSID Guest
A4:93:4C:01:7A:9A No
A4:93:4C:01:7A:9B Yes
Dot11Radio0
Dot11Radio0
A4:93:4C:01:7A:9C Yes
A4:93:4C:01:7A:9D Yes
SSID
Cisco860
Cisco860_Guest1
Cisco860_Guest2
Cisco860_Guest3
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
253
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Displaying the Tx/Rx Statistics
Use the show dot11 statistics command to display the current transmit/receive (tx/rx) statistics for Dot11Radio
0 interface.
SUMMARY STEPS
1. show dot11 statistics
DETAILED STEPS
Step 1
Command or Action show dot11 statistics
Example: ap# show dot11 statistics
Purpose
Displays the current tx/rx statistics for Dot11Radio 0 interface.
What to Do Next
Example: Displaying the Tx/Rx Statistics ap# show dot11 statistics rx bytes rx pkts rx errs rx drops tx bytes tx pkts tx errs tx drops
Dot11Radio0 0 0 0 0 12824 94 0 0
Displaying the BVI 1 Interface Details
Use the show interfaces BVI 1 command to display BVI 1 interface details. Details include the IP address of the router.
Tip After changing the IP address used for accessing the router, this command can be used to confirm the change. See
Setting the IP Address for the Web-based Interface, on page 221
.
SUMMARY STEPS
1. show interfaces BVI 1
254
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
DETAILED STEPS
Step 1
Command or Action show interfaces BVI 1
Example: ap# show interfaces BVI 1
Purpose
Displays the current BVI 1 interface details.
What to Do Next
Example: Displaying the BVI 1 Interface Details
This example displays BVI 1 interface details.
ap# show interfaces BVI 1
BVI1
Link encap:Ethernet HWaddr AA:11:BB:22:CC:33 inet addr:10.10.10.2
Bcast:10.10.10.7
Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:260 multicast:86 unicast:0 broadcast:174
RX errors:0 dropped:0 overruns:0 frame:0
TX packets:21 multicast:0 unicast:21 broadcast:0
TX errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
RX bytes:46642 (45.5 KiB) TX bytes:1260 (1.2 KiB)
RX multicast bytes:32164 (31.4 KiB) TX multicast bytes:0 (0.0 B)
Displaying Dot11Radio 0 Interface Information
Use the show interfaces Dot11Radio 0 command to display Dot11Radio 0 interface information.
SUMMARY STEPS
1. show interfaces Dot11Radio 0
DETAILED STEPS
Step 1
Command or Action show interfaces Dot11Radio 0
Example: ap# show interfaces Dot11Radio 0
Purpose
Displays the current Dot11Radio 0 interface information.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
255
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Example: Displaying Dot11Radio 0 Interface Information
This example displays Dot11Radio 0 interface information.
ap# show interfaces Dot11Radio 0
Dot11Radio0
Link encap:Ethernet HWaddr AA:11:BB:22:CC:33
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 multicast:0 unicast:0 broadcast:0
RX errors:0 dropped:0 overruns:0 frame:160876
TX packets:267 multicast:86 unicast:0 broadcast:181
TX errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:52150 (50.9 KiB)
RX multicast bytes:0 (0.0 B) TX multicast bytes:0 (0.0 B)
Interrupt:15 Base address:0x4000
Displaying Brief Details for All Interfaces
Use the show ip interface brief command to display brief details for all interfaces.
SUMMARY STEPS
1. show ip interface brief
DETAILED STEPS
Step 1
Command or Action show ip interface brief
Example: ap# show ip interface brief
Purpose
Displays brief details for all interfaces.
What to Do Next
Example: Displaying Brief Details for All Interfaces
In the output, the Method column indicates whether the interface was user-configured or configured by DHCP.
ap# show ip interface brief
Interface IP-Address
Dot11Radio0
BVI1 unassigned
10.10.10.2
OK? Method Status
YES NVRAM up
YES NVRAM up
Protocol up up
Displaying CPU Statistics
Use the show processes cpu command to display CPU utilization statistics.
256
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
SUMMARY STEPS
1. show processes cpu
DETAILED STEPS
Step 1
Command or Action show processes cpu
Example: ap# show processes cpu
Purpose
Displays CPU utilization statistics.
Example: Displaying CPU Statistics ap# show processes cpu
CPU: 0% usr 0% sys 0% nic 90% idle 0% io 0% irq 9% sirq
Showing a Summary of Memory Usage
Use the show memory summary command to display details of current memory usage.
SUMMARY STEPS
1. show memory summary
DETAILED STEPS
Step 1
Command or Action show memory summary
Example: ap# show memory summary
Purpose
Displays details of current memory usage.
What to Do Next
Example: Showing a Summary of Memory Usage ap# show memory summary
Total(kB) Used(kB) Free(kB)
Processor 88052 44212 43840
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
257
Configuring Wireless Devices
Configuring WLAN Using the CLI-based Interface
Pinging an Address
Use the ping command to test connectivity with a specific address.
SUMMARY STEPS
1. ping {IP-address | hostname}
DETAILED STEPS
Step 1
Command or Action
ping {IP-address | hostname}
Example: ap# ping 10.0.0.0
Purpose
Tests connectivity to the specified IP address or host name.
Entering the ping command with an address specified indicates the round trip time in milliseconds for several transmissions of a small datagram.
Entering the ping command without specifying an address starts the interactive mode of the command, enabling you to enter the target address, the transmission repeat count, and the datagram size.
Changing the Administrator Password
Use the password command to change the administrator password.
Note The default login credentials are: User name: admin Password: admin When logging in for the first time, the router prompts you to change the default password.
SUMMARY STEPS
1. password old-password new-password confirm-password
DETAILED STEPS
Step 1
Command or Action Purpose
password old-password new-password confirm-password
Example:
Changes the administrator password. Note that the command requires entering the new password twice to confirm the exact text of the new password.
ap# password admin AbCdE123# AbCdE123#
258
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Wireless Device
Configuring the Number of Lines on Screen
Use the terminal length command to configure the number of lines displayed on the screen.
SUMMARY STEPS
1. terminal length number-of-lines
DETAILED STEPS
Step 1
Command or Action
terminal length number-of-lines
Example: ap# terminal length 40
Purpose
Sets the number of lines displayed on the screen.
number-of-lines range: 0 to 512
A value of 0 specifies that the display does not pause for scrolling.
What to Do Next
Administering the Wireless Device
This module describes the following wireless device administration tasks:
Securing Access to the Wireless Device
This section provides information about performing the following tasks to secure access to the wireless device:
Disabling the Mode Button Function
Caution This command disables password recovery. If you lose the privileged EXEC mode password for the access point after entering this command, you must contact the Cisco Technical Assistance Center (TAC) to regain access to the access point CLI.
Note To reboot the wireless device, use the service-module wlan-ap reset command from the router’s Cisco
IOS CLI. See the
Rebooting the Wireless Device, on page 277
for information about this command.
The mode button is enabled by default. To disable the access point’s mode button, follow these steps, beginning in privileged EXEC mode:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
259 OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
SUMMARY STEPS
1. configure terminal
2. no boot mode-button
3. end
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal no boot mode-button end
Purpose
Enters global configuration mode.
Disables the access point’s mode button.
Returns to privileged EXEC mode.
Note It is not necessary to save the configuration.
Dispaying the mode-button status
You can check the status of the mode button by executing the show boot or show boot mode-button command in privileged EXEC mode. The status does not appear in the running configuration. The following example shows typical responses to the show boot and show boot mode-button commands: ap# show boot
BOOT path-list: flash:/c1200-k9w7-mx-v123_7_ja.20050430/c1200-k9w7-mx.v123_7_ja.20050430
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: no
Manual boot: no
Mode button: on
Enable IOS break: no
HELPER path-list:
NVRAM/Config file buffer size: 32768 ap# show boot mode-button on ap#
Note As long as the privileged EXEC password is known, you can use the boot mode-button command to restore the mode button to normal operation.
Preventing Unauthorized Access to Your Access Point
You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want the network administrators to have access to the wireless device while restricting access to users who connect through a terminal or workstation from within the local network.
To prevent unauthorized access to the wireless device, configure one of these security features:
260
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Note The characters TAB, ?, $, +, and [ are invalid characters for passwords.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged in to a network device.
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS Security
Command Reference for Release 12.4
This section describes how to control access to the configuration file and privileged EXEC commands. It contains the following configuration information:
Configuring Default Password and Privilege Level
Table 30: Default Passwords and Privilege Levels , on page 261
shows the default password and privilege level configuration.
Table 30: Default Passwords and Privilege Levels
Privilege Level
Username and password
Enable password and privilege level
Enable secret password and privilege level
Line password
Default Setting
Default username is Cisco, and the default password is Cisco.
Default password is Cisco. The default is level 15 (privileged
EXEC level). The password is encrypted in the configuration file.
Default enable password is Cisco. The default is level 15
(privileged EXEC level). The password is encrypted before it is written to the configuration file.
Default password is Cisco. The password is encrypted in the configuration file.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode.
Note The no enable password command, in global configuration mode, removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the privileged EXEC mode.
To set or change a static enable password, follow these steps, beginning in privileged EXEC mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
261
Configuring Wireless Devices
Securing Access to the Wireless Device
SUMMARY STEPS
1. configure terminal
2. enable password password
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal
enable password password
Purpose
Enters global configuration mode.
Defines a new password or changes an existing password for access to privileged EXEC mode.
• The default password is Cisco.
• password —A string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. The characters TAB, ?, $, +, and [ are invalid characters for passwords.
end show running-config
Returns to privileged EXEC mode.
Verifies your entries.
copy running-config startup-config (Optional) Saves your entries in the configuration file.
What to Do Next
The enable password is not encrypted and can be read in the wireless device configuration file.
Configuration Example: Changing a Static Enable Password
The following example shows how to change the enable password to l1u2c3k4y5 . The password is not encrypted and provides access to level 15 (standard privileged EXEC mode access):
AP(config)# enable password l1u2c3k4y5
Protecting Enable and Enable Secret Passwords with Encryption
To configure encryption for enable and enable secret passwords, follow these steps, beginning in privileged
EXEC mode:
262
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Note It is recommend that you use the enable secret command because it uses an improved encryption algorithm.If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
SUMMARY STEPS
1. configure terminal
2.
• enable password [level level] {password | encryption-type encrypted-password or
• enable secret [level level] {password | encryption-type encrypted-password
3. service password-encryption
4. end
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action configure terminal
Purpose
Enters global configuration mode.
• enable password [level level]
{password | encryption-type encrypted-password or
Defines a new password or changes an existing password for access to privileged
EXEC mode.
or
Defines a secret password, which is saved using a nonreversible encryption method.
• enable secret [level level]
{password | encryption-type encrypted-password
• level —(Optional) Range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
• password —A string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
• encryption-type —(Optional) Only type 5. Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from anotheraccess point wireless device configuration.
service password-encryption end
Note If you specify an encryption type and then enter a clear text password, you cannot reenter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
(Optional) Encrypts the password when the password is defined or when the configuration is written.
Encryption prevents the password from being readable in the configuration file.
Returns to privileged EXEC mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
263
Configuring Wireless Devices
Securing Access to the Wireless Device
Step 5
Command or Action Purpose copy running-config startup-config (Optional) Saves your entries in the configuration file.
Configuration Example: Enable Secret Passwords
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
AP(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Configuring Username and Password Pairs
Configure username and password pairs, which are locally stored on the wireless device. These pairs are assigned to lines or interfaces, and they authenticate each user before the user can access the wireless device.
If you have defined privilege levels, assign a specific privilege level (with associated rights and privileges) to each username and password pair.
To establish a username-based authentication system that requests a login username and a password, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. username name [privilege level] {password encryption-type password }
3. login local
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
Purpose
Enters global configuration mode.
username name [privilege level]
{password encryption-type
password }
Enters the username, privilege level, and password for each user.
• name—Specifies the user ID as one word. Spaces and quotation marks are not allowed.
• level —(Optional) Specifies the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access.
Level 1 gives user EXEC mode access.
• encryption-type —Enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.
264
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Command or Action
Step 3
Step 4
Step 5
Step 6 login local end show running-config copy running-config startup-config
Purpose
• password —The password the user must enter to gain access to the wireless device. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Enables local password checking at login time. Authentication is based on the username specified in Step 2.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Note You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device. If you enter no username for the only username, you can be locked out of the wireless device.
Configuring Multiple Privilege Levels
By default, Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
For example, for many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. For more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
This section includes this configuration information:
Setting the Privilege Level for a Command
To set the privilege level for a command mode, follow these steps, beginning in privileged EXEC mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
265
Configuring Wireless Devices
Securing Access to the Wireless Device
SUMMARY STEPS
1. configure terminal
2. privilege mode level level command
3. enable password level level password
4. end
5.
• show running-config or
• show privilege
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
privilege mode level level command
Step 3
Step 4
Step 5
Step 6
enable password level level password end
• show running-config or
• show privilege copy running-config startup-config
Purpose
Enters global configuration mode.
Sets the privilege level for a command.
• mode —Enter configure for global configuration mode, exec for EXEC mode,
interface for interface configuration mode, or line for line configuration mode.
• level —Range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
• command —Specifies the command to which access is restricted.
Specifies the enable password for the privilege level.
• level —Range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
• password —A string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Note The characters TAB, ?, $, +, and [ are invalid characters for passwords.
Returns to privileged EXEC mode.
Verifies your entries.
The show running-config command displays the password and access level configuration.
The show privilege command displays the privilege level configuration.
(Optional) Saves your entries in the configuration file.
266
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Configuring Multiple Privilege Levels
Note When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels. To return to the default privilege for a given command, use the no privilege
mode level level command command in global configuration mode.
Logging Into and Exiting a Privilege Level
To log in to a specified privilege level or to exit to a specified privilege level, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. enable level
2. disable level
DETAILED STEPS
Step 1
Step 2
Command or Action
enable level
disable level
Purpose
Logs in to a specified privilege level.
level — The privilege range is from 0 to 15.
Exits to a specified privilege level.
Controlling Access Point Access with RADIUS
This section describes how to control administrator access to the wireless device by using Remote
Authentication Dial-In User Service (RADIUS). For complete instructions on configuring the wireless device to support RADIUS, see the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points.
RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through authentication, authorization, and accounting
(AAA) and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see “Cisco IOS Security
Command Reference” .
RADIUS configuration tasks are described in the following sections:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
267
Configuring Wireless Devices
Securing Access to the Wireless Device
RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users who are accessing the wireless device through the CLI.
To configure AAA authentication, define a named list of authentication methods and then apply the list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You can designate one or more security protocols for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
Configuring RADIUS Login Authentication
To configure login authentication, follow these steps, beginning in privileged EXEC mode. This procedure is required.
SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication login {default |list-name } method1 [ method2...
4. line [console | tty | vty] line-number [ending-line-number
5. login authentication {default | list-name
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal
Purpose
Enters global configuration mode.
aaa new-model Enables AAA.
aaa authentication login {default
|list-name } method1 [ method2...
Creates a login authentication method list.
• To create a default list that is used when a named list is not specified in the
login authentication command, use the default keyword followed by the
268
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action Purpose methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
• list-name—A character string to name the list you are creating.
• method1... —Specifies the actual method the authentication algorithm tries.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Select one of these methods:
• local—Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command.
• radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host” section of the “Configuring
Radius and TACACS+ Servers” chapter in Cisco IOS Software Configuration
Guide for Cisco Aironet Access Points.
line [console | tty | vty]
line-number [ending-line-number
Enters line configuration mode, and configures the lines to which the authentication list applies.
login authentication {default | list-name
Applies the authentication list to a line or set of lines.
• If you specify default, use the default list that you created with the aaa
authentication login command.
• list-name —Specifies the list that you created with the aaa authentication
login command.
end show running-config copy running-config startup-config
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Defining AAA Server Groups
You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. Select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups can also include multiple host entries for the same server if each entry has a unique identifier
(the combination of the IP address and UDP port number), allowing different ports to be individually defined
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
269
Configuring Wireless Devices
Securing Access to the Wireless Device as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same
RADIUS server for the same service (such as accounting), the second configured host entry acts as a failover backup to the first one.
You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
Configuring AAA Server Group
To define the AAA server group and associate a particular RADIUS server with it, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. radius-server host {hostname | ip-address } [auth-port port-number ] [acct-port port-number ] [timeout
seconds ] [retransmit retries ] [key string ]
4. aaa group server radius group-name
5. server ip-address
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal aaa new-model
Purpose
Enters global configuration mode.
Enables AAA.
radius-server host {hostname
| ip-address } [auth-port
port-number ] [acct-port
port-number ] [timeout
seconds ] [retransmit retries ]
[key string ]
Specifies the IP address or hostname of the remote RADIUS server host.
• auth-port port-number—(Optional) Specifies the user datagram protocol (UDP) destination port for authentication requests.
• acct-port port-number—(Optional) Specifies the UDP destination port for accounting requests.
• timeout seconds —(Optional) The time interval that the wireless device waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting.
If no timeout is set with the radius-server host command, the setting of the
radius-server timeout command is used.
• retransmit retries—(Optional) The number of times that a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.
270
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action aaa group server radius group-name
server ip-address end show running-config copy running-config startup-config
Purpose
• key string —(Optional) Specifies the authentication and encryption key used between the wireless device and the RADIUS daemon running on the RADIUS server.
Note The key is a text string that must match the encryption key that is used on the
RADIUS server. Always configure the key as the last item in the radius-server
host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
To configure the wireless device to recognize more than one host entry that is associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The wireless device software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Defines the AAA server-group with a group name.
This command puts the wireless device in a server group configuration mode.
Associates a particular RADIUS server with the defined server group.
• Repeat this step for each RADIUS server in the AAA server group.
• Each server in the group must be previously defined in Step 2.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Enable RADIUS login authentication: See the “Configuring RADIUS Login Authentication” section of the
“Configuring Radius and TACACS+ Servers” chapter in Cisco IOS Software Configuration Guide for Cisco
Aironet Access Points for information to enable RADIUS login authentication.
Configuration Example: AAA Group
In the following is example, the wireless device is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server, which are configured for the same services. The second host entry acts as a failover backup to the first entry.
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
AP(config)# aaa group server radius group1
AP(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
AP(config-sg-radius)# exit
AP(config)# aaa group server radius group2
AP(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
AP(config-sg-radius)# exit
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
271
Configuring Wireless Devices
Securing Access to the Wireless Device
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services that are available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user session. The user is granted access to a requested service only if the user profile allows it.
You can use the aaa authorization command in global configuration mode with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.
• Use the local database if authentication was not performed by using RADIUS.
Note Authorization is bypassed for authenticated users who log in through the CLI, even if authorization has been configured.
Configuring RADIUS Authorization for User Privileged Access and Network Services
To specify RADIUS authorization for privileged EXEC access and network services, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. aaa authorization network radius
3. aaa authorization exec radius
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action configure terminal aaa authorization network radius aaa authorization exec radius end
Purpose
Enters global configuration mode.
Configures the wireless device for user RADIUS authorization for all network-related service requests.
Configures the wireless device for user RADIUS authorization to determine whether the user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Returns to privileged EXEC mode.
272
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Step 5
Step 6
Command or Action show running-config copy running-config startup-config
Purpose
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config command in privileged EXEC mode.
Controlling Access Point Access with TACACS+
This section describes how to control administrator access to the wireless device using Terminal Access
Controller Access Control System Plus (TACACS+). For complete instructions on configuring the wireless
.
device to support TACACS+, see Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS Security
Command Reference .
These sections describe TACACS+ configuration information.
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application.
When enabled, TACACS+ can authenticate administrators who are accessing the wireless device through the
CLI.
To configure AAA authentication, you define a named list of authentication methods and then apply the list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any defined authentication methods are performed. The only exception is the default method list (which is named default ). The default method list is automatically applied to all interfaces, except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be used to authenticate a user. You can designate one or more security protocols for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users. If that method fails to respond, the software selects the next authentication method in the method list. This process continues
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
273
Configuring Wireless Devices
Securing Access to the Wireless Device until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—that is, the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
Configuring TACACS+ Login Authentication
To configure login authentication, follow these steps, beginning in privileged EXEC mode. This procedure is required.
SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication login {default | list-name } method1 [ method2...
4. line [console | tty | vty] line-number [ending-line-number
5. login authentication {default | list-name
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal
Purpose
Enters global configuration mode.
Enables AAA.
aaa new-model aaa authentication login {default
| list-name } method1 [ method2...
Creates a login authentication method list.
• To create a default list that is used when a named list is not specified in the
login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
• list-name —A character string to name the list you are creating.
• method1... —Specifies the actual method the authentication algorithm tries.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Select one of these methods:
• local—Use the local username database for authentication. You must enter username information into the database. Use the username password command in global configuration mode.
• tacacs+—Use TACACS+ authentication. You must configure the
TACACS+ server before you can use this authentication method.
274
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Securing Access to the Wireless Device
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action
line [console | tty | vty]
line-number [ending-line-number
login authentication {default | list-name
Purpose
Enters line configuration mode, and configures the lines to which the authentication list applies.
Applies the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa
authentication login command.
• list-name —Specifies the list created with the aaa authentication login command.
end show running-config copy running-config startup-config
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
To disable AAA, use the no aaa new-model command in global configuration mode. To disable AAA authentication, use the no aaa authentication login {default | list-name } method1 [method2... ] command in global configuration mode. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name } command in line configuration mode.
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the wireless device uses information retrieved from the user profile, which is located either in the local user database or on the security server, to configure the user session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization command in global configuration mode with the tacacs+ keyword to set parameters that restrict a user network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
To specify TACACS+ authorization for privileged EXEC access and network services, follow these steps, beginning in privileged EXEC mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
275
Configuring Wireless Devices
Administering the Access Point Hardware and Software
SUMMARY STEPS
1. configure terminal
2. aaa authorization network tacacs+
3. aaa authorization exec tacacs+
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal aaa authorization network tacacs+ aaa authorization exec tacacs+ end show running-config copy running-config startup-config
Purpose
Enters global configuration mode.
Configures the wireless device for user TACACS+ authorization for all network-related service requests.
Configures the wireless device for user TACACS+ authorization to determine whether the user has privileged EXEC access.
The exec keyword might return user profile information (such as
autocommand information).
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs command in privileged EXEC mode.
Administering the Access Point Hardware and Software
This section contains information on performing the following tasks:
Administering the Wireless Hardware and Software
This section provides instructions for performing the following tasks:
276
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Resetting the Wireless Device to the Factory Default Configuration
To reset the wireless device hardware and software to its factory default configuration, use the service-module
wlan-ap0 reset default-config command in the router’s Cisco IOS privileged EXEC mode.
Caution Because you may lose data, use only the service-module wlan-ap0 reset command to recover from a shutdown or failed state.
Rebooting the Wireless Device
To perform a graceful shutdown and reboot the wireless device, use the service-module wlan-ap0 reload command in the router’s Cisco IOS privileged EXEC mode. At the confirmation prompt, press Enter to confirm the action, or enter n to cancel.
When running in autonomous mode, the reload command saves the configuration before rebooting. If the attempt is unsuccessful, the following message displays:
Failed to save service module configuration.
When running in Lightweight Access Point Protocol (LWAPP) mode, the reload function is typically handled by the wireless LAN controller (WLC). If you enter the service-module wlan-ap0 reload command, you will be prompted with the following message:
The AP is in LWAPP mode. Reload is normally handled by WLC controller.
Still want to proceed? [yes]
Monitoring the Wireless Device
This section provides commands for monitoring hardware on the router for displaying wireless device statistics and wireless device status.
Use the service-module wlan-ap0 statistics command in privileged EXEC mode to display wireless device statistics. The following is sample output for the command:
CLI reset count = 0
CLI reload count = 1
Registration request timeout reset count = 0
Error recovery timeout reset count = 0
Module registration count = 10
The last IOS initiated event was a cli reload at *04:27:32.041 UTC Fri Mar 8 2007
Use the service-module wlan-ap0 status command in privileged EXEC mode to display the status of the wireless device and its configuration information. The following is sample output for the command:
Service Module is Cisco wlan-ap0
Service Module supports session via TTY line 2
Service Module is in Steady state
Service Module reset on error is disabled
Getting status from the Service Module, please wait..
Image path = flash:c8xx_19xx_ap-k9w7-mx.acregr/c8xx_19xx_ap-k9w7-mx.acre
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
277
Configuring Wireless Devices
Administering the Access Point Hardware and Software gr
System uptime = 0 days, 4 hours, 28 minutes, 5 seconds
Router#d was introduced for embedded wireless LAN access points on Integrated Services
Routers.
Managing the System Time and Date
You can manage the system time and date on the wireless device automatically, by using the Simple Network
Time Protocol (SNTP), or manually, by setting the time and date on the wireless device.
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS
Configuration Fundamentals Command Reference for Release 12.4 .
This section provides the following configuration information:
Understanding Simple Network Time Protocol
Simple Network Time Protocol (SNTP) is a simplified, client-only version of NTP. SNTP can only receive the time from NTP servers; it cannot provide time services to other systems. SNTP typically provides time within 100 milliseconds of the accurate time, but it does not provide the complex filtering and statistical mechanisms of NTP.
You can configure SNTP to request and accept packets from configured servers or to accept NTP broadcast packets from any source. When multiple sources are sending NTP packets, the server with the best stratum is selected. Click this URL for more information on NTP and strata: http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001075 http://www.cisco.com/en/US/docs/ios/12_1/configfun/configuration/guide/fcd303.html#wp1001075
If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected. SNTP chooses a new server only if the client stops receiving packets from the currently selected server, or if (according to the above criteria) SNTP discovers a better server.
Configuring SNTP
SNTP is disabled by default. To enable SNTP on the access point, use one or both of the commands listed in
Table 31: SNTP Commands, on page 278
in global configuration mode.
Table 31: SNTP Commands
Command Purpose
sntp server {address | hostname} [version number] Configures SNTP to request NTP packets from an
NTP server.
sntp broadcast client Configures SNTP to accept NTP packets from any
NTP broadcast server.
278
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the access point.
If you enter both the sntp server command and the sntp broadcast client command, the access point accepts time from a broadcast server but prefers time from a configured server, if the strata are equal. To display information about SNTP, use the show sntp EXEC command.
Time and Date Manual Configuration
If no other source of time is available, you can manually configure the time and date after restsarting the system. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the wireless device can synchronize, you do not need to manually set the system clock.
You have the options to configure the system clock, time zone and summer time.
Conffiguring Time and Date
To set the system clock manually , follow these steps, beginning in privileged EXEC mode:
Note If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
SUMMARY STEPS
1. clock set hh:mm:ss day month year
2. clock timezone zone hours-offset minutes-offset
3. clock summer-time zone recurring [ week day month hh:mm week day month hh:mm [ offset ]]
4.
• clock summer-time zone date [ month date year hh:mm month date year hh:mm [ offset ]] or
• clock summer-time zone date [ date month year hh:mm date month year hh:mm [ offset ]]
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
clock set hh:mm:ss day month year
Example: clock set hh
: mm
: ss month day year
Purpose
Manually sets the system clock by using one of these formats:
• hh:mm:ss —Specifies the time in hours (24-hour format), minutes, and seconds.
The time specified is relative to the configured time zone.
• day—Specifies the day by date in the month.
• month—Specifies the month by its full name.
• year—Specifies the year in four digits (no abbreviation).
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
279
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Step 2
Command or Action Purpose
clock timezone zone hours-offset minutes-offset
Sets the time zone.
Note The wireless device keeps internal time in universal time coordinated (UTC).
Use this command only for display purposes and when the time is manually set.
• zone—Enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
• hours-offset—Enter the hours offset from UTC.
• minutes-offset—(Optional) Enter the minutes offset from UTC. The minutes-offset variable in the clock timezone command in global configuration mode is available for situations where a local time zone is a percentage of an hour different from
UTC.
Step 3 clock summer-time zone
recurring [ week day month
hh:mm week day month hh:mm [
offset ]]
(Optional) Configures summer time to start and end on the specified days every year.
The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
• zone —Specifies the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• week —(Optional) Specifies the week of the month (1 to 5 or last).
• day —(Optional) Specifies the day of the week (for example, Sunday).
• month —(Optional) Specifies the month (for example, January).
• hh:mm —(Optional) Specifies the time (24-hour format) in hours and minutes.
• offset —(Optional) Specifies the number of minutes to add during summer time.
The default is 60.
Step 4
• clock summer-time zone
date [ month date year
hh:mm month date year
hh:mm [ offset ]] or
• clock summer-time zone
date [ date month year
hh:mm date month year
hh:mm [ offset ]]
(Optional) Sets summer time if there is no recurring pattern. Configures summer time to start on the first date and end on the second date. The first part of the clock
summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
Summer time is disabled by default.
• zone—Specifies the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
• week —(Optional) Specifies the week of the month (1 to 5 or last).
280
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Command or Action
Step 5
Step 6
Step 7 end show running-config copy running-config startup-config
Purpose
• day —(Optional) Specifies the day of the week (for example, Sunday).
• month —(Optional) Specifies the month (for example, January).
• hh:mm —(Optional) Specifies the time (24-hour format) in hours and minutes.
• offset —(Optional) Specifies the number of minutes to add during summer time.
The default is 60.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Note To display the time and date configuration, use the show clock [detail] command in privileged EXEC mode. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid. The symbol that precedes the show clock display has this meaning:
Example Configuration : Time and Date
This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
AP(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26,
2001, at 02:00:
AP(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
Configuring a System Name and Prompt
Configure the system name on the wireless device to identify it. By default, the system name and prompt are
ap .
If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt command in global configuration mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
281
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS
Configuration Fundamentals Command Reference and Cisco IOS IP Addressing Services Command
Reference .
This section contains the following configuration information:
Configuring a System Name
To manually configure a system name, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. hostname name
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
hostname name
Step 3
Step 4
Step 5 end show running-config copy running-config startup-config
Purpose
Enters global configuration mode.
Manually configures a system name.
The default setting is ap .
Note
Note
When you change the system name, the wireless device radios are reset, and associated client devices disassociate and quickly re-associate.
You can enter up to 63 characters for the system name. However, when the wireless device identifies itself to client devices, it uses only the first
15 characters in the system name. If it is important for client users to distinguish between devices, make sure that a unique portion of the system name appears in the first 15 characters.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
Understanding DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on the wireless device, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
282
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Access Point Hardware and Software
.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems, Inc. is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com . A specific device in this domain, such as the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
This section contains the following configuration information:
Default DNS Configuration
Table 32: Default DNS Configuration , on page 283
describes the default DNS configuration.
Table 32: Default DNS Configuration
Feature
DNS enable state
DNS default domain name
DNS servers
Default Setting
Disabled.
None configured.
No name server addresses are configured.
Setting Up DNS
To set up the wireless device to use the DNS, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. ip domain-name name
3. ip name-server server-address1 [ server-address2 ... server-address6
4. ip domain-lookup
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
ip domain-name name
Purpose
Enters global configuration mode.
Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).
Do not include the initial period that separates an unqualified name from the domain name.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
283
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Step 3
Step 4
Step 5
Step 6
Step 7
Command or Action Purpose
At boot time, no domain name is configured. However, if the wireless device configuration comes from a BOOTP or DHCP server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).
ip name-server server-address1
[ server-address2 ... server-address6
Specifies the address of one or more name servers to use for name and address resolution.
You can specify up to six name servers. Separate server addresses with a space. The first server specified is the primary server. The wireless device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
ip domain-lookup end
(Optional) Enables DNS-based hostname-to-address translation on the wireless device. This feature is enabled by default.
If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
Returns to privileged EXEC mode.
show running-config copy running-config startup-config
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
If you use the wireless device IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name command in global configuration mode. If there is a period (.) in the hostname, Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
To remove a domain name, use the no ip domain-name name command in global configuration mode. To remove a name server address, use the no ip name-server server-address command in global configuration mode. To disable DNS on the wireless device, use the no ip domain-lookup command in global configuration mode.
Displaying the DNS Configuration
To display the DNS configuration information, use the show running-config command in privileged EXEC mode.
Note When DNS is configured on the wireless device, the show running-config command sometimes displays a server IP address instead of its name.
284
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Creating a Banner
You can configure a message-of-the-day (MOTD) and a login banner. By default the MOTD and login banners are not configured.The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).
The login banner also appears on all connected terminals. It appears after the MOTD banner and appears before the login prompts appear.
Note For complete syntax and usage information for the commands used in this section, see Cisco IOS
Configuration Fundamentals Command Reference .
This section contains the following configuration information:
Configuring a Message-of-the-Day Login Banner
You can create a single-line or multiline message banner that appears on the screen when someone logs into the wireless device.
To configure an MOTD login banner, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. banner motd c message c
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action configure terminal
banner motd c message c end show running-config
Purpose
Enters global configuration mode.
Specifies the message of the day.
• c —Enter the delimiting character of your choice, such as a pound sign
(#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.
• message —Enter a banner message up to 255 characters. You cannot use the delimiting character in the message.
Returns to privileged EXEC mode.
Verifies your entries.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
285
Configuring Wireless Devices
Administering the Access Point Hardware and Software
Step 5
Command or Action Purpose copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example: Configuring a MOTD Banner
The following example shows how to configure a MOTD banner for the wireless device. The pound sign (#) is used as the beginning and ending delimiter:
AP(config)# banner motd
#
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
AP(config)#
This example shows the banner that results from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
Configuring a Login Banner
You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and appears before the login prompt appears.
To configure a login banner, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. banner login c message c
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal
banner login c message c
Purpose
Enters global configuration mode.
Specifies the login message.
• c —Enter the delimiting character of your choice, such as a pound sign
(#), and press the Return key. The delimiting character signifies the
286
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
Step 3
Step 4
Step 5
Command or Action Purpose beginning and end of the banner text. Characters after the ending delimiter are discarded.
• message —Enter a login message up to 255 characters. You cannot use the delimiting character in the message.
end Returns to privileged EXEC mode.
show running-config Verifies your entries.
copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example Configuration: Login Banner
The following example shows how to configure a login banner for the wireless device using the dollar sign
($) as the beginning and ending delimiter:
AP(config)# banner login
$
Access for authorized users only. Please enter your username and password.
$
AP(config)#
Administering Wireless Device Communication
This section provides information about performing the following tasks:
Configuring Ethernet Speed and Duplex Settings
The Ethernet speed and duplex are set to auto by default. To configure Ethernet speed and duplex, follow these steps, beginning in privileged EXEC mode:
Note The speed and duplex settings on the wireless device Ethernet port must match the Ethernet settings on the port to which the wireless device is connected. If you change the settings on the port to which the wireless device is connected, change the settings on the wireless device Ethernet port to match.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
287
Configuring Wireless Devices
Administering Wireless Device Communication
SUMMARY STEPS
1. configure terminal
2. interface fastethernet0
3. speed {10 | 100 | auto}
4. duplex {auto | full | half}
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action configure terminal interface fastethernet0 speed {10 | 100 | auto}
Step 4
Step 5
Step 6
Step 7 duplex {auto | full | half} end show running-config copy running-config startup-config
Purpose
Enters global configuration mode.
Enters configuration interface mode.
Configures the Ethernet speed.
Note We recommend that you use auto, the default setting.
Configures the duplex setting.
Note We recommend that you use auto, the default setting.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
Configuring the Access Point for Wireless Network Management
You can enable the wireless device for wireless network management. The wireless network manager (WNM) manages the devices on your wireless LAN.
Enter the following command to configure the wireless device to interact with the WNM:
AP(config)# wlccp wnm ip address ip-address
Enter the following command to check the authentication status between the WDS access point and the WNM:
AP# show wlccp wnm status
Possible statuses are not authenticated, authentication in progress, authentication fail, authenticated, and security keys setup.
288
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
Configuring the Access Point for Local Authentication and Authorization
You can configure AAA to operate without a server by configuring the wireless device to implement AAA in local mode. The wireless device then handles authentication and authorization. No accounting is available in this configuration.
Note You can configure the wireless device as a local authenticator for 802.1x-enabled client devices to provide a backup for your main server or to provide authentication service on a network without a RADIUS server.
See the Using the Access Point as a Local Authenticator document on Cisco.com for detailed instructions on configuring the wireless device as a local authenticator.
http://www.cisco.com/en/US/docs/routers/ access/wireless/software/guide/SecurityLocalAuthent.html
To configure the wireless device for local AAA, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. aaa new-model
3. aaa authentication login default local
4. aaa authorization exec local
5. aaa authorization network local
6. username name [privilege level] {password encryption-type password
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action configure terminal
Purpose
Enters global configuration mode.
Enables AAA.
aaa new-model aaa authentication login default local
Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.
aaa authorization exec local Configures user AAA authorization to determine whether the user is allowed to run an EXEC shell by checking the local database.
aaa authorization network local Configures user AAA authorization for all network-related service requests.
username name [privilege level]
{password encryption-type password
Enters the local database, and establishes a username-based authentication system.
Repeat this command for each user.
• name—Specifies the user ID as one word. Spaces and quotation marks are not allowed.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
289
Configuring Wireless Devices
Administering Wireless Device Communication
Command or Action Purpose
• level—(Optional) Specifies the privilege level that the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access.
Level 0 gives user EXEC mode access.
• encryption-type—Enter 0 to specify that an unencrypted password follows.
Enter 7 to specify that a hidden password follows.
• password—Specifies the password that the user must enter to gain access to the wireless device. The password must be from 1 to 25 characters long, can contain embedded spaces, and must be the last option specified in the
username command.
Note The characters TAB, ?, $, +, and [ are invalid characters for passwords.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
Step 7
Step 8
Step 9 end show running-config copy running-config startup-config
What to Do Next
Note To disable AAA, use the no aaa new-model command in global configuration mode. To disable authorization, use the no aaa authorization {network | exec} method1 command in global configuration mode.
Configuring the Authentication Cache and Profile
The authentication cache and profile feature allows the access point to cache the authentication and authorization responses for a user so that subsequent authentication and authorization requests do not need to be sent to the
AAA server.
Note On the access point, this feature is supported only for Admin authentication.
The following commands that support this feature are included in Cisco IOS Release 12.3(7):
• cache expiry
• cache authorization profile
• cache authentication profile
• aaa cache profile
290
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
Note See Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, Versions 12.4(10b)JA and 12.3(8)JEC for information about these commands.
Example Configuration: Authentication Cache and Profile
The following is a configuration example for an access point configured for Admin authentication using
TACACS+ with the authorization cache enabled. Although this example is based on a TACACS server, the access point could be configured for Admin authentication using RADIUS: version 12.3
no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption
!
hostname ap
!
!
username Cisco password 7 123A0C041104 username admin privilege 15 password 7 01030717481C091D25 ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct server 192.168.134.229 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin server 192.168.134.229 auth-port 1645 acct-port 1646 cache expiry 1 cache authorization profile admin_cache cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin server 192.168.133.231
cache expiry 1 cache authorization profile admin_cache cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local cache tac_admin group tac_admin aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authorization exec default local cache tac_admin group tac_admin aaa accounting network acct_methods start-stop group rad_acct aaa cache profile admin_cache all
!
aaa session-id common
!
!
!
bridge irb
!
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
291
Configuring Wireless Devices
Administering Wireless Device Communication
!
interface Dot11Radio0 no ip address no ip route-cache shutdown speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled
!
interface Dot11Radio1 no ip address no ip route-cache shutdown speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled
!
interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled
!
interface BVI1 ip address 192.168.133.207 255.255.255.0
no ip route-cache
!
ip http server ip http authentication aaa no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ip radius source-interface BVI1
!
tacacs-server host 192.168.133.231 key 7 105E080A16001D1908 tacacs-server directed-request radius-server attribute 32 include-in-access-req format %h radius-server host 192.168.134.229 auth-port 1645 acct-port 1646 key 7 111918160405041E00 radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0 transport preferred all transport output all line vty 0 4 transport preferred all transport input all transport output all line vty 5 15 transport preferred all transport input all transport output all
!
end
292
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
Configuring the Access Point to Provide DHCP Service
By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both wired and wireless LANs.
Note When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet.
The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.
For detailed information on DHCP-related commands and options, see the DHCP part in Cisco IOS IP
Addressing Services Configuration Guide, Release 12.4
at: http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_
Configuration_Guide_Chapter.html
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
The following sections describe how to configure the wireless device to act as a DHCP server:
Setting up the DHCP Server
To configure an access point to provide DHCP service and to specify a default router, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. ip dhcp excluded-address low_address [high_address]
3. ip dhcp pool pool_name
4. network subnet_number [mask | prefix-length]
5. lease {days [hours] [minutes] | infinite}
6. default-router address [address2 ... address 8]
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action configure terminal
Example:
AP# configure terminal
Purpose
Enters global configuration mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
293
Configuring Wireless Devices
Administering Wireless Device Communication
Step 6
Step 7
Step 8
Step 9
Step 2
Step 3
Step 4
Step 5
Command or Action ip dhcp excluded-address
low_address [high_address]
Purpose
Excludes the wireless device IP address from the range of addresses that the wireless device assigns.
• Enter the IP address in four groups of characters, such as 10.91.6.158.
• The wireless device assumes that all IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. You must specify the
IP addresses that the DHCP server should not assign to clients.
• (Optional) To enter a range of excluded addresses, enter the address at the low end of the range, followed by the address at the high end of the range.
ip dhcp pool pool_name
network subnet_number [mask |
prefix-length]
lease {days [hours] [minutes] |
infinite}
Creates a name for the pool of IP addresses that the wireless device assigns in response to DHCP requests, and enters DHCP configuration mode.
Assigns the subnet number for the address pool. The wireless device assigns IP addresses within this subnet.
(Optional) Assigns a subnet mask for the address pool, or specifies the number of bits that compose the address prefix. The prefix is an alternative way of assigning the network mask. The prefix length must be preceded by a forward slash (/).
Configures the duration of the lease for IP addresses assigned by the wireless device.
• days —Lease duration in number of days.
• hours —(Optional) Lease duration in number of hours.
• minutes —(Optional) Lease duration in number of minutes.
• infinite—Sets the lease duration to infinite.
default-router address [address2 ...
address 8]
Specifies the IP address of the default router for DHCP clients on the subnet.
end
Note One IP address is required; however, you can specify up to eight addresses in one command line.
Returns to privileged EXEC mode.
show running-config Verifies your entries.
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
What to Do Next
Example Configuration: Setting up the DHCP Sever
294
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
The following example shows how to configure the wireless device as a DHCP server, how to exclude a range of IP address, and how to assign a default router:
AP# configure terminal
AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20
AP(config)# ip dhcp pool wishbone
AP(dhcp-config)# network 172.16.1.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router 172.16.1.1
AP(dhcp-config)# end
Monitoring and Maintaining the DHCP Server Access Point
The following sections describe commands you can use to monitor and maintain the DHCP server access point: show Commands
To display information about the wireless device as DHCP server, enter the commands in
Commands for DHCP Server , on page 295
, in privileged EXEC mode.
Table 33: Show Commands for DHCP Server
Command
show ip dhcp conflict [address]
show ip dhcp database [url] show ip dhcp server statistics
Purpose
Displays a list of all address conflicts recorded by a specific DHCP Server. Enter the wireless device IP address to show conflicts recorded by the wireless device.
Displays recent activity on the DHCP database.
Note Use this command in privileged EXEC mode.
Displays count information about server statistics and messages sent and received.
clear Commands
To clear DHCP server variables, use the commands in
Table 34: Clear Commands for DHCP Server, on page
295 , in privileged EXEC mode.
Table 34: Clear Commands for DHCP Server
Command clear ip dhcp binding {address | *}
Purpose
Deletes an automatic address binding from the DHCP database. Specifying the address argument clears the automatic binding for a specific (client) IP address.
Specifying an asterisk (*) clears all automatic bindings.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
295
Configuring Wireless Devices
Administering Wireless Device Communication
Command
clear ip dhcp conflict {address | *} clear ip dhcp server statistics
Purpose
Clears an address conflict from the DHCP database.
Specifying the address argument clears the conflict for a specific IP address. Specifying an asterisk (*) clears conflicts for all addresses.
Resets all DHCP server counters to 0.
debug Command
To enable DHCP server debugging, use the following command in privileged EXEC mode: debug ip dhcp server {events | packets | linkage}
Use the no form of the command to disable debugging for the wireless device DHCP server.
Configuring the Access Point for Secure Shell
This section describes how to configure the Secure Shell (SSH) feature.
Note For complete syntax and usage information for the commands used in this section, see the “Secure Shell
Commands” section in the Cisco IOS Security Command Reference for Release 12.4.
Understanding SSH
SSH is a protocol that provides a secure, remote connection to a Layer 2 or Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports both SSH versions. If you do not specify the version number, the access point defaults to version 2.
SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client supports the following user authentication methods:
For more information about SSH, see Part 5, “Other Security Features” in the Cisco IOS Security Configuration
Guide for Release 12.4 .
Note The SSH feature in this software release does not support IP Security (IPsec).
Configuring SSH
Before configuring SSH, download the cryptographic software image from Cisco.com. For more information, see release notes for this release.
For information about configuring SSH and displaying SSH settings, see Part 6, “Other Security Features ” in Cisco IOS Security Configuration Guide for Release 12.4 , which is available at: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
296
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring Wireless Devices
Administering Wireless Device Communication
Client ARP Caching
You can configure the wireless device to maintain an address resolution protocol (ARP) cache for associated client devices. Maintaining an ARP cache on the wireless device reduces the traffic load on your wireless
LAN. ARP caching is disabled by default.
This section contains this information:
Understanding Client ARP Caching
ARP caching on the wireless device reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the wireless device. Instead of forwarding ARP requests to client devices, the wireless device responds to requests on behalf of associated client devices.
When ARP caching is disabled, the wireless device forwards all ARP requests through the radio port to associated clients. The client that receives the ARP request responds. When ARP caching is enabled, the wireless device responds to ARP requests for associated clients and does not forward requests to clients. When the wireless device receives an ARP request for an IP address not in the cache, the wireless device drops the request and does not forward it. In its beacon, the wireless device includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.
When a non-Cisco client device is associated to an access point and is not passing data, the wireless device might not know the client IP address. If this situation occurs frequently on your wireless LAN, you can enable optional ARP caching. When ARP caching is optional, the wireless device responds on behalf of clients with
IP addresses known to the wireless device but forwards out of its radio port any ARP requests addressed to unknown clients. When the wireless device learns the IP addresses for all associated clients, it drops ARP requests not directed to its associated clients.
Configuring Client ARP Caching
To configure the wireless device to maintain an ARP cache for associated clients, follow these steps, beginning in privileged EXEC mode:
SUMMARY STEPS
1. configure terminal
2. dot11 arp-cache [optional]
3. end
4. show running-config
5. copy running-config startup-config
DETAILED STEPS
Step 1
Step 2
Command or Action configure terminal dot11 arp-cache [optional]
Purpose
Enters global configuration mode.
Enables ARP caching on the wireless device.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
297
Configuring Wireless Devices
Administering Wireless Device Communication
Step 3
Step 4
Step 5
Command or Action end show running-config copy running-config startup-config
Purpose
(Optional) Use the optional keyword to enable ARP caching only for the client devices whose IP addresses are known to the wireless device.
Returns to privileged EXEC mode.
Verifies your entries.
(Optional) Saves your entries in the configuration file.
What to Do Next
Example: Configure ARP Caching
The following example shows how to configure ARP caching on an access point:
AP# configure terminal
AP(config)# dot11 arp-cache
AP(config)# end
Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
This feature modifies the way that point-to-multipoint bridging can be configured to operate on multiple
VLANs with the ability to control traffic rates on each VLAN.
Note A rate-limiting policy can be applied only to Fast Ethernet ingress ports on non-root bridges.
In a typical scenario, multiple-VLAN support permits users to set up point-to-multipoint bridge links with remote sites, with each remote site on a separate VLAN. This configuration provides the capability for separating and controlling traffic to each site. Rate limiting ensures that no remote site consumes more than a specified amount of the entire link bandwidth. Only uplink traffic can be controlled by using the Fast Ethernet ingress ports of non-root bridges.
Using the class-based policing feature, you can specify the rate limit and apply it to the ingress of the Ethernet interface of a non-root bridge. Applying the rate at the ingress of the Ethernet interface ensures that all incoming
Ethernet packets conform to the configured rate.
298
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
11
Configuring PPP over Ethernet with NAT
This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco 890 series Integrated Services Routers (ISRs).
•
•
•
•
•
Configuration Example, page 308
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
299
Configuring PPP over Ethernet with NAT
Overview
Overview
Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the
PPPoE session, it can be encrypted, filtered, and so forth.
Figure 15: PPP over Ethernet with NAT
shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
Figure 15: PPP over Ethernet with NAT
3
4
5
6
7
1
2
Multiple networked devices—Desktops, laptop PCs, switches
Fast Ethernet LAN interface (inside interface for NAT)
PPPoE client—Cisco 860, Cisco 880, or Cisco 890 ISRs
Point at which NAT occurs
Fast Ethernet WAN interface (outside interface for NAT)
Cable modem or other server that is connected to the Internet
PPPoE session between the client and a PPPoE server
PPPoE
The PPPoE client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
300
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over Ethernet with NAT
NAT
A PPPoE session is initiated on the client side by the Cisco 819, Cisco 860, or Cisco 880 ISRs. An established
PPPoE client session can be terminated in one of two ways:
• By entering the clear vpdn tunnel pppoe command. The PPPoE client session is terminated, and the
PPPoE client immediately tries to reestablish the session. This also occurs if the session has a timeout.
• By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client does not attempt to reestablish the session.
NAT
NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
Configuration Tasks
Perform the following tasks to configure this network scenario:
An example showing the results of these configuration tasks is shown in the
Configuration Example, on page
308 .
Configure the Virtual Private Dialup Network Group Number
Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.
To configure a VPDN, perform the following steps, starting in global configuration mode:
SUMMARY STEPS
1. vpdn enable
2. vpdn-group name
3. request-dialin
4. protocol {l2tp | pppoe}
5. exit
6. exit
DETAILED STEPS
Step 1
Command or Action vpdn enable
Example:
Router(config)# vpdn enable
Purpose
Enables VPDN on the router.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
301 OL-31704-02
Configuring PPP over Ethernet with NAT
Configure Ethernet WAN Interfaces
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action vpdn-group name
Purpose
Creates and associates a VPDN group with a customer or
VPDN profile.
Example:
Router(config)# vpdn-group 1 request-dialin Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.
Example:
Router(config-vpdn)# request-dialin
protocol {l2tp | pppoe} Specifies the type of sessions the VPDN subgroup can establish.
Example:
Router(config-vpdn-req-in)# protocol pppoe exit Exits request-dialin VPDN group configuration mode.
Example:
Router(config-vpdn-req-in)# exit exit
Example:
Router(config-vpdn)# exit
Exits VPDN configuration mode and returns to global configuration mode.
Configure Ethernet WAN Interfaces
In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100 Mbps-Ethernet interface on both the inside and the outside.
To configure the Fast Ethernet WAN interfaces, perform these steps, starting in global configuration mode:
SUMMARY STEPS
1. interface type number
2. pppoe-client dial-pool-number number
3. no shutdown
4. exit
302
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over Ethernet with NAT
Configure the Dialer Interface
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action interface type number
Purpose
Enters interface configuration mode for WAN interface.
Example:
Router(config)# interface fastethernet 4 or
Example:
Router(config)# interface gigabitethernet 4
pppoe-client dial-pool-number number Configures the PPPoE client and specifies the dialer interface to use for cloning.
Example:
Router(config-if)# pppoe-client dial-pool-number
1 no shutdown Enables the Fast Ethernet interface and the configuration changes just made to it.
Example:
Router(config-if)# no shutdown exit Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.
Example:
Router(config-if)# exit
What to Do Next
Ethernet Operations, Administration, and Maintenance
Ethernet Operations, Administration, and Maintenance (OAM) is a protocol for installing, monitoring, and troubleshooting Ethernet metropolitan-area networks (MANs) and Ethernet WANs. It relies on a new, optional sublayer in the data link layer of the Open Systems Interconnection (OSI) model. The OAM features covered by this protocol are Discovery, Link Monitoring, Remote Fault Detection, Remote Loopback, and Cisco
Proprietary Extensions.
For setup and configuration information about Ethernet OAM, see Using Ethernet Operations, Administration, and Maintenance at: Carrier Ethernet Configuration Guide .
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
303
Configuring PPP over Ethernet with NAT
Configure the Dialer Interface
To configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, complete the following steps, starting in global configuration mode:
SUMMARY STEPS
1. interface dialer dialer-rotary-group-number
2. ip address negotiated
3. ip mtu bytes
4. encapsulation encapsulation-type
5. ppp authentication {protocol1 [protocol2...]}
6. dialer pool number
7. dialer-group group-number
8. exit
9. dialer-listdialer-group protocolprotocol-name {permit | deny | list access-list-number | access-group}
10. ip routeprefix mask {interface-type interface-number}
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action
interface dialer dialer-rotary-group-number
Purpose
Creates a dialer interface and enters interface configuration mode.
• Range is from 0 to 255.
Example:
Router(config)# interface dialer 0 ip address negotiated Specifies that the IP address for the interface is obtained through
PPP/IPCP (IP Control Protocol) address negotiation.
Example:
Router(config-if)# ip address negotiated
ip mtu bytes
Example:
Router(config-if)# ip mtu 1492
encapsulation encapsulation-type
Sets the size of the IP maximum transmission unit (MTU).
• The default minimum is 128 bytes. The maximum for
Ethernet is 1492 bytes.
Sets the encapsulation type to PPP for the data packets being transmitted and received.
Example:
Router(config-if)# encapsulation ppp
ppp authentication {protocol1 [protocol2...]} Sets the PPP authentication method to Challenge Handshake
Authentication Protocol (CHAP).
Example:
Router(config-if)# ppp authentication chap
For details about this command and additional parameters that can be set, see Cisco IOS Security Command Reference.
304
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over Ethernet with NAT
Configure Network Address Translation
Step 6
Step 7
Step 8
Step 9
Step 10
Command or Action
dialer pool number
Purpose
Specifies the dialer pool that is used to connect to a specific destination subnetwork.
Example:
Router(config-if)# dialer pool 1
dialer-group group-number Assigns the dialer interface to a dialer group.
• Range is from 1 to 10.
Example:
Router(config-if)# dialer-group 1 exit
Tip Using a dialer group controls access to your router.
Exits the dialer 0 interface configuration mode and returns to global configuration mode.
Example:
Router(config-if)# exit
dialer-listdialer-group protocolprotocol-name
{permit | deny | list access-list-number |
access-group}
Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command Reference.
Example:
Router(config)# dialer-list 1 protocol ip permit
ip routeprefix mask {interface-type
interface-number}
Sets the IP route for the default gateway for the dialer 0 interface.
Example:
Router(config)# ip route 10.10.25.2
255.255.255.255 dialer 0
Configure Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation.
You can configure NAT for either static or dynamic address translations.
To configure the outside Fast Ethernet WAN interface with dynamic NAT, perform these steps, beginning in global configuration mode:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
305
Configuring PPP over Ethernet with NAT
Configure Network Address Translation
SUMMARY STEPS
1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. Do one of the following:
• ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
• Router(config)# ip nat inside source list 1 interface dialer
0 overload
• Router(config)# ip nat inside source list acl1 pool pool1
3. interface type number
4. ip nat {inside | outside}
5. no shutdown
6. exit
7. interface type number
8. ip nat {inside | outside}
9. no shutdown
10. exit
11. access-list access-list-number {deny | permit} source [source-wildcard]
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action Purpose
ip nat pool name start-ip end-ip {netmask netmask |
prefix-length prefix-length}
Creates pool of global IP addresses for NAT.
Example:
Router(config)# ip nat pool pool1 192.168.1.0
192.168.2.0 netmask 255.255.252.0
Do one of the following: Enables dynamic translation of addresses on the inside interface.
• ip nat inside source {list access-list-number}
{interface type number | pool name} [overload] The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the
• Router(config)# ip nat inside source list 1 interface dialer dialer interface 0 .
0 overload
The second example shows the addresses permitted by access
• Router(config)# ip nat inside source list acl1 pool pool1 list acl1 to be translated to one of the addresses specified in the NAT pool pool1 .
interface type number
Example:
Router(config)# interface vlan 1
Enters configuration mode for the VLAN (on which the Fast
Ethernet LAN interfaces [FE0–FE3] reside) to be the inside interface for NAT.
306
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over Ethernet with NAT
Configure Network Address Translation
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Command or Action
ip nat {inside | outside}
Purpose
Identifies the specified VLAN interface as the NAT inside interface.
Example:
Router(config-if)# ip nat inside no shutdown Enables the configuration changes just made to the Ethernet interface.
Example:
Router(config-if)# no shutdown exit Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.
Example:
Router(config-if)# exit interface type number Enters configuration mode for the Fast Ethernet WAN interface
(FE4) to be the outside interface for NAT.
Example:
Router(config)# interface fastethernet 4
ip nat {inside | outside} Identifies the specified WAN interface as the NAT outside interface.
Example:
Router(config-if)# ip nat outside no shutdown Enables the configuration changes just made to the Ethernet interface.
Example:
Router(config-if)# no shutdown exit Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.
Example:
Router(config-if)# exit
access-list access-list-number {deny | permit} source
[source-wildcard]
Defines a standard access list indicating which addresses need translation.
Example:
Note All other addresses are implicitly denied.
Router(config)# access-list 1 permit
192.168.1.0 255.255.255.0
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
307
Configuring PPP over Ethernet with NAT
Configuration Example
What to Do Next
Note To use NAT with a virtual-template interface, you must configure a loopback interface. See
for information on configuring a loopback interface.
For complete information on the NAT commands, see the Cisco NX-OS Release 4.1 documentation set. For more general information on NAT concepts, see
Cisco IOS Software Basic Skills
.
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside
Note Commands marked by “(default)” are generated automatically when you run the show running-config command.
vpdn enable vpdn-group 1 request-dialin protocol pppoe
!
interface vlan 1 ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast (default) ip nat inside interface FastEthernet 4 no ip address no ip directed-broadcast (default) ip nat outside pppoe enable group global pppoe-client dial-pool-number 1 no sh
!
interface dialer 0 ip address negotiated ip mtu 1492 encapsulation ppp ppp authentication chap dialer pool 1 dialer-group 1
!
dialer-list 1 protocol ip permit ip nat inside source list 1 interface dialer 0 overload ip classless (default) ip route 10.10.25.2 255.255.255.255 dialer 0 ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list acl1 pool pool1
!
308
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over Ethernet with NAT
Verifying Your Configuration
Verifying Your Configuration
Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoE with NAT configuration.
You should see verification output similar to the following example:
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet4
Inside interfaces:
Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
309
Verifying Your Configuration
Configuring PPP over Ethernet with NAT
310
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
12
Configuring PPP over ATM with NAT
This chapter provides an overview of Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address translation (NAT) that can be configured on the Cisco 860 and Cisco 880 series
Integrated Services Routers (ISRs).
•
•
Configure the Dialer Interface, page 313
•
Configure the ATM WAN Interface, page 315
•
Configure DSL Signaling Protocol, page 316
•
Configure Network Address Translation, page 318
•
Configuration Example, page 321
Overview
Multiple PCs can be connected to the LAN behind the router. Before traffic from the PCs is sent to the PPPoA session, it can be encrypted, filtered, and so forth. PPP over ATM provides a network solution with simplified address handling and straight user verification like a dial network.
Figure 16: PPP over ATM with NAT, on
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
311
Overview
Configuring PPP over ATM with NAT page 312 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router.
This scenario uses a single static IP address for the ATM connection.
Figure 16: PPP over ATM with NAT
4
5
6
1
2
3
Small business with multiple networked devices—desktops, laptop PCs, switches
Fast Ethernet LAN interface (inside interface for NAT, 192.168.1.1/24)
PPPoA Client
Point at which NAT occurs
ATM WAN interface (outside interface for NAT)
PPPoA session between the client and a PPPoA server at the ISP
In this scenario, the small business or remote user on the Fast Ethernet LAN can connect to an Internet service provider (ISP) using the integrated xDSL WAN interface on the Cisco 860 and Cisco 880 series ISRs.
The Fast Ethernet interface carries the data packet through the LAN and off-loads it to the PPP connection on the ATM interface. The ATM traffic is encapsulated and sent over the xDSL interface. The dialer interface is used to connect to the ISP.
PPPoA
The PPPoA Client feature on the router provides PPPoA client support on ATM interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoA client sessions can be configured on an ATM interface, but each session must use a separate dialer interface and a separate dialer pool.
A PPPoA session is initiated on the client side by the Cisco 860 or Cisco 880 series router.
NAT
NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
312
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over ATM with NAT
Configure the Dialer Interface
Configuration Tasks
Perform the following tasks to configure this network scenario:
•
Configure the Dialer Interface, on page 313
•
Configure the ATM WAN Interface, on page 315
•
Configure DSL Signaling Protocol, on page 316
•
Configure Network Address Translation, on page 318
An example showing the results of these configuration tasks is shown in the
Configuration Example, on page
321 .
Configure the Dialer Interface
The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. It is also used for cloning virtual access.
Multiple PPPoA client sessions can be configured on an ATM interface, but each session must use a separate dialer interface and a separate dialer pool.
Perform these steps to configure a dialer interface for the ATM interface on the router, starting in global configuration mode.
SUMMARY STEPS
1. interface dialer dialer-rotary-group-number
2. ip address negotiated
3. ip mtu bytes
4. encapsulation encapsulation-type
5. ppp authentication {protocol1 [protocol2...]}
6. dialer pool number
7. dialer-group group-number
8. exit
9. dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}
10. ip route prefix mask {interface-type interface-number}
DETAILED STEPS
Step 1
Command or Action
interface dialer dialer-rotary-group-number
Example:
Router(config)# interface dialer 0
Purpose
Creates a dialer interface (numbered 0–255), and enters into interface configuration mode.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
313 OL-31704-02
Configuring PPP over ATM with NAT
Configure the Dialer Interface
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Command or Action ip address negotiated
Purpose
Specifies that the IP address for the dialer interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.
Example:
Router(config-if)# ip address negotiated ip mtu bytes
Example:
Router(config-if)# dialer-group 1 exit
Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for ATM is 4470 bytes.
Example:
Router(config-if)# ip mtu 4470
encapsulation encapsulation-type Sets the encapsulation type to PPP for the data packets being transmitted and received.
Example:
Router(config-if)# encapsulation ppp
ppp authentication {protocol1 [protocol2...]} Sets the PPP authentication method.
Example:
The example applies the Challenge Handshake Authentication
Protocol (CHAP).
Router(config-if)# ppp authentication chap For details about this command and additional parameters that can be set, see the Cisco IOS Security Command Reference.
dialer pool number Specifies the dialer pool to use to connect to a specific destination subnetwork.
Example:
Router(config-if)# dialer pool 1
dialer-group group-number Assigns the dialer interface to a dialer group (1–10).
Tip Using a dialer group controls access to your router.
Exits the dialer 0 interface configuration.
Example:
Router(config-if)# exit
dialer-list dialer-group protocol protocol-name
{permit | deny | list access-list-number |
access-group}
Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.
Example:
Router(config)# dialer-list 1 protocol ip permit
ip route prefix mask {interface-type
interface-number}
Sets the IP route for the default gateway for the dialer 0 interface.
314
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over ATM with NAT
Configure the ATM WAN Interface
Command or Action
Example:
Router(config)# ip route 10.10.25.2
0.255.255.255 dialer 0
Purpose
For details about this command and additional parameters that can be set, see the Cisco IOS IP Command Reference, Volume 1 of 4:
Routing Protocols.
What to Do Next
Repeat these steps for any additional dialer interfaces or dialer pools needed.
Configure the ATM WAN Interface
Perform these steps to configure the ATM interface, beginning in global configuration mode.
SUMMARY STEPS
1. interface type number
2. pvc vpi/vci
3. encapsulation {aal5auto | aal5autoppp virtual-template number [group group-name] | aal5ciscoppp
virtual-template number | aal5mux protocol | aal5nlpid | aal5snap}
4. dialer pool-member number
5. no shutdown
6. exit
DETAILED STEPS
Step 1
Step 2
Command or Action interface type number
Example:
Router(config)# interface atm 0
pvc vpi/vci
Example:
Router(config-if)# pvc 8/35
Purpose
Enters interface configuration mode for the ATM interface (labeled
ADSLoPOTS or G.SHDSL on the back of your router).
Note This interface was initially configured during basic router configuration. See the
.
Creates an ATM PVC for each end node (up to ten) with which the router communicates. Enters ATM virtual circuit configuration mode.
When a PVC is defined, AAL5SNAP encapsulation is defined by default.
Use the encapsulation command to change this, as shown in
.
The VPI and VCI arguments cannot be simultaneously specified as zero; if one is 0, the other cannot be 0.
For details about this command and additional parameters that can be set, see the Cisco IOS Wide-Area Networking Command Reference.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
315 OL-31704-02
Configuring PPP over ATM with NAT
Configure DSL Signaling Protocol
Step 3
Step 4
Step 5
Step 6
Command or Action Purpose encapsulation {aal5auto | aal5autoppp
virtual-template number [group group-name]
| aal5ciscoppp virtual-template number |
aal5mux protocol | aal5nlpid | aal5snap}
Specifies the encapsulation type for the PVC and points back to the dialer interface.
For details about this command and additional parameters that can be set, see the Cisco IOS Wide-Area Networking Command Reference.
Example:
Router(config-if-atm-vc)# encapsulation aal5mux ppp dialer
dialer pool-member number Specifies the ATM interface as a member of a dialer profile dialing pool.
The pool number must be in the range of 1–255.
Example:
Router(config-if-atm-vc)# dialer pool-member 1 no shutdown Enables interface and configuration changes just made to the ATM interface.
Example:
Router(config-if-atm-vc)# no shutdown exit Exits configuration mode for the ATM interface.
Example:
Router(config-if)# exit
Example:
Router(config)#
Configure DSL Signaling Protocol
DSL signaling must be configured on the ATM interface for connection to your ISP. The Cisco 887 and Cisco
867 ISRs support ADSL signaling over POTS and the Cisco 886 ISR supports ADSL signaling over ISDN.
The Cisco 888 ISR supports G.SHDSL.
Configuring ADSL
The default configuration for ADSL signaling is shown in
Table 35: Default ADSL Configuration, on page
317 .
316
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over ATM with NAT
Configuring ADSL
Table 35: Default ADSL Configuration
Attribute
Operating mode
Description
Specifies the operating mode of the digital subscriber line (DSL) for an ATM interface.
• ADSL over POTS—ANSI or ITU full rate, or automatic selection.
• ADSL over ISDN—ITU full rate, ETSI, or automatic selection.
Default Value
Auto
Loss of margin
Training log
Specifies the number of times a loss of margin may occur.
—
Toggles between enabling the training log and disabling the training log.
Disabled
If you wish to change any of these settings, use one of the following commands in global configuration mode.
• dsl operating-mode (from the ATM interface configuration mode)
• dsl lom integer
• dsl enable-training-log
See the Cisco IOS Wide-Area Networking Command Reference for details of these commands.
Verifying the Configuration
You can verify that the configuration is set the way you want by using the show dsl interface atm command from privileged EXEC mode.
Router# show dsl interface atm 0
ATM0
Alcatel 20190 chipset information
ATU-R (DS)
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode:
ITU STD NUM:
ITU G.992.5 (ADSL2+) Annex A
0x03
Chip Vendor ID: 'STMI'
Chip Vendor Specific: 0x0000
Chip Vendor Country: 0x0F
Modem Vendor ID: 'CSCO'
Modem Vendor Specific: 0x0000
Modem Vendor Country: 0xB5
Serial Number Near:
Serial Number Far:
Modem VerChip ID: C196 (3)
DFE BOM: DFE3.0 Annex A (1)
Capacity Used: 82%
Noise Margin: 12.5 dB
Output Power:
Attenuation:
FEC ES Errors:
ES Errors:
SES Errors:
11.5 dBm
5.5 dB
0
1
1
ATU-C (US)
0x2
'BDCM'
0x6193
0xB5
'
99%
5.5 dB
12.0 dBm
0.0 dB
0
287
0
'
0x0000
0x00
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
317
Configuring PPP over ATM with NAT
Configure Network Address Translation
LOSES Errors:
UES Errors:
1
0
Defect Status: None
Last Fail Code: None
Watchdog Counter: 0x56
Watchdog Resets: 0
Selftest Result: 0x00
Subfunction:
Interrupts:
0x00
4147 (0 spurious)
PHY Access Err: 0
Activations: 3
LED Status: ON
0
276233
None
LED On Time:
LED Off Time:
Init FW:
Operation FW:
FW Source:
FW Version:
100
100 init_AMR-4.0.015_no_bist.bin
AMR-4.0.015.bin
embedded
4.0.15
Speed (kbps):
Cells:
Reed-Solomon EC:
CRC Errors:
Header Errors:
Total BER:
DS Channel1
Leakage Average BER:
Interleave Delay:
Bitswap:
Bitswap success:
Bitswap failure:
0
0E-0
0E-0
0
ATU-R (DS) enabled
LOM Monitoring : Disabled
0
0
0
0
0
0
DS Channel0 US Channel1
19999 0
0
0
0
0
65535E-0
0
0
0
0
65535E-255
36
ATU-C (US) enabled
0
0
0
DMT Bits Per Bin
000: 0 0 0 0 F F F F F F F F F F F F
010: 0 0 3 0 F F F F F F F F F F F F
020: F F F F F F F F F F F F F F F F
....
DSL: Training log buffer capability is not enabled
Router#
US Channel0
1192
1680867
0
326
131
11
Configure Network Address Translation
Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation.
You can configure NAT for either static or dynamic address translations.
Perform these steps to configure the outside ATM WAN interface with dynamic NAT, beginning in global configuration mode:
318
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over ATM with NAT
Configure Network Address Translation
SUMMARY STEPS
1. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
2. Do one of the following:
• ip nat inside source {list access-list-number} {interface type number | pool name} [overload]
• Example 1:
Router(config)# ip nat inside source list 1 interface dialer
0 overload
• Example 2:
Router(config)# ip nat inside source list acl1 pool pool1
3. interface type number
4. ip nat {inside | outside}
5. no shutdown
6. exit
7. interface type number
8. ip nat {inside | outside}
9. no shutdown
10. exit
11. access-list access-list-number {deny | permit} source [source-wildcard]
DETAILED STEPS
Step 1
Step 2
Command or Action
ip nat pool name start-ip end-ip {netmask netmask |
prefix-length prefix-length}
Purpose
Creates pool of global IP addresses for NAT.
Example:
Router(config)# ip nat pool pool1 192.168.1.0
192.168.2.0 netmask 255.255.255.0
Do one of the following: Enables dynamic translation of addresses on the inside interface.
• ip nat inside source {list access-list-number}
{interface type number | pool name} [overload] The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the
• Example 1: dialer interface 0 .
Router(config)# ip nat inside source list
1 interface dialer
0 overload
The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in
• Example 2: the NAT pool pool1 .
Router(config)# ip nat inside source list acl1 pool pool1
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
319
Configuring PPP over ATM with NAT
Configure Network Address Translation
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
Step 11
Command or Action interface type number
Example:
Router(config)# interface vlan 1 ip nat {inside | outside}
Purpose
Enters configuration mode for the VLAN (on which the Fast
Ethernet LAN interfaces [FE0–FE3] reside) to be the inside interface for NAT.
Applies NAT to the Fast Ethernet LAN interface as the inside interface.
Example:
Router(config-if)# ip nat inside no shutdown
Example:
Router(config-if)# no shutdown exit
Enables the configuration changes just made to the Ethernet interface.
Exits configuration mode for the Fast Ethernet interface.
Example:
Router(config-if)# exit interface type number
Example:
Router(config)# interface atm 0 ip nat {inside | outside}
Enters configuration mode for the ATM WAN interface
(ATM0) to be the outside interface for NAT.
Identifies the specified WAN interface as the NAT outside interface.
Example:
Router(config-if)# ip nat outside no shutdown Enables the configuration changes just made to the Ethernet interface.
Example:
Router(config-if)# no shutdown exit Exits configuration mode for the ATM interface.
Example:
Router(config-if)# exit
access-list access-list-number {deny | permit} source
[source-wildcard]
Defines a standard access list permitting addresses that need translation.
Example:
Note All other addresses are implicitly denied.
Router(config)# access-list 1 permit
192.168.1.0 255.255.255.0
320
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring PPP over ATM with NAT
Configuration Example
What to Do Next
Note If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See
for information on configuring the loopback interface.
For complete information on NAT commands, see the Cisco NX-OS Release 4.1 documentation set.
Configuration Example
The following configuration example shows a portion of the configuration file for a client in the PPPoA scenario described in this chapter.
The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.
Note Commands marked by “(default)” are generated automatically when you run the show running-config command.
!
interface Vlan1 ip address 192.168.1.1 255.255.255.0
ip nat inside ip virtual-reassembly (default)
!
interface ATM0 no ip address ip nat outside ip virtual-reassembly no atm ilmi-keepalive pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1
!
!
dsl operating-mode auto interface Dialer0 ip address negotiated ip mtu 1492 encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap
!
ip classless (default)
!
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit ip route 10.10.25.2 0.255.255.255 dialer 0
!
Cisco 800 Series Integrated Services Routers Software Configuration Guide
321 OL-31704-02
Configuring PPP over ATM with NAT
Verifying Your Configuration with NAT
Verifying Your Configuration with NAT
Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoA client with NAT configuration. You should see verification output similar to the following example:
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
ATM0
Inside interfaces:
Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
322
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
13
Environmental and Power Management
This chapter explains the environmental and power Management features.
•
Environmental and Power Management, page 323
•
Cisco EnergyWise Support, page 324
Environmental and Power Management
The Cisco 819 integrated services routers are equipped with sensors in the router body for monitoring the environment temperature and logging the temperature every 30 seconds. There are four sensors located on the four corners of the router chassis. There is an additional System Ambient sensor and a 3G sensor.
The corner sensors display the following message:
• Error message on the console—When the temperature ranges are outside the set temperature thresholds, the monitor displays an error message. Different temperature ranges are set for different SKUs of the router:
â—¦Cisco 819G (non-hardened): 0 to 60 degrees celcius
â—¦Cisco 819HG (hardened): –25 to 75 degrees celcius
• SNMP Traps—syslog messages are created when the temperature is outside the specified range.
• Server “call home” feature—The server callhome feature is already enabled to call Cisco TAC in the event of very high or low temperatures.
In addition to the corner sensors, the System Ambient and 3G sensors also log the temperature every 30 seconds onto bootflash memory.
Any time the temperature is above the high threshold, or lower than the low threshold, the temperature information will be saved in non-volatile memory region and is also displayed as part of this output.
Use the show environment command to check the temperature of the router. You can also use this command to display the power usage and the power consumption of the unit at the end.
The following is a sample output for the show environment command: router# show environment
Cisco 800 Series Integrated Services Routers Software Configuration Guide
323 OL-31704-02
Environmental and Power Management
Cisco EnergyWise Support
SYSTEM WATTAGE
===============
Board Power consumption is: 4.851 W
Power Supply Loss: 1.149 W
Total System Power consumption is: 6.000 W
REAL TIME CLOCK BATTERY STATUS
==============================
Battery OK (checked at power up)
TEMPERATURE STATUS
==================
Sensor Current High/Low
Name Temperature Status Threshold
--------------------- -------------- -------------- ---------
Sensor 1
Sensor 2
Sensor 3
Sensor 4
3G Modem Sensor
36
34
40
38
System Ambient Sensor 35
33
Normal
Normal
Normal
Normal
Normal
Normal
Environmental information last updated 00:00:26 ago
60/0
60/0
60/0
60/0
60/0
85/0
Note If the modem temperature goes up to 85 degrees for non-hardened or 90 degrees for hardened version, a warning message appears. The router automatically shuts down if the temperature goes higher than 108 degrees.
Cisco EnergyWise Support
The Cisco 819 ISRs have hardware and software features for reducing power consumption. The hardware features include high-efficiency AC power supplies and electrical components with built-in power saving features, such as RAM select and clock gating. For more information, see Cisco 819 Integrated Services
Router Hardware Installation Guide.
The software features include Cisco EnergyWise, a power efficiency management feature that powers down unused modules and disable unused clocks to the modules and peripherals on the router.
The Cisco 819 ISRs must be running Cisco IOS Release 15.0(1)M or later to support EnergyWise. Detailed configuration procedures are included in
Cisco EnergyWise Configuration Guide, EnergyWise Phase 1 and Cisco EnergyWise Configuration Guide,
EnergyWise Phase 2.
324
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
14
4G LTE Wireless WAN
The Cisco Fourth-Generation Long-Term Evolution (4G LTE) Wireless WAN (WWAN) offers a highly secure, simplified, and cost-effective WAN alternative to DSL or Frame Relay. In areas where terrestrial broadband services (cable, DSL, or T1) are not available or are expensive, 4G LTE WWAN connectivity can be a viable alternative. The Cisco 819 Series 4G LTE ISRs, Cisco C880 Series 4G LTE ISRs, and Cisco
C890 Series 4G LTE ISRs support 4G LTE and 3G cellular networks and Cisco 880G series ISRs support
3G cellular networks.
•
4G LTE Support on Cisco 800 Series ISRs, page 325
•
3G Support on Cisco 880G series ISRs, page 328
4G LTE Support on Cisco 800 Series ISRs
Effective with Cisco IOS Release 15.2(4)M1, the multimode 4G LTE feature is supported on Cisco 819 Series
4G LTE ISRs. Cisco C880 Series 4G LTE ISRs, and Cisco C890 Series 4G LTE ISRs also support 4G LTE feature effective with Cisco IOS Release 15.4(3)T. Cisco 819 Series 4G LTE ISRs, Cisco C880 Series 4G
LTE ISRs, and Cisco C890 Series 4G LTE ISRs support the following modes:
• 4G LTE—4G LTE mobile specification provides multi-megabit bandwidth, more efficient radio network, latency reduction, and improved mobility. LTE solutions target new cellular networks. These networks initially support up to 100 Mb/s peak rates in the downlink and up to 50 Mb/s peak rates in the uplink.
The throughput of these networks is higher than the existing 3G networks.
• 3G Evolution High-Speed Packet Access (HSPA/HSPA+) Mode—HSPA is a UMTS-based 3G network.
It supports High-Speed Downlink Packet Access (HSDPA) and High-Speed Uplink Packet Access
(HSUPA) data for improved download and upload speeds. Evolution High-Speed Packet Access (HSPA+) supports Multiple Input/Multiple Output (MIMO) antenna capability.
• 3G Evolution-Data Optimized (EVDO or DOrA) Mode—EVDO is a 3G telecommunications standard for the wireless transmission of data through radio signals, typically for broadband Internet access. DOrA refers to EVDO Rev-A. EVDO uses multiplexing techniques including Code Division Multiple Access
(CDMA), as well as Time Division Multiple Access (TDMA), to maximize both individual users' throughput and the overall system throughput.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
325 OL-31704-02
4G LTE Wireless WAN
How to Configure Cisco 800 Series 4G LTE ISRs
How to Configure Cisco 800 Series 4G LTE ISRs
For instructions on how to configure the 4G LTE features on Cisco 819 Series 4G LTE ISRs, Cisco C880
Series 4G LTE ISRs, and Cisco C890 Series 4G LTE ISRs, see Cisco 4G LTE Software Installation Guide.
Note For Cisco 800 Series 4G LTE ISRs, use slot "0" for all commands.
Configuration Examples for Cisco 800 Series 4G LTE ISRs
The following examples show how to configure the cellular interface for Cisco 800 Series 4G LTE ISRs:
Example: Basic Cellular Configuration
The following example shows how to configure the cellular interface to be used as primary and is configured as the default route: chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
!
!
controller Cellular 0
!
!
interface Cellular0 ip address negotiated encapsulation slip load-interval 30 dialer in-band dialer idle-timeout 0 dialer string lte dialer-group 1 no peer default ip address async mode interactive routing dynamic
!
dialer-list 1 protocol ip permit
!
line 3 script dialer lte modem InOut no exec transport input all transport output all
!
Example: Dialer-Watch Configuration without External Dialer Interface
The following example shows how to configure the dialer-watch without external dialer interface. The bold text is used to indicate important commands that are specific to the dialer-watch: chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK" interface Cellular0 ip address negotiated encapsulation slip dialer in-band dialer string LTE dialer watch-group 1
326
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
4G LTE Wireless WAN
Configuration Examples for Cisco 800 Series 4G LTE ISRs async mode interactive
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60 dialer watch-list 1 delay connect 1
!
ip route 0.0.0.0 0.0.0.0 cellular 0 line 3 script dialer LTE modem InOut no exec transport input all transport output all
Example: Dialer-Persistent Configuration with External Dialer Interface
The following example shows how to configure the dialer-persistent with external dialer interface. The bold text is used to indicate important commands that are specific to the dialer-persistent: interface Cellular0 ip address negotiated encapsulation slip dialer in-band dialer pool-member 1 async mode interactive routing dynamic interface Dialer1 ip address negotiated encapsulation slip dialer pool 1 dialer idle-timeout 0 dialer string lte dialer persistent dialer-group 1
!
dialer-list 1 protocol ip permit ip route 0.0.0.0 0.0.0.0 dialer 1 line 3 script dialer lte modem InOut no exec transport input all transport output all
Example: GRE Tunnel over Cellular Interface Configuration
The following example shows how to configure the static IP address when a GRE tunnel interface is configured with ip address unnumbered cellular interface:
Note The GRE tunnel configuration is supported only if the service providers provide a public IP address on the LTE interface.
Note For service providers using a private IP address, the point-to-point static GRE tunnel cannot be set up with a private IP address at one end and a public IP address on the other end.
interface Tunnel2 ip unnumbered <internal LAN interface GE0/0 etc.> tunnel source Cellular0 tunnel destination a.b.c.d
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
327
4G LTE Wireless WAN
3G Support on Cisco 880G series ISRs interface Cellular0 ip address negotiated encapsulation slip no ip mroute-cache dialer in-band dialer string lte dialer-group 1 async mode interactive
! traffic of interest through the tunnel/cellular interface ip route x.x.x.x 255.0.0.0 Tunnel2
! route for the tunnel destination via cellular ip route a.b.c.d 255.255.255.255 cellular 0
Modem Firmware Upgrade
For instructions on how to upgrade the modem firmware for Cisco 800 Series 4G LTE ISRs, see the "Modem
Firmware Upgrade" section in Cisco 4G LTE Software Installation Guide.
Troubleshooting
For information on the troubleshooting procedures for Cisco 800 Series 4G LTE ISRs, see the "Troubleshooting" section in Cisco 4G LTE Software Installation Guide.
3G Support on Cisco 880G series ISRs
The Cisco 880G series Integrated Services Routers (ISR) with embedded third-generation (3G) wireless WAN
(WWAN) option provide collaborative business solutions for secure data communication to small businesses and enterprises.
The Cisco 880G series ISRS are available for the following 3G standards:
• GSM and UMTS models based on third-generation partner project (3GPP) that support HSPA+, HSPA,
UMTS, EDGE, and GPRS.
For information on how to configure 3G HSPA or HSPA+ on Cisco 880G series ISRs, see the following links:
â—¦ http://www.cisco.com/en/US/docs/routers/access/1800/1861/software/feature/guide/mrwls_hspa.html
â—¦ http://www.cisco.com/en/US/docs/routers/access/1800/1861/software/feature/guide/mrwlsgsm.html
• CDMA models based on 3GPP2, that support EVDO, EVDO Rev A modes.
For information on how to configure EVDO on Cisco 880G series ISRs, see the following links:
â—¦ http://www.cisco.com/en/US/docs/routers/access/1800/1861/software/feature/guide/mrwls_evdo.html
â—¦ http://www.cisco.com/en/US/docs/routers/access/1800/1861/software/feature/guide/mrwlcdma.html
For detailed information on supported Cisco 880G series models, see Cisco 880G series ISR data sheet at: http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps10082/data_sheet_c78-682548.html
328
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
15
Configuring a LAN with DHCP and VLANs
The Cisco 819, Cisco 860 and Cisco 880 Integrated Services Routers (ISRs) support clients on both physical
LANs and virtual LANs (VLANs).
•
Configuring a LAN with DHCP and VLANs, page 329
•
Configuring DHCP and VLANs, page 330
Configuring a LAN with DHCP and VLANs
The Cisco 819, Cisco 860 and Cisco 880 Integrated Services Routers (ISRs) support clients on both physical
LANs and virtual LANs (VLANs). The routers can use the Dynamic Host Configuration Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks.
The figure below shows a typical deployment scenario with two physical LANs connected by the router and two VLANs.
Figure 17: Physical and Virtual LANs with DHCP Configured on the Cisco Router
OL-31704-02
1 Fast Ethernet LAN (with multiple networked devices)
Cisco 800 Series Integrated Services Routers Software Configuration Guide
329
Configuring a LAN with DHCP and VLANs
DHCP
2
3
4
Router and DHCP server—Cisco 819, Cisco 860, or
Cisco 880 ISR—connected to the Internet
VLAN 1
VLAN 2
DHCP
DHCP, which is described in RFC 2131, uses a client/server model for address allocation. As an administrator, you can configure your Cisco 800 series router to act as a DHCP server, providing IP address assignment and other TCP/IP-oriented configuration information to your workstations. DHCP frees you from having to manually assign an IP address to each client.
When you configure a DHCP server, you must configure the server properties, policies, and DHCP options.
Note Whenever you change server properties, you must reload the server with the configuration data from the
Network Registrar database.
VLANs
The Cisco 819, Cisco 860 and Cisco 880 routers support four Fast Ethernet ports on which you can configure
VLANs.
VLANs enable networks to be segmented and formed into logical groups of users, regardless of the user’s physical location or LAN connection.
Configuring DHCP and VLANs
Note The procedures in this chapter assume you have already configured basic router features, as well as PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see the
and
Configuring a VPN Using Easy VPN and an IPSec Tunnel, on page 337
as appropriate for your router.
Configuring DHCP
Perform these steps to configure your router for DHCP operation, beginning in global configuration mode:
330
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a LAN with DHCP and VLANs
Configuring DHCP
SUMMARY STEPS
1. ip domain name name
2. ip name-server server-address1 [server-address2...server-address6]
3. ip dhcp excluded-address low-address [high-address]
4. ip dhcp pool name
5. network network-number [mask | prefix-length]
6. import all
7. default-router address [address2...address8]
8. dns-server address [address2...address8]
9. domain-name domain
10. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action
ip domain name name
Purpose
Identifies the default domain that the router uses to complete unqualified hostnames (names without a dotted-decimal domain name).
Example:
Router(config)# ip domain smallbiz.com
ip name-server server-address1
[server-address2...server-address6]
Specifies the address of one or more Domain Name System
(DNS) servers to use for name and address resolution.
Example:
Router(config)# ip name-server192.168.11.12
ip dhcp excluded-address low-address [high-address]
Example:
Specifies IP addresses that the DHCP server should not assign to DHCP clients. In this example, we are excluding the router address.
Router(config)# ip dhcp excluded-address
192.168.9.0
ip dhcp pool name Creates a DHCP address pool on the router and enters DHCP pool configuration mode. The name argument can be a string or an integer.
Example:
Router(config)# ip dhcp pool dpool1
Router(config-dhcp)#
network network-number [mask | prefix-length] Defines subnet number (IP) address for the DHCP address pool, optionally including the mask.
Example:
Router(config-dhcp)#network 10.10.0.0
255.255.255.0
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
331
Configuring a LAN with DHCP and VLANs
Configuring DHCP
Step 6
Step 7
Step 8
Step 9
Step 10
Command or Action import all
Purpose
Imports DHCP option parameters into the DHCP portion of the router database.
Example:
Router(config-dhcp)# import all
default-router address [address2...address8] Specifies up to eight default routers for a DHCP client.
Example:
Router(config-dhcp)#default-router 10.10.10.10
dns-server address [address2...address8] Specifies up to eight DNS servers available to a DHCP client.
Example:
Router(config-dhcp)# dns-server 192.168.35.2
domain-name domain Specifies the domain name for a DHCP client.
Example:
Router(config-dhcp)#domain-name cisco.com
exit
Example:
Router(config-dhcp)# exit
Exits DHCP configuration mode and enters global configuration mode.
Configuration Example: DHCP
The following configuration example shows a portion of the configuration file for the DCHP configuration described in this chapter: ip dhcp excluded-address 192.168.9.0
!
ip dhcp pool dpool1 import all network 10.10.0.0 255.255.255.0
default-router 10.10.10.10
dns-server 192.168.35.2
domain-name cisco.com
!
ip domain name smallbiz.com
ip name-server 192.168.11.12
Verifying Your DHCP Configuration
Use the following commands to view your DHCP configuration:
• show ip dhcp import—Displays the optional parameters imported into the DHCP server database.
332
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a LAN with DHCP and VLANs
Configuring VLANs
• show ip dhcp pool—Displays information about the DHCP address pools.
• show ip dhcp server statistics—Displays the DHCP server statistics, such as the number of address pools, bindings, and so forth.
Router# show ip dhcp import
Address Pool Name: dpool1
Router# show ip dhcp pool
Pool dpool1 :
Utilization mark (high/low)
Subnet size (first/next)
Total addresses
Leased addresses
: 100 / 0
: 0 / 0
: 254
: 0
Pending event : none
1 subnet is currently in the pool :
Current index
10.10.0.1
IP address range
10.10.0.1
Router# show ip dhcp server statistics
Memory usage 15419
Address pools 1
- 10.10.0.254
Database agents 0
Automatic bindings 0
Manual bindings
Expired bindings
0
0
Malformed messages 0
Secure arp entries 0
Message Received
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM
Message
BOOTREPLY
DHCPOFFER
DHCPACK
DHCPNAK
Router#
0
0
0
0
0
0
Sent
0
0
0
0
Leased addresses
0
Configuring VLANs
Perform these steps to configure VLANs on your router, beginning in global configuration mode:
SUMMARY STEPS
1. vlan vlan_id
2. exit
DETAILED STEPS
Step 1
Command or Action
vlan vlan_id
Example:
Router# config t
Router(config)#vlan 2
Purpose
Enters VLAN configuration mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
333
Configuring a LAN with DHCP and VLANs
Assigning a Switch Port to a VLAN
Step 2
Command or Action exit
Example:
Router(configvlan)#exit
Purpose
Updates the VLAN database, propagates it throughout the administrative domain, and returns to global configuration mode.
Assigning a Switch Port to a VLAN
Perform these steps to assign a switch port to a VLAN, beginning in global configuration mode:
SUMMARY STEPS
1. interface switch port id
2. switchport access vlan vlan-id
3. end
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action
interface switch port id
Example:
Router(config)#interface FastEthernet 2
switchport access vlan vlan-id
Example:
Router(config-if)# switchport access vlan 2 end
Example:
Router(config-if)#end
Purpose
Specifies the switch port that you want to assign to the
VLAN.
Assigns a port to the VLAN.
Exits interface mode and returns to privileged EXEC mode.
Verifying Your VLAN Configuration
Use the following commands to view your VLAN configuration.
334
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a LAN with DHCP and VLANs
Verifying Your VLAN Configuration
• show—Entered from VLAN database mode. Displays summary configuration information for all configured VLANs.
• show vlan-switch—Entered from privileged EXEC mode. Displays detailed configuration information for all configured VLANs.
Router# vlan database
Router(vlan)# show
VLAN ISL Id: 1
Name: default
Media Type: Ethernet
VLAN 802.10 Id: 100001
State: Operational
MTU: 1500
Translational Bridged VLAN: 1002
Translational Bridged VLAN: 1003
VLAN ISL Id: 2
Name: VLAN0002
Media Type: Ethernet
VLAN 802.10 Id: 100002
State: Operational
MTU: 1500
VLAN ISL Id: 3
Name: red-vlan
Media Type: Ethernet
VLAN 802.10 Id: 100003
State: Operational
MTU: 1500
VLAN ISL Id: 1002
Name: fddi-default
Media Type: FDDI
VLAN 802.10 Id: 101002
State: Operational
MTU: 1500
Bridge Type: SRB
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1003
VLAN ISL Id: 1003
Name: token-ring-default
Media Type: Token Ring
VLAN 802.10 Id: 101003
State: Operational
MTU: 1500
Bridge Type: SRB
Ring Number: 0
Bridge Number: 1
Parent VLAN: 1005
Maximum ARE Hop Count: 7
Maximum STE Hop Count: 7
Backup CRF Mode: Disabled
Translational Bridged VLAN: 1
Translational Bridged VLAN: 1002
VLAN ISL Id: 1004
Name: fddinet-default
Media Type: FDDI Net
VLAN 802.10 Id: 101004
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM
VLAN ISL Id: 1005
Name: trnet-default
Media Type: Token Ring Net
VLAN 802.10 Id: 101005
State: Operational
MTU: 1500
Bridge Type: SRB
Bridge Number: 1
STP Type: IBM
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
335
Configuring a LAN with DHCP and VLANs
Verifying Your VLAN Configuration
Router# show vlan-switch
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0, Fa1, Fa3
2 VLAN0002 active Fa2
1002 fddi-default
1003 token-ring-default
1004 fddinet-default
1005 trnet-default active active active active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 1002 1003
2 enet 100002
1002 fddi 101002
1003 tr 101003
1004 fdnet 101004
1005 trnet 101005
1500 -
1500 -
-
-
1500 1005 0
1500 -
1500 -
-
-
-
1
1
-
-
-
-
srb ibm ibm -
0
1
1
0
0
0
1003
1002
0
0
336
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
16
Configuring a VPN Using Easy VPN and an IPSec
Tunnel
This chapter provides an overview of the creation of Virtual Private Networks (VPNs) that can be configured on the Cisco 819, Cisco 860, and Cisco 880 series Integrated Services Routers (ISRs).
•
Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 337
•
Configuring the IKE Policy, page 339
•
Configuring Group Policy Information, page 341
•
Applying Mode Configuration to the Crypto Map, page 342
•
Enabling Policy Lookup, page 343
•
Configuring IPSec Transforms and Protocols, page 344
•
Configuring the IPSec Crypto Method and Parameters, page 345
•
Applying the Crypto Map to the Physical Interface, page 346
•
Creating an Easy VPN Remote Configuration , page 347
•
Verifying Your Easy VPN Configuration, page 349
•
Configuration Examples for VPN and IPSec, page 349
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections, which perform a high level of authentication and which encrypt the data between two particular endpoints.
Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
337 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring a VPN Using Easy VPN and an IPSec Tunnel
The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy
VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. The figure below shows a typical deployment scenario.
Figure 18: Remote Access VPN Using IPSec Tunnel
4
5
6
1
2
3
Remote, networked users
VPN client—Cisco 860 and Cisco 880 series ISRs
Router—Providing the corporate office network access
VPN server—Easy VPN server
Corporate office with a network address of 10.1.1.1
IPSec tunnel
Cisco Easy VPN
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the
Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a
VPN server that is acting as an IPSec server.
An Easy VPN server-enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Easy VPN server-enabled devices allow remote routers to act as Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources
338
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring the IKE Policy at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site to access network resources on the client site.
After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 819, Cisco 860, and Cisco 880 series ISRs. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network
Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.
Configuration Tasks
Perform the following tasks to configure your router for this network scenario:
•
Configuring the IKE Policy, on page 339
•
Configuring Group Policy Information, on page 341
•
Applying Mode Configuration to the Crypto Map, on page 342
•
Enabling Policy Lookup, on page 343
•
Configuring IPSec Transforms and Protocols, on page 344
•
Configuring the IPSec Crypto Method and Parameters, on page 345
•
Applying the Crypto Map to the Physical Interface, on page 346
•
Creating an Easy VPN Remote Configuration , on page 347
An example showing the results of these configuration tasks is provided in the
.
Note The procedures in this chapter assume that you have already configured basic router features as well as
PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks, see
,
Configuring PPP over Ethernet with NAT
,
Configuring PPP over ATM with NAT
, and
Configuring a LAN with DHCP and VLANs, on page 329
as appropriate for your router.
Note The examples shown in this chapter refer only to the endpoint configuration on the Cisco 819, 860 and
880 series routers. Any VPN connection requires both endpoints to be configured properly to function.
See the software configuration documentation as needed to configure the VPN for other router models.
Configuring the IKE Policy
To configure the Internet Key Exchange (IKE) policy, perform these steps, beginning in global configuration mode:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
339 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring the IKE Policy
SUMMARY STEPS
1. crypto isakmp policy priority
2. encryption {des | 3des | aes | aes 192 | aes 256}
3. hash {md5 | sha}
4. authentication {rsa-sig | rsa-encr | pre-share}
5. group {1 | 2 | 5}
6. lifetime seconds
7. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Command or Action Purpose
crypto isakmp policy priority
Example:
Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.
Also enters the Internet Security Association Key and Management
Protocol (ISAKMP) policy configuration mode.
Router(config)# crypto isakmp policy 1 encryption {des | 3des | aes | aes 192 | aes 256} Specifies the encryption algorithm used in the IKE policy.
The example specifies 168-bit data encryption standard (DES).
Example:
Router(config-isakmp)# encryption 3des hash {md5 | sha}
Example:
Specifies the hash algorithm used in the IKE policy.
The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1).
Router(config-isakmp)# hash md5
authentication {rsa-sig | rsa-encr | pre-share} Specifies the authentication method used in the IKE policy.
The example specifies a pre-shared key.
Example:
Router(config-isakmp)# authentication pre-share
group {1 | 2 | 5} Specifies the Diffie-Hellman group to be used in an IKE policy.
Example:
Router(config-isakmp)#group 2
lifetime seconds
Example:
Router(config-isakmp)# lifetime 480
Specifies the lifetime, in seconds, for an IKE security association
(SA).
• Acceptable values are from 60 to 86400.
340
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring Group Policy Information
Step 7
Command or Action exit
Example:
Router(config-isakmp)# exit
Purpose
Exits ISAKMP policy configuration mode and returns to global configuration mode.
Configuring Group Policy Information
To configure the group policy, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto isakmp client configuration group {group-name | default}
2. key name
3. dns primary-server
4. domain name
5. exit
6. ip local pool {default | poolname} [low-ip-address [high-ip-address]]
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action crypto isakmp client configuration group
{group-name | default}
Purpose
Creates an IKE policy group containing attributes to be downloaded to the remote client.
Also enters the Internet Security Association Key and
Management Protocol (ISAKMP) group policy configuration mode.
Example:
Router(config)# crypto isakmp client configuration group rtr-remote
Router(config-isakmp-group)#
key name Specifies the IKE pre-shared key for the group policy.
Example:
Router(config-isakmp-group)# key secret-password dns primary-server
Example:
Router(config-isakmp-group)# dns 10.50.10.1
Specifies the primary Domain Name System (DNS) server for the group.
Note To specify Windows Internet Naming Service (WINS) servers for the group, use the wins command.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
341 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Applying Mode Configuration to the Crypto Map
Step 4
Step 5
Step 6
Command or Action
domain name
Purpose
Specifies group domain membership.
Example:
Router(config-isakmp-group)# domain company.com
exit Exits ISAKMP policy configuration mode and returns to global configuration mode.
Example:
Router(config-isakmp-group)# exit
Router(config)#
ip local pool {default | poolname} [low-ip-address
[high-ip-address]]
Example:
Router(config)# ip local pool dynpool
30.30.30.20 30.30.30.30
Specifies a local address pool for the group.
For details about this command and additional parameters that can be set, see Cisco IOS Dial Technologies Command
Reference .
Applying Mode Configuration to the Crypto Map
To apply mode configuration to the crypto map, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto map map-name isakmp authorization list list-name
2. crypto map tag client configuration address [initiate | respond]
DETAILED STEPS
Step 1
Command or Action Purpose
crypto map map-name isakmp authorization list list-name
Example:
Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from an authentication, authorization, and accounting (AAA) server.
Router(config)# crypto map dynmap isakmp authorization list rtr-remote
342
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Enabling Policy Lookup
Step 2
Command or Action
crypto map tag client configuration address [initiate | respond]
Purpose
Configures the router to reply to mode configuration requests from remote clients.
Example:
Router(config)# crypto map dynmap client configuration address respond
Enabling Policy Lookup
To enable policy lookup through AAA, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. aaa new-model
2. aaa authentication login {default | list-name} method1 [method2...]
3. aaa authorization {network | exec | commands level | reverse-access | configuration} {default |
list-name} [method1 [method2...]]
4. username name {nopassword | password password | password encryption-type encrypted-password}
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action aaa new-model
Purpose
Enables the AAA access control model.
Example:
Router(config)# aaa new-model
aaa authentication login {default | list-name} method1
[method2...]
Specifies AAA authentication of selected users at login, and specifies the method used.
• This example uses a local authentication database.
Example:
Router(config)# aaa authentication login rtr-remote local
aaa authorization {network | exec | commands level
| reverse-access | configuration} {default | list-name}
[method1 [method2...]]
Note You could also use a RADIUS server for this. For details, see Cisco IOS Security Configuration Guide and
Cisco IOS Security Command Reference .
Specifies AAA authorization of all network-related service requests, including PPP, and specifies the method of authorization.
• This example uses a local authorization database.
Example:
Router(config)# aaa authorization network rtr-remote local
Cisco 800 Series Integrated Services Routers Software Configuration Guide
343 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring IPSec Transforms and Protocols
Step 4
Command or Action
username name {nopassword | password password
| password encryption-type encrypted-password}
Purpose
Note You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference .
Establishes a username-based authentication system.
Example:
Router(config)# username Cisco password 0 Cisco
Configuring IPSec Transforms and Protocols
A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.
During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peer configurations.
To specify the IPSec transform set and protocols, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
2. crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
DETAILED STEPS
Step 1
Step 2
Command or Action Purpose
crypto ipsec transform-set transform-set-name transform1
[transform2] [transform3] [transform4]
Example:
Defines a transform set—an acceptable combination of
IPSec security protocols and algorithms.
See Cisco IOS Security Command Reference for details about the valid transforms and combinations.
Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
Example:
crypto ipsec security-association lifetime {seconds seconds
| kilobytes kilobytes}
Specifies global lifetime values used when IPSec security associations are negotiated.
Example:
Router(config)# crypto ipsec security-association lifetime seconds 86400
344
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Configuring the IPSec Crypto Method and Parameters
What to Do Next
Note With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.
Configuring the IPSec Crypto Method and Parameters
A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).
To configure the IPSec crypto method, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto dynamic-map dynamic-map-name dynamic-seq-num
2. set transform-set transform-set-name [transform-set-name2...transform-set-name6]
3. reverse-route
4. exit
5. crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
DETAILED STEPS
Step 1
Step 2
Step 3
Command or Action Purpose
crypto dynamic-map dynamic-map-name dynamic-seq-num
Example:
Router(config)# crypto dynamic-map dynmap 1
Creates a dynamic crypto map entry and enters crypto map configuration mode.
See Cisco IOS Security Command Reference for details about this command.
Router(config-crypto-map)#
set transform-set transform-set-name
[transform-set-name2...transform-set-name6]
Specifies which transform sets can be used with the crypto map entry.
Example:
Router(config-crypto-map)# set transform-set vpn1 reverse-route
Example:
Router(config-crypto-map)# reverse-route
Creates source proxy information for the crypto map entry.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
345 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Applying the Crypto Map to the Physical Interface
Step 4
Step 5
Command or Action exit
Purpose
Exits crypto map configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-map)# exit
Router(config)#
crypto map map-name seq-num [ipsec-isakmp] [dynamic
dynamic-map-name] [discover] [profile profile-name]
Creates a crypto map profile.
Example:
Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
Applying the Crypto Map to the Physical Interface
The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.
To apply a crypto map to an interface, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. crypto map map-name
3. exit
DETAILED STEPS
Step 1
Step 2
Command or Action
interface type number
Example:
Router(config)# interface fastethernet 4
Router(config-if)#
crypto map map-name
Purpose
Enters the interface configuration mode for the interface to which the crypto map applies.
Applies the crypto map to the interface.
346
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Creating an Easy VPN Remote Configuration
Step 3
Command or Action
Example:
Router(config-if)# crypto map static-map exit
Example:
Router(config-crypto-map)# exit
Router(config)#
Purpose
See Cisco IOS Security Command Reference for details about this command.
Exits interface configuration mode and returns to global configuration mode.
Creating an Easy VPN Remote Configuration
The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign it to the outgoing interface.
To create the remote configuration, perform these steps, beginning in global configuration mode:
SUMMARY STEPS
1. crypto ipsec client ezvpn name
2. group group-name key group-key
3. peer {ipaddress | hostname}
4. mode {client | network-extension | network extension plus}
5. exit
6. interface type number
7. crypto ipsec client ezvpn name [outside | inside]
8. exit
DETAILED STEPS
Step 1
Command or Action
crypto ipsec client ezvpn name
Example:
Router(config)# crypto ipsec client ezvpn ezvpnclient
Router(config-crypto-ezvpn)#
Purpose
Creates a Cisco Easy VPN remote configuration, and enters
Cisco Easy VPN remote configuration mode.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
347 OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Creating an Easy VPN Remote Configuration
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Command or Action
group group-name key group-key
Example:
Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
Purpose
Specifies the IPSec group and IPSec key value for the VPN connection.
Router(config-crypto-ezvpn)#
peer {ipaddress | hostname}
Example:
Router(config-crypto-ezvpn)# peer 192.168.100.1
Specifies the peer IP address or hostname for the VPN connection.
Note A hostname can be specified only when the router has a DNS server available for hostname resolution.
Router(config-crypto-ezvpn)#
mode {client | network-extension | network extension
plus}
Specifies the VPN mode of operation.
Example:
Router(config-crypto-ezvpn)# mode client
Router(config-crypto-ezvpn)# exit Exits Cisco Easy VPN remote configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#
interface type number
Example:
Router(config)# interface fastethernet 4
Router(config-if)#
crypto ipsec client ezvpn name [outside | inside]
Enters the interface configuration mode for the interface to which the Cisco Easy VPN remote configuration applies.
Note For routers with an ATM WAN interface, this command would be interface atm 0.
Example:
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
Router(config-if)# exit
Assigns the Cisco Easy VPN remote configuration to the WAN interface.
This command causes the router to automatically create the
NAT or port address translation (PAT) and access list configuration needed for the VPN connection.
Exits interface configuration mode and returns to global configuration mode.
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#
348
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring a VPN Using Easy VPN and an IPSec Tunnel
Verifying Your Easy VPN Configuration
Verifying Your Easy VPN Configuration
Router# show crypto ipsec client ezvpn
Tunnel name :ezvpnclient
Inside interface list:vlan 1
Outside interface:fastethernet 4
Current State:IPSEC_ACTIVE
Last Event:SOCKET_UP
Address:8.0.0.5
Mask:255.255.255.255
Default Domain:cisco.com
Configuration Examples for VPN and IPSec
The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.
!
aaa new-model
!
aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1 encryption 3des authentication pre-share group 2 lifetime 480
!
crypto isakmp client configuration group rtr-remote key secret-password dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1 set transform-set vpn1
!
reverse-route crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect auto group 2 key secret-password mode client peer 192.168.100.1
!
interface fastethernet 4 crypto ipsec client ezvpn ezvpnclient outside crypto map static-map
!
interface vlan 1
Cisco 800 Series Integrated Services Routers Software Configuration Guide
349 OL-31704-02
Configuration Examples for VPN and IPSec
!
crypto ipsec client ezvpn ezvpnclient inside
Configuring a VPN Using Easy VPN and an IPSec Tunnel
350
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
17
Configuring Cisco Multimode G.SHDSL EFM/ATM
This chapter provides a link to a document that describes the configuration of the Cisco Multimode 4-pair
G.SHDSL Ethernet in the first mile (EFM)/Asynchronous Transfer Mode (ATM) WAN port. This functionality is provided by the Cisco C888-EA-K9 fixed Integrated Services Router (ISR).
The following guide describes this functionality for multiple products, including enhanced high-speed WAN interface cards (EHWICs) and the C888-EA-K9 router:
Configuring Cisco Multimode G.SHDSL EFM/ATM in Cisco ISR G2 is available at the following location: http://www.cisco.com/en/US/docs/routers/access/interfaces/software/feature/guide/GSHDSL_EFM_ATM_
HWICS.html
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
351
Configuring Cisco Multimode G.SHDSL EFM/ATM
352
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
18
Configuring VDSL2 Bonding and Single-Wire Pair
Very-high-bit-rate digital subscriber line 2 (VDSL2) bonding combines two copper wire pairs to increase the capacity or extend the copper network's reach. For a customer, this means enhanced data rate and operation on longer loops. A single-wire pair enables you to configure profile 8a through 17a and ADSL on line 0, and profile 8a through 30a on line 1. VDSL2 bonding and single-wire pair are supported on C897VAB-K9 series router.
This chapter contains the following sections:
•
•
Configuring Bonding in Auto Mode, page 354
•
Configuring Bonding in VDSL2 Mode, page 354
•
Configuring a Single-Wire Pair on Line 0, page 355
•
Configuring a Single-Wire Pair on Line 1, page 356
•
Configuration Examples, page 357
Restrictions
The following restrictions are applicable to VDSL2 bonding on the Cisco 800 Series Routers:
• VDSL2 bonding is supported only on the C897VAB-K9 Series Router.
• Even though C897VAB-K9 is a bonding SKU, bonding is not the default configuration. The ADSL mode and VDSL single-wire mode are supported in the default configuration. You should enable bonding using the line-mode bonding command.
• The no line-mode bonding and default line-mode bonding commands change the configuration to
'single-wire' on Line 0, which is the default configuration.
• The line-mode configuration is removed from the router whenever you change the operating mode. You have to run the command again in the new operating mode to configure bonding.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
353 OL-31704-02
Configuring VDSL2 Bonding and Single-Wire Pair
Configuring Bonding in Auto Mode
Configuring Bonding in Auto Mode
You can configure bonding either in auto mode or VDSL2. The default configuration is auto.
Perform the following tasks to configure bonding in auto mode:
SUMMARY STEPS
1. configure terminal
2. controller VDSL slot
3. operating mode mode
4. line-mode bonding
5. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action configure terminal
Example: router#configure terminal
controller VDSL slot
Example: router(config)# controller vdsl 0
operating mode mode
Example: router(config)# operating mode auto line-mode bonding
Example: router(config-controller)# line-mode bonding exit
Example: router(config-controller)# exit
Purpose
Enters global configuration mode when using the console port.
Enters controller configuration mode.
Specifies the operating mode. The operating mode is auto.
Enables bonding mode in CPE.
Exits controller configuration mode.
Configuring Bonding in VDSL2 Mode
Perform the following tasks to configure bonding in VDSL2 mode:
354
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring VDSL2 Bonding and Single-Wire Pair
Configuring a Single-Wire Pair on Line 0
SUMMARY STEPS
1. configure terminal
2. controller VDSL slot
3. operating mode mode
4. line-mode bonding
5. exit
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Command or Action
configure terminal
Example: router#configure terminal
controller VDSL slot
Example: router(config)# controller vdsl 0
operating mode mode
Example: router(config)# operating mode vdsl2 line-mode bonding
Example: router(config-controller)# line-mode bonding exit
Example: router(config-controller)# exit
Purpose
Enters global configuration mode when using the console port.
Enters controller configuration mode.
Specifies the operating mode. The operating mode is VDSL2.
Enables bonding mode in CPE.
Exits the controller mode.
Configuring a Single-Wire Pair on Line 0
Perform the following tasks to configure single-wire pair on line 0:
SUMMARY STEPS
1. configure terminal
2. controller VDSL slot
3. line-mode single-wire line line-number
4. exit
Cisco 800 Series Integrated Services Routers Software Configuration Guide
355 OL-31704-02
Configuring VDSL2 Bonding and Single-Wire Pair
Configuring a Single-Wire Pair on Line 1
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Command or Action configure terminal
Purpose
Enters global configuration mode when using the console port.
Example: router#configure terminal
controller VDSL slot Enters controller configuration mode.
Example: router(config)# controller vdsl 0
line-mode single-wire line line-number Enables 8a through 17a profile and ADSL on line 0 in single-wire (nonbonding) mode.
Example: router(config-controller)# line-mode single-wire line 0 exit Exits controller configuration mode.
Example: router(config-controller)# exit
Configuring a Single-Wire Pair on Line 1
Perform the following tasks to configure single-wire pair on line 1.
SUMMARY STEPS
1. configure terminal
2. controller VDSL slot
3. line-mode single-wire line line-number [profile 30a]
4. exit
DETAILED STEPS
Step 1
Command or Action configure terminal
Example: router#configure terminal
Purpose
Enters global configuration mode when using the console port.
356
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Configuring VDSL2 Bonding and Single-Wire Pair
Configuration Examples
Step 2
Step 3
Step 4
Command or Action
controller VDSL slot
Purpose
Enters controller configuration mode.
Example: router(config)# controller vdsl 0
line-mode single-wire line line-number [profile 30a]
Example: router(config-controller)# line-mode single-wire line 1 profile 30a
Enables profile 8a through 30a profile on line 1 in single-wire (non-bonding) mode. If profile 30a is not specified, profiles 8a to 17a are enabled on that line.
exit Exits the controller mode.
Example: router(config-controller)# exit
Configuration Examples
The following example shows how to enable bonding in auto mode: router# configure terminal router(config)# controller vdsl 0 router(config)# operating mode auto router(config-controller)# line-mode bonding router(config-controller)# exit
The following example shows how to enable VDSL2 bonding: router# configure terminal router(config)# controller vdsl 0 router(config)# operating mode vdsl2 router(config-controller)# line-mode bonding router(config-controller)# exit
The following example shows how to remove bonding: router# configure terminal router(config)# controller vdsl 0 router(config)# no operating mode router(config-controller)# no line-mode bonding router(config-controller)# exit
The following example shows how to enable profile 8a through 17a on line 0: router# configure terminal router(config)# controller vdsl 0 router(config-controller)# line-mode single-wire line 0 router(config-controller)# exit
The following example shows how to enable profile 30a on line 1: router# configure terminal router(config)# controller vdsl 0 router(config-controller)# line-mode single-wire line 1 profile 30a router(config-controller)# exit
The following example shows how to remove profile 30a from line 1: router# configure terminal router(config)# controller vdsl 0
Cisco 800 Series Integrated Services Routers Software Configuration Guide
357 OL-31704-02
Configuring VDSL2 Bonding and Single-Wire Pair
Configuration Examples router(config-controller)# no line-mode single-wire line 1 router(config-controller)# exit
358
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
19
Deployment Scenarios
This chapter describes and shows some typical deployment scenarios for the Cisco 860, Cisco 880, and Cisco
890 series Intergrated Services Routers (ISRs):
•
About the Deployment Scenarios, page 359
•
Enterprise Small Branch, page 360
•
Internet Service and IPSec VPN with 3G, page 361
•
•
Enterprise Wireless Deployments with LWAPP, page 363
•
Enterprise Small Branch Office Deployment , page 364
About the Deployment Scenarios
Major features of the Cisco ISRs include:
• 3G wireless data connectivity backup (some Cisco 880 series ISRs)
• Voice capabilities (some Cisco 880 series ISRs)
• Embedded wireless device (optional)
• Power over Ethernet (all Cisco 880 series ISRs)
3G Wireless Backup
Some Cisco 880 series ISRs have 3G wireless data backup capability. See
Configuring Backup Data Lines and Remote Management
for details.
Voice
Some Cisco 880 series ISRs contain voice capabilities. Refer to the Cisco IOS Voice Configuration Library for details.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
359 OL-31704-02
Deployment Scenarios
Enterprise Small Branch
Embedded Wireless Device
• Cisco 860 series, Cisco 880 series, and Cisco 890 ISRs have an optional wireless device that runs its own version of the Cisco IOS software.
â—¦Cisco 890 Series ISRs with embedded access points are eligible to upgrade from autonomous software to Cisco Unified software, if the router is running the IP Base feature set and Cisco IOS
12.4(22)YB software.
â—¦Cisco 880 Series ISRs with embedded access points are eligible to upgrade from autonomous software to Cisco Unified software, if the router is running the advipservices feature set and Cisco
IOS 12.4(20)T software.
â—¦Cisco 860 Series ISRs with embedded access points are not eligible to upgrade from autonomous software to Cisco Unified software.
Note To use the embedded access point in a Cisco Unified Architecture, the Cisco Wireless LAN Configuration
(WLC) must be running version 5.1 or later.
See
for upgrade information.
Power Over Ethernet
All Cisco 880 Series ISRs contain PoE capabilities. See Cisco 860 Series, Cisco 880 Series, and Cisco 890
Series Integrated Services Routers Hardware Installation Guide for details.
Enterprise Small Branch
The figure below shows an Enterprise Small Branch deployment that uses the following technologies and features:
• Group Encrypted Transport VPN (GETVPN) for highly scalable secure branch connectivity
• Cisco IOS firewall (FW) policies that secure the front line of network connectivity and provide network and application layer protection to the enterprise network
• Voice and multicast applications
360
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Deployment Scenarios
Internet Service and IPSec VPN with 3G
• Quality of service (QoS) prioritizes critical applications and ensures timely delivery of latency- sensitive and mission-critical applications
Figure 19: Enterprise Small Branch
Internet Service and IPSec VPN with 3G
The figure below shows a remote office deployment that uses 3G wireless technology for both backup and primary applications to communicate to their enterprise data center. Besides providing direct Internet access employing Network Address Translation (NAT), Cisco 880 series ISRs can provide tunneled Virtual Private
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
361
Deployment Scenarios
SMB Applications
Network (VPN) service using IP Security and Generic Routing Encapsulation (IPSec+GRE) for secure and private communication over the public Internet.
Figure 20: Internet Service and IPSec VPN with 3G
SMB Applications
The figure below shows a small-to medium-size business deployment (SMB) that uses the following technologies and features at each branch office:
• Easy VPN with Virtual Tunnel Interface (VTI) to simplify secure VPN for remote offices and teleworkers.
• Deep packet inspection firewall for security. Firewalls provide the first level of access checking. They work with other security technologies, including intrusion prevention, encryption, and endpoint security, to provide a well-rounded defense-in-depth enterprise security system.
• Inline Intrusion Prevention Systems (IPS) protection provides additional security, and is a core facet of the Cisco Self-Defending Network. Cisco IOS IPS helps enable the network to defend itself with the intelligence to accurately classify, identify, and stop or block malicious or damaging traffic in real time.
• QoS provides timely delivery of latency-sensitive and mission-critical applications.
• ISDN connectivity backup provides network redundancy in the event that the primary service provider link fails.
362
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Deployment Scenarios
• Support for existing analog voice and fax capabilities.
Figure 21: Small-to Medium-Size Business
Enterprise Wireless Deployments with LWAPP
Enterprise Wireless Deployments with LWAPP
The figure below shows an Enterprise wireless LAN deployment using Lightweight Access Point Protocol
(LWAPP) and the following technologies and features:
• Broadband Internet access and VPN connection to a central site.
• Hybrid Remote Edge Access Point (H-REAP) provides wireless LAN services to remote and branch offices without using a wireless LAN controller at each location. With HREAP, organizations can bridge traffic locally, tunnel traffic over the WAN, or tunnel traffic over LWAPP on a per Service Set Identifier
(SSID).
• Dynamic RF management with Cisco Wireless Control System (WCS).
Cisco 800 Series Integrated Services Routers Software Configuration Guide
363 OL-31704-02
Enterprise Small Branch Office Deployment
• Ability to mix and match embedded access points with external access points.
Figure 22: Wireless LAN with LWAPP
Deployment Scenarios
Enterprise Small Branch Office Deployment
The figure below shows a small branch office or teleworker deployment that uses a gigabit Ethernet fiber connection through the SFP port.
Figure 23: Enterprise Small Branch office Deployment
364
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
C H A P T E R
20
Troubleshooting Cisco 800 Series Routers
Use the information in this chapter to help isolate problems you might encounter or to rule out the router as the source of a problem.
•
•
Before Contacting Cisco or Your Reseller, page 365
•
ADSL Troubleshooting, page 366
•
SHDSL Troubleshooting, page 366
•
VDSL2 Troubleshooting, page 367
•
show interfaces Troubleshooting Command, page 367
•
ATM Troubleshooting Commands, page 369
•
Software Upgrade Methods, page 374
•
Recovering a Lost Password, page 374
•
Cisco Configuration Professional Express, page 379
Getting Started
Before troubleshooting a software problem, you must connect a terminal or PC to the router by using the light-blue console port. (For information on making this connection, see the documentation listed in the
.) With a connected terminal or PC, you can view status messages from the router and enter commands to troubleshoot a problem.
You can also remotely access the interface (Ethernet, ADSL, or telephone) by using Telnet. The Telnet option assumes that the interface is up and running.
Before Contacting Cisco or Your Reseller
If you cannot locate the source of a problem, contact your local reseller for advice. Before you call, you should have the following information ready:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
365 OL-31704-02
Troubleshooting Cisco 800 Series Routers
ADSL Troubleshooting
• Chassis type and serial number
• Maintenance agreement or warranty information
• Type of software and version number
• Date you received the hardware
• Brief description of the problem
• Brief description of the steps you have taken to isolate the problem
ADSL Troubleshooting
If you experience trouble with the ADSL connection, verify the following:
• The ADSL line is connected and is using pins 3 and 4. For more information on the ADSL connection, see the hardware guide for your router.
• The ADSL CD LED is on. If it is not on, the router may not be connected to the DSL access multiplexer
(DSLAM). For more information on the ADSL LEDs, see the hardware installation guide specific for your router.
• The correct Asynchronous Transfer Mode (ATM) virtual path identifier/virtual circuit identifier (VPI/VCI) is being used.
• The DSLAM supports discrete multi-tone (DMT) Issue 2.
• The ADSL cable that you connect to the Cisco router must be 10BASE-T Category 5, unshielded twisted-pair (UTP) cable. Using regular telephone cable can introduce line errors.
SHDSL Troubleshooting
Symmetrical high-data-rate digital subscriber line (SHDSL) is available on the Cisco 888 routers. If you experience trouble with the SHDSL connection, verify the following:
• The SHDSL line is connected and using pins 3 and 4. For more information on the G.SHDSL connection, see the hardware guide for your router.
• The G.SHDSL LED is on. If it is not on, the router may not be connected to the DSL access multiplexer
(DSLAM). For more information on the G.SHDSL LED, see the hardware installation guide specific for your router.
• The correct asynchronous transfer mode (ATM) virtual path identifier/virtual circuit identifier (VPI/VCI) is being used.
• The DSLAM supports the G.SHDSL signaling protocol.
Use the show controllers dsl 0 command in EXEC mode to view an SHDSL configuration.
366
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers
VDSL2 Troubleshooting
VDSL2 Troubleshooting
Very-high-data-rate digital subscriber line 2 (VDSL2) is available on the Cisco 887 routers. If you experience trouble with the VDSL2 connection, verify the following:
• The VDSL2 line is connected and using pins 3 and 4. For more information on the VDSL2 connection, see the hardware guide for your router.
• The VDSL2 LED CD light is on. If it is not on, the router may not be connected to the DSL access multiplexer (DSLAM). For more information on the VDSL2 LED, see the hardware installation guide specific for your router.
• The DSLAM supports the VDSL2 signaling protocol.
Use the show controllers vdsl 0 command in EXEC mode to view a VDSL2 configuration. The debug vdsl
0 daemon state command can be used to enable the debug messages that print the state transition of VDSL2 training.
If there is trouble with the VDSL firmware file, you can reload or upgrade it without upgrading your Cisco
IOS image. Use the command:
controller vdsl 0 firmware flash:<firmware file name> to load the firmware file into the VDSL modem chipset. Then enter shutdown/no shutdown commands on the controller vdsl 0 interface. After this, the new firmware will be downloaded and the VDSL2 line starts training up.
Note Cisco 860VAE series ISRs require that the router be reloaded (IOS reload) before the new VDSL firmware will be loaded.
If the command is not present or the named firmware file is corrupt or not available, the default firmware file
flash:vdsl.bin is checked to be present and not corrupt. The firmware in this file is then downloaded to the modem chipset.
Note Cisco 860VAE series ISRs will state the reason of failure during bootup if the new VDSL firmware fails to load after IOS reload.
show interfaces Troubleshooting Command
Use the show interfaces command to display the status of all physical ports (Ethernet, Fast Ethernet, and
ATM) and logical interfaces on the router.
Table 36: show interfaces Command Output Description , on page
368 describes messages in the command output.
The following example shows how to view the status of Ethernet or Fast Ethernet Interfaces:
Router# show interfaces ethernet 0 **similar output for show interfaces fastethernet 0 command **
Ethernet0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is 0000.Oc13.a4db
(bia0010.9181.1281)
Internet address is 170.1.4.101/24
Cisco 800 Series Integrated Services Routers Software Configuration Guide
367 OL-31704-02
Troubleshooting Cisco 800 Series Routers show interfaces Troubleshooting Command
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, reliability 255/255., txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
The following example shows how to view the status of ATM Interfaces:
Router# show interfaces atm 0
ATM0 is up, line protocol is up
Hardware is PQUICC_SAR (with Alcatel ADSL Module)
Internet address is 14.0.0.16/8
MTU 1500 bytes, sub MTU 1500, BW 640 Kbit, DLY 80 usec, reliability 40/255, txload 1/255, rxload 1/255
Encapsulation ATM, loopback not set
Keepalive not supported
Encapsulation(s):AAL5, PVC mode
10 maximum active VCs, 1 current VCCs
VC idle disconnect time:300 seconds
Last input 01:16:31, output 01:16:31, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0 (size/max/drops); Total output drops:0
Queueing strategy:Per VC Queueing
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
512 packets input, 59780 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 1024 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
426 packets output, 46282 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
The following example shows how to view the status of Dialer Interfaces:
Router# show interfaces dialer 1
Dialer 1 is up, line protocol is up
Hardware is Dialer interface
Internet address is 1.1.1.1/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec, reliability
255/255. txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
LCP Closed
The table below describes possible command output for the show interfaces command.
Table 36: show interfaces Command Output Description
Output
For ATM Interfaces
ATM 0 is up, line protocol is up
ATM 0 is down, line protocol is down
Cause
The ATM line is up and operating correctly.
• The ATM interface has been disabled with the shutdown command.
or
• The ATM line is down, possibly because the
ADSL cable is disconnected or because the wrong type of cable is connected to the ATM port.
368
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers
ATM Troubleshooting Commands
Output
ATM 0.n is up, line protocol is up
Cause
The specified ATM subinterface is up and operating correctly.
ATM 0.n is administratively down, line protocol is down
The specified ATM subinterface has been disabled with the shutdown command.
ATM 0.n is down, line protocol is down The specified ATM subinterface is down, possibly because the ATM line has been disconnected (by the service provider).
For Ethernet/Fast Ethernet Interfaces
Ethernet/Fast Ethernet n is up, line protocol is up
For Dialer Interfaces
Dialer n is up, line protocol is up
The specified Ethernet/Fast Ethernet interface is connected to the network and operating correctly.
Ethernet/Fast Ethernet n is up, line protocol is down The specified Ethernet/Fast Ethernet interface has been correctly configured and enabled, but the
Ethernet cable might be disconnected from the LAN.
Ethernet/Fast Ethernet n is administratively down, line protocol is down
The specified Ethernet/Fast Ethernet interface has been disabled with the shutdown command, and the interface is disconnected.
The specified dialer interface is up and operating correctly.
Dialer n is down, line protocol is down
• This is a standard message and may not indicate anything is actually wrong with the configuration.
or
• If you are having problems with the specified dialer interface, this can mean it is not operating, possibly because the interface has been brought down with the shutdown command, or the
ADSL cable is disconnected.
ATM Troubleshooting Commands
Use the following commands to troubleshoot your ATM interface:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
369 OL-31704-02
Troubleshooting Cisco 800 Series Routers ping atm interface Command
ping atm interface Command
Use the ping atm interface command to determine whether a particular PVC is in use. The PVC does not need to be configured on the router to use this command. The below example shows the use of this command to determine whether PVC 8/35 is in use.
The following example shows how to determine if a PVC is in use:
Router# ping atm interface atm 0 8 35 seg-loopback
Type escape sequence to abort.
Sending 5, 53-byte segment OAM echoes, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/148/148 ms
This command sends five OAM F5 loopback packets to the DSLAM (segment OAM packets). If the PVC is configured at the DSLAM, the ping is successful.
To test whether the PVC is being used at the aggregator, enter the following command:
Router# ping atm interface atm 0 8 35 end-loopback
Type escape sequence to abort.
Sending 5, 53-byte end-to-end OAM echoes, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 400/401/404 ms
This command sends end-to-end OAM F5 packets, which are echoed back by the aggregator.
show atm interface Command
To display ATM-specific information about an ATM interface, use the show atm interface atm 0 command
from privileged EXEC mode.
The following example shows how to view information about an ATM interface:
Router# show atm interface atm 0
Interface ATM0:
AAL enabled: AAL5 , Maximum VCs:11, Current VCCs:0
Maximum Transmit Channels:0
Max. Datagram Size:1528
PLIM Type:INVALID - 640Kbps, Framing is INVALID,
DS3 lbo:short, TX clocking:LINE
0 input, 0 output, 0 IN fast, 0 OUT fast
Avail bw = 640
Config. is ACTIVE
The table below describes some of the fields shown in the command output.
Table 37: show atm interface Command Output Description
Field
ATM interface
AAL enabled
Description
Interface number. Always 0 for the Cisco 860 and
Cisco 880 series access routers.
Type of AAL enabled. The Cisco 860 and Cisco 880 series access routers support AAL5.
370
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers debug atm Commands
Field
Maximum VCs
Current VCCs
Maximum Transmit Channels
Max Datagram Size
PLIM Type
Description
Maximum number of virtual connections this interface supports.
Number of active virtual channel connections (VCCs).
Maximum number of transmit channels.
Configured maximum number of bytes in the largest datagram.
Physical layer interface module (PLIM) type.
debug atm Commands
Use the debug commands to troubleshoot configuration problems that you might be having on your network.
The debug commands provide extensive, informative displays to help you interpret any possible problems.
Guidelines for Using Debug Commands
Read the following guidelines before using debug commands to ensure appropriate results.
• All debug commands are entered in privileged EXEC mode.
• To view debugging messages on a console, enter the logging console debug command.
• Most debug commands take no arguments.
• To disable debugging, enter the undebug all command.
• To use debug commands during a Telnet session on your router, enter the terminal monitor command.
Caution Debugging is assigned a high priority in your router CPU process, and it can render your router unusable.
For this reason, use debug commands only to troubleshoot specific problems. The best time to use debug commands is during periods of low network traffic so that other activity on the network is not adversely affected.
You can find additional information and documentation about the debug commands in the Cisco IOS Debug
Command Reference .
debug atm errors Command
Use the debug atm errors command to display ATM errors. The no form of this command disables debugging output.
The following example shows how to view the ATM errors:
Router# debug atm errors
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
371
Troubleshooting Cisco 800 Series Routers debug atm Commands
ATM errors debugging is on
Router#
01:32:02:ATM(ATM0.2):VC(3) Bad SAP received 4500
01:32:04:ATM(ATM0.2):VC(3) Bad SAP received 4500
01:32:06:ATM(ATM0.2):VC(3) Bad SAP received 4500
01:32:08:ATM(ATM0.2):VC(3) Bad SAP received 4500
01:32:10:ATM(ATM0.2):VC(3) Bad SAP received 4500
debug atm events Command
Use the debug atm events command to display events that occur on the ATM interface processor and to diagnose problems in an ATM network. This command provides an overall picture of the stability of the network. The no form of this command disables debugging output.
If the interface is successfully communicating with the Digital Subscriber Line Access Multiplexer (DSLAM) at the telephone company, the modem state is 0x10. If the interface is not communicating with the DSLAM, the modem state is 0x8. Note that the modem state does not transition to 0x10.
The following example shows how to view the ATM interface processor events-success:
Router# debug atm events
Router#
00:02:57: DSL: Send ADSL_OPEN command.
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Sent command 0x5
00:02:57: DSL: Received response: 0x26
00:02:57: DSL: Unexpected response 0x26
00:02:57: DSL: Send ADSL_OPEN command.
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Sent command 0x5
00:03:00: DSL: 1: Modem state = 0x8
00:03:02: DSL: 2: Modem state = 0x10
00:03:05: DSL: 3: Modem state = 0x10
00:03:07: DSL: 4: Modem state = 0x10
00:03:09: DSL: Received response: 0x24
00:03:09: DSL: Showtime!
00:03:09: DSL: Sent command 0x11
00:03:09: DSL: Received response: 0x61
00:03:09: DSL: Read firmware revision 0x1A04
00:03:09: DSL: Sent command 0x31
00:03:09: DSL: Received response: 0x12
00:03:09: DSL: operation mode 0x0001
00:03:09: DSL: SM: [DMTDSL_DO_OPEN -> DMTDSL_SHOWTIME]
The following example shows how to view the ATM interface processor events—failure:
Router# debug atm events
Router#
00:02:57: DSL: Send ADSL_OPEN command.
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Sent command 0x5
00:02:57: DSL: Received response: 0x26
00:02:57: DSL: Unexpected response 0x26
00:02:57: DSL: Send ADSL_OPEN command.
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Using subfunction 0xA
00:02:57: DSL: Sent command 0x5
00:03:00: DSL: 1: Modem state = 0x8
00:03:00: DSL: 1: Modem state = 0x8
00:03:00: DSL: 1: Modem state = 0x8
00:03:00: DSL: 1: Modem state = 0x8
00:03:00: DSL: 1: Modem state = 0x8
00:03:00: DSL: 1: Modem state = 0x8
372
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers debug atm Commands
debug atm packet Command
Use the debug atm packet command to display all process-level ATM packets for both outbound and inbound packets. The output reports information online when a packet is received or a transmission is attempted. The
no form of this command disables debugging output.
Caution Because the debug atm packet command generates a significant amount of output for every packet processed, use it only when network traffic is low, so that other system activities are not adversely affected.
The command syntax is: debug atm packet [interface atm number [vcd vcd-number ][vc vpi/vci number]] no debug atm packet [interface atm number [vcd vcd-number ][vc vpi/vci number]] where the keywords are defined as follows:
interface atm number (Optional) ATM interface or subinterface number.
vcd vcd-number (Optional) Number of the virtual circuit designator (VCD).
vc vpi/vci number VPI/VCI value of the ATM PVC.
The below example shows sample output for the debug atm packet command.
Router# debug atm packet
Router#
01:23:48:ATM0(O):
VCD:0x1 VPI:0x1 VCI:0x64 DM:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
01:23:48:4500 0064 0008 0000 FF01 9F80 0E00 0010 0E00 0001 0800 A103 0AF3 17F7 0000
01:23:48:0000 004C BA10 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
01:23:48:ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
01:23:48:ABCD ABCD ABCD ABCD ABCD
01:23:48:
01:23:48:ATM0(I):
VCD:0x1 VPI:0x1 VCI:0x64 Type:0x0 SAP:AAAA CTL:03 OUI:000000 TYPE:0800 Length:0x70
01:23:48:4500 0064 0008 0000 FE01 A080 0E00 0001 0E00 0010 0000 A903 0AF3 17F7 0000
01:23:48:0000 004C BA10 ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
01:23:48:ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD ABCD
01:23:48:ABCD ABCD ABCD ABCD ABCD
01:23:48:
The table below describes some of the fields shown in the debug atm packet command output.
Table 38: debug atm packet Command Output Description
Field
ATM0
(O)
VCD: 0xn
VPI: 0xn
DM: 0xn
Description
Interface that is generating the packet.
Output packet. (I) would mean receive packet.
Virtual circuit associated with this packet, where n is some value.
Virtual path identifier for this packet, where n is some value.
Descriptor mode bits, where n is some value.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
373
Troubleshooting Cisco 800 Series Routers
Software Upgrade Methods
Field
Length: n
Description
Total length of the packet (in bytes) including the
ATM headers.
Software Upgrade Methods
Several methods are available for upgrading software on the Cisco 860 and Cisco 880 series Integrated Services
Routers, including:
• Copy the new software image to flash memory over the LAN or WAN while the existing Cisco IOS software image is operating.
• Copy the new software image to flash memory over the LAN while the boot image (ROM monitor) is operating.
• Copy the new software image over the console port while in ROM monitor mode.
• From ROM monitor mode, boot the router from a software image that is loaded on a TFTP server. To use this method, the TFTP server must be on the same LAN as the router.
Recovering a Lost Password
To recover a lost enable or lost enable-secret password:
1
Change the Configuration Register, on page 374
2
3
Reset the Password and Save Your Changes, on page 377
(for lost enable secret passwords only)
4
Reset the Configuration Register Value, on page 378
Note Recovering a lost password is only possible when you are connected to the router through the console port. These procedures cannot be performed through a Telnet session.
Tip See the “Hot Tips” section on Cisco.com for additional information on replacing enable secret passwords.
Change the Configuration Register
To change a configuration register, follow these steps:
374
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers
Change the Configuration Register
SUMMARY STEPS
1. Connect an ASCII terminal or a PC running a terminal emulation program to the CONSOLE port on the
Fthe router.
2. Configure the terminal to operate at 9600 baud, 8 data bits, no parity, and 1 stop bit.
3. At the privileged EXEC prompt (router_name #), enter the show version command to display the existing configuration register value (shown in bold at the bottom of this output example):
4. Record the setting of the configuration register.
5. To enable the break setting (indicated by the value of bit 8 in the configuration register), enter the
config-register 0x01 command from privileged EXEC mode.
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Step 5
Connect an ASCII terminal or a PC running a terminal emulation program to the CONSOLE port on the Fthe router.
Configure the terminal to operate at 9600 baud, 8 data bits, no parity, and 1 stop bit.
At the privileged EXEC prompt (router_name #), enter the show version command to display the existing configuration register value (shown in bold at the bottom of this output example):
Example:
Router# show version
Cisco IOS Software, C880 Software (C880-ADVENTERPRISEK9-M), Version 12.3(nightly
.PCBU_WIRELESS041110) NIGHTLY BUILD, synced to haw_t_pi1_pcbu HAW_T_PI1_PCBU_200
40924
Copyright (c) 1986-2004 by Cisco Systems, Inc.
Compiled Thu 11-Nov-04 03:37 by jsomebody
ROM: System Bootstrap, Version 1.0.0.6(20030916:100755) [jsomebody],
DEVELOPMENT SOFTWARE
Router uptime is 2467 minutes
System returned to ROM by power-on
System image file is "flash:c880-adventerprisek9-mz.pcbu_wireless.041110"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply use. Delivery of Cisco cryptographic products does not imply
Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to [email protected].
Cisco 877 (MPC8272) processor (revision 0x00) with 59392K/6144K bytes of memory.
Processor board ID
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
Record the setting of the configuration register.
To enable the break setting (indicated by the value of bit 8 in the configuration register), enter the config-register 0x01 command from privileged EXEC mode.
• Break enabled—Bit 8 is set to 0.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
375
Troubleshooting Cisco 800 Series Routers
Change the Configuration Register
• Break disabled (default setting)—Bit 8 is set to 1.
Reset the Router
To reset the router, follow these steps:
SUMMARY STEPS
1. If break is enabled, go to
. If break is disabled, turn the router off (O), wait 5 seconds, and turn it on (|) again. Within 60 seconds, press the Break key. The terminal displays the ROM monitor prompt. Go to
.
2. Press break. The terminal displays the following prompt:
3. Enter confreg 0x142 to reset the configuration register:
4. Initialize the router by entering the reset command:
5. Enter no in response to the prompts until the following message is displayed:
6. Press Return. The following prompt appears:
7. Enter the enable command to enter enable mode. Configuration changes can be made only in enable mode:
8. Enter the show startup-config command to display an enable password in the configuration file:
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
If break is enabled, go to
. If break is disabled, turn the router off (O), wait 5 seconds, and turn it on
(|) again. Within 60 seconds, press the Break key. The terminal displays the ROM monitor prompt. Go to
page 376 .
Note Some terminal keyboards have a key labeled Break . If your keyboard does not have a Break key, see the documentation that came with the terminal for instructions on how to send a break.
Press break. The terminal displays the following prompt:
Example: rommon 2>
Enter confreg 0x142 to reset the configuration register:
Example: rommon 2> confreg 0x142
Initialize the router by entering the reset command:
Example: rommon 2> reset
The router cycles its power, and the configuration register is set to 0x142. The router uses the boot ROM system image, indicated by the system configuration dialog:
376
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers
Reset the Password and Save Your Changes
Step 5
Step 6
Step 7
Step 8
Example:
--- System Configuration Dialog ---
Enter no in response to the prompts until the following message is displayed:
Example:
Press RETURN to get started!
Press Return. The following prompt appears:
Example:
Router>
Enter the enable command to enter enable mode. Configuration changes can be made only in enable mode:
Example:
Router> enable
The prompt changes to the privileged EXEC prompt:
Example:
Router#
Enter the show startup-config command to display an enable password in the configuration file:
Example:
Router# show startup-config
What to Do Next
If you are recovering an enable password, do not perform the steps in the following
Save Your Changes, on page 377
section. Instead, complete the password recovery process by performing the steps in the
Reset the Configuration Register Value, on page 378
section.
If you are recovering an enable secret password, it is not displayed in the show startup-config command output. Complete the password recovery process by performing the steps in the following
Reset the Password and Save Your Changes, on page 377
section.
Reset the Password and Save Your Changes
To reset your password and save the changes, follow these steps:
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
377
Troubleshooting Cisco 800 Series Routers
Reset the Configuration Register Value
SUMMARY STEPS
1. Enter the configure terminal command to enter global configuration mode:
2. Enter the enable secret command to reset the enable secret password in the router:
3. Enter exit to exit global configuration mode:
4. Save your configuration changes:
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Enter the configure terminal command to enter global configuration mode:
Example:
Router# configure terminal
Enter the enable secret command to reset the enable secret password in the router:
Example:
Router(config)# enable secret password
Enter exit to exit global configuration mode:
Example:
Router(config)# exit
Save your configuration changes:
Example:
Router# copy running-config startup-config
Reset the Configuration Register Value
To reset the configuration register value after you have recovered or reconfigured a password, follow these steps:
SUMMARY STEPS
1. Enter the configure terminal command to enter global configuration mode:
2. Enter the configure register command and the original configuration register value that you recorded.
3. Enter exit to exit configuration mode:
4. Reboot the router, and enter the recovered password.
378
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Troubleshooting Cisco 800 Series Routers
Cisco Configuration Professional Express
DETAILED STEPS
Step 1
Step 2
Step 3
Step 4
Enter the configure terminal command to enter global configuration mode:
Example:
Router# configure terminal
Enter the configure register command and the original configuration register value that you recorded.
Example:
Router(config)# config-reg value
Enter exit to exit configuration mode:
Example:
Router(config)# exit
Note To return to the configuration being used before you recovered the lost enable password, do not save the configuration changes before rebooting the router.
Reboot the router, and enter the recovered password.
Cisco Configuration Professional Express
After you connect the cables and power up the router, we recommend that you use the Cisco CP Express web-based application to configure the initial router settings.
For instructions on how to use Cisco CP Express to configure the router see the Cisco CP Express User’s
Guide .
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
379
Cisco Configuration Professional Express
Troubleshooting Cisco 800 Series Routers
380
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
A P P E N D I X
A
Cisco IOS Software Basic Skills
Understanding how to use Cisco IOS software can save you time when you are configuring your router. If you are already familiar with Cisco IOS software, go to one of the following chapters:
•
•
This appendix contains the following sections which provide basic information:
•
Configuring the Router from a PC, page 381
•
Understanding Command Modes, page 382
•
•
Enable Secret Passwords and Enable Passwords, page 385
•
Entering Global Configuration Mode, page 386
•
•
Saving Configuration Changes, page 388
•
Configuring the Router from a PC
You can configure your router from a PC that is connected through the console port by using terminal emulation software. The PC uses this software to send commands to your router. The table below lists some common types of terminal emulation software that you can use, depending on the operating system that you are running.
Table 39: Types of Terminal Emulation Software
PC Operating System Terminal Emulation Software
Windows 95, Windows 98, Windows 2000, Windows
NT, Windows XP
HyperTerm (included with Windows software),
ProComm Plus
Windows 3.1
Terminal (included with Windows software)
Cisco 800 Series Integrated Services Routers Software Configuration Guide
381 OL-31704-02
Cisco IOS Software Basic Skills
Understanding Command Modes
PC Operating System
Macintosh
Terminal Emulation Software
ProComm, VersaTerm
You can use the terminal emulation software to change settings for the router that is connected to the PC.
Configure the software to the following standard VT-100 emulation settings so that your PC can communicate with your router:
• 9600 baud
• 8 data bits
• No parity
• 1 stop bit
• No flow control
These settings should match the default settings of your router. To change the router baud, data bits, parity, or stop bits settings, you must reconfigure parameters in the ROM monitor. For more information, see ROM
Monitor .
To change the router flow control setting, use the flowcontrol command in global configuration mode.
For information on how to enter global configuration mode so that you can configure your router, see the
Entering Global Configuration Mode, on page 386
section later in this chapter.
Understanding Command Modes
This section describes the Cisco IOS command mode structure. Each command mode supports specific Cisco
IOS commands. For example, you can use the interface type number command only from global configuration mode.
The following Cisco IOS command modes are hierarchical. When you begin a router session, you are in user
EXEC mode.
• User EXEC
• Privileged EXEC
• Global configuration
The table below lists the command modes that are used in this guide, describes how to access each mode, shows the prompt for each mode, and explains how to exit to a mode or enter another mode. Because each mode configures different router elements, you might need to enter and exit modes frequently. You can see a list of available commands for a particular mode by entering a question mark (?) at the prompt. For a description of each command, including syntax, see the Cisco IOS Release 12.3 documentation set.
382
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Cisco IOS Software Basic Skills
Understanding Command Modes
Table 40: Command Modes Summary
Mode
User EXEC
Privileged EXEC
Access Method
Begin a session with your router.
Enter the enable command from user
EXEC mode.
Prompt
Router>
Router#
Global configuration Enter the configure command from privileged EXEC mode.
Router (config)#
Mode Exit and Entrance About This Mode
To exit a router session, enter the logout command.
Use this mode to:
• Change terminal settings.
• Perform basic tests.
• Display system information.
• To exit to user
EXEC mode, enter the disable command.
Use this mode to:
• Configure your router operating parameters.
• To enter global configuration mode, enter the configure command.
• Perform the verification steps shown in this guide.
To prevent unauthorized changes to your router configuration, protect access to this mode by using a password as described in the
page 385 .
• To exit to privileged EXEC mode, enter the
exit or end command, or press
Ctrl-Z.
Use this mode to configure parameters that apply to your router globally.
From this mode you can access the following modes:
• To enter interface configuration mode, enter the interface command.
• Interface configuration
• Router configuration
• Line configuration
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
383
Cisco IOS Software Basic Skills
Getting Help
Mode
Interface configuration
Access Method
Enter the interface command (with a specific interface, such as interface atm 0) from global configuration mode.
Prompt
Router (config-if)#
Router configuration Enter one of the router commands followed by the appropriate keyword—for example
router rip—from global configuration mode.
Router (config- router)#
Mode Exit and Entrance About This Mode
• To exit to global configuration mode, enter the
exit command.
• To exit to privileged EXEC mode, enter the
end command, or press Ctrl-Z.
• To enter subinterface configuration mode, specify a subinterface by using the interface command.
Use this mode to configure parameters for the router Ethernet and serial interfaces or subinterfaces.
• To exit to global configuration mode, enter the
exit command.
• To exit to privileged EXEC mode, enter the
end command, or press Ctrl-Z.
Use this mode to configure an IP routing protocol.
Line configuration Enter the line command with the desired line number and optional line type, for example, line 0, from global configuration mode.
Router (config- line)#
• To exit to global configuration mode, enter the
exit command.
• To exit to privileged EXEC mode, enter the
end command, or press Ctrl-Z.
Use this mode to configure parameters for the terminal line.
Getting Help
You can use the question mark (?) and arrow keys to help you enter commands.
384
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Cisco IOS Software Basic Skills
Enable Secret Passwords and Enable Passwords
For a list of available commands for a prticular command mode, enter a question mark:
.
.
.
Router> ?
access-enable access-profile clear
Create a temporary access-list entry
Apply user-profile to interface
Reset functions
To complete a command, enter a few known characters followed by a question mark (with no space):
Router> sh?
* s=show set show slip systat
For a list of command variables, enter the command followed by a space and a question mark:
Router> show ?
.
.
.
clock Display the system clock dialer Dialer parameters and statistics exception exception information
.
.
.
To redisplay a command that you previously entered, press the Up Arrow key. You can continue to press the
Up Arrow key for more commands.
Enable Secret Passwords and Enable Passwords
By default, the router ships without password protection. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use.
You can use two commands to do this:
• enable secret password—A very secure, encrypted password.
• enable password—A less secure, unencrypted local password.
Both the enable and enable secret passwords control access to various privilege levels (0 to 15). The enable password is intended for local use and is thus unencrypted. The enable secret password is intended for network use; that is, in environments where the password crosses the network or is stored on a TFTP server. You must enter an enable secret or enable password with a privilege level of 1 to gain access to privileged EXEC mode commands.
For maximum security, the passwords should be different. If you enter the same password for both during the setup process, your router accepts the passwords, but warns you that they should be different.
An enable secret password can contain from 1 to 25 uppercase and lowercase alphanumeric characters. An
enable password can contain any number of uppercase and lowercase alphanumeric characters. In both cases, a number cannot be the first character. Spaces are also valid password characters; for example, two words is a valid password. Leading spaces are ignored; trailing spaces are recognized.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
385 OL-31704-02
Cisco IOS Software Basic Skills
Entering Global Configuration Mode
Entering Global Configuration Mode
To make any configuration changes to your router, you must be in global configuration mode. This section describes how to enter global configuration mode while using a terminal or PC that is connected to your router console port.
To enter global configuration mode, follow these steps:
SUMMARY STEPS
1. After your router boots up, enter the enable or enable secret command:
2. If you have configured your router with an enable password, enter it when you are prompted.
3. Enter the configure terminal command to enter global configuration mode:
DETAILED STEPS
Step 1
Step 2
Step 3
After your router boots up, enter the enable or enable secret command:
Example:
Router> enable
If you have configured your router with an enable password, enter it when you are prompted.
The enable password does not appear on the screen when you enter it. This example shows how to enter privileged EXEC mode:
Example:
Password: enable_password
Router#
Privileged EXEC mode is indicated by the pound sign (#) in the prompt. You can now make changes to your router configuration.
Enter the configure terminal command to enter global configuration mode:
Example:
Router# configure terminal
Router(config)#
You can now make changes to your router configuration.
Using Commands
This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).
386
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Cisco IOS Software Basic Skills
Abbreviating Commands
Abbreviating Commands
You only have to enter enough characters for the router to recognize the command as unique. This example shows how to enter the show version command:
Router # sh v
Undoing Commands
If you want to disable a feature or undo a command that you entered, you can enter the keyword no before most commands; for example, no ip routing.
Command-Line Error Messages
The table below lists some error messages that you might encounter while using the CLI to configure your router.
Table 41: Common CLI Error Messages
Error Message
% Ambiguous command:
"show con"
% Incomplete command.
Meaning
You did not enter enough characters for your router to recognize the command.
How to Get Help
Reenter the command, followed by a question mark (?) with no space between the command and the question mark.
The possible keywords that you can enter with the command are displayed.
You did not enter all the keywords or values required by this command.
Reenter the command, followed by a question mark (?) with no space between the command and the question mark.
The possible keywords that you can enter with the command are displayed.
% Invalid input detected at
‘^’ marker.
You entered the command incorrectly. The error occurred where the caret mark (^) appears.
Enter a question mark (?) to display all the commands that are available in this particular command mode.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
387
Cisco IOS Software Basic Skills
Saving Configuration Changes
Saving Configuration Changes
You must enter the copy running-config startup-config command to save your configuration changes to
NVRAM so that they are not lost if there is a system reload or power outage. This example shows how to use this command to save your changes:
Router# copy running-config startup-config
Destination filename [startup-config]?
Press Return to accept the default destination filename startup-config , or enter your desired destination filename and press Return.
It might take a minute or two to save the configuration to NVRAM. After the configuration has been saved, the following message appears:
Building configuration...
Router#
Summary
Now that you have reviewed some Cisco IOS software basics, you can begin to configure your router.
Remember:
• You can use the question mark (?) and arrow keys to help you enter commands.
• Each command mode restricts you to a set of commands. If you are having difficulty entering a command, check the prompt, and then enter the question mark (?) for a list of available commands. You might be in the wrong command mode or using the wrong syntax.
• To disable a feature, enter the keyword no before the command; for example, no ip routing.
• Save your configuration changes to NVRAM so that they are not lost if there is a system reload or power outage.
Where to Go Next:
To configure your router, go to
and
388
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
A P P E N D I X
B
Concepts
This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers.
•
•
•
•
Routing Protocol Options, page 390
•
PPP Authentication Protocols, page 391
•
•
Network Address Translation, page 393
•
•
•
•
•
•
ADSL
OL-31704-02
ADSL is a technology that allows both data and voice to be transmitted over the same line. It is a packet-based network technology that allows high-speed transmission over twisted-pair copper wire on the local loop (“last mile”) between a network service provider (NSP) central office and the customer site, or on local loops created within either a building or a campus.
The benefit of ADSL over a serial or dialup line is that it is always on and always connected, increasing bandwidth and lowering the costs compared with a dialup or leased line. ADSL technology is asymmetric in that it allows more bandwidth from an NSP central office to the customer site than from the customer site to the central office. This asymmetry, combined with always-on access (which eliminates call setup), makes
ADSL ideal for Internet and intranet surfing, video on demand, and remote LAN access.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
389
Concepts
SHDSL
SHDSL
SHDSL is a technology based on the G.SHDSL (G.991.2) standard that allows both data and voice to be transmitted over the same line. SHDSL is a packet-based network technology that allows high-speed transmission over twisted-pair copper wire between a network service provider (NSP) central office and a customer site, or on local loops created within either a building or a campus.
G.SHDSL devices can extend the reach from central offices and remote terminals to approximately 26,000 feet (7925 m), at symmetrical data rates from 72 kbps up to 2.3 Mbps. In addition, it is repeatable at lower speeds, which means there is virtually no limit to its reach.
SHDSL technology is symmetric in that it allows equal bandwidth between an NSP central office and a customer site. This symmetry, combined with always-on access (which eliminates call setup), makes SHDSL ideal for LAN access.
Network Protocols
Network protocols enable the network to pass data from its source to a specific destination over LAN or WAN links. Routing address tables are included in the network protocols to provide the best path for moving the data through the network.
IP
The best-known Transmission Control Protocol/Internet Protocol (TCP/IP) at the internetwork layer is IP, which provides the basic packet delivery service for all TCP/IP networks. In addition to the physical node addresses, the IP protocol implements a system of logical host addresses called IP addresses. The IP addresses are used by the internetwork and higher layers to identify devices and to perform internetwork routing. The
Address Resolution Protocol (ARP) enables IP to identify the physical address that matches a given IP address.
IP is used by all protocols in the layers above and below it to deliver data, which means that all TCP/IP data flows through IP when it is sent and received regardless of its final destination.
IP is a connectionless protocol, which means that IP does not exchange control information (called a handshake) to establish an end-to-end connection before transmitting data. In contrast, a connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. When the handshaking is successful, the computers have established a connection. IP relies on protocols in other layers to establish the connection if connection-oriented services are required.
Internet Packet Exchange (IPX) exchanges routing information using Routing Information Protocol (RIP), a dynamic distance-vector routing protocol. RIP is described in more detail in the following sections.
Routing Protocol Options
Routing protocols include the following:
• Routing Information Protocol (RIP)
• Enhanced Interior Gateway Routing Protocol (Enhanced IGRP)
The table below shows the difference between RIP and Enhanced IGRP.
390
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Concepts
RIP
Table 42: RIP and Enhanced IGRP Comparison
Protocol
RIP
Enhanced IGRP
Ideal Topology
Suited for topologies with
15 or fewer hops.
Hop count. Maximum hop count is 15. Best route is one with lowest hop count.
Suited for large topologies with 16 or more hops to reach a destination.
Metric Routing Updates
By default, every 30 seconds. You can reconfigure this value and also use triggered extensions to RIP.
Distance information.
Based on a successor, which is a neighboring router that has a least-cost path to a destination that is guaranteed to not be part of a routing loop.
Hello packets sent every
5 seconds, as well as incremental updates sent when the state of a destination changes.
RIP
RIP is an associated protocol for IP, and is widely used for routing protocol traffic over the Internet. RIP is a distance-vector routing protocol, which means that it uses distance (hop count) as its metric for route selection.
Hop count is the number of routers that a packet must traverse to reach its destination. For example, if a particular route has a hop count of 2, then a packet must traverse two routers to reach its destination.
By default, RIP routing updates are broadcast every 30 seconds. You can reconfigure the interval at which the routing updates are broadcast. You can also configure triggered extensions to RIP so that routing updates are sent only when the routing database is updated. For more information on triggered extensions to RIP, see the Cisco IOS Release 12.3 documentation set.
Enhanced IGRP
Enhanced IGRP is an advanced Cisco-proprietary distance-vector and link-state routing protocol, which means it uses a metric more sophisticated than distance (hop count) for route selection. Enhanced IGRP uses a metric based on a successor, which is a neighboring router that has a least-cost path to a destination that is guaranteed not to be part of a routing loop. If a successor for a particular destination does not exist but neighbors advertise the destination, the router must recompute a route.
Each router that is running Enhanced IGRP sends hello packets every 5 seconds to inform neighboring routers that it is functioning. If a particular router does not send a hello packet within a prescribed period, Enhanced
IGRP assumes that the state of a destination has changed and sends an incremental update.
Because Enhanced IGRP supports IP, you can use one routing protocol for multiprotocol network environments, minimizing the size of the routing tables and the amount of routing information.
PPP Authentication Protocols
The Point-to-Point Protocol (PPP) encapsulates network-layer protocol information over point-to-point links.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
391 OL-31704-02
Concepts
PAP
PAP
CHAP
PPP originated as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation. PPP supports these functions by providing an extensible Link Control Protocol
(LCP) and a family of Network Control Protocols (NCPs) to negotiate optional configuration parameters and facilities.
The current implementation of PPP supports two security authentication protocols to authenticate a PPP session:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
PPP with PAP or CHAP authentication is often used to inform the central site which remote routers are connected to it.
PAP uses a two-way handshake to verify the passwords between routers. To understand how PAP works, imagine a network topology in which a remote office Cisco router is connected to a corporate office Cisco router. After the PPP link is established, the remote office router repeatedly sends a configured username and password until the corporate office router accepts the authentication.
PAP has the following characteristics:
• The password portion of the authentication is sent across the link in clear text (not scrambled or encrypted).
• PAP provides no protection from playback or repeated trial-and-error attacks.
• The remote office router controls the frequency and timing of the authentication attempts.
CHAP uses a three-way handshake to verify passwords. To understand how CHAP works, imagine a network topology in which a remote office Cisco router is connected to a corporate office Cisco router.
After the PPP link is established, the corporate office router sends a challenge message to the remote office router. The remote office router responds with a variable value. The corporate office router checks the response against its own calculation of the value. If the values match, the corporate office router accepts the authentication. The authentication process can be repeated anytime after the link is established.
CHAP has the following characteristics:
• The authentication process uses a variable challenge value rather than a password.
• CHAP protects against playback attack through the use of the variable challenge value, which is unique and unpredictable. Repeated challenges limit the time of exposure to any single attack.
• The corporate office router controls the frequency and timing of the authentication attempts.
392
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Concepts
TACACS+
Note We recommend using CHAP because it is the more secure of the two protocols.
TACACS+
Cisco 860 and Cisco 880 series routers support the Terminal Access Controller Access Control System Plus
(TACACS+) protocol through Telnet. TACACS+ is a Cisco-proprietary authentication protocol that provides remote access authentication and related network security services, such as event logging. User passwords are administered in a central database rather than in individual routers. TACACS+ also provides support for separate modular authentication, authorization, and accounting (AAA) facilities that are configured at individual routers.
Network Address Translation
Network Address Translation (NAT) provides a mechanism for a privately addressed network to access registered networks, such as the Internet, without requiring a registered subnet address. This mechanism eliminates the need for host renumbering and allows the same IP address range to be used in multiple intranets.
NAT is configured on the router at the border of an inside network (a network that uses nonregistered IP addresses) and an outside network (a network that uses a globally unique IP address; in this case, the Internet).
NAT translates the inside local addresses (the nonregistered IP addresses assigned to hosts on the inside network) into globally unique IP addresses before sending packets to the outside network.
With NAT, the inside network continues to use its existing private or obsolete addresses. These addresses are converted into legal addresses before packets are forwarded onto the outside network. The translation function is compatible with standard routing; the feature is required only on the router connecting the inside network to the outside domain.
Translations can be static or dynamic. A static address translation establishes a one-to-one mapping between the inside network and the outside domain. Dynamic address translations are defined by describing the local addresses to be translated and the pool of addresses from which to allocate outside addresses. Allocation occurs in numeric order, and multiple pools of contiguous address blocks can be defined.
NAT eliminates the need to readdress all hosts that require external access, saving time and money. It also conserves addresses through application port-level multiplexing. With NAT, internal hosts can share a single registered IP address for all external communications. In this type of configuration, relatively few external addresses are required to support many internal hosts, thus conserving IP addresses.
Because the addressing scheme on the inside network may conflict with registered addresses already assigned within the Internet, NAT can support a separate address pool for overlapping networks and translate as appropriate.
Easy IP (Phase 1)
The Easy IP (Phase 1) feature combines Network Address Translation (NAT) and PPP/Internet Protocol
Control Protocol (IPCP). This feature enables a Cisco router to automatically negotiate its own registered
WAN interface IP address from a central server and to enable all remote hosts to access the Internet using this single registered IP address. Because Easy IP (Phase 1) uses existing port-level multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
393 OL-31704-02
Concepts
Easy IP (Phase 2)
The Easy IP (Phase 1) feature combines NAT and PPP/IPCP. With NAT, the router translates the nonregistered
IP addresses used by the LAN devices into the globally unique IP address used by the dialer interface. The ability of multiple LAN devices to use the same globally unique IP address is known as overloading. NAT is configured on the router at the border of an inside network (a network that uses nonregistered IP addresses) and an outside network (a network that uses a globally unique IP address; in this case, the Internet).
With PPP/IPCP, Cisco routers automatically negotiate a globally unique (registered) IP address for the dialer interface from the ISP router.
Easy IP (Phase 2)
The Easy IP (Phase 2) feature combines Dynamic Host Configuration Protocol (DHCP) server and relay.
DHCP is a client-server protocol that enables devices on an IP network (the DHCP clients) to request configuration information from a DHCP server. DHCP allocates network addresses from a central pool on an as-needed basis. DHCP is useful for assigning IP addresses to hosts that are temporarily connected to the network or for sharing a limited pool of IP addresses among a group of hosts that do not need permanent IP addresses.
DHCP frees you from having to assign an IP address to each client manually.
DHCP configures the router to forward User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients. DHCP allows for increased automation and fewer network administration problems by:
• Eliminating the need for the manual configuration of individual computers, printers, and shared file systems
• Preventing the simultaneous use of the same IP address by two clients
• Allowing configuration from a central site
Network Interfaces
This section describes the network interface protocols that Cisco 860 and Cisco 880 series routers support.
The following network interface protocols are supported:
• Ethernet
• ATM for DSL
Ethernet
Ethernet is a baseband LAN protocol that transports data and voice packets to the WAN interface using carrier sense multiple access collision detect (CSMA/CD). The term is now often used to refer to all CSMA/CD
LANs. Ethernet was designed to serve in networks with sporadic, occasionally heavy traffic requirements.
The IEEE 802.3 specification was developed in 1980, based on the original Ethernet technology.
Under the Ethernet CSMA/CD media-access process, any host on a CSMA/CD LAN can access the network at any time. Before sending data, CSMA/CD hosts listen for traffic on the network. A host wanting to send data waits until it detects no traffic before it transmits. Ethernet allows any host on the network to transmit whenever the network is quiet. A collision occurs when two hosts listen for traffic, hear none, and then transmit
394
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Concepts
ATM for DSL simultaneously. In this situation, both transmissions are damaged, and the hosts must retransmit at some later time. Algorithms determine when the colliding hosts should retransmit.
ATM for DSL
Asynchronous Transfer Mode (ATM) is a high-speed multiplexing and switching protocol that supports multiple traffic types, including voice, data, video, and imaging.
ATM is composed of fixed-length cells that switch and multiplex all information for the network. An ATM connection is simply used to transfer bits of information to a destination router or host. The ATM network is considered a LAN with high bandwidth availability. Unlike a LAN, which is connectionless, ATM requires certain features to provide a LAN environment to the users.
Each ATM node must establish a separate connection to every node in the ATM network that it needs to communicate with. All such connections are established through a permanent virtual circuit (PVC).
PVC
A PVC is a connection between remote hosts and routers. A PVC is established for each ATM end node with which the router communicates. The characteristics of the PVC that are established when it is created are set by the ATM adaptation layer (AAL) and the encapsulation type. An AAL defines the conversion of user information into cells. An AAL segments upper-layer information into cells at the transmitter and reassembles the cells at the receiver.
Cisco routers support the AAL5 format, which provides a streamlined data transport service that functions with less overhead and affords better error detection and correction capabilities than AAL3/4. AAL5 is typically associated with variable bit rate (VBR) traffic and unspecified bit rate (UBR) traffic.
ATM encapsulation is the wrapping of data in a particular protocol header. The type of router that you are connecting to determines the type of ATM PVC encapsulation.
The routers support the following encapsulation types for ATM PVCs:
• LLC/SNAP (RFC 1483)
• VC-MUX (RFC 1483)
• PPP (RFC 2364)
Each PVC is considered a complete and separate link to a destination node. Users can encapsulate data as needed across the connection. The ATM network disregards the contents of the data. The only requirement is that data be sent to the ATM subsystem of the router in a manner that follows the specific AAL format.
Dialer Interface
A dialer interface assigns PPP features (such as authentication and IP address assignment method) to a PVC.
Dialer interfaces are used when configuring PPP over ATM.
Dialer interfaces can be configured independently of any physical interface and applied dynamically as needed.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
395
Concepts
Dial Backup
Dial Backup
Dial backup provides protection against WAN downtime by allowing a user to configure a backup modem line connection. The following can be used to bring up the dial backup feature in Cisco IOS software:
Backup Interface
A backup interface is an interface that stays idle until certain circumstances occur, such as WAN downtime, at which point it is activated. The backup interface can be a physical interface such as a Basic Rate Interface
(BRI), or an assigned backup dialer interface to be used in a dialer pool. While the primary line is up, the backup interface is placed in standby mode. In standby mode, the backup interface is effectively shut down until it is enabled. Any route associated with the backup interface does not appear in the routing table.
Because the backup interface command is dependent on the router’s identifying that an interface is physically down, it is commonly used to back up ISDN BRI connections, asynchronous lines, and leased lines. The interfaces to such connections go down when the primary line fails, and the backup interface quickly identifies such failures.
Floating Static Routes
Floating static routes are static routes that have an administrative distance greater than the administrative distance of dynamic routes. Administrative distances can be configured on a static route so that the static route is less desirable than a dynamic route. In this manner, the static route is not used when the dynamic route is available. However, if the dynamic route is lost, the static route can take over, and the traffic can be sent through this alternative route. If this alternative route uses a dial-on-demand routing (DDR) interface, then that interface can be used as a backup feature.
Dialer Watch
Dialer watch is a backup feature that integrates dial backup with routing capabilities. Dialer watch provides reliable connectivity without having to define traffic of interest to trigger outgoing calls at the central router.
Hence, dialer watch can be considered regular DDR with no requirement for traffic of interest. By configuring a set of watched routes that define the primary interface, you can monitor and track the status of the primary interface as watched routes are added and deleted.
When a watched route is deleted, dialer watch checks for at least one valid route for any of the IP addresses or networks being watched. If there is no valid route, the primary line is considered down and unusable. If there is a valid route for at least one of the watched IP networks defined and the route is pointing to an interface other than the backup interface configured for dialer watch, the primary link is considered up and dialer watch does not initiate the backup link.
QoS
QoS refers to the capability of a network to provide better service to selected network traffic over various technologies, including ATM, Ethernet and IEEE 802.1 networks, and IP-routed networks that may use any or all of these underlying technologies. Primary goals of QoS include dedicated bandwidth, controlled jitter
396
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Concepts
IP Precedence and latency (required by some real-time and interactive traffic), and improved loss characteristics. QoS technologies provide the elemental building blocks for future business applications in campus, WAN, and service provider networks.
QoS must be configured throughout your network, not just on your router running VoIP, to improve voice network performance. Not all QoS techniques are appropriate for all network routers. Edge routers and backbone routers in your network do not necessarily perform the same operations; the QoS tasks they perform might differ as well. To configure your IP network for real-time voice traffic, you need to consider the functions of both edge and backbone routers in your network.
QoS software enables complex networks to control and predictably service a variety of networked applications and traffic types. Almost any network can take advantage of QoS for optimum efficiency, whether it is a small corporate network, an Internet service provider, or an enterprise network.
IP Precedence
You can partition traffic in up to six classes of service using IP Precedence (two others classes are reserved for internal network use). The queuing technologies throughout the network can then use this signal to expedite handling.
Features such as policy-based routing and committed access rate (CAR) can be used to set precedence based on extended access-list classification. This allows considerable flexibility for precedence assignment, including assignment by application or user, by destination and source subnet, and so on. Typically this functionality is deployed as close to the edge of the network (or administrative domain) as possible, so that each subsequent network element can provide service based on the determined policy.
IP Precedence can also be set in the host or network client with the signaling used optionally. IP Precedence enables service classes to be established using existing network queuing mechanisms (such as class-based weighted fair queueing [CBWFQ]) with no changes to existing applications or complicated network requirements.
PPP Fragmentation and Interleaving
With multiclass multilink PPP interleaving, large packets can be multilink-encapsulated and fragmented into smaller packets to satisfy the delay requirements of real-time voice traffic; small real-time packets, which are not multilink encapsulated, are transmitted between fragments of the large packets. The interleaving feature also provides a special transmit queue for the smaller, delay-sensitive packets, enabling them to be transmitted earlier than other flows. Interleaving provides the delay bounds for delay-sensitive voice packets on a slow link that is used for other best-effort traffic.
In general, multilink PPP with interleaving is used in conjunction with CBWFQ and RSVP or IP Precedence to ensure voice packet delivery. Use multilink PPP with interleaving and CBWFQ to define how data is managed; use Resource Reservation Protocol (RSVP) or IP Precedence to give priority to voice packets.
CBWFQ
In general, class-based weighted fair queuing (CBWFQ) is used in conjunction with multilink PPP and interleaving and RSVP or IP Precedence to ensure voice packet delivery. CBWFQ is used with multilink PPP to define how data is managed; RSVP or IP Precedence is used to give priority to voice packets.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
397
Concepts
RSVP
There are two levels of queuing; ATM queues and Cisco IOS queues. CBWFQ is applied to Cisco IOS queues.
A first-in-first-out (FIFO) Cisco IOS queue is automatically created when a PVC is created. If you use CBWFQ to create classes and attach them to a PVC, a queue is created for each class.
CBWFQ ensures that queues have sufficient bandwidth and that traffic gets predictable service. Low-volume traffic streams are preferred; high-volume traffic streams share the remaining capacity, obtaining equal or proportional bandwidth.
RSVP
RSVP enables routers to reserve enough bandwidth on an interface to ensure reliability and quality performance.
RSVP allows end systems to request a particular QoS from the network. Real-time voice traffic requires network consistency. Without consistent QoS, real-time traffic can experience jitter, insufficient bandwidth, delay variations, or information loss. RSVP works in conjunction with current queuing mechanisms. It is up to the interface queuing mechanism (such as CBWFQ) to implement the reservation.
RSVP works well on PPP, HDLC, and similar serial-line interfaces. It does not work well on multi-access
LANs. RSVP can be equated to a dynamic access list for packet flows.
You should configure RSVP to ensure QoS if the following conditions describe your network:
• Small-scale voice network implementation
• Links slower than 2 Mbps
• Links with high utilization
• Need for the best possible voice quality
Low Latency Queuing
Low latency queuing (LLQ) provides a low-latency strict priority transmit queue for real-time traffic. Strict priority queuing allows delay-sensitive data to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic.
Access Lists
With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.
398
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
A P P E N D I X
C
ROM Monitor
The ROM monitor firmware runs when the router is powered up or reset. The firmware helps to initialize the processor hardware and boot the operating system software. You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.
This appendix contains the following sections:
•
Entering the ROM Monitor, page 399
•
ROM Monitor Commands, page 400
•
ROM Monitor Command Descriptions, page 401
•
Disaster Recovery with TFTP Download, page 402
•
Configuration Register, page 405
•
•
ROM Monitor Debug Commands, page 407
•
Exiting the ROM Monitor, page 409
Entering the ROM Monitor
To use the ROM monitor, you must be using a terminal or PC that is connected to the router over the console port.
Perform these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted.
SUMMARY STEPS
1. enable
2. configure terminal
3. config-reg 0x0
4. exit
5. reload
Cisco 800 Series Integrated Services Routers Software Configuration Guide
399 OL-31704-02
ROM Monitor
ROM Monitor Commands
DETAILED STEPS
Step 1
Command or Action enable
Step 2
Step 3
Step 4
Step 5 configure terminal config-reg 0x0 exit reload
Purpose
Enters privileged EXEC mode.
Enter your password if prompted.
Enters global configuration mode.
Resets the configuration register.
Exits global configuration mode.
Reboots the router with the new configuration register value. The router remains in
ROM monitor and does not boot the Cisco IOS software.
As long as the configuration value is 0x0, you must manually boot the operating system from the console. See the boot command in the “
” section in this appendix.
After the router reboots, it is in ROM monitor mode. The number in the prompt increments with each new line.
What to Do Next
Timesaver Break (system interrupt) is always enabled for 60 seconds after the router reboots, regardless of whether it is set to on or off in the configuration register. During this 60-second window, you can break to the
ROM monitor prompt by pressing the Break key.
ROM Monitor Commands
Enter ? or help at the ROM monitor prompt to display a list of available commands and options, as follows: rommon 1 > ?
alias set and display aliases command boot break confreg cont boot up an external process set/show/clear the breakpoint configuration register utility continue executing a downloaded image context cookie copy delete dir display the context of a loaded image display contents of cookie PROM in hex
Copy a file-copy [-b <buffer_size>] <src_file> <dst_file>
Delete file(s)-delete <filenames ...>
List files in directories-dir <directory> dis dnld format frame fsck help history meminfo display instruction stream serial download a program module
Format a filesystem-format <filessystem> print out a selected stack frame
Check filesystem consistency-fsck <filesystem> monitor builtin command help monitor command history main memory information
400
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
ROM Monitor
ROM Monitor Commands for 860VAE ISRs mkdir more rename repeat reset rmdir set stack sync sysret tftpdnld unalias unset xmodem
Create dir(s)-mkdir <dirnames ...>
Concatenate (type) file(s)-cat <filenames ...>
Rename a file-rename <old_name> <new_name> repeat a monitor command system reset
Remove a directory display the monitor variables produce a stack trace write monitor environment to NVRAM print out info from last system return tftp image download unset an alias unset a monitor variable x/ymodem image download
ROM Monitor Commands for 860VAE ISRs
Cisco 866VAE, 867VAE, 866VAE-K9, and 867VAE-K9 ISRs support the following ROM monitor commands.
Enter ? or help at the ROM monitor prompt to display a list of available commands and options, as follows: rommon 1 > ?
alias set and display aliases command boot confreg delete boot up an external process configuration register utility
Delete file(s)-delete <filenames ...> dev dir format help history meminfo repeat
List the device table
List files in directories-dir <directory>
Format a filesystem-format <filessystem> monitor builtin command help monitor command history main memory information repeat a monitor command reset set showmon sync tftpdnld unalias unset system reset display the monitor variables display currently selected ROM monitor write monitor environment to NVRAM tftp image download unset an alias unset a monitor variable
Commands are case sensitive. You can halt any command by pressing the Break key on a terminal. If you are using a PC, most terminal emulation programs halt a command when you press the Ctrl and the Break keys at the same time. If you are using another type of terminal emulator or terminal emulation software, see the documentation for that product for information on how to send a Break command.
ROM Monitor Command Descriptions
The table below describes the most commonly used ROM monitor commands.
Table 43: Commonly Used ROM Monitor Commands
Command
help or ?
Description
Displays a summary of all available ROM monitor commands.
Cisco 800 Series Integrated Services Routers Software Configuration Guide
401 OL-31704-02
ROM Monitor
Disaster Recovery with TFTP Download
Command
-?
reset or i
dir device: boot commands b b flash: [filename]
Description
Displays information about command syntax; for example: rommon 16 > dis -?
usage : dis [addr] [length]
The output for this command is slightly different for the xmodem download command: rommon 11 > xmodem -?
xmodem: illegal option -- ?
usage: xmodem [-cyrxu] <destination filename>
-c CRC-16
-y ymodem-batch protocol
-r copy image to dram for launch
-x do not launch on download completion
-u upgrade ROMMON, System will reboot after upgrade
Resets and initializes the router, similar to a power up.
Lists the files on the named device; for example, flash memory files: rommon 4 > dir flash:
Directory of flash:/
2 -rwx 10283208 <date> c880-advsecurityk9-mz
9064448 bytes available (10289152 bytes used)
For more information about the ROM monitor boot commands, see the Cisco IOS Configuration
Fundamentals and Network Management Guide .
Boots the first image in flash memory.
Attempts to boot the image directly from the first partition of flash memory. If you do not enter a filename, this command will boot this first image in flash memory.
Disaster Recovery with TFTP Download
The standard way to load new software on your router is to use the copy tftp flash privileged EXEC command from the Cisco IOS software command-line interface (CLI). However, if the router is unable to boot Cisco
IOS software, you can load new software while in ROM monitor mode.
This section describes how to load a Cisco IOS software image from a remote TFTP server to the router flash memory. Use the tftpdnld command only for disaster recovery, because it erases all existing data in flash memory before downloading a new software image to the router.
402
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
ROM Monitor
TFTP Download Command Variables
TFTP Download Command Variables
This section describes the system variables that can be set in ROM monitor mode and that are used during the TFTP download process. There are both required variables and optional variables.
Note The commands described in this section are case sensitive and must be entered exactly as shown.
Required Variables
These variables must be set with these commands before you use the tftpdnld command:
Variable
IP address of the router.
Command
IP_ADDRESS= ip_address
Subnet mask of the router.
IP address of the default gateway of the router.
IP_SUBNET_MASK= ip_address
DEFAULT_GATEWAY= ip_address
IP address of the TFTP server from which the software will be downloaded.
TFTP_SERVER= ip_address
Name of the file that will be downloaded to the router.
TFTP_FILE= filename
Optional Variables
These variables can be set with these commands before using the tftpdnld command:
Variable Command
Configures how the router displays file download progress.
0—No progress is displayed.
1—Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
2—Detailed progress is displayed during the file download process; for example:
TFTP_VERBOSE= setting
• Initializing interface.
• Interface link state up.
• ARPing for 1.4.0.1
• ARP reply for 1.4.0.1 received. MAC address
00:00:0c:07:ac:01
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
403
ROM Monitor
Using the TFTP Download Command
Variable Command
Number of times the router attempts ARP and TFTP download. The default is 7.
TFTP_RETRY_COUNT= retry_times
Length of time, in seconds, before the download process times out. The default is 2,400 seconds (40 minutes).
TFTP_TIMEOUT= time
Whether or not the router performs a checksum test on the downloaded image:
1—Checksum test is performed.
0—No checksum test is performed.
TFTP_CHECKSUM=setting
Using the TFTP Download Command
To download a file through TFTP perform these steps in ROM monitor mode
SUMMARY STEPS
1. Use the appropriate commands to enter all the required variables and any optional variables described in preceding sections.
2. Enter the tftpdnld command as follows:
3. If you are sure that you want to continue, enter y in response to the question in the output:
DETAILED STEPS
Step 1
Step 2
Use the appropriate commands to enter all the required variables and any optional variables described in preceding sections.
Enter the tftpdnld command as follows:
Example: rommon 1 > tftpdnld -r
Note The -r variable is optional. Entering this variable downloads and boots the new software but does not save the software to flash memory. You can then use the image that is in flash memory the next time you enter the reload command.
You will see output similar to the following:
Example:
IP_ADDRESS: 10.3.6.7
IP_SUBNET_MASK: 255.255.0.0
DEFAULT_GATEWAY: 10.3.0.1
TFTP_SERVER: 192.168.254.254
404
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
ROM Monitor
Configuration Register
Step 3
TFTP_FILE: c880-advsecurityk9-mz
Do you wish to continue? y/n: [n]:
If you are sure that you want to continue, enter y in response to the question in the output:
Example:
Do you wish to continue? y/n: [n]: y
The router begins to download the new file.
If you mistakenly entered yes, you can enter Ctrl-C or Break to stop the transfer before the flash memory is erased.
Configuration Register
The virtual configuration register is in nonvolatile RAM (NVRAM) and has the same functionality as other
Cisco routers. You can view or modify the virtual configuration register from either the ROM monitor or the operating system software. Within the ROM monitor, you can change the configuration register by entering the register value in hexadecimal format, or by allowing the ROM monitor to prompt you for the setting of each bit.
Changing the Configuration Register Manually
To change the virtual configuration register from the ROM monitor manually, enter the confreg command followed by the new value of the register in hexadecimal format, as shown in the following example: rommon 1 > confreg 0x2101
You must reset or power cycle for new config to take effect rommon 2 >
The value is always interpreted as hexadecimal. The new virtual configuration register value is written into
NVRAM but does not take effect until you reset or reboot the router.
Changing the Configuration Register Using Prompts
Entering the confreg command without an argument displays the contents of the virtual configuration register and a prompt to alter the contents by describing the meaning of each bit.
In either case, the new virtual configuration register value is written into NVRAM but does not take effect until you reset or reboot the router.
The following display shows an example of entering the confreg command: rommon 7> confreg
Configuration Summary enabled are: console baud: 9600 boot: the ROM Monitor do you wish to change the configuration? y/n [n]: y enable “diagnostic mode”? y/n [n]: y enable “use net in IP bcast address”? y/n [n]:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
405 OL-31704-02
ROM Monitor
Console Download enable “load rom after netboot fails”? y/n [n]: enable “use all zero broadcast”? y/n [n]: enable “break/abort has effect”? y/n [n]: enable “ignore system config info”? y/n [n]: change console baud rate? y/n [n]: y enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400 [0]: 0 change the boot characteristics? y/n [n]: y enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system
[0]: 0
Configuration Summary enabled are: diagnostic mode console baud: 9600 boot: the ROM Monitor do you wish to change the configuration? y/n [n]:
You must reset or power cycle for new config to take effect
Console Download
You can use console download, which is a ROM monitor function, to download either a software image or a configuration file over the router console port. After download, the file is either saved to the mini-flash memory module or to main memory for execution (image files only).
Use console download when you do not have access to a TFTP server.
Note If you want to download a software image or a configuration file to the router over the console port, you must use the ROM monitor dnld command.
Note If you are using a PC to download a Cisco IOS image over the router console port at 115,200 bps, ensure that the PC serial port is using a 16550 universal asynchronous transmitter/receiver (UART). If the PC serial port is not using a 16550 UART, we recommend using a speed of 38,400 bps or less when downloading a Cisco IOS image over the console port.
The following are the syntax and descriptions for the xmodem console download command:
xmodem [-cyrx] destination_file_name c Optional. Performs the download using 16-bit cyclic redundancy check (CRC-16) error checking to validate packets. Default is 8-bit CRC.
406
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
ROM Monitor
Error Reporting y r x destination_file_name
Optional. Sets the router to perform the download using Ymodem protocol. The default is Xmodem protocol. The protocols differ as follows:
• Xmodem supports a 128-block transfer size.
Ymodem supports a 1024-block transfer size.
• Ymodem uses CRC-16 error checking to validate each packet. Depending on the device that the software is being downloaded from, this function might not be supported by Xmodem.
Optional. Image is loaded into DRAM for execution.
The default is to load the image into flash memory.
Optional. Image is loaded into DRAM without being executed.
Name of the system image file or the system configuration file. In order for the router to recognize it, the name of the configuration file must be
router_confg.
Follow these steps to run Xmodem:
Step 1Move the image file to the local drive where Xmodem will execute.
Step 2Enter the xmodem command.
Error Reporting
Because the ROM monitor console download uses the console to perform the data transfer, when an error occurs during a data transfer, error messages are only displayed on the console once the data transfer is terminated.
If you have changed the baud rate from the default rate, the error message is followed by a message telling you to restore the terminal to the baud rate specified in the configuration register.
ROM Monitor Debug Commands
Most ROM monitor debugging commands are functional only when Cisco IOS software has crashed or is halted. If you enter a debugging command and Cisco IOS crash information is not available, you see the following error message:
"xxx: kernel context state is invalid, can not proceed."
The following are ROM monitor debugging commands:
Cisco 800 Series Integrated Services Routers Software Configuration Guide
407 OL-31704-02
ROM Monitor
ROM Monitor Debug Commands
• stack or k—Produces a stack trace; for example: rommon 6> stack
Stack trace:
PC = 0x801111b0
Frame 00: FP = 0x80005ea8
Frame 01: FP = 0x80005eb4
Frame 02: FP = 0x80005f74
Frame 03: FP = 0x80005f9c
Frame 04: FP = 0x80005fac
Frame 05: FP = 0x80005fc4
PC = 0x801111b0
PC = 0x80113694
PC = 0x8010eb44
PC = 0x80008118
PC = 0x80008064
PC = 0xfff03d70
• context—Displays processor context; for example: rommon 7> context
CPU context of the most recent exception:
PC = 0x801111b0 MSR = 0x00009032 CR = 0x53000035 LR = 0x80113694
CTR = 0x801065e4 XER = 0xa0006d36 DAR = 0xffffffff DSISR = 0xffffffff
DEC = 0xffffffff TBU = 0xffffffff TBL = 0xffffffff IMMR = 0xffffffff
R0 = 0x00000000 R1 = 0x80005ea8 R2 = 0xffffffff R3 = 0x00000000
R4 = 0x8fab0d76 R5 = 0x80657d00 R6 = 0x80570000 R7 = 0x80570000
R8 = 0x00000000 R9 = 0x80570000 R10 = 0x0000954c R11 = 0x00000000
R12 = 0x00000080 R13 = 0xffffffff R14 = 0xffffffff R15 = 0xffffffff
R16 = 0xffffffff R17 = 0xffffffff R18 = 0xffffffff R19 = 0xffffffff
R20 = 0xffffffff R21 = 0xffffffff R22 = 0xffffffff R23 = 0xffffffff
R24 = 0xffffffff R25 = 0xffffffff R26 = 0xffffffff R27 = 0xffffffff
R28 = 0xffffffff R29 = 0xffffffff R30 = 0xffffffff R31 = 0xffffffff
• frame—Displays an individual stack frame.
• sysret—Displays return information from the last booted system image. This information includes the reason for terminating the image, a stack dump of up to eight frames, and, if an exception is involved, the address where the exception occurred; for example: rommon 8> sysret
System Return Info: count: 19, reason: user break pc:0x801111b0, error address: 0x801111b0
Stack Trace:
FP: 0x80005ea8, PC: 0x801111b0
FP: 0x80005eb4, PC: 0x80113694
FP: 0x80005f74, PC: 0x8010eb44
FP: 0x80005f9c, PC: 0x80008118
FP: 0x80005fac, PC: 0x80008064
FP: 0x80005fc4, PC: 0xfff03d70
FP: 0x80005ffc, PC: 0x00000000
FP: 0x00000000, PC: 0x00000000
• meminfo—Displays size in bytes, starting address, available range of main memory, the starting point and size of packet memory, and size of NVRAM; for example: rommon 9> meminfo
Main memory size: 40 MB.
Available main memory starts at 0x10000, size 40896KB
IO (packet) memory size: 5 percent of main memory.
NVRAM size: 32KB
408
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
ROM Monitor
Exiting the ROM Monitor
Exiting the ROM Monitor
You must set the configuration register to a value from 0x2 to 0xF for the router to boot a Cisco IOS image from flash memory upon startup or reloading.
The following example shows how to reset the configuration register and cause the router to boot a Cisco IOS image stored in flash memory: rommon 1 > confreg 0x2101
You must reset or power cycle for new config to take effect: rommon 2 > boot
The router will boot the Cisco IOS image in flash memory. The configuration register will change to 0x2101 the next time the router is reset or power cycled.
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
409
Exiting the ROM Monitor
ROM Monitor
410
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
I N D E X
802.11d
802.11g
802.1H
A
ADSL
configuring
Aironet extensions
antenna
selection
antenna command
ARP
caching
ATM
interface, configuring for PPPoA
authentication
RADIUS
login
TACACS+
login
authorization
with RADIUS
with TACACS+
B backoff
bandwidth
banners
configuring
login
message-of-the-day login
when displayed
beacon dtim-period command
beacon period command
binary synchronous communications
Seebisync
OL-31704-02 bisync (binary synchronous communicatons), primary and secondary roles
blocking communication between clients
bridge-group command
C carrier busy test
CHAP
ppp
Cisco 2500 series routers, low-speed serial interfaces
Cisco 2520 to Cisco 2523 routers
synchronous or asynchronous, setting
client ARP caching
client communication, blocking
client power level, limiting
clocks
internal, enabling
signal, inverting
command-line access to router
configuration example
commands
168, 186, 191, 195, 196, 199, 201, 203, 204, 205, 206, 207, 208,
antenna
beacon dtim-period
beacon period
bridge-group
dot11 extension aironet
dot11 interface-number carrier busy
fragment-threshold
interface dot11radio
ip domain-name
packet retries
payload-encapsulation
power client
power local
rts retries
rts threshold
setting privilege levels
show dsl interface atm
slot-time-short
Cisco 800 Series Integrated Services Routers Software Configuration Guide
IN-1
Index commands (continued) speed
switchport protected
world-mode
commands station role
compression
HDLC
configuration examples
command-line access
DHCP server
dynamic routes
EIGRP
PPPoA with NAT
PPPoE with NAT
static route
configuration prerequisites
configuring
21, 22, 39, 41, 42, 45, 76, 193, 300, 301, 303, 318, 329
RIP
DHCP server
dialer interface
dynamic routes
EIGRP, IP
Fast Ethernet WAN interface
global parameters
IP EIGRP
loopback interface
NATNAT
configuring with PPPoA
PPPoE with NAT
RIP
static routes
VLANs
WAN interface
connections, secure remote
corporate network, connecting to
crypto software image
D
Data Beacon Rate
data rate setting
data retries
default configuration
DNS
RADIUS
TACACS+
default configuration, viewing
delivery traffic indication message (DTIM)
DHCP
configuring DHCP server
IP address assignment
DHCP server
configuration example
configuring access point as
configuring router as
verify configuration
dialer interface
configuring
diversity
DNS
default configuration
displaying the configuration
overview
setting up
Domain Name System
See DNS
domain names
DNS
dot11 extension aironet command
dot11 interface-number carrier busy command
DSL signaling protocol
DTIM
DTR (data terminal ready)
signal pulsingMCI interface card
pulsing DTR signal onserial interfaces
DTR signal pulsing
duplex, Ethernet port
dynamic routes
configuration example
configuring
E
EIGRP
configuration example
enable secret password
encapsulation method
encapsulations
ATM-DXI
synchronous serialencapsulations
HDLCHDLC
encapsulation, default for serial interfaces
encrypted software image
encryption for passwords
Ethernet speed and duplex settings
F fallback role
Fast Ethernet WAN interface, configuring
fragment-threshold command
fragmentation threshold
IN-2
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Index
Frame Relay
serial interfaces
K key features
G gain
global parameters, setting up
H half-duplex DCE state machine
constant carrier mode
controlled-carrier mode
receive (figure)
transmit (figure)
half-duplex DTE state machine
receive (figure)
transmit
transmit (figure)
half-duplex timer command
half-duplex timer cts-delay command
half-duplex timer cts-drop-timeout command
half-duplex timer dcd-drop-delay command
half-duplex timer dcd-txstart-delay command
half-duplex timer rts-drop-delay command
half-duplex timer rts-timeout command
half-duplex timer transmit-delay command
half-duplex timers, tuning
HDLC (High Level Data Link Control)
compression
L
LAN with DHCP and VLANs, configuring
LCP (Link Control Protocol)
limiting client power level
line coding, NRZI
Local Management Interface (LMI)
login authentication
with RADIUS
with TACACS+
login banners
loopback interface, configuring
M maximum data retries
Maximum RTS Retries
MCS rates
media-type half-duplex command
message-of-the-day (MOTD)
messages
to users through banners
mode (role)
mode button
disabling
enabling
Multiprotocol Label Switching control processor (MPLSCP)
I inter-client communication, blocking
interface dot11radio command
interface port labels (table)
interfaces
151, 157, 158, 159, 161, 162, 163, 164
configuration (examples)
low-speed serial
async commands supported
configuring
constant-carrier mode
half-duplex DCE state machine
half-duplex DTE state machine
sync commands supported
synchronous or asynchronous, setting
synchronous serial
internal clock, enabling
ip domain-name command
IP routing, setting up
OL-31704-02
N
NAT
configuration example
configuring with PPPoE
Network Control Protocols (NCPs)
NRZI (nonreturn to zero inverted)
encoding
P packet retries command
packet size (fragment)
parameters, setting up global
passwords
encrypting
overview
Cisco 800 Series Integrated Services Routers Software Configuration Guide
IN-3
Index passwords (continued) setting
enable
enable secret
with usernames
payload-encapsulation command
point-to-multipoint bridging
multiple VLAN and rate limitingrate limiting
configuring for non-root bridgemultiple VLAN
configuring for non-root bridge
port labels for interfaces
ports, protected
power client command
power level
on client devices
power local command
power-save client device
PPP
MS-CHAP
ppp
PAP
authentication
serial interface
ppp authentication command
PPPoA, configuration example
PPPoE
configuration example
configuring
verifying your configuration
prerequisites, for configuration
preventing unauthorized access
privilege levels
logging into
overview
setting a command with
protected ports
Public Secure Packet Forwarding (PSPF)
pulse-time command
R radio
activity
congestion
interface
preamble
RADIUS
configuring
authentication
authorization
default configuration
defining AAA server groups
RADIUS (continued) displaying the configuration
limiting the services to the user
Remote Authentication Dial-In User Service
See RADIUS
request to send (RTS)
restricting access
overview
passwords and privilege levels
RADIUS
TACACS+
RFC
1042
RIP
configuring
roaming
role (mode)
role in radio network
rts retries command
RTS threshold
rts threshold command
S sample configuration
sdlc cts-delay command
See half-duplex timer command
sdlc rts-timeout command
See half-duplex timer command
secure remote connections
Secure Shell
See SSH
serial interface
link state
PPP encapsulation
serial interfaces
configuring
low-speed
synchronous
encapsulation
supporting cards
transmit delaytransmit delay, serial interface
serial line, encapsulation
serial, low-speed
DTE, transmit
short slot time
show controllers command
show dsl interface atm command
show process cpu command
signals, pulsing DTR
Simple Network Time Protocol
See SNTP
IN-4
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
Index slot-time-short command
SNTP
overview
software compression
HDLC
LAPB
PPP
speed command
SSH
configuring
crypto software image
described
displaying settings
Stacker compressor
static routes
configuration
configuration example
configuring
station role command
switchport protected command
synchronous serial interface
encapsulation methods
overview
system clock
configuring
manually
displaying the time and date
system name
manual configuration
See also DNS [system name
zzz]
system prompt
default setting
T
TACACS+
configuring
authorization
login authentication
default configuration
displaying the configuration
TACACS+ (continued) limiting the services to the user
TCP/IP-oriented configuration
Terminal Access Controller Access Control System Plus
See TACACS+
time
See SNTP and system clock
transmit clock, inverting
transmitter-delay command
U unauthorized access
universal workgroup bridge
username-based authentication
V verify
DHCP server configuration
PPPoE with NAT configuration
VLAN configuration
viewing default configuration
virtual private dialup network group number, configuring
VLANs
configuring
verify configuration
VPDN group number, configuring
W
WAN interface, configuring
Wi-Fi Protected Access (WPA)
workgroup bridge
maximum number of clients allowed
world mode
world mode roamingworld mode
always on setting
world-mode command
OL-31704-02
Cisco 800 Series Integrated Services Routers Software Configuration Guide
IN-5
Index
IN-6
Cisco 800 Series Integrated Services Routers Software Configuration Guide
OL-31704-02
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement
Table of contents
- 1 Cisco 800 Series Integrated Services Routers Software Configuration Guide
- 3 Contents
- 23 Preface
- 23 Audience
- 23 Document Organization
- 25 Document Conventions
- 26 Related Documentation
- 27 Obtaining Documentation and Submitting a Service Request
- 29 Product Overview
- 29 Information About Cisco 800 Series ISRs
- 29 Cisco 860 Series ISRs
- 30 Features of Cisco 860 Series ISRs
- 30 4-port 10/100 FE LAN Switch of Cisco 860 Series ISRs
- 30 Security Features for Cisco 860 Series ISRs
- 30 802.11n Wireless LAN Option for Cisco 860 Series ISRs
- 30 Features of Cisco 860VAE Series ISRs
- 30 General Features of Cisco 860 VAE Series Routers
- 32 Interfaces of Cisco 860 VAE Series ISRs
- 33 IOS Images for Cisco 860 VAE Series ISRs
- 33 Cisco 880 Series ISRs
- 33 Models of Cisco 880 Series ISRs
- 35 Common Features of Cisco 880 Series ISRs
- 35 4-port 10/100 FE LAN Switch of Cisco 880 Series ISRs
- 35 802.11n Wireless LAN Option of Cisco 880 Series ISRs
- 35 Real-Time Clock of Cisco 880 Series ISRs
- 36 Security Features of Cisco 880 Series ISRs
- 36 Voice Features of Cisco 880 Series ISRs
- 36 Cisco 890 Series ISRs
- 37 8-port 10/100 FE LAN Switch of Cisco 890 Series ISRs
- 37 802.11n Wireless LAN Option of Cisco 890 Series ISRs
- 37 Real-Time Clock of Cisco 890 Series ISRs
- 37 Security Features of Cisco 890 Series ISRs
- 38 Cisco 810 Series ISRs
- 38 Features of Cisco 812 Series ISRs
- 38 3G Features of Cisco 812 Series ISR
- 39 WLAN Features of Cisco 812 Series ISR
- 39 Dual Radio of Cisco 812 Series ISR
- 39 Cleanair Technology of Cisco 812 Series ISR
- 39 Dynamic Frequency Selection of Cisco 812 Series ISR
- 39 Platform Features of Cisco 812 Series ISR
- 40 TFTP with Ethernet WAN Interface Feature of Cisco 812 Series ISR
- 40 SKU Information for Cisco 812 Series ISR
- 40 Features of Cisco 819 Series ISRs
- 40 3G Features of Cisco 819 Series ISRs
- 41 WLAN Features of Cisco 819 Series ISRs
- 41 4G LTE Features of Cisco 819 Series ISRs
- 41 Platform Features of Cisco 819 Series ISRs
- 41 Security Features of Cisco 819 Series ISRs
- 42 SKU Information for Cisco 819 Series ISRs
- 42 Licensing for Cisco 800 Series ISRs
- 42 Selecting Feature Sets for Cisco 800 Series ISRs
- 43 Basic Router Configuration
- 43 Interface Ports
- 44 Default Configuration
- 45 Information Needed for Configuration
- 47 Configuring Command-Line Access
- 49 Configuring Global Parameters
- 50 Configuring WAN Interfaces
- 50 Configuring a Gigabit Ethernet WAN Interface
- 51 Configuring the Cellular Wireless WAN Interface
- 52 Prerequisites for Configuring the 3G Wireless Interface
- 52 Restrictions for Configuring the Cellular Wireless Interface
- 53 Data Account Provisioning
- 53 Verifying Signal Strength and Service Availability
- 54 Configuring a GSM Modem Data Profile
- 55 CDMA Modem Activation and Provisioning
- 57 Configuring a Cellular Interface
- 59 Configuring DDR
- 61 Examples for Configuring Cellular Wireless Interfaces
- 62 Basic Cellular Interface Configuration
- 62 Tunnel over Cellular Interface Configuration
- 63 Configuration for 8705 modem
- 63 Configuring Dual SIM for Cellular Networks
- 65 Configuring Router for Image and Config Recovery Using Push Button
- 66 Output When Button Is Not Pushed: Example
- 66 Output When Button Is Pushed: Example
- 67 Push Button in WLAN AP
- 67 Configuring the Fast Ethernet LAN Interfaces
- 67 Configuring a Loopback Interface
- 69 Configuring Static Routes
- 70 Configuring Dynamic Routes
- 70 Configuring Routing Information Protocol
- 73 Configuring Enhanced Interior Gateway Routing Protocol
- 75 Configuring Ethernet CFM and Y.1731 Performance Monitoring on Layer 3 Interfaces
- 75 Configuring a Network Interface Device on the L3 Interface
- 75 Configuring the NID
- 77 Configuration Example
- 77 Verifying the NID Configuration
- 78 Troubleshooting the NID Configuration
- 78 Ethernet Data Plane Loopback
- 79 Restrictions for Configuring Ethernet Data Plane Loopback
- 80 Configuring External Ethernet Data Plane Loopback
- 82 Configuration Examples for Ethernet Data Plane Loopback
- 82 Verifying the Ethernet Data Plane Loopback Configuration
- 83 Troubleshooting the Ethernet Data Plane Loopback Configuration
- 84 CFM Support on Routed Port and Port MEP
- 84 Restrictions for Configuring Ethernet CFM
- 85 Configuring Ethernet CFM (Port MEP)
- 87 Configuration Example for Ethernet CFM (Port MEP)
- 87 Verifying the Ethernet CFM Configuration on a Port MEP
- 89 Configuring Ethernet CFM (Single-Tagged Packets)
- 91 Configuration Example for Ethernet CFM (Single-Tagged Packets)
- 91 Verifying the Ethernet CFM Configuration for Single-Tagged Packets
- 93 Configuring Ethernet CFM (Double-Tagged Packets)
- 96 Configuration Example for Ethernet CFM (Double-Tagged Packets)
- 96 Verififying the Ethernet CFM Configuration for Double-Tagged Packets
- 98 Troubleshooting Ethernet CFM Configuration
- 99 Support for Y.1731 Performance Monitoring on Routed Port (L3 Subinterface)
- 99 Frame Delay
- 99 Restrictions for Configuring Two-Way Delay Measurement
- 100 Configuring Two-Way Delay Measurement
- 101 Configuration Examples for Two-Way Delay Measurement
- 102 Verifying Two-Way Delay Measurement Configuration
- 104 Troubleshooting Two-Way Delay Measurement Configuration
- 107 Configuring Power Management
- 107 Monitoring Power Usage with EnergyWise
- 107 Configuring Power-over-Ethernet
- 107 Enabling/Disabling Power-over-Ethernet
- 108 Verifying the Power-over-Ethernet Configuration on the Interface
- 109 Configuring Security Features
- 109 Authentication, Authorization, and Accounting
- 110 Configuring AutoSecure
- 110 Configuring Access Lists
- 111 Access Groups
- 111 Configuring Cisco IOS Firewall
- 112 Configuring Cisco IOS IPS
- 112 URL Filtering
- 113 Configuring VPN
- 115 Configuring a VPN over an IPSec Tunnel
- 115 Configuring the IKE Policy
- 117 Configuring Group Policy Information
- 118 Applying Mode Configuration to the Crypto Map
- 118 Enabling Policy Lookup
- 119 Configuring IPSec Transforms and Protocols
- 120 Configuring the IPSec Crypto Method and Parameters
- 121 Applying the Crypto Map to the Physical Interface
- 122 Creating a Cisco Easy VPN Remote Configuration
- 125 Configuring a Site-to-Site GRE Tunnel
- 129 Configuring Backup Data Lines and Remote Management
- 130 Configuring Backup Interfaces
- 131 Configuring Cellular Dial-on-Demand Routing Backup
- 131 Configuring DDR Backup Using Dialer Watch
- 133 Configuring DDR Backup Using Floating Static Route
- 134 Cellular Wireless Modem as Backup with NAT and IPsec Configuration
- 137 Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
- 141 Example for specifying an IP address for the ATM interface through PPP and IPCP address negotiation and dial backup
- 143 Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
- 146 Configuring ISDN Settings
- 148 Configuring Aggregator and ISDN Peer Router
- 149 Configuring Gigabit Ethernet Failover Media
- 150 Configuring Auto-Detect
- 151 Configuring Third-Party SFPs
- 154 Example for Configuring Third-Party SFPs
- 155 Configuring Ethernet Switches
- 155 Switch Port Numbering and Naming
- 156 Restrictions for the FE Switch
- 156 Ethernet Switches
- 156 VLANs and VLAN Trunk Protocol
- 156 Inline Power
- 156 Layer 2 Ethernet Switching
- 156 802.1x Authentication
- 157 Spanning Tree Protocol
- 157 Cisco Discovery Protocol
- 157 Switched Port Analyzer
- 157 IGMP Snooping
- 158 Storm Control
- 158 Overview of SNMP MIBs
- 158 BRIDGE-MIB for Layer 2 Ethernet Switching
- 159 MAC Address Notification
- 159 Configuring Ethernet Switches
- 160 Configuring VLANs
- 160 VLANs on the FE and GE Switch Ports
- 161 VLANs on the GE Port and GE ESW Port of Wireless APs
- 162 Configuring Layer 2 Interfaces
- 162 Configuring 802.1x Authentication
- 162 Configuring Spanning Tree Protocol
- 163 Configuring MAC Table Manipulation
- 163 Configuring Cisco Discovery Protocol
- 164 Configuring the Switched Port Analyzer
- 164 Configuring Power Management on the Interface
- 164 Configuring IP Multicast Layer 3 Switching
- 164 Configuring IGMP Snooping
- 165 Configuring Per-Port Storm Control
- 165 Configuring Separate Voice and Data Subnets
- 165 Managing the Switch
- 167 Configuring Voice Functionality
- 167 Voice Ports
- 168 Analog and Digital Voice Port Assignments
- 168 Voice Port Configuration
- 168 Call Control Protocols
- 168 SIP
- 169 MGCP
- 169 H.323
- 169 Dial Peer Configuration
- 169 Other Voice Features
- 169 Real-Time Transport Protocols
- 170 Dual Tone Multi Frequency Relay
- 170 CODECs
- 170 SCCP-Controlled Analog Ports with Supplementary Features
- 171 Fax Services
- 171 Fax Pass-Through
- 171 Cisco Fax Relay
- 171 T.37 Store-and-Forward Fax
- 171 T.38 Fax Relay
- 171 Unified Survival Remote Site Telephony
- 172 Verification of Voice Configuration
- 173 Configuring the Serial Interface
- 173 Configuring the Serial Interface
- 174 Legacy Protocol Transport
- 175 Configuring Serial Interfaces
- 175 Cisco HDLC Encapsulation
- 175 PPP Encapsulation
- 176 Multilink PPP
- 177 Keepalive Timer
- 177 Frame Relay Encapsulation
- 178 LMI on Frame Relay Interfaces
- 178 Configuring Serial Interfaces
- 179 Configuring a Synchronous Serial Interface
- 179 Specifying a Synchronous Serial Interface
- 179 Specifying Synchronous Serial Encapsulation
- 180 Configuring PPP
- 180 Configuring Bisync
- 180 Configuring Compression of HDLC Data
- 181 Using the NRZI Line-Coding Format
- 182 Enabling the Internal Clock
- 182 Inverting the Transmit Clock Signal
- 183 Setting Transmit Delay
- 183 Configuring DTR Signal Pulsing
- 184 Ignoring DCD and Monitoring DSR as Line Up/Down Indicator
- 184 Specifying the Serial Network Interface Module Timing
- 185 Specifying the Serial Network Interface Module Timing
- 185 Configuring Low-Speed Serial Interfaces
- 185 Half-Duplex DTE and DCE State Machines
- 186 Half-Duplex DTE State Machines
- 187 Half-Duplex DCE State Machines
- 189 Placing a Low-Speed Serial Interface in Constant-Carrier Mode
- 190 Tuning Half-Duplex Timers
- 190 Changing Between Synchronous and Asynchronous Modes
- 191 Changing Between Synchronous and Asynchronous Modes
- 192 Examples for Interface Enablement Configuration
- 192 Examples for Low-Speed Serial Interface
- 192 Examples for Synchronous or Asynchronous Mode
- 193 Example for Half-Duplex Timers
- 195 Configuring Wireless Devices
- 195 Wireless Device Overview
- 195 Software Modes for Wireless Devices
- 196 Management Options for Wirelss Device
- 196 Root Access Point
- 197 Central Unit in an All-Wireless Network
- 198 Cisco ScanSafe
- 199 TFTP support with Ethernet WAN interface
- 199 LEDs for Cisco 819 Series ISRs
- 202 Basic Wireless Configuration for Cisco 800 Series ISR
- 202 Starting a Wireless Configuration Session
- 204 Closing the Session
- 205 Configuring Wireless Settings
- 205 Cisco Express Setup
- 205 Cisco IOS Command Line Interface
- 205 Configuring the Radio
- 206 Configuring Wireless Security Settings
- 206 Configuring Authentication
- 206 Configuring WEP and Cipher Suites
- 207 Configuring Wireless VLANs and Assigning SSIDs
- 209 Configuring Wireless Quality of Service
- 209 Configuring the Access Point in Hot Standby Mode
- 210 Upgrading to Cisco Unified Software
- 210 Preparing for the Upgrade
- 210 Secure an IP Address on the Access Point
- 210 Example Configuration: Secure an IP Address on the Access Point
- 210 Confirm that the Mode Setting is Enabled
- 211 Performing the Upgrade
- 211 Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode
- 212 Downgrading the Software on the Access Point
- 212 Recovering Software on the Access Point
- 212 Related Documentation
- 214 Configuring Radio Settings
- 214 Enabling the Radio Interface
- 215 Wireless Device Roles in a Radio Network
- 216 Configuring the Wireless Device Roles in a Radio Network
- 217 Configuring Dual-Radio Fallback
- 217 Radio Tracking
- 217 Fast Ethernet Tracking
- 218 MAC-Address Tracking
- 218 Overview of Radio Data Rates
- 219 Configuring Radio Data Rates
- 221 Configuration Example: Configuring Radio Data Rates
- 221 Configuring MCS Rates
- 223 Configuration Example: MCS Rates
- 223 Configuring Radio Transmit Power
- 224 Limiting the Power Level for Associated Client Devices
- 225 Configuring Radio Channel Settings
- 226 Configuring Wireless Channel Width
- 227 Enabling and Disabling World Mode
- 227 Enabling World Mode
- 228 Disabling and Enabling Short Radio Preambles
- 228 Disabling Short Radio Preambles
- 229 Transmit and Receive Antennas
- 229 Configuring Transmit and Recieve Antennas
- 230 Disabling and Enabling Aironet Extensions
- 231 Disabling Aironet Extensions
- 232 Ethernet Encapsulation Transformation Method
- 232 Configuring the Ethernet Encapsulation Transformation Method
- 233 Enabling and Disabling Public Secure Packet Forwarding
- 233 Configuring Public Secure Packet Forwarding
- 234 Configuring Protected Ports
- 235 Beacon Period and the DTIM
- 235 Configuring the Beacon Period and the DTIM
- 236 RTS Threshold and Retries
- 236 Configuring RTS Threshold and Retries
- 237 Maximum Data Retries
- 237 Configuring the Maximum Data Retries
- 238 Configuring the Fragmentation Threshold
- 238 Configuring the Fragment Threshold
- 239 Enabling Short Slot Time for 802.11g Radios
- 239 Performing a Carrier Busy Test
- 239 Configuring VoIP Packet Handling
- 240 Configuring WLAN
- 240 Configuring WLAN Using the Web-based Interface
- 240 Connecting to the Web-based WLAN Interface
- 241 Address for Accessing Web-based Interface
- 241 DHCP Server Configuration
- 241 Subnet
- 241 Displaying Device Information
- 241 Displaying Connection Statistics
- 241 Configuring Access to the Web-based Interface
- 242 Configuring Basic Wireless Settings
- 243 Configuring Security
- 243 Configuring MAC Filtering
- 243 Configuring Advanced Wireless Settings
- 246 Station Information
- 246 Configuring the Password for Connecting to the Web-based Interface
- 247 Saving the Wireless LAN Configuration to a File
- 247 Loading a Wireless LAN Configuration File
- 247 Restoring the Default Configuration
- 247 Configuring WLAN Using the CLI-based Interface
- 247 WLAN CLI Interface
- 248 Displaying Command Information for WLAN CLI
- 248 Example : Displaying Command Information for WLAN CLI
- 248 Connecting to the WLAN CLI Interface
- 248 Example: Configuring a Loopback Interface
- 249 Example: Accessing WLAN CLI Using Telnet Through the Loopback Interface
- 249 Exiting from the WLAN CLI Interface
- 249 Setting the IP Address for the Web-based Interface
- 250 Enabling and Disabling WLAN
- 250 Configuring the Main SSID
- 251 Configuring Guest SSIDs
- 252 Enabling and Disabling Guest SSIDs
- 252 Hiding an Access Point
- 253 Enabling and Disabling Client Isolation
- 254 Enabling and Disabling WMM Advertise
- 255 Enabling and Disabling Wireless Multicast Forwarding (WMF)
- 256 Configuring the Global Maximum Number of Clients
- 256 Configuring the Maximum Number of Clients for an SSID
- 257 Configuring Authentication Options
- 261 Configuring Encryption Options
- 264 Configuring the MAC Address Filter Access List
- 265 Configuring the MAC Address Filter Mode
- 265 Configuring Radio Channel
- 266 Configuring 802.11n Options
- 268 Configuring the 54g Mode
- 269 Configuring the 54g Preamble Type
- 270 Configuring the 54g Rate
- 271 Configuring 54g Protection
- 271 Configuring the Multicast Rate
- 272 Configuring the Basic Rate
- 273 Configuring the Fragmentation Threshold
- 274 Configuring the RTS Threshold
- 274 Configuring the DTIM Interval
- 275 Configuring the Beacon Interval
- 275 Configuring the Radio Transmit Power
- 276 Configuring WMM Options
- 277 Displaying Current CLI Values and Keywords
- 278 Displaying Current Channel and Power Information
- 280 Displaying Current Associated Clients
- 281 Displaying the SSID to BSSID Mapping
- 282 Displaying the Tx/Rx Statistics
- 282 Displaying the BVI 1 Interface Details
- 283 Displaying Dot11Radio 0 Interface Information
- 284 Example: Displaying Dot11Radio 0 Interface Information
- 284 Displaying Brief Details for All Interfaces
- 284 Displaying CPU Statistics
- 285 Example: Displaying CPU Statistics
- 285 Showing a Summary of Memory Usage
- 286 Pinging an Address
- 286 Changing the Administrator Password
- 287 Configuring the Number of Lines on Screen
- 287 Administering the Wireless Device
- 287 Securing Access to the Wireless Device
- 287 Disabling the Mode Button Function
- 288 Dispaying the mode-button status
- 288 Preventing Unauthorized Access to Your Access Point
- 289 Protecting Access to Privileged EXEC Commands
- 289 Configuring Default Password and Privilege Level
- 289 Setting or Changing a Static Enable Password
- 290 Configuration Example: Changing a Static Enable Password
- 290 Protecting Enable and Enable Secret Passwords with Encryption
- 292 Configuration Example: Enable Secret Passwords
- 292 Configuring Username and Password Pairs
- 293 Configuring Multiple Privilege Levels
- 295 Configuring Multiple Privilege Levels
- 295 Controlling Access Point Access with RADIUS
- 296 RADIUS Configuration
- 296 Configuring RADIUS Login Authentication
- 297 Defining AAA Server Groups
- 299 Configuration Example: AAA Group
- 300 Configuring RADIUS Authorization for User Privileged Access and Network Services
- 301 Displaying the RADIUS Configuration
- 301 Controlling Access Point Access with TACACS+
- 301 Default TACACS+ Configuration
- 302 Configuring TACACS+ Login Authentication
- 303 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
- 304 Displaying the TACACS+ Configuration
- 304 Administering the Access Point Hardware and Software
- 304 Administering the Wireless Hardware and Software
- 305 Resetting the Wireless Device to the Factory Default Configuration
- 305 Rebooting the Wireless Device
- 305 Monitoring the Wireless Device
- 306 Managing the System Time and Date
- 306 Understanding Simple Network Time Protocol
- 306 Configuring SNTP
- 307 Time and Date Manual Configuration
- 309 Example Configuration : Time and Date
- 309 Configuring a System Name and Prompt
- 310 Configuring a System Name
- 310 Understanding DNS
- 313 Creating a Banner
- 313 Configuring a Message-of-the-Day Login Banner
- 314 Example: Configuring a MOTD Banner
- 314 Configuring a Login Banner
- 315 Example Configuration: Login Banner
- 315 Administering Wireless Device Communication
- 315 Configuring Ethernet Speed and Duplex Settings
- 316 Configuring the Access Point for Wireless Network Management
- 317 Configuring the Access Point for Local Authentication and Authorization
- 318 Configuring the Authentication Cache and Profile
- 319 Example Configuration: Authentication Cache and Profile
- 321 Configuring the Access Point to Provide DHCP Service
- 321 Setting up the DHCP Server
- 323 Monitoring and Maintaining the DHCP Server Access Point
- 324 Configuring the Access Point for Secure Shell
- 324 Understanding SSH
- 324 Configuring SSH
- 325 Client ARP Caching
- 325 Understanding Client ARP Caching
- 325 Configuring Client ARP Caching
- 326 Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging
- 327 Configuring PPP over Ethernet with NAT
- 328 Overview
- 328 PPPoE
- 329 NAT
- 329 Configuration Tasks
- 329 Configure the Virtual Private Dialup Network Group Number
- 330 Configure Ethernet WAN Interfaces
- 331 Configure the Dialer Interface
- 333 Configure Network Address Translation
- 336 Configuration Example
- 337 Verifying Your Configuration
- 339 Configuring PPP over ATM with NAT
- 339 Overview
- 341 Configure the Dialer Interface
- 343 Configure the ATM WAN Interface
- 344 Configure DSL Signaling Protocol
- 344 Configuring ADSL
- 345 Verifying the Configuration
- 346 Configure Network Address Translation
- 349 Configuration Example
- 350 Verifying Your Configuration with NAT
- 351 Environmental and Power Management
- 351 Environmental and Power Management
- 352 Cisco EnergyWise Support
- 353 4G LTE Wireless WAN
- 353 4G LTE Support on Cisco 800 Series ISRs
- 354 How to Configure Cisco 800 Series 4G LTE ISRs
- 354 Configuration Examples for Cisco 800 Series 4G LTE ISRs
- 354 Example: Basic Cellular Configuration
- 354 Example: Dialer-Watch Configuration without External Dialer Interface
- 355 Example: Dialer-Persistent Configuration with External Dialer Interface
- 355 Example: GRE Tunnel over Cellular Interface Configuration
- 356 Modem Firmware Upgrade
- 356 Troubleshooting
- 356 3G Support on Cisco 880G series ISRs
- 357 Configuring a LAN with DHCP and VLANs
- 357 Configuring a LAN with DHCP and VLANs
- 358 DHCP
- 358 VLANs
- 358 Configuring DHCP and VLANs
- 358 Configuring DHCP
- 360 Configuration Example: DHCP
- 360 Verifying Your DHCP Configuration
- 361 Configuring VLANs
- 362 Assigning a Switch Port to a VLAN
- 362 Verifying Your VLAN Configuration
- 365 Configuring a VPN Using Easy VPN and an IPSec Tunnel
- 365 Configuring a VPN Using Easy VPN and an IPSec Tunnel
- 367 Configuring the IKE Policy
- 369 Configuring Group Policy Information
- 370 Applying Mode Configuration to the Crypto Map
- 371 Enabling Policy Lookup
- 372 Configuring IPSec Transforms and Protocols
- 373 Configuring the IPSec Crypto Method and Parameters
- 374 Applying the Crypto Map to the Physical Interface
- 375 Creating an Easy VPN Remote Configuration
- 377 Verifying Your Easy VPN Configuration
- 377 Configuration Examples for VPN and IPSec
- 379 Configuring Cisco Multimode G.SHDSL EFM/ATM
- 381 Configuring VDSL2 Bonding and Single-Wire Pair
- 381 Restrictions
- 382 Configuring Bonding in Auto Mode
- 382 Configuring Bonding in VDSL2 Mode
- 383 Configuring a Single-Wire Pair on Line 0
- 384 Configuring a Single-Wire Pair on Line 1
- 385 Configuration Examples
- 387 Deployment Scenarios
- 387 About the Deployment Scenarios
- 388 Enterprise Small Branch
- 389 Internet Service and IPSec VPN with 3G
- 390 SMB Applications
- 391 Enterprise Wireless Deployments with LWAPP
- 392 Enterprise Small Branch Office Deployment
- 393 Troubleshooting Cisco 800 Series Routers
- 393 Getting Started
- 393 Before Contacting Cisco or Your Reseller
- 394 ADSL Troubleshooting
- 394 SHDSL Troubleshooting
- 395 VDSL2 Troubleshooting
- 395 show interfaces Troubleshooting Command
- 397 ATM Troubleshooting Commands
- 398 ping atm interface Command
- 398 show atm interface Command
- 399 debug atm Commands
- 399 Guidelines for Using Debug Commands
- 399 debug atm errors Command
- 400 debug atm events Command
- 401 debug atm packet Command
- 402 Software Upgrade Methods
- 402 Recovering a Lost Password
- 402 Change the Configuration Register
- 404 Reset the Router
- 405 Reset the Password and Save Your Changes
- 406 Reset the Configuration Register Value
- 407 Cisco Configuration Professional Express
- 409 Cisco IOS Software Basic Skills
- 409 Configuring the Router from a PC
- 410 Understanding Command Modes
- 412 Getting Help
- 413 Enable Secret Passwords and Enable Passwords
- 414 Entering Global Configuration Mode
- 414 Using Commands
- 415 Abbreviating Commands
- 415 Undoing Commands
- 415 Command-Line Error Messages
- 416 Saving Configuration Changes
- 416 Summary
- 417 Concepts
- 417 ADSL
- 418 SHDSL
- 418 Network Protocols
- 418 IP
- 418 Routing Protocol Options
- 419 RIP
- 419 Enhanced IGRP
- 419 PPP Authentication Protocols
- 420 PAP
- 420 CHAP
- 421 TACACS+
- 421 Network Address Translation
- 421 Easy IP (Phase 1)
- 422 Easy IP (Phase 2)
- 422 Network Interfaces
- 422 Ethernet
- 423 ATM for DSL
- 423 PVC
- 423 Dialer Interface
- 424 Dial Backup
- 424 Backup Interface
- 424 Floating Static Routes
- 424 Dialer Watch
- 424 QoS
- 425 IP Precedence
- 425 PPP Fragmentation and Interleaving
- 425 CBWFQ
- 426 RSVP
- 426 Low Latency Queuing
- 426 Access Lists
- 427 ROM Monitor
- 427 Entering the ROM Monitor
- 428 ROM Monitor Commands
- 429 ROM Monitor Commands for 860VAE ISRs
- 429 ROM Monitor Command Descriptions
- 430 Disaster Recovery with TFTP Download
- 431 TFTP Download Command Variables
- 431 Required Variables
- 431 Optional Variables
- 432 Using the TFTP Download Command
- 433 Configuration Register
- 433 Changing the Configuration Register Manually
- 433 Changing the Configuration Register Using Prompts
- 434 Console Download
- 435 Error Reporting
- 435 ROM Monitor Debug Commands
- 437 Exiting the ROM Monitor
- 439 INDEX