Cisco 819 Series Integrated Services
Routers Software Configuration Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-23590-02
September 2, 2013
Chapter 1 Product Overview
This chapter provides an overview of the features available for the Cisco 819 Integrated Services Routers
(ISRs) and contains the following sections:
• General Description
• SKU Information
• New Features
General Description
The Cisco 819 ISRs provide Internet, VPN, data, and backup capability to corporate teleworkers and
remote and small offices of fewer than 20 users. These routers are capable of bridging and multiprotocol
routing between LAN and WAN ports and provide advanced features such as antivirus protection.
The Cisco 819 ISRs are fixed-configuration data routers that provide four 10/100 Fast Ethernet (FE) ports,
one Gigabit Ethernet (GE) port, and WAN connections over Serial and Cellular (3G) interfaces.
The Cisco 819HGW and Cisco 819HWD ISRs support WiFi radios (AP802H-AGN). A Wireless Local
Area Network (WLAN) implements a flexible data communication system frequently augmenting rather
than replacing a wired LAN within a building or campus. WLANs use radio frequency to transmit and
receive data over the air, minimizing the need for wired connections.
The Cisco 819HG-4G and Cisco 819G-4G support multimode 4G LTE and have an embedded Sierra
Wireless multimode modem.
Note: Cisco 819 ISR is used to refer to Cisco 819G, Cisco 819HG, Cisco 819H, Cisco 819HWD, Cisco
819HGW, Cisco 819HG-4G, and Cisco 819G-4G ISRs unless specifically called out otherwise.
Figure 1-1 shows the Cisco 819HG ISR.
Figure 1-1 Cisco 819HG Integrated Services Router
Figure 1-2 shows the Cisco 819HGW ISR.
Figure 1-2 Cisco 819HGW Integrated Services Router
SKU Information
For the complete list of SKUs available in Cisco 819 ISRs, see SKU Information.
New Features
This section lists the software, platform, and security features supported by the Cisco 819 ISRs.
• 3G Features
• WLAN Features
• 4G LTE Features
• Platform Features
• Security Features
Note: The WAAS Express feature is not supported. This feature will be supported for 3G and 4G interfaces
with later IOS releases.
3G Features
• Modem control and management
• Asynchronous transport (AT) command set
• Wireless Host Interface Protocol (WHIP)
• Control and Status (CNS) for out-of-band modem control and status
• Diagnostic Monitor (DM) logging
• Account provisioning
• Modem firmware upgrade
• SIM locking and unlocking
• MEP unlocking
• OMA-DM activation
• Dual SIM card slots
• Link persistence
• SMS Services
• Global Positioning System (GPS) Services
• 3G MIB
WLAN Features
• Dual Radio
• CleanAir Technology
• Dynamic Frequency Selection
4G LTE Features
• IPv4 bearer
• MIPv4, NEMOv4, RFC 3025
• IPv4 subnet behind LTE UE interface
• Evolved High-Rate Packet Data (EHRPD), which allows seamless handoff between 4G LTE and 3G
  services (C819(H)G-4G-V-K9 only)
• Seamless hand-off between LTE and EHRPD network (C819(H)G-4G-V-K9 only)
• Support for UMTS service as a fallback option from LTE service (C819(H)G-4G-A-K9 and
  C819(H)G-4G-G-K9 only)
• Seamless handoff between LTE and UMTS service (C819(H)G-4G-A-K9 and C819(H)G-4G-G-K9
  only)
• Remote access to Qualcomm diagnostic monitor port
• OTA-DM including wireless configuration FOTA (C819(H)G-4G-V-K9 only)
• Mini USB type 2 connector for modem provisioning
Platform Features
For the complete list of Cisco 819 ISR platform features, see Platform Features for Cisco 819 ISRs.
Security Features
The Cisco 819 ISRs provide the following security features:
• Intrusion Prevention System (IPS)
• Dynamic Multipoint VPN (DMVPN)
• IPsec
• Quality of service (QoS)
• Firewall
• URL filtering
Chapter 2 Wireless Device Overview
The Cisco 819 ISRs provide Internet, VPN, data, and backup capability to corporate teleworkers and
remote and small offices of fewer than 20 users. These fixed routers are capable of bridging and
multiprotocol routing between LAN and WAN ports and provide advanced features such as antivirus
protection.
The fixed 3G routers can be used as the primary WAN connection and as a backup for critical
applications.
Note: There are two SIM card slots in the Cisco 819 ISRs. For information on how to install the SIM cards,
see Cisco 819 Integrated Services Router Hardware Installation Guide.
• ScanSafe
• TFTP support with Ethernet WAN interface
• LEDs
ScanSafe
The Cisco Integrated Services Router G2 (ISR G2) family delivers numerous security services, including
firewall, intrusion prevention, and VPN. These security capabilities have been extended with Cisco ISR
Web Security with Cisco ScanSafe for a web security and web filtering solution that requires no
additional hardware or client software.
Cisco ISR Web Security with Cisco ScanSafe enables branch offices to intelligently redirect web traffic
to the cloud to enforce granular security and acceptable use policies over user web traffic. With this
solution, you can deploy market-leading web security quickly and can easily protect branch office users
from web-based threats, such as viruses, while saving bandwidth, money, and resources.
For more information, see Cisco ISR Web Security with Cisco ScanSafe Solution Guide.
TFTP support with Ethernet WAN interface
Trivial File Transfer Protocol (TFTP) is a file transfer protocol notable for its simplicity. It is generally
used for automated transfer of configuration or boot files between machines in a local environment.
The Cisco 819H ISR supports TFTP with an Ethernet WAN interface that supports a data transfer rate of 10
Mbps.
For more information, see the “Using the TFTP Download Command” section on page C-5.
Note: This feature is supported in all Cisco 819 ISRs that have ROMMON version 15.2(2r)T and above.
Note: TFTP download using switch port is supported in Cisco 819HGW SKUs only.
LEDs
The LED is located on the front panel of the router. Table 2-1 describes the 3G LED for the Cisco 819
ISR.
Table 2-1 3G LED Descriptions
LED | Color | Description
SYS | Yellow | FPGA download is complete.
SYS | Green (blinking) | ROMMON is operational.
SYS | Green (solid) | IOS is operational.
SYS | Green (four blinks during bootup) | Reset button has been pushed during the bootup.
SYS | Off | After powering up, when FPGA is being downloaded (in ROMMON).
ACT | Green | Network activity on FE Switch ports, GE WAN port, 3G cellular interface, and serial interfaces.
ACT | Off | No network activity.
WWAN | Green | Module is powered on and connected but not transmitting or receiving.
WWAN | Green (slow blinking) | Module is powered on and searching for connection.
WWAN | Green (fast blinking) | Module is transmitting or receiving.
WWAN | Off | Module is not powered.
GPS | Green (solid) | Standalone GPS.
GPS | Green (slow blinking) | GPS is acquiring.
GPS | Yellow (solid) | Assisted GPS.
GPS | Yellow (slow blinking) | Assisted GPS is acquiring.
GPS | Off | GPS is not configured.
RSSI | Green (solid) | Signal > –60. Very strong signal.
RSSI | Green (four blinks and then a long pause) | Signal <= –60 to –74. Strong signal.
RSSI | Green (two blinks and then a long pause) | Signal <= –75 to –89. Fair signal.
RSSI | Green (one blink and then a long pause) | Signal <= –90 to –109. Marginal signal.
RSSI | Off | Signal <= –110. Unusable signal.
SIM (notes 1, 2) | Green / Yellow (one green blink followed by two yellow blinks) | SIM in slot 0 active, SIM in slot 1 is not.
SIM | Yellow / Green (one yellow blink followed by two green blinks) | SIM in slot 1 active, SIM in slot 0 is not.
SIM | Off / Green (two green blinks and then pause) | No SIM in slot 0, SIM present in slot 1.
SIM | Green / Off (slow single green blink and then pause) | SIM present in slot 0, no SIM in slot 1.
SIM | Off / Off | No SIM present in either slot.
3G | One blink green and then pause | For 1xRTT, EGPRS, GPRS service.
3G | Two blink green and then pause | For EVDO, EVDO/1xRTT, UMTS.
3G | Three blink green and then pause | For EVDO/1xRTT RevA, HSPA, HSUPA/HSDPA.
3G | Green (solid) | For HSPA PLUS.
1. Not applicable to Verizon and Sprint EVDO modems.
2. There is only one LED to indicate the status of two SIMs. A one-blink pattern represents the status of the SIM in slot 0, followed
by a two-blink pattern for the SIM in slot 1.
Use the following show commands to check the LED status for your router:
• show platform led (for all LEDs)
• show controller cellular 0 (for 3G LEDs)
The following is a sample output from the show platform led command and shows the LED status:
router# show platform led
LED STATUS:
==========
LEDS : SYSTEM WWAN RSSI GPS
STATUS: GREEN GREEN GREEN(2 BLINK) OFF
LEDS : ACTIVITY SIM(slot0 / slot1) 3G
STATUS: OFF GREEN / YELLOW GREEN
LAN PORTS : FE0 FE1 FE2 FE3
LINK/ENABLE LED : OFF OFF OFF OFF
SPEED LED : Unknown Unknown Unknown Unknown
PORT : GE-WAN0
LINK/ENABLE LED : OFF
SPEED LED : Unknown
The following is a sample output from the show controllers cellular command showing the 3G LED
status:
router# show controllers cellular 0
Interface Cellular0
3G Modem-QuadBand HSPA+R7/HSPA/UMTS QuadBand EDGE/GPRS Global and GPS,
Cellular modem configuration:
Modem is recognized as valid
manufacture id: 0x00001199 product id: 0x000068A3
Sierra Wireless Mini Card MC8705 HSPA+R7 modem.
Cellular Dual SIM details:
---------------------------
SIM 0 is present
SIM 0 is active SIM
Modem Management Statistics
--------------------------
Modem resets = 2
Last known modem state = 'application' mode
Packets sent = 2508, Packets received = 44621, Packets pending = 0
DIP MDM link status retry count = 0 pdp context = 0
DIP MDM link up pending = 0 pdp context = 0
IDB Cellular0: DIP profile id = 255
RSSI LED : 3-blink Green <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Service LED : 3-blink Green <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SIM LED : Slot0 - Green; Slot1 - Off <<<<<<<<<<<<<<<<<<<<<<<
GPS LED : Off <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
GPS NMEA port = Disabled (Stream OFF)
DM port = Disabled
:
:
:
Chapter 3 Wireless Local Area Network
A Wireless Local Area Network (WLAN) implements a flexible data communication system frequently
augmenting rather than replacing a wired LAN within a building or campus. WLANs use radio frequency
to transmit and receive data over the air, minimizing the need for wired connections.
The Cisco 819HGW and Cisco 819HWD ISRs run the Host router software on the first core. The
second core runs the WLAN Access Point software.
If WLAN is not supported in an SKU, all 1 GB DRAM memory is allocated to the first core. For the
SKUs that support WLAN, 128 MB out of the 1 GB main memory is allocated to the second core.
If WLAN is not supported in an SKU, all 1 GB compact flash memory is allocated to the first core. For
the SKUs that support WLAN, 64 MB out of the 1 GB main memory is allocated to the second core.
Note: WLAN is only supported on Cisco 819HGW and Cisco 819HWD ISRs introduced in IOS release
15.2(4)M1.
WLAN Features
The Cisco 819HGW and Cisco 819HWD ISRs support the following features:
• Dual-Radio
• Images Supported
• CleanAir Technology
• Dynamic Frequency Selection
• LEDs
Dual-Radio
This release supports Cisco 802 Access Points (AP802). The AP802 is an integrated access point on the
Next Generation of Cisco 819HGW and Cisco 819HWD ISRs.
The access point is a wireless LAN transceiver that acts as the connection point between wireless and
wired networks or as the center point of a standalone wireless network. In large installations, the roaming
functionality provided by multiple access points enables wireless users to move freely throughout the
facility while maintaining uninterrupted access to the network.
AP802 Dual Radio contains two different types of wireless radio that can support connections on both
2.4 GHz used by 802.11b, 802.11g, and 802.11n and 5 GHz used by 802.11a and 802.11n.
With the dual-radio/dual-band IEEE 802.11n access point, the Cisco 819HGW and Cisco 819HWD ISRs
offer a secure, integrated access point in a single device. The ISRs support both autonomous and unified
modes and are backward compatible with 802.11a/b/g.
The routers support IEEE 802.11n draft 2.0 and use multiple-input, multiple-output (MIMO) technology
that provides increased throughput, reliability, and predictability.
For complete information on how to configure wireless device and radio settings, see Basic Wireless
Device Configuration and Configuring Radio Settings.
Images Supported
For the images supported in the AP802 Dual radio, see Minimum software version needed to support
AP802.
CleanAir Technology
CleanAir is a new wireless technology that intelligently avoids Radio Frequency (RF) interference to
protect 802.11n performance. For more information, see Cisco CleanAir Technology. This feature is
supported in all SKUs.
Dynamic Frequency Selection
Dynamic Frequency Selection (DFS) is the process of detecting radar signals that must be protected
against 802.11a interference and, upon detection, switching the 802.11a operating frequency to one that
does not interfere with the radar systems. Transmit Power Control (TPC) is used to adapt the transmission
power based on regulatory requirements and range information.
Note: The DFS functionality is disabled for FCC SKUs pending FCC certification. For more information, see
Dynamic Frequency Selection and IEEE 802.11h Transmit Power Control.
LEDs
The WLAN LED is located at the front panel of the router. Table 3-1 describes the WLAN LED for the
Cisco 819HGW and Cisco 819HWD ISRs.
Table 3-1 WLAN LED Descriptions
WLAN LED | Color | Description
Boot loader status sequence | Blinking Green | Board initialization in progress. Initializing FLASH file system. Initializing Ethernet. Ethernet is OK. Starting Cisco IOS. Initialization successful.
Association status | Green | Normal operating condition with no wireless client associated.
Association status | Blue | Normal operating condition with at least one wireless client associated.
Operating status | Blinking Blue | Software upgrade in progress.
Operating status | Rapidly cycling through Blue, Green, Red, and White | Access point location command invoked.
Operating status | Blinking Red | Ethernet link not operational.
Boot loader errors | Blinking Red and Blue | FLASH file system failure.
Boot loader errors | Blinking Red and Off | Environment variable failure. Bad MAC address. Ethernet failure during image recovery. Boot environment failure. No Cisco image file. Boot failure.
Cisco IOS errors | Red | Software failure. Try to disconnect and reconnect the unit power.
Chapter 4 4G LTE Wireless WAN
The Cisco 819HG-4G and Cisco 819G-4G LTE ISRs support 4G LTE and 3G cellular networks.
For instructions on how to configure the 4G LTE features on your Cisco 819 ISR, see the Cisco 4G LTE
Software Installation Guide.
Chapter 5 Basic Router Configuration
This chapter provides procedures for configuring the basic parameters of your Cisco router, including
global parameter settings, routing protocols, interfaces, and command-line access. It also describes the
default configuration on startup.
• Interface Ports
• Default Configuration
• Information Needed for Configuration
• Configuring Command-Line Access
• Configuring Global Parameters
• Configuring WAN Interfaces
• Configuring a Loopback Interface
• Configuring Static Routes
• Configuring Dynamic Routes
Note: Individual router models may not support every feature described in this guide. Features that are not
supported by a particular router are indicated whenever possible.
Note: For instructions on how to configure the 4G LTE features on your Cisco 819 ISR, see the Cisco 4G LTE
Software Installation Guide.
This chapter includes configuration examples and verification steps, as available.
For complete information on how to access global configuration mode, see the “Entering Global
Configuration Mode” section on page A-5.
Interface Ports
Table 5-1 lists the interfaces that are supported for each router and their associated port labels on the
equipment.
Table 5-1 Supported Interfaces and Associated Port Labels by Cisco Router
Router | Interface | Port Label
Cisco 819 Router | 4-port Fast Ethernet LAN | LAN, FE0–FE3
Cisco 819 Router | Gigabit Ethernet WAN | GE WAN 0
Cisco 819 Router | Serial | Serial
Cisco 819 Router | Mini USB for 3G port Provisioning | 3G RSVD
Cisco 819 Router | Console/Aux port | CON/AUX
Note: There are two labels for the associated antennas: Main and DIV/GPS.
Default Configuration
When you first boot up your Cisco router, some basic configuration has already been performed. All of
the LAN and WAN interfaces have been created, console and vty ports are configured, and the inside
interface for Network Address Translation (NAT) has been assigned. Use the show running-config
command to view the initial configuration, as shown in the following example for a Cisco 819 ISR:
Router# show running
Building configuration...
Current configuration : 977 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
no aaa new-model
ip source-route
ip cef
no ipv6 cef
license udi pid CISCO819G-G-K9 sn FHK1429768Q
controller Cellular 0
interface Cellular0
 no ip address
 encapsulation ppp
interface Ethernet-wan0
 no ip address
 shutdown
 duplex auto
 speed auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Serial0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
logging esm config
control-plane
line con 0
 no modem enable
line aux 0
line 3
 no exec
line 7
 stopbits 1
 speed 115200
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
Information Needed for Configuration
You need to gather some or all of the following information, depending on your planned network
scenario, before configuring your network:
• If you are setting up an Internet connection, gather the following information:
  – PPP client name that is assigned as your login name
  – PPP password to access your Internet service provider (ISP) account
  – DNS server IP address and default gateways
• If you are setting up a connection to a corporate network, you and the network administrator must
  generate and share the following information for the WAN interfaces of the routers:
  – PPP authentication type: CHAP or PAP
  – PPP client name to access the router
  – PPP password to access the router
• If you are setting up IP routing:
  – Generate the addressing scheme for your IP network.
• If you are setting up the serial interface:
  – Mode of operation (sync, async, bisync)
  – Clock rate depending on the mode
  – IP address depending on the mode
• If you are setting up 3G:
  – You must have service availability on the Cisco 819 ISR from a carrier, and you must have
    network coverage where your router will be physically placed. For a complete list of supported
    carriers, see the data sheet at Cisco 3G Wireless Connectivity Solutions.
  – You must subscribe to a service plan with a wireless service provider and obtain a SIM card.
  – You must install the SIM card before configuring the 3G Cisco 819 ISR. For instructions on how
    to install the SIM card, see Cisco 800 Series Routers Configuring Cisco EHWIC and 880G for
    3.7G (HSPA+)/3.5G (HSPA).
• You must install the required antennas before you configure the 3G for Cisco 819 ISR. See the
  following URLs for instructions on how to install the antennas:
Configuring Command-Line Access
Specifies a unique password for the console terminal line.
Enables password checking at terminal session login.
Sets the interval that the EXEC command interpreter waits until user input is detected. The
default is 10 minutes. Optionally, add seconds to the interval value.
This example shows a timeout of 5 minutes and 30 seconds. Entering a timeout of 0 0 specifies
never to time out.
Specifies a virtual terminal for remote console access.
Example:
Router(config-line)# line vty 0 4
Router(config-line)#
Specifies a unique password for the virtual terminal line.
Step 7
Command: login
Purpose: Enables password checking at the virtual terminal session login.
Example:
Router(config-line)# login
Router(config-line)#
Step 8
Command: end
Purpose: Exits line configuration mode and returns to privileged EXEC mode.
Example:
Router(config-line)# end
Router#
Example
The following configuration shows the command-line access commands.
You do not need to input the commands marked “default.” These commands appear automatically in the
configuration file generated when you use the show running-config command.
!
line con 0
 exec-timeout 10 0
 password 4youreyesonly
 login
 transport input none (default)
 stopbits 1 (default)
line vty 0 4
 password secret
 login
!
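The default configuration and the command-line access example above both contain management-plane settings that are worth checking before a router is deployed. The following Python audit is an added example, not part of the Cisco guide; the rule names and SAMPLE_CONFIG (lines merged from the two listings) are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the guide's default configuration and
# its command-line access example, merged and flattened (no indentation).
SAMPLE_CONFIG = """\
no service password-encryption
!
no aaa new-model
ip source-route
no ip http server
!
line con 0
exec-timeout 10 0
password 4youreyesonly
login
line vty 0 4
password secret
login
transport input all
!
scheduler allocate 20000 1000
end
"""

# Global commands that weaken the management plane, matched on exact text.
GLOBAL_RULES = {
    "no service password-encryption":
        ("cleartext-storage", "line passwords appear unobscured in the config"),
    "ip source-route":
        ("source-route", "IP source-route options are honoured"),
    "no aaa new-model":
        ("no-aaa", "AAA is off; lines rely on a shared line password"),
}


def split_config(text):
    """Return (global_lines, {line_header: [subcommands]}).

    Assumption of this example: a 'line ...' section runs until '!', 'end'
    or the next 'line'/'interface' header, so flattened and indented
    listings parse the same way.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        elif cmd in ("!", "end") or cmd.startswith("interface "):
            current = None
        elif current is not None:
            sections[current].append(cmd)
        else:
            global_lines.append(cmd)
    return global_lines, sections


def audit(text):
    """Return a sorted list of (scope, rule_id, detail) findings."""
    global_lines, sections = split_config(text)
    findings = []
    for cmd in global_lines:
        if cmd in GLOBAL_RULES:
            rule, detail = GLOBAL_RULES[cmd]
            findings.append(("global", rule, detail))
    for header, cmds in sections.items():
        for cmd in cmds:
            # 'password 7 ...' is the obscured (reversible) type 7 form;
            # anything else is stored as typed. The value is never echoed.
            if re.match(r"password (?!7 )\S", cmd):
                findings.append((header, "cleartext-password",
                                 "password <redacted> stored as typed"))
            m = re.match(r"transport input (.+)", cmd)
            if (m and header.startswith("line vty")
                    and set(m.group(1).split()) & {"all", "telnet"}):
                findings.append((header, "telnet-allowed",
                                 "remote sessions may use unencrypted Telnet"))
            # The guide notes that a timeout of 0 0 never times out.
            if re.fullmatch(r"exec-timeout 0( 0)?", cmd):
                findings.append((header, "no-idle-timeout",
                                 "idle sessions are never disconnected"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, rule, detail in audit(SAMPLE_CONFIG):
        print(f"{scope:14} {rule:20} {detail}")
```

The same function accepts the indented output of show running-config, because each line is stripped before matching.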
Configuring Global Parameters
To configure selected global parameters for your router, perform these steps:
Configuring a Gigabit Ethernet WAN Interface
Sets the IP address and subnet mask for the specified Gigabit Ethernet interface.
Enables the Ethernet interface, changing its state from administratively down to
administratively up.
Exits configuration mode for the Gigabit Ethernet interface and returns to global
configuration mode.
Configuring the Cellular Wireless WAN Interface
The Cisco 819 ISRs provide a Third-Generation (3G) wireless interface for use over Global System for
Mobile Communications (GSM) and code division multiple access (CDMA) networks. The interface is
a 34-millimetre embedded mini express card.
Its primary application is WAN connectivity as a backup data link for critical data applications. However,
the 3G wireless interface can also function as the router’s primary WAN connection.
To configure the 3G cellular wireless interface, follow these guidelines and procedures:
•Prerequisites for Configuring the 3G Wireless Interface
•Restrictions for Configuring the Cellular Wireless Interface
•Data Account Provisioning
•Configuring a Cellular Interface
•Configuring DDR
•Examples for Configuring Cellular Wireless Interfaces
•Configuring Dual SIM for Cellular Networks
Prerequisites for Configuring the 3G Wireless Interface
The following are prerequisites to configuring the 3G wireless interface:
•You must have wireless service from a carrier, and you must have network coverage where your
router will be physically placed. For a complete list of supported carriers, see the data sheet at:
www.cisco.com/go/m2m
•You must subscribe to a service plan with a wireless service provider and obtain a SIM card (GSM
modem only) from the service provider.
•You must check your LEDs for signal strength, as described in Table 2-1.
•You should be familiar with the Cisco IOS software. See Cisco IOS documentation beginning with
Cisco IOS Release 12.4(15)XZ or later for Cisco 3G Wireless support.
•To configure your GSM data profile, you need the following information from your service provider:
  –Username
  –Password
  –Access point name (APN)
•To configure your CDMA (CDMA only) data profile for manual activation, you need the following
information from your service provider:
  –Master Subsidy Lock (MSL) number
  –Mobile Directory number (MDN)
  –Mobile Station Identifier (MSID)
  –Electronic Serial Number (ESN)
•Check the LED located on the front panel of the router for signal strength and other indications.
Table 2-1 describes the 3G LEDs for the Cisco 819 ISR.
Restrictions for Configuring the Cellular Wireless Interface
The following restrictions apply to configuring the Cisco 3G wireless interface:
•A data connection can be originated only by the 3G wireless interface. Remote dial-in is not
supported.
•Because of the shared nature of wireless communications, the experienced throughput varies
depending on the number of active users or the amount of congestion in a given network.
•Cellular networks have higher latency than wired networks. Latency rates depend on the technology
and carrier. Latency may be higher when there is network congestion.
•VoIP is currently not supported.
•Any restrictions that are part of the terms of service from your carrier also apply to the Cisco 3G
wireless interface.
•Inserting a different type of modem from what was previously removed requires configuration
changes and you must reload the system.
Data Account Provisioning
Note: To provision your modem, you must have an active wireless account with a service provider. A SIM card
must be installed in a GSM 3G wireless card.
To provision your data account, follow these procedures:
•Verifying Signal Strength and Service Availability
•Configuring a GSM Modem Data Profile
•CDMA Modem Activation and Provisioning
Verifying Signal Strength and Service Availability
To verify the signal strength and service availability on your modem, use the following commands in
privileged EXEC mode.
SUMMARY STEPS
1. show cellular 0 network
2. show cellular 0 hardware
3. show cellular 0 connection
4. show cellular 0 gps
5. show cellular 0 radio
6. show cellular 0 profile
7. show cellular 0 security
8. show cellular 0 sms
9. show cellular 0 all
DETAILED STEPS
Step 1  show cellular 0 network
        Purpose: Displays information about the carrier network, cell site, and available service.
        Example:
        Router# show cellular 0 network
Step 2  show cellular 0 hardware
        Purpose: Displays the cellular modem hardware information.
        Example:
        Router# show cellular 0 hardware
Step 3  show cellular 0 connection
        Purpose: Displays the current active connection state and data statistics.
        Example:
        Router# show cellular 0 connection
Step 4  show cellular 0 gps
        Purpose: Displays the cellular GPS information.
        Example:
        Router# show cellular 0 gps
Step 5  show cellular 0 radio
        Purpose: Shows the radio signal strength.
        Note: The RSSI should be better than –90 dBm for a steady and reliable connection.
        Example:
        Router# show cellular 0 radio
Step 6  show cellular 0 profile
        Purpose: Shows information about the modem data profiles created.
        Example:
        Router# show cellular 0 profile
Step 7  show cellular 0 security
        Purpose: Shows the security information for the modem, such as SIM and modem lock status.
        Example:
        Router# show cellular 0 security
Step 8  show cellular 0 sms
        Purpose: Displays the cellular SMS information.
        Example:
        Router# show cellular 0 sms
Step 9  show cellular 0 all
        Purpose: Shows consolidated information about the modem, such as the profiles that were
        created, the radio signal strength, the network security, and so on.
        Example:
        Router# show cellular 0 all
Configuring a GSM Modem Data Profile
To configure or create a new modem data profile, enter the following command in privileged EXEC
mode.
Purpose: Creates a new modem data profile. See Table 5-2 for details about the command parameters.
Example:
Router# gsm profile create 2 <apn-name> chap username password ipv4
Table 5-2 lists the modem data profile parameters.
Table 5-2 Modem Data Profile Parameters
profile number    Number for the profile that you are creating. You can create up to 16 profiles.
apn               Access point name. You must get this information from the service provider.
authentication    Type of authentication, for example, CHAP, PAP.
Username          Username provided by your service provider.
Password          Password provided by your service provider.
CDMA Modem Activation and Provisioning
Activation procedures may differ, depending upon your carrier. Consult your carrier and perform one of
the following procedures as appropriate:
•Manual activation
•Activating using over-the-air service provisioning
The following table lists the activation and provisioning processes supported by different wireless
carriers.
Table 5-3
Activation and Provisioning Process       Carrier
Manual Activation using MDN, MSID, MSL    Sprint
OTASP(1) Activation                       Verizon Wireless
IOTA(2) for Data Profile refresh          Sprint
1. OTASP = Over the Air Service Provisioning.
2. IOTA = Internet Over the Air.
Manual Activation
Note: You must have valid mobile directory number (MDN), mobile subsidy lock (MSL), and mobile station
identifier (MSID) information from your carrier before you start this procedure.
To configure a modem profile manually, use the following command, beginning in EXEC mode:
cellular unit cdma activate manual mdn msid msl
Besides being activated, the modem data profile is provisioned through the Internet Over the Air (IOTA)
process. The IOTA process is initiated automatically when you use the cellular unit cdma activate manual mdn msid msl command.
The following is a sample output from this command:
router# cellular 0 cdma activate manual 1234567890 1234567890 12345
NAM 0 will be configured and will become Active
Modem will be activated with following Parameters
MDN :1234567890; MSID :1234567890; SID :1234; NID 12:
Checking Current Activation Status
Modem activation status: Not Activated
Begin Activation
Account activation - Step 1 of 5
Account activation - Step 2 of 5
Account activation - Step 3 of 5
Account activation - Step 4 of 5
Account activation - Step 5 of 5
Secure Commit Result: Succeed
Done Configuring - Resetting the modem
The activation of the account is Complete
Waiting for modem to be ready to start IOTA
Beginning IOTA
router#
*Feb 6 23:29:08.459: IOTA Status Message Received. Event: IOTA Start, Result: SUCCESS
*Feb 6 23:29:08.459: Please wait till IOTA END message is received
*Feb 6 23:29:08.459: It can take up to 5 minutes
*Feb 6 23:29:27.951: OTA State = SPL unlock, Result = Success
*Feb 6 23:29:32.319: OTA State = Parameters committed to NVRAM, Result = Success
*Feb 6 23:29:40.999: Over the air provisioning complete; Result:Success
*Feb 6 23:29:41.679: IOTA Status Message Received. Event: IOTA End, Result: SUCCESS
The IOTA start and end must have “success” as the resulting output. If you receive an error message, you
can run IOTA independently by using the cellular cdma activate iota command.
Your carrier may require periodic refreshes of the data profile. Use the following command to refresh
the data profile:
cellular cdma activate iota
Activating with Over-the-Air Service Provisioning
To provision and activate your modem using Over-the-Air Service Provisioning (OTASP), use the
following command, beginning in EXEC mode.
Note: You need to obtain the phone number for use with this command from your carrier. The standard OTASP
calling number is *22899.
The following is a sample output from this command:
router# cellular 0 cdma activate otasp *22899
Beginning OTASP activation
OTASP number is *22899
819H#
OTA State = SPL unlock, Result = Success
router#
OTA State = PRL downloaded, Result = Success
OTA State = Profile downloaded, Result = Success
OTA State = MDN downloaded, Result = Success
OTA State = Parameters committed to NVRAM, Result = Success
Over the air provisioning complete; Result:Success
Configuring a Cellular Interface
To configure the cellular interface, enter the following commands, beginning in privileged EXEC mode.
SUMMARY STEPS
1. configure terminal
2. interface cellular 0
3. encapsulation ppp
4. ppp chap hostname hostname
5. ppp chap password 0 password
6. asynchronous mode interactive
7. ip address negotiated
Note: The PPP Challenge Handshake Authentication Protocol (CHAP) authentication parameters that you use
in this procedure must be the same as the username and password provided by your carrier and
configured only under the GSM profile. CDMA does not require a username or password.
DETAILED STEPS
Step 1  configure terminal
        Purpose: Enters global configuration mode from the terminal.
        Example:
        Router# configure terminal
Step 2  interface cellular 0
        Purpose: Specifies the cellular interface.
        Example:
        Router(config)# interface cellular 0
Step 3  encapsulation ppp
        Purpose: Specifies PPP encapsulation for an interface configured for dedicated asynchronous
        mode or dial-on-demand routing (DDR).
        Example:
        Router(config-if)# encapsulation ppp
Step 4  ppp chap hostname hostname
        Purpose: Defines an interface-specific Challenge Handshake Authentication Protocol (CHAP)
        hostname. This must match the username given by the carrier. Applies to GSM only.
        Example:
        Router(config-if)# ppp chap hostname cisco@wwan.ccs
Step 5  ppp chap password 0 password
        Purpose: Defines an interface-specific CHAP password. This must match the password given by
        the carrier.
        Example:
        Router(config-if)# ppp chap password 0 cisco
Step 6  asynchronous mode interactive
        Purpose: Returns a line from dedicated asynchronous network mode to interactive mode,
        enabling the slip and ppp commands in privileged EXEC mode.
        Example:
        Router(config-if)# asynchronous mode interactive
Step 7  ip address negotiated
        Purpose: Specifies that the IP address for a particular interface is obtained via PPP and IPCP
        address negotiation.
        Example:
        Router(config-if)# ip address negotiated
Note: When the cellular interface requires a static IP address, the address may be configured as ip address
negotiated. Through IP Control Protocol (IPCP), the network ensures that the correct static IP address
is allocated to the device. If a tunnel interface is configured with the ip address unnumbered <cellular
interface> command, the actual static IP address must be configured under the cellular interface, in place
of ip address negotiated. For a sample cellular interface configuration, see the “Basic Cellular Interface
Configuration” section on page 5-20.
Configuring DDR
Perform these steps to configure dial-on-demand routing (DDR) for the cellular interface.
SUMMARY STEPS
The following example shows how to configure the static IP address when a tunnel interface is
configured with the ip address unnumbered <cellular interface> command:
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer pool 1
 dialer string hspa
 dialer-group 1
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 1 permit any
dialer-list 1 protocol ip permit
line 3
 script dialer hspa+
 modem InOut
 no exec
 transport input all
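An added example, not part of the Cisco guide: a Python audit that reads a saved running-config and reports the settings that this chapter's command-line access example and cellular interface steps leave weak (cleartext line and CHAP secrets, a disabled EXEC timeout, a console or vty line without login, and transport input all). The sample input is constructed from the chapter's own example values; the function names and severity labels are assumptions of this sketch.

```python
import re

# Constructed sample: the chapter's line and cellular examples, indented the way
# "show running-config" prints them. The secrets are the guide's sample strings.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 10 0
 password 4youreyesonly
 login
 transport input none (default)
line vty 0 4
 password secret
 login
!
interface Cellular0
 encapsulation ppp
 ppp chap hostname cisco@wwan.ccs
 ppp chap password 0 cisco
 ip address negotiated
!
line 3
 script dialer hspa+
 modem InOut
 no exec
 transport input all
"""

HEADER_RE = re.compile(r"^(line|interface)\s+(.+)$", re.IGNORECASE)
# Optional digit after the keyword is the encoding type: 0 = cleartext, 7 = type 7.
SECRET_RE = re.compile(r"^(password|ppp chap password)\s+(?:(\d+)\s+)?\S+")
TIMEOUT_RE = re.compile(r"^exec-timeout\s+(\d+)(?:\s+(\d+))?$")


def parse_sections(config_text):
    """Return [(header, [sub-commands])] for every line/interface block."""
    sections, current = [], None
    for raw in config_text.splitlines():
        text = raw.replace("(default)", "").rstrip()  # guide annotation, not IOS syntax
        if not text.strip():
            continue
        if text[0].isspace():  # indented: sub-command of the open block
            if current is not None:
                current[1].append(text.strip())
            continue
        # Any other top-level line ("!", "ip route ...") closes the open block.
        current = (text, []) if HEADER_RE.match(text) else None
        if current:
            sections.append(current)
    return sections


def audit(config_text):
    """Return (header, severity, message) findings; secret values are never echoed."""
    findings = []
    for header, cmds in parse_sections(config_text):
        kind, name = header.split(None, 1)
        kind = kind.lower()
        for cmd in cmds:
            secret = SECRET_RE.match(cmd)
            if secret and secret.group(2) in (None, "0"):
                findings.append((header, "high", f"{secret.group(1)}: stored in cleartext"))
            elif secret and secret.group(2) == "7":
                findings.append((header, "medium", f"{secret.group(1)}: type 7 encoding is reversible"))
            timeout = TIMEOUT_RE.match(cmd)
            if timeout and int(timeout.group(1)) == 0 and int(timeout.group(2) or 0) == 0:
                findings.append((header, "medium", "exec-timeout 0 0: session never times out"))
            if kind == "line" and cmd == "transport input all":
                findings.append((header, "info", "transport input all: every inbound protocol accepted"))
        # Only console and vty lines give an EXEC login prompt worth checking.
        is_terminal = kind == "line" and name.split()[0].lower() in ("con", "vty")
        if is_terminal and not any(c.startswith("login") for c in cmds):
            findings.append((header, "high", "no login: password checking is not enabled"))
    return findings


if __name__ == "__main__":
    for header, severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {header}: {message}")
```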
Configuring Dual SIM for Cellular Networks
The Dual SIM feature implements auto-switch and failover between two cellular networks on a Cisco
819 ISR. This feature is enabled by default with SIM slot 0 being the primary slot and slot 1 being the
secondary (failover) slot.
Note: For instructions on how to configure the Dual SIM feature for 4G LTE cellular networks, see the Cisco
4G LTE Software Installation Guide.
You can configure the Dual SIM feature using the following commands:
Command                Syntax                                        Description
gsm failovertimer      gsm failovertimer <1-7>                       Sets the failover timer in minutes.
gsm sim authenticate   gsm sim authenticate <0,7> <pin> slot <0-1>   Verifies the SIM CHV1 code.
gsm sim max-retry      gsm sim max-retry <0-65535>                   Specifies the maximum number of failover retries. The default value is 10.
gsm sim primary slot   gsm sim primary slot <0-1>                    Modifies the primary slot assignment.
gsm sim profile        gsm sim profile <1-16> slot <0-1>             Configures the SIM profile.
Note the following:
•For auto-switch and failover to work, configure the SIM profile for slots 0 and 1 using the gsm sim
profile command.
•For auto-switch and failover to work, configure the chat script without a specific profile number.
•If no SIM profile is configured, profile #1 is used by default.
•If no GSM failover timer is configured, the default failover timeout is 2 minutes.
•If no GSM SIM primary slot is configured, the default primary SIM is slot 0.
The following example shows you how to set the SIM switchover timeout period to 3 minutes:
router(config-controller)# gsm failovertimer 3
The following example shows you how to authenticate using an unencrypted pin:
Perform the following commands to manually switch the SIM:
Command                 Syntax                                                  Description
cellular GSM SIM        cellular GSM SIM {lock | unlock}                        Locks or unlocks the SIM.
gsm sim                 cellular <unit> gsm sim [lock | unlock] <pin>           Locks or unlocks the gsm SIM.
gsm sim unblock         cellular <unit> gsm sim unblock <puk> <newpin>          Unblocks the gsm SIM.
gsm sim change-pin      cellular <unit> gsm sim change-pin <oldpin> <newpin>    Changes the PIN of the SIM.
gsm sim activate slot   cellular <unit> gsm sim activate slot <slot_no>         Activates the GSM SIM.
The following command forces the modem to connect to SIM1:
Router# cellular 0 gsm sim activate slot 1
Configuring Router for Image and Config Recovery Using Push Button
A push button feature is available on the Cisco 819 ISR. The reset button on the front panel of the router
enables this feature.
Perform the following steps to use this feature:
Step 1 Unplug power.
Step 2 Press the reset button on the front panel of the router.
Step 3 Power up the system while holding down the reset button.
The system LED blinks four times indicating that the router has accepted the button push.
Using this button takes effect only during ROMMON initialization. During a warm reboot, pressing this
button has no impact on performance. Table 5-4 shows the high level functionality when the button is
pushed during ROMMON initialization.
Table 5-4 Push Button Functionality during ROMMON Initialization
ROMMON Behavior
•Boots using default baud rate.
•Performs auto-boot.
•Loads the *.default image if available on compact flash.
Note: If no *.default image is available, the ROMMON will boot up with the first
Cisco IOS image on flash.
Examples of names for default images:
c800-universalk9-mz.SPA.default,
c-800-universalk9_npe-mz.151T.default,
image.default
IOS Behavior
If the configuration named *.cfg is available in nvram storage or flash storage, IOS will perform a
backup of the original configuration and will boot up using this configuration.
Note: You can only have one configuration file with *.cfg option. Having more than one
file will result in uncertain operational behavior.
Use the show platform command to display the current bootup mode for the router. The following
sections show sample outputs when the button is not pushed and when the button is pushed.
Output When Button Is Not Pushed: Example
router# show platform boot-record
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Not Pressed
Startup-config Backup Status at Boot: No Status
Startup-config(backup file)location : No Backup
Golden config file at location : No Recovery Detected
Config Recovery Status : No Status
Output When Button Is Pushed: Example
router# show platform boot-record
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Pressed
Startup-config Backup Status at Boot: Ok
Startup-config(backup file)location : flash:/startup.backup.19000716-225840-UTC
Golden config file at location : flash:/golden.cfg
Config Recovery Status : Ok
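An added example, not part of the Cisco guide: because holding the button at power-on makes IOS back up the original configuration and boot from a *.cfg file, the boot record is worth checking after any unplanned restart. The Python below parses the two sample outputs above (embedded as constructed input) and classifies the boot; the function names and verdict labels are assumptions of this sketch.

```python
import re

# Constructed input: the two "show platform boot-record" outputs shown above.
NOT_PRESSED = """\
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Not Pressed
Startup-config Backup Status at Boot: No Status
Startup-config(backup file)location : No Backup
Golden config file at location : No Recovery Detected
Config Recovery Status : No Status
"""

PRESSED = """\
Platform Config Boot Record :
============================
Configuration Register at boot time : 0x0
Reset Button Status at Boot Time : Pressed
Startup-config Backup Status at Boot: Ok
Startup-config(backup file)location : flash:/startup.backup.19000716-225840-UTC
Golden config file at location : flash:/golden.cfg
Config Recovery Status : Ok
"""

# Field names, lower-cased with whitespace collapsed, as parse_boot_record stores them.
CONFREG = "configuration register at boot time"
BUTTON = "reset button status at boot time"
BACKUP = "startup-config(backup file)location"
GOLDEN = "golden config file at location"
RECOVERY = "config recovery status"
REQUIRED = (BUTTON, BACKUP, GOLDEN, RECOVERY)

PATH_RE = re.compile(r"^\w+:/\S+$")  # a storage path such as flash:/golden.cfg


def parse_boot_record(output):
    """Parse 'name : value' lines into a dict keyed by normalised field name."""
    record = {}
    for line in output.splitlines():
        # Split on the first colon only: values such as flash:/... contain colons.
        name, sep, value = line.partition(":")
        if sep and name.strip() and value.strip():
            record[" ".join(name.lower().split())] = value.strip()
    return record


def assess(output):
    """Classify a boot record: normal, button-pressed, config-replaced, inconsistent."""
    record = parse_boot_record(output)
    missing = [field for field in REQUIRED if field not in record]
    if missing:  # truncated or unexpected output: report it, do not guess
        return {"verdict": "incomplete", "missing": missing}
    pressed = record[BUTTON].lower() == "pressed"
    recovered = record[RECOVERY].lower() == "ok"
    golden = record[GOLDEN] if PATH_RE.match(record[GOLDEN]) else None
    backup = record[BACKUP] if PATH_RE.match(record[BACKUP]) else None
    if pressed and recovered:
        verdict = "config-replaced"   # router is running the *.cfg file
    elif pressed:
        verdict = "button-pressed"    # recovery path taken, no *.cfg applied
    elif recovered or golden:
        verdict = "inconsistent"      # recovery reported without a button press
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "golden_config": golden,
        "startup_backup": backup,
        "config_register": record.get(CONFREG),
    }


if __name__ == "__main__":
    for label, sample in (("not pressed", NOT_PRESSED), ("pressed", PRESSED)):
        print(label, assess(sample))
```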
Push Button in WLAN AP
When the push button on the front panel is pressed, WLAN AP will perform both image and
configuration recovery.
To perform image recovery, WLAN will go into the boot loader so that the user can download the image
from the bootloader prompt.
To perform configuration recovery, WLAN AP will overwrite the contents of flash:/config.txt with the
contents of flash:/cpconfig-ap802.cfg file if available in flash drive. Otherwise, flash:/config.txt will
be deleted.
Configuring the Fast Ethernet LAN Interfaces
The Fast Ethernet LAN interfaces on your router are automatically configured as part of the default
VLAN and are not configured with individual addresses. Access is provided through the VLAN. You
may assign the interfaces to other VLANs if you want. For more information about creating VLANs, see
the “Configuring the Ethernet Switches” section on page 10-1.
Configuring a Loopback Interface
The loopback interface acts as a placeholder for the static IP address and provides default routing
information.
Perform these steps to configure a loopback interface, beginning in global configuration mode:
SUMMARY STEPS
1. interface type number
2. ip address ip-address mask
3. exit
DETAILED STEPS
Step 1  interface type number
        Purpose: Enters configuration mode for the loopback interface.
Step 2  ip address ip-address mask
        Purpose: Sets the IP address and subnet mask for the loopback interface.
        Example:
        Router(config-if)# ip address 10.108.1.1 255.255.255.0
        Router(config-if)#
Step 3  exit
        Purpose: Exits configuration mode for the loopback interface and returns to global
        configuration mode.
        Example:
        Router(config-if)# exit
        Router(config)#
The loopback interface in this sample configuration is used to support Network Address Translation
(NAT) on the virtual-template interface. This configuration example shows the loopback interface
configured on the Fast Ethernet interface with an IP address of 200.200.100.1/24, which acts as a static
IP address. The loopback interface points back to virtual-template1, which has a negotiated IP address.
!
interface loopback 0
ip address 200.200.100.1 255.255.255.0 (static IP address)
ip nat outside
!
interface Virtual-Template1
ip unnumbered loopback0
no ip directed-broadcast
ip nat outside
!
Verifying Configuration
To verify that you have properly configured the loopback interface, enter the show interface loopback
command. You should see a verification output similar to the following example:
Router# show interface loopback 0
Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 200.200.100.1/24
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Another way to verify the loopback interface is to ping it:
Router# ping 200.200.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Configuring Static Routes
Static routes provide fixed routing paths through the network. They are manually configured on the
router. If the network topology changes, the static route must be updated with a new route. Static routes
are private routes unless they are redistributed by a routing protocol.
Follow these steps to configure static routes, beginning in global configuration mode.
SUMMARY STEPS
1. ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
2. end
DETAILED STEPS
Step 1  ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
        Purpose: Specifies the static route for the IP packets. For details about this command and
        about additional parameters that can be set, see Cisco IOS IP Routing: Protocol-Independent
        Command Reference.
        Example:
        Router(config)# ip route 192.168.1.0 255.255.255.0 10.10.10.2
        Router(config)#
Step 2  end
        Purpose: Exits router configuration mode and enters privileged EXEC mode.
        Example:
        Router(config)# end
        Router#
For general information on static routing, see the “Floating Static Routes” section on page B-5.
Example
In the following configuration example, the static route sends out all IP packets with a destination IP
address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another
device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC.
You do not need to enter the command marked “(default).” This command appears automatically in the
configuration file generated when you use the show running-config command.
!
ip classless (default)
ip route 192.168.1.0 255.255.255.0 10.10.10.2
!
Verifying Configuration
To verify that you have properly configured static routing, enter the show ip route command and look
for static routes signified by the “S.”
You should see a verification output similar to the following:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.108.1.0 is directly connected, Loopback0
S* 0.0.0.0/0 is directly connected, FastEthernet0
Configuring Dynamic Routes
In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or
topology. Changes in dynamic routes are shared with other routers in the network.
The Cisco routers can use IP routing protocols, such as Routing Information Protocol (RIP) or Enhanced
Interior Gateway Routing Protocol (EIGRP), to learn routes dynamically. You can configure either of
these routing protocols on your router.
•Configuring Routing Information Protocol
no auto-summary
        Purpose: Disables automatic summarization of subnet routes into network-level routes. This
        allows subprefix routing information to pass across classful network boundaries.
        Example:
        Router(config-router)# no auto-summary
        Router(config-router)#
end
        Purpose: Exits router configuration mode and enters privileged EXEC mode.
        Example:
        Router(config-router)# end
        Router#
For general information on RIP, see the “RIP” section on page B-2.
Example
The following configuration example shows RIP version 2 enabled in IP network 10.0.0.0 and
192.168.1.0.
To see this configuration, use the show running-config command from privileged EXEC mode.
!
Router# show running-config
router rip
version 2
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
Verifying Configuration
To verify that you have properly configured RIP, enter the show ip route command and look for RIP
routes signified by “R.” You should see a verification output like the following example:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.108.1.0 is directly connected, Loopback0
R 3.0.0.0/8 [120/1] via 2.2.2.1, 00:00:02, Ethernet0/0
To configure Enhanced Interior Gateway Routing Protocol (EIGRP), perform these steps, beginning in
global configuration mode:
SUMMARY STEPS
1. router eigrp as-number
2. network ip-address
3. end
DETAILED STEPS
Step 1  router eigrp as-number
        Purpose: Enters router configuration mode and enables EIGRP on the router. The
        autonomous-system number identifies the route to other EIGRP routers and is used to tag the
        EIGRP information.
        Example:
        Router(config)# router eigrp 109
        Router(config-router)#
Step 2  network ip-address
        Purpose: Specifies a list of networks on which EIGRP is to be applied, using the IP address of
        the network of
Step 3  end
        Purpose: Exits router configuration mode and enters privileged EXEC mode.
        Example:
        Router(config-router)# end
        Router#
For general information on EIGRP concepts, see the “Enhanced IGRP” section on page B-3.
Example
The following configuration example shows the EIGRP routing protocol enabled in IP networks
192.145.1.0 and 10.10.12.115. The EIGRP autonomous system number is 109.
To see this configuration, use the show running-config command, beginning in privileged EXEC mode.
!
router eigrp 109
network 192.145.1.0
network 10.10.12.115
!
Verifying Configuration
To verify that you have properly configured IP EIGRP, enter the show ip route command and look for
EIGRP routes indicated by “D.” You should see a verification output similar to the following:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.108.1.0 is directly connected, Loopback0
D 3.0.0.0/8 [90/409600] via 2.2.2.1, 00:00:02, Ethernet0/0
CHAPTER 6
Configuring Backup Data Lines and Remote Management
This chapter describes configuring backup data lines and remote management in the following sections:
•Configuring Dial Backup and Remote Management Through the Console Port
The Cisco 819 Integrated Services Router (ISR) supports backup data connectivity with a backup data
line that enables it to mitigate WAN downtime.
Cisco 819 ISRs also support remote management functions through the auxiliary port on any Cisco 819
series ISR.
Note: On the Cisco 819 ISRs, the console port and the auxiliary port are on the same physical RJ-45 port.
Therefore, the two ports cannot be activated simultaneously. You must use the command-line interface
(CLI) to enable the desired function.
Configuring Backup Interfaces
When the router receives an indication that the primary interface is down, the backup interface becomes
enabled. After the primary connection has been restored for a specified period, the backup interface is
disabled.
Even if the backup interface comes out of standby mode, the router does not enable the backup interface
unless the router receives the traffic specified for that backup interface.
Table 6-1 shows the backup interfaces available for each Cisco 819 ISR, along with their port
designations. Basic configurations for these interfaces are given in the “Configuring WAN Interfaces”
section on page 5-9.
Table 6-1 Model Number and Data Line Backup Capabilities
Router Model Number    3G
819                    Yes
To configure your router with a backup interface, perform these steps, beginning in global configuration
mode:
SUMMARY STEPS
DETAILED STEPS
Step 1
To monitor the primary connection and initiate the backup connection over the cellular interface when
needed, the router can use one of the following methods:
•Backup Interface—The backup interface that stays in standby mode until the primary interface line
protocol is detected as down and then is brought up. See the “Configuring Backup Interfaces”
section on page 6-1.
•Dialer Watch—Dialer watch is a backup feature that integrates dial backup with routing capabilities.
See the “Configuring DDR Backup Using Dialer Watch” section on page 6-3.
•Floating Static Route—The route through the backup interface has an administrative distance that
is greater than the administrative distance of the primary connection route and therefore would not
be in the routing table until the primary interface goes down. When the primary interface goes
down, the floating static route is used. See the “Configuring DDR Backup Using Floating Static
Route” section on page 6-5.
Note: You cannot configure a backup interface for the cellular interface and any other asynchronous serial
interface.
Configuring DDR Backup Using Dialer Watch
To initiate dialer watch, you must configure the interface to perform dial-on-demand routing (DDR) and
backup. Use traditional DDR configuration commands, such as dialer maps, for DDR capabilities. To
enable dialer watch on the backup interface and create a dialer list, use the following commands in
interface configuration mode.
Enters global configuration mode from the terminal.
Example:
Router# configure terminal
Step 2
ip route network-number network-mask {ip-address | interface} [administrative distance] [name name]
Establishes a floating static route with the configured administrative distance through the
specified interface.
A higher administrative distance should be configured for the route through the backup
interface, so that the backup interface is used only when the primary interface is down.
Example:
Router (config)# ip route 0.0.0.0 0.0.0.0 Dialer 2 track 234
Cellular Wireless Modem as Backup with NAT and IPsec Configuration
The following example shows how to configure the 3G wireless modem as backup with NAT and IPsec
on either GSM or CDMA networks.
Note: The receive and transmit speeds cannot be configured. The actual throughput depends on the cellular
network service.
Current configuration : 3433 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key gsm address 128.107.241.234
!
!
crypto ipsec transform-set gsm ah-sha-hmac esp-3des
!
crypto map gsm1 10 ipsec-isakmp
set peer 128.107.241.234
set transform-set gsm
match address 103
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.4.0.254
!
ip dhcp pool gsmpool
network 10.4.0.0 255.255.0.0
dns-server 66.209.10.201 66.102.163.231
default-router 10.4.0.254
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
chat-script gsm "" "atdt*98*1#" TIMEOUT 30 "CONNECT"
!
!
archive
log config
hidekeys
!
!
interface 0
no ip address
ip virtual-reassembly
load-interval 30
no ilmi-keepalive
!
interface 0.1 point-to-point
backup interface Cellular0
ip nat outside
ip virtual-reassembly
pvc 0/35
pppoe-client dial-pool-number 2
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer idle-timeout 0
dialer string gsm
dialer-group 1
async mode interactive
no ppp lcp fast-start
ppp chap hostname chunahayev@wwan.ccs
ppp chap password 0 B7uhestacr
ppp ipcp dns request
crypto map gsm1
!
interface Vlan1
description used as default gateway address for DHCP clients
ip address 10.4.0.254 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Dialer2
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap password 0 cisco
ppp ipcp dns request
crypto map gsm1
!
ip local policy route-map track-primary-if
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2 track 234
ip route 0.0.0.0 0.0.0.0 Cellular0 254
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nat2cell interface Cellular0 overload
!
ip sla 1
icmp-echo 209.131.36.158 source-interface Dialer2
timeout 1000
frequency 2
ip sla schedule 1 life forever start-time now
access-list 1 permit any
access-list 2 permit 10.4.0.0 0.0.255.255
access-list 3 permit any
access-list 101 permit ip 10.4.0.0 0.0.255.255 any
access-list 102 permit icmp any host 209.131.36.158
access-list 103 permit ip host 166.136.225.89 128.107.0.0 0.0.255.255
access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
!
route-map track-primary-if permit 10
match ip address 102
set interface Dialer2
!
route-map nat2cell permit 10
match ip address 101
match interface Cellular0
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 3
exec-timeout 0 0
script dialer gsm
login
modem InOut
no exec
line vty 0 4
login
!
scheduler max-task-time 5000
!
webvpn cef
end
Configuring Dial Backup and Remote Management Through the Console Port
When customer premises equipment, such as a Cisco 819 ISR, is connected to an ISP, an IP address is
dynamically assigned to the router or the IP address may be assigned by the router peer through the
centrally managed function. The dial backup feature can be added to provide a failover route in case the
primary line fails. The Cisco 819 ISRs can use the auxiliary port for dial backup and remote
management.
Figure 6-1 shows the network configuration used for remote management access and for providing
backup to the primary WAN line.
Figure 6-1 Dial Backup and Remote Management Through the Auxiliary Port
1  Cisco 819 router    A  Main WAN link; primary connection to Internet service provider
2  Modem               B  Dial backup; serves as a failover link for Cisco 819 routers when primary line goes down
3  PC                  C  Remote management; serves as dial-in access to allow changes or updates to Cisco IOS configurations
To configure dial backup and remote management for these routers, perform these steps, beginning in
global configuration mode:
SUMMARY STEPS
1. ip name-server server-address
2. ip dhcp pool name
3. exit
4. chat-script script-name expect-send
5. interface type number
6. exit
7. interface type number
8. dialer watch-group group-number
9. exit
10. ip nat inside source {list access-list-number}{interface type number | pool name} [overload]
11. ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
Creates a DHCP address pool on the router and
enters DHCP pool configuration mode. The name
argument can be a string or an integer.
•Configure the DHCP address pool. For
sample commands that you can use in DHCP
pool configuration mode, see the
“Example”
section on page 6-13.
Exits config-dhcp mode and enters global
configuration mode.
Configures a chat script used in dial-on-demand
routing (DDR) to give commands for dialing a
modem and for logging in to remote systems. The
defined script is used to place a call over a modem
connected to the PSTN.
Creates and enters configuration mode for the
asynchronous interface.
Configure the asynchronous interface. For sample
commands that you can use in asynchronous
interface configuration mode, see the
The following configuration example specifies an IP address for the interface through PPP and IPCP
address negotiation and dial backup over the console port:
!
ip name-server 192.168.28.12
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool 1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
! Need to use your own correct ISP phone number.
modemcap entry MY-USER_MODEM:MSC=&F1S0=1
chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT 5555102\T" TIMEOUT 45 CONNECT \c
!
!
!
!
interface vlan 1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
! Dial backup and remote management physical interface.
interface Async1
no ip address
encapsulation ppp
dialer in-band
dialer pool-member 3
async default routing
async dynamic routing
async mode dedicated
ppp authentication pap callin
!
interface ATM0
mtu 1492
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
! Primary WAN link.
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username account password 7 pass
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
!
! Dialer backup logical interface.
interface Dialer3
ip address negotiated
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 3
dialer idle-timeout 60
dialer string 5555102 modem-script Dialout
dialer watch-group 1
!
! Remote management PC IP address.
peer default ip address 192.168.2.2
no cdp enable
!
! Need to use your own ISP account and password.
ppp pap sent-username account password 7 pass
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
!
! IP NAT over Dialer interface using route-map.
ip nat inside source route-map main interface Dialer1 overload
ip nat inside source route-map secondary interface Dialer3 overload
ip classless
!
! When primary link is up again, distance 50 will override 80 if dial backup
! has not timed out. Use multiple routes because peer IP addresses are alternated
! among them when the CPE is connected.
ip route 0.0.0.0 0.0.0.0 64.161.31.254 50
ip route 0.0.0.0 0.0.0.0 66.125.91.254 50
ip route 0.0.0.0 0.0.0.0 64.174.91.254 50
ip route 0.0.0.0 0.0.0.0 63.203.35.136 80
ip route 0.0.0.0 0.0.0.0 63.203.35.137 80
ip route 0.0.0.0 0.0.0.0 63.203.35.138 80
ip route 0.0.0.0 0.0.0.0 63.203.35.139 80
ip route 0.0.0.0 0.0.0.0 63.203.35.140 80
ip route 0.0.0.0 0.0.0.0 63.203.35.141 80
ip route 0.0.0.0 0.0.0.0 Dialer1 150
no ip http server
ip pim bidir-enable
!
! PC IP address behind CPE.
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
!
! Watch multiple IP addresses because peers are alternated
! among them when the CPE is connected.
dialer watch-list 1 ip 64.161.31.254 255.255.255.255
dialer watch-list 1 ip 64.174.91.254 255.255.255.255
dialer watch-list 1 ip 64.125.91.254 255.255.255.255
!
! Dial backup will kick in if primary link is not available
! 5 minutes after CPE starts up.
dialer watch-list 1 delay route-check initial 300
dialer-list 1 protocol ip permit
!
! Direct traffic to an interface only if the dialer is assigned an IP address.
route-map main permit 10
match ip address 101
match interface Dialer1
!
route-map secondary permit 10
match ip address 103
match interface Dialer3
!
! Change console to aux function.
line con 0
exec-timeout 0 0
modem enable
stopbits 1
line aux 0
exec-timeout 0 0
! To enable and communicate with the external modem properly.
script dialer Dialout
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
exec-timeout 0 0
password cisco
login
!
scheduler max-task-time 5000
end
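A check for the settings that the two sample configurations in this chapter leave weak (cleartext and type 7 secrets, 3DES, PAP, and lines with no idle timeout), added here as an example and not part of Cisco's guide. The rule ids and the audit function are hypothetical names; the sample input is assembled from lines of the listings above.

```python
import re

# Excerpt assembled from lines of the two sample configurations in this
# chapter. Like those listings it is flattened: no indentation under sections.
SAMPLE_CONFIG = """\
no service password-encryption
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
interface Cellular0
encapsulation ppp
ppp chap password 0 B7uhestacr
!
interface Dialer1
ppp authentication pap callin
ppp pap sent-username account password 7 pass
!
! Change console to aux function.
line con 0
exec-timeout 0 0
modem enable
line aux 0
exec-timeout 0 0
transport input all
line vty 0 4
exec-timeout 0 0
password cisco
login
"""

# Commands that open a section. Context is tracked by keyword because a
# flattened listing has no indentation to rely on.
SECTION_START = re.compile(
    r"^(interface|line|crypto isakmp policy|ip dhcp pool|route-map)\b")

# (rule id, section prefix the rule is limited to or None, pattern, reason)
RULES = [
    ("PWD-ENC-OFF", None, r"^no service password-encryption$",
     "secrets in the configuration are not even obfuscated"),
    ("SECRET-CLEAR", None, r"\b(?:password|key) 0 \S+",
     "type 0 secret is stored in cleartext"),
    ("SECRET-TYPE7", None, r"\bpassword 7 \S+",
     "type 7 is reversible obfuscation, not a hash"),
    ("LINE-PWD", "line", r"^password (?!\d )\S+",
     "shared line password stored in cleartext"),
    ("NO-IDLE-TIMEOUT", "line", r"^exec-timeout 0 0$",
     "idle sessions on this line never time out"),
    ("TRANSPORT-ALL", "line", r"^transport input all$",
     "every inbound protocol, Telnet included, is accepted"),
    ("PPP-PAP", "interface", r"^ppp authentication\b.*\bpap\b",
     "PAP carries the password across the link unprotected"),
    ("3DES", None, r"^encr(?:yption)? 3des$|\besp-3des\b",
     "3DES is a legacy cipher; prefer AES where both peers support it"),
]
REASON = {rule_id: reason for rule_id, _, _, reason in RULES}

# Keeps the keyword and type digit, hides the secret itself in reports.
REDACT = re.compile(r"\b(password|key)((?: \d)?) \S+")


def audit(config_text):
    """Return a list of (line number, section, rule id, redacted line)."""
    findings = []
    section = "global"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()          # accepts indented and flattened listings
        if line == "!":
            section = "global"      # a bare "!" closes the current section
            continue
        if not line or line.startswith("!"):
            continue                # annotation comments keep the context
        if SECTION_START.match(line):
            section = line
            continue
        for rule_id, scope, pattern, _reason in RULES:
            if scope and not section.startswith(scope):
                continue
            if re.search(pattern, line):
                shown = REDACT.sub(r"\1\2 <redacted>", line)
                findings.append((lineno, section, rule_id, shown))
    return findings


if __name__ == "__main__":
    for lineno, section, rule_id, shown in audit(SAMPLE_CONFIG):
        print(f"{lineno:>3} [{section}] {rule_id}: {shown} ({REASON[rule_id]})")
```

Findings carry the section they were found in, and secrets are redacted so that the report can be shared without leaking them.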
CHAPTER 7
Environmental and Power Management
The Cisco 819 integrated services routers are equipped with sensors in the router body for monitoring
the environment temperature and logging the temperature every 30 seconds. There are four sensors
located on the four corners of the router chassis. There is an additional System Ambient sensor and a 3G
sensor.
The corner sensors display the following message:
•Error message on the console—When the temperature ranges are outside the set temperature
thresholds, the monitor displays an error message. Different temperature ranges are set for different
SKUs of the router:
–Cisco 819G (non-hardened): 0 to 60 degrees Celsius
–Cisco 819HG (hardened): –25 to 75 degrees Celsius
•SNMP Traps—syslog messages are created when the temperature is outside the specified range.
•Server “call home” feature—The server callhome feature is already enabled to call Cisco TAC in the
event of very high or low temperatures.
In addition to the corner sensors, the System Ambient and 3G sensors also log the temperature every 30
seconds onto bootflash memory.
Any time the temperature is above the high threshold, or lower than the low threshold, the temperature
information will be saved in non-volatile memory region and is also displayed as part of this output.
Use the show environment command to check the temperature of the router. You can also use this
command to display the power usage and the power consumption of the unit at the end.
The following is a sample output for the show environment command:
router# show environment
SYSTEM WATTAGE
===============
Board Power consumption is: 4.851 W
Power Supply Loss: 1.149 W
Total System Power consumption is: 6.000 W
REAL TIME CLOCK BATTERY STATUS
==============================
Battery OK (checked at power up)
TEMPERATURE STATUS
==================
Sensor                  Current                High/Low
Name                    Temperature   Status   Threshold
Sensor 1                36            Normal   60/0
Sensor 2                34            Normal   60/0
Sensor 3                40            Normal   60/0
Sensor 4                38            Normal   60/0
System Ambient Sensor   35            Normal   60/0
3G Modem Sensor         33            Normal   85/0
Environmental information last updated 00:00:26 ago
Note: If the modem temperature goes up to 85 degrees for non-hardened or 90 degrees for hardened version, a
warning message appears. The router automatically shuts down if the temperature goes higher than 108
degrees.
Cisco EnergyWise Support
The Cisco 819 ISRs have hardware and software features for reducing power consumption. The
hardware features include high-efficiency AC power supplies and electrical components with built-in
power saving features, such as RAM select and clock gating. For more information, see
The software features include Cisco EnergyWise, a power efficiency management feature that powers
down unused modules and disables unused clocks to the modules and peripherals on the router.
The Cisco 819 ISRs must be running Cisco IOS Release 15.0(1)M or later to support EnergyWise.
Detailed configuration procedures are included in Cisco EnergyWise Configuration Guide, EnergyWise
Phase 1 and Cisco EnergyWise Configuration Guide, EnergyWise Phase 2.
CHAPTER 8
Configuring the Serial Interface
This chapter describes configuring serial interface management in the following sections:
•Legacy Protocol Transport, page 8-2
•Configuring Serial Interfaces, page 8-2
•Information About Configuring Serial Interfaces, page 8-3
•How to Configure Serial Interfaces, page 8-6
•Configuration Examples, page 8-19
The Cisco 819 Integrated Services Router (ISR) supports synchronous (the default) and asynchronous
serial interface protocols.
Configuring the serial interface in the Cisco 819 ISR allows you to enable applications such as WAN
access, legacy protocol transport, console server, and dial access server. It also allows remote network
management, external dial-modem access, low-density WAN aggregation, legacy protocol transport, and
high port-density support.
Serial interfaces enable the following features:
•WAN access and aggregation
•Legacy protocol transport
•Dial access server
Serial interfaces can be used to provide WAN access for remote sites. With support for serial speeds up
to 8 Mbps, they are ideal for low- and medium-density WAN aggregation.
Figure 8-1 WAN Concentration
Legacy Protocol Transport
Serial and synchronous/asynchronous ports are ideally suited to transport legacy traffic across a TCP/IP
network, facilitating network convergence. Legacy protocols supported by Cisco IOS Software
include:
The Cisco 819 ISRs use Cisco Smart Serial connectors. The supported cables are noted in Table 8-1.
Table 8-1 Smart Serial Cabling for Cisco 819 ISRs
Product Number   Cable Type        Length       Connector Type
CAB-SS-V35MT     V.35 DTE          10 ft (3m)   Male
CAB-SS-V35FC     V.35 DCE          10 ft (3m)   Female
CAB-SS-232MT     EIA/TIA-232 DTE   10 ft (3m)   Male
CAB-SS-232FC     EIA/TIA-232 DTE   10 ft (3m)   Female
CAB-SS-449MT     EIA/TIA-449 DTE   10 ft (3m)   Male
CAB-SS-449FC     EIA/TIA-449 DTE   10 ft (3m)   Female
CAB-SS-X21MT     X.21 DTE          10 ft (3m)   Male
CAB-SS-X21FC     X.21 DTE          10 ft (3m)   Female
CAB-SS-530MT     EIA/TIA-530 DTE   10 ft (3m)   Male
CAB-SS-530AMT    EIA/TIA-232 DTE   10 ft (3m)   Male
Configuring Serial Interfaces
When the router receives an indication that the primary interface is down, the backup interface becomes
enabled. After the primary connection has been restored for a specified period, the backup interface is
disabled.
Even if the backup interface comes out of standby mode, the router does not enable the backup interface
unless the router receives the traffic specified for that backup interface.
Information About Configuring Serial Interfaces
To configure serial interfaces, you must understand the following concepts:
•Cisco HDLC Encapsulation, page 8-3
•PPP Encapsulation, page 8-3
•Keepalive Timer, page 8-4
•Frame Relay Encapsulation, page 8-5
Cisco HDLC Encapsulation
Cisco High-Level Data Link Control (HDLC) is the Cisco proprietary protocol for sending data over
synchronous serial links using HDLC. Cisco HDLC also provides a simple control protocol called Serial
Line Address Resolution Protocol (SLARP) to maintain serial link keepalives. Cisco HDLC is the
default for data encapsulation at Layer 2 (data link) of the Open System Interconnection (OSI) stack for
efficient packet delineation and error control.
Note: Cisco HDLC is the default encapsulation type for the serial interfaces.
When the encapsulation on a serial interface is changed from HDLC to any other encapsulation type, the
configured serial subinterfaces on the main interface inherit the newly changed encapsulation and they
do not get deleted.
Cisco HDLC uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on
page 8-4.
PPP Encapsulation
PPP is a standard protocol used to send data over synchronous serial links. PPP also provides a Link
Control Protocol (LCP) for negotiating properties of the link. LCP uses echo requests and responses to
monitor the continuing availability of the link.
Note: When an interface is configured with PPP encapsulation, a link is declared down and full LCP
negotiation is re-initiated after five echo request (ECHOREQ) packets are sent without receiving an echo
response (ECHOREP).
PPP provides the following Network Control Protocols (NCPs) for negotiating properties of data
protocols that will run on the link:
•IP Control Protocol (IPCP) to negotiate IP properties
•Multiprotocol Label Switching control processor (MPLSCP) to negotiate MPLS properties
•Cisco Discovery Protocol control processor (CDPCP) to negotiate CDP properties
•IPv6CP to negotiate IP Version 6 (IPv6) properties
•Open Systems Interconnection control processor (OSICP) to negotiate OSI properties
PPP uses keepalives to monitor the link state, as described in the “Keepalive Timer” section on page 8-4.
PPP supports the following authentication protocols, which require a remote device to prove its identity
before allowing data traffic to flow over a connection:
•Challenge Handshake Authentication Protocol (CHAP)—CHAP authentication sends a challenge
message to the remote device. The remote device encrypts the challenge value with a shared secret
and returns the encrypted value and its name to the local router in a response message. The local
router attempts to match the remote device’s name with an associated secret stored in the local
username or remote security server database; it uses the stored secret to encrypt the original
challenge and verify that the encrypted values match.
•Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)—MS-CHAP is the Microsoft
version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in
this case, authentication occurs between a personal computer using Microsoft Windows NT or
Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
•Password Authentication Protocol (PAP)—PAP authentication requires the remote device to send a
name and a password, which are checked against a matching entry in the local username database
or in the remote security server database.
Use the ppp authentication command in interface configuration mode to enable CHAP, MS-CHAP, and
PAP on a serial interface.
Note: Enabling or disabling PPP authentication does not affect the local router’s willingness to authenticate
itself to the remote device.
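The CHAP and PAP descriptions above, worked through as an added example (not code from this guide or from Cisco IOS). It follows the standard CHAP calculation from RFC 1994, where the response is an MD5 hash over the identifier, the shared secret and the challenge, and contrasts what each protocol puts on the link. The names Authenticator, Peer and branch-819 and the secret values are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The local router: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets   # name -> shared secret (the username database)
        self.pending = {}        # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)                    # fresh for every attempt
        self.pending[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        value = self.pending.pop(ident, None)     # a challenge is accepted once
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The remote device proving its identity."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def chap_reply(self, ident, challenge):
        # Only the name and the hash travel back, never the secret.
        return ident, self.name, chap_response(ident, self.secret, challenge)

    def pap_request(self):
        # PAP puts the name and the password themselves on the link.
        return self.name, self.secret


def run_exchange():
    secret = b"constructed-shared-secret"         # constructed sample value
    router = Authenticator({"branch-819": secret})
    peer = Peer("branch-819", secret)
    impostor = Peer("branch-819", b"wrong-guess")

    ident, value = router.challenge()
    reply = peer.chap_reply(ident, value)
    on_wire_chap = value + reply[1].encode() + reply[2]
    pap_name, pap_password = peer.pap_request()
    on_wire_pap = pap_name.encode() + pap_password

    results = {
        "accepted": router.verify(*reply),
        # The same response sent again matches no outstanding challenge.
        "replay_rejected": not router.verify(*reply),
        "secret_on_wire_chap": secret in on_wire_chap,
        "secret_on_wire_pap": secret in on_wire_pap,
    }
    ident2, value2 = router.challenge()
    bad_reply = impostor.chap_reply(ident2, value2)
    results["impostor_rejected"] = not router.verify(*bad_reply)
    return results


if __name__ == "__main__":
    for check, outcome in run_exchange().items():
        print(f"{check}: {outcome}")
```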
Multilink PPP
Multilink Point-to-Point Protocol (MLPPP) is supported on the Cisco 819 ISR serial interface. MLPPP
provides a method for combining multiple physical links into one logical link. The implementation of
MLPPP combines multiple PPP serial interfaces into one multilink interface. MLPPP performs the
fragmenting, reassembling, and sequencing of datagrams across multiple PPP links.
MLPPP provides the same features that are supported on PPP Serial interfaces with the exception of
QoS. It also provides the following additional features:
•Fragment sizes of 128, 256, and 512 bytes
•Long sequence numbers (24-bit)
•Lost fragment detection timeout period of 80 ms
•Minimum-active-links configuration option
•LCP echo request/reply support over multilink interface
•Full T1 and E1 framed and unframed links
Keepalive Timer
Cisco keepalives are useful for monitoring the link state. Periodic keepalives are sent to and received
from the peer at a frequency determined by the value of the keepalive timer. If an acceptable keepalive
response is not received from the peer, the link makes the transition to the down state. As soon as an
acceptable keepalive response is obtained from the peer or if keepalives are disabled, the link makes the
transition to the up state.
Note: The keepalive command applies to serial interfaces using HDLC or PPP encapsulation. It does not apply
to serial interfaces using Frame Relay encapsulation.
For each encapsulation type, a certain number of keepalives ignored by a peer triggers the serial interface
to transition to the down state. For HDLC encapsulation, three ignored keepalives cause the interface
to be brought down. For PPP encapsulation, five ignored keepalives cause the interface to be brought
down. ECHOREQ packets are sent out only when LCP negotiation is complete (for example, when LCP
is open).
Use the keepalive command in interface configuration mode to set the frequency at which LCP sends
ECHOREQ packets to its peer. To restore the system to the default keepalive interval of 10 seconds, use
the keepalive command with the no keyword. To disable keepalives, use the keepalive disable
command. For both PPP and Cisco HDLC, a keepalive of 0 disables keepalives and is reported in the
show running-config command output as keepalive disable.
When LCP is running on the peer and receives an ECHOREQ packet, it responds with an ECHOREP
packet, regardless of whether keepalives are enabled on the peer.
Keepalives are independent between the two peers. One peer end can have keepalives enabled; the other
end can have them disabled. Even if keepalives are disabled locally, LCP still responds with ECHOREP
packets to the ECHOREQ packets it receives. Similarly, LCP also works if the period of keepalives at
each end is different.
Frame Relay Encapsulation
When Frame Relay encapsulation is enabled on a serial interface, the interface configuration is
hierarchical and comprises the following elements:
•The serial main interface comprises the physical interface and port. If you are not using the serial
interface to support Cisco HDLC and PPP encapsulated connections, then you must configure
subinterfaces with permanent virtual circuits (PVCs) under the serial main interface. Frame Relay
connections are supported on PVCs only.
•Serial subinterfaces are configured under the serial main interface. A serial subinterface does not
actively carry traffic until you configure a PVC under the serial subinterface. Layer 3 configuration
typically takes place on the subinterface.
•When the encapsulation on a serial interface is changed from HDLC to any other encapsulation type,
the configured serial subinterfaces on the main interface inherit the newly changed encapsulation
and they do not get deleted.
•Point-to-point PVCs are configured under a serial subinterface. You cannot configure a PVC directly
under a main interface. A single point-to-point PVC is allowed per subinterface. PVCs use a
predefined circuit path and fail if the path is interrupted. PVCs remain active until the circuit is
removed from either configuration. Connections on the serial PVC support Frame Relay
encapsulation only.
Note: The administrative state of a parent interface drives the state of the subinterface and its PVC. When the
administrative state of a parent interface or subinterface changes, so does the administrative state of any
child PVC configured under that parent interface or subinterface.
To configure Frame Relay encapsulation on serial interfaces, use the encapsulation (Frame Relay
VC-bundle) command.
Frame Relay interfaces support two types of encapsulated frames:
•Cisco (default)
•IETF
Use the encap command in PVC configuration mode to configure Cisco or IETF encapsulation on a
PVC. If the encapsulation type is not configured explicitly for a PVC, then that PVC inherits the
encapsulation type from the main serial interface.
Note: Cisco encapsulation is required on serial main interfaces that are configured for MPLS. IETF
encapsulation is not supported for MPLS.
Before you configure Frame Relay encapsulation on an interface, you must verify that all prior
Layer 3 configuration is removed from that interface. For example, you must ensure that there is no IP
address configured directly under the main interface; otherwise, any Frame Relay configuration done
under the main interface will not be viable.
LMI on Frame Relay Interfaces
The Local Management Interface (LMI) protocol monitors the addition, deletion, and status of PVCs.
LMI also verifies the integrity of the link that forms a Frame Relay UNI interface. By default, cisco LMI
is enabled on all PVCs.
If the LMI type is cisco (the default LMI type), the maximum number of PVCs that can be supported
under a single interface is related to the MTU size of the main interface. Use the following formula to
calculate the maximum number of PVCs supported on a card or SPA:
(MTU - 13)/8 = maximum number of PVCs
Note: The default setting of the mtu command for a serial interface is 1504 bytes. Therefore, the default
number of PVCs supported on a serial interface configured with cisco LMI is 186.
How to Configure Serial Interfaces
This section contains the following tasks:
•Configuring a Synchronous Serial Interface, page 8-6
•Configuring Low-Speed Serial Interfaces, page 8-14
Configuring a Synchronous Serial Interface
Synchronous serial interfaces are supported on various serial network interface cards or systems. This
interface supports full-duplex operation at T1 (1.544 Mbps) and E1 (2.048 Mbps) speeds.
To configure a synchronous serial interface, perform the tasks in the following sections. Each task in the
list is identified as either required or optional.
•Specifying a Synchronous Serial Interface, page 8-7 (Required)
•Specifying Synchronous Serial Encapsulation, page 8-7 (Optional)
•Configuring PPP, page 8-8 (Optional)
•Configuring Half-Duplex and Bisync for Synchronous Serial Port Adapters on Cisco 819 ISRs,
page 8-8 (Optional)
•Configuring Compression of HDLC Data, page 8-9 (Optional)
•Using the NRZI Line-Coding Format, page 8-9 (Optional)
•Enabling the Internal Clock, page 8-10 (Optional)
•Inverting the Transmit Clock Signal, page 8-10 (Optional)
•Setting Transmit Delay, page 8-11 (Optional)
•Configuring DTR Signal Pulsing, page 8-11 (Optional)
•Ignoring DCD and Monitoring DSR as Line Up/Down Indicator, page 8-11 (Optional)
•Specifying the Serial Network Interface Module Timing, page 8-12 (Optional)
See the “Configuration Examples” section on page 8-19 for examples of configuration tasks described
in this chapter.
Specifying a Synchronous Serial Interface
To specify a synchronous serial interface and enter interface configuration mode, use one of the
following commands in global configuration mode.
Command                              Purpose
Router(config)# interface serial 0   Enters interface configuration mode.
Specifying Synchronous Serial Encapsulation
By default, synchronous serial lines use the High-Level Data Link Control (HDLC) serial encapsulation
method, which provides the synchronous framing and error detection functions of HDLC without
windowing or retransmission. The synchronous serial interfaces support the following serial
encapsulation methods:
•HDLC
•Frame Relay
•PPP
•Synchronous Data Link Control (SDLC)
•SMDS
•Cisco Serial Tunnel (STUN)
•Cisco Bisync Serial Tunnel (BSTUN)
•X.25-based encapsulations
To define the encapsulation method, use the following command in interface configuration mode.
Configures synchronous serial encapsulation.
Note: You cannot use the physical-layer async command for frame-relay encapsulation.
Encapsulation methods are set according to the type of protocol or application you configure in the
Cisco IOS software.
•PPP is described in Configuring Media-Independent PPP and Multilink PPP.
•The remaining encapsulation methods are defined in their respective books and chapters describing
the protocols or applications. Serial encapsulation methods are also discussed in the Cisco IOS
Interface and Hardware Component Command Reference, under the encapsulation command.
By default, synchronous interfaces operate in full-duplex mode. To configure an SDLC interface for
half-duplex mode, use the following command in interface configuration mode.
Command                          Purpose
Router(config-if)# half-duplex   Configures an SDLC interface for half-duplex mode.
Binary synchronous communication (Bisync) is a half-duplex protocol. Each block of transmission is
acknowledged explicitly. To avoid the problem associated with simultaneous transmission, there is an
implicit role of primary and secondary stations. The primary sends the last block again if there is no
response from the secondary within the period of block receive timeout.
To configure the serial interface for full-duplex mode, use the following command in interface
configuration mode.
CommandPurpose
Router(config-if)# full-duplex
Specifies that the interface can run Bisync using switched RTS
signals.
Configuring PPP
To configure PPP, see Configuring Media-Independent PPP and Multilink PPP.
Configuring Half-Duplex and Bisync for Synchronous Serial Port Adapters on Cisco 819 ISRs
The synchronous serial port adapters on Cisco 819 ISRs support half-duplex and Bisync. Bisync is a
character-oriented data-link layer protocol for half-duplex applications. In half-duplex mode, data is sent
one direction at a time. Direction is controlled by handshaking the Request to Send (RTS) and Clear to
Send (CTS) control lines. These are described in the “Configuring Bisync” section on page 8-8.
Configuring Bisync
To configure the Bisync feature on the synchronous serial port adapters on Cisco 819 ISRs, refer to the
Block Serial Tunneling (BSTUN) Overview. All commands listed in this section apply to the synchronous
serial port adapters on Cisco 891 ISRs. Any command syntax that specifies an interface number supports
the Cisco 891 ISRs slot/port syntax.
Configuring Compression of HDLC Data
You can configure point-to-point software compression on serial interfaces that use HDLC
encapsulation. Compression reduces the size of an HDLC frame via lossless data compression. The
compression algorithm used is a Stacker (LZS) algorithm.
Compression is performed in software and might significantly affect system performance. We
recommend that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use
the show process cpu EXEC command.
If the majority of your traffic is already compressed files, you should not use compression.
To configure compression over HDLC, use the following commands in interface configuration mode.
SUMMARY STEPS
1. encapsulation hdlc
2. compress stac
DETAILED STEPS
Step 1  encapsulation hdlc
        Purpose: Enables encapsulation of a single protocol on the serial line.
        Example:
        Router(config-if)# encapsulation hdlc
Step 2  compress stac
        Purpose: Enables compression.
        Example:
        Router(config-if)# compress stac
Using the NRZI Line-Coding Format
The nonreturn-to-zero (NRZ) and nonreturn-to-zero inverted (NRZI) formats are supported on the
Cisco 819 serial ports.
NRZ and NRZI are line-coding formats that are required for serial connections in some environments.
NRZ encoding is most common. NRZI encoding is used primarily with EIA/TIA-232 connections in
IBM environments.
The default configuration for all serial interfaces is NRZ format. The default is no nrzi-encoding.
To enable NRZI format, use one of the following commands in interface configuration mode.
SUMMARY STEPS
1. nrzi-encoding
DETAILED STEPS
Step 1  nrzi-encoding
        Purpose: Enables NRZI encoding format.
        Example:
        Router(config-if)# nrzi-encoding
        or
        Router(config-if)# nrzi-encoding [mark]
        Purpose: Enables NRZI encoding format for router.
Enabling the Internal Clock
When a DTE does not return a transmit clock, use the following interface configuration command on the
router to enable the internally generated clock on a serial interface:
SUMMARY STEPS
1. transmit-clock-internal
DETAILED STEPS
Step 1  transmit-clock-internal
        Purpose: Enables the internally generated clock on a serial interface.
        Example:
        Router(config-if)# transmit-clock-internal
Inverting the Transmit Clock Signal
Systems that use long cables or cables that are not transmitting the TxC signal (transmit echoed clock
line, also known as TXCE or SCTE clock) can experience high error rates when operating at the higher
transmission speeds. For example, if the interface on the PA-8T and PA-4T+ synchronous serial port
adapters is reporting a high number of error packets, a phase shift might be the problem. Inverting the
clock signal can correct this shift. To invert the clock signal, use the following commands in interface
configuration mode.
SUMMARY STEPS
1. invert txclock
2. invert rxclock
DETAILED STEPS
Step 1  invert txclock
        Purpose: Inverts the clock signal on an interface.
        Example:
        Router(config-if)# invert txclock
Step 2  invert rxclock
        Purpose: Inverts the phase of the RX clock on the UIO serial interface, which does not use the
        T1/E1 interface.
        Example:
        Router(config-if)# invert rxclock
Setting Transmit Delay
It is possible to send back-to-back data packets over serial interfaces faster than some hosts can receive
them. You can specify a minimum dead time after transmitting a packet to remove this condition. This
setting is available for serial interfaces on the MCI and SCI interface cards and for the HSSI or MIP. Use
one of the following commands, as appropriate for your system, in interface configuration mode.
Command: Router(config-if)# transmitter-delay microseconds
Purpose: Sets the transmit delay on the MCI and SCI synchronous serial interfaces.
Command: Router(config-if)# transmitter-delay hdlc-flags
Purpose: Sets the transmit delay on the HSSI or MIP.
Configuring DTR Signal Pulsing
You can configure pulsing Data Terminal Ready (DTR) signals on all serial interfaces. When the serial
line protocol goes down (for example, because of loss of synchronization), the interface hardware is reset
and the DTR signal is held inactive for at least the specified interval. This function is useful for handling
encrypting or other similar devices that use the toggling of the DTR signal to reset synchronization. To
configure DTR signal pulsing, use the following command in interface configuration mode.
Command: Router(config-if)# pulse-time seconds
Purpose: Configures DTR signal pulsing.
Ignoring DCD and Monitoring DSR as Line Up/Down Indicator
By default, when the serial interface is operating in DTE mode, it monitors the Data Carrier Detect
(DCD) signal as the line up/down indicator. By default, the attached DCE device sends the DCD signal.
When the DTE interface detects the DCD signal, it changes the state of the interface to up.
In some configurations, such as an SDLC multidrop environment, the DCE device sends the Data Set
Ready (DSR) signal instead of the DCD signal, which prevents the interface from coming up. To tell the
interface to monitor the DSR signal instead of the DCD signal as the line up/down indicator, use the
following command in interface configuration mode.
SUMMARY STEPS
1. ignore-dcd
DETAILED STEPS
Step 1  ignore-dcd
        Purpose: Configures the serial interface to monitor the DSR signal as the line up/down indicator.
        Example:
        Router(config-if)# ignore-dcd
Caution: Unless you know for certain that you really need this feature, be very careful using this command. It will
hide the real status of the interface. The interface could actually be down and you will not know just by
looking at show displays.
Specifying the Serial Network Interface Module Timing
On Cisco 819 ISRs, you can specify the serial Network Interface Module timing signal configuration.
When the board is operating as a DCE and the DTE provides terminal timing (SCTE or TT), you can
configure the DCE to use SCTE from the DTE. When running the line at high speeds and long distances,
this strategy prevents phase shifting of the data with respect to the clock.
To configure the DCE to use SCTE from the DTE, use the following command in interface configuration
mode.
SUMMARY STEPS
1. dce-terminal-timing enable
DETAILED STEPS
Step 1  dce-terminal-timing enable
        Purpose: Configures the DCE to use SCTE from the DTE.
        Example:
        Router(config-if)# dce-terminal-timing enable
When the board is operating as a DTE, you can invert the TXC clock signal it gets from the DCE that
the DTE uses to transmit data. Invert the clock signal if the DCE cannot receive SCTE from the DTE,
the data is running at high speeds, and the transmission line is long. Again, this prevents phase shifting
of the data with respect to the clock.
To configure the interface so that the router inverts the TXC clock signal, use the following command in
interface configuration mode.
SUMMARY STEPS
1. dte-invert-txc
DETAILED STEPS
Step 1  dte-invert-txc
        Purpose: Specifies timing configuration to invert TXC clock signal.
        Example:
        Router(config-if)# dte-invert-txc
Configuring Low-Speed Serial Interfaces
This section describes how to configure low-speed serial interfaces and contains the following sections:
•Understanding Half-Duplex DTE and DCE State Machines, page 8-14
•Changing Between Synchronous and Asynchronous Modes, page 8-18
For configuration examples, see the “Low-Speed Serial Interface: Examples” section on page 8-20.
Understanding Half-Duplex DTE and DCE State Machines
The following sections describe the communication between half-duplex DTE transmit and receive state
machines and half-duplex DCE transmit and receive state machines.
Half-Duplex DTE State Machines
As shown in Figure 3, the half-duplex DTE transmit state machine for low-speed interfaces remains in
the ready state when it is quiescent. When a frame is available for transmission, the state machine enters
the transmit delay state and waits for a time period, which is defined by the half-duplex timer transmit-delay command. The default is 0 milliseconds. Transmission delays are used for debugging
half-duplex links and assisting lower-speed receivers that cannot process back-to-back frames.
Figure 3: Half-Duplex DTE Transmit State Machine
After idling for a defined number of milliseconds (ms), the state machine asserts a request to send (RTS)
signal and changes to the wait-clear-to-send (CTS) state for the DCE to assert CTS. A timeout timer with
a value set by the half-duplex timer rts-timeout command starts. The default is 3 ms. If the timeout
timer expires before CTS is asserted, the state machine returns to the ready state and deasserts RTS. If
CTS is asserted before the timer expires, the state machine enters the transmit state and sends the frames.
Once there are no more frames to transmit, the state machine transitions to the wait transmit finish state.
The machine waits for the transmit FIFO in the serial controller to empty, starts a delay timer with a value
defined by the half-duplex timer rts-drop-delay interface command, and transitions to the wait RTS
drop delay state.
When the timer in the wait RTS drop delay state expires, the state machine deasserts RTS and transitions
to the wait CTS drop state. A timeout timer with a value set by the half-duplex timer cts-drop-timeout
interface command starts, and the state machine waits for the CTS to deassert. The default is 250 ms.
Once the CTS signal is deasserted or the timeout timer expires, the state machine transitions back to the
ready state. If the timer expires before CTS is deasserted, an error counter is incremented, which can be
displayed by issuing the show controllers command for the serial interface in question.
As shown in Figure 4, a half-duplex DTE receive state machine for low-speed interfaces idles and
receives frames in the ready state. A giant frame is any frame whose size exceeds the maximum
transmission unit (MTU). If the beginning of a giant frame is received, the state machine transitions to
the in giant state and discards frame fragments until it receives the end of the giant frame. At this point,
the state machine transitions back to the ready state and waits for the next frame to arrive.
Figure 4: Half-Duplex DTE Receive State Machine
An error counter is incremented upon receipt of the giant frames. To view the error counter, use the
show interfaces command for the serial interface in question.
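The DTE transmit state machine described above can be traced with a small model. The following Python sketch is an added example, not code from this guide or from Cisco; the Dce timing model, frame_ms, fifo_drain_ms, and the rts_drop_delay value of 3 ms are constructed assumptions (the guide states defaults only for transmit-delay, rts-timeout, and cts-drop-timeout), and CTS arriving exactly at timer expiry is treated as a timeout.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Timers:
    """half-duplex timer values, in milliseconds."""
    transmit_delay: int = 0       # default stated in the guide
    rts_timeout: int = 3          # default stated in the guide
    rts_drop_delay: int = 3       # constructed value; the guide states no default
    cts_drop_timeout: int = 250   # default stated in the guide


@dataclass
class Dce:
    """Constructed model of how the attached DCE drives CTS."""
    cts_assert_after: Optional[int]  # ms from RTS assert to CTS assert; None = never
    cts_drop_after: Optional[int]    # ms from RTS deassert to CTS deassert; None = never


@dataclass
class Result:
    trace: List[Tuple[int, str]] = field(default_factory=list)  # (time ms, state entered)
    frames_sent: int = 0
    rts_timeouts: int = 0
    cts_drop_errors: int = 0


def simulate_dte_transmit(timers, dce, frames=1, frame_ms=10, fifo_drain_ms=1):
    """Walk the DTE transmit states for one burst of queued frames."""
    res = Result()
    t, state, pending = 0, "ready", frames
    res.trace.append((t, state))
    while True:
        if state == "ready":
            if pending == 0:
                return res
            nxt = "transmit-delay"
        elif state == "transmit-delay":
            t += timers.transmit_delay
            nxt = "wait-cts"                      # RTS is asserted on this transition
        elif state == "wait-cts":
            d = dce.cts_assert_after
            if d is not None and d < timers.rts_timeout:
                t += d
                nxt = "transmit"
            else:
                t += timers.rts_timeout           # timer expired: RTS is deasserted
                res.rts_timeouts += 1
                pending = 0                       # the model stops after one failed attempt
                nxt = "ready"
        elif state == "transmit":
            t += pending * frame_ms
            res.frames_sent += pending
            pending = 0
            nxt = "wait-transmit-finish"
        elif state == "wait-transmit-finish":
            t += fifo_drain_ms                    # transmit FIFO empties
            nxt = "wait-rts-drop-delay"
        elif state == "wait-rts-drop-delay":
            t += timers.rts_drop_delay
            nxt = "wait-cts-drop"                 # RTS is deasserted on this transition
        else:  # wait-cts-drop
            d = dce.cts_drop_after
            if d is not None and d < timers.cts_drop_timeout:
                t += d
            else:
                t += timers.cts_drop_timeout
                res.cts_drop_errors += 1          # the counter reported by show controllers
            nxt = "ready"
        state = nxt
        res.trace.append((t, state))


if __name__ == "__main__":
    slow_dce = Dce(cts_assert_after=5, cts_drop_after=2)
    for timers in (Timers(), Timers(rts_timeout=10)):
        r = simulate_dte_transmit(timers, slow_dce)
        print(timers.rts_timeout, r.frames_sent, r.rts_timeouts, r.trace)
```

With the default 3 ms rts-timeout, a DCE that needs 5 ms to raise CTS never lets the frame out; raising rts-timeout above the DCE's response time is the kind of adjustment the half-duplex timer command exists for.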
Half-Duplex DCE State Machines
As shown in Figure 5, for a low-speed serial interface in DCE mode, the half-duplex DCE transmit state
machine idles in the ready state when it is quiescent. When a frame is available for transmission on the
serial interface, such as when the output queues are no longer empty, the state machine starts a timer
(based on the value of the half-duplex timer transmit-delay command, in milliseconds) and transitions
to the transmit delay state. Similar to the DTE transmit state machine, the transmit delay state gives you
the option of setting a delay between the transmission of frames; for example, this feature lets you
compensate for a slow receiver that loses data when multiple frames are received in quick succession.
The default transmit-delay value is 0 ms; use the half-duplex timer transmit-delay interface
configuration command to specify a delay value not equal to 0.
Figure 5: Half-Duplex DCE Transmit State Machine
After the transmit delay state, the next state depends on whether the interface is in constant-carrier mode
(the default) or controlled-carrier mode.
If the interface is in constant-carrier mode, it passes through the following states:
1. The state machine passes to the transmit state when the transmit-delay timer expires. The state
machine stays in the transmit state until there are no more frames to transmit.
2. When there are no more frames to transmit, the state machine passes to the wait transmit finish state,
where it waits for the transmit FIFO to empty.
3. Once the FIFO empties, the DCE passes back to the ready state and waits for the next frame to
appear in the output queue.
If the interface is in controlled-carrier mode, the interface performs a handshake using the data carrier
detect (DCD) signal. In this mode, DCD is deasserted when the interface is idle and has nothing to
transmit. The transmit state machine transitions through the states as follows:
1. After the transmit-delay timer expires, the DCE asserts DCD and transitions to the DCD-txstart
delay state to ensure a time delay between the assertion of DCD and the start of transmission. A
timer is started based on the value specified using the dcd-txstart-delay command. (This timer has
a default value of 100 ms; use the half-duplex timer dcd-txstart-delay interface configuration
command to specify a delay value.)
2. When this delay timer expires, the state machine transitions to the transmit state and transmits
frames until there are no more frames to transmit.
3. After the DCE transmits the last frame, it transitions to the wait transmit finish state, where it waits
for the transmit FIFO to empty and the last frame to transmit to the wire. The DCE then starts a delay
timer whose value is specified using the dcd-drop-delay command. (This timer has the default value of
100 ms; use the half-duplex timer dcd-drop-delay interface configuration command to specify a
delay value.)
4. The DCE transitions to the wait DCD drop delay state. This state causes a time delay between the
transmission of the last frame and the deassertion of DCD in the controlled-carrier mode for DCE
transmits.
5. When the timer expires, the DCE deasserts DCD and transitions back to the ready state and stays
there until there is a frame to transmit on that interface.
As shown in Figure 6, the half-duplex DCE receive state machine idles in the ready state when it is
quiescent. It transitions out of this state when the DTE asserts RTS. In response, the DCE starts a timer
based on the value specified using the cts-delay command. This timer delays the assertion of CTS
because some DTE interfaces expect this delay. (The default value of this timer is 0 ms; use the
half-duplex timer cts-delay interface configuration command to specify a delay value.)
Figure 6: Half-Duplex DCE Receive State Machine
When the timer expires, the DCE state machine asserts CTS and transitions to the receive state. It stays
in the receive state until there is a frame to receive. If the beginning of a giant frame is received, it
transitions to the in giant state and keeps discarding all the fragments of the giant frame and transitions
back to the receive state.
Transitions back to the ready state occur when RTS is deasserted by the DTE. The response of the DCE
to the deassertion of RTS is to deassert CTS and go back to the ready state.
Placing a Low-Speed Serial Interface in Constant-Carrier Mode
To return a low-speed serial interface to constant-carrier mode from controlled-carrier mode, use the
following command in interface configuration mode.
SUMMARY STEPS
1. no half-duplex controlled-carrier
DETAILED STEPS
Step 1  no half-duplex controlled-carrier
        Purpose: Places a low-speed serial interface in constant-carrier mode.
        Example:
        Router(config-if)# no half-duplex controlled-carrier
Tuning Half-Duplex Timers
To optimize the performance of half-duplex timers, use the following command in interface
configuration mode.
Command: Router(config-if)# half-duplex timer {cts-delay value | cts-drop-timeout value |
         dcd-drop-delay value | dcd-txstart-delay value | rts-drop-delay value | rts-timeout value |
         transmit-delay value}
Purpose: Tunes half-duplex timers.
The timer tuning commands permit you to adjust the timing of the half-duplex state machines to suit the
particular needs of your half-duplex installation.
Note that the half-duplex timer command and its options replace the following two timer tuning
commands that are available only on high-speed serial interfaces:
•sdlc cts-delay
•sdlc rts-timeout
Changing Between Synchronous and Asynchronous Modes
To specify the mode of a low-speed serial interface as either synchronous or asynchronous, use the
following command in interface configuration mode.
SUMMARY STEPS
1. physical-layer {sync | async}
DETAILED STEPS
Step 1  physical-layer {sync | async}
        Purpose: Specifies the mode of a low-speed interface as either synchronous or asynchronous.
        Example:
        Router(config-if)# physical-layer sync
This command applies only to low-speed serial interfaces available on Cisco 2520 through Cisco 2523
routers.
Note: When you make a transition from asynchronous mode to synchronous mode in serial interfaces, the
interface state becomes down by default. You should then use the no shutdown option to bring the
interface up.
In synchronous mode, low-speed serial interfaces support all interface configuration commands
available for high-speed serial interfaces, except the following two commands:
•sdlc cts-delay
•sdlc rts-timeout
When placed in asynchronous mode, low-speed serial interfaces support all commands available for
standard asynchronous interfaces. The default is synchronous mode.
Note: When you use this command, it does not appear in the output of the show running-config and show
startup-config commands because the command is a physical-layer command.
To return to the default mode (synchronous) of a low-speed serial interface on a Cisco 2520 through
Cisco 2523 router, use the following command in interface configuration mode.
SUMMARY STEPS
1. no physical-layer
DETAILED STEPS
Step 1  no physical-layer
        Purpose: Returns the interface to its default mode, which is synchronous.
        Example:
        Router(config-if)# no physical-layer
Configuration Examples
Interface Enablement Configuration: Examples
The following example illustrates how to begin interface configuration on a serial interface. It assigns
PPP encapsulation to serial interface 0.
interface serial 0
encapsulation ppp
The same example on the router, assigning PPP encapsulation to port 0 in slot 1, requires the following
commands:
interface serial 1/0
encapsulation ppp
The following example shows how to configure the access server so that it will use the default address
pool on all interfaces except interface 7, on which it will use an address pool called lass:
ip address-pool local
ip local-pool lass 172.30.0.1
async interface
interface 7
peer default ip address lass
Low-Speed Serial Interface: Examples
The section includes the following configuration examples for low-speed serial interfaces:
•Synchronous or Asynchronous Mode: Examples, page 8-20
•Half-Duplex Timers: Example, page 8-20
Synchronous or Asynchronous Mode: Examples
The following example shows how to change a low-speed serial interface from synchronous to
asynchronous mode:
interface serial 2
physical-layer async
The following examples show how to change a low-speed serial interface from asynchronous mode back
to its default synchronous mode:
interface serial 2
physical-layer sync
or
interface serial 2
no physical-layer
The following example shows some typical asynchronous interface configuration commands:
interface serial 2
physical-layer async
ip address 10.0.0.2 255.0.0.0
async default ip address 10.0.0.1
async mode dedicated
async default routing
The following example shows some typical synchronous serial interface configuration commands
available when the interface is in synchronous mode:
interface serial 2
physical-layer sync
ip address 10.0.0.2 255.0.0.0
no keepalive
ignore-dcd
nrzi-encoding
no shutdown
Half-Duplex Timers: Example
The following example shows how to set the cts-delay timer to 1234 ms and the transmit-delay timer to
50
Chapter 9 Configuring Security Features
This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the
primary Cisco framework for implementing selected security features that can be configured on the
Cisco 819 Integrated Services Routers (ISRs).
This chapter contains the following sections:
•Authentication, Authorization, and Accounting, page 9-1
•Configuring AutoSecure, page 9-2
•Configuring Access Lists, page 9-2
•Configuring Cisco IOS Firewall, page 9-3
•Configuring Cisco IOS IPS, page 9-4
•URL Filtering, page 9-4
•Configuring VPN, page 9-4
Authentication, Authorization, and Accounting
AAA network security services provide the primary framework through which you set up access control
on your router. Authentication provides the method of identifying users, including login and password
dialog, challenge and response, messaging support, and, depending on the security protocol you choose,
encryption. Authorization provides the method for remote access control, including one-time
authorization or authorization for each service, per-user account list and profile, user group support, and
support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.
Accounting provides the method for collecting and sending security server information used for billing,
auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP),
number of packets, and number of bytes.
AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If
your router is acting as a network access server, AAA is the means through which you establish
communication between your network access server and your RADIUS, TACACS+, or Kerberos security
server.
For information about configuring AAA services and supported security protocols, see Securing User
Configuring AutoSecure
The AutoSecure feature disables common IP services that can be exploited for network attacks and
enables IP services and features that can aid in the defense of a network when under attack. These IP
services are all disabled and enabled simultaneously with a single command, greatly simplifying security
configuration on your router. For a complete description of the AutoSecure feature, see the
feature document.
Configuring Access Lists
Access lists permit or deny network traffic over an interface based on source IP address, destination IP
address, or protocol. Access lists are configured as standard or extended. A standard access list either
permits or denies passage of packets from a designated source. An extended access list allows
designation of both the destination and the source, and it allows designation of individual protocols to
be permitted or denied passage.
For more complete information on creating access lists, see Security Configuration Guide: Access
Control Lists, Cisco IOS Release 12.4T.
An access list is a series of commands with a common tag to bind them together. The tag is either a
number or a name.
Table 9-1 lists the commands used to configure access lists.
To create, refine, and manage access lists, see Security Configuration Guide: Access Control Lists, Cisco
IOS Release 12.4T.
Access Groups
An access group is a sequence of access list definitions bound together with a common name or number.
An access group is enabled for an interface during interface configuration. Use the following guidelines
when creating access groups.
•The order of access list definitions is significant. A packet is compared against the first access list
in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is
compared with the next access list and so on.
•All parameters must match the access list before the packet is permitted or denied.
•There is an implicit “deny all” at the end of all sequences.
For information on configuring and managing access groups, see Securing the Data Plane Configuration
Guide Library, Cisco IOS Release 12.4.
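The three guidelines above (order matters, every parameter must match, implicit "deny all" at the end) can be checked mechanically when reviewing a rule set. The following Python sketch is an added example, not code from this guide or from Cisco: it evaluates packets first-match against a constructed list and flags entries that can never decide a packet because an earlier entry already covers them. The Entry and Packet classes, the wildcard-mask and destination-port fields, and the sample addresses are assumptions made for the illustration and go beyond the source, destination, and protocol criteria named in this section.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard mask with every bit ignored


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(addr: str, spec: Tuple[str, str]) -> bool:
    base, wild = _ip(spec[0]), _ip(spec[1])
    # Bits set in the wildcard mask are ignored; all other bits must be equal.
    return ((_ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0


def matches(e: Entry, p: Packet) -> bool:
    # Every parameter must match before the entry's action applies.
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_matches(p.src, e.src)
            and _addr_matches(p.dst, e.dst)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry); index None is the implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None


def _covers(outer: Tuple[str, str], inner: Tuple[str, str]) -> bool:
    ob, ow, ib, iw = _ip(outer[0]), _ip(outer[1]), _ip(inner[0]), _ip(inner[1])
    # outer ignores at least the bits inner ignores, and they agree on outer's fixed bits
    return (ow | iw) == ow and ((ob ^ ib) & ~ow & 0xFFFFFFFF) == 0


def find_shadowed(acl: List[Entry]) -> List[Tuple[int, int]]:
    """Return (later, earlier) pairs where a single earlier entry matches everything the later one does."""
    out = []
    for j, late in enumerate(acl):
        for i, early in enumerate(acl[:j]):
            if ((early.proto == "ip" or early.proto == late.proto)
                    and _covers(early.src, late.src)
                    and _covers(early.dst, late.dst)
                    and (early.dport is None or early.dport == late.dport)):
                out.append((j, i))
                break
    return out


# Constructed sample list (documentation address ranges), not taken from the guide.
SAMPLE_ACL = [
    Entry("permit", "tcp", ("10.1.1.0", "0.0.0.255"), ANY, 443),
    Entry("deny", "ip", ("10.1.1.0", "0.0.0.255"), ("192.0.2.0", "0.0.0.255")),
    Entry("permit", "tcp", ("10.1.1.5", "0.0.0.0"), ("192.0.2.10", "0.0.0.0"), 22),
    Entry("permit", "udp", ("10.1.0.0", "0.0.255.255"), ANY, 53),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "192.0.2.10", 443),
                Packet("tcp", "10.1.1.5", "192.0.2.10", 22),
                Packet("tcp", "10.1.2.9", "198.51.100.1", 80)):
        print(pkt, evaluate(SAMPLE_ACL, pkt))
    print("shadowed:", find_shadowed(SAMPLE_ACL))
```

In the sample list the SSH permit at index 2 is dead configuration: the broader deny at index 1 always decides first, which is the ordering mistake this check is meant to surface.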
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and
the state of network connections is monitored. A stateful firewall is superior to static access lists because
access lists can only permit or deny traffic based on individual packets, not based on streams of packets.
Also, because Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made
by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command
in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list
is created to allow the passage of return traffic. The timeout parameter specifies the length of time the
dynamic access list remains active without return traffic passing through the router. When the timeout
value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are
not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules
can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out
command when you configure an interface at the firewall.
For additional information about configuring a Cisco IOS Firewall, see Securing the Data Plane
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol
(SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and
detection of pin-hole openings), as well as protocol conformance and application security. For more
information, see Cisco IOS Firewall: SIP Enhancements: ALG and AIC.
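The dynamic access list and its timeout, described earlier in this section, behave as an idle timer on the return path. The following Python model is an added example, not code from this guide or from Cisco; the InspectingFirewall class, the flow tuple layout, the "deny everything unsolicited" inbound policy, and the sample addresses and times are constructed assumptions.

```python
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, str, int]   # (protocol, src ip, src port, dst ip, dst port)


class InspectingFirewall:
    """Inbound traffic is denied unless a dynamic entry for the return flow exists."""

    def __init__(self, inspected: Dict[str, int]):
        self.inspected = dict(inspected)       # protocol -> idle timeout in seconds
        self.dynamic: Dict[Flow, int] = {}     # return flow -> time of last return traffic

    def _expire(self, now: int) -> None:
        # When the timeout value is reached, the dynamic entry is removed.
        for flow, last in list(self.dynamic.items()):
            if now - last >= self.inspected[flow[0]]:
                del self.dynamic[flow]

    def outbound(self, now: int, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        self._expire(now)
        if proto in self.inspected:
            # Inspection opens a path for the mirrored (return) flow only.
            self.dynamic.setdefault((proto, dst, dport, src, sport), now)

    def inbound(self, now: int, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        self._expire(now)
        flow = (proto, src, sport, dst, dport)
        if flow in self.dynamic:
            self.dynamic[flow] = now           # return traffic restarts the idle timer
            return "permit"
        return "deny"


def demo() -> List[str]:
    """Replay a constructed timeline with UDP inspected at a 30-second timeout."""
    fw = InspectingFirewall({"udp": 30})
    client, server = ("10.1.1.5", 5000), ("198.51.100.7", 53)
    fw.outbound(0, "udp", *client, *server)
    verdicts = [
        fw.inbound(10, "udp", *server, *client),              # reply within the timeout
        fw.inbound(35, "udp", *server, *client),              # 25 s idle, timer was restarted
        fw.inbound(65, "udp", *server, *client),              # 30 s idle, entry already removed
        fw.inbound(66, "udp", "203.0.113.9", 53, *client),    # unsolicited source
    ]
    fw.outbound(70, "tcp", *client, "198.51.100.7", 80)       # tcp is not inspected here
    verdicts.append(fw.inbound(71, "tcp", "198.51.100.7", 80, *client))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The third verdict is the case the text warns about: a valid but late reply is dropped once the entry has timed out, so the timeout has to be sized to the slowest legitimate responder for each inspected protocol.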
Configuring Cisco IOS IPS
Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 819 ISRs and enhances
perimeter firewall protection by taking appropriate action on packets and flows that violate the security
policy or represent malicious network activity.
Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic.
Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow
through the router, scanning each to match known IPS signatures. When Cisco IOS IPS detects
suspicious activity, it responds before network security can be compromised, it logs the event, and,
depending on configuration, it does one of the following:
•Sends an alarm
•Drops suspicious packets
•Resets the connection
•Denies traffic from the source IP address of the attacker for a specified amount of time
•Denies traffic on the connection for which the signature was seen for a specified amount of time
For additional information about configuring Cisco IOS IPS, see Securing the Data Plane Configuration
Guide Library, Cisco IOS Release 12.4.
URL Filtering
Cisco 819 ISRs provide category-based URL filtering. The user provisions URL filtering on the ISR by
selecting categories of websites to be permitted or blocked. An external server, maintained by a third
party, will be used to check for URLs in each category. Permit and deny policies are maintained on the
ISR. The service is subscription based, and the URLs in each category are maintained by the third-party
vendor.
For additional information about configuring URL filtering, see Subscription-based Cisco IOS Content
Filtering.
Configuring VPN
A virtual private network (VPN) connection provides a secure connection between two networks over a
public network such as the Internet. Cisco 819 ISRs support two types of VPNs: site-to-site and remote
access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote
access VPNs are used by remote clients to log in to a corporate network. Two examples are given in this
section: remote access VPN and site-to-site VPN.
• Remote Access VPN
• Site-to-Site VPN
• Configuration Examples
• Configure a VPN over an IPSec Tunnel
• Create a Cisco Easy VPN Remote Configuration
• Configure a Site-to-Site GRE Tunnel
Remote Access VPN
The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to
configure and secure the connection between the remote client and the corporate network.
Figure 9-1 shows a typical deployment scenario.
Figure 9-1 Remote Access VPN Using IPSec Tunnel
1 Remote networked users
2 VPN client—Cisco 819 access router
3 Router—Providing the corporate office network access
4 VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside
interface address 210.110.101.1
5 Corporate office with a network address of 10.1.1.1
6 IPSec tunnel
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing
the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP
addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS)
server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000
concentrator that is acting as an IPSec server.
A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote
workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server-enabled
devices allow remote routers to act as Cisco Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network
extension mode. Client mode is the default configuration and allows only devices at the client site to
access resources at the central site. Resources at the client site are unavailable to the central site.
Network extension mode allows users at the central site (where the VPN 3000 series concentrator is
located) to access network resources on the client site.
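Because the mode decides whether the central site can reach client-site resources, it is worth checking across saved router configurations. The following is an added example, not part of the Cisco guide: it parses Easy VPN Remote profiles out of IOS configuration text and reports each profile's mode and peer count. The sample configuration is constructed, and its profile names, group name, key and second peer address are placeholders.

```python
# Added example: report the Easy VPN Remote mode and peer count per profile.
# SAMPLE_CONFIG is constructed; profile, group and key names are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn BRANCH-A
 group EXAMPLE-GROUP key EXAMPLE-KEY
 peer 210.110.101.1
!
crypto ipsec client ezvpn BRANCH-B
 group EXAMPLE-GROUP key EXAMPLE-KEY
 mode network-extension
 peer 210.110.101.1
 peer 203.0.113.10
!
interface Vlan1
 crypto ipsec client ezvpn BRANCH-A inside
"""
PREFIX = ["crypto", "ipsec", "client", "ezvpn"]


def parse_ezvpn(config):
    """Return {profile: {"mode": str, "peers": [str]}} from IOS config text."""
    profiles, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):
            # A top-level line either opens a profile or ends the current one.
            current = None
            if words[:4] == PREFIX and len(words) == 5:
                # Client mode is the default when no "mode" line follows.
                current = profiles.setdefault(words[4], {"mode": "client", "peers": []})
        elif current is not None and len(words) > 1:
            if words[0] == "mode":
                current["mode"] = words[1]
            elif words[0] == "peer":
                current["peers"].append(words[1])
    return profiles


def audit(profiles):
    """Flag profiles that expose the client LAN or list more than one peer."""
    findings = []
    for name, p in sorted(profiles.items()):
        if p["mode"] != "client":
            findings.append((name, "client-site resources reachable from central site"))
        if len(p["peers"]) != 1:
            findings.append((name, "expected 1 peer, found %d" % len(p["peers"])))
    return findings
```

The interface binding line in the sample is deliberately included to show that it is not mistaken for a profile definition.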
After the IPSec server has been configured, a VPN connection can be created with minimal configuration
on an IPSec client, such as a supported Cisco 819 ISR. When the IPSec client initiates the VPN tunnel
connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding
VPN tunnel connection.
Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your
application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN
and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client
and the server.
Cisco 819 ISRs can also be configured to act as Cisco Easy VPN servers, letting authorized
Cisco Easy VPN clients establish dynamic VPN tunnels to the connected network. For information on
the configuration of Cisco Easy VPN servers, see the Easy VPN Server feature document.
Site-to-Site VPN
The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol
to secure the connection between the branch office and the corporate network. Figure 9-2 shows a typical
deployment scenario.
Figure 9-2 Site-to-Site VPN Using an IPSec Tunnel and GRE
1 Branch office containing multiple LANs and VLANs
2 Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)
3 VPN client—Cisco 819 ISR
4 Fast Ethernet—With address 200.1.1.1 (also the outside interface for NAT)
5 LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
6 VPN client—Another router, which controls access to the corporate network
7 LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
8 Corporate office network
9 IPSec tunnel with GRE
For more information about IPSec and GRE configuration, see Secure Connectivity Configuration Guide
Library, Cisco IOS Release 12.4T.