Cisco MWR 1941-DC Router Software Configuration Guide
Configuring the MWR 1941-DC in a Cell Site DCN


Table Of Contents

Configuring the MWR 1941-DC in a Cell Site DCN

Before You Begin

Verifying the Version of Cisco IOS Software

Configuring the Host Name and Password

Verifying the Host Name and Password

Configuring Fast Ethernet Interfaces

Configuration Example

Configuring the Ethernet Switch Network Module

Configuration Example

Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards

Configuration Example

Configuring 16-Port Asynchronous Network Module

Configuration Example

Configuring T1 and E1 Interfaces

Configuring T1 Interfaces

Configuring E1 Interfaces

Configuring Drop and Insert

Configuration Examples

Configuring the 1 T3/E3 Module

Configuring the T3 Interface

Configuring the Card Type and Controller for a T3 Interface

Configuring DSU Mode and Bandwidth for T3

Configuring the E3 Interface

Configuring the Card Type and Controller for an E3 Interface

Configuring DSU Mode and Bandwidth for E3

Configuring Scrambling for E3

Configuration Examples

Configuring the NM-AIC-64, Contact Closure Network Module

Serial Communication Channels

Serial Data Channel

Asynchronous Craft Port

Configuring the AIC

Configuration Tasks

Configuring the AIC

Accessing the AIC

Configuring the NOC IP Address

Configuring Alarms

Programming the Analog Contact Points

Programming the Discrete Contact Points

Verifying the IP Address

Troubleshooting Tips

Monitoring and Maintaining the NM-AIC-64 Contact Closure Network Module

Software Upgrade

Configuration Backup

Override

Configuration Examples

Configuring QoS Attributes

Creating a Class Map

Creating a Policy Map

Assigning a QoS Boilerplate to an Interface

Configuration Example

Filtering IP Packets Using Access Lists

Creating Standard and Extended Access Lists Using Numbers

Creating Standard and Extended Access Lists Using Names

Specifying IP Extended Access Lists with Fragment Control

Benefits of Fragment Control in an IP Extended Access List

Enabling Turbo Access Control Lists

Configuring Turbo ACLs

Verifying Turbo ACLs

Applying Time Ranges to Access Lists

Including Comments About Entries in Access Lists

Applying Access Lists

Controlling Access to a Line or Interface

Controlling Policy Routing and the Filtering of Routing Information

Controlling Dialer Functions

Configuration Examples

Numbered Access List Examples

Named Access List Example

IP Extended Access List with Fragment Control Example

Time Range Applied to an IP Access List Example

Commented IP Access List Entry Examples

Saving Configuration Changes

Verifying the Configuration

Monitoring and Managing the MWR 1941-DC Router

Show Commands for Monitoring the MWR 1941-DC

Where to Go Next


Configuring the MWR 1941-DC in a Cell Site DCN



Note Cisco IOS Release 12.3(11)T does not support the Cisco IOS Cell Site DCN feature set (software image) for the MWR 1941-DC router.


This chapter describes how to use the Cisco IOS software command-line interface (CLI) to configure the following features of the MWR 1941-DC router in a Cell Site DCN:

Before You Begin

Configuring the Host Name and Password

Configuring Fast Ethernet Interfaces

Configuring the Ethernet Switch Network Module

Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards

Configuring 16-Port Asynchronous Network Module

Configuring T1 and E1 Interfaces

Configuring the 1 T3/E3 Module

Configuring the NM-AIC-64, Contact Closure Network Module

Configuring QoS Attributes

Filtering IP Packets Using Access Lists

Saving Configuration Changes

Verifying the Configuration

Monitoring and Managing the MWR 1941-DC Router

Where to Go Next

Follow the procedures in this chapter to configure the router manually, or to change the configuration after you have run the setup command facility (see the "Using the Setup Command Facility" section).

This chapter describes only a small portion of the commonly used configuration procedures. For detailed configuration topics, refer to the Cisco IOS configuration guide and command reference publications. These publications are available on the Documentation CD-ROM that came with your router, on the World Wide Web from Cisco's home page, or you can order printed copies separately.


Note If you skipped "First-Time Configuration," and you have never configured a Cisco router, go back to that chapter and read it now. The chapter contains important information you need to successfully configure your router.


Before You Begin

Before you configure the MWR 1941-DC in a Cell Site DCN, please note the following:

The Cisco IOS Release 12.2(15)MC1a or later "mwr1900-is-mz" image must be installed on the Cisco MWR 1941-DC router.

When using the NM-16ESW with the MWR 1941-DC router, shielded cables are required and IP phone inline power is not supported.

When using the 1-port T3/E3 network module (NM-1T3/E3) in your MWR 1941-DC router configuration, note that E3 mode is not supported with Cisco IOS Release 12.2(15)MC1a.

Network Time Protocol (NTP). NTP must be configured. The Cisco MWR 1941-DC router uses NTP to maintain a clocking source for the proper time stamping of system messages and log files.

Redundancy—Standalone Mode. The MWR 1941-DC router must be configured to operate in standalone mode. The standalone option must be configured from redundancy mode. To manually set the relays to open or closed, do the following starting in global configuration mode:


Step 1 Enter redundancy mode.

Router(config)# redundancy

Step 2 Enter the y-cable mode.

Router(config-r)# mode y-cable

Step 3 Specify that the router is to be used as a stand-alone device. This command closes the relays.

Router(config-r-y)# standalone 

Step 4 Exit y-mode configuration mode.

Router(config-r-y)# exit


To verify the status of the relays on an MWR 1941-DC router, use the show controllers command.


Timesaver Before you begin configuring interfaces, disconnect all WAN cables from the router to keep it from trying to run the AutoInstall process. The router tries to run AutoInstall whenever you power it ON, if there is a WAN connection on both ends and the router does not have a valid configuration file stored in nonvolatile random-access memory (NVRAM) (for instance, when you add a new interface). It can take several minutes for the router to determine that AutoInstall is not connected to a remote Transmission Control Protocol/Internet Protocol (TCP/IP) host.



Caution The MWR 1941-DC router does not support online insertion and removal (OIR) of WAN interface cards. Any attempt to perform OIR on a card in a powered up router might cause damage to the card.


Caution The Cisco MWR 1941-DC router does not support online insertion and removal (OIR) of network modules. Any attempt to perform OIR on a card in a powered up router might cause damage to the card.

Verifying the Version of Cisco IOS Software

To implement the MWR 1941-DC router in a Cell Site DCN, the router requires Cisco IOS Release 12.2(15)MC1a or later to be installed. To verify the version of Cisco IOS software, use the show version command.

The show version command displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.

Configuring the Host Name and Password

One of the first configuration tasks you might want to do is configure the host name and set an enable secret. Configuring a host name allows you to distinguish multiple Cisco routers from each other. Setting an enable secret prevents unauthorized configuration changes; the secret is stored in the configuration as a salted MD5 hash (type 5), not as recoverable text.

 
Command
Purpose

Step 1 

Router> enable

Password: password

Router# 

Enter enable mode. Enter the password.

You have entered enable mode when the prompt changes to Router#.

Step 2 

Router# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#

Enter global configuration mode. You have entered global configuration mode when the prompt changes to Router(config)#.

Step 3 

Router(config)# hostname Router

Router(config)#

Change the name of the router to a meaningful name. Substitute your host name for Router.

Step 4 

Router(config)# enable secret guessme

Enter an enable secret password. This password provides access to privileged EXEC mode. When a user types enable at the EXEC prompt (Router>), they must enter the enable secret to reach privileged EXEC mode and, from there, configuration mode. Substitute your enable secret for guessme. Use enable secret rather than the older enable password command: enable secret stores a one-way MD5 hash (type 5), whereas enable password stores the password in plain text or in the trivially reversible type 7 encoding.

Step 5 

Router(config)# line con 0




Router(config-line)# exec-timeout 0 0




Router(config-line)# exit

Router(config)#

Enter line configuration mode to configure the console port. When you enter line configuration mode, the prompt changes to Router(config-line)#.

Prevent the router's EXEC facility from timing out if you do not type any information on the console screen for an extended period. Note that exec-timeout 0 0 disables the idle timeout entirely; for a production deployment, set a finite value (for example, exec-timeout 10 0) so that an unattended console session does not stay logged in.

Exit back to global configuration mode.

Verifying the Host Name and Password

To verify that you configured the correct host name and password:


Step 1 Enter the show config command:

Router(config)# show config
Using 1888 out of 126968 bytes
!
version XX.X
.
.
.
!
hostname Router
!
enable secret 5 $1$60L4$X2JYOwoDc0.kqa1loO/w8/
.
.
.

Step 2 Check the host name and encrypted password displayed near the top of the command output.

Step 3 Exit to the user EXEC prompt and re-enter privileged EXEC mode using the new enable secret:

Router# exit
.
.
.
Router con0 is now available
Press RETURN to get started.
Router> enable
Password: guessme
Router#



Tips If you are having trouble, check the following:

Caps Lock is off.

You entered the correct passwords. Passwords are case sensitive.
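
The interactive check above (typing the secret at the Password: prompt) can also be done offline against a saved configuration. The following Python script is an added example and is not part of the original guide: it implements md5crypt, the salted, 1000-round MD5 construction that Cisco IOS uses for type 5 secrets (the enable secret 5 $1$... line in the show config output), extracts that line from a configuration dump, and verifies a candidate password against it. The configuration text, host name and salt are constructed for the example; the hash printed in the guide's own output is not used because its plaintext is not known.

```python
"""Verify a candidate enable secret against the type 5 hash in a saved IOS config.

Cisco IOS type 5 secrets use md5crypt: MD5 over password, magic "$1$" and salt,
stretched through 1000 rounds, then encoded with a custom base64 alphabet. The
hash is one-way, so the only check possible is to recompute it with the stored
salt and compare; a wrong case in the candidate yields a different hash.
"""
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """md5crypt's little-endian 6-bit encoding of `value` into `count` characters."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the $1$<salt>$<hash> string for `password`, as IOS stores it."""
    pw = password.encode()
    sl = salt[:8].encode()  # md5crypt uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop, fixed at 1000 rounds in md5crypt
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


# A type 5 line is: "enable secret 5 $1$<1..8 salt chars>$<22 hash chars>"
SECRET_RE = re.compile(
    r"^enable secret 5 (\$1\$([^$]{1,8})\$[./0-9A-Za-z]{22})[ \t]*$", re.MULTILINE
)


def extract_enable_secret(config_text: str) -> str:
    """Return the stored type 5 hash from a show config / running-config dump."""
    match = SECRET_RE.search(config_text)
    if not match:
        raise ValueError("no 'enable secret 5' line found")
    return match.group(1)


def verify_enable_secret(config_text: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = extract_enable_secret(config_text)
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5crypt(candidate, salt), stored)


# Constructed sample configuration (hypothetical host name, salt and secret).
SAMPLE_CONFIG = "\n".join([
    "!",
    "version 12.2",
    "hostname CellSiteRtr1",
    "!",
    "enable secret 5 " + md5crypt("guessme", "60L4"),
    "!",
])

if __name__ == "__main__":
    print(extract_enable_secret(SAMPLE_CONFIG))
    print("guessme ->", verify_enable_secret(SAMPLE_CONFIG, "guessme"))
    print("GuessMe ->", verify_enable_secret(SAMPLE_CONFIG, "GuessMe"))
```

The second check fails on purpose: the case-sensitivity tip above is exactly what the hash comparison enforces. The same routine is what an offline password-guessing tool does, which is why a type 5 secret should still be long and random even though it is not recoverable from the configuration.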

Configuring Fast Ethernet Interfaces

To configure the FE interface, complete the following tasks, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface fastethernet 0/0

Router(config-if)#

Enter interface configuration mode. You have entered interface configuration mode when the prompt changes to Router(config-if)#.

Step 2 

Router(config-if)# ip address 172.16.74.3 255.255.255.0

Assign an IP address and subnet mask to the interface.

Step 3 

Router(config-if)# ip helper-address 99.1.1.2

Configure the router to forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface to a specific address.

Step 4 

Router(config-if)# speed [auto | 100 | 10]

Configure the speed.

Step 5 

Router(config-if)# duplex [auto | half | 
full]

Configure the duplex operation

Step 6 

Router(config-if)# exit

Exit back to global configuration mode.

Repeat Step 1 through Step 6 if your router has more than one interface that you need to configure.

Step 7 

Router(config)# Ctrl-z

Router#

When you finish configuring interfaces, return to enable mode.

Configuration Example

The following is a sample output from the show running-config command for a FE interface:

interface FastEthernet0/0
 ip address 172.18.28.202 255.255.255.128
 ip helper-address 99.1.1.2
 no ip mroute-cache
 speed 100
 full-duplex

Configuring the Ethernet Switch Network Module

The 16-port Ethernet Switch network module (NM-16ESW) is a high-density module that provides Layer 2 switching across Ethernet ports. In a Cell Site DCN implementation, you can use the NM-16ESW in the Cisco MWR 1941-DC router for a cell site LAN for IP connectivity for peripheral equipment.

For information on configuring the NM-16ESW, see 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Cisco IOS Release 12.2(T) feature module:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t11/ft1636nm.htm

Configuration Example

The following is a sample output from the show running-config command for a NM-16ESW:

interface FastEthernet0/0
 ip address 172.18.28.206 255.255.255.128
 no ip proxy-arp
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 no ip proxy-arp
 load-interval 30
 shutdown
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface Serial0/1:0
 ip address 100.50.0.206 255.255.255.0
 no ip proxy-arp
 encapsulation ppp
 load-interval 30
 keepalive 1
 no fair-queue
 no cdp enable
!
interface Serial0/2
 no ip address
 shutdown
 clockrate 125000
!
interface Serial0/3
 no ip address
 shutdown
 clockrate 125000
!
interface FastEthernet1/0
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/1
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/2
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/3
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/4
 switchport access vlan 162
 no ip address
 duplex full
 speed 10
!
interface FastEthernet1/5
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/6
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/7
 switchport access vlan 11
 no ip address
 load-interval 30
 duplex full
 speed 100
 no keepalive
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1/8
 switchport access vlan 12
 no ip address
 load-interval 30
 shutdown
 duplex full
 speed 10
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1/9
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/10
 switchport mode trunk
 no ip address
 duplex full
 speed 10
!
interface FastEthernet1/11
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/12
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/13
 switchport access vlan 161
 no ip address
 duplex full
 speed 10
 keepalive 1
!
interface FastEthernet1/14
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/15
 switchport access vlan 12
 no ip address
 load-interval 30
 duplex full
 speed 10
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 no ip address
!
interface Vlan11
 ip address 41.42.43.206 255.255.255.0
 no ip proxy-arp
 load-interval 30
!
interface Vlan12
 no ip address
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 shutdown
!
interface Vlan20
 no ip address
!
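
A running-config like the one above is long enough that hardening gaps are easy to miss by eye. The following Python script is an added example and not part of the guide: it splits a show running-config dump into interface blocks and applies three checks that are the editor's, not the guide's: a switch port that is enabled but has no IP address and no switchport configuration (so it sits in the default VLAN 1), a trunk with no switchport trunk allowed vlan restriction, and CDP left enabled on an access or trunk port (the guide's own example disables it with no cdp enable on several ports). The sample configuration is constructed and modelled on the example above; the interface names and VLAN numbers are taken from it.

```python
"""Audit interface blocks in a saved IOS running-config for common hardening gaps."""
from typing import Dict, List


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [sub-command lines]}.

    IOS indents sub-commands by one space; any top-level line (including "!")
    ends the current interface block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Return a list of findings for one interface block (empty if clean)."""
    has_ip = any(l.startswith("ip address ") for l in lines)
    is_shut = "shutdown" in lines
    has_vlan = any(l.startswith("switchport access vlan") for l in lines)
    is_trunk = "switchport mode trunk" in lines
    restricts = any(l.startswith("switchport trunk allowed vlan") for l in lines)
    cdp_off = "no cdp enable" in lines
    is_svi = name.lower().startswith("vlan")
    findings = []
    if not (has_ip or has_vlan or is_trunk or is_shut or is_svi):
        findings.append("enabled but unconfigured (switch port left in default VLAN 1)")
    if is_trunk and not restricts:
        findings.append("trunk without 'switchport trunk allowed vlan' restriction")
    if (has_vlan or is_trunk) and not cdp_off:
        findings.append("CDP enabled on access or trunk port")
    return findings


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Run audit_interface over every block; only interfaces with findings are returned."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_interface(name, lines)
        if findings:
            report[name] = findings
    return report


# Constructed sample, modelled on the NM-16ESW example in this chapter.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 no ip address
 no ip proxy-arp
 shutdown
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet1/0
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/7
 switchport access vlan 11
 no ip address
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1/10
 switchport mode trunk
 no ip address
 duplex full
 speed 10
!
interface FastEthernet1/13
 switchport access vlan 161
 no ip address
 duplex full
 speed 10
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan11
 ip address 41.42.43.206 255.255.255.0
!
"""

if __name__ == "__main__":
    for iface, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{iface}: {finding}")
```

Run against the constructed sample, FastEthernet1/0 is reported as an enabled but unconfigured port, FastEthernet1/10 as an unrestricted trunk with CDP on, and FastEthernet1/13 for CDP only; the shut-down ports and the routed SVI produce nothing.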

Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards

The interfaces on the Asynchronous/Synchronous serial network modules or WAN interface card can be configured for synchronous or asynchronous serial protocols. HDLC (synchronous) and PPP (asynchronous or synchronous) are typical serial protocols.


Note For complete information on configuring serial interfaces, see the Configuring Serial Interfaces chapter of the Cisco IOS Interface Configuration Guide, Release 12.2:


http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/finter_c/index.htm

To configure a serial interface, complete the following tasks, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface serial 0/0

Router(config-if)#

Enter the interface configuration mode. You have entered interface configuration mode when the prompt changes to Router(config-if)#.

Step 2 

Router(config-if)# ip address 172.16.74.1 255.255.255.0

Assign the IP address and subnet mask to the interface.

Step 3 

Router(config-if)# encapsulation encapsulation_type

Set the encapsulation method, (for example, HDLC, PPP, Frame-Relay) used by the interface.

Step 4 

Router(config-if)# physical-layer async

All serial ports are initially configured as synchronous. Enter this command if you want to configure the port as asynchronous.

Step 5 

Router(config-if)# async mode dedicated

Router(config-if)# async default routing

Configure asynchronous parameters according to your needs.

Step 6 

Router(config-if)# line async <#>

Configure the asynchronous line setting.

Step 7 

Router(config-if)# clockrate 7200

To use a port in DCE mode, connect a DCE cable and set the internal transmit clock signal (TXC) speed in bits per second. See Table 6-1 and Table 6-2 for a list of clock rate settings for your specific interface. (For ports used in DTE mode, the router automatically uses the external timing signal.)

Step 8 

Router(config-if)# nrzi-encoding

All serial interfaces support both nonreturn to zero (NRZ) and nonreturn to zero inverted (NRZI) formats. NRZ is the default; NRZI is commonly used with EIA/TIA-232 connections in IBM environments. To enable NRZI encoding on an interface, enter this command.

Step 9 

Router(config-if)# exit

Exit back to global configuration mode.

Repeat Step 1 through Step 9 if your router has more than one serial interface that you need to configure.

Step 10 

Router(config)# Ctrl-z

Router#

When you finish configuring interfaces, return to enable mode.

Table 6-1 Clock Rate Settings for 2-Port Asynchronous/Synchronous Serial WAN Interface Card

Supported clock rates (bits per second):

1200, 2400, 4800, 9600, 14400, 19200,
28800, 32000, 38400, 56000, 57600, 64000,
72000, 115200, 125000, 128000

Table 6-2 Clock Rate Settings for 4-Port/8-Port Asynchronous/Synchronous Serial Network Module

Supported clock rates (bits per second):

300, 1200, 2400, 4800, 9600, 14400,
19200, 28800, 32000, 38400, 56000, 57600,
64000, 72000, 115200, 128000

Configuration Example

The following is a sample output from the show running-config command:

HDLC, DCE Side

!
interface Serial1/3
 ip address 45.45.45.62 255.255.255.0
 clockrate 64000
 no cdp enable
!

HDLC, DTE Side

!
interface Serial1/0
 ip address 44.44.44.62 255.255.255.0
 no cdp enable
!

Sync PPP, DCE Side

!
interface Serial1/3
 ip address 45.45.45.62 255.255.255.0
 encapsulation ppp
 clockrate 64000
 no cdp enable
!

Sync PPP, DTE Side

!
interface Serial1/0
 ip address 44.44.44.62 255.255.255.0
 encapsulation ppp
 no cdp enable
!

Async PPP (same configuration for either side, must set line speed via line interface)

!
interface Serial1/0
 physical-layer async
 ip address 44.44.44.62 255.255.255.0
 encapsulation ppp
 async mode dedicated
!
line 33
 speed 57600

Configuring 16-Port Asynchronous Network Module

The serial interfaces of the NM-16A provide low-speed EIA/TIA-232 data links from cell site equipment to the backhaul network. Alternatively, these interfaces can provide terminal server capability allowing cell site equipment to be managed remotely.


Note For information on configuring terminal server capability; see the Configuring a Terminal/Comm Server technical note:

http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml


To configure an asynchronous interface on the NM-16A, complete the following tasks, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface async 45

Router(config-if)#

Enter the interface configuration mode and specify the asynchronous interface to configure. You have entered interface configuration mode when the prompt changes to Router(config-if)#.

Step 2 

Router(config-if)# ip address 172.16.74.1 255.255.255.0

Assign the IP address and subnet mask to the interface.

Step 3 

Router(config-if)# async mode dedicated

Router(config-if)# async default routing

Router(config-if)# line async 45

Router(config-if)# speed 115200

Configure asynchronous parameters according to your needs.

Step 4 

Router(config-if)# exit

Return to global configuration mode and repeat Step 1 through Step 4 if your router has more than one interface that you need to configure.

Step 5 

Router(config)# Ctrl-z

Router#

Return to enable mode.

Configuration Example

The following is a sample output from the show running-config command:

!
interface Async40
 ip address 10.10.15.62 255.255.255.0
 encapsulation ppp
 async dynamic routing
 async mode dedicated
 no keepalive
!
line 40
 speed 115200

Configuring T1 and E1 Interfaces

To configure a T1/E1 trunk interface, enter the following Cisco IOS commands at the router prompt.

Configuring T1 Interfaces

To configure a new T1 interface (or change an existing one), complete the following tasks beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# controller t1 1/0

Select the CT1/PRI interface to configure. This example configures a T1 interface in slot 1 and unit 0.

Step 2 

Router(config-controller)# clock source 
line

Specify which end of the circuit provides clocking. The clock source should be set to use internal clocking only for testing the network or if the full T1 line is used as the channel group. Only one end of the T1 line should be set to internal.

Step 3 

Router(config-controller)# framing esf

Specify the framing type.

Step 4 

Router(config-controller)# linecode b8zs

Specify the line code format.

Step 5 

Router(config-controller)# channel-group 0 
timeslots 1,3-5,7

Specify the channel group and time slots to be mapped.

For the VWIC interfaces, you can configure two channel-groups (0 and 1) on the first T1 port or you can configure one channel-group (0 or 1) on each T1 port.

Once you configure a channel group, the serial interface is automatically created.

Step 6 

Router(config-controller)# cablelength feet

Configure the cable length.

Step 7 

Router(config-controller)# exit 

Exit controller configuration mode.

Step 8 

Router(config)# interface serial slot/port:0

Configure each channel group as a virtual serial interface. Specify the T1 slot, unit number, and channel group to modify.

Step 9 

Router(config-if)# ip address 10.1.15.1 
255.255.255.0

Assign an IP address and subnet mask to the interface.

Step 10 

Router(config-if)# carrier-delay number 

Set the carrier delay for the serial interface.

Step 11 

Router(config-if)# exit

Exit back to global configuration mode.

Return to Step 1 if your router has more than one T1 interface that you need to configure.

Step 12 

Router(config)# Ctrl-z
Router#

When you finish configuring interfaces, return to enable mode.

Configuring E1 Interfaces

To configure a new E1 interface (or change an existing one), complete the following tasks beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# controller e1 1/0

Select the CE1/PRI interface to configure. This example configures an E1 interface in slot 1 and unit 0.

Step 2 

Router(config-controller)# framing crc4

Specify the framing type.

Step 3 

Router(config-controller)# linecode hdb3

Specify the line code format.

Step 4 

Router(config-controller)# channel-group 0 timeslots 1,3-5,7

Specify the channel group and time slots to be mapped. For multiflex trunk interfaces, only channel 0 can be configured.

Step 5 

Router(config-controller)# exit

Router(config)# interface serial 1/0:0

Exit controller configuration mode and configure each channel group as a virtual serial interface. Specify the E1 slot, unit number, and channel group to modify.

Step 6 

Router(config-if)# ip address 10.1.15.1 255.255.255.0

Assign an IP address and subnet mask to the interface.

Step 7 

Router(config-if)# exit

Exit back to global configuration mode.

Return to Step 1 if your router has more than one CE1/PRI interface that you need to configure.

Step 8 

Router(config)# Ctrl-z

When you finish configuring interfaces, return to enable mode.

Configuring Drop and Insert

The Drop and Insert feature can be configured using the Cisco VWIC-2MFT-T1-DIR and VWIC-2MFT-E1-DIR VWICs.

Drop-and-Insert capabilities allow individual 64-kbps DS0 channels to be passed transparently, uncompressed, between two ports on the same VWIC without passing through a digital signal processor (DSP).


Note T1/E1 channels can be used either for Drop and Insert or VoIP, but not both.


To set up the Drop and Insert feature, complete the following tasks beginning in controller configuration mode:

 
Command
Purpose

Step 1 

Router(config-controller)# tdm-group tdm-group-no timeslots timeslot-list type {e&m | fxs [loop-start | ground-start] | fxo [loop-start | ground-start]}

Enter this command to set up TDM channel groups for the Drop-and-Insert function.

tdm-group-no is a value from 0 to 23 for T1 and from 0 to 30 for E1; it identifies the group.

timeslot-list is a single number, numbers separated by commas, or a pair of numbers separated by a hyphen to indicate a range of timeslots. The valid range is from 1 to 24 for T1. For E1, the range is from 1 to 31.

The signaling method selection for type depends on the connection that you are making. The fxs and fxo options allow you to specify a ground-start or loop-start line. The Cisco IOS Release 12.0 Voice, Video, and Home Applications Command Reference includes additional information about these options.

Note The group numbers for controller groups must be unique. For example, a TDM group should not have the same ID number as a DS0 group or channel group.

Step 2 

Router(config-controller)# channel-group 
channel-group-no timeslots timeslot-list 
[speed [56|64]]

(Optional) Enter this command to set up channel groups for WAN data services.

For the VWIC interfaces, you can configure channel-group 0 and 1 on one port, or one channel group (either 0 or 1) on each port.

channel-group-no is therefore 0 or 1.

timeslot-list is a single number, numbers separated by commas, or a pair of numbers separated by a hyphen to indicate a range of timeslots. The valid range is from 1 to 24 for T1. For E1, the range is from 1 to 31.

The optional speed setting defaults to 56 Kbps for T1 and 64 Kbps for E1.

Step 3 

Router(config-controller)# no shutdown

Activate the controller.

Step 4 

Router(config-controller)# exit

Exit controller configuration mode. Skip the next step if you are not connecting TDM groups for Drop and Insert.

Step 5 

Router(config)# connect id {T1 | E1} slot/port-1 tdm-group-no-1 {T1 | E1} slot/port-2 tdm-group-no-2

This global configuration command sets up the connection between two T1 or E1 TDM groups of timeslots on the VWIC for Drop and Insert.

id is a name for the connection.

Identify each controller by its slot/port location.

tdm-group-no-1 and tdm-group-no-2 identify the TDM group numbers (from 0 to 23 for T1, or 0 to 30 for E1) on the specified controller. The groups were set up in Step 1.

Configuration Examples

T1 Controller

The following is a sample configuration of an individual T1 controller from the show running-config command output:

controller T1 0/0
 framing esf
 clock source internal
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24 speed 64

Drop and Insert

The following is a sample drop and insert configuration from the show running-config command output:

controller E1 0/0
 clock source internal
 channel-group 0 timeslots 1-5
 tdm-group 2 timeslots 6-24
!
controller E1 0/1
 clock source internal
 tdm-group 1 timeslots 6-24

connect E1_TDM E1 0/0 2 E1 0/1 1
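
The timeslot-list syntax and range rules stated in the Drop and Insert table (1 to 24 for T1, 1 to 31 for E1, unique group numbers on a controller) are easy to get wrong in a hand-written controller block, and the router only reports the error when the line is entered. The following Python validator is an added example, not part of the guide: it parses controller blocks out of a running-config, expands timeslot lists such as 1,3-5,7, and reports out-of-range timeslots, reused group numbers, and DS0s claimed by two groups on the same controller (that last check is the editor's addition; the guide does not state it, but one DS0 cannot belong to both a channel group and a TDM group). The sample configurations are constructed: the first mirrors the Drop and Insert example above, the second is a deliberately broken T1 block.

```python
"""Parse and validate timeslot assignments in T1/E1 controller blocks."""
import re
from typing import Dict, List, Set, Tuple

MAX_TIMESLOT = {"T1": 24, "E1": 31}  # from the Drop and Insert table in this chapter

GROUP_RE = re.compile(r"^(channel-group|tdm-group)\s+(\d+)\s+timeslots\s+(\S+)")


def parse_timeslots(spec: str) -> List[int]:
    """Expand "1,3-5,7" into [1, 3, 4, 5, 7]; rejects malformed or reversed ranges."""
    slots: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad timeslot element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        slots.update(range(lo, hi + 1))
    return sorted(slots)


def parse_controllers(config_text: str) -> Dict[str, Tuple[str, List[Tuple[str, int, List[int]]]]]:
    """Return {"E1 0/0": ("E1", [(group kind, group number, timeslots), ...]), ...}."""
    ctrls: Dict[str, Tuple[str, List[Tuple[str, int, List[int]]]]] = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("controller "):
            _, ctype, location = raw.split()
            current = f"{ctype.upper()} {location}"
            ctrls[current] = (ctype.upper(), [])
        elif raw.startswith(" ") and current is not None:
            m = GROUP_RE.match(raw.strip())
            if m:
                ctrls[current][1].append((m.group(1), int(m.group(2)), parse_timeslots(m.group(3))))
        else:
            current = None  # "!" or any top-level line ends the controller block
    return ctrls


def validate_controllers(config_text: str) -> Dict[str, List[str]]:
    """Return {controller: [problems]} for controllers with at least one problem."""
    problems: Dict[str, List[str]] = {}
    for name, (ctype, groups) in parse_controllers(config_text).items():
        limit = MAX_TIMESLOT.get(ctype)
        if limit is None:
            continue  # not a T1/E1 controller (for example T3); out of scope here
        errs: List[str] = []
        owner: Dict[int, str] = {}  # timeslot -> group that already owns it
        numbers: Set[int] = set()
        for kind, num, slots in groups:
            label = f"{kind} {num}"
            if num in numbers:
                errs.append(f"{label}: group number {num} already used on this controller")
            numbers.add(num)
            for s in slots:
                if not 1 <= s <= limit:
                    errs.append(f"{label}: timeslot {s} outside 1-{limit} for {ctype}")
                elif s in owner:
                    errs.append(f"{label}: timeslot {s} already assigned to {owner[s]}")
                else:
                    owner[s] = label
        if errs:
            problems[name] = errs
    return problems


# Constructed sample mirroring the Drop and Insert example in this chapter.
GOOD_CONFIG = """\
controller E1 0/0
 clock source internal
 channel-group 0 timeslots 1-5
 tdm-group 2 timeslots 6-24
!
controller E1 0/1
 clock source internal
 tdm-group 1 timeslots 6-24
!
connect E1_TDM E1 0/0 2 E1 0/1 1
"""

# Constructed, deliberately broken T1 block: reused group number 0, timeslots
# 10-12 claimed twice, and timeslot 25 beyond the T1 limit of 24.
BAD_CONFIG = """\
controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-12
 tdm-group 0 timeslots 10-25
!
"""

if __name__ == "__main__":
    print("good:", validate_controllers(GOOD_CONFIG))
    for ctrl, errs in validate_controllers(BAD_CONFIG).items():
        for err in errs:
            print(f"{ctrl}: {err}")
```

The validator is deliberately stricter than the router about overlaps so that a planned change can be checked before it is pasted into a live cell-site controller.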

Configuring the 1 T3/E3 Module

The NM-1T3/E3 is a single-port universal T3/E3 network module with integrated CSU/DSU, clear channel, and subrate support. The network module can be configured as either T3 or E3 through Cisco IOS software, which lets you switch between T3 and E3 applications with a single IOS command.


Note For complete information on configuring the Clear Channel 1 T3/E3 module, see the Clear Channel T3/E3 with Integrated CSU/DSU Cisco IOS Release 12.2(15)T feature module.



Caution Online insertion and removal (OIR) of the NM-1T3/E3 is not supported on the Cisco MWR 1941-DC platform.


Note When used with the MWR 1941-DC router, the NM-1T3/E3 supports line rate throughput for traffic with packet sizes of 1500 bytes. For traffic with smaller packet sizes, degradation in throughput will be seen.


Configuring the T3 Interface

To configure the T3 interface, complete the following required tasks:

Configuring the Card Type and Controller for a T3 Interface

Configuring DSU Mode and Bandwidth for T3

Configuring the Card Type and Controller for a T3 Interface

When the Clear Channel T3/E3 network module is used for the first time, the running configuration does not show the T3/E3 controller and its associated serial interface. You can use the show version command to learn if the router recognized the T3/E3 card and was able to initialize the card properly. After the card type is configured for the slot, the respective controller and serial interface appear in the running configuration. See the "Verifying the Version of Cisco IOS Software" section.

After you have confirmed that the card initialized properly, use the card type command to configure it. If the command is accepted, Cisco IOS software creates a controller and a serial interface for the card.


Note The autoconfig/setup utility does not support configuring the card type for the T3/E3 network module.


To select and configure a card type and controller as T3, complete the following tasks beginning in global configuration mode:

 
Command or Action
Purpose

Step 1 

card type t3 slot

Example:
Router(config)# card type t3 1

Selects the card type.

Creates a T3 controller and a serial interface.

t3—Selects the T3 controller.

slot—Slot number of the interface.

By default, the T3 controller does not show up in the show running-config output.

Step 2 

controller t3 slot/port

Example:

Router(config)# controller t3 1/0

Specifies the T3 controller and enters controller configuration mode.

slot/port—Backplane slot number and port number on the controller.

Step 3 

framing {c-bit | m23}

Example:

Router(config-controller)# framing c-bit

Specifies the framing type.

c-bit—Specifies C-bit framing as the T3 framing type.

m23—Specifies M23 framing as the T3 framing type.

Step 4 

cablelength feet

Example:

Router(config-controller)# cablelength 250

Specifies the distance from the routers to the network equipment.

feet—Number of feet in the range from 0 to 450.

The default value is 224 feet.

Step 5 

clock source {internal | line}

Example:

Router(config-controller)# clock source line

Selects the clock source.

internal—Specifies that the internal clock source is used. This is the default for T3.

line—Specifies that the network clock source is used. This is the default for E3.

Step 6 

exit
Example:

Router(config-controller)# exit

Exits controller configuration mode and returns the router to global configuration mode.

Configuring DSU Mode and Bandwidth for T3

To specify the interoperability mode and maximum allowable bandwidth used by a T3 controller, complete the following tasks beginning in global configuration mode:

 
Command
Purpose

Step 1 

interface serial slot/port

Example:

Router(config)# interface serial 1/0

Specifies the serial interface created on the controller.

Step 2 

dsu mode {0 | 1 | 2 | 3 | 4}

Example:

Router(config-if)# dsu mode 0

Specifies the interoperability mode used by a T3 controller.

0—Connects a T3 controller to another T3 controller or to a Digital Link DSU (DL3100). Bandwidth range is from 300 to 44210 kbps. This is the default.

1—Connects a T3 controller to a Kentrox DSU. Bandwidth range is from 1500 to 35000/44210 kbps.

Note If the bandwidth is set to greater than 35000 kbps, it defaults to 44210 kbps.

2—Connects a T3 controller to a Larscom DSU. Bandwidth range is from 3100 to 44210 kbps.

3—Connects a T3 controller to an Adtran T3SU 300. Bandwidth range is from 75 to 44210 kbps.

4—Connects a T3 controller to a Verilink HDM 2182. Bandwidth range is from 1500 to 44210 kbps.

Step 3 

dsu bandwidth kbps

Example:

Router(config-if)# dsu bandwidth 44210

Specifies the maximum allowable bandwidth in the range from 1 to 44210 kbps.

The real (actual) vendor-supported bandwidth is in the range from 75 to 44210 kbps.

Step 4 

exit
Example:

Router(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Configuring the E3 Interface

To configure the E3 interface, complete the following required tasks:

Configuring the Card Type and Controller for an E3 Interface

Configuring DSU Mode and Bandwidth for E3

Configuring Scrambling for E3

Configuring the Card Type and Controller for an E3 Interface


Note The autoconfig/setup utility does not support configuring the card type for the T3/E3 network module.


To configure the card type and controller for an E3 interface, complete the following tasks beginning in global configuration mode:

 
Command or Action
Purpose

Step 1 

card type e3 slot

Example:

Router(config)# card type e3 1

Selects the card type.

Creates an E3 controller and a serial interface.

e3—Specifies the E3 transmission scheme predominantly used in Europe.

Provides 34010 kbps.

slot—Slot number of the interface.

By default, the E3 controller does not show up in the show running-config output.

Step 2 

controller e3 slot/port

Example:

Router(config)# controller e3 1/0

Specifies the E3 controller and enters controller configuration mode.

slot/port—Backplane slot number and port number on the controller.

Step 3 

framing {bypass | g751}

Example:

Router(config-controller)# framing bypass

Specifies the framing type.

bypass—Specifies that G.751 framing is bypassed.

g751—Specifies G.751 as the E3 framing type.

Default is g751.

Step 4 

clock source {internal | line}

Example:

Router(config-controller)# clock source line

Selects the clock source.

internal—Specifies that the internal clock source is used. This is the default for T3.

line—Specifies that the network clock source is used. This is the default for E3.

Step 5 

exit
Example:

Router(config-controller)# exit

Exits controller configuration mode and returns to global configuration mode.

Configuring DSU Mode and Bandwidth for E3

To specify the interoperability mode and maximum allowable bandwidth used by an E3 controller, complete the following tasks beginning in global configuration mode:

 
Command
Purpose

Step 1 

interface serial slot/port

Example:

Router(config)# interface serial 1/0

Enters interface configuration mode and specifies the serial interface created on the controller.

Step 2 

dsu mode {0 | 1}

Example:

Router(config-if)# dsu mode 0

Specifies the interoperability mode used by an E3 controller.

0—Sets the interoperability mode to 0. This is the default. Specify mode 0 to connect an E3 controller to another E3 controller or to a Digital Link DSU (DL3100). Bandwidth range is from 358 to 24500/34010 kbps.

Note If the bandwidth is set to greater than 24500 kbps, it defaults to 34010 kbps.

1—Sets the interoperability mode to 1. Specify mode 1 to connect an E3 controller to a Kentrox DSU. Bandwidth range is from 500 to 34010 kbps.

Step 3 

dsu bandwidth kbps

Example:

Router(config-if)# dsu bandwidth 34010

Specifies the maximum allowable bandwidth in the range from 22 to 34010 kbps.

The real (actual) vendor-supported bandwidth is in the range from 358 to 34010 kbps.

Step 4 

exit
Example:

Router(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Configuring Scrambling for E3

To enable scrambling of the payload on the E3 controller, complete the following tasks beginning in global configuration mode. Scrambling randomizes the transmitted bit pattern so that the line does not carry long runs of ones or zeros; it is a line-conditioning function, not encryption, and gives the payload no confidentiality. Both ends of the E3 link must use the same scrambling setting.

 
Command
Purpose

Step 1 

interface serial slot/port

Example:

Router(config)# interface serial 1/0

Enters interface configuration mode.

Step 2 

scramble

Example:

Router(config-if)# scramble

Enables the scrambling of the payload.

Default is off.

Step 3 

exit
Example:

Router(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Configuration Examples

T3 Controller

The following is sample output from the show running-config command for a T3 controller:

card type t3 1

controller T3 1/0
cablelength 10

interface Serial1/0
no ip address
no ip route-cache
no ip mroute-cache
no keepalive
dsu bandwidth 44210

E3 Controller

The following is sample output from the show running-config command for an E3 controller:

card type e3 1
controller E3 1/0

interface Serial1/0
 ip address 10.0.0.6 255.255.255.0
 encapsulation ppp
 no keepalive
 dsu bandwidth 34010
 no cdp enable

Configuring the NM-AIC-64, Contact Closure Network Module

The Alarm Interface Card Network Module (AICNM) is an optional card that expands network management capabilities for customer-defined alarms. The AIC has its own CPU that communicates with the router and external media through serial communication channels. The AIC reduces service provider and enterprise operating costs by providing a flexible, low-cost network solution for migrating existing DCNs to IP-based DCNs. The AIC provides its users with a single "box" solution because it can be configured in the same router along with other operation, alarm, maintenance, and provisioning (OAMP) interfaces.

The AIC provides a total of 64 alarm inputs. Eight of the 64 points are software configurable for measuring either analog or discrete inputs. The remaining 56 points are fixed to measure discrete inputs only. The AIC also provides 16 control relay outputs.

The discrete alarm input can be activated through ground or negative battery input. The negative battery range is -36V to -72V. The analog alarm is software configurable for either DC voltage or current. It can measure voltage from -60 to 60V or current from 0 to 20mA, but the configurable range is 4 mA to 20mA. The standard 16 control relays can be configured to turn on or turn off an external device.

The AIC's 64 input contact points can control and monitor network elements and other non-intelligent interfaces, permitting the detection and reporting of alarms such as the following:

Network element alarm states

Building security (door and window open and close)

Fire and smoke indication

Building environmentals (temperature and humidity)

Utility power readings

When an event occurs, such as a door alarm or an open gate, the AIC maps the simple discrete and analog alarms to preprogrammed intelligent messages and transports the messages to destinations in the IP network, typically to a Network Operations Center (NOC). These messages are generated either in Transaction Language 1 (TL1) or in Simple Network Management Protocol (SNMP), which are used by a NOC's Operations Support System (OSS).

When the AIC is incorporated into the Cisco DCN solution platforms, all the AIC's contact-closure alarms are routed and reported through the same network and systems as the intelligent network elements (NEs). This facilitates continued use of the existing OSS and its associated networks. A Cisco router with an AIC sends TL1 or SNMP messages to the OSS autonomously or in response to TL1 or SNMP commands from the OSS, as shown in Figure 6-1. TL1 supports two sessions, with the port numbers 5011 and 5012, respectively, and SNMP supports four sessions.

Figure 6-1 TL1 and SNMP Message Flow in a DCN Application

Serial Communication Channels

As illustrated in Figure 6-2, the AIC has two serial communications channels that provide different types of interfaces to Cisco IOS software:

Serial data channel

Asynchronous craft port

Figure 6-2 OS Boundary into the AIC

Serial Data Channel

The serial data channel supports all TCP/IP traffic to and from the AIC. This includes communication over IP with NOCs and data centers. The channel consists of one physical interface that provides support for the following applications:

Telnet

TL1

TFTP

SNMP

The Cisco IOS software assigns an IP address to the AIC for use by the serial data channel. To route traffic, the serial data channel uses IP over synchronous High-Level Data Link Control (HDLC). All IP packets arriving at the Cisco router with a destination IP address that matches the AIC's IP address are forwarded to the serial data channel using IP over HDLC. Telnet, TL1, and TFTP carry their traffic, including any credentials, in cleartext, so the IP path between the NOC and the AIC should be confined to the management network and filtered at the router.

Asynchronous Craft Port

The asynchronous craft port supports Telnet to the AIC's TCP port number on the router. This Telnet method, called local-CLI, is useful for debugging when remote Telnet to the AIC's IP address (remote-CLI) is not available. For more information, see the "Configuring the NOC IP Address" section.

The asynchronous craft port also supports an AIC boot sequence, similar to the ROM monitor in Cisco IOS software, which allows the user to recover from a corrupted software image or configuration. See the "Override" section.

Configuring the AIC

From a top-level view, AIC configuration involves assigning an IP address to the AIC using Cisco IOS commands and setting up alarm configurations with either TL1 or the AIC command-line interface (CLI). The flexible TL1 and AIC CLI permit a broad range of alarm configuration scenarios. The following are examples of alarm configurations that can be programmed with the AIC CLI:

Configuring a Discrete Alarm

enable
config terminal
alarm 1
description "west door"
normally closed
description normal "door closed"
description alarm "door open"
level 2
exit

Configuring an Analog Alarm as an Analog Monitoring Voltage

enable
config terminal
alarm 57
description "tank level"
description normal "full"
description low "low"
description low-low "empty"
analog voltage 2.5 30 60 60 
exit

Configuring an Analog Alarm as a Discrete Monitoring Current

enable
config terminal
alarm 58
description "east door"
discrete current-loop 0.0 3.2 5.9
exit

Configuring an Analog Alarm as a Discrete Monitoring Voltage

enable
config terminal
alarm 58
description "backup battery"
discrete voltage 9.0 high
exit

Configuring an Analog Alarm to Act Like a Discrete Alarm (Minimal Configuration Method)

enable
config terminal
alarm 59
discrete
exit

Configuration Tasks

See the following sections for configuration tasks for the AIC feature. Each task in the list is identified as either required or optional:

Configuring the AIC (required)

Entering Alarm Configuration Mode and Configuring the AIC IP Address

Configuring the IP Route to the AIC

Configuring the NOC IP Address (optional)

Configuring Alarms (optional)

Configuring the AIC

Cisco IOS commands are used for configuring the AIC IP address and the IP routing to the AIC NM. After the IP address and the IP routing are set, alarm configurations can then be set up with either TL1 or the AIC command-line interface. See the "Configuring the NOC IP Address" section or the "Configuring Alarms" section for more information.

The following sections describe how to configure the AIC IP address and the IP Routing to the AIC NM.

Entering Alarm Configuration Mode and Configuring the AIC IP Address

Enter alarm configuration mode and configure the AIC IP address, beginning in privileged EXEC mode:

 
Command
Purpose

Step 1 

Router# show run

Determines if the AIC is installed correctly in the router. If the AIC has been installed correctly, then the following appears:

interface serial slot/port

where the slot is the slot in which the AIC is inserted, and the port is 0.

Step 2 

Router# configure terminal

Starts the configuration session.

Step 3 

Router(config)# alarm-interface slot

Enters the AIC interface mode, specifying the slot number into which the AIC is installed.

Step 4 

Router(config-aic)# ip address ip-address mask

Enters the IP address of the AIC. Entering a mask is optional, because the IP address does not use a subnet address.

Step 5 

Router(config-aic)# reset

Resets the AIC. A change to the IP configuration may not take effect until the next time the card is started; the reset command restarts the card.

Step 6 

Router(config-aic)# exit

Exits the AIC interface mode.

Configuring the IP Route to the AIC

There are many ways to configure IP routing to the AIC. Two methods are shown below. The first method uses an unnumbered IP address; use it when you want to give the AIC an address the router already knows how to reach, such as an address from the subnet of a FastEthernet interface.

The second method does not use an unnumbered IP address; use it when a separate subnet is available for the serial interface and the AIC. Usually this subnet is small, with a subnet mask such as 255.255.255.252.

Configure IP routing to the AIC with an unnumbered IP address, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# ip route network-number network-mask {IP address | interface} [distance] [name name]

Establishes a host route to the AIC (a 255.255.255.255 mask) through the router's serial interface. The arguments have the following meanings:

network-number—IP address of the target network or subnet.

network-mask—Network mask that lets you mask network and subnetwork bits.

IP address—Internet address of the next hop that can be used to reach that network in standard
IP address notation. Example: 10.1.1.1.

interface—Network interface to use.

distance—(Optional) An administrative distance, which is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers.

name name—(Optional) Name assigned to the static route.

Example:

Router(config)# ip route 10.5.5.2 255.255.255.255 serial2/0

Step 2 

Router(config)# interface serial slot/port

Enter serial interface mode. Enter the slot in which the AIC is installed and port 0.

Step 3 

Router(config-if)# ip unnumbered type interface-number

Enable IP processing on the serial interface to the AIC without assigning an explicit IP address to the interface. The type and interface-number arguments indicate another interface on which the router has an assigned IP address. The other interface cannot be an unnumbered interface, because only an interface that has its own IP address can be used to "lend" its IP to the serial port. Enter, for example:

Router(config-if)# ip unnumbered FastEthernet 0/0

Step 4 

Router(config-if)# exit

Exit serial interface mode.

Configure IP routing to the AIC without an unnumbered IP address, beginning in global configuration mode:

 
Command
Purpose

Step 1 

Router(config)# interface serial slot/port

Enter the serial interface mode. Enter the slot in which the AIC is installed and the port 0.

Step 2 

Router(config-if)# ip address ip-address network-mask

Specify the IP address and mask of the router's serial interface to the AIC. For example:

Router(config-if)# ip address 10.5.5.1 255.255.255.0

Step 3 

Router(config-if)# exit

Exits the serial interface mode.

Accessing the AIC

Remote-CLI and local-CLI are the two methods for accessing the AIC:

Remote-CLI involves telnetting to the IP address of the AIC. For example:

telnet 10.5.5.2

Local-CLI involves reaching the asynchronous craft port by telnetting to the IP address of the router and the TCP port number that Cisco IOS assigns to the AIC's craft-port line. For example:

telnet 10.2.130.105 2001

where 10.2.130.105 is the router's IP address and 2001 is the TCP port of the craft port for an AIC in slot 0.

The AIC's TCP port number depends on the slot number in which the AIC is installed. As shown in Table 6-3, the Cisco IOS software reserves the first line of each slot for the asynchronous craft port. Because the craft port's boot-time override mode accepts commands without a login (see the "Override" section), that TCP port should be reachable only from trusted management hosts; on Cisco IOS, an access-class applied to the line that carries the craft port restricts who can open it.

Table 6-3 TCP Port Number Allocation for the AIC on the Cisco 2600 and Cisco 3600 Series

Slot Number
Terminal Line Number for the AIC's Asynchronous Craft Port
TCP Port Number

Configuring the NOC IP Address


Note The aic command-line prompt indicates that either TL1 or AIC CLI commands must be used.


Configure up to four NOC IP addresses to which the AIC will send SNMP messages, beginning at the AIC CLI configuration prompt:

 
Command
Purpose

Step 1 

aic(config)# snmp

Enter SNMP configuration mode.

Step 2 

aic(config)# noc ip-address {number} ip-address

Enters an NOC IP address to which the AIC sends SNMP messages. The number argument can be 1 through 4.

Step 3 

aic(config)# exit

Exit the AIC CLI.

Configuring Alarms

After the AIC and NOC IP addresses have been configured, you can configure alarms by programming the AIC's discrete and analog contact points. These tasks can be performed on-site or by telnetting as described in the "Accessing the AIC" section.

Alarms are configured using either TL1 or the AIC CLI. Information about TL1 commands can be found in the Telcordia Technologies (formerly Bellcore) document Network Maintenance: Network Element and Transport Surveillance Messages, GR-833-CORE, Issue 5, November 1996. For a reference on the security-related commands (ACT-USER and CANC-USER), refer to Telcordia Technologies' Operations Applications Messages-Network Element and Network System Security Admin Messages, TR-NWT-000835, Issue 2, January 1993. The following TL1 messages and commands are supported by the AIC:

TL1 Messages

REPT-ALM-ENV

REPT-ALM-EQPT

REPT-EVT

TL1 Commands

ACT-USER

CANC-USER

OPR-EXT-CONT

RLS-EXT-CONT

RTRV-ALM

RTRV-ALM-ENV

RTRV-ATTR

RTRV-ATTR-CONT

RTRV-ATTR-ENV

RTRV-ATTR-LOG

RTRV-HDR

RTRV-LOG

RTRV-EXT-CONT

SET-ATTR-ENV

SET-ATTR-EQPT

SET-ATTR-LOG

STA-LOG

STP-LOG

Programming the Analog Contact Points

Alarm points 57 through 64 are analog inputs, which can also be configured as discrete inputs. When a point is configured as an analog input, the user must select whether it monitors voltage or current. The user must also define five ranges, by selecting four values for a point monitoring voltage or six values for a point monitoring current. For current-monitoring points, the lowest and highest of the six values define the range of possible engineering values. (Valid values are from -9999999.9 to 9999999.9.) For voltage-monitoring alarms, the range of possible values is always -60V to 60V. The other four values must lie within the defined range and, in ascending order, partition it into low-low, low, normal, high, and high-high ranges. Except for the normal range, each range is associated with an alarm condition.

Analog points have four unique alarm states. Each alarm state has its own alarm description string. Only one alarm state per point may be active at any given time. In other words, when a threshold is crossed, the previous alarm state is cleared and the new alarm state is active.

When an analog input is configured as discrete, the user must select whether the point is monitoring voltage or current. Similar to the analog configuration, the user must also select the range of acceptable values for a current-monitoring alarm. (Valid values are from -9999999.9 to 9999999.9.) The voltage range is always -60V to 60V. The user must define the threshold that will cause the alarm condition and whether the normal state of the alarm is the higher or lower range.


Note For the current analog point, the lower boundary is 4 mA and the upper boundary is 20 mA. For example,

analog current-loop 10 13 16 17 20 26

has 16 units between 10 and 26. If the AIC measures 4 mA, it reports the point at the lower boundary, 10. The AIC interprets 13 as 7 mA, 16 as 10 mA, 17 as 11 mA, 20 as 14 mA, and 26 as the upper boundary, which is 20 mA; that is, the 4 to 20 mA loop is mapped linearly onto the range between the lowest and highest values.


Following are examples:

Point 57 is monitoring the ambient temperature of a building and the sensor range is -20 to 75 degrees Celsius. Below 0 degrees is a critical alarm, 0 to 10 degrees is a major alarm, 10 to 35 degrees is the normal range, 35 to 45 degrees is a minor alarm, and above 45 degrees is a major alarm. The configuration for this point follows:

alarm 57
analog current-loop -20 0 10 35 45 75
level low-low 1
level low 2
level high 3
level high-high 2

Point 58 is monitoring a fuel tank level with a resistive sensor. Below -46 volts is a critical alarm, -46 to -40 volts is a minor alarm, and above -40 volts is the normal range. This is a unidirectional alarm, so the high thresholds are set equal to the high bound (since this threshold cannot be crossed). The configuration for this point follows:

alarm 58
analog voltage -46 -40 60 60 
level low-low 1
level low 3

Point 59 is monitoring a battery bank. Below -42 volts is a critical alarm and above -42 volts is the normal range. The configuration for this point follows:

alarm 59
discrete voltage -42 high 
level 1
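The scaling rule in the Note and the three point examples above, worked through as an added example. This is illustrative code written for this page, not Cisco or AIC software: it parses alarm blocks in the AIC CLI form shown on this page and evaluates readings against them. The 4 to 20 mA scaling follows the Note (bounds 10 and 26: 4 mA reads as 10, 7 mA as 13, 20 mA as 26). Three things are assumptions rather than documented AIC behaviour: the normal band is treated as including its edges, the level numbers are read as 1 critical, 2 major, 3 minor (inferred from the examples above), and a discrete point given no high or low keyword treats the higher range as normal. The names AnalogPoint and parse_alarm are inventions of this example.

```python
"""Threshold evaluation for NM-AIC-64 analog points (added example, not Cisco code).

Parses 'alarm' blocks in the AIC CLI form used on this page and evaluates
readings against them.  Assumptions (not stated by the page): the normal
band includes its edges; 'level' 1/2/3 mean critical/major/minor; a
discrete point with no high/low keyword treats the higher range as normal.
"""
import shlex
from dataclasses import dataclass, field

LOOP_MIN_MA, LOOP_MAX_MA = 4.0, 20.0   # configurable current-loop range (page)
VOLT_MIN, VOLT_MAX = -60.0, 60.0       # fixed range of voltage points (page)
LEVEL_NAMES = {1: "critical", 2: "major", 3: "minor"}  # assumed mapping


@dataclass
class AnalogPoint:
    number: int
    mode: str = "analog"            # "analog" (five ranges) or "discrete" (two)
    kind: str = "voltage"           # "voltage" or "current-loop"
    low_bound: float = VOLT_MIN     # engineering value read at 4 mA
    high_bound: float = VOLT_MAX    # engineering value read at 20 mA
    thresholds: list = field(default_factory=list)  # 4 values analog, 1 discrete
    normal_high: bool = True        # discrete only: higher range is normal
    levels: dict = field(default_factory=dict)      # state -> level number
    descriptions: dict = field(default_factory=dict)

    def scale(self, reading):
        """Raw reading (mA for current-loop, V for voltage) -> engineering units."""
        if self.kind == "voltage":
            return float(reading)
        frac = (reading - LOOP_MIN_MA) / (LOOP_MAX_MA - LOOP_MIN_MA)
        return self.low_bound + frac * (self.high_bound - self.low_bound)

    def classify(self, value):
        """Active alarm state for a value already in engineering units."""
        if self.mode == "discrete":
            t = self.thresholds[0]
            in_alarm = value < t if self.normal_high else value > t
            return "alarm" if in_alarm else "normal"
        ll, lo, hi, hh = self.thresholds   # ascending: low-low, low, high, high-high
        if value < ll:
            return "low-low"
        if value < lo:
            return "low"
        if value <= hi:
            return "normal"
        if value <= hh:
            return "high"
        return "high-high"              # only one state is active at a time

    def state(self, reading):
        """Alarm state for a raw reading, after scaling."""
        return self.classify(self.scale(reading))

    def severity(self, value):
        """Severity name of the state a value lands in ('normal' if no alarm)."""
        st = self.classify(value)
        if st == "normal":
            return "normal"
        return LEVEL_NAMES.get(self.levels.get(st), "unknown")


def parse_alarm(text):
    """Parse one 'alarm N ... exit' block written the way the page's examples are."""
    pt = None
    for line in text.strip().splitlines():
        tok = shlex.split(line)           # keeps "west door" as one token
        if not tok:
            continue
        if tok[0] == "alarm":
            pt = AnalogPoint(int(tok[1]))
        elif tok[0] in ("analog", "discrete"):
            pt.mode, pt.kind = tok[0], tok[1]
            vals = []
            for x in tok[2:]:
                try:
                    vals.append(float(x))
                except ValueError:        # trailing 'high' / 'low' keyword
                    pt.normal_high = (x == "high")
            if pt.kind == "current-loop": # first and last values are the bounds
                pt.low_bound, pt.high_bound = vals[0], vals[-1]
                vals = vals[1:-1]
            pt.thresholds = vals
        elif tok[0] == "level":           # 'level low-low 1' or, discrete, 'level 1'
            st, num = (tok[1], tok[2]) if len(tok) == 3 else ("alarm", tok[1])
            pt.levels[st] = int(num)
        elif tok[0] == "description":     # 'description "x"' or 'description low "x"'
            key, desc = ("point", tok[1]) if len(tok) == 2 else (tok[1], tok[2])
            pt.descriptions[key] = desc
        # enable, config terminal, normally, exit: irrelevant to evaluation
    return pt


if __name__ == "__main__":
    # Constructed input: the page's point-57 temperature example (-20..75 C).
    temp = parse_alarm("""
alarm 57
analog current-loop -20 0 10 35 45 75
level low-low 1
level low 2
level high 3
level high-high 2
""")
    for ma in (4.0, 8.0, 12.0, 16.0, 20.0):
        v = temp.scale(ma)
        print(f"{ma:4.1f} mA -> {v:6.2f} C  {temp.classify(v):9s} {temp.severity(v)}")
```

Running the block walks the point-57 example from 4 mA (-20 C, critical) to 20 mA (75 C, major). The point-58 voltage example shows why setting both high thresholds to the 60 V bound works: a reading can never exceed 60, so the high and high-high states are unreachable and only the low-side alarms can fire.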

Programming the Discrete Contact Points

The discrete alarms do not require as much programming as the analog alarms. The AIC CLI commands available are the following:

Command
Description

no

Reversal option

exit

Exits current mode

description

Sets the description. The no form removes it.

normally

Sets the alarm's normal state to closed. If the no option is used, the normal state is set to open. This command applies only to points 1 - 56.

level

Sets the alarm's level to the specified level.


Verifying the IP Address

To verify that the correct AIC IP address and IP route were entered, use the show run command. The lines that matter are the serial interface, the host route to the AIC, and the alarm-interface block:

interface Serial5/0
 ip unnumbered FastEthernet0/0
!
ip route 10.2.130.102 255.255.255.255 Serial5/0
!
alarm-interface 5
 ip address 10.2.130.102


The following are complete before-configuration and after-configuration show run outputs. These lab samples use a cleartext vty password (no service password-encryption) and leave ip http server enabled; do not carry those settings into a production DCN router.

********Before Configuration show run Output*******
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname uut2-RouterA
!
logging rate-limit console 10 except errors
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
cns event-service server
!
!
interface FastEthernet0/0
 ip address 10.2.130.2 255.255.0.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial5/0
 no ip address
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.0.1
ip http server
!
no cdp run
!
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 transport input none
line 161
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 password lab
 login
!
end


*****After Configuration show run Output*******

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname uut2-3660
!
logging rate-limit console 10 except errors
no logging console
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
cns event-service server
!
interface FastEthernet0/0
 ip address 10.2.130.2 255.255.0.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial5/0
ip unnumbered FastEthernet0/0
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.0.1
ip route 10.2.130.102 255.255.255.255 Serial5/0
ip http server
!
no cdp run
!
!
alarm-interface 5
 ip address 10.2.130.102
!
dial-peer cor custom
!
!
!
line con 0
 exec-timeout 0 0
 transport input none
line 161
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 password lab
 login
!
end

Troubleshooting Tips

If no alarm messages are sent for an unusually long period of time, ping the AIC address to check for connectivity.

Monitoring and Maintaining the NM-AIC-64 Contact Closure Network Module

The AIC provides a TFTP client for software upgrade and configuration image transfer. The methods for both actions, as well as how to override the existing software or configuration, are described below.

Software Upgrade

When upgrading software, the AIC must be reset to run the new software. The AIC provides a protected (login required) command for software download. When the user invokes this command with the TFTP server address as a parameter, the AIC connects to that IP address and retrieves the software image file via TFTP. After verifying that the software has been transferred successfully, the AIC replaces its running software with the newly downloaded software. TFTP provides neither authentication nor integrity protection, so the TFTP server, and the network path to it, must be trusted; the AIC's check confirms only that the transfer completed.

In the case of incompatible versions of Cisco IOS and AIC software, the Cisco IOS software recognizes the difference and displays this information to the user. The user makes the decision whether to upgrade or downgrade either the Cisco IOS or AIC software or to take no corrective action.

Configuration Backup

The AIC CLI provides commands for storing and restoring configurations. Users can transfer the current configuration of the AIC from the TFTP server whose address is given as a parameter to the get config command. When a configuration file is transferred from the server to the AIC, the AIC takes on the new configuration.

The configuration is stored as a list of commands (script) that can be applied to the CLI of an AIC for configuration.

Two other useful commands are the get image and put config commands. Use the get image command to get a new image, and the put config command to back up the configuration to the TFTP server.

Backup is not automatic, but the AIC reminds the user, on logout, to back up the configuration.

Override

In the case that bad software is resident on the AIC or that the configured administrator password is lost, the AIC provides a method for recovering the card. Upon booting, the AIC begins a countdown, visible at the AIC local CLI (Craft Port). If an ASCII character is received on that local CLI channel (DSCC4 channel 2) during this countdown, the AIC enters a mode in which a limited CLI is available. At this limited CLI, available over the Craft Port only, no login is necessary. Anyone who can open the craft port's TCP port on the router while the card boots can therefore replace the AIC's software or erase its configuration, so that port must be restricted to trusted management hosts. The user may enter commands for software upgrade and configuration transfer. The new configuration takes effect upon a reset of the AIC card.

After interrupting the countdown, the user will see an AIC Boot]: prompt. From this prompt, the user can enter "?" to see the available commands, "g" to get a new application image, or "d" to delete the current configuration and return to the defaults. (All commands require a carriage return.) In the case of the get command, the user will be prompted for the name of the file, the IP address of the TFTP server, and a confirmation.

Configuration Examples

AIC IP Address Configuration Example

The following example shows a Cisco router configured with an AIC IP address:

version 12.2
no service single-slot-reload-enable
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA-top
!
logging rate-limit console 10 except errors
!
memory-size iomem 15
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip host moe 172.31.10.2
ip host mickey 10.1.1.2
!
no ip dhcp-client network-discovery
frame-relay switching
x25 routing
!
!
call-history-mib max-size 50
!
interface Ethernet0/0
 ip address 10.5.37.13 255.255.0.0
 ip helper-address 223.255.254.254
 no keepalive
 half-duplex
!
interface Serial0/0
 ip address 10.5.5.1 255.255.255.0
 encapsulation frame-relay
 no ip mroute-cache
 clockrate 500000
 frame-relay class voice-vc
 frame-relay traffic-shaping
 frame-relay map ip 10.5.5.2 990 broadcast
 frame-relay interface-dlci 990
 frame-relay intf-type dce
!
interface Ethernet0/1
 no ip address
 half-duplex
 no cdp enable
!
interface Serial0/1
 ip address 10.11.11.1 255.255.255.0
 encapsulation frame-relay
 no ip mroute-cache
 clockrate 256000
 frame-relay class voice-vc
 frame-relay traffic-shaping
 frame-relay interface-dlci 991
 frame-relay intf-type dce
!
interface Serial1/0
 ip address negotiated
!
router mobile
!
ip kerberos source-interface any
ip classless
ip route 223.255.254.254 255.255.255.255 10.5.0.1
ip route 223.255.254.254 255.255.255.255 Ethernet0/0
no ip http server
!
!
map-class frame-relay voice-vc
 frame-relay cir 800000
 frame-relay bc 512000
 no frame-relay adaptive-shaping
 frame-relay fair-queue
 frame-relay voice bandwidth 500000
 frame-relay fragment 100
 frame-relay ip rtp priority 16384 16383 512
!         
map-class frame-relay fr1
 frame-relay cir 1000000
 frame-relay bc 1000
 no frame-relay adaptive-shaping
 frame-relay fair-queue
 frame-relay voice bandwidth 1000000
 frame-relay fragment 100
!
map-class frame-relay voice-vc2
 frame-relay cir 800000
 frame-relay bc 512000
 no frame-relay adaptive-shaping
 frame-relay voice bandwidth 800000
!
map-class frame-relay voice-data
access-list 1 deny   192.200.1.20
access-list 2 deny   10.10.1.10
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
snmp-server packetsize 4096
snmp-server manager
!
alarm-interface 1
 ip address 10.4.3.2
call rsvp-sync
!
mgcp modem passthrough voip mode ca
no mgcp timer receive-rtcp
!
mgcp profile default
!
dial-peer cor custom
!
dial-peer voice 1 pots
 destination-pattern 3
 direct-inward-dial
 forward-digits all
!
dial-peer voice 100 voip
 shutdown
 destination-pattern 3
 session target ipv4:10.2.81.1
 playout-delay maximum 300
!
dial-peer voice 2 pots
 shutdown
 destination-pattern 3002
!
dial-peer voice 3 pots
 shutdown
 destination-pattern 3003
!
dial-peer voice 4 pots
 shutdown
 destination-pattern 3004
!
dial-peer voice 2000 voip
 shutdown
 destination-pattern 2...
 session target ipv4:5.5.5.2
 playout-delay maximum 300
!
dial-peer voice 110 voip
 shutdown 
 destination-pattern 1...
 session target ipv4:10.2.83.30
 playout-delay maximum 300
!
dial-peer voice 922 pots
 shutdown
 destination-pattern 9..
!
dial-peer voice 22 pots
 shutdown
 destination-pattern 22
!
dial-peer voice 6001 pots
 shutdown
 destination-pattern 6001
!
dial-peer voice 333 voip
 shutdown
 destination-pattern 1
 session target ipv4:10.2.79.55
 playout-delay maximum 300
!
dial-peer voice 200 vofr
 shutdown
 destination-pattern 1
!
dial-peer voice 7001 pots
 shutdown
 destination-pattern 7001
!
dial-peer voice 5000 voip
 shutdown
 destination-pattern 5...
 session target ipv4:10.11.11.2
 playout-delay maximum 300
!
dial-peer voice 20 voip
 shutdown
 destination-pattern 1
 session target ipv4:10.11.11.2
 playout-delay maximum 300
!
dial-peer voice 2001 voip
 preference 2
 shutdown
 destination-pattern 2...
 session target ipv4:10.2.79.7
 playout-delay maximum 300
!
dial-peer voice 1000 voip
 destination-pattern 1...
 session target ipv4:10.2.81.6
 playout-delay maximum 300
 no vad
!
dial-peer voice 1001 voatm
 shutdown
 destination-pattern 1...
!
dial-peer voice 1100 vofr
 shutdown
 destination-pattern 1...
 session target Serial0/0 990
 no vad
!
gateway 
!
gateway 
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 transport input none
line 33
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 login
!
end

IP Route to the AIC Configuration Examples

The following examples show the configuration of an IP route to the AIC with an unnumbered IP address and with a numbered IP address.

With an Unnumbered IP Address

The following example shows a Cisco router whose IP route to the AIC uses an unnumbered IP address on the serial interface:

version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname uut2-RouterB
!
logging rate-limit console 10 except errors
no logging console
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
cns event-service server
!
interface FastEthernet0/0
 ip address 10.2.130.2 255.255.0.0
 duplex auto
 speed auto
no cdp enable
!
interface Serial5/0
 ip unnumbered FastEthernet0/0
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.0.1
ip route 10.2.130.102 255.255.255.255 Serial5/0
ip http server
!
no cdp run
!
alarm-interface 5
 ip address 10.2.130.102
!
dial-peer cor custom
!
!
!
line con 0
 exec-timeout 0 0
 transport input none
line 161
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 password lab
 login
!
end

Without an Unnumbered IP Address

The following example shows a Cisco router configured without an unnumbered IP address:

uut5-2621#s run
Building configuration...

Current configuration :1318 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname uut5-RouterC
!
logging rate-limit console 10 except errors
no logging console
!
ip subnet-zero
!
no ip finger
no ip domain-lookup
!         
no ip dhcp-client network-discovery
!
interface FastEthernet0/0
 ip address 10.2.130.5 255.255.0.0
 duplex auto
 speed auto
 no cdp enable
!
interface Serial1/0
 ip address 172.128.12.1 255.255.255.252
!
router rip
 network 10.0.0.0
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.0.1
no ip http server
!
no cdp run
!
snmp-server packetsize 4096
snmp-server manager
!
!
alarm-interface 1
 ip address 172.128.12.2
call rsvp-sync
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 transport input none
line 33
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 password lab
 login
!
no scheduler allocate
!
end

AIC CLI Configuration for Alarms

These examples are output from the show alarm config # command.

Discrete Alarm

description:west door
normally closed
normal state description:door closed
alarm state description:door open
SNMP trap:enabled

Analog Alarm Monitoring Current

description:thermostat
high-high state description:very hot
high state description:hot
normal state description:just right
low state description:cold
low-low state description:very cold
current-loop -5.2 5.4 15.0 25.0 35.1 45.6
SNMP trap:enabled

Analog Alarm Monitoring Current Configured as a Discrete

description:east door
configured as discrete
normal state description:door closed
alarm description:door open
current-loop 0.0 3.2 5.9

SNMP trap:enabled

Configuring QoS Attributes

To use QoS on the MWR 1941-DC router in a Cell Site DCN, create a class map that defines the criteria that a packet must match to be placed in that class, and then tell the router the action to take on packets that match by creating a policy map. These two components make up the QoS boilerplate; once you have created the QoS boilerplate, you can assign it to an interface.


Note The QoS functionality of the MWR 1941-DC router is built on the same code as the Cisco 10000 ESR (with some exceptions). For more information about the QoS feature, see "Configuring Quality of Service" (http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/10ksw/qosos.htm) and the "Cisco 10000 Series ESR Quality of Service" feature module (http://www.cisco.com/univercd/cc/td/doc/product/aggr/10000/10kfm/fm_qos.htm), as well as the "Cisco IOS Quality of Service Solutions Configuration Guide" and the "Cisco IOS Quality of Service Solutions Command Reference."


Creating a Class Map

For each class map that you want to create, do the following in global configuration mode:


Step 1 Assign a name to your class map.

Router(config)# class-map [match-all | match-any] class_name

Where match-any means a single match rule is sufficient for class membership and match-all means only those packets that have all the attributes you specify are part of the class.

When you enter the class-map command, you are placed in class map configuration mode.

Step 2 Describe the characteristics of the packets that are subject to QoS using one or more of the following commands.

Router(config-cmap)# match access-group number

Router(config-cmap)# match ip dscp number

Router(config-cmap)# match ip precedence number

Router(config-cmap)# match input-interface interface-name

Router(config-cmap)# match protocol protocol

match access-group specifies the access control list (ACL) that a packet must match.

match ip dscp specifies the IP differentiated services code point (DSCP) that a packet must match.

match ip precedence specifies the precedence values (0-7) that a packet must match.

match input-interface specifies the name of the input interface used as a match criterion.

match protocol specifies the protocol that a packet must match.

For more information about these commands, see the "Cisco IOS Quality of Service Solutions Command Reference."

Step 3 Exit class map configuration mode.

Router(config-cmap)# exit


Creating a Policy Map

To create a policy map, do the following in global configuration mode:


Step 1 Assign a name to your policy map.

Router(config)# policy-map policy_name

When you enter the policy-map command, you are placed in policy map configuration mode.

Step 2 Associate the policy map with a class map.

Router(config-pmap)# class class_name

Specify the same class_name as you did in Step 1 of Creating a Class Map. When you enter the class command, you are placed in class submode of the policy-map configuration mode.

Step 3 Describe the QoS actions you want the router to perform when the router encounters a packet that has the characteristics described by the class map. Use one or more of the following commands:

Router(config-pmap-c)# priority percent number

Router(config-pmap-c)# bandwidth percent number

Router(config-pmap-c)# queue-limit number

Router(config-pmap-c)# priority rate-in-kbps

Router(config-pmap-c)# shape {average | peak} cir [bc] [be]

Router(config-pmap-c)# shape max-buffers number-of-buffers

priority percent gives priority to a class of traffic belonging to a policy map and specifies that a certain percentage of the available bandwidth should be reserved for this class.

bandwidth percent specifies the bandwidth allocated for a class belonging to a policy map.

queue-limit specifies the maximum number of packets the queue can hold for a class policy configured in a policy map.

priority enables low-latency priority queuing, which allows you to assign a specified share of the link bandwidth to one queue that receives priority over all others. Low-latency priority queueing minimizes the packet-delay variance for delay-sensitive traffic, such as live voice and video.

shape and shape max-buffers are used with class-based weighted fair queuing (CB-WFQ), which allows you to control the traffic going out an interface in order to match its transmission to the speed of the remote target interface.


Note The bandwidth percent and priority percent commands cannot be used together in the same class of a policy map, but they can be used in different classes of the same policy map.


For more information about these commands, see the "Cisco IOS Quality of Service Solutions Command Reference."

Step 4 Repeat Step 2 and Step 3 for each class map.

Step 5 Exit policy map configuration mode.

Router(config-pmap-c)# exit
Router(config-pmap)# exit


Assigning a QoS Boilerplate to an Interface

To assign a QoS boilerplate to an interface, do the following in global configuration mode.


Step 1 Access interface configuration mode.

Router(config)# interface number

Step 2 Assign the QoS boilerplate to the interface.

Router(config-if)# service-policy output policy_name


Configuration Example

The following is an example configuration of QoS configured on the MWR 1941-DC router in a Cell Site DCN.

class-map match-all voice-class
 match protocol rtp
class-map match-all nm-class
 match protocol snmp
 match protocol syslog
class-map match-all data-class
 match protocol telnet
 match protocol ftp
 match protocol http
!
policy-map proto
 class nm-class
  bandwidth percent 20
  queue-limit 300
 class data-class
  bandwidth percent 40
  queue-limit 300
 class voice-class
  bandwidth percent 40
  queue-limit 300

Filtering IP Packets Using Access Lists

Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, we provide access lists.

You can use access lists in the following ways:

To control the transmission of packets on an interface

To control vty access

To restrict contents of routing updates

This section summarizes how to create IP access lists and how to apply them.

An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The Cisco IOS software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.

The two main tasks involved in using access lists are as follows:

1. Create an access list by specifying an access list number or name and access conditions.

2. Apply the access list to interfaces or terminal lines.

These and other tasks are described in this section and are labeled as required or optional. Either the first or second task is required, depending on whether you identify your access list with a number or a name.

Creating Standard and Extended Access Lists Using Numbers (Required)

Creating Standard and Extended Access Lists Using Names (Required)

Specifying IP Extended Access Lists with Fragment Control (Optional)

Enabling Turbo Access Control Lists (Optional)

Applying Time Ranges to Access Lists (Optional)

Including Comments About Entries in Access Lists (Optional)

Applying Access Lists (Required)

Configuration Examples

Creating Standard and Extended Access Lists Using Numbers

Cisco IOS software supports the following types of access lists for IP:

Standard IP access lists that use source addresses for matching operations.

Extended IP access lists that use source and destination addresses for matching operations, and optional protocol type information for finer granularity of control.

Dynamic extended IP access lists that grant access per user to a specific source or destination host basis through a user authentication process. In essence, you can allow user access through a firewall dynamically, without compromising security restrictions. Dynamic access lists and lock-and-key access are described in the "Configuring Traffic Filters" chapter of the Cisco IOS Security Configuration Guide.

Reflexive access lists that allow IP packets to be filtered based on session information. Reflexive access lists contain temporary entries, and are nested within an extended, named IP access list. For information on reflexive access lists, refer to the "Configuring IP Session Filtering (Reflexive Access Lists)" chapter in the Cisco IOS Security Configuration Guide and the "Reflexive Access List Commands" chapter in the Cisco IOS Security Command Reference.


Note Release 11.1 introduced substantial changes to IP access lists. These extensions are backward compatible; migrating from a release earlier than Release 11.1 to the current release will convert your access lists automatically. However, the current implementation of access lists is incompatible with Cisco IOS Release 11.1 or earlier. If you create an access list using the current Cisco IOS release and then load older Cisco IOS software, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting Release 11.1 or earlier images.


To create a standard access list, use the following commands in global configuration mode:

Step 1

Command: Router(config)# access-list access-list-number remark remark

Purpose: Indicates the purpose of the deny or permit statement.1

Step 2

Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

Purpose: Defines a standard IP access list using a source address and wildcard.

or

Command: Router(config)# access-list access-list-number {deny | permit} any [log]

Purpose: Defines a standard IP access list using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255.

1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.

The Cisco IOS software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console global configuration command.

The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.

However, you can use the ip access-list log-update command to set the number of packets that, when they match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.


Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching it; every packet that matches an access list causes a log message. A setting of 1 is not recommended because the volume of log messages could overwhelm the system.

Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so each cache is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified.


Note The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.



Note If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
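
The cache behaviour described above, as an added Python model that is not part of this guide and is not Cisco's implementation: the first match logs immediately, later matches are counted per source, the count is reported when the 5-minute timer fires or when the threshold (standing in for the ip access-list log-update threshold value) is reached, and every message flushes the cache. The message text and the 192.0.2.10 source address are constructed; AclLogCache and message_count are names chosen here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOG_INTERVAL = 300  # seconds: the 5-minute cache interval the guide describes


@dataclass
class _Cache:
    count: int = 0             # matches collected since the last message
    window_start: float = 0.0  # when the current 5-minute window began


class AclLogCache:
    """Model of the per-(list, action, source) cache behind the log keyword.

    Assumed behaviour, following the guide's description: the first matching
    packet logs at once; later matches are counted and reported when the
    5-minute window ends, or earlier once the count reaches the log-update
    threshold. Every emitted message flushes the cache and resets the count.
    """

    def __init__(self, threshold: Optional[int] = None):
        self.threshold = threshold          # None: no log-update threshold set
        self._caches: Dict[Tuple[int, str, str], _Cache] = {}
        self.messages: List[str] = []       # constructed text, not the exact IOS syslog line

    def match(self, now: float, acl: int, action: str, src: str) -> None:
        """Record one packet that matched a logged entry at time 'now'."""
        key = (acl, action, src)
        cache = self._caches.get(key)
        if cache is None:
            # First packet that triggers the entry: immediate message
            self.messages.append(f"list {acl} {action} {src} 1 packet")
            self._caches[key] = _Cache(count=0, window_start=now)
            return
        cache.count += 1
        if self.threshold is not None and cache.count >= self.threshold:
            self._emit(key, cache, now)

    def timer(self, now: float) -> None:
        """The 5-minute timer: flush every cache whose window has elapsed."""
        for key, cache in self._caches.items():
            if now - cache.window_start >= LOG_INTERVAL:
                self._emit(key, cache, now)

    def _emit(self, key: Tuple[int, str, str], cache: _Cache, now: float) -> None:
        acl, action, src = key
        if cache.count:
            self.messages.append(f"list {acl} {action} {src} {cache.count} packets")
        cache.count = 0          # flushed and reset whether or not a threshold is set
        cache.window_start = now


def message_count(threshold: Optional[int], packets: int) -> int:
    """Messages produced by 'packets' matches from one source within one second,
    with the timer never firing: shows why a threshold of 1 floods the log."""
    cache = AclLogCache(threshold)
    for i in range(packets):
        cache.match(i / 1000.0, 1, "denied", "192.0.2.10")  # constructed source
    return len(cache.messages)


if __name__ == "__main__":
    for threshold in (None, 10, 1):
        print(f"threshold={threshold}: {message_count(threshold, 100)} messages for 100 packets")
```

With no threshold, 100 matching packets in one second produce a single message until the timer fires; with a threshold of 1 they produce 100, which is the flood the Caution above warns about. The model also shows why the counts are not an audit record: whatever was cached is reported in aggregate, and the note about dropped logging packets applies on top of that.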


For an example of a standard IP access list using logs, see the "Numbered Access List Examples" section.

To create an extended access list, use the following commands in global configuration mode:

Step 1

Command: Router(config)# access-list access-list-number remark remark

Purpose: Indicates the purpose of the deny or permit statement.1

Step 2

Command: Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list number and the access conditions. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.

or

Command: Router(config)# access-list access-list-number {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

or

Command: Router(config)# access-list access-list-number {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

or

Command: Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines a dynamic access list. For information about lock-and-key access, refer to the "Configuring Traffic Filters" chapter in the Cisco IOS Security Configuration Guide.

1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.


Note The fragments keyword is described in the "Specifying IP Extended Access Lists with Fragment Control" section.


After you create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.


Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.



Note In a standard access list, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.



Note Autonomous switching is not used when you have extended access lists.


After creating an access list, you must apply it to a line or interface, as shown in the "Applying Access Lists" section. See the "Implicit Masks in Access Lists Examples" section for examples of implicit masks.

Creating Standard and Extended Access Lists Using Names

You can identify IP access lists with an alphanumeric string (a name) rather than a number. Named access lists allow you to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. Currently, only packet and route filters can use a named list.

Consider the following guidelines before configuring named access lists:

Access lists specified by name are not compatible with Cisco IOS Releases prior to 11.2.

Not all access lists that accept a number will accept a name. Access lists for packet filters and route filters on interfaces can use a name.

A standard access list and an extended access list cannot have the same name.

Numbered access lists are also available, as described in the "Creating Standard and Extended Access Lists Using Numbers" section.


Note Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.


To create a standard access list, use the following commands beginning in global configuration mode:

Step 1

Command: Router(config)# ip access-list standard name

Purpose: Defines a standard IP access list using a name and enters standard named access list configuration mode.

Step 2

Command: Router(config-std-nacl)# remark remark

Purpose: Allows you to comment about the following deny or permit statement in a named access list.1

Step 3

Command: Router(config-std-nacl)# deny {source [source-wildcard] | any} [log]

and/or

Command: Router(config-std-nacl)# permit {source [source-wildcard] | any} [log]

Purpose: Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.

Step 4

Command: Router(config-std-nacl)# exit

Purpose: Exits access-list configuration mode.

1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.

To create an extended access list, use the following commands beginning in global configuration mode:

Step 1

Command: Router(config)# ip access-list extended name

Purpose: Defines an extended IP access list using a name and enters extended named access list configuration mode.

Step 2

Command: Router(config-ext-nacl)# remark remark

Purpose: Allows you to comment about the following deny or permit statement in a named access list.1

Step 3

Command: Router(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: In access-list configuration mode, specifies the conditions allowed or denied. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.

or

Command: Router(config-ext-nacl)# {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

or

Command: Router(config-ext-nacl)# {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

or

Command: Router(config-ext-nacl)# dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]

Purpose: Defines a dynamic access list.

1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.


Note Autonomous switching is not used when you have extended access lists.



Note The fragments keyword is described in the "Specifying IP Extended Access Lists with Fragment Control" section.


After you initially create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add access list command lines to a specific access list. However, you can use no permit and no deny commands to remove entries from a named access list.


Note When making the standard and extended access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. Further, with standard access lists, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.


After creating an access list, you must apply it to a line or interface, as shown in the "Applying Access Lists" section.

See the "Named Access List Example" section for an example of a named access list.

Specifying IP Extended Access Lists with Fragment Control

This section describes the functionality added to IP extended named and numbered access lists. You can now specify whether the system examines noninitial IP fragments of packets when applying an IP extended access list.

Prior to this feature, nonfragmented packets and the initial fragment of a packet were processed by IP extended access lists (if such an access list was applied), but noninitial fragments were permitted by default. The IP Extended Access Lists with Fragment Control feature now allows more granularity of control over noninitial packets.

Because noninitial fragments contain only Layer 3 information, access-list entries that contain only Layer 3 information are now applied to noninitial fragments as well. Such a fragment carries all the information the system needs to filter it, so the entry is applied to the fragments.

This feature adds the optional fragments keyword to four IP access list commands [access-list (IP extended), deny (IP), dynamic, and permit (IP)]. By specifying the fragments keyword in an access list entry, that particular access list entry applies only to noninitial fragments of packets; the fragment is either permitted or denied accordingly.

The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword, and assuming all of the access-list entry information matches:

For an access-list entry containing only Layer 3 information, the entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information, the entry is applied to nonfragmented packets and initial fragments as follows:

If the entry matches and is a permit statement, the packet or fragment is permitted.

If the entry matches and is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of the access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

the entry is a permit statement, the noninitial fragment is permitted;

the entry is a deny statement, the next access-list entry is processed.


Note Deny statements are handled differently for noninitial fragments than for nonfragmented packets or initial fragments.


If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches:

The access-list entry is applied only to noninitial fragments.


Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.



Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of an IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match a permit or deny entry that contains the fragments keyword; instead, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. Where there are multiple deny entries for the same host but with different Layer 4 ports, a single deny entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

The fragments keyword can be applied to dynamic access lists also.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
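
The evaluation rules from the numbered and named access list sections above (wildcard masks, the any and host abbreviations, first match wins, the implicit deny at the end of the list) together with the fragments rules in the table in this section, as an added Python model. It is not part of this guide and not Cisco's implementation; AclEntry, Packet and evaluate are names chosen here, the 192.0.2.x and 198.51.100.x addresses, the sample lists and the packets are constructed, and it simplifies by treating a destination port as the only kind of Layer 4 information.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' abbreviation


def host(addr: str) -> Tuple[str, str]:
    """The 'host' abbreviation: address with wildcard 0.0.0.0, which is also the
    mask IOS assumes when a standard-list entry omits it."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp", "icmp"
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None  # Layer 4 information when set ('eq port')
    fragments: bool = False         # the fragments keyword

    def __post_init__(self) -> None:
        # The guide: fragments cannot be configured on an entry with Layer 4 information
        if self.fragments and self.dst_port is not None:
            raise ValueError("fragments keyword cannot be combined with Layer 4 information")


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None  # None on a noninitial fragment: no L4 header present
    fragment_offset: int = 0        # > 0 marks a noninitial fragment


def layer3_matches(e: AclEntry, p: Packet) -> bool:
    return (e.protocol in ("ip", p.protocol)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst))


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """Returns "permit" or "deny". First match wins; falling off the end is the
    implicit deny, so ordering decides the result."""
    noninitial = p.fragment_offset > 0
    for e in acl:
        has_l4 = e.dst_port is not None
        if e.fragments:
            # An entry with the fragments keyword applies only to noninitial fragments
            if noninitial and layer3_matches(e, p):
                return e.action
            continue
        if not layer3_matches(e, p):
            continue
        if not noninitial:
            # Nonfragmented packet or initial fragment: L3 and L4 must both match
            if has_l4 and p.dst_port != e.dst_port:
                continue
            return e.action
        # Noninitial fragment against an entry without the fragments keyword:
        # only the L3 portion can be compared. A permit applies; a deny that
        # carries L4 information is skipped and the next entry is processed.
        if has_l4 and e.action == "deny":
            continue
        return e.action
    return "deny"  # implicit deny at the end of every access list


# Constructed sample lists. LEAKY blocks telnet from one host but lets that
# host's noninitial fragments through; FIXED adds the single fragments entry
# the guide recommends for the host.
LEAKY = [
    AclEntry("deny", "tcp", host("192.0.2.10"), ANY, dst_port=23),
    AclEntry("permit", "ip", ANY, ANY),
]
FIXED = [
    AclEntry("deny", "tcp", host("192.0.2.10"), ANY, dst_port=23),
    AclEntry("deny", "ip", host("192.0.2.10"), ANY, fragments=True),
    AclEntry("permit", "ip", ANY, ANY),
]

# Constructed packets: an initial fragment to port 23, a noninitial fragment of
# the same datagram, and an initial fragment to a different port.
INITIAL = Packet("tcp", "192.0.2.10", "198.51.100.5", dst_port=23)
NONINITIAL = Packet("tcp", "192.0.2.10", "198.51.100.5", dst_port=None, fragment_offset=185)
OTHER_PORT = Packet("tcp", "192.0.2.10", "198.51.100.5", dst_port=80)

if __name__ == "__main__":
    for name, acl in (("leaky", LEAKY), ("fixed", FIXED)):
        for pname, pkt in (("initial", INITIAL), ("noninitial", NONINITIAL), ("port 80", OTHER_PORT)):
            print(f"{name:5} {pname:10} -> {evaluate(acl, pkt)}")
```

Running it shows the leak the text describes: under LEAKY the initial fragment to port 23 is denied but the noninitial fragment of the same datagram is permitted by the final permit ip any any, while under FIXED the fragments entry denies it and a port 80 initial fragment from the same host is still permitted. Reversing the two entries of LEAKY permits everything from the host, which is the ordering point made earlier.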


Turbo Access Lists

A turbo access list treats fragments and uses the fragments keyword in the same manner as a nonturbo access list.

Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Benefits of Fragment Control in an IP Extended Access List

If the fragments keyword is used in additional IP access list entries that deny fragments, the fragment control feature provides the following benefits:

Additional Security

You are able to block more of the traffic you intended to block, not just the initial fragment of such packets. The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached because they are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic improves security and reduces the risk from potential hackers.

Reduced Cost

By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to block.

Reduced Storage

By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination does not have to store the fragments until the reassembly timeout period is reached.

Expected Behavior is Achieved

The noninitial fragments are handled in the same way as the initial fragment, which is what you would expect. There are fewer unexpected policy routing results and fewer fragments of packets being routed when they should not be.

For an example of fragment control in an IP extended access list, see the "IP Extended Access List with Fragment Control Example" section.

Enabling Turbo Access Control Lists

The Turbo Access Control Lists (Turbo ACL) feature processes access lists more expediently than conventional access lists. This feature enables a Cisco router to evaluate ACLs for more expedient packet classification and access checks.

ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a substantial amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is necessary for searching an access list with several entries.

The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include the following:

For ACLs larger than three entries, the CPU load required to match the packet to the predetermined packet-matching rule is lessened. The CPU load is fixed, regardless of the size of the access list, allowing for larger ACLs without incurring any CPU overhead penalties. The larger the access list, the greater the benefit.

The time taken to match the packet is fixed, so that latency of the packets is smaller (substantially in the case of large access lists) and, more importantly, consistent, allowing better network stability and more accurate transit times.


Note Access lists containing specialized processing characteristics such as evaluate and time-range entries are excluded from Turbo ACL acceleration.


The Turbo ACL builds a set of lookup tables from the ACLs in the configuration; these tables increase the internal memory usage, and in the case of large and complex ACLs, tables containing 2 MB to 4 MB of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this amount of memory usage. The show access-list compiled EXEC command displays the memory overhead of the Turbo ACL tables for each access list.

To configure the Turbo ACL feature, perform the tasks described in the following sections. The task in the first section is required; the task in the remaining section is optional:

Configuring Turbo ACLs (Required)

Verifying Turbo ACLs (Optional)

Configuring Turbo ACLs

To enable the Turbo ACL feature, use the following command in global configuration mode:

Command: Router(config)# access-list compiled

Purpose: Enables the Turbo ACL feature.


Verifying Turbo ACLs

Use the show access-list compiled EXEC command to verify that the Turbo ACL feature has been successfully configured on your router. This command also displays the memory overhead of the Turbo ACL tables for each access list. The command output contains the following states:

Operational—The access list has been compiled by Turbo ACL, and matching to this access list is performed through the Turbo ACL tables at high speed.

Unsuitable—The access list is not suitable for compiling, perhaps because it has time-range enabled entries, evaluate references, or dynamic entries.

Deleted—No entries are in this access list.

Building—The access list is being compiled. Depending on the size and complexity of the list, and the load on the router, the building process may take a few seconds.

Out of memory—An access list cannot be compiled because the router has exhausted its memory.

The following is sample output from the show access-lists compiled EXEC command:

Router# show access-lists compiled

Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
 ACL         State      Tables  Entries  Config  Fragment  Redundant  Memory
1           Operational    1        2        1         0          0      1Kb
2           Operational    1        3        2         0          0      1Kb
3           Operational    1        4        3         0          0      1Kb
4           Operational    1        3        2         0          0      1Kb
5           Operational    1        5        4         0          0      1Kb
9           Operational    1        3        2         0          0      1Kb
20          Operational    1        9        8         0          0      1Kb
21          Operational    1        5        4         0          0      1Kb
101         Operational    1       15        9         7          2      1Kb
102         Operational    1       13        6         6          0      1Kb
120         Operational    1        2        1         0          0      1Kb
199         Operational    1        4        3         0          0      1Kb
First level lookup tables:
Block      Use              Rows       Columns   Memory used
  0   TOS/Protocol            6/16     12/16      66048
  1   IP Source (MS)         10/16     12/16      66048
  2   IP Source (LS)         27/32     12/16      132096
  3   IP Dest (MS)            3/16     12/16      66048
  4   IP Dest (LS)            9/16     12/16      66048
  5   TCP/UDP Src Port        1/16     12/16      66048
  6   TCP/UDP Dest Port       3/16     12/16      66048
  7   TCP Flags/Fragment      3/16     12/16      66048
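To make the cost argument above concrete, here is an added toy model (not Cisco's implementation, and not code from this guide) of what compiling an access list into lookup tables buys you. It assumes one 256-entry table per source-address octet, each entry holding a bitmap of the ACEs that octet value satisfies; the real Turbo ACL tables are laid out differently, as the show output above indicates. The sample list is the chapter's own numbered access list 2.

```python
"""Toy model of compiling a standard IP access list into lookup tables.

Added illustration of the idea behind Turbo ACL (per-packet cost fixed,
independent of list length).  Not Cisco code: the assumed layout is one
256-entry table per source-address octet; real tables differ."""

# Constructed sample, copied from the numbered example in this chapter:
# permit one host on subnet 36.48.0.0, deny the rest of that subnet,
# permit everything else in network 36.0.0.0.
SAMPLE_ACL = [
    ("permit", "36.48.0.3", "0.0.0.0"),
    ("deny",   "36.48.0.0", "0.0.255.255"),
    ("permit", "36.0.0.0",  "0.255.255.255"),
]


def _octets(dotted):
    return [int(x) for x in dotted.split(".")]


def sequential_lookup(acl, src):
    """Reference behaviour: walk the list, first match wins, implicit deny."""
    s = _octets(src)
    for action, addr, wild in acl:
        a, w = _octets(addr), _octets(wild)
        # A 1 bit in the wildcard mask means "do not care" for that bit.
        if all(((s[k] ^ a[k]) & ~w[k] & 0xFF) == 0 for k in range(4)):
            return action
    return "deny"


def compile_acl(acl):
    """Build four 256-entry tables, one per source-address octet.

    Bit i of tables[k][v] is set when octet value v satisfies ACE i's
    octet k under that ACE's wildcard mask.  Build cost grows with the
    list, but it is paid once at compile time, not per packet."""
    tables = [[0] * 256 for _ in range(4)]
    for i, (_action, addr, wild) in enumerate(acl):
        a, w = _octets(addr), _octets(wild)
        for k in range(4):
            for v in range(256):
                if ((v ^ a[k]) & ~w[k] & 0xFF) == 0:
                    tables[k][v] |= 1 << i
    return tables


def compiled_lookup(acl, tables, src):
    """Four table reads and three ANDs per packet, however long the ACL is.

    The intersection holds every ACE the address satisfies; the lowest set
    bit is the earliest one, which preserves first-match semantics."""
    bits = (1 << len(acl)) - 1
    for k, v in enumerate(_octets(src)):
        bits &= tables[k][v]
        if not bits:
            return "deny"          # no ACE matches: implicit deny
    first = (bits & -bits).bit_length() - 1
    return acl[first][0]


def table_memory_bytes(acl, tables):
    """Rough size of the compiled tables: entries x bytes per bitmap.
    This is the kind of overhead the Memory column above reports."""
    width = (len(acl) + 7) // 8
    return sum(len(t) for t in tables) * width


if __name__ == "__main__":
    tables = compile_acl(SAMPLE_ACL)
    for src in ("36.48.0.3", "36.48.7.9", "36.1.2.3", "10.0.0.1"):
        print(src, sequential_lookup(SAMPLE_ACL, src),
              compiled_lookup(SAMPLE_ACL, tables, src))
```

The point of the model is the shape of `compiled_lookup`: its work does not depend on `len(acl)`, whereas `sequential_lookup` walks every entry in the worst case. The trade is memory, which is why the guide recommends budgeting for the table overhead on routers that enable the feature.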

Applying Time Ranges to Access Lists

You can implement access lists based on the time of day and week using the time-range global configuration command. To do so, first define the name and times of the day and week of the time range, then reference the time range by name in an access list to apply restrictions to the access list.

Currently, IP and Internetwork Packet Exchange (IPX) named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. The time-range keyword is referenced in the named and numbered extended access list task tables in the "Creating Standard and Extended Access Lists Using Numbers" section and "Creating Standard and Extended Access Lists Using Names" section. The time-range command is described in the "Performing Basic System Management" chapter of the Cisco IOS Configuration Fundamentals Configuration Guide. See the "Time Range Applied to an IP Access List Example" section for a configuration example of IP time ranges.

Possible benefits of using time ranges include the following:

The network administrator has more control over permitting or denying a user access to resources. These resources could be an application (identified by an IP address/mask pair and a port number), policy routing, or an on-demand link (identified as interesting traffic to the dialer).

Network administrators can set time-based security policy, including the following:

Perimeter security using the Cisco IOS Firewall feature set or access lists

Data confidentiality with Cisco Encryption Technology or IP Security Protocol (IPSec)

Policy-based routing (PBR) and queueing functions are enhanced.

When provider access rates vary by time of day, it is possible to automatically reroute traffic cost effectively.

Service providers can dynamically change a committed access rate (CAR) configuration to support the quality of service (QoS) service level agreements (SLAs) that are negotiated for certain times of day.

Network administrators can control logging messages. Access list entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without needing to analyze many logs generated during peak hours.

Including Comments About Entries in Access Lists

You can include comments (remarks) about entries in any named IP access list using the remark access-list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. The standard and extended access list task tables in the "Creating Standard and Extended Access Lists Using Numbers" section and "Creating Standard and Extended Access Lists Using Names" section include the remark command. See the "Commented IP Access List Entry Examples" section for examples of commented IP access list entries.

Remember to apply the access list to an interface or terminal line after the access list is created. See the following section "Applying Access Lists" for more information.

Applying Access Lists

After creating an access list, you must reference the access list to make it work. To use an access list, perform the tasks described in the following sections. The tasks in the first section are required; the tasks in the remaining sections are optional:

Controlling Access to a Line or Interface (Required)

Controlling Policy Routing and the Filtering of Routing Information (Optional)

Controlling Dialer Functions (Optional)

Controlling Access to a Line or Interface

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces. Remember the following:

When controlling access to a line, you must use a number.

When controlling access to an interface, you can use a name or number.

To restrict access to a vty and the addresses in an access list, use the following command in line configuration mode. Only numbered access lists can be applied to lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.

Command
Purpose

Router(config-line)# access-class access-list-number {in | out}

Restricts incoming and outgoing connections between a particular vty (into a device) and the addresses in an access list.


To restrict access to an interface, use the following command in interface configuration mode:

Command
Purpose

Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}

Controls access to an interface.


For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.

Controlling Policy Routing and the Filtering of Routing Information

To use access lists to control policy routing and the filtering of routing information, see the "Configuring IP Routing Protocol-Independent Features" chapter in the Cisco IOS IP Configuration Guide.

Controlling Dialer Functions

To use access lists to control dialer functions, refer to the "Preparing to Configure DDR" chapter in the Cisco IOS Dial Technologies Configuration Guide.

Configuration Examples

The following are access list configuration examples.

Numbered Access List Examples

In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the Cisco IOS software would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the software would accept addresses on all other network 36.0.0.0 subnets.

access-list 2 permit 36.48.0.3
access-list 2 deny 36.48.0.0  0.0.255.255 
access-list 2 permit 36.0.0.0  0.255.255.255 
interface ethernet 0
 ip access-group 2 in

The following example defines access lists 1 and 2, both of which have logging enabled:

interface ethernet 0
 ip address 1.1.1.1 255.0.0.0
 ip access-group 1 in
 ip access-group 2 out
!
access-list 1 permit 5.6.0.0 0.0.255.255 log
access-list 1 deny 7.9.0.0 0.0.255.255 log
!
access-list 2 permit 1.2.3.4 log
access-list 2 deny 1.2.0.0 0.0.255.255 log

If the interface receives 10 packets from 5.6.7.7 and 14 packets from 1.2.23.21, the first log will look like the following:

list 1 permit 5.6.7.7 1 packet
list 2 deny 1.2.23.21 1 packet

Five minutes later, the console will receive the following log:

list 1 permit 5.6.7.7 9 packets
list 2 deny 1.2.23.21 13 packets
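The two log samples above show the behaviour that matters when you feed ACL logs into a SIEM: the first match is reported at once, later matches are only counted and summarized at the next interval, so the numbers you see are not per-packet events. The following added model (this example's own code, not Cisco's) reproduces the four lines above from constructed traffic. It assumes a fixed five-minute summary interval and that a flow with no matches in an interval is forgotten, so its next match is logged immediately again; the real IOS throttling has more knobs than this.

```python
"""Simplified model of how the 'log' keyword reports access list matches.

Added illustration based on the sample output in this chapter; not Cisco
code.  Assumed behaviour: the first packet matching a logged ACE is
reported immediately, later matches are counted and reported as a summary
when the 5-minute interval elapses, and an entry that stays quiet for a
whole interval is dropped."""

SUMMARY_INTERVAL = 300.0   # seconds; the chapter's example uses five minutes


class AclLogger:
    def __init__(self):
        # (list number, action, source) -> [pending count, next summary time]
        self._state = {}

    def packet(self, now, acl, action, src):
        """Record one matching packet; returns the messages emitted now."""
        out = self.tick(now)
        key = (acl, action, src)
        if key not in self._state:
            out.append(self._format(key, 1))           # first match: log at once
            self._state[key] = [0, now + SUMMARY_INTERVAL]
        else:
            self._state[key][0] += 1                   # later matches: count only
        return out

    def tick(self, now):
        """Emit summaries for entries whose interval has elapsed."""
        out = []
        for key, state in list(self._state.items()):
            count, due = state
            if now < due:
                continue
            if count:
                out.append(self._format(key, count))
                state[0] = 0
                state[1] = due + SUMMARY_INTERVAL
            else:
                del self._state[key]   # quiet flow: next match is logged at once again
        return out

    @staticmethod
    def _format(key, n):
        acl, action, src = key
        return f"list {acl} {action} {src} {n} packet{'s' if n != 1 else ''}"


def simulate_sample():
    """Constructed traffic matching the chapter's description: 10 packets
    from 5.6.7.7 (list 1 permit) and 14 from 1.2.23.21 (list 2 deny) within
    the first minute, after which the clock reaches the 5-minute mark."""
    log = AclLogger()
    messages = []
    for n in range(14):
        t = 2.0 * n
        if n < 10:
            messages += log.packet(t, 1, "permit", "5.6.7.7")
        messages += log.packet(t, 2, "deny", "1.2.23.21")
    messages += log.tick(SUMMARY_INTERVAL)
    return messages


if __name__ == "__main__":
    print("\n".join(simulate_sample()))
```

When correlating these messages, sum the counts across the immediate line and the summary lines rather than counting log lines; ten packets produce two lines here, not ten.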

Turbo Access Control List Example

The following is a Turbo ACL configuration example. The presence of the access-list compiled global configuration command in the output indicates that Turbo ACL is enabled.

interface Ethernet2/7
 no ip address
 ip access-group 20 out
 no ip directed-broadcast
 shutdown
!         
no ip classless
ip route 192.168.0.0 255.255.255.0 10.1.1.1
!
access-list compiled
access-list 1 deny   any
access-list 2 deny   192.168.0.0 0.0.0.255
access-list 2 permit any

Implicit Masks in Access Lists Examples

IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:

access-list 1 permit 0.0.0.0
access-list 1 permit 131.108.0.0
access-list 1 deny 0.0.0.0 255.255.255.255

For this example, the following masks are implied in the first two lines:

access-list 1 permit 0.0.0.0 0.0.0.0
access-list 1 permit 131.108.0.0 0.0.0.0

The last line in the configuration (using the deny keyword) can be left off, because IP access lists implicitly deny all other access. Leaving off the last line in the configuration is equivalent to finishing the access list with the following command statement:

access-list 1 deny 0.0.0.0 255.255.255.255

The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any hosts with a source address that does not match the access list statements will be rejected.

access-list 1 permit 192.5.34.0  0.0.0.255
access-list 1 permit 128.88.0.0  0.0.255.255
access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the address mask that is all 0s from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:

access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3  0.0.0.0

Extended Access List Examples

In the following example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
interface ethernet 0
 ip access-group 102 in

For another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. Because the secure system behind the router always accepts mail connections on port 25, incoming and outgoing services can be controlled separately. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface ethernet 0
 ip access-group 102 in

Named Access List Example

The following configuration creates a standard access list named Internet_filter and an extended access list named marketing_group:

interface Ethernet0/5
 ip address 2.0.5.1 255.255.255.0
 ip access-group Internet_filter out
 ip access-group marketing_group in
...
ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log

IP Extended Access List with Fragment Control Example

The first statement will match and deny only noninitial fragments destined for host 1.1.1.1. The second statement will match and permit only the remaining nonfragmented and initial fragments that are destined for host 1.1.1.1 TCP port 80. The third statement will deny all other traffic. In order to block noninitial fragments for any TCP port, we must block noninitial fragments for all TCP ports, including port 80 for host 1.1.1.1.

access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
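The standard, extended, established and fragment examples above all rest on the same first-match rule with an implicit deny at the end, and the subtle cases (an omitted mask, a SYN versus a reply, a noninitial fragment) are where filters fail in practice. The following added example (its own code, not Cisco's) evaluates those examples against constructed packets. The Packet and Ace classes are this example's own; the one assumption beyond the chapter's text is the documented IOS rule that an entry with Layer 4 conditions cannot check them on a noninitial fragment, so such a fragment matches a permit entry but skips a deny entry, which is exactly why access list 101 needs its first line.

```python
"""First-match evaluation of Cisco IOS style IP access lists.

Added illustration covering this chapter's examples: implicit wildcard
masks and the implicit deny, the extended-ACL 'established' keyword and
the 'fragments' keyword.  Not Cisco code; Packet and Ace are this
example's own types."""

from dataclasses import dataclass
from typing import Optional, Tuple


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'do not care'."""
    for a, p, w in zip(addr.split("."), pattern.split("."), wildcard.split(".")):
        if (int(a) ^ int(p)) & ~int(w) & 0xFF:
            return False
    return True


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp", or "ip" for anything else
    dport: int = 0         # destination port (TCP/UDP)
    ack: bool = False      # TCP ACK flag
    rst: bool = False      # TCP RST flag
    frag_offset: int = 0   # > 0 marks a noninitial fragment (no L4 header)


@dataclass
class Ace:
    action: str                               # "permit" or "deny"
    proto: str = "ip"                         # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"         # the defaults mean 'any'
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dport: Optional[Tuple[str, int]] = None   # ("eq", 25), ("gt", 1023), ("lt", 1024)
    established: bool = False
    fragments: bool = False

    @property
    def has_l4(self) -> bool:
        return self.dport is not None or self.established

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, self.src, self.src_wild)
                and wildcard_match(pkt.dst, self.dst, self.dst_wild)):
            return False
        if pkt.frag_offset > 0:
            # Noninitial fragment: there is no transport header to check.
            if self.fragments or not self.has_l4:
                return True
            # Assumption (documented IOS rule for the fragments keyword): an
            # ACE with L4 conditions cannot verify them on a noninitial
            # fragment, so a permit ACE matches and a deny ACE is skipped.
            return self.action == "permit"
        if self.fragments:
            return False   # 'fragments' ACEs never match initial or whole packets
        if self.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
            return False
        if self.dport is not None:
            op, value = self.dport
            if not {"eq": pkt.dport == value,
                    "gt": pkt.dport > value,
                    "lt": pkt.dport < value}[op]:
                return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """The first matching entry decides; the list ends in an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


HOST = "0.0.0.0"   # wildcard implied by the 'host' keyword or an omitted mask

# Implicit-mask example: 'permit 0.0.0.0' and 'permit 131.108.0.0' match only
# those exact addresses because the omitted mask is 0.0.0.0.
ACL_1 = [Ace("permit", src="0.0.0.0", src_wild=HOST),
         Ace("permit", src="131.108.0.0", src_wild=HOST)]

# Fragment-control example (access list 101).
ACL_101 = [Ace("deny", dst="1.1.1.1", dst_wild=HOST, fragments=True),
           Ace("permit", proto="tcp", dst="1.1.1.1", dst_wild=HOST, dport=("eq", 80)),
           Ace("deny")]

# Extended example with 'established' (access list 102).
ACL_102 = [Ace("permit", proto="tcp", dst="128.88.0.0", dst_wild="0.0.255.255", established=True),
           Ace("permit", proto="tcp", dst="128.88.1.2", dst_wild=HOST, dport=("eq", 25))]

if __name__ == "__main__":
    syn = Packet("10.0.0.1", "128.88.5.5", "tcp", dport=80)
    reply = Packet("10.0.0.1", "128.88.5.5", "tcp", dport=80, ack=True)
    print("inbound SYN:", evaluate(ACL_102, syn), "| inbound reply:", evaluate(ACL_102, reply))
    frag = Packet("10.0.0.1", "1.1.1.1", "tcp", frag_offset=8)
    print("noninitial fragment:", evaluate(ACL_101, frag),
          "| without line 1:", evaluate(ACL_101[1:], frag))
```

Running the block shows that access list 102 lets a reply segment in but not a new inbound SYN, and that dropping the first line of access list 101 turns the noninitial fragment from a deny into a permit.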

Time Range Applied to an IP Access List Example

The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m. The example allows UDP traffic on Saturday and Sunday from noon to 8:00 p.m. only.

time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit udp any any time-range udp-yes
!
interface ethernet 0
 ip access-group strict in
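To see exactly which packets the strict list above admits at a given moment, here is an added example (this example's own code, not Cisco's) that parses the two time-range blocks and evaluates the list with inactive entries skipped. It models only the periodic form shown in the chapter, not the absolute form, and it assumes the IOS behaviour that an entry outside its time range is treated as absent; the dates used are constructed (8 January 2024 is a Monday, 13 January 2024 a Saturday).

```python
"""Evaluating time-range controlled access list entries.

Added illustration of the 'strict' example above; not Cisco code.  Parses
'time-range' blocks with 'periodic' lines (the 'absolute' form is not
modelled) and skips any ACE whose range is inactive when the packet
arrives, which is how an inactive ACE behaves in IOS."""

from datetime import datetime, time

DAY_GROUPS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
}
DAY_NAMES = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}


def parse_time_ranges(config: str) -> dict:
    """Return {name: [(weekdays, start, end), ...]} from time-range blocks."""
    ranges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("time-range "):
            current = line.split()[1]
            ranges[current] = []
        elif line.startswith("periodic ") and current is not None:
            tokens = line.split()            # periodic <days...> HH:MM to HH:MM
            to = tokens.index("to")
            days = set()
            for day in tokens[1:to - 1]:     # 'weekdays', 'weekend', 'daily' or day names
                days |= DAY_GROUPS.get(day) or {DAY_NAMES[day]}
            start = time.fromisoformat(tokens[to - 1].zfill(5))   # "8:00" -> "08:00"
            end = time.fromisoformat(tokens[to + 1].zfill(5))
            ranges[current].append((days, start, end))
    return ranges


def time_range_active(ranges: dict, name: str, when: datetime) -> bool:
    """True when any periodic entry of the named range covers 'when'."""
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in ranges[name])


# Constructed configuration, copied from the time-range example in this chapter.
CONFIG = """
time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
"""
RANGES = parse_time_ranges(CONFIG)

# ACL 'strict' reduced to what the example needs:
# (action, protocol, destination port or None for any, time-range name or None).
ACL_STRICT = [
    ("deny", "tcp", 80, "no-http"),
    ("permit", "udp", None, "udp-yes"),
]


def evaluate_timed(acl, proto: str, dport: int, when) -> str:
    """First-match evaluation with inactive time-range ACEs skipped and the
    implicit deny at the end.  'when' is a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for action, p, port, tr in acl:
        if tr is not None and not time_range_active(RANGES, tr, when):
            continue
        if p == proto and (port is None or port == dport):
            return action
    return "deny"


if __name__ == "__main__":
    for when, proto, port in (("2024-01-08T10:00", "tcp", 80),   # Monday 10:00
                              ("2024-01-13T13:00", "udp", 53),   # Saturday 13:00
                              ("2024-01-13T21:00", "udp", 53)):  # Saturday 21:00
        print(when, proto, port, "->", evaluate_timed(ACL_STRICT, proto, port, when))
```

Note what the implicit deny does to this list: outside the no-http window, HTTP is still dropped, just by the implicit deny instead of the explicit entry, so the practical effect of the list is that UDP on weekend afternoons is the only traffic ever permitted.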

Commented IP Access List Entry Examples

In the following example of a numbered access list, the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access:

access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13

In the following example of a numbered access list, the Winter and Smith workstations are not allowed to browse the web:

access-list 100 remark Do not allow Winter to browse the web
access-list 100 deny host 171.69.3.85 any eq http
access-list 100 remark Do not allow Smith to browse the web
access-list 100 deny host 171.69.3.13 any eq http

In the following example of a named access list, the Jones subnet is not allowed access:

ip access-list standard prevention
 remark Do not allow Jones subnet through
 deny 171.69.0.0 0.0.255.255

In the following example of a named access list, the Jones subnet is not allowed to use outbound Telnet:

ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp 171.69.0.0 0.0.255.255 any eq telnet

Saving Configuration Changes

To prevent the loss of the router configuration, save it to NVRAM.

 
Command
Purpose

Step 1 

Router> enable

Password: password

Router# 

Enters enable mode. Enter the password.

You have entered enable mode when the prompt changes to Router#.

Step 2 

Router# copy running-config startup-config

Saves the configuration changes to NVRAM so that they are not lost during resets, power cycles, or power outages.

Step 3 

Router(config-if)# Ctrl-z

Router#

%SYS-5-CONFIG_I: Configured from console by console

Returns to enable mode.

This message is normal and does not indicate an error.

Verifying the Configuration

To verify the configuration of the MWR 1941-DC, enter the following command:

MWR1941-1#show running-config
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cellsite_router1
!
logging queue-limit 100
enable secret 5 $1$7w/U$C10zHvVw9lD8OOCAoKBKN.
!
memory-size iomem 25
clock timezone EST -5
!
redundancy
  mode y-cable
   standalone
!
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip host bizarre 64.102.16.25
ip host ax 172.18.28.222
!
ip dhcp-server 3.0.0.1
ip dhcp-server 5.0.0.7
multilink bundle-name both
frame-relay switching
!
no voice hpi capture buffer
no voice hpi capture destination 
!
mta receive maximum-recipients 0
!
controller E1 0/0
 clock source internal
 channel-group 0 timeslots 1-3
 tdm-group 1 timeslots 4-31
!
controller E1 0/1
 clock source internal
 tdm-group 1 timeslots 4-31
!
controller T1 0/3
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/2
 framing esf
 clock source internal
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
 class-map match-all voice-class
  match protocol rtp
 class-map match-all nm-class
  match protocol snmp
  match protocol syslog
 class-map match-all data-class
  match protocol telnet
  match protocol ftp
  match protocol http
!
 policy-map proto
  class nm-class
   bandwidth percent 20
   queue-limit 300
  class data-class
   bandwidth percent 40
   queue-limit 300
  class voice-class
   bandwidth percent 40
   queue-limit 300
!
interface FastEthernet0/0
 ip address 172.18.28.202 255.255.255.128
 ip helper-address 99.1.1.2
 no ip mroute-cache
 speed 100
 full-duplex
!
interface Serial0/0:0
 description backhaul interface
 ip address 4.0.0.8 255.0.0.0
 no ip proxy-arp
 max-reserved-bandwidth 100
 service-policy output proto
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp compression-connections 256
 load-interval 30
 no keepalive
 ip rtp header-compression iphc-format
 ip rtp compression-connections 256
!
interface FastEthernet0/1
 ip address 100.0.0.2 255.0.0.0
 ip helper-address 3.0.0.1
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 speed 100
 full-duplex
 no cdp enable
!
interface Serial0/2:0
 ip address 44.0.0.2 255.255.255.0
 encapsulation ppp
!
interface Serial0/3:0
 ip address 55.0.0.2 255.255.255.0
 encapsulation ppp
 shutdown
!
interface Serial0/4
 no ip address
 shutdown
 clockrate 125000
!
interface Serial0/5
 no ip address
 shutdown
 clockrate 125000
!
interface Serial1/0
 ip address 99.1.1.1 255.0.0.0
 ip helper-address 99.1.1.2
 ip helper-address 172.18.61.23
 no ip mroute-cache
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.28.129
ip route 4.0.0.8 255.255.255.255 Serial1/0
ip route 23.0.0.0 255.255.255.0 4.0.0.9
ip route 125.0.0.0 255.255.255.0 4.0.0.9
ip route 126.0.0.0 255.255.255.0 2.0.0.7
ip route 129.0.0.0 255.255.255.0 126.0.0.10
ip route 172.18.28.204 255.255.255.255 Serial1/0
ip route 200.0.0.0 255.255.255.0 4.0.0.9
!
logging 172.18.61.23
access-list 151 permit icmp host 1.1.1.1 host 23.0.0.7
access-list 151 permit icmp host 31.0.0.7 host 23.0.0.7
access-list 151 permit icmp host 10.0.0.7 host 23.0.0.7
access-list 151 permit tcp host 31.0.0.7 eq telnet host 23.0.0.7 gt 1024
access-list 151 permit tcp host 31.0.0.7 eq ftp host 23.0.0.7 gt 1024
access-list 151 permit tcp host 31.0.0.7 eq www host 23.0.0.7 gt 1024
access-list 151 permit udp host 1.1.1.1 eq snmp host 23.0.0.7 gt 1024
access-list 151 permit udp host 1.1.1.1 eq syslog host 23.0.0.7 gt 1024
access-list 151 permit udp host 10.0.0.7 gt 16000 host 23.0.0.7 gt 1024
access-list 151 permit tcp host 31.0.0.7 eq ftp-data host 23.0.0.7 gt 1024
access-list 151 permit udp host 1.1.1.1 eq snmptrap host 23.0.0.7 gt 1024
connect TDM E1 0/0 1 E1 0/1 1
!
!
tftp-server nvram:/startup-config
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server host 172.18.61.23 public 
!
alarm-interface 1
 ip address 99.1.1.2
call rsvp-sync
!
!
line con 0
 exec-timeout 0 0
line 33
 session-timeout 1 
 flush-at-activation
 no exec
 transport preferred none
 transport input telnet
 transport output none
 stopbits 1
line aux 0
line vty 0 4
 password lab
 login
!         
end


Monitoring and Managing the MWR 1941-DC Router

There are several methods you can use to remotely manage the MWR 1941-DC router and attached devices at the cell site. Examples of these methods include using CiscoWorks2000 for Mobile Wireless (CW4MW) and Telnet.

To enable remote network management of the MWR 1941-DC using CW4MW, do the following:


Step 1 At the privileged prompt, enter the following command to access configuration mode:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#

Step 2 At the configuration prompt, enter the following command to assign a host name to each of the network management workstations:

Router(config)# ip host hostname ip_address

Where hostname is the name assigned to the Operations and Maintenance (O&M) workstation and ip_address is the address of the network management workstation.

Step 3 Enter the following commands to create a loopback interface for O&M:

Router(config)# interface loopback number
Router(config-if)# ip address ip_address subnet_mask

Step 4 Exit interface configuration mode:

Router(config-if)# exit

Step 5 At the configuration prompt, enter the following command to specify the recipient of a Simple Network Management Protocol (SNMP) notification operation:

Router(config)# snmp-server host hostname [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]

Where hostname is the name assigned to the CW4MW workstation with the ip host command in Step 2.

Step 6 Enter the following commands to specify the public and private SNMP community names:

Router(config)# snmp-server community public RO
Router(config)# snmp-server community private RW

Step 7 Enter the following command to enable the sending of SNMP traps:

Router(config)# snmp-server enable traps

Step 8 Enter the following command to specify the loopback interface from which SNMP traps should originate:

Router(config)# snmp-server trap-source loopback number

Where number is the number of the loopback interface you configured for the O&M in Step 3.

Step 9 At the configuration prompt, press Ctrl-Z to exit configuration mode.

Step 10 Write the new configuration to nonvolatile memory as follows:

Router# copy running-config startup-config


Show Commands for Monitoring the MWR 1941-DC

To monitor and maintain the MWR 1941-DC router, use the following commands:

Command
Purpose

show interface fastethernet slot/port

Displays the status of the FE interface.

show controllers fastethernet slot/port

Displays information about the initialization block, transmit ring, receive ring, and errors for the Fast Ethernet controller chip.

show controllers t1

Displays information about the cable length, framing, firmware, and errors associated with the T1. With the MWR 1941-DC, this command also displays the status of the relays on the VWIC.

clear counters fastethernet slot/port

Clears interface counters.

show controllers

Displays all network modules and their interfaces. Displays the status of the VWIC relays when a VWIC is installed.

show interface type slot/port

Displays the configuration and status of the specified interface.

show protocols

Displays the protocols configured for the router and the individual interfaces.


Where to Go Next

At this point you can proceed to the following:

The Cisco IOS software configuration guide and command reference publications for more advanced configuration topics. These publications are available on Cisco.com and on the Documentation CD-ROM that came with your router, or you can order printed copies.

The System Error Messages and Debug Command Reference publications for troubleshooting information. These publications are available on Cisco.com and on the Documentation CD-ROM that came with your router, or you can order printed copies.

The CiscoWorks2000 publications for information on managing your MWR 1941-DC router remotely.