Cisco IOS Software Releases 12.3 Special and Early Deployments

Demilitarized Zone (DMZ) Port

Demilitarized Zone (DMZ) Port


The Demilitarized Zone (DMZ) Port feature permits two LAN networks instead of the single LAN network previously available. It enables switch port 4 of the existing four 10/100 switch ports to be used optionally as a Layer 3 LAN port, providing Cisco 830 series routers with one more 10-Mbps Layer 3 LAN port. The new LAN port can be used as a DMZ for public access to the customer's web and other servers that must be reachable from the Internet, while the existing LAN ports continue to carry private internal traffic.

Typically the DMZ port is configured at a lower security level than the other LAN ports on the Cisco 830 series router.

Feature History for Demilitarized Zone (DMZ) Port

Release        Modification
12.3(7)XR1     This feature was introduced.
12.3(14)T      This feature was integrated into Cisco IOS Release 12.3(14)T.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Restrictions for Demilitarized Zone (DMZ) Port

Information About Demilitarized Zone (DMZ) Port

How to Enable DMZ Port

Configuration Examples for DMZ Port

Additional References

Command Reference

Restrictions for Demilitarized Zone (DMZ) Port

The Ethernet 2 interface of the Cisco 830 series router should be used only as a LAN-side DMZ port. Using the Ethernet 2 interface as a WAN interface is not supported.

Because the media-independent interface that connects the router's LAN interface to the Marvell switch operates only at 10 Mbps, inter-LAN routing between the Ethernet 0 and Ethernet 2 interfaces is limited to a maximum of 10 Mbps.

Because the Ethernet 0 and Ethernet 2 interfaces share the same Tx/Rx rings, buffer pools, and communication controller, the output of commands such as show controllers and show buffers may be similar for the two interfaces.

Because the Ethernet 2 interface uses the existing switch port 4, shutting down switch port 4 (the shutdown command entered in interface configuration mode for interface fastethernet 4) also operationally shuts down the Ethernet 2 interface.

The DMZ interface reuses the existing Tx/Rx activity LEDs of the Ethernet 0 interface. There is no link LED for the Ethernet 2 interface. When the Ethernet 2 interface is enabled, monitor the link LED of switch port 4 to check whether the line protocol is up.

The MAC address of the Ethernet 2 interface is the same as that of the Ethernet 0 interface.

Information About Demilitarized Zone (DMZ) Port

To configure the Demilitarized Zone (DMZ) Port feature, you should understand the following concepts:

DMZ Networks

DMZ Networks

A DMZ network enables Internet users to access a company's public servers, including Web and File Transfer Protocol (FTP) servers, while maintaining security for the company's private LAN. The separation holds only if the access lists applied to the DMZ interface restrict traffic from the DMZ toward the private LAN, so that a compromised public server cannot reach internal hosts; in the configuration example in this document, access list 111 on the Ethernet 2 interface permits only ICMP from the DMZ and denies everything else.

How to Enable DMZ Port

This section contains the following procedure:

Enabling DMZ Port

Enabling DMZ Port

To enable the Ethernet 2 interface on your Cisco 830 series router for the DMZ Port feature, perform the following steps:

SUMMARY STEPS

1. enable

2. configure terminal

3. interface ethernet 2

4. no shutdown

5. end

DETAILED STEPS

Command or Action / Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface ethernet 2

Example:

Router(config)# interface ethernet 2

Selects the Ethernet 2 interface (switch port 4 used as a Layer 3 port) and enters interface configuration mode.

Step 4 

no shutdown

Example:

Router(config-if)# no shutdown

Enables the Ethernet 2 interface, so that switch port 4 operates as the Layer 3 Ethernet 2 (DMZ) port.

Step 5 

end

Example:

Router(config-if)# end

(Optional) Exits interface configuration mode and returns to privileged EXEC mode.

Configuration Examples for DMZ Port

This section provides the following configuration example:

Configuring DMZ Port: Example

Verifying DMZ Port: Example

Configuring DMZ Port: Example

The following example shows the DMZ Port feature configured on a Cisco 831 router. Ethernet2 is the DMZ port, with access list 111 and an inspect rule applied to it; access list 101 on the private LAN interface (Ethernet0) restricts LAN-to-DMZ traffic, and access list 121 on the WAN interface (Ethernet1) admits only HTTP, FTP, and SMTP to the DMZ server at 192.168.30.3. The ip inspect name standard rule definitions referenced by the inspect statements are not shown in this excerpt (the full configuration is 3302 bytes):

Building configuration...

Current configuration : 3302 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
!
!
!
ip inspect audit-trail
!
interface Ethernet0
 ip address 192.168.27.1 255.255.255.0
 ip access-group 101 in
 ip inspect standard in
 no cdp enable
!
interface Ethernet1
 ip address 172.16.2.1 255.255.0.0
 ip access-group 121 in
 duplex auto
 no cdp enable
!
interface Ethernet2           --------------> DMZ port
 ip address 192.168.30.1 255.255.255.0
 ip access-group 111 in       --------------> Applying access list
 ip inspect standard out      --------------> Applying inspect statements
 no cdp enable
!
ip classless
!
ip http server
no ip http secure-server
!
!
access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq pop3
access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet
access-list 101 deny   ip 192.168.27.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.27.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 111 permit icmp 192.168.30.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 121 permit tcp any host 192.168.30.3 eq www
access-list 121 permit tcp any host 192.168.30.3 eq ftp
access-list 121 permit tcp any host 192.168.30.3 eq smtp
access-list 121 deny   ip any any

end
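The access lists above decide which of the three zones (private LAN on Ethernet0, WAN on Ethernet1, DMZ on Ethernet2) may reach which other zone. The following evaluator is an added example and is not part of the Cisco document: it parses the three numbered extended access lists exactly as they appear in the configuration and applies IOS first-match semantics (with the implicit deny at the end) to a set of constructed flows. The hosts 192.168.27.10 (a LAN client) and 203.0.113.9 (standing in for the Internet) are assumptions; the interface-to-ACL mapping follows the ip access-group statements in the example. Only the static access lists are modelled; the ip inspect (CBAC) statements, which open return paths for inspected sessions dynamically, are not.

```python
"""Added example (not part of the Cisco document): a first-match evaluator for
the three numbered extended ACLs in the DMZ Port configuration example.

It models only the static access lists. The 'ip inspect' (CBAC) statements in
the example open return paths for inspected sessions dynamically; that
behaviour is not modelled here, so a 'deny' below is the static verdict only.
"""
import ipaddress

# Copied from the configuration example on this page.
ACL_CONFIG = """
access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq pop3
access-list 101 permit tcp 192.168.27.0 0.0.0.255 host 192.168.30.3 eq telnet
access-list 101 deny   ip 192.168.27.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 101 permit ip 192.168.27.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 111 permit icmp 192.168.30.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 121 permit tcp any host 192.168.30.3 eq www
access-list 121 permit tcp any host 192.168.30.3 eq ftp
access-list 121 permit tcp any host 192.168.30.3 eq smtp
access-list 121 deny   ip any any
"""

# 'ip access-group <n> in' per interface, as in the example:
# Ethernet0 = private LAN, Ethernet1 = WAN, Ethernet2 = DMZ.
INBOUND_ACL = {"Ethernet0": 101, "Ethernet1": 121, "Ethernet2": 111}

# IOS port keywords used in the example, mapped to TCP port numbers.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_number: [(action, proto, src_net, dst_net, dst_port_or_None), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        acls.setdefault(number, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if s not in e_src or d not in e_dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"


def check_flow(acls, ingress, proto, src, dst, dport=None):
    """Verdict of the inbound ACL on the interface where the flow enters the router."""
    return evaluate(acls[INBOUND_ACL[ingress]], proto, src, dst, dport)


def policy_report():
    """Run constructed flows (hypothetical hosts; 203.0.113.9 stands in for the Internet)."""
    acls = parse_acls(ACL_CONFIG)
    flows = {
        "internet->dmz web/80":  ("Ethernet1", "tcp", "203.0.113.9", "192.168.30.3", 80),
        "internet->dmz ssh/22":  ("Ethernet1", "tcp", "203.0.113.9", "192.168.30.3", 22),
        "internet->lan web/80":  ("Ethernet1", "tcp", "203.0.113.9", "192.168.27.10", 80),
        "dmz->lan smb/445":      ("Ethernet2", "tcp", "192.168.30.3", "192.168.27.10", 445),
        "dmz->internet icmp":    ("Ethernet2", "icmp", "192.168.30.3", "203.0.113.9"),
        "lan->dmz pop3/110":     ("Ethernet0", "tcp", "192.168.27.10", "192.168.30.3", 110),
        "lan->dmz web/80":       ("Ethernet0", "tcp", "192.168.27.10", "192.168.30.3", 80),
        "lan->internet web/80":  ("Ethernet0", "tcp", "192.168.27.10", "203.0.113.9", 80),
    }
    return {label: check_flow(acls, *args) for label, args in flows.items()}


if __name__ == "__main__":
    for label, verdict in policy_report().items():
        print(f"{label:24s} {verdict}")
```

Two results are worth noting. The DMZ host can open nothing but ICMP toward the private LAN, which is the property that makes the DMZ worth having. Less obviously, the LAN is denied direct HTTP to its own DMZ web server by the third entry of access list 101, while LAN-to-Internet traffic is permitted by the fourth; whether that is intended depends on the deployment, and the evaluator makes such consequences visible before the configuration is applied.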

Verifying DMZ Port: Example

The following is sample output from the show interfaces ethernet 2 privileged EXEC command, used to verify that the Ethernet 2 port is enabled. The first line, Ethernet2 is up, line protocol is up, confirms that the interface is enabled and that switch port 4 has link; BW 10000 Kbit and 10Mb/s reflect the 10-Mbps limit noted in the restrictions:

Router# show interfaces ethernet 2
Ethernet2 is up, line protocol is up
   Hardware is PQUICC_FEC, address is aaaa.0bbb.cccc (bia 000d.2813.53d2)
   Internet address is 10.0.0.1/8
   MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
      reliability 255/255, txload 1/255, rxload 1/255
   Encapsulation ARPA, loopback not set
   Keepalive set (10 sec)
   Full-duplex, 10Mb/s
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:43, output never, output hang never
   Last clearing of "show interface" counters never
   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
   Queueing strategy: fifo
   Output queue: 0/40 (size/max)
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
      6965 packets input, 2250292 bytes, 0 no buffer
      Received 6910 broadcasts, 0 runts, 0 giants, 0 throttles
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
      0 input packets with dribble condition detected
      48474 packets output, 4881725 bytes, 0 underruns
      0 output errors, 0 collisions, 2 interface resets
      0 babbles, 0 late collision, 0 deferred
      0 lost carrier, 0 no carrier
      0 output buffer failures, 0 output buffers swapped out
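Because Ethernet 2 has no link LED of its own and goes down whenever switch port 4 is shut, the show interfaces output is the main evidence that the DMZ port is actually working. The following parser is an added example and is not part of the Cisco document: it extracts the status line, addresses, bandwidth and reset counter from the sample output above and turns the restrictions in this document into checks. The down variant is constructed; its exact status wording after switch port 4 is shut is an assumption, not text taken from the page.

```python
"""Added example (not part of the Cisco document): parse 'show interfaces
ethernet 2' output and apply the checks this page's restrictions imply.
"""
import re

# Trimmed copy of the sample output shown on this page.
SHOW_E2_UP = """\
Ethernet2 is up, line protocol is up
   Hardware is PQUICC_FEC, address is aaaa.0bbb.cccc (bia 000d.2813.53d2)
   Internet address is 10.0.0.1/8
   MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
      reliability 255/255, txload 1/255, rxload 1/255
   Full-duplex, 10Mb/s
      0 output errors, 0 collisions, 2 interface resets
"""

# Constructed variant: the status line once switch port 4 has been shut down
# (exact wording assumed, not taken from the page).
SHOW_E2_DOWN = SHOW_E2_UP.replace("is up, line protocol is up",
                                  "is down, line protocol is down")

_STATUS = re.compile(r"^(?P<name>\S+) is (?P<admin>administratively down|up|down), "
                     r"line protocol is (?P<proto>up|down)")
_FIELDS = {
    "mac": re.compile(r"address is (?P<mac>[0-9a-f.]+) \(bia (?P<bia>[0-9a-f.]+)\)"),
    "ip": re.compile(r"Internet address is (?P<ip>\S+)"),
    "bw": re.compile(r"BW (?P<bw>\d+) Kbit"),
    "resets": re.compile(r"(?P<resets>\d+) interface resets"),
}


def parse_show_interface(text):
    """Return a dict with name, admin, proto, mac, bia, ip, bw (int, Kbit) and resets (int)."""
    lines = text.strip().splitlines()
    m = _STATUS.match(lines[0].strip())
    if m is None:
        raise ValueError("unrecognised status line: " + lines[0])
    info = m.groupdict()
    for rx in _FIELDS.values():
        found = rx.search(text)
        if found:
            info.update(found.groupdict())
    info["bw"] = int(info.get("bw", 0))
    info["resets"] = int(info.get("resets", 0))
    return info


def verify_dmz_port(text):
    """Findings for the DMZ port; an empty list means Ethernet 2 is up/up at 10 Mbps."""
    info = parse_show_interface(text)
    findings = []
    if info["name"] != "Ethernet2":
        findings.append(f"expected Ethernet2, got {info['name']}")
    if info["admin"] == "administratively down":
        # Default state of the interface: it has not been enabled yet.
        findings.append("Ethernet2 is shut down: enter 'no shutdown' under 'interface ethernet 2'")
    elif info["admin"] != "up" or info["proto"] != "up":
        # Ethernet 2 rides on switch port 4, so a shutdown on interface fastethernet 4
        # takes Ethernet 2 down as well, and the only link LED is that of port 4.
        findings.append("Ethernet2 is not up/up: check that 'interface fastethernet 4' is not "
                        "shut down and that the switch port 4 link LED is lit")
    if info["bw"] and info["bw"] != 10000:
        findings.append(f"BW is {info['bw']} Kbit; the DMZ port is a 10 Mbps port")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_E2_UP, SHOW_E2_DOWN):
        print(parse_show_interface(sample)["admin"], verify_dmz_port(sample) or "OK")
```

The parsed mac and bia fields are returned separately on purpose: in the page's sample they differ, which indicates a manually configured MAC address rather than the burned-in one, and a reviewer comparing Ethernet 0 and Ethernet 2 (which share a MAC by default) will want both values.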

Additional References

The following sections provide references related to DMZ port.

Related Documents

Related Topic: Cisco IOS Release 12.3 Configuration Guides and Command References
Document Title: Cisco IOS Release 12.3 Configuration Guides and Command References


Standards

Standards: None
Title: None


MIBs

MIBs: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs: None
Title: None


Technical Assistance

Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 command reference publications.

interface ethernet 2

To enable the DMZ Port feature, use the interface ethernet 2 command in global configuration mode, then enter the no shutdown command in interface configuration mode.

interface type number [name-tag]

Syntax Description

type

Type of interface to be configured.

number

Port, connector, or interface card number.

name-tag

(Optional) Specifies the logical name to identify the server configuration so that multiple server configurations can be entered.

This optional argument is for use with the Redundant Link Manager (RLM) feature.


Defaults

Interface Ethernet 2 is disabled.

Command Modes

Global configuration

Command History

Release        Modification
10.0           This command was introduced.
12.3(7)XR1     New Ethernet interface number 2 added for Cisco 830 series routers.
12.3(14)T      This command was integrated into Cisco IOS Release 12.3(14)T.


Usage Guidelines

This command does not have a no form.

Examples

The following example shows how to enable the DMZ Port feature on Ethernet interface 2:

Router(config)# interface ethernet 2
Router(config-if)# no shutdown

show interface ethernet 2

To display information about an Ethernet interface on the router, use the show interfaces ethernet command in privileged EXEC mode.

show interfaces ethernet [number] [accounting]

Syntax Description

number

(Optional) Port number on the selected interface.

accounting

(Optional) Displays the number of packets of each protocol type that have been sent through the interface.


Command Modes

Privileged EXEC

Command History

Release        Modification
10.0           This command was introduced.
12.3(7)XR1     New Ethernet interface number 2 added for Cisco 830 series routers.
12.3(14)T      This command was integrated into Cisco IOS Release 12.3(14)T.


Usage Guidelines

If you do not provide a value for the number argument, the command displays statistics for all network interfaces. The optional accounting keyword displays the number of packets of each protocol type that have been sent through the interface.

Examples

The following is sample output from the show interfaces ethernet 2 command for Ethernet interface 2:


Router# show interfaces ethernet 2
Ethernet2 is up, line protocol is up 
Hardware is Lance, address is 0060.3ef1.702b (bia 0060.3ef1.702b)
Internet address is 172.21.102.33/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
115331 packets input, 27282407 bytes, 0 no buffer
Received 93567 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
143782 packets output, 14482169 bytes, 0 underruns
0 output errors, 1 collisions, 5 interface resets
0 babbles, 0 late collision, 7 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out