-
Cisco 800 Series Routers Software Configuration Guide
-
About This Guide
-
Concepts
-
Configuring Basic Networks
-
Configuring Advanced Networks
-
Network Scenarios
-
Configuring Remote CAPI
-
Configuring Telephone Interfaces
-
Router Feature Configurations
-
Advanced Router Configuration
-
Troubleshooting
-
Cisco IOS Basic Skills
-
ROM Monitor
-
Common Port Assignments
-
Provisioning the ISDN Line
-
ISDN BRI Cause Values
-
Table Of Contents
Before You Configure Your Network
Configuring the Ethernet Interface
Configuring the Dialer Interface
Configuring the Loopback Interface
Configuring the Asynchronous Transfer Mode Interface
AAL5SNAP Encapsulation Configuration Example
AAL5MUX PPP Encapsulation Configuration Example
Configuring Command-Line Access to the Router
Configuring Addressing Parameters
Configuring DHCP Client Support
Configuring an Extended Access List
Configuring Quality of Service Parameters
Configuring a Single-PVC Environment
Configuring an Access List and Voice Class
Configuring a Policy Map and Specifing Voice Queuing
Configuring a Policy Map and Specifying Priority Queuing for Voice Class
Associating the Policy Map to the ATM PVC and Decreasing the ATM Interface MTU
Configuring a Single-PVC Environment Using RFC 1483 Encapsulation
Differentiating Between Data and Voice Packets
Configuring an Access List and Voice Class
Configuring a Policy Map and Specifying Voice Queuing
Associating the Policy Map with the ATM PVC and Using TCP MSS Adjust
Fine-Tuning the Size of the PVC ATM Transmit Ring Buffer
Configuring a Single-PVC Environment Using PPP over ATM and Multilink Encapsulation
Differentiating Between Data and Voice Packets
Configuring the Policy Map and Specifying Voice Queuing
Associating the Policy Map to the ATM PVC
Configuring Link Fragmentation and Interleaving with Low Latency Queuing
Configuring a Multiple-PVC Environment
Voice and Data on Different Subnets
Configuring the ATM Interface and Subinterfaces
Voice and Data on the Same Subnet Using Virtual Circuit Bundling
Configuring the ATM Interface, PVC-Bundle for Voice and Data, and IP Precedence for Voice Packets
Specifying IP Precedence and the Service Class for the Voice Network
Specifying the Backup Interface
Defining Traffic Load Threshold
Dial Backup Using the Console Port
Configuring IGMP Proxy and Sparse Mode
Configuring IP Security and GRE Tunneling
Configuring Internet Protocol Parameters
Configuring a GRE Tunnel Interface
Configuring the Ethernet Interfaces
Configuring and Monitoring High-Speed Crypto
Configuring Multilink PPP Fragmentation and Interleaving
Configuring Voice for H.323 Signaling
Configuring the POTS Dial Peers
Configuring Voice Dial Peers for H.323 Signaling
Configuring Voice Ports for H.323 Signaling
Cisco 827 Router Configuration Examples
Cisco 827-4V Router Configuration
Cisco 827 Router Configuration
Corporate or Endpoint Router Configuration for Data Network
Corporate or Endpoint Router Configuration for Data and Voice Network
Router Feature Configuration
This chapter includes basic feature-by-feature configuration procedures for Cisco 800 series and Cisco SOHO series routers. This chapter is useful if you have a network in place and you want to add specific features.
Note
Every feature described is not necessarily supported on every router model. Where possible and applicable, feature limitations are listed.
If you prefer to use network scenarios to build a network, see "Network Scenarios."
This chapter contains the following sections:
•
•
•
•
•
•
•
•
•
•
Each section includes a configuration example and verification steps, where available.
Before You Configure Your Network
Before you configure your network, you must do the following:
•
•
•
–
–
•
–
–
–
–
•
–
–
–
•
Configuring Basic Parameters
To configure the router, perform the tasks described in the following sections:
•
•
•
•
•
•
A configuration file example that illustrates how to configure the network is presented after the tasks.
After your router boots, the following prompt displays. Enter no.
Would you like to enter the initial configuration dialog [yes]: noFor complete information on how to access global configuration mode, see the "Entering Global Configuration Mode" section. For more information on the commands used in the following tables, refer to the Cisco IOS Release 12.0 documentation set.
Configuring Global Parameters
Follow the steps below to configure the router for global parameters.
For complete information on the global parameter commands, refer to the Cisco IOS Release 12.0 documentation set.
Configuring the Ethernet Interface
Follow the steps below to configure the Ethernet interface, beginning in global configuration mode.
For complete information on the Ethernet commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on Ethernet concepts, see "Concepts."
Configuration Example
The following example shows the Ethernet interface configuration. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!interface Ethernet0ip address 192.168.1.1 255.255.255.0no ip directed-broadcast (default)!Verifying Your Configuration
To verify that you have properly configured the Ethernet interface, enter the show interface ethernet0 command. You should see a verification output like the example shown below.
router#sh int eth0Ethernet0 is up, line protocol is upHardware is PQUICC Ethernet, address is 0000.Oc13.a4db(bia0010.9181.1281)Internet address is 170.1.4.101/24MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,reliability 255/255., txload 1/255, rxload 1/255Encapsulation ARPA, loopback not setKeepalive set (10 sec)Configuring the Dialer Interface
Use these commands if you are using PPP encapsulation for the ATM PVC.
Follow the steps below to configure the dialer interface, beginning in global configuration mode.
Configuration Example
The following example shows the dialer interface configuration. You do not need to input the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!interface atm0pvc 1/40encapsulation aal5mux ppp dialerdialer pool-member 1!interface dialer 0ip address 200.200.100.1 255.255.255.0encapsulation pppdialer pool 1!Verifying Your Configuration
To verify that you have properly configured the dialer interface, enter the show interface virtual-access 1 command. Both line protocol and dialer 0 should be up and running. You should see a verification output like the example shown below.
router(config-if)#sh int virtual-access 1Virtual-Access1 is up, line protocol is upHardware is Virtual Access interfaceInterface is unnumbered. Using address of Dialer0 (2.2.2.1)MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation PPP, loopback not setVirtual-access 1 is up means that the interface is up and running. If you see the output Virtual-access 1 is down, it means that the interface is "administratively down," and the interface is configured with the shutdown command. To bring the interface up, you must enter the no shutdown command.
Configuring the Loopback Interface
This section describes configuring the loopback interface. The loopback interface acts as a placeholder for the static IP address and provides default routing information.
For complete information on the loopback commands, refer to the Cisco IOS Release 12.0 documentation set.
Configuration Tasks
Follow the steps below to configure the loopback interface.
Sample Configuration
The loopback interface in this sample configuration is used to support NAT on the virtual-template interface. This sample configuration shows the loopback interface configured on the Ethernet interface with an IP address of 200.200.100.1/24, which acts as a static IP address. The loopback interface points back to virtual-template1, which has a negotiated IP address.
!interface Loopback0ip address 200.200.100.1 255.255.255.0 (static IP address)ip nat outside!interface Virtual-Template1ip unnumbered loopback0no ip directed-broadcastip nat outside!Verifying Your Configuration
To verify that you have properly configured the loopback interface, enter the show interface loopback 0 command. You should see a verification output similar to the following example.
Router #sh int loopback 0Loopback0 is up, line protocol is upHardware is LoopbackInternet address is 200.200.100.1/24MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation LOOPBACK, loopback not setLast input never, output never, output hang neverLast clearing of "show interface" counters neverQueueing strategy: fifoOutput queue 0/0, 0 drops; input queue 0/75, 0 drops5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped outAnother way to verify the loopback interface is to send multiple ping packets to it:
Router#ping 200.200.100.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 200.200.100.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msConfiguring the Asynchronous Transfer Mode Interface
Use the following steps to configure the Asynchronous Transfer Mode (ATM) interface, beginning in global configuration mode.
Note
Step 1
interface ATM 0
Enter configuration mode for the ATM interface.
Step 2
dsl equipment-type {co | cpe}
Configure the DSL equipment type, if applicable.
Step 3
dsl linerate {number | auto}
Specify the G.SHDSL line rate, if applicable. The range of valid numbers is between 72 and 2312.
Step 4
dsl operating-mode gshdsl symmetric annex annex
Set the G.SHDSL operating mode, if applicable, and select the G.991.2 annex.
Step 5
ip address ip-address mask
Set the IP address and subnet mask for the ATM interface.
Step 6
pvc vpi/vci
Create an ATM PVC for each end node with which the router communicates.
Step 7
protocol ip ip-address broadcast
Set the protocol broadcast for the IP address.
Step 8
encapsulation protocol
Specify the encapsulation type for the PVC. Encapsulations can be specified as AAL5SNAP, AAL5MUX IP, or AAL5MUX PPP.1
Step 9
tx-ring-limit number
Configure the size of the PVC transmit queue. The default setting is 6.
Step 10
no shutdown
Enable the ATM interface.
Step 11
exit
Exit configuration mode for the ATM interface.
1 This step is optional. If you specify the AAL5MUX PPP encapsulation, you will need to add an additional step to specify the dialer pool-member number using the command dialer-pool member number.
For complete information on the ATM commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on ATM concepts, see "Concepts."
AAL5SNAP Encapsulation Configuration Example
The following example shows the ATM interface configuration for AAL5SNAP encapsulation.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!interface ATM0ip address 200.200.100.1 255.255.255.0no ip directed-broadcast (default)no atm ilmi-keepalive (default)pvc 8/35encapsulation aal5snapprotocol ip 200.200.100.254 broadcast!Verifying Your Configuration
To verify that you have properly configured the ATM interface with AAL5SNAP encapsulation, enter the show interface atm0 command. You should see a verification output like the example shown below.
router#sh int atm0ATM0 is up, line protocol is upHardware is PQUICC_SAR (with Alcatel ADSL Module)Internet address is 1.1.1.1/24MTU 1500 bytes, sub MTU 1500, BW 640 Kbit, DLY 80 usec, reliability113/255. txload 1/255, rxload 1/255Encapsulation aal5snap, loopback not setKeepalive not supportedDTR is pulsed for 5 seconds on resetLCP ClosedAAL5MUX PPP Encapsulation Configuration Example
The following example shows an ATM interface configuration for an AAL5MUX PPP encapsulation.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file generated when you use the show running-config command.
!interface ATM0no ip directed-broadcast (default)no atm ilmi-keepalive (default)pvc 8/35encapsulation aal5mux ppp dialerdialer pool-member 1!Verifying Your Configuration
To verify that you have properly configured the ATM interface with AAL5MUX PPP encapsulation, enter the virtual-access 1 command. You should see a verification output like the example shown below.
router#sh int virtual-access 1Virtual-Access1 is up, line protocol is upHardware is Virtual Access interfaceInterface is unnumbered. Using address of Dialer0 (2.2.2.1)MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec,reliability 255/255, txload 1/255, rxload 1/255Encapsulation PPP, loopback not setVirtual-access 1 is up means that the interface is up and running. If you see the output Virtual-access 1 is down, it means that the interface is "administratively down," and the interface is configured with the shutdown command. To bring the interface up, you must enter the no shutdown command.
Configuring Command-Line Access to the Router
Follow the steps below to configure parameters to control access to the router, beginning in global configuration mode.
For complete information on the command line commands, refer to the Cisco IOS Release 12.0 documentation set.
Configuration Example
The following configuration shows the command-line access commands.
You do not need to input the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!line con 0exec-timeout 10 0password 4youreyesonlylogintransport input none (default)stopbits 1 (default)line vty 0 4password secretlogin!Configuring Bridging
Bridges are store-and-forward devices that use unique hardware addresses to filter traffic that would otherwise travel from one segment to another. You can configure the routers as pure bridges.
Follow the steps below to configure bridging, beginning in global configuration mode.
For complete information on the bridging commands, refer to the Cisco IOS Release 12.0 documentation set. For more general concepts on bridging, see "Concepts."
Configuration Example
The following configuration example uses bridging with AAL5SNAP encapsulation. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
This configuration example shows the Ethernet and ATM interfaces configured. The Ethernet interface has IP addressing turned off for bridging, and IP directed broadcast is disabled, which prevents the translation of directed broadcasts to physical broadcasts. The bridge-group number to which the ATM interface is associated is set to 1.
The ATM interface has a PVC of 8/35, and the encapsulation is set to AAL5SNAP. The IP address is disabled for bridging and the IP directed broadcast is disabled, which prevents the translation of directed broadcasts to physical broadcasts. The bridge protocol is set to 1 to define the STP.
no ip routing!interface Ethernet0no ip addressno ip directed-broadcast (default)bridge-group 1!interface ATM0no ip addressno ip directed-broadcast (default)pvc 8/35encapsulation aal5snap!bridge-group 1!ip classless (default)!bridge 1 protocol ieee!endVerifying Your Configuration
To verify that you have properly configured bridging, enter the show spanning-tree command. You should see a verification output like the example shown below.
router#sh spanning-treeBridge group 1 is executing the IEEE compatible Spanning Tree protocolBridge Identifier has priority 32768, address 1205.9356.0000Configured hello time 2, max age 20, forward delay 15We are the root of the spanning treePort Number size is 9Topology change flag set, detected flag setTimes: hold 1, topology change 35, notification 2hello 2, max age 20, forward delay 15Timers:hello 1, topology change 34, notification 0bridge aging time 15Port 2 (Ethernet0) of Bridge group 1 is forwardingPort path cost 100, Port priority 128Designated root has priority 32768, address 1205.9356.0000Designated bridge has priority 32768, address 1205.9356.0000Designated port is 2, path cost 0Timers:message age 0, forward delay 0, hold 0BPDU:sent 0, received 0Port 3 (ATM0 RFC 1483) of Bridge group 1 is forwardingPort path cost 1562, Port priority 128Designated root has priority 32768, address 1205.9356.0000Designated bridge has priority 32768, address 1205.9356.0000Designated port is 3, path cost 0Timers:message age 0, forward delay 0, hold 0BPDU:sent 0, received 0Configuring Static Routing
Static routes are routing information that you manually configure into the router. If the network topology changes, the static route must be updated with a new route. Static routes are private routes, unless they are redistributed by a routing protocol. Configuring static routing on the 800 series routers is optional.
Follow the steps below to configure static routing, beginning in global configuration mode.
For complete information on the static routing commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on static routing, see "Concepts."
Configuration Example
In the following configuration example, the static route is sending all IP packets with a destination of 1.0.0.0 and a subnet mask of 255.0.0.0 out on the ATM interface to another device with an IP address of 14.0.0.1. Specifically, the packets are being sent to the configured PVC.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!ip classless (default)ip route 1.0.0.0 255.0.0.0 atm0 14.0.0.1no ip http server (default)!Verifying Your Configuration
To verify that you have properly configured static routing, enter the show ip route command and look for static routes signified by the "S."
You should see a verification output like the example shown below.
router#sh ip routeCodes:C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-ISinter area* - candidate default, U - per-user static route, o - ODRP - periodic downloaded static routeGateway of last resort is 0.0.0.0 to network 0.0.0.05* 2.0.0.0/24 is subnetted, 1 subnetsC 2.2.2.0 is directly connected, Ethernet0/0S* 0.0.0.0/0 is directly connected, Ethernet0/0Configuring Dynamic Routing
In dynamic routing, the network protocol adjusts the path automatically based on network traffic or topology. Changes in dynamic routing are shared with other routers in the network.
The IP routing protocol can use the Routing Information Protocol (RIP) or the Enhanced Interior Gateway Routing Protocol (EIGRP) to learn routes dynamically. You can configure either one of these routing protocols.
Configuring RIP
Follow the steps below to configure RIP routing protocol on the router, beginning in global configuration mode.
For complete information on the dynamic routing commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on RIP, refer to "Concepts."
Configuration Example
The following configuration shows RIP version 2 enabled in IP network 10.10.10.0.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!router ripversion 2network 10.0.0.0no auto-summary!Verifying Your Configuration
To verify that you have properly configured RIP, enter the show ip route command and look for RIP routes signified by "R." You should see a verification output like the following example.
router#sh ip routeCodes:C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-ISinter area* - candidate default, U - per-user static route, o - ODRP - periodic downloaded static routeGateway of last resort is not set2.0.0.0/24 is subnetted, 1 subnetsC 2.2.2.0 is directly connected, Ethernet0/0R 3.0.0.0/8 [120/1] via 2.2.2.1, 00:00:02, Ethernet0/0Configuring IP EIGRP
Follow the steps below to configure IP EIGRP, beginning in global configuration mode.
For complete information on the IP EIGRP commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on EIGRP concepts, see "Concepts."
Configuration Example
The following configuration shows EIGRP routing protocol enabled in IP networks 10.0.0.0 and 172.17.0.0. The EIGRP autonomous system number is assigned as 100.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!router eigrp 100network 10.0.0.0network 172.17.0.0!Verifying Your Configuration
To verify that you have properly configured IP EIGRP, enter the show ip route command and look for EIGRP routes signified by "D." You should see a verification output like the following example.
router#sh ip routeCodes:C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGPi - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area* - candidate default, U - per-user static route, o - ODRP - periodic downloaded static routeGateway of last resort is not set2.0.0.0/24 is subnetted, 1 subnetsC 2.2.2.0 is directly connected, Ethernet0/0D 3.0.0.0/8 [90/409600] via 2.2.2.1, 00:00:02, Ethernet0/0Configuring Addressing Parameters
This section describes how to configure addressing using Network Address Translation (NAT) and Easy IP Phase 1 and 2.
Configuring NAT
You can configure NAT for either static or dynamic address translations.
Follow the steps below to configure static or dynamic inside source translation, beginning in global configuration mode.
Note
For complete information on the NAT commands, refer to the Cisco IOS Release 12.0 documentation set. For general information on NAT concepts, see "Concepts."
Configuration Example
The following configuration shows NAT configured for the Ethernet and ATM interfaces.
The Ethernet 0 interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside, which means that the interface is connected to the inside network that is subject to NAT translation.
The ATM 0 interface has an IP address of 200.200.100.1 and a subnet mask of 255.255.255.0. NAT is configured for outside, which means that the interface is connected to an outside network, such as the Internet.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!interface Ethernet0ip address 192.168.1.1 255.255.255.0no ip directed-broadcast (default)ip nat inside!interface ATM0ip address 200.200.100.1 255.255.255.0no ip directed-broadcast (default)ip nat outsideno atm ilmi-keepalive (default)pvc 8/35encapsulation aal5snap!ip route 0.0.0.0.0.0.0.0 200.200.100.254!ip nat pool test 200.200.100.1 200.200.100.1 netmask 255.255.255.0ip nat inside source list 101 pool test overloadip classless (default)!Verifying Your Configuration
To verify that you have properly configured NAT, enter the show ip nat statistics command. You should see a verification output like the example shown below.
router#sh ip nat statisticsTotal active translations:45 (10 static, 35 dynamic; 45 extended)Outside interfaces:ATM0Inside interfaces:Ethernet0Hits:34897598 Misses:44367Expired translations:119305Dynamic mappings:-- Inside Sourceaccess-list 1 pool homenet refcount 14pool homenet:netmask 255.255.255.0start 200.200.100.1 end 200.200.100.1type generic, total addresses 1, allocated 1 (100%), missesConfiguring Easy IP (Phase 1)
This section explains how to configure Easy IP (Phase 1). Easy IP Phase 1 includes NAT overload and PPP/Internet Protocol Control Protocol (IPCP). NAT overload means that you can use one registered IP address for the interface and use it to access the Internet from all devices in the network.
With PPP/IPCP, Cisco 800 series routers automatically negotiate a globally unique (registered or public) IP address for the interface from the ISP route.
Follow the steps below to configure Easy IP (Phase 1), beginning in global configuration mode.
For complete information on the Easy IP commands, refer to the Cisco IOS Release 12.0 documentation set. For general information on Easy IP (Phase 1) concepts, see "Concepts."
Configuring Easy IP (Phase 2)
This section explains how to configure a Cisco 800 series router as a DHCP server.
The Easy IP (Phase 2) feature combines DHCP server and relay. With DHCP, LAN devices on an IP network (DHCP clients) can request IP addresses from the DHCP server. The DHCP server allocates IP addresses from a central pool as needed. A DHCP server can be a workstation, PC, or a Cisco router. With the DHCP relay feature configured on the router, the routers can relay IP address requests from the LAN interface and to the DHCP server as shown in Figure 7-1 and Table 7-1.
Figure 7-1 Easy IP (Phase 2)-DHCP Server and Relay
Configuring DHCP
The following sections describe how to configure the router as a DHCP client, server, or relay.
Configuring DHCP Client Support
Follow these steps to configure the router for DHCP client support:
Step 1
Specifying the value client-id ethernet0 means that the MAC address of the Ethernet interface is used as the client ID when the DHCP request is sent. Otherwise, the MAC address of the BVI interface is used as the client ID.
Step 2
a.
b.
c.
d.
ip nat inside source list 1 interface BVI 1 overload command.Step 3
a.
b.
Configuration Example
The following example shows a configuration of the DHCP client.
Current configuration:!version 12.0no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname c827!!ip subnet-zeroip dhcp excluded-address 10.10.10.1!ip dhcp pool SERVERnetwork 10.10.10.0 255.255.255.0default-router 10.10.10.1import all!bridge irbinterface Ethernet0ip address 10.10.10.1 255.255.255.0no ip directed-broadcastip nat inside!interface ATM0no ip addressno ip directed-broadcastno atm ilmi-keepalivebundle-enablehold-queue 208 in!interface ATM0.1 point-to-pointno ip directed-broadcastpvc 1/100encapsulation aal5snap!bridge-group 1!interface ATM0.2 point-to-pointip address 5.0.0.2 255.0.0.0no ip directed-broadcastpvc 1/101protocol ip 5.0.0.1 broadcastprotocol ip 5.0.0.5 broadcastencapsulation aal5snap!!interface BVI1ip address dhcp client-id Ethernet0no ip directed-broadcastip nat outside!ip nat inside source list 1 interface BVI1 overloadip classlessip route 0.0.0.0 0.0.0.0 BVI1no ip http server!access-list 1 permit 10.10.10.0 0.0.0.255bridge 1 protocol ieeebridge 1 route ip!voice-port 1timing hookflash-in 0!voice-port 2timing hookflash-in 0!voice-port 3timing hookflash-in 0!voice-port 4timing hookflash-in 0!!line con 0exec-timeout 0 0transport input nonestopbits 1line vty 0 4password lablogin!scheduler max-task-time 5000endConfiguring DHCP Server
Follow the steps below to configure the router as a DHCP server, beginning in global configuration mode.
For more information on the features not used in this configuration, refer to the Cisco IOS DHCP Server feature module. For more general information on DHCP servers, refer to "Concepts."
Configuration Example
The following configuration shows a DHCP server configuration for the IP address 20.1.1.2.
!ip dhcp pool CLIENTnetwork 20.20.20.0 255.255.255.0domain-name cisco.comdefault-router 20.20.20.20netbios-name-server 1.1.1.1dns-server 1.1.1.2lease 0 1!Verifying Your Configuration
To verify that you have properly configured the DHCP server, enter the show dhcp server command and look for the assigned server IP. You should see a verification output like the example shown below.
router# sh dhcp servershow ip dhcp bindingshow ip dhcp conflictshow ip dhcp server staticsConfiguring the DHCP Relay
This section describes how to configure the router to forward User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients.
Follow the steps below to configure the DHCP relay, beginning in global configuration mode.
For complete information on the DHCP relay commands, refer to the Cisco IOS Release 12.0 documentation set. For more general information on DHCP relays, refer to "Concepts."
Configuration Example
The following configuration contains commands relevant to DHCP relay only.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!int Ethernet0ip address 192.168.100.1 255.255.255.0ip helper-address 200.200.200.1!Verifying Your Configuration
To verify that you have properly configured the DHCP relay, enter the show dhcp server command. You should see verification output like the example shown below.
router#sh dhcp serverDHCP server:2.2.2.2Leases: 0Offers: 0 Requests:0 Acks:0 Naks:0Declines:0 Releases:0 Bad: 0Configuring TACACS+
The Cisco 806, 827, 831, 836, 837, 827H, and 827-4V routers and the Cisco SOHO 71, 91, 96, and 97 routers support the Terminal Access Controller Access Control System Plus (TACACS+) protocol through Telnet. TACACS+ is a Cisco proprietary authentication protocol that provides remote access authentication and related network security services, such as event logging. User passwords are administered in a central database rather than in individual routers. TACACS+ also provides support for separate modular authentication, authorization, and accounting (AAA) facilities that are configured at individual routers.
To configure your router to support TACACS+, perform the following tasks:
You may need to perform other configuration steps to enable accounting for TACACS+ connections. For instructions on configuring TACACS+, refer to the Security Configuration Guide.
Configuring an Extended Access List
Follow the steps below to include one or more extended access lists in your router configuration, beginning in global configuration mode.
For more complete information on the extended access list commands, refer to the Cisco IOS Release 12.0 documentation set. For information on TCP and UDP port assignments, see "Common Port Assignments."
Configuration Example
This configuration shows an access list being applied to IP address 192.168.1.0.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file generated when you use the show running-config command.
!access-list 101 permit tcp any host 192.168.1.0 0.0.0.255!Configuring Quality of Service Parameters
This section describes how to configure quality of service (QoS) parameters. The following are requirements for voice QoS:
•
•
You can configure QoS in a single- or multiple-PVC environment. In a single-PVC environment, the traffic relies on IOS to provide priority queuing, using class-based weighted fair queuing (CBWFQ) to prioritize voice traffic and using MTU size reduction to perform Layer 3 fragmentation of data packets. In a multiple-PVC environment, the traffic relies on the ATM interface to provide priority queuing for voice and fragmentation and interleaving.
Note
For complete information on the QoS commands, refer to the Cisco IOS documentation set. For general information on QoS concepts, see "Concepts."
Configuring a Single-PVC Environment
In the single-PVC environment, the traffic relies on IOS to provide priority queuing (using CBWFQ). The tasks to configure a single-PVC environment are as follows:
•
•
•
•
Configuring IP Precedence
IP Precedence gives voice packets a higher priority than other IP data traffic. The ip precedence command is used by the router to differentiate voice traffic from data traffic. Therefore, you need to ensure that the data IP packets do not have the same IP precedence as that of the voice packets.
Follow the steps below to configure real-time voice traffic precedence over other IP network traffic, beginning in global configuration mode.
Note
Configuring an Access List and Voice Class
Follow the steps below to create a policy map and to associate a priority queue with the voice class, beginning in global configuration mode.
Configuring a Policy Map and Specifing Voice Queuing
Follow the steps below to configure a policy map and to specify voice queuing, beginning in global configuration mode.
Step 1
policy map name
Configure a policy map.1
Step 2
class voice
Specify the class for queuing.
Step 3
priority number
Specify the priority for queuing.
1 Total bandwidth for the policy map may not exceed 75 percent of the total PVC bandwidth.
Configuring a Policy Map and Specifying Priority Queuing for Voice Class
Follow the steps below to associate the policy map to the ATM PVC and decrease the MTU of the ATM interface so that large data packets are fragmented, beginning in global configuration mode.
Step 1
policy map name
Configure a policy map.1
Step 2
class voice
Specify the class for queuing.
Step 3
priority bandwidth
Specify the priority for queuing.
Step 4
exit
Exit configuration mode for the policy map.
1 Total bandwidth for the policy map may not exceed 75 percent of the total PVC bandwidth.
Associating the Policy Map to the ATM PVC and Decreasing the ATM Interface MTU
Use the following table to associate the policy map to the ATM PVC and decrease the MTU, beginning in global configuration mode. It is recommended that 300 is used for the MTU size because it is larger than the size of the voice packets generated by the different codecs.
Note
Configuration Example
The following example shows a voice QoS configuration in a single-PVC environment using AAL5SNAP encapsulation.
!dial-peer voice 105 voipdestination-pattern 3..session target ipv4:10.1.2.3ip precedence 5access-list 101 permit ip any any precedence criticalclass-map voicematch access-group 101policy-map mypolicyclass voicepriority 480int atm0mtu 300pvc 8/35encapsulation aal5snapservice-policy out mypolicyvbr-rt 640 640 10!Configuring a Single-PVC Environment Using RFC 1483 Encapsulation
This section describes configuring of a single-PVC environment using RFC 1483.
In a single-PVC environment using RFC 1483 encapsulation, the traffic relies on Cisco IOS to provide priority queuing using low latency queuing (LLQ). The following tasks are needed to configure a single-PVC environment:
•
•
•
•
•
Differentiating Between Data and Voice Packets
To give priority to voice packets, the router must differentiate between the entering voice and data packets. One way to differentiate the packets is to examine their source or destination IP addresses, because data and VoIP devices may have different IP addresses.
Another way to differentiate the packet is use IP Precedence. Usually, data packets have precedence 0, while voice packets have IP precedence 5. To learn how to configure the IP Precedence for voice packets, refer to the documentation for your VoIP device.
Note
Configuring an Access List and Voice Class
Assuming that all voice packets have precedence 5 and that all data packets have precedence 0, perform these steps to configure an access-list that matches all precedence 5 packets, beginning in global configuration mode.
Configuring a Policy Map and Specifying Voice Queuing
Follow the steps below to configure a policy may and to specify voice queuing, beginning in global configuration mode.
Step 1
policy map name
Configure a policy map.1
Step 2
class voice
Specify the class for queuing.
Step 3
priority bandwidth
Specify the bandwidth for this strict priority queue.
1 Total bandwidth for the policy map may not exceed 75 percent of the total PVC bandwidth.
Associating the Policy Map with the ATM PVC and Using TCP MSS Adjust
Perform the steps below to associate the policy map with the ATM PVC and to use the TCP MSS adjust command to control delay, beginning in global configuration mode.
Note
Fine-Tuning the Size of the PVC ATM Transmit Ring Buffer
Each PVC has a hardware output first-in first-out (FIFO) queue that temporarily stores packets before they are sent out to the transceiver. In order to reduce latency for voice packets, you may need to reduce the size of this queue. Reducing the queue size reduces the maximum number of data packets that are "ahead" of a voice packet in the transmit queue. However, a transmit queue size that is too small may affect transmit throughput performance.
Configuration Example
The following example shows a voice QoS configuration in a single-PVC environment using AAL5SNAP encapsulation.
access-list 101 permit ip any any precedence criticalclass-map voicematch access-group 101policy-map mypolicyclass voicepriority 480int atm0dsl equipment-type CPEdsl linerate AUTOip tcp-mss 1452pvc 8/35encapsulation aaal5snapservice-policy out mypolicyvbr-rt 1000 1000 1tx-ring-limit 5!Configuring a Single-PVC Environment Using PPP over ATM and Multilink Encapsulation
This section describes configuring of a single-PVC environment using PPP over ATM and multilink encapsulation.
The "Configuring Link Fragmentation and Interleaving with Low Latency Queuing" section describes configuring multilink PPP fragmentation and interleaving for a second single-PVC environment.
In a single-PVC environment using PPP over ATM multilink encapsulation, the traffic relies on Cisco IOS to provide priority queuing using LLQ. These tasks are involved in configuring a single-PVC environment:
•
•
•
•
Differentiating Between Data and Voice Packets
To give priority to voice packets, the router must differentiate between the entering voice and data packets. One way to differentiate the packets is to examine the source or destination IP addresses, because data and VoIP devices may have different IP addresses.
Another way to differentiate the packets is use IP Precedence. Usually, data packets have precedence 0, while voice packets have IP precedence 5. To learn how to configure the IP precedence for voice packets, refer to the documentation for your VoIP device.
Note
Configuring the Policy Map and Specifying Voice Queuing
Follow the steps below to configure a policy may and to specify voice queuing, beginning in global configuration mode.
Step 1
policy map name
Configure a policy map.1
Step 2
class voice
Specify the class for queuing.
Step 3
priority bandwidth
Specify the bandwidth for this strict priority queue.
1 Total bandwidth for the policy map may not exceed 75 percent of the total PVC bandwidth.
Associating the Policy Map to the ATM PVC
Follow the steps below to associate the policy map to the ATM PVC, beginning in global configuration mode.
Configuring Link Fragmentation and Interleaving with Low Latency Queuing
Link fragmentation and interleaving (LFI) is available when you are using multilink PPP over ATM.
Two types of traffic can be simultaneously transmitted over the same link:
•
•
The purpose of LFI is to reduce latency for delay-sensitive traffic. Two things happen when LFI is used:
•
•
Multilink PPP is one example of how LFI is implemented.
Use the following steps to configure the router for LFI. Begin in global configuration mode.
Calculate the fragment size using the following formula:
fragment size = (bandwidth in kbps/8) * fragment-delay i milliseconds (ms)
In this case, the fragment size = (640/8) * 10 = 800. The fragment size is greater than the maximum voice packet size of 200, which is that of G.711, 20 ms. Note that a low fragment delay corresponds to a fragment size that may be smaller than the voice packet size, resulting in reduced voice quality.
Note
Configuring a Multiple-PVC Environment
In a multiple-PVC environment, the traffic relies on the ATM interface to provide priority queuing for voice and fragmentation and interleaving. The following sections describe the configurations that you can use.
Voice and Data on Different Subnets
Figure 7-2 shows voice and data packets on different subnets. All voice traffic may be on an ATM PVC with a vbr-rt service class, while all data traffic is transported on an ATM PVC with a ubr service class.
Figure 7-2 Voice and Data on Different Subnets
Configuring the ATM Interface and Subinterfaces
Follow the steps below to configure the ATM interface and subinterfaces, beginning in global configuration mode.
Configuration Example
The following example shows a voice QoS configuration with all data traffic on the 30.0.0.1 network and all voice traffic on the 20.0.0.1 network.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!interface ATM0.1 point-to-pointip address 20.0.0.1 255.0.0.0no ip directed-broadcast (default)pvc 1/100protocol ip 20.0.0.2 broadcastvbr-rt 424 424 5encapsulation aal5snap!interface ATM0.2 point-to-pointip address 30.0.0.1 255.0.0.0no ip directed-broadcast (default)pvc 1/101protocol ip 30.0.0.2 broadcastencapsulation aal5snapVoice and Data on the Same Subnet Using Virtual Circuit Bundling
Figure 7-3 and Table 7-2 show voice and data packets on the same subnet using virtual circuit bundling. Virtual circuit bundling allows multiple PVCs on the same bundle. Using virtual circuit bundling and assigning precedence 5 to voice packets and not data packets ensures that traffic for the two are separated onto two PVCs.
Figure 7-3 Voice and Data on the Same Subnet with Virtual Circuit Bundling
Ethernet 0
Bundle
PVC Bundle 1/40 BVR (RT), voice
PVC Bundle 8/35 UBR, data
The tasks for configuring a voice and data network on the same subnet with virtual circuit bundling are as follows:
•
•
•
•
Configuring the ATM Interface, PVC-Bundle for Voice and Data, and IP Precedence for Voice Packets
Follow the steps below to configure the ATM interface, the PVC-bundle for voice and data, and IP Precedence for the voice packets, beginning in global configuration mode.
Step 1
interface ATM 0
Enter configuration mode for the ATM interface.
Step 2
dsl equipment-type co/cpe
Configure the DSL equipment type.
Step 3
dsl linerate number/auto
Specify the G.SHDSL line rate. The range of valid numbers is between 72 and 2312.
Step 4
dsl operating-mode gshdsl symmetric annex annex
Set the G.SHDSL operating mode, and select the G.991.2 annex.
Step 5
ip address ip-address mask
Set the IP address and subnet mask for the ATM interface.
Step 6
bundle name
Specify a bundle name.
Step 7
encapsulation type
Specify the encapsulation type for the voice bundle PVC.
Step 8
protocol ip ip-address broadcast
Set the protocol broadcast for the IP address.
Step 9
pvc-bundle name vpi/vci
Create a PVC for the voice bundle.
Step 10
vbr-rt pcr scr bs
Set the service class for the voice bundle.1
Step 11
ip precedence number
Select an IP Precedence level specific to the voice bundle that you created.
Step 12
pvc-bundle name vpi/vci
Create a PVC for the data bundle.
Step 13
ubr pcr
Set the service class for the data2 bundle.
Step 14
precedence other
Set the IP Precedence level other to the data bundle that you created.
Step 15
exit
Exit configuration mode for the ATM interface.
1 For voice, the service class must be vbr-rt or vbr-nrt.
2 For data, the service class must be vbr-nrt or ubr.
Specifying IP Precedence and the Service Class for the Voice Network
Follow the steps below to configure real-time voice traffic precedence over other IP network traffic, beginning in global configuration mode.
Note
Configuration Example
The following configuration shows both voice and data on the same subnet with virtual circuit bundling. IP precedence is set to 5 for the voice packets, but not for the data packets so that the traffic can be separated onto two different ATM PVCs.
!interface atm0ip address 20.0.0.1 255.0.0.0bundle testencapsulation aal5snapprotocol ip 20.0.0.2 broadcast!pvc-bundle voice 1/100vbr-rt 424 424 5precedence 5!pvc-bundle data 1/101precedence other!dial-peer voice 100 voipdestination-pattern 26..session target ipv4:20.0.0.8ip precedence 5!Configuring Dial Backup
You must decide whether to activate the backup interface when the primary line goes down, when the traffic load on the primary line exceeds the defined threshold, or when either occurs. The tasks you perform depend on your decision. Perform the tasks in the following sections to configure dial backup:
•
•
•
Then configure the backup interface for DDR, so that calls are placed as needed.
Specifying the Backup Interface
To specify a backup interface for a primary WAN interface or subinterface, enter the backup interface type number command to select a backup interface.
Note
For more information regarding the available dial backup mechanisms in IOS, please go to the following URL:
http://www.cisco.com/warp/public/123/backup-main.html
Defining Backup Line Delays
You can configure a value that defines how much time should elapse before a secondary line status changes after a primary line status has changed. You can define two delays:
•
•
To define these delays, use the following syntax:
Router (config-if) # backup delay {enable-delay | never} {disable-delay | never}
Defining Traffic Load Threshold
You can configure dial backup to activate the secondary line, based on the traffic load on the primary line. The software monitors the traffic load and computes a 5-minute moving average. If this average exceeds the value you set for the line, the secondary line is activated and, depending on how the line is configured, some or all of the traffic will flow onto the secondary dialup line.
You can configure a load level for traffic at which additional connections will be added to the primary WAN interface. The load level values range from 1 (unloaded) to 255 (fully loaded).
Use the following syntax to define a WAN line threshold:
Router (config-if) # dialer load-threshold 8 outbound {enable-threshold | never} {disable-threshold | never}
Dial Backup Using the Console Port
The following example shows dial backup using a console port configured for DDR:
interface atm 0ip address 172.30.3.4 255.255.255.0backup interface async1backup delay 10 10!interface async 1ip address 172.30.3.5 255.255.255.0dialer in-banddialer string 5551212dialer-group 1async dynamic routingdialer list 1 protocol ip permitchat-script sillyman """atdt 5551212" TIMEOUT 60 "CONNECT"line aux 0modem chat-script sillymanmodem inoutspeed 9600Configuration Example
The following example shows configuration of dial backup and remote router management on the Cisco 831 and Cisco 837 routers using the console port and dialer watch.
!username Router password !PASSWORD!modemcap entry MY_USR_MODEM:MSC=&F1S0=1!chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT 5555102\T" TIMEOUT 60 CONNECT \c!interface Async1no ip addressencapsulation pppdialer in-banddialer pool-member 3autodetect encapsulation pppasync default routingasync dynamic routingasync mode dedicatedpap authentication pap callin!! Dialer3 is for dial backup and remote router management!interface Dialer3ip address negotiatedencapsulation pppno ip route-cacheno ip mroute-cachedialer pool 3dialer remote-name !REMOTE-NAMEdialer idle-timeout 300dialer string 5555102 modem-script Dialoutdialer watch-group 1dialer-group 1autodetect encapsulation ppppeer default ip address 192.168.2.2no cdp enableppp pap sent-username ! USER SPECIFIC password ! USER SPECIFICppp ipcp dns requestppp ipcp wins requestppp ipcp mask request!! IP NAT over Dialer interface using route-mapip nat inside source route-map main interface Dialer1 overloadip nat inside source route-map secondary interface Dialer3 overloadip classlessip route 0.0.0.0 0.0.0.0 !(dial backup peer address @ISP)ip route 0.0.0.0 0.0.0.0 Dialer1 150!no ip http serverip pim bidir-enable!!access-list 101 permit ip 192.168.0.0 0.0.255.255 anydialer watch-list 1 ip !(ATM peer address @ISP) 255.255.255.255dialer-list 1 protocol ip permit!! To direct traffic to an interface only if the Dialer gets assigned with an ip addressroute-map main permit 10match ip address 101match interface Dialer1!route-map secondary permit 10match ip address 101match interface Dialer3!line con 0exec-timeout 0 0modem enablestopbits 1line aux 0exec-timeout 0 0script dialer Dialoutmodem InOutmodem autoconfigure type MY_USR_MODEMtransport input allstopbits 1speed 38400flowcontrol hardwareline vty 0 4exec-timeout 0 0login local!The following example shows configuration of remote management using a console port for the Cisco SOHO 91 and Cisco SOHO 97 routers.
!username Router password !PASSWORD!modemcap entry MY_USR_MODEM:MSC=&F1S0=1!interface Async1no ip addressencapsulation pppdialer in-bandautodetect encapsulation pppasync default routingasync dynamic routingasync mode dedicatedpap authentication pap callinpeer default ip address pool clientpool!! dialer 1 used for PPPoE or PPPoATM! PPPoE or PPPoATM dialer1 configurations are not shown in this sample!ip route 0.0.0.0 0.0.0.0 dialer 1 150!dialer list 1 protocol ip permit!ip local pool clientpool 192.168.0.2 192.168.0.10!line con 0exec-timeout 0 0modem enablestopbits 1line aux 0exec-timeout 0 0modem Dialinmodem autoconfigure type MY_USER_MODEMtransport input allstopbits 1speed 38400flowcontrol hardwareto align with line aux 0exec-timeout 0 0login local!Configuration Example
The following example shows dial backup and remote management configuration on the Cisco 836 router, using the ISDN S/T port and dialer watch.
Cisco836#!vpdn enable!vpdn-group 1accept-dialinprotocol pppoe!!Specifies the ISDN switch typeisdn switch-type basic-net3!interface Ethernet0ip address 192.168.1.1 255.255.255.0hold-queue 100 out!!ISDN interface to be used as a backup interfaceinterface BRI0no ip addressencapsulation pppdialer pool-member 1isdn switch-type basic-net3!interface ATM0no ip addressno atm ilmi-keepalivepvc 1/40encapsulation aal5snappppoe-client dial-pool-number 2!dsl operating-mode auto!! Dial backup interface, associated with physical BRI0 interface. Dialer pool 1 associates it with BRI0's dialer pool member 1. Note "dialer watch-group 1" associates a watch list with corresponding "dialer watch-list" commandinterface Dialer0ip address negotiatedencapsulation pppdialer pool 1dialer idle-timeout 30dialer string 384040dialer watch-group 1dialer-group 1!! Primary interface associated with physical ATM0 interface, dialer pool 2 associates it with ATM0's dial-pool-number2interface Dialer2ip address negotiatedip mtu 1492encapsulation pppdialer pool 2dialer-group 2no cdp enable!ip classless!Primary and backup interface given route metricip route 0.0.0.0 0.0.0.0 22.0.0.2ip route 0.0.0.0 0.0.0.0 192.168.2.2 80ip http server!!Watch for interesting trafficdialer watch-list 1 ip 22.0.0.2 255.255.255.255!Specifies interesting traffic to trigger backup ISDN trafficdialer-list 1 protocol ip permit!Configuring IGMP Proxy and Sparse Mode
The Internet Group Management Protocol (IGMP) proxy feature was added to the unidirectional link routing feature to permit hosts that are not directly connected to a downstream router to join a multicast group sourced from an upstream network.
Follow the steps below to configure IGMP proxy and sparse mode, starting in global configuration mode.
Configuration Example
The following example shows the relevant IGMP proxy and sparse mode commands. The Ethernet 0, Ethernet 1, and loopback 0 interfaces have been configured for PIM sparse mode; the PIM RP address has been defined as 10.5.1.1.
ip pim rp-address 10.5.1.1 5access-list 5 permit 239.0.0.0 255.255.255.255!interface loopback 0ip address 10.7.1.1 255.255.255.0ip pim sparse-modeip igmp helper-address udl ethernet 0ip igmp proxy-service!interface ethernet 0ip address 10.2.1.2 255.255.255.0ip pim sparse-modeip igmp unidirectional link!interface ethernet 1ip address 10.5.1.1 255.255.255.0ip pim sparse-modeip igmp mroute-proxy loopback 0!Verifying Your Configuration
You can verify your configuration by using the show ip igmp interface ethernet 0 multicasting command. You should see a verification output similar to the following:
router#show ip igmp interface ethernet 0Ethernet0 is up, line protocol is upInternet address is 10.2.1.2 255.255.255.0IGMP is enabled on interfaceCurrent IGMP host version is 2Current IGMP router version is 2IGMP query interval is 60 secondsIGMP querier timeout is 120 secondsIGMP max query response time is 10 secondsLast member query response interval is 1000 msInbound IGMP access group is not setIGMP activity: 1 joins, 0 leavesMulticast routing is enabled on interfaceMulticast designated router (DR) is 10.2.1.2 (this system)IGMP querying router is 10.2.1.2 (this system)Multicast groups joined (number of users):224.0.1.40 (1)Configuring IP Security and GRE Tunneling
IP Security (IPSec) provides secure tunnels between two peers, such as two routers. You can define which packets are to be considered sensitive and sent through these secure tunnels. You can also define the parameters which should be used to protect these sensitive packets, by specifying characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
This section contains the following topics:
•
•
•
•
•
Configurations for both IPSec and Generic Routing Encapsulation (GRE) tunneling are presented in this section. Perform the following steps to configure IPSec using a GRE tunnel, beginning in global configuration mode.
For general IPSec configuration, go to:
www.cisco.com/warp/public/707/index.shtml#ipsec
Configuring Internet Protocol Parameters
Complete the follow steps to configure IP parameters, starting in global configuration mode.
Configuring an Access List
Use the access-list command to create an access list that permits the GRE protocol and that specifies the starting and ending IP addresses of the GRE tunnel. Use the following syntax:
access-list 101 permit gre host ip-address host ip-address
In the preceding command line, the first host ip-address specifies the tunnel starting point, and the second host ip-address specifies the tunnel end point.
Configuring IPSec
Follow the steps below to configure IPSec, starting in global configuration mode.
Configuring a GRE Tunnel Interface
Follow the steps below to configure the generic routing encapsulation (GRE) tunnel interface, starting in global configuration mode.
Configuring the Ethernet Interfaces
Perform the following tasks to configure the Ethernet 0 and Ethernet 1 interfaces, starting in global configuration mode.
Configuring Static Routes
Complete the following steps to configure static routes, starting in global configuration mode.
Configuring and Monitoring High-Speed Crypto
Use the following command to enable high-speed crypto, starting with global configuration mode.
crypto engine acceleratorTo disable high-speed crypto, use the following command:
no crypto engine acceleratorTo monitor high-speed crypto, use the following command:
show crypto engine accelerator statistic
For more information on configuring IPSec, refer to the Cisco IOS Security Configuration Guide.
Configuration Example
This configuration example for the Cisco 831 router shows IPSec being used over a GRE tunnel. The example also applies to a Cisco SOHO 91 router. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname 831-uut1!memory-size iomem 10!ip subnet-zero!ip audit notify logip audit po max-events 100!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key grel address 100.1.1.1!crypto ipsec security-association lifetime seconds 86400!crypto ipsec transform-set strong esp-3des esp-sha-hmac!crypto map mymap local-address Ethernet1crypto may mymap 1 ipsec-isakmpset peer 100.1.1.1set transform-set strongmatch address 151!!!!interface Tunnel0ip address 1.1.1.1 255.255.255.0tunnel source Ethernet1tunnel destination 100.1.1.1crypto map mymap!interface Ethernet0ip address 202.2.2.2 255.255.255.0hold-queue 100 out!interface Ethernet1ip address 100.1.1.1 255.255.255.0crypto map mymap!ip classlessip route 200.1.1.0 255.255.255.0 Tunnel0ip http server!!access-list 151 permit gre host 100.1.1.2 host 100.1.1.1!line con 0no modem enablestopbits 1line aux 0line vty 0 4!scheduler max-task-time 5000The following example shows IPSec configuration on a Cisco 837 router.
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 837-uutl!memory-size iomem 10!mmi polling-interval 60no mmi auto-configureno mmi pvcmmi snmp-timeout 180ip subnet-zero!ip audit notify logip audit po max-events 100ip ssh time-out 120ip ssh authentication-retries 3!crypto isakmp policy 1encr 3desauthentication pre-sharecrypto isakmp key grel address 100.1.1.1!crypto ipsec transform-set strong esp-3des esp-sha-hmac!crypto map mymap local-address ATM0crypto map mymap 1 ipsec-isakmpset peer 100.1.1.1set transform-set strongmatch address 151!interface Tunnel0ip address 1.1.1.1 255.255.255.0ip mtu 1440tunnel source ATM0tunnel destination 100.1.1.1crypto map mymap!interface Ethernet0ip address 202.2.2.2 255.255.255.0hold-queue 100 out!interface ATM0ip address 100.1.1.2 255.255.255.0no atm ilmi-keepalivepvc 1/40protocol ip 100.1.1.1 broadcastencapsulation aa15snap!dsl operating-mode autocrypto map mymap!ip classlessip route 200.1.1.0 255.255.255.0 Tunnel0ip http serverip pim bidir-enableConfiguring Multilink PPP Fragmentation and Interleaving
You should configure multilink PPP fragmentation if you have point-to-point connection using PPP encapsulation or if you have links slower than your network.
PPP support for interleaving can be configured on a dialer interface.
Follow the steps below to configure multilink PPP and interleaving on a dialer interface, beginning in global configuration mode.
For complete information on the PPP fragmentation and interleaving commands, refer to the Dial Solutions Configuration Guide for Cisco IOS Release 12.0T. For general information on PPP fragmentation and interleaving concepts, see "Concepts."
Configuration Example
The following configuration defines a dialer interface that enables multilink PPP with interleaving and a maximum real-time traffic delay of 20 ms. The encapsulation type is defined as aal5mux.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file generated when you use the show running-config command.
!interface dialer 1ppp multilinkencapsulated pppppp multilink interleavebandwidth 640ppp multilink fragment-delay 20ip rtp reserve 16384 100 64!interface ATM0pvc 8/35encapsulation aal5mux ppp dialerdialer pool-member 1Verifying Your Configuration
To verify that you have properly configured PPP fragmentation and interleaving, enter the debug ppp multilink fragment command, and then send out one 1500-byte ping packet. The debug message will display information about the fragments being transmitted.
Configuring IP Precedence
IP Precedence gives voice packets higher priority than other IP data traffic. Complete the following steps to configure real-time voice traffic precedence over other IP network traffic, beginning in global configuration mode.
Note
For complete information on the IP Precedence commands, refer to the Cisco IOS Release 12.0 documentation set. For general information on IP precedence, see "Concepts."
Configuration Example
This configuration example shows a voice configuration with IP Precedence set. The IP destination target is set to 8 dialing digits, which automatically sets the IP precedence to 5 on the Cisco routers. The dial peer session target is RAS, which is a protocol that runs between the H.323 voice protocol gateway and gatekeeper.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!access-list 101 permitroute-map data permit 10set ip precedence routing!Configuring Voice
Step 1
configure dial-peer
Enter configuration mode for the dial peer.
Step 2
dial-peer voice number voip
Assign the dial peer voice number to configure a VoIP dial peer.
The Cisco 827 voice-enabled routers support voice using the H.323 signaling protocol as the default signaling protocol.
Prerequisite Tasks
Before you can configure your router to use voice, you need to perform the following tasks:
•
•
•
•
Configuring Voice for H.323 Signaling
This section describes the tasks you need to perform to configure the router for H.323 signaling on the voice ports.
Configuring the POTS Dial Peers
Use the following steps to configure the POTS dial peers, beginning in global configuration mode.
Configuring Voice Dial Peers for H.323 Signaling
Complete the following steps to configure voice dial peers for H.323 signaling, beginning in global configuration mode.
Configuring Voice Ports for H.323 Signaling
Voice port configuration should be automatic in the United States; however, for configuration outside the United States, you may follow the steps below to configure the voice port, beginning in global configuration mode.
For complete information on the dial peer commands, refer to the Cisco IOS Release 12.0 documentation set. For general information on dial peer concepts, see "Concepts."
Configuring Number Expansion
This section describes how to expand an extension number into a particular destination pattern. Use the following global configuration command to expand the extension number:
Router(config)# num-exp extension-number extension-stringTo verify that you have mapped the telephone numbers correctly, enter the show num-exp command.
After you have configured dial peers and assigned destination patterns to them, enter the show dialplan number command to see how a telephone number maps to a dial peer.
For complete information on the number expansion commands, refer to the Cisco IOS documentation set.
Configuration Example
This configuration shows voice traffic configured. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!class-map voicematch access-group 101!policy-map mypolicyclass voicepriority 128class class-defaultfair-queue 16!ip subnet-zero!gateway!interface Ethernet0ip address 20.20.20.20 255.255.255.0no ip directed-broadcast (default)ip route-cache policyip policy route-map data!interface ATM0ip address 10.10.10.20 255.255.255.0no ip directed-broadcast (default)no atm ilmi-keepalive (default)pvc 1/40service-policy output mypolicyprotocol ip 10.10.10.36 broadcastvbr-nrt 640 600 4! 640 is the maximum upstream rate of ADSLencapsulation aal5snap!bundle-enableh323-gateway voip interfaceh323-gateway voip id gk-twister ipaddr 172.17.1.1 1719h323-gateway voip h323-id gw-820h323-gateway voip tech-prefix 1#!router eigrp 100network 10.0.0.0network 20.0.0.0!ip classless (default)no ip http server!access-list 101 permit ip any any precedence criticalroute-map data permit 10set ip precedence routine!!line con 0exec-timeout 0 0transport input nonestopbits 1line vty 0 4login!!voice-port 1local-alertingtimeouts call-disconnect 0!voice-port 2local-alertingtimeouts call-disconnect 0!voice-port 3local-alertingtimeouts call-disconnect 0!voice-port 4local-alertingtimeouts call-disconnect 0!dial-peer voice 10 voipdestination-pattern........ip precedence 5session target ras!dial-peer voice 1 potsdestination-pattern 5258111port 1!dial-peer voice 2 potsdestination-pattern 5258222port 2!dial-peer voice 3 potsdestination-pattern 5258333port 3!dial-peer voice 4 potsdestination-pattern 5258444port 4!endCisco 827 Router Configuration Examples
Examples are provided for the following configurations:
•
•
•
•
These configurations are intended to be examples only. Your router configuration may look different, depending on your network.
Cisco 827-4V Router Configuration
The following is a configuration for the Cisco 827-4V router configured for H.323 signaling voice traffic. These commands appear automatically in the configuration file generated when you use the show running-config command.
ip subnet-zero!bridge crb!interface Ethernet0no ip addressno ip directed-broadcastbridge-group 1!interface ATM0no ip addressno ip directed-broadcastno atm ilmi-keepalivebundle-enable!interface ATM0.1 point-to-pointip address 1.0.0.1 255.255.255.0no ip directed-broadcastpvc voice 1/40protocol ip 1.0.0.2 broadcastencapsulation aal5snap!!interface ATM0.2 point-to-pointno ip addressno ip directed-broadcastpvc data 1/41encapsulation aal5snap!bridge-group 1!ip classless!bridge 1 protocol ieee!voice-port 1local-alertingtimeouts call-disconnect 0!voice-port 2local-alertingtimeouts call-disconnect 0!voice-port 3local-alertingtimeouts call-disconnect 0!voice-port 4local-alertingtimeouts call-disconnect 0!dial-peer voice 101 potsdestination-pattern 14085271111port 1!dial-peer voice 1100 voipdestination-pattern 12123451111codec g711ulawsession target ipv4:1.0.0.2!dial-peer voice 102 potsdestination-pattern 14085272222port 2!dial-peer voice 1200 voipdestination-pattern 12123452222codec g711ulawsession target ipv4:1.0.0.2!dial-peer voice 103 potsdestination-pattern 14085273333port 3!dial-peer voice 1300 voipdestination-pattern 12123453333codec g711ulawsession target ipv4:1.0.0.2!dial-peer voice 104 potsdestination-pattern 14085274444port 4!dial-peer voice 1400 voipdestination-pattern 12123454444codec g711ulawsession target ipv4:1.0.0.2!Cisco 827 Router Configuration
The following is a configuration for the Cisco 827 router. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
Current configuration:!version 12.0no service pad (default)service timestamps debug uptime (default)service timestamps log uptime (default)no service password-encryption (default)hostname Cisco827enable secret 5 $1$RnI.$K4mh5q4MFetaqKzBbQ7gv0ip subnet-zerono ip domain-lookupip dhcp-server 20.1.1.2ipx routing 0010.7b7e.5499!In the preceding command, the router MAC address is automatically used ! as the router IPX address.!interface Ethernet0ip address 10.1.1.1 255.255.255.0no ip directed-broadcast (default)ipx network 100 novell-ether!interface ATM0ip address 14.0.0.17 255.0.0.0no ip directed-broadcast (default)no atm ilmi-keepalive (default)pvc 8/35protocol ip 14.0.0.1 no broadcastencapsulation aal5snap!router ripversion 2network 10.0.0.0network 30.0.0.0no auto-summary!no ip http server (default)ip classless (default)!line con 0exec-timeout 10 0password 4youreyesonlylogintransport input none (default)stopbits 1 (default)line vty 0 4password secretlogin!endCorporate or Endpoint Router Configuration for Data Network
This section shows a configuration that you can use to configure a Cisco 3600 router as a corporate or endpoint router in your data network.You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
Current configuration:!version 12.0no service pad (default)service timestamps debug uptime (default)service timestamps log uptime (default)no service password-encryption (default)!hostname c3600enable secret 5 $1$8TI8$WjLcYWgZ7EZhqH49Y2hJV!ip subnet-zerono domain-lookupipx routing 0010.7b7e.5498!In the preceding command, the router MAC address is automatically used as the router IPX address.!interface Ethernet0ip address 20.0.0.1 255.0.0.0no ip directed-broadcast (default)ipx network 200!router ripversion 2network 20.0.0.0network 30.0.0.0no auto-summary!no ip http server (default)ip classless (default)!protocol ip 2.0.0.1 broadcast!line con 0exec-timeout 0 0transport input none (default)stopbits 1 (default)line vty 0 4password secretlogin!endCorporate or Endpoint Router Configuration for Data and Voice Network
This section shows a configuration that you can use to configure a Cisco 3600 router as a corporate or endpoint router in your data and voice network.You do not need to enter the commands marked "default." These commands appear automatically in the configuration file generated when you use the show running-config command.
Current configuration:!version 12.0service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname c3640!ip subnet-zero!cns event-service server!!!voice-port 1/0/0no echo-cancel enable!voice-port 1/1/0!voice-port 1/1/1!dial-peer voice 101 potsdestination-pattern 5552222port 1/0/0!dial-peer voice 102 potsdestination-pattern 5554444port 1/0/1!dial-peer voice 103 potsdestination-pattern 5556666port 1/1/0!dial-peer voice 104 potsdestination-pattern 5558888port 1/1/1dial-peer voice 1100 voipdestination-pattern 5551111codec g711alawip precedence 5no vadsession target ipv4:2.0.0.3!dial-peer voice 1101 voipdestination-pattern 5553333codec g711alawip precedence 5no vadsession target ipv4:2.0.0.3!dial-peer voice 1102 voipdestination-pattern 5555555codec g711alawip precedence 5session target ipv4:2.0.0.3!dial-peer voice 1103 voipdestination-pattern 5557777codec g711alawip precedence 5session target ipv4:2.0.0.3!process-max-time 200!interface Ethernet0/1no ip addressno ip directed-broadcast (default)shutdown!router ripversion 2network 3.0.0.0!ip classless (default)ip route 0.0.0.0 0.0.0.0 Ethernet 0/0ip route 1.0.0.0 255.0.0.0 3.0.0.0ip route 2.0.0.0 255.0.0.0 3.0.0.1ip route 5.0.0.0 255.0.0.0 3.0.0.1ip route 40.0.0.0 255.255.255.0 172.28.9.1ip route 172.28.5.0 255.255.255.0 172.28.9.1ip route 172.28.9.0 255.255.255.0 172.28.9.1no http server!line con 0transport input none (default)line aux 0line vty 0 4login!end
