Feedback
Table Of Contents
Configuring the MWR 1941-DC in a Cell Site DCN
Verifying the Version of Cisco IOS Software
Configuring the Host Name and Password
Verifying the Host Name and Password
Configuring Fast Ethernet Interfaces
Configuring the Ethernet Switch Network Module
Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards
Configuring 16-Port Asynchronous Network Module
Configuring T1 and E1 Interfaces
Configuring the 1 T3/E3 Module
Configuring the Card Type and Controller for a T3 Interface
Configuring DSU Mode and Bandwidth for T3
Configuring the Card Type and Controller for an E3 Interface
Configuring DSU Mode and Bandwidth for E3
Configuring the NM-AIC-64, Contact Closure Network Module
Configuring the NOC IP Address
Programming the Analog Contact Points
Programming the Discrete Contact Points
Monitoring and Maintaining the NM-AIC-64 Contact Closure Network Module
Assigning a QoS Boilerplate to an Interface
Filtering IP Packets Using Access Lists
Creating Standard and Extended Access Lists Using Numbers
Creating Standard and Extended Access Lists Using Names
Specifying IP Extended Access Lists with Fragment Control
Benefits of Fragment Control in an IP Extended Access List
Enabling Turbo Access Control Lists
Applying Time Ranges to Access Lists
Including Comments About Entries in Access Lists
Controlling Access to a Line or Interface
Controlling Policy Routing and the Filtering of Routing Information
IP Extended Access List with Fragment Control Example
Time Range Applied to an IP Access List Example
Commented IP Access List Entry Examples
Monitoring and Managing the MWR 1941-DC Router
Show Commands for Monitoring the MWR 1941-DC
Configuring the MWR 1941-DC in a Cell Site DCN
Note
Cisco IOS Release 12.3(11)T does not support the Cisco IOS Cell Site DCN feature set (software image) for the MWR 1941-DC router.
This chapter describes how to use the Cisco IOS software command-line interface (CLI) to configure the following features of the MWR 1941-DC router in a Cell Site DCN:
•
•
•
•
•
•
•
•
•
•
Follow the procedures in this chapter to configure the router manually, or if you want to
change the configuration after you have run the setup command facility "Using the Setup Command Facility" section.This chapter describe only a small portion of commonly used configuration procedures. For detailed configuration topics, refer to the Cisco IOS configuration guide and command reference publications. These publications are available on the Documentation CD-ROM that came with your router, on the World Wide Web from Cisco's home page, or you can order printed copies separately.
Note
Before You Begin
Before you configure the MWR 1941-DC in a Cell Site DCN, please note the following:
•
•
•
•
•
Step 1
Router(config)# redundancyStep 2
Router(config-r)# mode y-cableStep 3
Router(config-r-y)# standaloneStep 4
Router(config-r-y)# exitTo verify the status of the relays on an MWR 1941-DC router, use the show controllers command.
Timesaver
Caution
Caution
Verifying the Version of Cisco IOS Software
To implement the MWR 1941-DC router in an Cell Site DCN, the router requires Cisco IOS Release 12.2(15)MC1a or a later be installed. To verify the version of Cisco IOS software, use the show version command.
The show version command displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.
Configuring the Host Name and Password
One of the first configuration tasks you might want to do is configure the host name and set an encrypted password. Configuring a host name allows you to distinguish multiple Cisco routers from each other. Setting an encrypted password allows you to prevent unauthorized configuration changes.
Verifying the Host Name and Password
To verify that you configured the correct host name and password:
Step 1
Router(config)# show configUsing 1888 out of 126968 bytes!version XX.X...!hostname Router!enable secret 5 $1$60L4$X2JYOwoDc0.kqa1loO/w8/...Step 2
Step 3
Router# exit...Router con0 is now availablePress RETURN to get started.Router> enablePassword: guessmeRouter#
Tips
•
•
Configuring Fast Ethernet Interfaces
To configure the FE interface, complete the following tasks, beginning in global configuration mode:
Configuration Example
The following is a sample output from the show running-config command for a FE interface:
interface FastEthernet0/0ip address 172.18.28.202 255.255.255.128ip helper-address 99.1.1.2no ip mroute-cachespeed 100full-duplexConfiguring the Ethernet Switch Network Module
The 16-port Ethernet Switch network module (NM-16ESW) is a high-density module that provides Layer 2 switching across Ethernet ports. In a Cell Site DCN implementation, you can use the NM-16ESW in the Cisco MWR 1941-DC router for a cell site LAN for IP connectivity for peripheral equipment.
For information on configuring the NM-16ESW, see 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Cisco IOS Release 12.2(T) feature module:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t11/ft1636nm.htm
Configuration Example
The following is a sample output from the show running-config command for a NM-16ESW:
interface FastEthernet0/0ip address 172.18.28.206 255.255.255.128no ip proxy-arpspeed 100full-duplex!interface FastEthernet0/1no ip addressno ip proxy-arpload-interval 30shutdownspeed 100full-duplexno keepaliveno cdp enable!interface Serial0/1:0ip address 100.50.0.206 255.255.255.0no ip proxy-arpencapsulation pppload-interval 30keepalive 1no fair-queueno cdp enable!interface Serial0/2no ip addressshutdownclockrate 125000!interface Serial0/3no ip addressshutdownclockrate 125000!interface FastEthernet1/0no ip addressduplex fullspeed 100!interface FastEthernet1/1no ip addressduplex fullspeed 100!interface FastEthernet1/2no ip addressduplex fullspeed 100!interface FastEthernet1/3no ip addressduplex fullspeed 100!interface FastEthernet1/4switchport access vlan 162no ip addressduplex fullspeed 10!interface FastEthernet1/5no ip addressduplex fullspeed 100!interface FastEthernet1/6no ip addressduplex fullspeed 100!interface FastEthernet1/7switchport access vlan 11no ip addressload-interval 30duplex fullspeed 100no keepaliveno cdp enablespanning-tree portfast!interface FastEthernet1/8switchport access vlan 12no ip addressload-interval 30shutdownduplex fullspeed 10no cdp enablespanning-tree portfast!interface FastEthernet1/9no ip addressduplex fullspeed 100!interface FastEthernet1/10switchport mode trunkno ip addressduplex fullspeed 10!interface FastEthernet1/11no ip addressduplex fullspeed 100!interface FastEthernet1/12no ip addressduplex fullspeed 100!interface FastEthernet1/13switchport access vlan 161no ip addressduplex fullspeed 10keepalive 1!interface FastEthernet1/14no ip addressduplex fullspeed 100!interface FastEthernet1/15switchport access vlan 12no ip addressload-interval 30duplex fullspeed 10no cdp enablespanning-tree portfast!interface Vlan1no ip addressshutdown!interface Vlan10no ip address!interface Vlan11ip address 41.42.43.206 255.255.255.0no ip proxy-arpload-interval 30!interface Vlan12no ip addressno ip proxy-arpno ip mroute-cacheload-interval 30shutdown!interface Vlan20no ip address!Configuring Asynchronous/Synchronous Serial Network Modules or WAN Interface Cards
The interfaces on the Asynchronous/Synchronous serial network modules or WAN interface card can be configured for synchronous or asynchronous serial protocols. HDLC (synchronous) and PPP (asynchronous or synchronous) are typical serial protocols.
Note
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/finter_c/index.htm
To configure a serial interface, complete the following tasks, beginning in global configuration mode:
Step 1
Router(config)# interface serial 0/0
Router(config-if)#
Enter the interface configuration mode. You have entered interface configuration mode when the prompt changes to Router(config-if)#.
Step 2
Router(config-if)# ip address 172.16.74.1 255.255.255.0
Assign the IP address and subnet mask to the interface.
Step 3
Set the encapsulation method, (for example, HDLC, PPP, Frame-Relay) used by the interface.
Step 4
Router(config-if)# physical-layer async
All serial ports are initially configured as synchronous. Enter this command if you want to configure the port as asynchronous.
Step 5
Router(config-if)# async mode dedicated
Router(config-if)# async default routing
Configure asynchronous parameters according to your needs.
Step 6
Router(config-if)# line async <#>
Configure the asynchronous line setting.
Step 7
Router(config-if)# clockrate 7200
To use a port in DCE mode, connect a DCE cable and set the internal transmit clock signal (TXC) speed in bits per second. See Table 6-1 and Table 6-2 for a list of clock rate settings for your specific interface. (For ports used in DTE mode, the router automatically uses the external timing signal.)
Step 8
Router(config-if)# nrzi-encoding
All serial interfaces support both nonreturn to zero (NRZ) and nonreturn to zero inverted (NRZI) formats. NRZ is the default; NRZI is commonly used with EIA/TIA-232 connections in IBM environments. To enable NRZI encoding on an interface, enter this command.
Step 9
Router(config-if)# exit
Exit back to global configuration mode.
Repeat Step 4 through Step 14 if your router has more that one serial interface that you need to configure.
Step 10
Router(config)# Ctrl-z
Router#
When you finish configuring interface, return to enable mode.
Configuration Example
The following is a sample output from the show running-config command:
HDLC, DCE Side
!interface Serial1/3ip address 45.45.45.62 255.255.255.0clockrate 64000no cdp enable!HDLC, DTE Side
!interface Serial1/0ip address 44.44.44.62 255.255.255.0no cdp enable!Sync PPP, DCE Side
!interface Serial1/3ip address 45.45.45.62 255.255.255.0encapsulation pppclockrate 64000no cdp enable!Sync PPP, DTE Side
!interface Serial1/0ip address 44.44.44.62 255.255.255.0encapsulation pppno cdp enable!Async PPP (same configuration for either side, must set line speed via line interface)
!interface Serial1/0physical-layer asyncip address 44.44.44.62 255.255.255.0encapsulation pppasync mode dedicated!line 33speed 57600Configuring 16-Port Asynchronous Network Module
The serial interfaces of the NM-16A provide low-speed EIA/TIA-232 data links from cell site equipment to the backhaul network. Alternatively, these interfaces can provide terminal server capability allowing cell site equipment to be managed remotely.
Note
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtmlTo configure an asynchronous interface on the NM-16A, complete the following tasks, beginning in global configuration mode:
Configuration Example
The following is a sample output from the show running-config command:
!interface Async40ip address 10.10.15.62 255.255.255.0encapsulation pppasync dynamic routingasync mode dedicatedno keepalive!line 40speed 115200Configuring T1 and E1 Interfaces
To configure a T1/E1 trunk interface, enter the following Cisco IOS commands at the router prompt.
Configuring T1 Interfaces
To configure a new T1 interface (or change an existing one), complete the following tasks beginning in global configuration mode:
Configuring E1 Interfaces
To configure a new T1 interface (or change an existing one), complete the following tasks beginning in global configuration mode:
Configuring Drop and Insert
The Drop and Insert feature can be configured using the Cisco VWIC-2MFT-T1-DIR and VWIC-2MFT-E1-DIR VWICs.
Drop-and-Insert capabilities allow individual 64Kb DS0 channels to be transparently passed, uncompressed, between two ports on the same VWIC without passing through a digital signal processor (DSP).
Note
To set up the Drop and Insert feature, complete the following tasks beginning in controller configuration mode:
Configuration Examples
T1 Controller
The following is a sample configuration of an individual T1 controller from the show running-config command output:
controller T1 0/0framing esfclock source internallinecode b8zscablelength short 133channel-group 0 timeslots 1-24 speed 64Drop and Insert
The following is a sample drop and insert configuration from the show running-config command output:
controller E1 0/0clock source internalchannel-group 0 timeslots 1-5tdm-group 2 timeslots 6-24!controller E1 0/1clock source internaltdm-group 1 timeslots 6-24connect E1_TDM E1 0/0 2 E1 0/1 1Configuring the 1 T3/E3 Module
The NM-1T3/E3 is a single port universal T3/E3 network module with integrated CSU/DSU, clear channel, and subrate support. Channels on the network module can be configured as either T3 or E3 through Cisco IOS software and enables you to switch between T3 and E3 applications with a single IOS command.
Note
Caution
Note
Configuring the T3 Interface
To configure the T3 interface, complete the following required tasks:
•
•
Configuring the Card Type and Controller for a T3 Interface
When the Clear Channel T3/E3 network module is used for the first time, the running configuration does not show the T3/E3 controller and its associated serial interface. You can use the show version command to learn if the router recognized the T3/E3 card and was able to initialize the card properly. After the card type is configured for the slot, the respective controller and serial interface appear in the running configuration. See the "Verifying the Version of Cisco IOS Software" section.
After the network module has ascertained that the card has been initialized properly, use the card type command to configure the card. If the command is accepted successfully, Cisco IOS software creates a controller and a serial interface for the card.
Note
To select and configure a card type and controller as T3, complete the following tasks beginning in global configuration mode:
Configuring DSU Mode and Bandwidth for T3
To specify the interoperability mode and maximum allowable bandwidth used by a T3 controller, complete the following tasks beginning in global configuration mode:
Configuring the E3 Interface
To configure the E3 interface, complete the following required tasks:
•
•
•
Configuring the Card Type and Controller for an E3 Interface
Note
To configure the card type and controller for an E3 interface, complete the following tasks beginning in global configuration mode:
Configuring DSU Mode and Bandwidth for E3
To specify the interoperability mode used by an E3 controller, complete the following tasks beginning in global configuration mode:
Configuring Scrambling for E3
To enable encryption of the payload on the E3 controller, complete the following tasks beginning in global configuration mode.
Configuration Examples
T3 Controller
The following is sample output from the show running-config command for a T3 controller:
card type t3 1controller T3 1/0cablelength 10interface Serial1/0no ip addressno ip route-cacheno ip mroute-cacheno keepalivedsu bandwidth 44210E3 Controller
The following is sample output from the show running-config command for an E3 controller:
card type e3 1controller E3 1/0interface Serial1/0ip address 10.0.0.6 255.255.255.0encapsulation pppno keepalivedsu bandwidth 34010no cdp enableConfiguring the NM-AIC-64, Contact Closure Network Module
The Alarm Interface Card Network Module (AICNM) is an optional card that expands network management capabilities for customer-defined alarms. The AIC has its own CPU that communicates with the router and external media through serial communication channels. The AIC reduces service provider and enterprise operating costs by providing a flexible, low-cost network solution for migrating existing DCNs to IP-based DCNs. The AIC provides its users with a single "box" solution because it can be configured in the same router along with other operation, alarm, maintenance, and provisioning (OAMP) interfaces.
The AIC provides a total of 64 alarm inputs. Eight of the 64 point are software configurable for measuring either analog inputs or discrete inputs. The remaining 56 points are fixed to measure discrete points only. The AIC also provides 16 control relay outputs.
The discrete alarm input can be activated through ground or negative battery input. The negative battery range is -36V to -72V. The analog alarm is software configurable for either DC voltage or current. It can measure voltage from -60 to 60V or current from 0 to 20mA, but the configurable range is 4 mA to 20mA. The standard 16 control relays can be configured to turn on or turn off an external device.
The AIC's 64 input contact points can control and monitor network elements and other non-intelligent interfaces, permitting the detection and report of alarms such as the following:
•
•
•
•
•
When an event occurs, such as a door alarm or an open gate, the AIC maps the simple discrete and analog alarms to preprogrammed intelligent messages and transports the messages to destinations in the IP network, typically to a Network Operations Center (NOC). These messages are generated either in Transaction Language 1 (TL1) or in Simple Network Management Protocol (SNMP), which are used by a NOC's Operations Support System (OSS).
When the AIC is incorporated into the Cisco DCN solution platforms, all the AIC's contact-closure alarms are routed and reported through the same network and systems as the intelligent network elements (NEs). This facilitates continued use of the existing OSS and its associated networks. A Cisco router with an AIC sends TL1 or SNMP messages to the OSS autonomously or in response to TL1 or SNMP commands from the OSS, as shown in Figure 6-1. TL1 supports two sessions, with the port numbers 5011 and 5012, respectively, and SNMP supports four sessions.
Figure 6-1 TL1 and SNMP Message Flow in a DCN Application
Serial Communication Channels
As illustrated in Figure 6-2, the AIC has two serial communications channels that provide different types of interfaces to Cisco IOS software:
•
•
Figure 6-2 OS Boundary into the AIC
Serial Data Channel
The serial data channel supports all TCP/IP traffic to and from the AIC. This includes communication over IP with NOCs and data centers. The channel consists of one physical interface that provides support for the following applications:
•
•
•
•
The Cisco IOS software assigns an IP address to the AIC for use by the serial data channel. To route traffic, the serial data channel uses IP over synchronous High-Level Data Link Control (HDLC). All IP packets coming to the Cisco router with a destination IP address that matches the AIC's IP address are forwarded to the serial data channel using IP over HDLC.
Asynchronous Craft Port
The asynchronous craft port supports Telnet to the AIC's port number. This Telnet method, called local-CLI, is useful for debugging when remote Telnet to the AIC's IP address (remote-CLI) is not applicable. For more information, see the "Configuring the NOC IP Address" section.
The asynchronous craft port also supports an AIC boot sequence, similar to the ROM monitor in Cisco IOS software, which allows the user to recover from a corrupted software image or configuration. See the "Override" section.
Configuring the AIC
From a top-level view, AIC configuration involves assigning an IP address to the AIC using Cisco IOS commands and setting up alarm configurations with either TL1 or the AIC command-line interface (CLI). The flexible TL1 and AIC CLI permit a broad range of alarm configuration scenarios. The following are examples of alarm configurations that can be programmed with the AIC CLI:
Configuring a Discrete Alarm
enableconfig terminalalarm 1description "west door"normally closeddescription normal "door closed"description alarm "door open"level 2exitConfiguring an Analog Alarm as an Analog Monitoring Voltage
enableconfig terminalalarm 57description "tank level"description normal "full"description low "low"description low-low "empty"analog voltage 2.5 30 60 60exitConfiguring an Analog Alarm as a Discrete Monitoring Current
enableconfig terminalalarm 58description "east door"discrete current-loop 0.0 3.2 5.9exitConfiguring an Analog Alarm as a Discrete Monitoring Voltage
enableconfig terminalalarm 58description "backup battery"discrete voltage 9.0 highexitConfiguring an Analog Alarm to Act Like a Discrete Alarm (Minimal Configuration Method)
enableconfig terminalalarm 59discreteexitConfiguration Tasks
See the following sections for configuration tasks for the AIC feature. Each task in the list is identified as either required or optional:
•
–
–
•
•
Configuring the AIC
Cisco IOS commands are used for configuring the AIC IP address and the IP routing to the AIC NM. After the IP address and the IP routing are set, alarm configurations can then be set up with either TL1 or the AIC command-line interface. See the"Configuring the NOC IP Address" section or the "Configuring Alarms" section for more information.
The following sections describe how to configure the AIC IP address and the IP Routing to the AIC NM.
Entering Alarm Configuration Mode and Configuring the AIC IP Address
Enter alarm configuration mode and configure the AIC IP address, beginning in privileged EXEC mode:
Configuring the IP Route to the AIC
There are many ways to configure IP routing to the AIC. Below are two methods. The first method uses an unnumbered IP address. It is used when an administrator wants to assign an IP address that is already known to the router, such as an address that is one of the addresses in the subnet of a FastEthernet IP address.
The second method, does not use an unnumbered IP address and is used when there is a subnet available to the serial interface and to the AIC. Usually this subnet is small with a subnet mask such as 255.255.255.252.
Configure IP routing to the AIC with an unnumbered IP address, beginning in global configuration mode:
Configure IP routing to the AIC without an unnumbered IP address, beginning in global configuration mode:
Accessing the AIC
Remote-CLI and local-CLI are the two methods for accessing the AIC:
•
telnet 10.5.5.2•
telnet 10.2.130.105 2001where 10.2.130.105 is the router's IP address and 2001 is on slot 0 of the AIC.
The AIC's TCP port number depends on the slot number in which the AIC is installed. As shown in Table 6-3, the Cisco IOS software reserves the first line of each slot for the asynchronous craft port.
Table 6-3 TCP Port Number Allocation for the AIC on the Cisco 2600 and Cisco 3600 Series
Configuring the NOC IP Address
Note
Configure up to four NOC IP addresses to which the AIC will send SNMP messages, beginning in global configuration mode:
Configuring Alarms
After the AIC and NOC IP addresses have been configured, you can the configure alarms by programming the AIC's discrete and analog contact points. These tasks can be performed on-site or by Telneting as described in the "Accessing the AIC" section.
Alarms are configured using either TL1 or AIC CLI. Information about TL1 commands can be found in the Telcordia Technology (formerly Bellcore) document Network Maintenance: Network Element and Transport Surveillance Messages, GR-833-CORE, Issue 5, November 1996. For a reference of security-related commands (ACT-USER and CANC-USER) refer to Telcordia Technology's Operations Applications Messages-Network Element and Network System Security Admin Messages, TR-NWT-000835, Issue 2, January 1993. The following TL1 messages and commands are supported by the AIC:
•
–
–
–
•
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Programming the Analog Contact Points
Alarm points 57 through 64 are analog inputs, which are configurable as discrete inputs. When configured as an analog input, the user must select whether the point is monitoring voltage or current. The user must also define five ranges by selecting four values for a point monitoring voltage or six ranges for a point monitoring current. For current-monitoring points, the lowest and highest values define the range of possible values. (Valid values are from -9999999.9 to 9999999.9.) For voltage-monitoring alarms, the range of possible values is always -60V to 60V. The other four values must be within the defined range, and they partition the range into low-low, low, high, and high-high ranges. Except for the normal range, each range is associated with an alarm condition.
Analog points have four unique alarm states. Each alarm state has its own alarm description string. Only one alarm state per point may be active at any given time. In other words, when a threshold is crossed, the previous alarm state is cleared and the new alarm state is active.
When an analog input is configured as discrete, the user must select whether the point is monitoring voltage or current. Similar to the analog configuration, the user must also select the range of acceptable values for a current-monitoring alarm. (Valid values are from -9999999.9 to 9999999.9.) The voltage range is always -60V to 60V. The user must define the threshold that will cause the alarm condition and whether the normal state of the alarm is the higher or lower range.
Note
analog current-loop 10 13 16 17 20 26
has 16 units between 10 and 26. If the AIC measures 4 mA, then it will factor that the point is registering at the lower boundary. The AIC will interpret 13 as 7 mA, 16 as 10 mA, 17 as 11 mA, 20 as 14 mA, and 26 as the upper boundary, which is 20 mA.Following are examples:
Point 57 is monitoring the ambient temperature of a building and the sensor range is -20 to 75 degrees Celsius. Below 0 degrees is a critical alarm, 0 to 10 degrees is a major alarm, 10 to 35 degrees is the normal range, 35 to 45 degrees is a minor alarm, and above 45 degrees is a major alarm. The configuration for this point follows:
alarm 57analog current-loop -20 0 10 35 45 75level low-low 1level low 2level high 3level high-high 2Point 58 is monitoring a fuel tank level with a resistive sensor. Below -46 volts is a critical alarm,
-46 to -40 volts is a minor alarm, and above -40 volts is the normal range. This is a unidirectional alarm, so the high thresholds are set equal to the high bound (since this threshold cannot be crossed). The configuration for this point follows:alarm 58analog voltage -46 -40 60 60level low-low 1level low 3Point 59 is monitoring a battery bank. Below -42 volts is a critical alarm and above -42 volts is the normal range. The configuration for this point follows:
alarm 59discrete voltage -42 highlevel 1Programming the Discrete Contact Points
The discrete alarms do not require as much programming as the analog alarms. The AIC CLI commands available are the following:
Verifying the IP Address
To verify that the correct AIC IP address and IP route was entered, use the show run command. Below are samples of before-configuration and after-configuration show run command outputs:
interface Serial5/0ip unnumbered FastEthernet0/0!ip route 10.2.130.102 255.255.255.255 Serial5/0!alarm-interface 5ip address 10.2.130.102********Before Configuration show run Output*******version 12.1no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname uut2-RouterA!logging rate-limit console 10 except errors!ip subnet-zero!!no ip fingerno ip domain-lookup!call rsvp-synccns event-service server!!interface FastEthernet0/0ip address 10.2.130.2 255.255.0.0duplex autospeed autono cdp enable!interface Serial5/0no ip address!ip kerberos source-interface anyip classlessip route 0.0.0.0 0.0.0.0 10.2.0.1ip http server!no cdp run!!dial-peer cor custom!!line con 0exec-timeout 0 0transport input noneline 161no exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4password lablogin!end*****After Configuration show run Output*******version 12.1no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname uut2-3660!logging rate-limit console 10 except errorsno logging console!ip subnet-zero!no ip fingerno ip domain-lookup!call rsvp-synccns event-service server!interface FastEthernet0/0ip address 10.2.130.2 255.255.0.0duplex autospeed autono cdp enable!interface Serial5/0ip unnumbered FastEthernet0/0!ip kerberos source-interface anyip classlessip route 0.0.0.0 0.0.0.0 10.2.0.1ip route 10.2.130.102 255.255.255.255 Serial5/0ip http server!no cdp run!!alarm-interface 5ip address 10.2.130.102!dial-peer cor custom!!!line con 0exec-timeout 0 0transport input noneline 161no exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4password lablogin!endTroubleshooting Tips
If no alarm messages are sent for an unusually long period of time, ping the AIC address to check for connectivity.
Monitoring and Maintaining the NM-AIC-64 Contact Closure Network Module
The AIC provides a TFTP client for software upgrade and configuration image transfer. The methods for both actions, as well as how to override the existing software or configuration, are described below.
Software Upgrade
When upgrading software, the AIC must be reset to run the new software. The AIC provides a protected (login required) command for software download. When the user invokes this command with the TFTP server address as a parameter, the AIC connects to the IP address and, via TFTP, retrieves the software image file. After verifying that the software has been transferred successfully, the AIC replaces its running software with the newly downloaded software.
In the case of incompatible versions of Cisco IOS and AIC software, the Cisco IOS software recognizes the difference and displays this information to the user. The user makes the decision whether to upgrade or downgrade either the Cisco IOS or AIC software or to take no corrective action.
Configuration Backup
The AIC CLI provides commands for storing and restoring configurations. Users can transfer the current configuration of the AIC to or from the TFTP server whose address is given as a parameter to the
get config command. When a configuration file is transferred from the server to the AIC, the AIC takes on the new configuration.The configuration is stored as a list of commands (script) that can be applied to the CLI of an AIC for configuration.
Two other useful commands are the get image and put config commands. Use the get image command to get a new image, and the put config command to back up the configuration to the TFTP server.
Backup is not automatic, but the AIC reminds the user, on logout, to back up the configuration.
Override
In the case that bad software is resident on the AIC or that the configured administrator password is lost, the AIC provides a method for recovering the card. Upon booting, the AIC begins a countdown, visible at the AIC local CLI (Craft Port). If an ASCII character is received on that local CLI channel (DSCC4 channel 2) during this countdown, the AIC enters a mode in which a limited CLI is available. At this limited CLI, available over the Craft Port only, no login is necessary. The user may enter commands for software upgrade and configuration transfer. The new configuration takes effect upon a reset of the AIC card.
After interrupting the countdown, the user will see an AIC Boot]: prompt. From this prompt, the user can enter "?" to see the available commands, "g" to get a new application image, or "d" to delete the current configuration and return to the defaults. (All commands require a carriage return.) In the case of the get command, the user will be prompted for the name of the file, the IP address of the TFTP server, and a confirmation.
Configuration Examples
AIC IP Address Configuration Example
The following example shows a Cisco router configured for AIC IP address:
version 12.2no service single-slot-reload-enableservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname RouterA-top!logging rate-limit console 10 except errors!memory-size iomem 15ip subnet-zero!!no ip fingerno ip domain-lookupip host moe 172.31.10.2ip host mickey 10.1.1.2!no ip dhcp-client network-discoveryframe-relay switchingx25 routing!!call-history-mib max-size 50!interface Ethernet0/0ip address 10.5.37.13 255.255.0.0ip helper-address 223.255.254.254no keepalivehalf-duplex!interface Serial0/0ip address 10.5.5.1 255.255.255.0encapsulation frame-relayno ip mroute-cacheclockrate 500000frame-relay class voice-vcframe-relay traffic-shapingframe-relay map ip 10.5.5.2 990 broadcastframe-relay interface-dlci 990frame-relay intf-type dce!interface Ethernet0/1no ip addresshalf-duplexno cdp enable!interface Serial0/1ip address 10.11.11.1 255.255.255.0encapsulation frame-relayno ip mroute-cacheclockrate 256000frame-relay class voice-vcframe-relay traffic-shapingframe-relay interface-dlci 991frame-relay intf-type dce!interface Serial1/0ip address negotiated!router mobile!ip kerberos source-interface anyip classlessip route 223.255.254.254 255.255.255.255 10.5.0.1ip route 223.255.254.254 255.255.255.255 Ethernet0/0no ip http server!!map-class frame-relay voice-vcframe-relay cir 800000frame-relay bc 512000no frame-relay adaptive-shapingframe-relay fair-queueframe-relay voice bandwidth 500000frame-relay fragment 100frame-relay ip rtp priority 16384 16383 512!map-class frame-relay fr1frame-relay cir 1000000frame-relay bc 1000no frame-relay adaptive-shapingframe-relay fair-queueframe-relay voice bandwidth 1000000frame-relay fragment 100!map-class frame-relay voice-vc2frame-relay cir 800000frame-relay bc 512000no frame-relay adaptive-shapingframe-relay voice bandwidth 800000!map-class frame-relay voice-dataaccess-list 1 deny 192.200.1.20access-list 2 deny 10.10.1.10dialer-list 1 protocol ip permitdialer-list 1 protocol ipx permit!snmp-server packetsize 4096snmp-server manager!alarm-interface 1ip address 10.4.3.2call rsvp-sync!mgcp modem passthrough voip mode cano mgcp timer receive-rtcp!mgcp profile default!dial-peer cor custom!dial-peer voice 1 potsdestination-pattern 3direct-inward-dialforward-digits all!dial-peer voice 100 voipshutdowndestination-pattern 3session target ipv4:10.2.81.1playout-delay maximum 300!dial-peer voice 2 potsshutdowndestination-pattern 3002!dial-peer voice 3 potsshutdowndestination-pattern 3003!dial-peer voice 4 potsshutdowndestination-pattern 3004!dial-peer voice 2000 voipshutdowndestination-pattern 2...session target ipv4:5.5.5.2playout-delay maximum 300!dial-peer voice 110 voipshutdowndestination-pattern 1...session target ipv4:10.2.83.30playout-delay maximum 300!dial-peer voice 922 potsshutdowndestination-pattern 9..!dial-peer voice 22 potsshutdowndestination-pattern 22!dial-peer voice 6001 potsshutdowndestination-pattern 6001!dial-peer voice 333 voipshutdowndestination-pattern 1session target ipv4:10.2.79.55playout-delay maximum 300!dial-peer voice 200 vofrshutdowndestination-pattern 1!dial-peer voice 7001 potsshutdowndestination-pattern 7001!dial-peer voice 5000 voipshutdowndestination-pattern 5...session target ipv4:10.11.11.2playout-delay maximum 300!dial-peer voice 20 voipshutdowndestination-pattern 1session target ipv4:10.11.11.2playout-delay maximum 300!dial-peer voice 2001 voippreference 2shutdowndestination-pattern 2...session target ipv4:10.2.79.7playout-delay maximum 300!dial-peer voice 1000 voipdestination-pattern 1...session target ipv4:10.2.81.6playout-delay maximum 300no vad!dial-peer voice 1001 voatmshutdowndestination-pattern 1...!dial-peer voice 1100 vofrshutdowndestination-pattern 1...session target Serial0/0 990no vad!gateway!gateway!gatekeepershutdown!!line con 0exec-timeout 0 0transport input noneline 33no exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4login!endIP Route to the AIC Configuration Examples
Following examples show the configuration of an IP route to the AIC with an unnumbered and numbered IP address.
With an Unnumbered IP Address
The following example shows a Cisco router, with an IP route to an AIC, is configured with an unnumbered IP address:
version 12.1no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname uut2-RouterB!logging rate-limit console 10 except errorsno logging console!ip subnet-zero!!no ip fingerno ip domain-lookup!call rsvp-synccns event-service server!interface FastEthernet0/0ip address 10.2.130.2 255.255.0.0duplex autospeed autono cdp enable!interface Serial5/0ip unnumbered FastEthernet0/0!ip kerberos source-interface anyip classlessip route 0.0.0.0 0.0.0.0 10.2.0.1ip route 10.2.130.102 255.255.255.255 Serial5/0ip http server!no cdp run!alarm-interface 5ip address 10.2.130.102!dial-peer cor custom!!!line con 0exec-timeout 0 0transport input noneline 161no exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4password lablogin!endWithout an Unnumbered IP Address
The following example shows a Cisco router configured without an unnumbered IP address:
uut5-2621#s runBuilding configuration...Current configuration :1318 bytes!version 12.2no service single-slot-reload-enableservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname uut5-RouterC!logging rate-limit console 10 except errorsno logging console!ip subnet-zero!no ip fingerno ip domain-lookup!no ip dhcp-client network-discovery!interface FastEthernet0/0ip address 10.2.130.5 255.255.0.0duplex autospeed autono cdp enable!interface Serial1/0ip address 172.128.12.1 255.255.255.252!router ripnetwork 10.0.0.0!ip kerberos source-interface anyip classlessip route 0.0.0.0 0.0.0.0 10.2.0.1no ip http server!no cdp run!snmp-server packetsize 4096snmp-server manager!!alarm-interface 1ip address 172.128.12.2call rsvp-sync!dial-peer cor custom!line con 0exec-timeout 0 0transport input noneline 33no exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4password lablogin!no scheduler allocate!endAIC CLI Configuration for Alarms
These examples are output from the show alarm config # command.
Discrete Alarm
description:west doornormally closednormal state description:door closedalarm state description:door openSNMP trap:enabledAnalog Alarm Monitoring Current
description:thermostathigh-high state description:very hothigh state description:hotnormal state description:just rightlow state description:coldlow-low state description:very coldcurrent-loop -5.2 5.4 15.0 25.0 35.1 45.6SNMP trap:enabledAnalog Alarm Monitoring Current Configured as a Discrete
description:east doorconfigured as discretenormal state description:door closedalarm description:door opencurrent-loop 0.0 3.2 5.9SNMP trap:enabled
Configuring QoS Attributes
To use QoS on the MWR 1941-DC router in a Cell Site DCN, create a class map that defines the criteria that a packet much match to be placed in that class and then tell the router the action to take on those packets that match by creating a policy map. These two components make up the QoS boilerplate and once you have created the QoS boilerplate, you can assign it to an interface.
Note
Creating a Class Map
For each class map that you want to create, do the following in global configuration mode:
Step 1
Router(config)# class-map [match-all | match-any] class_nameWhere match-any means a single match rule is sufficient for class membership and match-all means only those packets that have all the attributes you specify are part of the class.
When you enter the class-map command, you are placed in class map configuration mode.
Step 2
Router(config-cmap)# match access-group numberRouter(config-cmap)# match ip dscp numberRouter(config-cmap)# match ip precedence numberRouter(config-cmap)# match input-interface interface-nameRouter(config-cmap)# match protocol protocol•
•
•
•
•
For more information about these commands, see the "Cisco IOS Quality of Service Solutions Command Reference."
Step 3
Router(config-cmap)# exit
Creating a Policy Map
To create a policy map, do the following in global configuration mode:
Step 1
Router(config)# policy-map policy_nameWhen you enter the policy-map command, you are placed in policy map configuration mode.
Step 2
Router(config-pmap)# class class_nameSpecify the same class_name as you did in Step 1 of Creating a Class Map. When you enter the class command, you are placed in class submode of the policy-map configuration mode.
Step 3
Router(config-pmap-c)# priority percent numberRouter(config-pmap-c)# bandwidth percent numberRouter(config-pmap-c)# queue-limit numberRouter(config-pmap-c)# priority rate-in-kbpsRouter(config-pmap-c)# shape {average | peak} cir [bc] [be]Router(config-pmap-c)# shape max-buffers number-of-buffers•
•
•
•
•
Note
For more information about these commands, see the "Cisco IOS Quality of Service Solutions Command Reference."
Step 4
Step 5
Router(config-pmap-c)# exitRouter(config-pmap)# exit
Assigning a QoS Boilerplate to an Interface
To assign a QoS boilerplate to an interface, do the following in global configuration mode.
Step 1
Router(config)# interface numberStep 2
Router(config-if)# service-policy output policy_name
Configuration Example
The following is an example configuration of QoS configured on the MWR 1941-DC router in a Cell Site DCN.
class-map match-all voice-classmatch protocol rtpclass-map match-all nm-classmatch protocol snmpmatch protocol syslogclass-map match-all data-classmatch protocol telnetmatch protocol ftpmatch protocol http!policy-map protoclass nm-classbandwidth percent 20queue-limit 300class data-classbandwidth percent 40queue-limit 300class voice-classbandwidth percent 40queue-limit 300Filtering IP Packets Using Access Lists
Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces, we provide access lists.
You can use access lists in the following ways:
•
•
•
This section summarizes how to create IP access lists and how to apply them.
An access list is a sequential collection of permit and deny conditions that apply to IP addresses. The Cisco IOS software tests addresses against the conditions in an access list one by one. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the software rejects the address.
The two main tasks involved in using access lists are as follows:
1.
2.
These and other tasks are described in this section and are labeled as required or optional. Either the first or second task is required, depending on whether you identify your access list with a number or a name.
•
•
•
•
•
•
•
Creating Standard and Extended Access Lists Using Numbers
Cisco IOS software supports the following types of access lists for IP:
•
•
•
•
Note
To create a standard access list, use the following commands in global configuration mode:
Step 1
Router(config)# access-list access-list-number remark remark
Indicates the purpose of the deny or permit statement.1
Step 2
Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
or
Router(config)# access-list access-list-number {deny | permit} any [log]
Defines a standard IP access list using a source address and wildcard.
Defines a standard IP access list using an abbreviation for the source and source mask of 0.0.0.0 255.255.255.255.
1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
The Cisco IOS software can provide logging messages about packets permitted or denied by a standard IP access list. That is, any packet that matches the access list will cause an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console global configuration command.
The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
However, you can use the ip access-list log-update command to set the number of packets that, when match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.
Caution
Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so each cache is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified.
Note
Note
For an example of a standard IP access list using logs, see the "Numbered Access List Examples" section.
To create an extended access list, use the following commands in global configuration mode:
Step 1
Router(config)# access-list access-list-number remark remark
Indicates the purpose of the deny or permit statement.1
Step 2
Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
or
Router(config)# access-list access-list-number {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]
or
Router(config)# access-list access-list-number {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name][fragments]
or
Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
Defines an extended IP access list number and the access conditions. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.
or
Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
or
Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
or
Defines a dynamic access list. For information about lock-and-key access, refer to the "Configuring Traffic Filters" chapter in the Cisco IOS Security Configuration Guide.
1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Note
After you create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.
Note
Note
Note
After creating an access list, you must apply it to a line or interface, as shown in the "Applying Access Lists" section. See the "Implicit Masks in Access Lists Examples" section for examples of implicit masks.
Creating Standard and Extended Access Lists Using Names
You can identify IP access lists with an alphanumeric string (a name) rather than a number. Named access lists allow you to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. Currently, only packet and route filters can use a named list.
Consider the following guidelines before configuring named access lists:
•
•
•
•
Note
To create a standard access list, use the following commands beginning in global configuration mode:
Step 1
Router(config)# ip access-list standard name
Defines a standard IP access list using a name and enters standard named access list configuration mode.
Step 2
Router(config-std-nacl)# remark remark
Allows you to comment about the following deny or permit statement in a named access list.1
Step 3
Router(config-std-nacl)# deny {source [source-wildcard] | any}[log]
and/or
Router(config-std-nacl)# permit {source [source-wildcard] | any}[log]
Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.
Step 4
Router(config-std-nacl)# exit
Exits access-list configuration mode.
1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
To create an extended access list, use the following commands beginning in global configuration mode:
Step 1
Router(config)# ip access-list extended name
Defines an extended IP access list using a name and enters extended named access list configuration mode.
Step 2
Router(config-ext-nacl)# remark remark
Allows you to comment about the following deny or permit statement in a named access list.1
Step 3
Router(config-ext-nacl)# deny | permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
and
Router(config-ext-nacl)# deny | permit protocol any any [log | log-input] [time-range time-range-name] [fragments]
or
Router(config-ext-nacl)# deny | permit protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]
or
Router(config-ext-nacl)# dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
In access-list configuration mode, specifies the conditions allowed or denied. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.
or
Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
or
Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
or
Defines a dynamic access list.
1 This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Note
Note
After you initially create an access list, you place any subsequent additions (possibly entered from the terminal) at the end of the list. In other words, you cannot selectively add access list command lines to a specific access list. However, you can use no permit and no deny commands to remove entries from a named access list.
Note
After creating an access list, you must apply it to a line or interface, as shown in "Applying Access Lists" section".
See the "Named Access List Example" section for an example of a named access list.
Specifying IP Extended Access Lists with Fragment Control
This section describes the functionality added to IP extended named and numbered access lists. You can now specify whether the system examines noninitial IP fragments of packets when applying an IP extended access list.
Prior to this feature, nonfragmented packets and the initial fragment of a packet were processed by IP extended access lists (if such an access list was applied), but noninitial fragments were permitted by default. The IP Extended Access Lists with Fragment Control feature now allows more granularity of control over noninitial packets.
Because noninitial fragments contain only Layer 3 information, access-list entries containing only Layer 3 information can and now are applied to noninitial fragments. The fragment has all the information the system needs to filter, so the entry is applied to the fragments.
This feature adds the optional fragments keyword to four IP access list commands [access-list (IP extended), deny (IP), dynamic, and permit (IP)]. By specifying the fragments keyword in an access list entry, that particular access list entry applies only to noninitial fragments of packets; the fragment is either permitted or denied accordingly.
The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
The fragments keyword can be applied to dynamic access lists also.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Turbo Access Lists
A turbo access list treats fragments and uses the fragments keyword in the same manner as a nonturbo access list.
Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Benefits of Fragment Control in an IP Extended Access List
If the fragments keyword is used in additional IP access list entries that deny fragments, the fragment control feature provides the following benefits:
Additional Security
You are able to block more of the traffic you intended to block, not just the initial fragment of such packets. The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached because they are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic improves security and reduces the risk from potential hackers.
Reduced Cost
By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to block.
Reduced Storage
By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination does not have to store the fragments until the reassembly timeout period is reached.
Expected Behavior is Achieved
The noninitial fragments will be handled in the same way as the initial fragment, which is what you would expect. There are fewer unexpected policy routing results and fewer fragment of packets being routed when they should not be.
For an example of fragment control in an IP extended access list, see the "IP Extended Access List with Fragment Control Example" section.
Enabling Turbo Access Control Lists
The Turbo Access Control Lists (Turbo ACL) feature processes access lists more expediently than conventional access lists. This feature enables a Cisco router to evaluate ACLs for more expedient packet classification and access checks.
ACLs are normally searched sequentially to find a matching rule, and ACLs are ordered specifically to take this factor into account. Because of the increasing needs and requirements for security filtering and packet classification, ACLs can expand to the point that searching the ACL adds a substantial amount of time and memory when packets are being forwarded. Moreover, the time taken by the router to search the list is not always consistent, adding a variable latency to the packet forwarding. A high CPU load is necessary for searching an access list with several entries.
The Turbo ACL feature compiles the ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independently of the existing number of ACL entries. The benefits of this feature include the following:
•
•
Note
The Turbo ACL builds a set of lookup tables from the ACLs in the configuration; these tables increase the internal memory usage, and in the case of large and complex ACLs, tables containing 2 MB to 4 MB of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this amount of memory usage. The show access-list compiled EXEC command displays the memory overhead of the Turbo ACL tables for each access list.
To configure the Turbo ACL feature, perform the tasks described in the following sections. The task in the first section is required; the task in the remaining section is optional:
•
•
Configuring Turbo ACLs
To enable the Turbo ACL feature, use the following command in global configuration mode:
Verifying Turbo ACLs
Use the show access-list compiled EXEC command to verify that the Turbo ACL feature has been successfully configured on your router. This command also displays the memory overhead of the Turbo ACL tables for each access list. The command output contains the following states:
•
•
•
•
•
The following is sample output from the show access-lists compiled EXEC command:
Router# show access-lists compiledCompiled ACL statistics:12 ACLs loaded, 12 compiled tablesACL State Tables Entries Config Fragment Redundant Memory1 Operational 1 2 1 0 0 1Kb2 Operational 1 3 2 0 0 1Kb3 Operational 1 4 3 0 0 1Kb4 Operational 1 3 2 0 0 1Kb5 Operational 1 5 4 0 0 1Kb9 Operational 1 3 2 0 0 1Kb20 Operational 1 9 8 0 0 1Kb21 Operational 1 5 4 0 0 1Kb101 Operational 1 15 9 7 2 1Kb102 Operational 1 13 6 6 0 1Kb120 Operational 1 2 1 0 0 1Kb199 Operational 1 4 3 0 0 1KbFirst level lookup tables:Block Use Rows Columns Memory used0 TOS/Protocol 6/16 12/16 660481 IP Source (MS) 10/16 12/16 660482 IP Source (LS) 27/32 12/16 1320963 IP Dest (MS) 3/16 12/16 660484 IP Dest (LS) 9/16 12/16 660485 TCP/UDP Src Port 1/16 12/16 660486 TCP/UDP Dest Port 3/16 12/16 660487 TCP Flags/Fragment 3/16 12/16 66048Applying Time Ranges to Access Lists
You can implement access lists based on the time of day and week using the time-range global configuration command. To do so, first define the name and times of the day and week of the time range, then reference the time range by name in an access list to apply restrictions to the access list.
Currently, IP and Internetwork Packet Exchange (IPX) named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. The time-range keyword is referenced in the named and numbered extended access list task tables in the "Creating Standard and Extended Access Lists Using Numbers" section and "Creating Standard and Extended Access Lists Using Names" section. The time-range command is described in the "Performing Basic System Management" chapter of the Cisco IOS Configuration Fundamentals Configuration Guide. See the "Time Range Applied to an IP Access List Example" section for a configuration example of IP time ranges.
Possible benefits of using time ranges include the following:
•
•
–
–
•
•
•
•
Including Comments About Entries in Access Lists
You can include comments (remarks) about entries in any named IP access list using the remark access-list configuration command. The remarks make the access list easier for the network administrator to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements. The standard and extended access list task tables in the "Creating Standard and Extended Access Lists Using Numbers" section and "Creating Standard and Extended Access Lists Using Names" section include the remark command. See the "Commented IP Access List Entry Examples" section for examples of commented IP access list entries.
Remember to apply the access list to an interface or terminal line after the access list is created. See the following section "Applying Access Lists" for more information.
Applying Access Lists
After creating an access list, you must reference the access list to make it work. To use an access list, perform the tasks described in the following sections. The tasks in the first section are required; the tasks in the remaining sections are optional:
•
•
•
Controlling Access to a Line or Interface
After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. This section describes guidelines on how to accomplish this task for both terminal lines and network interfaces. Remember the following:
•
•
To restrict access to a vty and the addresses in an access list, use the following command in line configuration mode. Only numbered access lists can be applied to lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.
To restrict access to an interface, use the following command in interface configuration mode:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Controls access to an interface.
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.
When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.
Controlling Policy Routing and the Filtering of Routing Information
To use access lists to control policy routing and the filtering of routing information, see the "Configuring IP Routing Protocol-Independent Features" chapter in the Cisco IOS IP Configuration Guide.
Controlling Dialer Functions
To use access lists to control dialer functions, refer to the "Preparing to Configure DDR" chapter in the Cisco IOS Dial Technologies Configuration Guide.
Configuration Examples
The following are access list configuration examples.
Numbered Access List Examples
In the following example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the Cisco IOS software would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the software would accept addresses on all other network 36.0.0.0 subnets.
access-list 2 permit 36.48.0.3access-list 2 deny 36.48.0.0 0.0.255.255access-list 2 permit 36.0.0.0 0.255.255.255interface ethernet 0ip access-group 2 inThe following example defines access lists 1 and 2, both of which have logging enabled:
interface ethernet 0ip address 1.1.1.1 255.0.0.0ip access-group 1 inip access-group 2 out!access-list 1 permit 5.6.0.0 0.0.255.255 logaccess-list 1 deny 7.9.0.0 0.0.255.255 log!access-list 2 permit 1.2.3.4 logaccess-list 2 deny 1.2.0.0 0.0.255.255 logIf the interface receives 10 packets from 5.6.7.7 and 14 packets from 1.2.23.21, the first log will look like the following:
list 1 permit 5.6.7.7 1 packetlist 2 deny 1.2.23.21 1 packetFive minutes later, the console will receive the following log:
list 1 permit 5.6.7.7 9 packetslist 2 deny 1.2.23.21 13 packetsTurbo Access Control List Example
The following is a Turbo ACL configuration example. The access-list compiled global configuration command output indicates that Turbo ACL is enabled.
interface Ethernet2/7no ip addressip access-group 20 outno ip directed-broadcastshutdown!no ip classlessip route 192.168.0.0 255.255.255.0 10.1.1.1!access-list compiledaccess-list 1 deny anyaccess-list 2 deny 192.168.0.0 0.0.0.255access-list 2 permit anyImplicit Masks in Access Lists Examples
IP access lists contain implicit masks. For instance, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. Consider the following example configuration:
access-list 1 permit 0.0.0.0access-list 1 permit 131.108.0.0access-list 1 deny 0.0.0.0 255.255.255.255For this example, the following masks are implied in the first two lines:
access-list 1 permit 0.0.0.0 0.0.0.0access-list 1 permit 131.108.0.0 0.0.0.0The last line in the configuration (using the deny keyword) can be left off, because IP access lists implicitly deny all other access. Leaving off the last line in the configuration is equivalent to finishing the access list with the following command statement:
access-list 1 deny 0.0.0.0 255.255.255.255The following access list only allows access for those hosts on the three specified networks. It assumes that subnetting is not used; the masks apply to the host portions of the network addresses. Any hosts with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255access-list 1 permit 128.88.0.0 0.0.255.255access-list 1 permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)To specify a large number of individual addresses more easily, you can omit the address mask that is all 0s from the access-list global configuration command. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3access-list 2 permit 36.48.0.3 0.0.0.0Extended Access List Examples
In the following example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255interface ethernet 0ip access-group 102 inFor another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the router always will be accepting mail connections on port 25 is what makes possible separate control of incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.
In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25interface ethernet 0ip access-group 102 inNamed Access List Example
The following configuration creates a standard access list named Internet_filter and an extended access list named marketing_group:
interface Ethernet0/5ip address 2.0.5.1 255.255.255.0ip access-group Internet_filter outip access-group marketing_group in...ip access-list standard Internet_filterpermit 1.2.3.4deny anyip access-list extended marketing_grouppermit tcp any 171.69.0.0 0.0.255.255 eq telnetdeny tcp any anypermit icmp any anydeny udp any 171.69.0.0 0.0.255.255 lt 1024deny ip any any logIP Extended Access List with Fragment Control Example
The first statement will match and deny only noninitial fragments destined for host 1.1.1.1. The second statement will match and permit only the remaining nonfragmented and initial fragments that are destined for host 1.1.1.1 TCP port 80. The third statement will deny all other traffic. In order to block noninitial fragments for any TCP port, we must block noninitial fragments for all TCP ports, including port 80 for host 1.1.1.1.
access-list 101 deny ip any host 1.1.1.1 fragmentsaccess-list 101 permit tcp any host 1.1.1.1 eq 80access-list 101 deny ip any anyTime Range Applied to an IP Access List Example
The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m. on IP. The example allows UDP traffic on Saturday and Sunday from noon to 8:00 p.m. only.
time-range no-httpperiodic weekdays 8:00 to 18:00!time-range udp-yesperiodic weekend 12:00 to 20:00!ip access-list extended strictdeny tcp any any eq http time-range no-httppermit udp any any time-range udp-yes!interface ethernet 0ip access-group strict inCommented IP Access List Entry Examples
In the following example of a numbered access list, the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation throughaccess-list 1 permit 171.69.2.88access-list 1 remark Do not allow Smith workstation throughaccess-list 1 deny 171.69.3.13In the following example of a numbered access list, the Winter and Smith workstations are not allowed to browse the web:
access-list 100 remark Do not allow Winter to browse the webaccess-list 100 deny host 171.69.3.85 any eq httpaccess-list 100 remark Do not allow Smith to browse the webaccess-list 100 deny host 171.69.3.13 any eq httpIn the following example of a named access list, the Jones subnet is not allowed access:
ip access-list standard preventionremark Do not allow Jones subnet throughdeny 171.69.0.0 0.0.255.255In the following example of a named access list, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnettingremark Do not allow Jones subnet to telnet outdeny tcp 171.69.0.0 0.0.255.255 any eq telnetSaving Configuration Changes
To prevent the loss of the router configuration, save it to NVRAM.
Verifying the Configuration
To verify the configuration of the MWR 1941-DC, enter the following command:
MWR1941-1#show running-configversion 12.2service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname cellsite_router1!logging queue-limit 100enable secret 5 $1$7w/U$C10zHvVw9lD8OOCAoKBKN.!memory-size iomem 25clock timezone EST -5!redundancymode y-cablestandalone!ip subnet-zero!!ip cefno ip domain lookupip host bizarre 64.102.16.25ip host ax 172.18.28.222!ip dhcp-server 3.0.0.1ip dhcp-server 5.0.0.7multilink bundle-name bothframe-relay switching!no voice hpi capture bufferno voice hpi capture destination!mta receive maximum-recipients 0!controller E1 0/0clock source internalchannel-group 0 timeslots 1-3tdm-group 1 timeslots 4-31!controller E1 0/1clock source internaltdm-group 1 timeslots 4-31!controller T1 0/3framing esflinecode b8zschannel-group 0 timeslots 1-24 speed 64!controller T1 0/2framing esfclock source internallinecode b8zschannel-group 0 timeslots 1-24 speed 64!class-map match-all voice-classmatch protocol rtpclass-map match-all nm-classmatch protocol snmpmatch protocol syslogclass-map match-all data-classmatch protocol telnetmatch protocol ftpmatch protocol http!policy-map protoclass nm-classbandwidth percent 20queue-limit 300class data-classbandwidth percent 40queue-limit 300class voice-classbandwidth percent 40queue-limit 300!interface FastEthernet0/0ip address 172.18.28.202 255.255.255.128ip helper-address 99.1.1.2no ip mroute-cachespeed 100full-duplex!interface Serial0/0:0description backhaul interfaceip address 4.0.0.8 255.0.0.0no ip proxy-arpmax-reserved-bandwidth 100service-policy output protoencapsulation pppip tcp header-compression iphc-formatip tcp compression-connections 256load-interval 30no keepaliveip rtp header-compression iphc-formatip rtp compression-connections 256!interface FastEthernet0/1ip address 100.0.0.2 255.0.0.0ip helper-address 3.0.0.1no ip proxy-arpno ip mroute-cacheload-interval 30speed 100full-duplexno cdp enable!interface Serial0/2:0ip address 44.0.0.2 255.255.255.0encapsulation ppp!interface Serial0/3:0ip address 55.0.0.2 255.255.255.0encapsulation pppshutdown!interface Serial0/4no ip addressshutdownclockrate 125000!interface Serial0/5no ip addressshutdownclockrate 125000!interface Serial1/0ip address 99.1.1.1 255.0.0.0ip helper-address 99.1.1.2ip helper-address 172.18.61.23no ip mroute-cache!ip http serverip classlessip route 0.0.0.0 0.0.0.0 172.18.28.129ip route 4.0.0.8 255.255.255.255 Serial1/0ip route 23.0.0.0 255.255.255.0 4.0.0.9ip route 125.0.0.0 255.255.255.0 4.0.0.9ip route 126.0.0.0 255.255.255.0 2.0.0.7ip route 129.0.0.0 255.255.255.0 126.0.0.10ip route 172.18.28.204 255.255.255.255 Serial1/0ip route 200.0.0.0 255.255.255.0 4.0.0.9!logging 172.18.61.23access-list 151 permit icmp host 1.1.1.1 host 23.0.0.7access-list 151 permit icmp host 31.0.0.7 host 23.0.0.7access-list 151 permit icmp host 10.0.0.7 host 23.0.0.7access-list 151 permit tcp host 31.0.0.7 eq telnet host 23.0.0.7 gt 1024access-list 151 permit tcp host 31.0.0.7 eq ftp host 23.0.0.7 gt 1024access-list 151 permit tcp host 31.0.0.7 eq www host 23.0.0.7 gt 1024access-list 151 permit udp host 1.1.1.1 eq snmp host 23.0.0.7 gt 1024access-list 151 permit udp host 1.1.1.1 eq syslog host 23.0.0.7 gt 1024access-list 151 permit udp host 10.0.0.7 gt 16000 host 23.0.0.7 gt 1024access-list 151 permit tcp host 31.0.0.7 eq ftp-data host 23.0.0.7 gt 1024access-list 151 permit udp host 1.1.1.1 eq snmptrap host 23.0.0.7 gt 1024connect TDM E1 0/0 1 E1 0/1 1!!tftp-server nvram:/startup-configsnmp-server community public ROsnmp-server community private RWsnmp-server enable traps snmp authentication linkdown linkup coldstart warmstartsnmp-server enable traps ttysnmp-server enable traps isdn call-informationsnmp-server enable traps isdn layer2snmp-server enable traps isdn chan-not-availsnmp-server enable traps isdn ietfsnmp-server enable traps hsrpsnmp-server enable traps configsnmp-server enable traps entitysnmp-server enable traps envmonsnmp-server enable traps ds0-busyoutsnmp-server enable traps ds1-loopbacksnmp-server enable traps bgpsnmp-server enable traps ipmulticastsnmp-server enable traps msdpsnmp-server enable traps rsvpsnmp-server enable traps frame-relaysnmp-server enable traps frame-relay subifsnmp-server enable traps rtrsnmp-server enable traps syslogsnmp-server host 172.18.61.23 public!alarm-interface 1ip address 99.1.1.2call rsvp-sync!!line con 0exec-timeout 0 0line 33session-timeout 1flush-at-activationno exectransport preferred nonetransport input telnettransport output nonestopbits 1line aux 0line vty 0 4password lablogin!end
Monitoring and Managing the MWR 1941-DC Router
There are several methods you can use to remotely manage the MWR 1941-DC router and attached devices at the cell site. Examples of these methods include using CiscoWorks2000 for Mobile Wireless (CW4MW) and Telnet.
To enable remote network management of the MWR 1941-DC using CW24MW, do the following:
Step 1
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#Step 2
Router(config)# ip host hostname ip_addressWhere hostname is the name assigned to the Operations and Maintenance (O&M) workstation and ip_address is the address of the network management workstation.
Step 3
Router(config)# interface loopback numberRouter(config-if)# ip address ip_address subnet_maskStep 4
Router(config-if)# exitStep 5
Router(config)# snmp-server host hostname [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]Where hostname is the name assigned to the CW4MW workstation with the ip host command in Step 2.
Step 6
Router(config)# snmp-server community public RORouter(config)# snmp-server community private RWStep 7
Router(config)# snmp-server enable trapsStep 8
Router(config)# snmp-server trap-source loopback numberWhere number is the number of the loopback interface you configured for the O&M in Step 3.
Step 9
Step 10
Router# copy running-config startup-config
Show Commands for Monitoring the MWR 1941-DC
To monitor and maintain the MWR 1941-DC router, use the following commands:
Where to Go Next
At this point you can proceed to the following:
•
•
•
