This document contains questions and answers in the following categories:
• Product descriptions and positioning
• General software features
• Security features
• Hardware features
• DSL features
• Wireless features
Product Descriptions and Positioning
Q. What are the Cisco® 870 and Cisco 850 Series Integrated Services Router models? What current models do they compare to?
A. The Cisco 870 and Cisco 850 Series Integrated Services Routers are fixed-configuration routers that provide highly secure, concurrent services over broadband connections in small remote offices, teleworker, and small business sites. Tables 1 and 2 show the new models and the corresponding existing but now end-of-sale models in the Cisco 830 and SOHO 90 Series.
Table 1. Cisco 870 Series Models
10/100 Fast Ethernet
4-port managed switch
Asymmetric DSL (ADSL) over ISDN
4-port managed switch
ADSL over basic telephone service
4-port managed switch
ADSL over basic telephone service, annex M support
4-port managed switch
Symmetrical High-Data-Rate DSL (G.SHDSL) (4-wire)
4-port managed switch
Table 2. Cisco 850 Series Models
10/100 Fast Ethernet
ADSL over basic telephone service
Q. What is the difference between Cisco 870 Series and Cisco 850 Series routers?
A. Cisco 870 Series routers are ideal for small offices, recommended for up to 20 users or teleworker sites where high-quality voice/video over IP and reliable connectivity using backup WAN links are required, in addition to secure access. Cisco 870 Series routers offer:
• High performance for broadband access in small offices
• Enhanced security, including:
– Stateful Inspection Firewall
– IP Security (IPsec) VPNs (Triple Data Encryption Standard [3DES] or Advanced Encryption Standard [AES]) as well as Dynamic Multipoint VPN (DMVPN) and Tunnel-less Group Encrypted Transport (GETVPN)
– Intrusion prevention systems
• Advanced quality of service (QoS)
• Four-port 10/100 managed switch with VLAN support
• Secure WLAN 802.11b/g option with use of multiple antennas
• Easy setup and deployment through Web-based tools and remote management capabilities through Cisco IOS® Software
• Power over Ethernet (PoE) support (optional external adapter for inline power) for IP phones or external wireless access points
Cisco 850 Series routers are targeted at small offices, recommended for up to 10 users or teleworker sites where only secure and affordable access is needed. Cisco 850 Series routers offer:
• Secure connectivity with Stateful Inspection Firewall and IPsec VPN support for small offices
• 4-port 10/100 switch
• Basic quality of service (QoS)
• Secure WLAN 802.11b/g option with a single fixed antenna
• Easy setup and deployment and remote management capabilities through Web-based tools and Cisco IOS Software
Due to the lack of advanced security and QoS features, the 850 series is not supported for voice deployments.
Q. How do Cisco 870 Series routers compare with Cisco 830 Series routers?
A. Major additions that differentiate the Cisco 870 Series include improved performance for both clear text and IPsec, integrated 802.11b/g wireless capabilities, and VLAN support. Universal Serial Bus (USB) ports have also been added (to Cisco 871 routers only) for security token support. An optional PoE external adapter for IP phones or external wireless access points is available. Most features found in the Cisco 830 Series are available in the Cisco 870 Series, making it easy for customers to migrate.
Q. How do Cisco 850 Series routers compare with Cisco SOHO 90 Series routers?
A. The Cisco 850 Series improves performance and adds an option for integrated 802.11b/g WLANs. Most features found in the Cisco SOHO 90 Series will be found in the Cisco 850 Series, for easy migration.
Q. When will the end of sale of Cisco 830 Series and SOHO 90 Series routers be announced?
A. The End of Sale announcment for the Cisco SOHO 90 and the Cisco 830 Series products took place June 30, 2006. The last date for shipping will be September 29, 2007.
Q. Are there any migration issues that the customers should keep in mind when moving to new platforms?
A. Cisco has designed the new platforms for smooth migration. All features from old platforms have been retained, and new features have been added to provide more value to customers.
Q. How do these platforms compare to Linksys® products?
A. Cisco small-office routers offer advanced security and manageability compared to Linksys routers. Cisco products are sold to small to large businesses and service providers and are used for small-office and teleworking applications. Linksys products are sold to consumers and small office/home office (SOHO) customers. They do not incorporate the advanced features for security and manageability that are required when connecting small offices to larger networks as part of managed applications. Linksys products are offered from a separate division of Cisco and do not offer the same service and support that many enterprise, commercial, and service provider customers require.
Q. Are there any replacement models for Cisco SOHO 96, Cisco SOHO 78, and Cisco 827-4V routers?
For the Cisco SOHO 96 and Cisco SOHO 78 routers, customers can consider migrating to the Cisco 876 and 878 routers, respectively.
Platform Software Features
Q. What Cisco IOS Software feature set options are offered on Cisco 870 Series and Cisco 850 Series routers?
A. The Cisco 870 Series has three feature set options. Table 3 provides details for some of the main categories of feature differentiation. Please refer to the 870 series datasheet for more details.
Table 3. Cisco IOS Software Features for Cisco 870 Series Routers
Advanced Security Software Image (Default Image)
Advanced IP Services Cisco IOS Software Image
Advanced Enterprise Cisco IOS Software Image (ISDN Backup) on Cisco 876 Only
Group Encrypted Transport VPN (GET VPN)
Routing Protocols (Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], and Border Gateway Protocol [BGP])
Advanced QoS Features Like Class-Based Classification/Marking using DSCP, Class-Based Weighted Random Early Detection (CBWRED), Network-Based Address Recognition (NBAR), Link Fragmentation and Interleaving (LFI), Resource Reservation Protocol (RSVP), Priority and Custom Queuing
Intelligent Protection Switching (IPS)/Intrusion Detection System (IDS)
The Cisco 850 Series has only one feature-set option, which includes Stateful Inspection Firewall, IPsec, and basic QoS features. Please refer to the 850 series datasheet for more details.
Wireless capability is available across all feature sets of the wireless models in the Cisco 870 Series and 850 Series.
Q. Is there a limit to the number of users supported by Cisco 870 Series and 850 Series routers?
A. No. The Cisco 870 Series is recommended for up to 20 users and the Cisco 850 Series is recommended for up to 10 users.
Q. What is Dynamic Domain Name System (DDNS)?
A. DDNS updates make sure that even dynamically assigned IP addresses are associated with an IP host DNS name. This feature enables routers and hosts on the LAN to be accessible through a DNS name. Both the Cisco 870 Series and the Cisco 850 Series support this feature.
Q. Is L2TPv3 supported on the Cisco 850 and 870 Series
A. Since the Cisco 850 Series and Cisco 870 Series have only a single WAN interface and SVI will be required to implement L2TPv3. L2TPv3 can be supported using the SVI interface starting with IOS release 12.4(20)T. This feature is not supported on the 850 series.
Q. What Web-based or GUI tools are available for the platforms?
A. The Cisco 870 Series and 850 Series support the Cisco Router and Security Device Manager (SDM) tool for easy router setup. They are also supported by Cisco Configuration Professional, the next generation device manager. Please refer to the Cisco Configuration Professional datasheet for more details and minimum platform IOS requirements.
Q. Is there any other network management application supported by the Cisco 870 Series and Cisco 850 Series?
A. Yes. CiscoWorks applications, including CiscoView Resource Manager Essentials and Web-based network and device management applications, installed on a dedicated CiscoWorks server, can be used to manage the Cisco 850 Series and 870 Series. CiscoView can be used to view graphical representations of front and back device panels, configure parameters, and monitor real-time statistics for device performance and resource utilization. Resource Manager Essentials provides tools to support inventory management, device configuration, and software image updates; audit changes in the network; and analyze syslog messages .
The Cisco 850 Series and Cisco 870 Series are also supported by a suite of security management tools including Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). Together, these tools allow users to centrally provision firewall, VPN, IPS, and other features and to monitor the network to identify, manage, and counter security threats.
Q. Can the CiscoView client and Cisco SDM/CCP coexist on the same workstation to manage the Cisco devices?
A. Yes. Cisco SDM and CiscoView client interfaces can coexist on the same workstation: Cisco SDM can be used primarily for router and security feature configuration, and CiscoView can be used for real-time display of the physical router status and for Simple Network Management Protocol (SNMP)-based device monitoring.
Q. How do you set the router back to its factory default settings?
A. To set the router back to its factory defaults, you can either use Cisco SDM or you can go into the Cisco IOS Software CLI and do a "write erase" on the router itself, or grab the factory default configuration from Cisco Configuration Express. In addition, when the reset button is pressed within 5 seconds of the boot up and there is a valid xxx.cfg file in the flash, the router boots up with the xxx.cfg file and avoids the startup-config file in NVRAM.
Q. Is hardware-based encryption available on Cisco 870 Series and Cisco 850 Series routers?
A. Yes. Hardware-assisted IPsec 3DES and AES encryption is available on both the Cisco 870 Series and Cisco 850 Series routers. Cisco 870 Series routers have superior performance compared to the Cisco 850 Series, including encryption speed.
Q. What VPN features do the platforms support?
A. The hardware-accelerated IPsec VPN feature is available on both the Cisco 870 Series and the Cisco 850 Series. Encryption algorithms DES, 3DES, and AES are supported. In addition, the Cisco 870 Series supports Dynamic Multipoint VPN (DMVPN), Tunnel-lessGroup Encrypted Transport VPN (GET), and Easy VPN.
Q. What intrusion prevention features are supported on the platforms?
A. Cisco 870 Series routers with the Advanced IP Services feature set support the Cisco IOS Intrusion Prevention System (IPS) feature. Cisco IOS IPS is an inline, deep-packet inspection-based feature that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. As a core facet of the Cisco Self-Defending Network, Cisco IOS IPS enables the network to defend itself with the intelligence to accurately identify, classify, and stop or block malicious or damaging traffic in real time. For more information on Cisco IOS IPS support, visit http://www.cisco.com/en/US/products/ps6634/products_ios_protocol_group_home.html. The Cisco 850 Series does not support the IPS features.
Q. Do the platforms support transparent Cisco IOS Firewall?
A. Yes. Transparent Cisco IOS Firewall is supported only on the Cisco 870 Series routers.
Q. Do the platforms support Zone Based Cisco IOS Firewall?
A. Zone-Based Cisco IOS Firewall is supported only on the Cisco 870 Series routers.
Q. Do the Cisco 870 Series and Cisco 850 Series support 802.1x on the switch ports (that is, Fast Ethernet 0-3)?
A. Starting with Cisco IOS Software Release 12.4(11)T, the Cisco 870 series supports 802.1x VLAN Assignment, 802.1x Guest VLAN, 802.1x Spouse & Kids (on the SVI), and 802.1x with VVID.
The Cisco 850 Series does not support 802.1x on the switch ports.
Q. What does the integrated 10/100 switch provide?
A. All models have an integrated 10/100 four-port switch. The Cisco 870 Series provide a managed switch with up to four 802.1Q VLANs in addition to a default VLAN; each switch port could be assigned to a different VLAN as desired. Beside the capability to set the speed/duplex capabilities on the switch ports, switch port monitoring (SPAN) and IGMP Snooping is also supported.
The Cisco 850 Series has a partially managed switch providing the ability to set the speed and duplex capabilities on switch ports, the ability to shut/unshut switch ports, and SNMP management. But VLANs are configurable only on the Cisco 870 Series and not the Cisco 850 Series.
Q. How is demilitarized zone (DMZ) functionality supported on the Cisco 870 Series?
A. On Cisco 870 Series routers, traffic separation can be achieved using VLANs.
Q. What is the USB port of the Cisco 871 Integrated Services Router used for?
A. The USB port supports holding removable security credentials. USB memory drives can also hold router configuration information. This is not a general-purpose USB port to connect external devices to the router, and the router does not carry drivers to support additional functions.
Q. Do the Cisco 870 Series and 850 Series support dial backup and out-of-band management?
A. The Cisco 870 Series supports both dial backup and out-of-band management on its virtual auxiliary port with an external modem connected to it. The Cisco 876 router has an ISDN S/T port for ISDN dial backup and out-of-band management. The Cisco 878 has an ISDN S/T port for out-of-band management only in addition to its virtual auxiliary port. The Cisco 850 Series does not support dial backup but does support out-of-band management on its virtual auxiliary port.
Q. Can you explain the virtual auxiliary port function?
A. On Cisco 870 Series routers, the console port supports modem control signals. By connecting an external modem to this port, this interface can be used for out-of-band remote management of the router or as a backup WAN interface. An optional RJ-45 to DB-25 male straight-through cable is available as an orderable option to connect modems to this port. A limited set of modems and terminal adapters has been tested, but any Hayes-compatible modem or terminal adapter can be used to connect to this port. The console port will behave like a standard Cisco auxiliary (AUX) port if configured as such and can provide bit rates up to 115.2 kbps.
The Cisco 850 Series supports only out-of-band management with this feature.
Q. Is it possible to upgrade a nonwireless model to support wireless?
A. No, a nonwireless model can never be upgraded to support wireless. The Cisco 870 Series and Cisco 850 Series have two separate versions, a wireless model and a nonwireless model.
Q. What is the use of the reset button on Cisco 870 and 850 Series routers?
A. The reset button is used to restore the router to the default factory settings if pressed within 5 seconds of router power up. In line with this implementation, the following scenarios are possible:
• The router will not react to the reset button if pressed after the 5 seconds of power up.
• When the reset button is pressed within 5 seconds of boot up and there is no valid xxx.cfg file in the flash memory, the router boots up with the factory defaults.
• When the reset button is pressed within 5 seconds of boot up and there is a valid xxx.cfg file in the flash, the router boots up with the xxx.cfg file and avoids the startup-config file in NVRAM.
Q. What are the DSL models in the Cisco 800 Integrated Services Routers?
A. Cisco 870 Series and Cisco 850 Series support ADSL over analog telephone lines (Cisco 877 and Cisco 857), ADSL over analog telephone lines with annex M support (Cisco 877M), ADSL over ISDN (Cisco 876), and G.SHDSL (Cisco 878). Customers can choose the router models based on the DSL technologies they intend to deploy.
Q. Do the platforms support ADSL2/2+?
A. The Cisco 857, 876, 877 and 877M routers support ADSL2/2+ standards.
Q. What DSL chipset is used on Cisco 870 Series and Cisco 850 Series routers?
A. The Cisco 870 Series and Cisco 850 Series routers use the ST Micro (previously known as Alcatel Microelectronics) MTK20196 chipset. The Cisco SOHO 90 and Cisco 830 Series routers use the ST Micro MTK20150 chipset.
Q. What's the difference between the Cisco 877 and Cisco 877M?
A. Cisco 877M provides annex M support with the MTK20196P chipset. Cisco 877 can not be upgraded to provide annex M support.
Q. What is Annex-M?
A. Annex-M is an enhancement of the G.992.3 standard that doubles the upstream bandwidth by `borrowing' 32 additional tones from the downstream frequency range. This feature enables service providers to provision symmetric data rates for ADSL2 and ADSL2+ services with data rates up to 2Mbps. The achievable upstream rates are a function of loop length and specific DSLAM Annex-M implementation.
Q. What does the term "mask" imply in Annex-M?
A. The mask refers to the submode power spectral density (PSD) mask applicable for Annex-M. Service providers use the mask to minimize the cross-talk between adjacent pairs to an acceptable level. G.992.3 specifies the masks, as shown in Table 4.
Table 4. Annex-M Masks
Upstream Mask Number
Cutoff Frequency f1 (kHz)
Q. What mask does Cisco 877M support?
A. Cisco 877M is optimized for Mask M-9. It can operate in other masks, but the performance may be lower than a CPE that is optimized for that mask.
Q. Does Cisco 877M support the PSD mask required to comply with the Annex M standards in the United Kingdom?
A. With ADSL firmware version 4.0.17, Cisco 887M supports UK Annex M only with Huawei 5300 DSLAM and its EADB linecard.
Q. What is INP?
A. INP stands for Impulse Noise Protection. Support for INP allows the CPE to provide error-correction capability for impulse noise. The unit for this parameter is in number of symbols. Support for up to 16 symbols is provided by an amendment to the original G.992.5 standard and is referred to as extended INP function (G992.5-addemdum II edited on May 2005). Support for optional INP capability of at least 16 DMT symbols (INP = 16) protects against impulse noise of up to 4 milliseconds. Increasing the INP also increases the latency.
Q. Does the Cisco 870 and 850 series support extended INP functions?
A. All the platforms support INP, but only Cisco 877M supports the extended INP functions.
Q. What do I need to know about INP support on the Cisco 870 and 850 series?
A. With Cisco 877 and Cisco 857, customers may experience lower than expected downstream rate when INP is enabled on the DSLAM. This is due to a limitation with the MTK20196 chipset. This issue is addressed with the Cisco 877M platform, using the newer MTK20196P chipset.
Q. Briefly explain the G.SHDSL features that Cisco 878 routers support?
A. The Cisco 878 G.SHDSL router supports symmetrical data rate of up to 2.304 Mbps over a single copper pair, and up to 4.608 Mbps over two copper pairs. The G.SHDSL link can be established with a DSLAM, or via back-to-back operation. In back-to-back operation, one side must be designated as the central office device. The Cisco 878 platform also supports wetting/sealing current and dying gasp to notify the central office on local power loss, as well as Rate Adaptation with either DSLAM or back-to-back connections.
Q. Is there a way to load different firmware apart from that embedded with the Cisco IOS Software?
A. Yes. This option is available for the ADSL platforms (857, 876, 877, and 877M) to allow independent ADSL firmware upgrade to resolve ADSL interoperability related issues. There's no need to upgrade Cisco IOS software when the issue can be resolved with a different version of firmware.
Q. What wireless standards are supported on Cisco 870 Series and 850 Series routers?
A. The 802.11b/g standards are available on these routers; 802.11a is not available on the routers.
Q. Is VLAN capability available for the WLAN on the new models?
A. VLAN is available on WLANs for both the Cisco 870 and Cisco 850 Series with the default image (Advanced Security feature set).
Q. Are 802.11g access points backward-compatible to support both 802.11b and 802.11g?
A. Yes. The 802.11g access points are backward-compatible to support both 802.11b and 802.11g client devices.
Q. How do Cisco 870 Series and 850 Series wireless routers compare with Cisco Aironet® wireless products?
A. The optional WLAN features on Cisco 870 Series and 850 Series routers incorporate access, security, and wireless in a single device for the small office. Only wireless features relevant to environments that require a single access point are supported. These routers do not support bridging or repeater functionality. The integrated access points in the Cisco integrated services routers do not support the Light Weight Access Point Protocol (LWAPP) and therefore are not supported by the Cisco Wireless LAN Controllers nor the Cisco Wireless Controller System (WCS).
Q. What software is used to configure the integrated 802.11 access points?
A. The software used to configure the access points in the Cisco 870 Series and 850 Series is either Cisco SDM, Cisco Configuration Professional, CiscoWorks LAN Management Solution, or the Cisco IOS Software command-line interface (CLI).
Q. Are the Cisco 870 Series and Cisco 850 Series part of the Unified Wireless Network?
Q. What is the default user name and password for integrated access points in Cisco 870 Series and 850 Series routers?
A. There is no default user name and password for the access points integrated in Cisco 870 Series and 850 Series routers. The access point is fully integrated with the 850 and 870 series platforms. It is treated as a separate physical interface by these platforms.
Q. How do you extend access point coverage?
A. To extend the coverage of integrated access points in the Cisco 870 Series, customers can choose from different externally mounted antennas to allow the router to be located in one area (such as behind a counter) while coverage can be focused and extended to other areas (such as wall or ceiling placement). The Cisco 850 Series only has a single, fixed antenna connected directly to the router; there are no antenna options.
Q. Can two external antennas be used to cover two radio cells (for example, antenna 1 for cell 1 and antenna 2 for cell 2)?
A. No. The external antennas are used in tandem to create more coverage and diversity. You should use the VLAN capability to separate traffic.
Q. At what frequency do the integrated access points communicate?
Q. What is a WEP key? What are the security issues associated with WEP and how are they overcome?
A. WEP is the encryption algorithm built into the 802.11 (Wi-Fi) standard. WEP encryption uses the RC4 Stream Cipher with 40- or 104-bit keys and a 24-bit initialization vector.
The security issues with WEP are as follows:
• There is a great deal of administrative overhead maintaining a shared WEP key.
• WEP has the same problem as all systems based on shared keys. Any secret given to one person becomes public after a period of time.
• The initialization vector that seeds the WEP algorithm is sent in clear text.
• The WEP checksum is linear and predictable.
The collection of enhancements added to WEP to address the above-listed issues is called Temporal Key Integrity Protocol (TKIP).
Like WEP, TKIP uses Ron's Code 4 (RC4) encryption. However, TKIP enhances WEP by adding measures such as per packet key hashing, Message Integrity Check (MIC), and broadcast key rotation to address known vulnerabilities of WEP.TKIP uses RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication.
Q. How can you recover forgotten passwords?
A. To recover forgotten WEP passwords you must go into the access point portion of the router using the Cisco IOS Software CLI or the Cisco SDM graphical interface and change the WEP password.
Q. How many clients can associate to the unit?
A. It is recommended that each router associate only as many clients as each router will support in the number of simultaneous users. With Cisco 870 Series routers, the recommendation is up to 20 clients; with the Cisco 850 Series, the recommendation is up to 10 clients.
Q. What is the typical range for an access point?
A. The 802.11b basic range is 50 to 100 feet, and there is a 300-foot maximum. Within a typical office environment, most access points can provide good wireless coverage up to 150 feet. The 802.11b standard uses the same radio signaling frequency-2.4 GHz-as the original 802.11 standard. Being an unregulated frequency, 802.11b gear can incur interference from microwave ovens, cordless phones, and other appliances using the same 2.4 GHz range. However, by installing 802.11b gear a reasonable distance from other appliances, interference can easily be avoided.
The 802.11g standard attempts to combine the best of 802.11a and 802.11g. The 802.11g standard supports bandwidth up to 54 Mbps, and it uses the 2.4 GHz frequency for greater range. The 802.11g standard is backward compatible with 802.11b, meaning that 802.11g access points will work with 802.11b wireless network adapters and vice versa.
Q. Are Cisco 800 Series Integrated Services Routers and their integrated access points interoperable with the Cisco Aironet 340, 350, 1100, and 1200 Series products?
A. Yes. The Cisco 800 Series Integrated Services Routers are interoperable with the other Cisco wireless products and Wi-Fi certified products. The routers will always work in Root AP mode and do not support Wireless Uplink to another AP.
Q. Do the integrated access points in the Cisco 800 Series Integrated Services Routers support LEAP?
A. Yes. When you use LEAP, you should specify the same port number for the access control server (ACS) that you would use to associate with RADIUS. The default ports for RADIUS are 1645 and 1646.
Q. What are the settings that can be configured for each SSID?
A. Following is the list of settings:
• Client authentication method
• Maximum number of client associations using the SSID
• Radius accounting for traffic using the SSID
• Guest mode
Q. Do the integrated access points in the Cisco 800 Series Routers support local survivable authentication?
A. Yes. The access point can authenticate wireless client devices using LEAP, EAP-FAST, or MAC-based authentication. The access point performs up to five authentications per second.
Q. Is there a separate wireless feature set for Cisco 870 Series and Cisco 850 Series wireless models?
A. No separate Cisco IOS Software feature sets are required.
Q. What is Universal Client Mode?
A. Universal Client Mode allows the AP in the 870 Series to be configured as a wireless client that can connect to an 802.11b/g WLAN. The router can then utilize this wireless link to connect wired devices to the wireless LAN. An example is using an outdoor wireless mesh network offered by a service provider. This 802.11b/g network can be used as a WAN link for wired devices sitting behind the router. Note: Cisco 850 does not support Universal Client Mode.
Q. What are the performance characteristics of the Cisco 870 Series and Cisco 850 Series Integrated Services Routers?
A. Aggregate performance with IPsec 3DES for the Cisco 870 Series is up to 8 Mbps with IMIX packets, and up to 30 Mbps with 1400-byte packets.
Aggregate performance with IPsec 3DES for the Cisco 850 Series is up to 4 Mbps with IMIX packets, and up to 8 Mbps with 1400-byte packets.