This chapter includes several network scenarios and their configurations for the Cisco 806 router. This chapter is useful if you are building a new network and want some guidance. If you already have a network set up and you want to add specific features, see "Feature-by-Feature Router Configurations."
The following scenarios are included:
•Small Office/Telecommuter with Basic Security
•Small Office/Telecommuter with Business-Class Security
•Small Office/Telecommuter with Business-Class Security and Enterprise Applications
Each scenario is described in this chapter; a network diagram and configuration network examples are provided as models on which you can pattern your network. They cannot, however, anticipate all of your network needs. You can choose not to use features presented in the examples, or you can choose to add or substitute features that better suit your needs.
Note When you configure Ethernet interfaces, be aware that Ethernet 0 is the interface for hubbed ETHERNET ports 1 through 4, which support the local area network (LAN) on the premises, and Ethernet 1 is the interface for the INTERNET ETHERNET port.
Figure 2-1 shows how the Cisco 806 router can be used in a virtual private network (VPN). The Cisco 806 router is linked to the Internet service provider (ISP) via a digital subscriber line (DSL) or a cable modem. Security is provided via IP security (IPSec) configuration.
Figure 2-1 Virtual Private Network
The following topics are covered in this section:
•Configuring Internet Protocol Parameters
•Configuring a Generic Routing Encapsulation Tunnel Interface
•Configuring the Ethernet Interfaces
To configure additional features for this network, see "Feature-by-Feature Router Configurations."
Perform the following tasks to configure Internet Protocol (IP) parameters, starting in global configuration mode.
Use the access-list command to create an access list that permits the GRE protocol, and that specifies the starting and ending IP addresses of the GRE tunnel. Use the following syntax:
access-list 101 permit gre host ip-address host ip-address
In the preceding command line, the first host ip-address specifies the tunnel starting point, and the second host ip-address refers to the tunnel end point.
Perform the following tasks to configure IPSec, starting in global configuration mode.
Perform the following tasks to configure generic routing encapsulation (GRE) tunnel interface, starting in global configuration mode.
Perform the following tasks to configure the Ethernet 0 and Ethernet 1 interfaces, starting in global configuration mode.
Perform the following tasks to configure static routes, starting in global configuration mode.
This sample configuration shows IPSec being used over a GRE tunnel. You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
version 12.2
no service single-slot-reload-enable
no service pad (default)
service timestamps debug uptime (default)
service timestamps log uptime (default)
no service password-encryption (default)
!
hostname 806-uut1
!
logging rate-limit console 10 except errors
no logging console
enable password lab
!
username 3620-1 password 0 testme
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 140.10.10.6
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address Ethernet1
crypto map mymap 10 ipsec-isakmp
set peer 140.10.10.6
set transform-set myset
match address 101
!
!
!
interface Tunnel0
ip address 11.0.0.1 255.0.0.0
tunnel source Ethernet1
tunnel destination 140.10.10.6
crypto map mymap
!
interface Ethernet0
ip address 192.168.2.100 255.255.255.0
!
interface Ethernet1
ip address 140.10.10.5 255.255.255.0
crypto map mymap
!
ip classless (default)
ip route 140.10.10.0 255.255.255.0 Ethernet1
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 140.10.10.6
ip http server (default)
!
access-list 101 permit gre host 140.10.10.5 host 140.10.10.6
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
password lab
login
!
scheduler max-task-time 5000
end
Figure 2-2 shows how the Cisco 806 router can be used to provide basic security to users in a small office or to a single telecommuter. The router is either connected to an xDSL modem or to a cable modem that has a connection to an ISP. The router is configured to provide private IP addresses to the devices connected to it, fast switching services, and basic security in the form of access lists and virtual private networking. The router uses Point-to-Point Protocol (PPP) over Ethernet, enabling the computer systems connected to the router to continue to use PPP to connect to the ISP. Private addressing for devices on the premises is provided by network address translation (NAT).
Figure 2-2 Small Office/Telecommuter with Basic Security Configuration
The following topics are covered in this section:
•Configuring the IP Parameters
•Configuring Dynamic Host Configuration Protocol Parameters
•Configuring a Virtual Private Dial-Up Network
•Configuring the Ethernet Interfaces
•Configuring the Dialer Interface
To configure additional features for this network, see "Feature-by-Feature Router Configurations."
Perform the following tasks to configure IP parameters, starting in global configuration mode.
Perform the following tasks to configure Dynamic Host Configuration Protocol (DHCP), starting in global configuration mode.
Complete the following tasks to configure a virtual private dial-up network (VPDN), starting in global configuration mode.
Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.
Complete the following tasks to configure the dialer interface, starting in global configuration mode.
The following steps configure an access list that allows the user to run any Transmission Control Protocol (TCP) application while blocking all other applications.
Complete the following tasks, starting in global configuration mode.
The configuration example that follows shows configurations for DHCP, VPDN, PPPoE, and access lists. Access list configurations in this example will allow TCP applications such as FTP, Telnet, and HTTP.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
!
version 12.2
no service single-slot-reload-enable
no service pad (default)
service timestamps debug uptime (default)
service timestamps log uptime (default)
no service password-encryption (default)
!
hostname router1
!
no logging buffered
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp pool PrivateNet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 140.10.10.1
!
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1452 (required for router to reach all websites)
ip nat inside
ip route-cache
!
!
interface Ethernet1
no ip address
ip tcp adjust-mss 1452
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address 140.10.10.5 255.255.255.0
ip nat outside
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap
!
ip classless
! ACL For Nat
! wildcard 0.0.0.255 limits translation to the 192.168.1.0/24 LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
login
!
scheduler max-task-time 5000
end
Figure 2-3 shows how the Cisco 806 router can be used to provide business-class security to a small office or to a telecommuter. Besides configuring the security features described in the "Small Office/Telecommuter with Basic Security" section, the network administrator has configured the router to inspect the application-layer protocols of the packets that arrive. The Cisco 806 router is connected either to a DSL modem or to a cable modem in this configuration. The router uses PPPoE and private addressing provided by NAT.
Figure 2-3 Business Class Security Configuration
This section includes the following topics:
•Configuring the IP Parameters
•Configuring a Set of Inspection Rules
•Configuring the Ethernet Interfaces
•Configuring the Dialer Interface
To configure additional features for this network, see "Feature-by-Feature Router Configurations."
Perform the following tasks to configure the IP parameters, starting in global configuration mode.
Perform the following tasks to configure DHCP, starting in global configuration mode.
Specify which protocols to examine by using the ip inspect name command. For each protocol you want to inspect, enter a line in global configuration mode, using the following syntax:
ip inspect name inspection-name protocol timeout seconds
Use the same inspection-name in multiple statements to group them into one set of rules that can be referenced elsewhere in the configuration.
Complete the following tasks to configure a VPDN, starting in global configuration mode.
Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.
Complete the following tasks to configure the dialer interface, starting in global configuration mode.
The following configuration steps will configure a firewall that will allow TCP sessions originating from the local area network (LAN), but will block all TCP sessions that originate on the wide area network (WAN).
Complete the following tasks, starting in global configuration mode.
The Dialer 0 interface is the WAN interface. Therefore, all access lists and inspect lists are applied to that interface. The firewall configured in this example will allow TCP and User Datagram Protocol (UDP) connections that originate inside the firewall. However, any connection that originates outside the firewall would be blocked, except for certain types of ICMP packets.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
version 12.2
no service single-slot-reload-enable
no service pad (default)
service timestamps debug uptime (default)
service timestamps log uptime (default)
no service password-encryption (default)
!
hostname router1
!
no logging buffered
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp pool PrivateNet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 140.10.10.1
!
ip inspect name myfw tcp alert on
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1452 (required for router to reach all websites)
ip nat inside
ip route-cache
!
!
interface Ethernet1
no ip address
ip tcp adjust-mss 1452
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address 140.10.10.5 255.255.255.0
ip nat outside
ip inspect myfw out
ip access-group 105 in
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap
!
ip classless
!for blocking all traffic originating from outside premises
access-list 105 deny ip host 255.255.255.255 any
!Done for antispoofing
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
!
!done to permit administrative ICMP messages
!
!
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
!
! ACL For Nat
! wildcard 0.0.0.255 limits translation to the 192.168.1.0/24 LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
login
!
scheduler max-task-time 5000
end
!
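To see how the inbound list on Dialer0 actually decides packets, and why the wildcard mask on the NAT list matters, here is an added Python evaluator (example code written for this page, not Cisco tooling). It assumes the constructed ACL_TEXT below, applies Cisco first-match semantics with the implicit deny at the end of the list, and converts wildcard masks to prefixes so an over-broad 0.255.255.255 wildcard is visible as 192.0.0.0/8.

```python
import ipaddress

# Constructed sample: the inbound list applied to Dialer0 in the business-class
# scenario (ACL 105) and a NAT list (101) written with a 0.255.255.255 wildcard.
ACL_TEXT = """
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 101 permit ip 192.168.1.0 0.255.255.255 any
"""

def wildcard_network(addr, wildcard):
    """Cisco wildcard: 0 bits must match, 1 bits are don't-care."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A wildcard) from the tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_network(tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    """Return {list number: [(action, proto, src_net, dst_net, icmp_type)]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        icmp_type = rest[0] if rest else None
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, icmp_type))
    return acls

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, t in acl:
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if p == "icmp" and t is not None and t != icmp_type:
            continue
        return action
    return "deny"
```

Run the evaluator against an inbound TCP SYN, an echo-reply and a packet with a spoofed 192.168.1.x source to confirm only the listed ICMP types get through.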
This scenario includes the business-class security features described in Small Office/Telecommuter with Business-Class Security, and includes support for enterprise applications such as NetMeeting. It also supports multicasting, which enables users at the premises to share a single data stream to the Cisco 806 router for things like video-on-demand presentations and video conferencing, thus conserving network bandwidth.
Figure 2-4 shows three branch offices linked to a headquarters office using xDSL modems or cable modems that connect to an ISP.
Figure 2-4 Business-Class Security and Enterprise Applications Configuration
This section includes the following topics:
•Configuring the IP Parameters
•Configuring Multicast Routing
•Configuring a Set of Inspection Rules
•Configuring the Ethernet Interfaces
•Configuring the Dialer Interface
To configure additional features for this network, see "Feature-by-Feature Router Configurations."
Perform the following tasks to configure the IP parameters, starting in global configuration mode.
Configure multicast routing by completing the following tasks, starting in global configuration mode.
Step | Command | Purpose
---|---|---
Step 1 | ip multicast-routing | Enable IP multicast forwarding.
Step 2 | ip pim rp-address address | Configure the Protocol Independent Multicasting (PIM) Rendezvous Point (RP) address.
Configure DHCP by completing the following tasks, starting in global configuration mode.
Specify which protocols to examine by using the ip inspect name command. For each protocol you want to inspect, enter a line in global configuration mode, using the following syntax:
ip inspect name inspection-name protocol timeout seconds
Use the same inspection-name in multiple statements to group them into one set of rules that can be referenced elsewhere in the configuration.
Complete the following tasks to configure a VPDN, starting in global configuration mode.
Configure the Ethernet interfaces by performing the following tasks, starting in global configuration mode.
Complete the following tasks to configure the dialer interface, starting in global configuration mode.
Complete the following configuration steps to configure a firewall that will allow TCP sessions originating from the local area network (LAN), but will block all TCP sessions that originate on the wide area network (WAN).
Complete the following tasks, starting in global configuration mode.
The configuration example that follows shows configurations for DHCP, VPDN, PPPoE, IP multicasting, and firewalls. The firewalls configured in this example will allow TCP and UDP connections that originate from the premises. However, any connection that originates outside the firewall would be blocked. Access list configurations will allow TCP applications such as FTP, Telnet, and HTTP, while blocking raw IP packets.
You do not need to enter the commands marked "default." These commands appear automatically in the configuration file that is generated when you use the show running-config command.
Note Multicasting is configured in PIM sparse mode. The user must change the IP address of the RP server manually.
!
version 12.2
no service single-slot-reload-enable
no service pad (default)
service timestamps debug uptime (default)
service timestamps log uptime (default)
no service password-encryption (default)
!
hostname router1
!
no logging buffered
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp pool PrivateNet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 140.10.10.1
!
!Multicast Protocol - PIM
ip multicast-routing
ip pim rp-address 192.168.20.3
!
ip inspect name myfw tcp alert on
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
no ip dhcp-client network-discovery
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip pim sparse-mode
ip tcp adjust-mss 1452 (required for router to reach all websites)
ip nat inside
!
!
interface Ethernet1
no ip address
ip tcp adjust-mss 1452
pppoe enable
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address 140.10.10.5 255.255.255.0
ip pim sparse-mode
! access list 102 is not defined in this example; in IOS an access group that
! references an undefined list permits all traffic, so define 102 before use
ip access-group 102 out
ip nat outside
ip inspect myfw out
ip access-group 105 in
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap
ip route-cache
!
ip classless
!for blocking all traffic originating from outside premises
access-list 105 deny ip host 255.255.255.255 any
!Done for antispoofing
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
!
!done to permit administrative ICMP messages
!
!
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
!
! ACL For Nat
! wildcard 0.0.0.255 limits translation to the 192.168.1.0/24 LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
login
!
scheduler max-task-time 5000
end
!
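A consistency check of the kind worth running before loading a configuration like this one: every access group, NAT source list and inspect rule applied on an interface should point at something that is defined, and every inspect set that is defined should be applied somewhere. This is added example code, not Cisco tooling; it assumes the constructed CONFIG fragment below, which deliberately carries an inspect set named myfirewall that is never applied and an access group 102 with no matching list.

```python
import re

# Constructed fragment modelled on the enterprise scenario. It deliberately
# keeps two cross-reference slips so that the checks below report them.
CONFIG = """
ip inspect name myfirewall tcp alert on
ip inspect name myfw ftp timeout 3600
ip inspect name myfw tcp timeout 3600
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
ip nat inside source list 101 interface Dialer0 overload
interface Dialer0
 ip access-group 102 out
 ip nat outside
 ip inspect myfw out
 ip access-group 105 in
"""

def lint_config(text):
    """Return (kind, name, where) findings for dangling or unused references."""
    defined_acls, defined_inspect = set(), set()
    used_acls, used_inspect = {}, {}  # name -> where it is applied
    iface = "global"
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"ip inspect name (\S+)", line):
            defined_inspect.add(m[1])
        elif m := re.match(r"access-list (\d+)", line):
            defined_acls.add(m[1])
        elif m := re.match(r"ip access-group (\d+) (in|out)", line):
            used_acls[m[1]] = f"{iface} {m[2]}"
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            used_acls[m[1]] = "nat"
        elif m := re.match(r"ip inspect (\S+) (in|out)", line):
            used_inspect[m[1]] = f"{iface} {m[2]}"
    findings = []
    # An access group that points at a list with no entries passes all traffic
    # in IOS, so a dangling number silently removes the filter.
    for acl, where in used_acls.items():
        if acl not in defined_acls:
            findings.append(("undefined-acl", acl, where))
    for name, where in used_inspect.items():
        if name not in defined_inspect:
            findings.append(("undefined-inspect", name, where))
    # A rule defined under one name and applied under another inspects nothing.
    for name in sorted(defined_inspect - set(used_inspect)):
        findings.append(("unapplied-inspect", name, "global"))
    return findings
```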
The configuration for this scenario is identical to the configuration described in the "Small Office/Telecommuter with Business-Class Security and Enterprise Applications" section. In this case, however, the Cisco 806 router connects to a long-reach Ethernet (LRE) modem or to an Ethernet switch, as shown in Figure 2-5. Remote offices and telecommuters can be carried by a metropolitan area network (MAN) or an ISP's network.
Figure 2-5 Ethernet Gateway Configuration
See the "Small Office/Telecommuter with Business-Class Security and Enterprise Applications" section for configuration instructions and a configuration example.