Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819GUK9, C819HG4GVK9 manual Configuration Example, 9-16, Command or Action, Purpose

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 110

Configuration Example

Chapter 9 Configuring Security Features

Configuring VPN

	Command or Action	Purpose
Step 4
Step 4	mode {client network-extension network	Specifies the VPN mode of operation.
	extension plus}
	Example:
	Router(config-crypto-ezvpn)# mode client
	Router(config-crypto-ezvpn)#
Step 5
Step 5	exit	Returns to global configuration mode.
	Example:
	Router(config-crypto-ezvpn)# exit
	Router(config)#
Step 6
Step 6	crypto isakmp keepalive seconds	Enables dead peer detection messages. Time
	Example:	between messages is given in seconds, with a
	Example:	range of 10 to 3600.
	Router(config-crypto-ezvpn)# crypto isakmp
	keepalive 10
	Router(config)#
Step 7
Step 7	interface type number	Enters the interface configuration mode for the
	Example:	interface to which you want the Cisco Easy VPN
	Example:	remote configuration applied.
	Router(config)# interface fastethernet 4	Note	For routers with an ATM WAN interface,
	Router(config-if)#	Note	For routers with an ATM WAN interface,
	Router(config-if)#		this command would be interface atm 0.
			this command would be interface atm 0.
Step 8
Step 8	crypto ipsec client ezvpn name [outside	Assigns the Cisco Easy VPN remote configuration
	inside]	to the WAN interface, causing the router to
	Example:	automatically create the NAT or port address
	Example:	translation (PAT) and access list configuration
		translation (PAT) and access list configuration
	Router(config-if)# crypto ipsec client	needed for the VPN connection.
	ezvpn ezvpnclient outside
	Router(config-if)#
Step 9
Step 9	exit	Returns to global configuration mode.
	Example:
	Router(config-crypto-ezvpn)# exit
	Router(config)#

Configuration Example

The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter:

!

aaanew-model

!

aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common

!

username Cisco password 0 Cisco

	Cisco 819 Series Integrated Services Routers Software Configuration Guide
9-16	OL-23590-02

Image 110

Cisco Systems C819GUK9, C819HG4GVK9 manual Configuration Example, 9-16, Command or Action, Purpose

Contents

800 553-NETS Fax 408 Americas HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA Text Part Number OL-23590-02 September 2THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS WLAN Features Information Needed for ConfigurationNew Features Wireless Device OverviewConfiguring DDR Configuring a Cellular InterfacePrerequisites for Configuring the 3G Wireless Interface Verifying ConfigurationInterface Enablement Configuration Examples Ignoring DCD and Monitoring DSR as Line Up/Down IndicatorConfiguration Examples Configuring Security FeaturesConfigure a Site-to-Site GRE Tunnel Configure the IKE PolicyCreate a Cisco Easy VPN Remote Configuration Configuring the Ethernet SwitchesConfiguring 802.1x Authentication Configure the Virtual Private Dialup Network Group NumberConfiguring VLANs Configuration TasksConfigure Group Policy Information Entering Global Configuration Mode A-5Configure the IKE Policy Understanding Command ModesBackup Interface Changing the Configuration Register Manually C-11Changing the Configuration Register Using Prompts C-11 ROM Monitor CommandsContents OL-23590-02General Description General Description, page SKU Information, page New Features, pageProduct Overview C H A P T E RChapter 1 Product Overview General Description Figure 1-1 Cisco 819HG Integrated Services RouterFigure 1-2 Cisco 819HGW Integrated Services Router OL-23590-023G Features, page WLAN Features, page 4G LTE Features, page New Features3G Features Platform Features, page Security Features, pageSecurity Features WLAN FeaturesPlatform Features ScanSafe, page TFTP support with Ethernet WAN interface, page Wireless Device OverviewScanSafe LEDs, pageColor TFTP support with Ethernet WAN interfaceLEDs DescriptionDescription show platform led for all LEDs show controller cellular 0 for 3G LEDsColor 3G LED Descriptions continuedChapter 2 Wireless Device Overview LEDs router# show controllers cellularDual-Radio, page Images Supported, page CleanAir Technology, page Wireless Local Area NetworkWLAN Features Dual-RadioDynamic Frequency Selection CleanAir TechnologyImages Supported LEDsDescription WLAN LEDColor WLAN LED DescriptionsChapter 3 Wireless Local Area Network WLAN Features OL-23590-024G LTE Wireless WAN C H A P T E RChapter 4 4G LTE Wireless WAN OL-23590-02Information Needed for Configuration, page Basic Router ConfigurationInterface Ports, page Default Configuration, page Configuring Command-Line Access, pageRouter Default ConfigurationInterface Ports InterfaceInformation Needed for Configuration 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA If you are setting up IP routing3. login Configuring Command-Line Access1. line aux console tty vty line-number 2. password password 4. exec-timeout minutes secondsPurpose CommandDETAILED STEPS ExamplePurpose ExampleCommand Exampleenable secret password Configuring Global Parametersconfigure terminal hostname nameConfiguring a Gigabit Ethernet WAN Interface, page Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Configuring the Cellular Wireless WAN Interface, pageEnters the configuration mode for a Gigabit Configuring the Cellular Wireless WAN InterfaceCommand Enables the Ethernet interface, changing its5-11 Prerequisites for Configuring the 3G Wireless InterfaceRestrictions for Configuring the Cellular Wireless Interface Configuring a GSM Modem Data Profile, page Verifying Signal Strength and Service AvailabilityVerifying Signal Strength and Service Availability, page Command or ActionCommand or Action Configuring a GSM Modem Data Profile5-13 Command or ActionUsername provided by your service provider authenticationType of authentication, for example, CHAP, PAP Passwordrouter # cellular 0 cdma activate otasp phonenumber Activating with Over-the-Air Service Provisioningcellular cdma activate iota 5-154. ppp chap hostname hostname 5. ppp chap password 0 password Configuring a Cellular Interface1. configure terminal 2. interface cellular 3. encapsulation ppp 6. asynchronous mode interactive 7. ip address negotiated4. dialer idle-timeout seconds 5. dialer string string Configuring DDR1. configure terminal 2. interface cellular 3. dialer in-band 9. ip access-list access list number permit ip source addressDETAILED STEPS 5-18Command or Action PurposePurpose 5-19Command or Action ExampleBasic Cellular Interface Configuration, page Examples for Configuring Cellular Wireless InterfacesBasic Cellular Interface Configuration Tunnel over Cellular Interface Configuration, page5-21 Tunnel over Cellular Interface ConfigurationConfiguration for 8705 modem Chapter 5 Basic Router Configuration Configuring WAN Interfaces5-22 Configuring Dual SIM for Cellular NetworksSyntax CommandCommand Configuring Router for Image and Config Recovery Using Push Button5-23 SyntaxROMMON Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example IOS BehaviorPush Button in WLAN AP Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces 3. exitExits configuration mode for the loopback Verifying ConfigurationEnters configuration mode for the loopback interface and returns to global configurationIOS IP Routing Protocol-Independent Command Configuring Static RoutesFor details about this command and about Exits router configuration mode and entersConfiguring Routing Information Protocol, page Configuring Dynamic RoutesVerifying Configuration Configuring Enhanced Interior Gateway Routing Protocol, page2. version 1 Configuring Routing Information Protocolrouter rip 3. network ip-address2. network ip-address Configuring Enhanced Interior Gateway Routing Protocol1. router eigrp as-number 3. endCommand 5-31Verifying Configuration ExampleOL-23590-02 5-32Chapter 5 Basic Router Configuration Configuring Dynamic Routes Configuring Backup Interfaces, page Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Configuring Cellular Dial-on-Demand Routing Backup, pageCommand 2. backup interface interface-type interface-number1. interface type number SUMMARY STEPS1. configure terminal Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch 6. ip access-list access list number permit ip source addressPurpose Command or ActionDETAILED STEPS Example1. configure terminal Configuring DDR Backup Using Floating Static RouteCellular Wireless Modem as Backup with NAT and IPsec Configuration Command or Actionno aaa new-model Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup OL-23590-02 Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup line vty 0 4 login line con no modem enable line aux 0 lineexec-timeout 0 0 script dialer gsm login route-map track-primary-if permit 10 match ip address1 A Cisco 819 router4. chat-script script-name expect-send 5. interface type number 15. modem enable 16. exit1. ip name-server server-address 2. ip dhcp pool name 3. exit 6. exitCommand section on page6-11 DETAILED STEPSa default gateway Exits the interface configuration modeEnables dynamic translation of addresses on the Defines an extended access list that indicatesChapter 6 Configuring Backup Data Lines and Remote Management 6-13Command modem enable6-14 Chapter 6 Configuring Backup Data Lines and Remote Managementno ip http server ip pim bidir-enable 6-15Chapter 6 Configuring Backup Data Lines and Remote Management OL-23590-02OL-23590-02 6-16Chapter 6 Configuring Backup Data Lines and Remote Management Environmental and Power Management C H A P T E RCisco EnergyWise Support Information About Configuring Serial Interfaces, page Configuring the Serial InterfaceLegacy Protocol Transport, page Configuring Serial Interfaces, page How to Configure Serial Interfaces, page Configuration Examples, pageLegacy Protocol Transport Configuring Serial InterfacesConnector Type Product NumberCisco HDLC Encapsulation Information About Configuring Serial InterfacesKeepalive Timer, page Frame Relay Encapsulation, page PPP EncapsulationKeepalive Timer Multilink PPPInformation About Configuring Serial Interfaces Frame Relay EncapsulationChapter 8 Configuring the Serial Interface OL-23590-02Configuring a Synchronous Serial Interface, page How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface Configuring Low-Speed Serial Interfaces, pageInverting the Transmit Clock Signal, page 8-10 Optional Configuring Compression of HDLC Data, page 8-9 OptionalUsing the NRZI Line-Coding Format, page 8-9 Optional Setting Transmit Delay, page 8-11 OptionalCommand Configuring PPPConfiguring Bisync Command1. encapsulation hdlc 2. compress stac Configuring Compression of HDLC DataUsing the NRZI Line-Coding Format 1. nrzi-encoding1. transmit-clock-internal Inverting the Transmit Clock SignalEnabling the Internal Clock 1. invert txclock 2. invert rxclockIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Setting Transmit DelayConfiguring DTR Signal Pulsing 8-11Specifying the Serial Network Interface Module Timing 1. dce-terminal-timing enableConfigures the DCE to use SCTE from the DTE 1. ignore-dcdCommand or Action 1. dte-invert-txc8-13 Chapter 8 Configuring the Serial InterfaceHalf-Duplex DTE State Machines Configuring Low-Speed Serial InterfacesUnderstanding Half-Duplex DTE and DCE State Machines Understanding Half-Duplex DTE and DCE State Machines, pageHalf-Duplex DTE Receive State Machine Half-Duplex DCE State Machines8-15 8-16 Half-Duplex DCE Transmit State Machine8-17 Placing a Low-Speed Serial Interface in Constant-Carrier Mode1. no half-duplex controlled-carrier Command or ActionChanging Between Synchronous and Asynchronous Modes Tuning Half-Duplex Timerssdlc cts-delay sdlc rts-timeout 1. physical-layer sync async1. no physical-layer Configuration ExamplesInterface Enablement Configuration Examples 8-19Low-Speed Serial Interface Examples Half-Duplex Timers ExampleHalf-Duplex Timers Example, page Synchronous or Asynchronous Mode ExamplesAuthentication, Authorization, and Accounting, page Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring AutoSecure, page Configuring Access Lists, pageConfiguration Commands Configuring AutoSecureConfiguring Access Lists access-list 1-99permit deny source-addr source-maskip inspect name inspection-name protocol timeout seconds Configuring Cisco IOS FirewallAccess Groups Remote Access VPN, page Site-to-Site VPN, page Configuring Cisco IOS IPSConfiguring VPN Configuration Examples, pageRemote Access VPN Site-to-Site VPN Library, Cisco IOS Release 12.4TConfigure the IKE Policy Configuration ExamplesConfigure a VPN over an IPSec Tunnel Configure the IKE Policy, pageSpecifies the authentication method used in the Command or ActionMD5 algorithm. The default is Secure Hash Exits IKE policy configuration mode and enters6. ip local pool default poolname low-ip-address high-ip-address Configure Group Policy Information1. crypto isakmp client configuration group group-name default 2. key name1. crypto map map-name isakmp authorization list list-name Apply Mode Configuration to the Crypto MapTechnologies Command Reference 2. crypto map tag client configuration address initiate responddetails, see Securing User Services Configuration Enable Policy Lookup2. aaa authentication login default list-name method1 method2 IOS Security Command ReferenceConfigures IPSec profile to apply protection on Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters See Secure Connectivity Configuration Guidemore details about this command crypto map configuration modeSee Cisco IOS Security Command Reference for Returns to global configuration modeApply the Crypto Map to the Physical Interface Where to Go NextEnters the interface configuration mode for the 2. crypto map map-name 3. exitand enters Cisco Easy VPN remote configuration Create a Cisco Easy VPN Remote ConfigurationCreates a Cisco Easy VPN remote configuration hostname resolutionCommand or Action Configuration Example9-16 Purpose7. ip access-list standard extended access-list-name Configure a Site-to-Site GRE Tunnel4. tunnel destination default-gateway-ip-address 3. tunnel source interface-type numberEnters ACL configuration mode for the named tunnel interface must be configured toExits interface configuration mode and returns to Creates a tunnel interface and enters interfaceoutbound interface Returns to global configuration modeSpecifies that only GRE traffic is permitted on the 9-19hash md5 authentication pre-share crypto isakmp key cisco123 address 9-20Chapter 9 Configuring Security Features Configuring VPN Restrictions for the FE Switch Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Switch Port Numbering and Naming, page802.1x Authentication Information About Ethernet SwitchesLayer 2 Ethernet Switching VLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, pageIGMP Snooping Switched Port AnalyzerOverview of SNMP MIBs Storm ControlMIBs BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBs LinkRouterconfig#Routersnmp-server group public v2c context bridge-group MAC Address Notification10-5 Routerconfig#snmp-server community public RWConfiguring VLANs, page Configuring Layer 2 Interfaces, page How to Configure Ethernet SwitchesConfiguring VLANs Configuring 802.1x Authentication, pageVLANs on the GE Port Configuring Layer 2 Interfacesswitchport mode dynamic desirable Comand10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol Manipulation Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol Port SecurityConfiguring IGMP Snooping Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Per-Port Storm ControlConfiguring Fallback Bridging 10-11Managing the Switch 10-12C H A P T E R Configuring PPP over Ethernet with NAT11-1 Configure the Virtual Private Dialup Network Group Number, page Configuration TasksConfigure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces, pageCommand or Action Configure the Fast Ethernet WAN Interfaces11-3 DETAILED STEPSConfigures the PPPoE client and specifies the Configure the Dialer InterfaceEnters interface configuration mode for a Enables the Fast Ethernet interface and the1. interface dialer dialer-rotary-group-number 5. ppp authentication protocol1 protocol2 6. dialer pool numberCommand Reference 2. ip address negotiated 3. ip mtu bytesExits the dialer 0 interface configuration Configure Network Address TranslationUsing a dialer group controls access to For details about this command and additional8. ip nat inside outside 9. no shutdown 10. exit 3. interface type number4. ip nat inside outside 5. no shutdown 6. exit 11-7Command Reference, Volume 1 of 4 Addressing by the access list 1 to be translated to one of thepermitted by access list acl1 to be translated to one and ServicesDefines a standard access list indicating which Configuration ExampleEnters configuration mode for the Fast Ethernet WAN interface FE4 to be the outside interfaceConfiguration Example 11-10Chapter 11 Configuring PPP over Ethernet with NAT vpdn enable vpdn-group 1 request-dialin protocol pppoeChapter 11 Configuring PPP over Ethernet with NAT Verifying Your Configuration11-11 Configuration ExampleConfiguration Example 11-12Chapter 11 Configuring PPP over Ethernet with NAT OL-23590-0212-1 Configuring a LAN with DHCP and VLANsDHCP C H A P T E R7. default-router address address2...address8 Configure DHCPConfigure DHCP, page Configure VLANs, page VLANsenters DHCP pool configuration mode. The name Identifies the default domain that the router uses toresolution Specifies up to eight default routers for a DHCPSpecifies up to eight DNS servers available to a Verify Your DHCP ConfigurationExits DHCP configuration mode and enters global DHCP client12-5 Configure VLANs1. vlan ? 2. ISL VLAN ID 3. exit Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks1. interface switch port id Assign a Switch Port to a VLANServices Command Reference 2. switchport access vlan vlan-id 3. endto the VLAN Verify Your VLAN ConfigurationSpecifies the switch port that you want to assign Assigns a port to the VLANCisco 819 Integrated Services Routers Software Configuration Guide 12-8Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Router# vlan databaseRouter# show vlan-switch 12-9Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks OL-23590-02Cisco 819 Integrated Services Routers Software Configuration Guide 12-10Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks OL-23590-02C H A P T E R Configuring a VPN Using Easy VPN and an IPSec Tunnel13-1 Figure 13-1 Remote Access VPN Using IPSec Tunnel Cisco Easy VPN13-2 13-3 Configure the IKE PolicyCreate an Easy VPN Remote Configuration, page Configuration TasksThe example specifies a pre-shared key The example specifies 168-bit data encryptionstandard SHA-1 Specifies the Diffie-Hellman group to be used in1. crypto isakmp client configuration group group-name default Configure Group Policy Information13-5 6. ip local pool default poolname low-ip-address high-ip-addressCommand or Action Apply Mode Configuration to the Crypto Map13-6 Technologies Command Reference2. aaa authentication login default list-name method1 method2 Enable Policy Lookup13-7 Command or Action13-8 Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Command or Actioncrypto map configuration mode 13-9Command or Action See Cisco IOS Security Command Reference for2. group group-name key group-key 3. peer ipaddress hostname Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 13-106. interface type number remote configuration appliedthis command would be interface atm 7. crypto ipsec client ezvpn name outside inside 8. exitConfiguration Example Verifying Your Easy VPN Configuration13-12 Command or ActionConfiguration Example 13-13Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel OL-23590-02Configuration Example 13-14Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco 819 Integrated Services Routers Software Configuration GuideUnderstanding Command Modes, page A-2 Getting Help, page A-4 Configuring the Router from a PCConfiguring the Router from a PC, page A-1 Enable Secret Passwords and Enable Passwords, page A-5Terminal Emulation Software Understanding Command ModesPC Operating System Enable Passwords” procedure on Access Methodthe “Enable Secret Passwords and ModeAccess Method Getting Helprouter rip-from ModeEnable Secret Passwords and Enable Passwords Entering Global Configuration ModeUndoing Commands Using CommandsAbbreviating Commands Command-Line Error MessagesSummary Saving Configuration ChangesWhere to Go Next OL-18906-02 Appendix A Cisco IOS Software Basic Skills Where to Go NextCisco 819 Integrated Services Routers Software Configuration Guide Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7 PPP Authentication Protocols, page B-3 TACACS+, page B-4Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6 Access Lists, page B-9Protocol Routing UpdatesRouting Protocol Options Ideal TopologyPPP Authentication Protocols Enhanced IGRPCHAP TACACS+Ethernet Backup Interface, page B-5 Floating Static Routes, page B-5 Dial BackupBackup Interface Floating Static RoutesEasy IP Phase Easy IP Phase IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9 CBWFQ IP PrecedencePPP Fragmentation and Interleaving RSVPAccess Lists Low Latency QueuingOL-18906-02 B-10Appendix B Concepts Access Lists Disaster Recovery with TFTP Download, page C-3 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2Command Descriptions, page C-3 Configuration Register, page C-10 Console Download, page C-12reload ROM Monitor Commandsexit Descriptions” section on page C-3reset or Command DescriptionsDisaster Recovery with TFTP Download Configuration Fundamentals and Network Management GuideVariable TFTP Download Command VariablesRequired Variables CommandCommand Using the TFTP Download CommandOptional Variables VariableExamples OL-18906-02 Appendix C ROM Monitor Disaster Recovery with TFTP DownloadCisco 819 Integrated Services Routers Software Configuration Guide Appendix C ROM Monitor Disaster Recovery with TFTP Download Cisco 819 Integrated Services Routers Software Configuration GuideOL-18906-02 Disaster Recovery with TFTP DownloadAppendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration RegisterC-10 Cisco 819 Integrated Services Routers Software Configuration GuideC-11 Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts Console Download Command Descriptionrecognize it, the name of the configuration file must be routerconfg xmodem -cyrx destinationfilenameC-13 Debug CommandsError Reporting Exiting the ROM Monitor C-14Port Common Port AssignmentsA P P E N D I X D KeywordDescription PortKeyword Table D-1