Cisco 1710 Security Router Software Configuration Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7812696= Text Part Number: 78-12696-01...
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures: •...
Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, PIX, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco.com Technical Assistance Center Contacting TAC by Using the Cisco TAC Website Contacting TAC by Telephone xvii Introduction to Router Configuration C H A P T E R Configuring the Router from a PC...
Defining the VLAN Encapsulation Format Assigning an IP Address to a Network Interface Configuring IPX Routing over IEEE 802.1Q Enabling NetWare Routing Defining the VLAN Encapsulation Format Configuring NetWare on the Subinterface...
4-10 show vlans 4-11 Syntax Description 4-11 Command Mode 4-11 Example 4-11 ROM Monitor A P P E N D I X Entering the ROM Monitor ROM Monitor Commands Command Descriptions...
TFTP Download Command Variables Required Variables Optional Variables Using the TFTP Download Command Configuration Register Console Download A-10 Command Description A-11 Error Reporting A-12 Debug Commands A-12 I N D E X...
Preface This preface describes the objectives, audience, organization, and conventions of the Cisco 1710 Security Router Software Configuration Guide. It also provides information about additional documentation and how to obtain technical assistance. Objectives This software configuration guide explains how to configure the Cisco 1710 router.
Cisco IOS.
• Chapter 2, “Cisco 1710 Security Router Configuration”—Describes what you need to know about the Cisco IOS software (the software that runs the router) before you begin to configure the router.
• Chapter 3, “Overview of Routing Between Virtual LANs”—Provides an...
• Cisco IOS Software Configuration: Cisco IOS Release 12.2: Configuration Guides and Command References provide complete information about all the Cisco IOS CLI commands and how to use them, as well as information on designing and configuring LANs and WANs.
•...
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
• http://www.cisco.com
• http://www-china.cisco.com
•...
553-NETS(6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco. Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions,...
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions. To register for Cisco.com, go to the following website: http://www.cisco.com/register/...
Understanding these concepts saves you time when you are configuring your router. If you have never used the Cisco IOS software or need a refresher, take a few minutes to read this chapter before you proceed to the next chapter.
You can now configure your router using your PC. Understanding Command Modes This section describes the Cisco IOS command mode structure. Each command mode supports specific Cisco IOS commands. For example, the interface type_number command is used only when in global configuration mode.
You use the following Cisco IOS command modes when configuring the scenarios described in this document:
• User EXEC
• Privileged EXEC
• Global configuration
• Interface configuration
• Router configuration
•...
You should configure your router with an enable password to prevent anyone from making unauthorized changes to the router configuration.
EXEC mode. To exit interface configuration mode, enter the exit command, or press Ctrl-Z. To enter subinterface configuration mode, specify a subinterface with the interface command. Interface types:
• 10BaseT Ethernet interface
• 10/100BaseT FastEthernet interface
You can restrict the list to all commands starting with a specific letter by entering that letter, followed by a question mark (no space):
Router (config-if)# s?
shutdown snapshot snmp standby
For maximum security, the passwords should be different. If you enter the same password for both during the setup process, your router accepts the passwords, but warns you that they should be different.
The enable password does not show on the screen when you enter it. This example shows how to enter configuration mode on a Cisco 1710 Security router: 1710> enable enable_password Password: <...
Using Commands
This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI).
Abbreviating Commands
You only have to enter enough characters for the router to recognize the command as unique.
Router# copy running-config startup-config
Building configuration...
It might take a minute or two to save the configuration to NVRAM. After the configuration has been saved, the following appears:
[OK]
Router#
You can find additional information and documentation about the debug commands in the Debug Command Reference document on the Cisco IOS software documentation CD-ROM that came with your router. If you are not sure where to find this document on the CD-ROM, use the Search function in the Verity Mosaic browser that comes with the CD-ROM.
Where to Go Next
Now that you have learned some Cisco IOS software basics, you can begin to configure your router. Remember that you can use the question mark (?) and arrow keys to help you enter •...
Cisco 1710 Security Router Configuration This chapter presents basic configuration procedures for features of the Cisco 1710 Security router. For a full description of these features and their configurations, please refer to Cisco IOS Software Configuration: Cisco IOS Release 12.2.
IPSec implements the Data Encryption Standard (DES) and triple DES (3DES). Refer to the Cisco IOS Security Configuration Guide, Release 12.1, for more detailed information on IPSec. Perform the following tasks to configure IPSec. Start in global configuration mode.
Exit crypto map configuration mode. Disabling Hardware Encryption The Cisco 1710 Security router is equipped with a Virtual Private Network (VPN) module that provides hardware 3DES encryption by default. It is possible to disable the VPN module and use Cisco IOS software encryption/decryption instead.
The following is a useful command that shows statistical information about the VPN module:
show crypto engine accelerator statistic
An example of its use is as follows:
c1710#show crypto engine accelerator statistic
C1700_EM: ds: 0x81784BA4 idb:0x81780560
Set the size of the IP maximum transmission unit (MTU).
Step 4 encapsulation ppp: Set the encapsulation type to PPP.
Step 5 dialer pool 1: Specify the dialer pool to be used.
172.16.0.0, one in subnetwork 172.16.1.0, and one in subnetwork 172.16.2.0. Attributes from network 172.16.0.0, such as the domain name, DNS server, NetBIOS name server, and NetBIOS node type, are inherited in subnetworks
Manual Binding Configuration Example
The following example creates a manual binding for a client named Mars.cisco.com. The MAC address of the client is 02c7.f800.0422 and the IP address of the client is 172.16.2.254.
ip dhcp pool Mars
 host 172.16.2.254
 hardware-address 02c7.f800.0422 ieee802...
The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall. Refer to the Cisco IOS Security Configuration Guide, Release 12.1, for more detailed information on traffic filtering and firewalls.
• The order of commands in the sequence is important. A packet will be operated on by the first command. If there is no match (neither a permit nor a deny occurs), the next command operates on the packet, and so on.
Complete Sample Configuration An example configuration is presented here, in which a Cisco 1710 Security router is a PPPoE client connected through a modem to an external network access router. The router might be located in a branch office with the network access router located at the corporate site.
In this example, both the Cisco 1710 Security router and the network access router have inside and outside interfaces. The outside interfaces have global IP addresses while the inside interfaces have local IP addresses. These addresses are as follows:
Cisco 1710 Security router outside interface: 24.119.216.150 255.255.255.0...
102 permit ahp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 deny udp any any
access-list 102 permit ip any any
access-list 102 permit icmp any any
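The first-match rule stated earlier, applied to the sample access-list 102 above, as an added example that is not code from the Cisco guide: a small Python evaluator that reports which entry decides a packet and which entries can never be reached because an earlier entry already covers them. It models only the keywords used in those five entries (protocol, any addresses, eq isakmp); the Packet type and the port-only packet model are assumptions for illustration.

```python
"""First-match evaluation of the sample access-list 102 (added example, not Cisco code).

Models only the keywords used in the five sample entries: protocol, 'any'
addresses and 'eq isakmp', enough to show that the first matching entry
decides and that later entries are never consulted.
"""
from dataclasses import dataclass
from typing import Optional

ISAKMP_PORT = 500  # the IOS keyword 'isakmp' names UDP port 500

# The five entries from the sample configuration (first line completed).
ACL_102 = """
access-list 102 permit ahp any any
access-list 102 permit udp any eq isakmp any eq isakmp
access-list 102 deny udp any any
access-list 102 permit ip any any
access-list 102 permit icmp any any
"""

@dataclass(frozen=True)
class Entry:
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip', 'udp', 'ahp', 'icmp', ...
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:                       # assumed minimal packet model
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def parse_acl(text: str) -> list:
    """Parse 'access-list N action proto any [eq port] any [eq port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        ports = []
        for i, word in enumerate(rest):
            if word == "any":
                ports.append(None)  # address wildcard, no port restriction yet
            elif word == "eq":      # port qualifier for the preceding address
                ports[-1] = ISAKMP_PORT if rest[i + 1] == "isakmp" else int(rest[i + 1])
        entries.append(Entry(action, proto, ports[0], ports[1]))
    return entries

def covers(e: Entry, proto: str, sport: Optional[int], dport: Optional[int]) -> bool:
    """True when entry e matches everything described by (proto, sport, dport)."""
    return (e.proto in ("ip", proto)
            and e.src_port in (None, sport)
            and e.dst_port in (None, dport))

def evaluate(acl: list, p: Packet) -> tuple:
    """Walk the list in order; return (action, index). Index None is the implicit deny."""
    for i, e in enumerate(acl):
        if covers(e, p.proto, p.src_port, p.dst_port):
            return e.action, i
    return "deny", None

def shadowed(acl: list) -> list:
    """Indices of entries that can never match because an earlier entry covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later.proto, later.src_port, later.dst_port)
                   for earlier in acl[:j])]
```

Run against the sample list, ISAKMP (UDP 500 to 500) is permitted by the second entry, any other UDP is stopped by the deny that precedes the permit ip line, and the trailing permit icmp entry is reported as unreachable.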
Network Access Router Configuration
The following commands configure the network access router so that it provides a secure connection to the Cisco 1710 Security router.
crypto isakmp key 12abcjhrweit345 address 24.19.216.150
crypto isakmp policy 1
 authentication pre-share...
VLAN, regardless of their physical connections to the network or their intermingling with other teams. The network can be reconfigured by using software rather than by physically unplugging and moving the devices or wires.
LAN environments that support broadcast- or multicast-intensive protocols and applications that flood packets throughout the network. Figure 3-1 illustrates the difference between traditional physical LAN segmentation and logical VLAN segmentation.
Just as switches isolate collision domains for attached hosts and only forward appropriate traffic out a particular port, VLANs provide complete isolation between VLANs. A VLAN is a bridging domain; all broadcast and multicast traffic is contained within the VLAN.
Communication Between VLANs Communication between VLANs is accomplished through routing, and the traditional security and filtering functions of the router can be used. Cisco IOS software provides network services such as security filtering, quality of service (QoS), and accounting on a per VLAN basis. As switched networks evolve to distributed VLANs, Cisco IOS provides key inter-VLAN communications and allows the network to scale.
• Network additions, moves, and changes
Communicating Between VLANs
The Cisco 1710 Security router uses the IEEE 802.1Q protocol for routing between VLANs. The IEEE 802.1Q protocol is used to interconnect multiple switches and routers and for defining VLAN topologies. IEEE 802.1Q support is currently available only for Fast Ethernet interfaces.
VLAN Translation VLAN translation refers to the ability of the Cisco IOS software to translate between different virtual LANs or between VLAN and non-VLAN encapsulating interfaces at Layer 2. Translation is typically used for selective inter-VLAN switching of non-routable protocols and to extend a single VLAN topology across hybrid switching environments.
This chapter describes the required and optional tasks for configuring routing between VLANs with IEEE 802.1Q encapsulation. For complete descriptions of the VLAN commands used in this chapter, refer to the “Cisco IOS Switching Commands” chapter in the Cisco IOS Switching Services Command Reference.
AppleTalk can be routed over virtual LAN (VLAN) subinterfaces, using the IEEE 802.1Q VLAN encapsulation protocol. AppleTalk Routing provides full-feature Cisco IOS software AppleTalk support on a per VLAN basis, allowing standard AppleTalk capabilities to be configured on VLANs. To route AppleTalk over IEEE 802.1Q between VLANs, you need to customize the subinterface to create the environment in which it will be used.
VLAN identifier.
Configuring IP Routing over IEEE 802.1Q
IP routing over IEEE 802.1Q extends IP routing capabilities to include support for routing IP frame types in VLAN configurations using the IEEE 802.1Q encapsulation.
• Assigning an IP Address to a Network Interface
Enabling IP Routing
IP routing is automatically enabled in the Cisco IOS software for routers. To re-enable IP routing if it has been disabled, use the following command in global configuration mode:...
Novell Ethernet_802.3 encapsulation frames to be routed using IEEE 802.1Q encapsulation across VLAN boundaries. To configure Cisco IOS software on a router with connected VLANs to exchange IPX Novell Ethernet_802.3 encapsulated frames, perform these tasks in the order...
This section provides configuration examples for each of the protocols described in this chapter. The section provides the examples for the following:
• Configuring AppleTalk over IEEE 802.1Q
• Configuring IP Routing over IEEE 802.1Q
• Configuring IPX Routing over IEEE 802.1Q
VLAN Commands This section provides an alphabetical listing of all the VLAN commands that are new or specific to the Cisco 1710 router. All other commands used with this feature are documented in the Cisco IOS Release 12.1T command reference documents.
Example
The following is sample output from the debug vlan packets command:
Router# debug vlan packets
Virtual LAN packet information debugging is on
Usage Guidelines
IEEE 802.1Q encapsulation is configurable on Fast Ethernet interfaces.
Example
The following example encapsulates VLAN traffic, using the IEEE 802.1Q protocol for VLAN 100:
interface fastethernet 0.100
 encapsulation dot1q 100
Virtual LAN ID: Domain number of the VLAN
vLAN Trunk Interface: Subinterface that carries the VLAN traffic
Protocols Configured: Protocols configured on the VLAN
Address: Network address
Received: Packets received
Transmitted: Packets transmitted
You can perform certain configuration tasks, such as recovering a lost password or downloading software over the console port, by using ROM monitor. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.
1700# reload
register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually boot the operating system from the console. Refer to the boot command in the “Command...
Ctrl and the Break keys at the same time. If you are using another type of terminal emulator or terminal emulation software, refer to the documentation for that product for information on how to send a Break command.
0xb86d c1700-bk9no3r2sy7-mz.0412
Boot Commands
For more information about the ROM monitor boot commands, see the Cisco IOS Configuration Guide and Cisco IOS Command Reference publications.
Boots the first image in Flash memory.
The standard way to load new software on your router is using the copy tftp flash privileged EXEC command from the Cisco IOS software command-line interface (CLI). However, if the router is unable to boot the Cisco IOS software, you can load new software while in ROM monitor mode.
DEFAULT_GATEWAY=ip_address: ... the router.
TFTP_SERVER=ip_address: IP address of the TFTP server from which the software will be downloaded.
TFTP_FILE=filename: The name of the file that will be downloaded to the router.
The default is 2,400 seconds (40 minutes).
TFTP_CHECKSUM=setting: Whether or not the router performs a checksum test on the downloaded image: 1—Checksum test is performed. 0—No checksum test is performed.
Step 3 output:
Do you wish to continue? y/n: [n]:y
The router will begin to download the new file. Pressing Ctrl-C or Break stops the transfer before the Flash memory is erased.
Configuration Register The virtual configuration register is in NVRAM and has the same functionality as other Cisco routers. You can view or modify the virtual configuration register from either the ROM monitor or the operating system software. To change the virtual configuration register from the ROM monitor, enter confreg by itself for menu mode, or enter the new value of the register in hexadecimal.
If you want to download a software image or a configuration file to the router over the console port, you must use the ROM monitor command.
Note: If you are using a PC to download a Cisco IOS image over the router console port at 115,200 bps, ensure that the PC serial port is using a 16550 universal asynchronous receiver/transmitter (UART).
The name of the system image file or the system configuration file. In order for the router to recognize it, the name of the configuration file must be router_confg.
Debug Commands Most ROM monitor debugging commands are functional only when Cisco IOS software has crashed or is halted. If you enter a debugging command and Cisco IOS crash information is not available, you see the following error message: "xxx: kernel context state is invalid, can not proceed."...
(NVRAM). For example:
rommon 3> meminfo
Main memory size: 64 MB.
Available main memory starts at 0x10000, size 65472KB
IO (packet) memory size: 25 percent of main memory.
NVRAM size: 32KB