This preface describes the objectives, audience, organization, and conventions of the software
configuration documentation for your router. It contains the following sections:
• Objectives, page 1
• Audience, page 1
• Conventions, page 1
• Obtaining Documentation, page 2
• Documentation Feedback, page 3
• Obtaining Technical Assistance, page 3
• Obtaining Additional Publications and Information, page 5
Objectives
These documents explain how to configure and maintain your Cisco router.
Audience
These documents are designed for the person installing, configuring, and maintaining the Cisco router,
who should be familiar with networking technology and terminology.
Conventions
These documents use the conventions listed in Table 1 to convey instructions and information.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Table 1 Conventions

Convention              Description
boldface font           Commands and keywords.
italic font             Variables for which you supply values.
[ ]                     Optional keywords or arguments appear in square brackets.
{x | y | z}             A choice of required keywords appears in braces separated by vertical bars. You must select one.
screen font             Examples of information displayed on the screen.
boldface screen font    Examples of information you must enter.
< >                     Nonprinting characters, for example passwords, appear in angle brackets in contexts where italics are not available.
[ ]                     Default responses to system prompts appear in square brackets.

Note       Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Timesaver  Means the described action saves time. You can save time by performing the action described in the paragraph.
Tip        Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Caution    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/cisco/web/support/index.html
Ordering Documentation
For information on obtaining documentation, see the monthly What’s New in Cisco Product
Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Ordering tool:
http://www.cisco.com/web/ordering/root/index.html
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in
North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
For your convenience a documentation feedback form is located at the bottom of every online document.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support
Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID
or model name; by tree view; or for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Obtaining Additional Publications and Information
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is
a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0711R)
Overview
Cisco 2800 series integrated service routers provide a range of models in which you can install a variety
of modules. The number and type of modules vary by platform. Examples of these modules include
WAN interface cards (WICs), voice interface cards (VICs), voice/WAN interface cards (VWICs),
high-speed WAN interface cards (HWICs), packet voice data modules (PVDMs), network modules
enhanced (NME), advanced integration modules (AIMs), and extension voice modules (EVMs).
These routers feature the following:
• The Cisco 2801 router supports two HWIC/WIC/VIC/VWIC slots, capable of supporting both
single-wide and double-wide HWICs, one WIC/VIC/VWIC slot, one VIC/VWIC (voice only) slot,
two Fast Ethernet connections, optional inline power output of up to 120 Watts, and two advanced
integration module (AIM) slots.
• The Cisco 2811 router, in addition to the features in the Cisco 2801, supports one single-wide
network module enhanced (NME), four single-width or two double-wide HWICs, and optional
inline power output of up to 160 Watts.
• In Cisco 2821 routers, in addition to the features in the Cisco 2811, the network module slot adds
support for a single-wide network module enhanced extended (NME-X), and an additional slot
supports an extension voice module (EVM). Three PVDMs are supported, the LAN ports support
Gigabit Ethernet, and optional inline power output of up to 240 Watts is provided.
• In Cisco 2851 routers, in addition to the features in the Cisco 2821, the network module slot adds
support for network module double-wide (NMDs) and network module enhanced extended
double-wide (NME-XDs), and optional inline power output of up to 360 Watts is provided.
Note The interface numbering and asynchronous line numbering on Cisco 2800 series routers are different
from the numbering schemes used on other Cisco modular routers. For details, see the hardware
installation documentation for your router.
Note Besides the setup facility and the IOS command-line interface, a third way of configuring Cisco routers
is through the Cisco Router and Security Device Manager (SDM). Additional information about SDM features
is available at this URL: http://www.cisco.com/go/sdm
Note You must have an account on Cisco.com to access many of the available tools. If you do not have an
account or have forgotten your username or password, click Cancel at the login dialog box and follow
the instructions.
Contents
Following is a list of the main topics covered in the remainder of this overview:
• Performing Initial Configuration, page 3
• Using the Cisco IOS Startup Sequence, page 8
Performing Initial Configuration
Initial Configuration Using the Cisco Router and Security Device Manager
Note We recommend that you use the Cisco Router and Security Device Manager to configure your router.
Built-in verification systems and sanity checks help to ensure both correct configurations and robust
security practices.
The Cisco Router and Security Device Manager (SDM) is an easy-to-use device management tool that
allows you to configure Cisco IOS security features and network connections through an intuitive
web-based graphical user interface. You can use SDM wizards to:
• Configure additional LAN and WAN connections
• Create firewalls
• Configure Virtual Private Network (VPN) connections
• Perform security audits
SDM also provides an advanced mode, through which you can configure advanced features, such as
Firewall Policy, Network Address Translation (NAT), VPNs, routing protocols, and other options.
You should consult the SDM release notes to determine if SDM is supported for the router on which you
want to install it.
If the following messages appear at the end of the startup sequence, Cisco Router and Security Device
Manager (SDM) is installed on your router:
yourname con0 is now available
Tip If these messages do not appear, SDM was not shipped with your router. If you want to use SDM, you
can download the latest version of SDM and instructions for installing it on your router from the
following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm
To obtain the SDM quick start guide, SDM release notes, and other SDM documentation, go to
http://www.cisco.com/go/sdm and click the Technical Documentation link.
For instructions on configuring your router by using SDM, refer to the Cisco Router and Security Device
Manager (SDM) Quick Start Guide that shipped with your router.
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
The setup command facility prompts you for basic information about your router and network, and it
creates an initial configuration file. After the configuration file is created, you can use the CLI or
Security Device Manager to perform additional configuration.
The prompts in the setup command facility vary, depending on your router model, the installed interface
modules, and the software image. The following example and the user entries (in bold) are shown as
examples only.
Note If you make a mistake while using the setup command facility, you can exit and run the setup command
facility again. Press Ctrl-C, and enter the setup command at the privileged EXEC mode prompt
(Router#).
Step 2 When the following messages appear, enter yes to enter basic management setup:
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Step 3 Enter a hostname for the router (this example uses Router):
Configuring global parameters:
Enter host name [Router]: Router
Step 4 Enter an enable secret password. This password is encrypted (more secure) and cannot be seen when
viewing the configuration:
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx
Step 5 Enter an enable password that is different from the enable secret password. This password is not
encrypted (less secure) and can be seen when viewing the configuration:
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx
Step 6 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports
other than the console port:
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx
Note The interface numbering that appears depends on the type of Cisco modular router platform and on the
installed interface modules and cards.
Any interface listed with OK? value "NO" does not have a valid configuration
Step 8 Select one of the available interfaces for connecting the router to the management network:
Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0
hostname Router
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
interface FastEthernet0/0
no shutdown
speed 100
duplex half
ip address 172.1.2.3 255.255.0.0
!
interface FastEthernet0/1
shutdown
no ip address
end
Step 11 Respond to the following prompts. Select [2] to save the initial configuration.
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Step 12 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for
verification procedures.
For more information, see the Basic Software Configuration Using the Setup Command Facility section,
available at this URL:
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_setup.html
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
If these messages do not appear, SDM and a default configuration file were installed on the router at the
factory. To use SDM to configure the router, see the “Initial Configuration Using the Cisco Router and
Security Device Manager” section on page 3.
Note Be sure to save your configuration changes occasionally so that they are not lost during resets, power
cycles, or power outages. Use the copy running-config startup-config command at the privileged
EXEC mode prompt (Router#) to save the configuration to NVRAM.
Step 1 To proceed with manual configuration using the CLI, enter no when the power-up messages end:
Would you like to enter the initial configuration dialog? [yes/no]: no
Step 2 Press Return to terminate autoinstall and continue with manual configuration:
Would you like to terminate autoinstall? [yes] Return
Step 5 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for
verification procedures.
For more information on using the CLI for router configuration, see the Basic Software Configuration
Using the Cisco IOS Command-Line Interface section, available at this URL:
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_cli.html
Using the Cisco IOS Startup Sequence
Note Because SDM uses a default configuration file, if you have used SDM to configure your router, it will
not execute the standard Cisco IOS startup sequence.
Using the Cisco IOS setup utility enables you to use TFTP or BOOTP configuration download, or use
other features available through the standard Cisco IOS startup sequence.
The configuration file shipped with your router does the following:
• Provides an IP address for your Fast Ethernet interface, enabling an interface to your LAN
• Enables your router’s HTTP/HTTPS server, allowing HTTP access from your LAN
• Creates a default username (cisco) and password (cisco) with privilege level 15
• Enables Telnet/SSH access to the router from your LAN
To erase the existing configuration and use the Cisco IOS startup sequence, perform the following steps.
Note SDM remains installed on the router. See the “Enabling SDM on a Router Configured to Use the IOS
Startup Sequence” section on page 9 for instructions to reenable it.
Step 1 Connect the light blue console cable, included with your router, from the blue console port on your router
to a serial port on your PC. Refer to the hardware installation guide that came with your router for
instructions.
Step 2 Connect the power supply to your router, plug the power supply into a power outlet, and turn on your
router. Refer to the quick start guide that came with your router for instructions.
Step 3 Use HyperTerminal or a similar terminal emulation program on your PC, with the terminal emulation
settings of 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to your router.
Step 4 At the prompt, enter the enable command. The default configuration file does not configure an enable
password:
yourname> enable
yourname#
The router begins executing the standard startup sequence. If you want to use SDM to perform
subsequent configurations for the router, you must reconfigure the router manually to support web-based
applications, and the Telnet and Secure Shell (SSH) protocols. You must also create a user account with
a privilege level of 15. See the “Enabling SDM on a Router Configured to Use the IOS Startup
Sequence” section on page 9 for information on doing this.
Configuring the Router to Support Web-Based Applications, a User with Priv 15, and Telnet/SSH
Step 1 Enable the HTTP/HTTPS server on the router, using the following Cisco IOS commands in the global
configuration mode:
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
If the router uses an IPSec IOS image, the HTTPS server is enabled. Otherwise only the HTTP server is
enabled.
Step 2 Create a user account with privilege level 15 (enable privileges, if necessary).
Router(config)#username <username> privilege 15 password 0 <password>
Replace <username> and <password> with the username and password of your choosing.
Step 3 Configure SSH and Telnet for local login and privilege level 15:
line vty 0 4
privilege level 15
login local
transport input telnet
transport input telnet ssh
Step 4 (Optional) Enable local logging to support the log monitoring function:
Router(config)#logging buffered 51200 warning
To use SDM on a router that has received a manual configuration, see the “Starting SDM on a Manually
Configured Router” section on page 10.
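The setup-facility output earlier in this overview and the SDM-enablement commands in Steps 1 through 3 above leave several management settings a defender would want to review: a reversible enable password alongside the enable secret, a username stored with password 0, the default snmp-server community public, HTTP as well as HTTPS, and Telnet as well as SSH on the vty lines. The following Python script is an added example and not Cisco's code: it audits a constructed running-config modelled on those steps and reports the hardened replacement for each weak line. The username admin and the indentation of the vty sub-commands are assumptions made for the example.

```python
"""Audit an IOS running-config for the weak management settings that the
setup command facility and the SDM-enablement steps on this page produce.
Added example, not Cisco code; findings and fixes follow the page's text."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: the setup-facility output shown on this page, plus the
# SDM-enablement lines (HTTP server, privilege-15 user, telnet/ssh on vty).
# The username "admin" and the indentation are assumptions for this example.
SAMPLE_CONFIG = """\
hostname Router
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
username admin privilege 15 password 0 xxxxxx
ip http server
ip http secure-server
ip http authentication local
snmp-server community public
!
no ip routing
!
line vty 0 4
 password xxxxxx
 privilege level 15
 login local
 transport input telnet ssh
!
end
"""


@dataclass(frozen=True)
class Finding:
    line: str    # offending config line, whitespace stripped
    issue: str   # why it matters
    fix: str     # hardened replacement to enter in configuration mode


def iter_lines(config: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (parent, line) pairs. IOS indents sub-commands under a parent
    such as 'line vty 0 4'; '!' and 'end' close the current parent."""
    parent: Optional[str] = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            parent = None
            continue
        if raw.startswith(" "):
            yield parent, stripped
        else:
            parent = stripped
            yield None, stripped


def audit(config: str) -> List[Finding]:
    """Return one Finding per weak line; an empty list means nothing flagged."""
    findings: List[Finding] = []
    for parent, line in iter_lines(config):
        if line.startswith("enable password "):
            findings.append(Finding(
                line, "enable password is stored as cleartext type 0 or reversible type 7; "
                      "the enable secret already protects privileged EXEC",
                "no enable password"))
        m = re.match(r"username (\S+)(.*?) password [07] \S+$", line)
        if m:
            findings.append(Finding(
                line, "user password stored as type 0/7 and readable in show running-config",
                f"username {m.group(1)}{m.group(2)} secret <new-password>"))
        if line == "snmp-server community public":
            findings.append(Finding(
                line, "well-known community string 'public' accepted from any source",
                "no snmp-server community public"))
        if line == "ip http server":
            findings.append(Finding(
                line, "cleartext HTTP management; SDM logins would cross the LAN unencrypted",
                "no ip http server  (keep ip http secure-server)"))
        if parent and parent.startswith("line vty"):
            if line.startswith("transport input ") and "telnet" in line.split():
                findings.append(Finding(
                    line, "telnet permitted on vty lines; sessions are unencrypted",
                    "transport input ssh"))
            if line.startswith("password "):
                findings.append(Finding(
                    line, "shared vty line password gives no per-user accountability",
                    "no password  (rely on login local with per-user secrets)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.line!r}: {f.issue}\n    fix: {f.fix}")
```

Feed the script the output of show running-config to check a router configured by the setup facility; a clean result is an empty list.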
Note By default, the DHCP server is turned off on the Cisco 28xx series routers.
SDM is a web-based application that must be run from a PC that is connected to the router over a LAN.
If the router is configured as a DHCP server, the PC must be configured to receive an IP address
automatically. If the router is not configured as a DHCP server, you must configure the PC with a static
IP address on the same subnet as the router interface to which you are connecting the PC. For example,
if the router has the IP address 172.16.30.1, and the subnet mask is 255.255.255.248, you must configure
the PC to use a network address in the range 172.16.30.2 through 172.16.30.6, and use the same subnet
mask as the router.
Step 1 Open a web browser on the PC, and enter the IP address for the router.
https://IP-address
The https://... specifies that the Secure Sockets Layer (SSL) protocol will be used for a secure
connection. You can use http://... if SSL is not available.
Step 2 Enter the username and password that you specified in Step 2 of “Configuring the Router to Support
Web-Based Applications, a User with Priv 15, and Telnet/SSH.”
To continue configuring your router, see the “Initial Configuration Using the Cisco Router and Security
Device Manager” section on page 3.
Basic Software Configuration Using the Setup Command Facility
You can configure your router by using the Cisco Router and Security Device Manager (SDM), the
Cisco IOS setup command facility, or the Cisco IOS command-line interface (CLI).
Note Wherever possible, we recommend that you use SDM to configure your router. For information on the
availability and use of SDM, see the quick start guide that shipped with your router.
The software configuration documentation describes how to perform configuration tasks by using the
CLI. However, this specific document describes how to perform basic configurations by using the
Cisco IOS setup command facility.
Contents
• Platforms Supported by This Document, page 1
• Information About the Setup Command Facility, page 2
• Using the Setup Command Facility to Perform Basic Configuration, page 2
• Examples of Using the Setup Command Facility to Configure Interface Parameters, page 5
• Completing the Configuration, page 25
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/ffcprt1/fcf002.htm
Note The messages that will be displayed will vary, depending on your router model, the installed interface
modules, and the software image. The following example and the user entries (in bold) are shown as
examples only.
Note If you make a mistake while using the setup command facility, you can exit and run the setup command
facility again. Press Ctrl-C, and enter the setup command in privileged EXEC mode (Router#).
Step 1 Enter the setup command facility by using one of the following methods:
• From the Cisco IOS CLI, enter the setup command in privileged EXEC mode:
Router> enable
Password: <password>
Router# setup
• If your router reloads and does not already have a configuration file, you are prompted to enter the
setup command facility:
Would you like to enter the initial configuration dialog? [yes/no]:
Step 3 When the following messages appear, enter yes to enter basic management setup:
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Step 4 Enter a hostname for the router (this example uses myrouter):
Configuring global parameters:
Enter host name [Router]: myrouter
Step 5 Enter an enable secret password. This password is encrypted (for more security) and cannot be seen
when viewing the configuration.
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx
Step 6 Enter an enable password that is different from the enable secret password. This password is not
encrypted (and is less secure) and can be seen when viewing the configuration.
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx
Step 7 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports
other than the console port:
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx
Note The interface numbering that appears is dependent on the type of Cisco modular router platform
and on the installed interface modules and cards.
Any interface listed with OK? value "NO" does not have a valid configuration
Step 9 Select one of the available interfaces for connecting the router to the management network:
Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0
hostname myrouter
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
interface FastEthernet0/0
no shutdown
media-type 100BaseX
half-duplex
ip address 172.1.2.3 255.255.0.0
!
interface FastEthernet0/1
shutdown
no ip address
!
end
Step 11 Respond to the following prompts. Select [2] to save the initial configuration:
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
After you complete the initial configuration tasks, you can start configuring your Cisco router for
specific functions.
Note The messages that will be displayed will vary, depending on your router model, the installed interface
modules, and the software image. The following example and the user entries (in bold) are shown as
examples only.
Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and
FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than
5 Mbps in each direction), the interface will experience excessive collisions and reset once per second.
To avoid this problem, traffic must be limited to less than 100% of capacity.
Note The Gigabit Ethernet interface is not supported on Cisco 1841, Cisco 2801, or Cisco 2811 routers.
Note On Cisco 3800 series routers, the port gig 0/0 supports both the small form-factor pluggable Gigabit
Ethernet Interface Converter (SFP GBIC) and RJ-45 media types. The port gig 0/1 supports only RJ-45.
To select between SFP or RJ-45 for port gig 0/0, use the media-type command. More details follow in
the “Selecting the Port for the Gigabit Ethernet Interface” section on page 6.
The following are two examples of configurations for the Gigabit Ethernet (GE) interface. The first
example shows a sample configuration for RJ-45 mode, applicable to either port gig 0/0 or port gig 0/1:
interface GigabitEthernet0/0
ip address 1.3.153.13 255.0.0.0
duplex auto
speed auto
media-type RJ-45
SFP mode (on Cisco 3800 series routers only) is available only on port gig 0/0:
interface GigabitEthernet0/0
ip address 1.3.153.13 255.0.0.0
duplex auto
speed auto
media-type sfp
Note The SFP port can only be set to 1000-Mbps or automatic speed. Duplex can be set to full-duplex or
automatic mode. Half-duplex communication is not supported.
The following is a typical show running-config command output for gig 0/0:
router# show run int gigabitEthernet 0/0
Building configuration...
Both the RJ-45 (copper) and SFP (fiber) modes of operation support flow control. This means that
during congestion conditions, pause frames are sent to the far end by the Media Access Control (MAC)
hardware. Also, the MAC hardware will react to the pause frames received. There is no way in current
MAC hardware to track the number of pause frames received or sent.
Flow control is on by default. Currently, there is no command to turn off the flow control capability
for any of the Gigabit Ethernet ports in either RJ-45 or SFP mode.
Typically, speed and/or duplex communications are configured manually using the speed and/or duplex
CLI commands.
Note For the SFP port, the speed settings can be set to 1000 Mbps or auto only, and duplex can be set to full
or auto only.
router(config-if)# duplex ?
If the speed is set to 1000 Mbps, the CLI duplex options change as follows:
router(config-if)# speed 1000
router(config-if)# duplex ?
Similarly, when duplex is set to half, the supported speeds are 10 Mbps, 100 Mbps, or “auto” as shown
here:
router(config-if)# speed ?
If the media type is SFP, the available speed and duplex settings are as follows:
router(config-if)# media-type sfp
router(config-if)# duplex ?
Note If the speed and duplex setting for g0/0 in SFP mode is speed=1000 and duplex=full,
autonegotiation is in forced mode and autonegotiation is turned off. For all other mode settings
of speed or duplex for SFP, autonegotiation is turned on.
If speed=1000 and duplex=full modes are specified for both g0/0 and g0/1 interfaces in copper
mode (RJ-45), autonegotiation is still turned on. This is considered to be in forced mode for
speed=1000. This occurrence is per the Annex 28D.5 extensions required for clause 40
(1000BASE-T) of IEEE 802.3.
When the speed and duplex modes are forced for 10/100, and full or half modes are forced for
g0/0 and g0/1 interfaces, autonegotiation is turned off. If the interfaces are not in forced mode
for 10/100 speeds, then autonegotiation will be turned on.
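The speed, duplex and media-type constraints in the Notes above (SFP only on gig 0/0, SFP limited to 1000/auto and full/auto, no 1000/half on copper) and the resulting autonegotiation state are easy to get wrong when reviewing a configuration by hand. The following Python code is an added example, not Cisco's: it reads GigabitEthernet interface stanzas in the form shown on this page, validates them against those rules, and reports whether the port ends up autonegotiating. Treating an unset speed, duplex or media-type as auto / RJ-45 is an assumption made for the example.

```python
"""Validate GigabitEthernet speed/duplex/media-type settings against the rules
stated on this page and derive the autonegotiation state. Added example,
not Cisco code; the rules are taken from the page's Notes only."""
from typing import Dict, List

# Constructed sample stanzas: the page's RJ-45 and SFP examples for gig 0/0,
# an SFP request on gig 0/1 (only RJ-45 is supported there), and a copper
# port forced to 100/half.
SAMPLE_STANZAS = """\
interface GigabitEthernet0/0
 ip address 1.3.153.13 255.0.0.0
 duplex auto
 speed auto
 media-type RJ-45
!
interface GigabitEthernet0/0
 ip address 1.3.153.13 255.0.0.0
 duplex full
 speed 1000
 media-type sfp
!
interface GigabitEthernet0/1
 media-type sfp
!
interface GigabitEthernet0/1
 speed 100
 duplex half
 media-type RJ-45
!
"""


def parse_gig_stanzas(config: str) -> List[Dict[str, str]]:
    """Collect each 'interface GigabitEthernet' block into a dict of
    name/speed/duplex/media. Assumption: unset speed and duplex mean auto,
    unset media-type means RJ-45 (the page does not state the defaults)."""
    stanzas: List[Dict[str, str]] = []
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface GigabitEthernet"):
            current = {"name": line.split()[1], "speed": "auto",
                       "duplex": "auto", "media": "rj45"}
            stanzas.append(current)
        elif line in ("!", "end", ""):
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in ("speed", "duplex"):
                current[key] = value
            elif key == "media-type":
                current["media"] = value.lower().replace("-", "")  # RJ-45 -> rj45
    return stanzas


def evaluate(port: Dict[str, str]) -> Dict[str, object]:
    """Return {'valid': bool, 'autoneg': bool or None, 'reason': str}."""
    name, speed, duplex, media = port["name"], port["speed"], port["duplex"], port["media"]
    if media == "sfp":
        if name != "GigabitEthernet0/0":
            return {"valid": False, "autoneg": None,
                    "reason": f"{name}: SFP mode is available only on gig 0/0"}
        if speed not in ("1000", "auto") or duplex not in ("full", "auto"):
            return {"valid": False, "autoneg": None,
                    "reason": f"{name}: SFP allows speed 1000/auto and duplex full/auto only"}
        forced = speed == "1000" and duplex == "full"
        return {"valid": True, "autoneg": not forced,
                "reason": "SFP 1000/full is forced mode, autonegotiation off" if forced
                else "SFP with an auto setting autonegotiates"}
    # Copper (RJ-45) rules
    if duplex == "half" and speed == "1000":
        return {"valid": False, "autoneg": None,
                "reason": f"{name}: half duplex supports 10, 100 or auto only"}
    if speed == "1000" and duplex == "full":
        return {"valid": True, "autoneg": True,
                "reason": "copper 1000/full is forced mode but still autonegotiates (802.3 Annex 28D.5)"}
    forced_10_100 = speed in ("10", "100") and duplex in ("full", "half")
    return {"valid": True, "autoneg": not forced_10_100,
            "reason": "copper forced 10/100 with forced duplex turns autonegotiation off"
            if forced_10_100 else "copper port not fully forced for 10/100 autonegotiates"}


if __name__ == "__main__":
    for port in parse_gig_stanzas(SAMPLE_STANZAS):
        print(port["name"], evaluate(port))
```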
Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data
Link Control (HDLC) encapsulation, no further configuration is needed.
If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or
DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable
is DCE, you see the following prompt:
Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000
Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if
you specify none for the Local Management Interface (LMI) type. If you accept the default or specify
another LMI type, the DLCI number is provided by the specified protocol.
If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts
you for the IPX map:
Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
The following is a sample of configuration for Link Access Procedure, Balanced (LAPB) encapsulation,
selecting either DCE or DTE mode, with DTE as the default:
lapb circuit can be either in dce/dte mode.
Choose either from (dce/dte) [dte]:
X.25 Encapsulation
Do you want to map the remote machine’s x25 address to IP address? [yes]:
IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s x25 address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678
The following is an example of asynchronous transfer mode data exchange interface (ATM-DXI)
encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.1234.5678
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
Do you want to map the remote machine’s smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s smds address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678
Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data
Link Control (HDLC) encapsulation, no further configuration is needed.
If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or
DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable
is DCE, you see the following prompt:
Configure IP on this interface? [no]: yes
Configure IP unnumbered on this interface? [no]:
IP address for this interface: 192.0.0.0
Subnet mask for this interface [255.0.0.0]:
Class A network is 2.0.0.0, 0 subnet bits; mask is /8
Configure LAT on this interface? [no]:
Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if
you specify none for the Local Management Interface (LMI) type. If you accept the default or specify
another LMI type, the DLCI number is provided by the specified protocol.
If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts
you for the IPX map:
Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
LAPB Encapsulation
The following is an example of configuration for LAPB encapsulation, selecting either DCE or DTE
mode, with DTE as the default:
lapb circuit can be either in dce/dte mode.
Choose either from (dce/dte) [dte]:
X.25 Encapsulation
Do you want to map the remote machine’s x25 address to IP address? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s x25 address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678
ATM-DXI Encapsulation
The following is a sample configuration for asynchronous transfer mode, data exchange interface
(ATM-DXI) encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.1234.5678
SMDS Encapsulation
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
Do you want to map the remote machine’s smds address to IP address? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s smds address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678
Note The following sections describe the prompts for each encapsulation type. No further configuration is
needed for HDLC encapsulation.
Note The setup command facility prompts you for the service profile identifier (SPID) number only if you
specify basic-5ess, basic-ni1, or basic-dms100 for the switch type.
Do you want to map the remote machine's IP address in dialer map? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's IP address in dialer map? [yes]:
IPX address of the remote interface: 40.0060.34c6.90ed
Note If your router has at least one configured LAN interface, you can choose to use an unnumbered IP
address on the interface.
Note If your router does not have a configured LAN interface, you must use a numbered IP address.
Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP)
authentication process, is case sensitive and must exactly match the password for the remote router.
Note The setup command facility prompts you for the DLCI number only if you specify none for the LMI
type. If you accept the default or specify another LMI type, the DLCI number is provided by the
specified protocol.
Note If IPX is configured on the router, the setup command facility prompts you for the IPX map:
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation,
with DTE mode as the default:
lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:
ATM-DXI Encapsulation
The following is a sample configuration for asynchronous transfer mode data exchange interface
(ATM-DXI) encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
SMDS Encapsulation
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414
Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
X.25 Encapsulation
Note Although the LDN is an optional parameter in the command, you may need to enter it so that the router
can answer calls made to the second directory number.
Note Channelized E1/T1 ISDN PRI interfaces are not supported on Cisco 1841 routers.
The following is a sample configuration for a channelized E1/T1 ISDN PRI interface:
The following ISDN switch types are available:
[0] none............If you do not want to configure ISDN
[1] primary-4ess....AT&T 4ESS switch type for US and Canada
[2] primary-5ess....AT&T 5ESS switch type for US and Canada
[3] primary-dms100..Northern Telecom switch type for US and Canada
[4] primary-net5....European switch type for NET5
[5] primary-ni......National ISDN Switch type for the U.S
[6] primary-ntt.....Japan switch type
[7] primary-ts014...Australian switch type
Choose ISDN PRI Switch Type [2]:
E1 Channelized Mode
The following is a sample configuration for E1 channelized mode:
The following framing types are available:
no-crc4 | crc4
Enter the framing type [crc4]:
Note The following sections describe the prompts for each encapsulation type. No further configuration
is needed for HDLC encapsulation.
PPP Encapsulation
Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP)
authentication process, is case sensitive and must exactly match the password for the remote router.
Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if
you specify none for the LMI type. If you accept the default or specify another Local Management
Interface (LMI) type, the DLCI number is provided by the specified protocol.
If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts
you for the IPX map:
Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
LAPB Encapsulation
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:
lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:
ATM-DXI Encapsulation
The following is a sample configuration for asynchronous transfer mode data exchange interface
(ATM-DXI) encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
SMDS Encapsulation
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414
Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
X.25 Encapsulation
T1 Channelized Mode
The following is a sample configuration for T1 channelized mode:
The following framing types are available:
esf | sf
Enter the framing type [esf]:
Note The following sections describe the prompts for each encapsulation type. No further configuration is
needed for High-Level Data Link Control (HDLC) encapsulation.
PPP Encapsulation
Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP)
authentication process, is case sensitive and must exactly match the password for the remote router.
Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if
you specify none for the LMI type. If you accept the default or specify another Local Management
Interface (LMI) type, the DLCI number is provided by the specified protocol.
If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts
you for the IPX map:
Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
LAPB Encapsulation
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:
lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:
ATM-DXI Encapsulation
The following is a sample configuration for asynchronous transfer mode data exchange interface
(ATM-DXI) encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
SMDS Encapsulation
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414
Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
Switched Mode
The following is a sample configuration for a switched mode interface:
Do you want to configure Serial0/0/0 interface? [yes]:
Some encapsulations supported are
ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:
The following switched carrier types are to be set when in switched mode
(at&t, sprint or other)
Choose carrier (at&t/sprint/other) [other]:
Do you want to map the remote machine's ip address in dialer map? [yes]:
IP address for the remote interface : 1.0.0.2
Do you want to map the remote machine's ipx address in dialer map? [yes]:
IPX address for the remote interface : 40.0060.34c6.90ed
Note The setup command facility asks for only one telephone number for both IP and Internetwork Packet
Exchange (IPX) (if enabled).
Dedicated Mode
The following is a sample configuration for a dedicated mode interface:
Do you want to configure Serial0/0/0 interface? [yes]:
When in dds mode, the clock for sw56 module can either from line/internal.
Choose clock from (line/internal) [line]:
Note If the internal clock is selected, speed cannot be set to “auto.” Autosensing is allowed only when the
clock source is line.
When in dds mode, the clock for the sw56 module can either be line or internal.
Choose clock from (line/internal) [line]: internal
Warning: internal can be chosen only when connected back-to-back.
Step 1 A setup command facility prompt asks if you want to save this configuration.
If you answer no, the configuration information you entered is not saved, and you return to the router
enable prompt (Router#). Enter setup to return to the System Configuration Dialog.
If you answer yes, the configuration is saved, and you are returned to the user EXEC prompt
(Router>).
Use this configuration? {yes/no} : yes
Building configuration...
Use the enabled mode 'configure' command to modify this configuration.
Step 2 When the messages stop appearing on your screen, press Return to get the Router> prompt.
Note If you see the next message, it means that no other AppleTalk routers were found on the network
attached to the port.
Step 3 The Router> prompt indicates that you are now at the command-line interface (CLI) and you have just
completed a basic router configuration. Nevertheless, this is not a complete configuration. At this point,
you have two choices:
• Run the setup command facility again, and create another configuration.
Router> enable
Password: password
Router# setup
• Modify the existing configuration or configure additional features by using the CLI:
Router> enable
Password: password
Router# configure terminal
Router(config)#
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is
a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0711R)
This document describes how to use the Cisco IOS command-line interface (CLI) to perform a basic
software configuration for your router.
Contents
• Platforms Supported by This Document, page 1
• Prerequisites for Basic Software Configuration Using the Cisco IOS CLI, page 2
• Restrictions for Basic Software Configuration Using the Cisco IOS CLI, page 2
• How to Perform a Basic Software Configuration Using the Cisco IOS CLI, page 2
• Where to Go Next, page 19
• Additional References, page 19
Timesaver Before powering up the router, disconnect all WAN cables from the router to keep it from trying to run
the AutoInstall process. The router may try to run AutoInstall if you power it on while there is a WAN
connection on both ends and the router does not have a valid configuration file stored in NVRAM (for
instance, when you add a new interface). It can take several minutes for the router to determine that
AutoInstall is not connected to a remote TCP/IP host.
SUMMARY STEPS
1. enable
2. configure terminal
3. hostname name
4. Verify that the router prompt displays your new hostname.
5. end
DETAILED STEPS
Example:
Router# configure terminal
Step 3 hostname name
Specifies or modifies the hostname for the network server.
Example:
Router(config)# hostname myrouter
Step 4 Verify that the router prompt displays your new hostname.
Example:
myrouter(config)#
Step 5 end
(Optional) Returns to privileged EXEC mode.
Example:
myrouter# end
What to Do Next
Proceed to the “Configuring the Enable and Enable Secret Passwords” section on page 4.
Restrictions
If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.
SUMMARY STEPS
1. enable
2. configure terminal
3. enable password password
4. enable secret password
5. end
6. enable
7. end
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# end
Step 6 enable
Enables privileged EXEC mode.
• Verify that your new enable or enable secret password works.
Example:
Router> enable
Step 7 end (Optional) Returns to privileged EXEC mode.
Example:
Router(config)# end
Troubleshooting Tips
If you forget the password that you configured, or if you cannot access privileged EXEC (enable) mode,
see the Password Recovery Procedures for your router, available at
http://www.cisco.com/warp/public/474.
What to Do Next
If you want to set the console interface privileged EXEC timeout to a value other than 10 minutes (the
default), proceed to the “Configuring the Console Idle Privileged EXEC Timeout” section on page 5.
If you do not wish to change the privileged EXEC timeout, proceed to the “Specifying a Default Route
or Gateway of Last Resort” section on page 9.
SUMMARY STEPS
1. enable
2. configure terminal
3. line console 0
4. exec-timeout minutes [seconds]
5. end
6. show running-config
7. exit
Note A new or changed exec-timeout value takes effect only after you exit EXEC mode and log in
again.
DETAILED STEPS
Example:
Router# configure terminal
Step 3 line console 0
Configures the console line and starts the line configuration command collection mode.
Example:
Router(config)# line console 0
Step 4 exec-timeout minutes [seconds]
Sets the idle privileged EXEC timeout, which is the interval that the privileged EXEC command
interpreter waits until user input is detected.
• The example shows how to specify no timeout.
Example:
Router(config-line)# exec-timeout 0 0
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-line)# end
Examples
The following example shows how to set the console idle privileged EXEC timeout to 2 minutes 30
seconds:
line console 0
exec-timeout 2 30
The following example shows how to set the console idle privileged EXEC timeout to 10 seconds:
line console 0
exec-timeout 0 10
What to Do Next
Proceed to the “Configuring Fast Ethernet and Gigabit Ethernet Interfaces” section on page 7.
Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and
FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5
Mbps in each direction), the interface will experience excessive collisions and reset once per second. To
avoid this problem, traffic must be limited to less than 100% of capacity.
SUMMARY STEPS
1. enable
2. show ip interface brief
3. configure terminal
4. interface {fastethernet | gigabitethernet} 0/port
5. description string
6. ip address ip-address mask
7. no shutdown
8. end
9. show ip interface brief
DETAILED STEPS
Example:
Router# configure terminal
Step 4 interface {fastethernet | gigabitethernet} 0/port
Specifies the Ethernet interface and enters interface configuration mode.
Note For information on interface numbering, see the quick start guide that shipped with your router.
Example:
Router(config)# interface fastethernet 0/1
Example:
Router(config)# interface gigabitethernet 0/0
Step 5 description string
(Optional) Adds a description to an interface configuration.
• The description helps you remember what is attached to this interface. The description can be
useful for troubleshooting.
Example:
Router(config-if)# description FE int to 2nd floor south wing
Step 6 ip address ip-address mask
Sets a primary IP address for an interface.
Example:
Router(config-if)# ip address 172.16.74.3 255.255.255.0
Step 7 no shutdown Enables an interface.
Example:
Router(config-if)# no shutdown
Example:
Router(config)# end
Step 9 show ip interface brief
Displays a brief status of the interfaces that are configured for IP.
• Verify that the Ethernet interfaces are up and configured correctly.
Example:
Router# show ip interface brief
Examples
Configuring the Fast Ethernet Interface: Example
!
interface FastEthernet0/0
description FE int to HR group
ip address 172.16.3.3 255.255.255.0
duplex auto
speed auto
no shutdown
!
What to Do Next
Proceed to the “Specifying a Default Route or Gateway of Last Resort” section on page 9.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip routing
4. ip route dest-prefix mask next-hop-ip-address [admin-distance] [permanent]
5. ip default-network network-number
or
ip route dest-prefix mask next-hop-ip-address
6. end
7. show ip route
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip routing Enables IP routing.
Example:
Router(config)# ip routing
Step 4 ip route dest-prefix mask next-hop-ip-address [admin-distance] [permanent]
Establishes a static route.
Example:
Router(config)# ip route 192.168.24.0 255.255.255.0 172.28.99.2
Step 5 ip default-network network-number
or
ip route dest-prefix mask next-hop-ip-address
Selects a network as a candidate route for computing the gateway of last resort, or creates a static
route to network 0.0.0.0 0.0.0.0 for computing the gateway of last resort.
Example:
Router(config)# ip default-network 192.168.24.0
Example:
Router(config)# ip route 0.0.0.0 0.0.0.0 172.28.99.1
Example:
Router(config)# end
Step 7 show ip route Displays the current routing table information.
• Verify that the gateway of last resort is set.
Example:
Router# show ip route
Examples
Specifying a Default Route: Example
!
ip routing
!
ip route 192.168.24.0 255.255.255.0 172.28.99.2
!
ip default-network 192.168.24.0
!
What to Do Next
Proceed to the “Configuring Virtual Terminal Lines for Remote Console Access” section on page 12.
SUMMARY STEPS
1. enable
2. configure terminal
3. line vty line-number [ending-line-number]
4. password password
5. login
6. end
7. show running-config
8. From another network device, attempt to open a Telnet session to the router.
DETAILED STEPS
Example:
Router# configure terminal
Step 3 line vty line-number [ending-line-number]
Starts the line configuration command collection mode for the virtual terminal lines (vty) for remote
console access.
• Make sure that you configure all vty lines on your router.
Note To verify the number of vty lines on your router, use the line vty ? command.
Example:
Router(config)# line vty 0 4
Step 4 password password Specifies a password on a line.
Example:
Router(config-line)# password guessagain
Step 5 login Enables password checking at login.
Example:
Router(config-line)# login
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-line)# end
Example:
Router# 172.16.74.3
Password:
Examples
The following example shows how to configure virtual terminal lines with a password:
!
line vty 0 4
password guessagain
login
!
What to Do Next
After you configure the vty lines, follow these steps:
• (Optional) To encrypt the virtual terminal line password, see the “Configuring Passwords and
Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Cisco IOS
Password Encryption Facts tech note.
• (Optional) To secure the VTY lines with an access list, see “Part 3: Traffic Filtering and Firewalls”
in the Cisco IOS Security Configuration Guide.
• To continue with the basic software configuration for your router, proceed to the “Configuring the
Auxiliary Line” section on page 14.
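The enable secret, console exec-timeout, and vty password/login settings configured in the preceding sections are easy to audit from a saved running-config. The following checker is an added example written for this page, not Cisco code; the two configurations it reads are constructed from the guide's own examples (with placeholder secrets), and the finding text is the author's own.

```python
"""Audit a Cisco IOS running-config for the basic settings this guide walks through:
enable secret vs. enable password, console/vty exec-timeout, and vty login/password.
Added example for this page, not Cisco's code; the configs below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample: the guide's own examples pasted together, with the weak
# choices it warns about (enable password only, 'exec-timeout 0 0' = no timeout).
WEAK_CONFIG = """\
hostname myrouter
enable password cisco
!
line console 0
 exec-timeout 0 0
!
line vty 0 4
 password guessagain
 login
!
"""

# Constructed hardened counterpart (placeholder secrets, not real credentials).
HARDENED_CONFIG = """\
service password-encryption
enable secret <secret-placeholder>
!
line console 0
 exec-timeout 2 30
!
line vty 0 4
 password <vty-password-placeholder>
 login
!
"""


@dataclass
class LineBlock:
    name: str                       # e.g. "console 0" or "vty 0 4"
    commands: list = field(default_factory=list)


def parse_line_blocks(config: str) -> list:
    """Collect the indented sub-commands under each top-level 'line ...' stanza."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = LineBlock(raw[5:].strip())
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        elif not raw.startswith(" "):
            current = None          # any other top-level command ends the stanza
    return blocks


def timeout_seconds(commands: list):
    """Idle exec-timeout in seconds, or None when the 10-minute default is in force."""
    for cmd in commands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return None


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    has_secret = any(l.startswith("enable secret ") for l in top)
    has_plain = any(l.startswith("enable password ") for l in top)
    if not has_secret:
        weaker = "the weaker 'enable password'" if has_plain else "no password at all"
        findings.append(f"no 'enable secret' configured; privileged EXEC relies on {weaker}")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off; line passwords are stored in clear text")
    for blk in parse_line_blocks(config):
        if timeout_seconds(blk.commands) == 0:
            findings.append(f"line {blk.name}: 'exec-timeout 0 0' disables the idle timeout")
        if blk.name.startswith("vty"):
            login_cmds = [c for c in blk.commands if c == "login" or c.startswith("login ")]
            has_pw = any(c.startswith("password ") for c in blk.commands)
            if not login_cmds:
                findings.append(f"line {blk.name}: no 'login'; remote sessions are not authenticated")
            elif login_cmds == ["login"] and not has_pw:
                findings.append(f"line {blk.name}: 'login' is set but no 'password' is configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against the output of show running-config saved to a file; the weak sample yields three findings and the hardened one none.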
http://www.cisco.com/warp/public/471/mod-aux-exec.html
Configuring Dialout Using a Modem on the AUX Port, sample configuration
http://www.cisco.com/warp/public/471/mod-aux-dialout.html
Connecting a SLIP/PPP Device to a Router’s AUX Port, tech note
http://www.cisco.com/warp/public/701/6.html
Configuring AUX-to-AUX Port Async Backup with Dialer Watch, sample configuration
http://www.cisco.com/warp/public/471/aux-aux-watch.html
Modem-Router Connection Guide, tech note
http://www.cisco.com/warp/public/76/9.html
SUMMARY STEPS
1. enable
2. configure terminal
3. line aux 0
4. See the tech notes and sample configurations to configure the line for your particular
implementation of the AUX port.
DETAILED STEPS
Example:
Router# configure terminal
Step 3 line aux 0
Starts the line configuration command collection mode for the auxiliary line.
Example:
Router(config)# line aux 0
Step 4 See the tech notes and sample configurations to configure the line for your particular
implementation of the AUX port.
What to Do Next
Proceed to the “Verifying Network Connectivity” section on page 15.
Prerequisites
• Complete all previous configuration tasks in this document.
• The router must be connected to a properly configured network host.
SUMMARY STEPS
1. enable
2. ping [ip-address | hostname]
3. telnet {ip-address | hostname}
DETAILED STEPS
Examples
The following display shows sample output for the ping command when you ping the IP address
192.168.7.27:
Router# ping
Protocol [ip]:
Target IP address: 192.168.7.27
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/2/4 ms
The following display shows sample output for the ping command when you ping the IP hostname
donald:
Router# ping donald
What to Do Next
Proceed to the “Saving Your Router Configuration” section on page 17.
SUMMARY STEPS
1. enable
2. copy running-config startup-config
DETAILED STEPS
What to Do Next
Proceed to the “Saving Backup Copies of Your Configuration and System Image” section on page 17.
SUMMARY STEPS
1. enable
2. copy nvram:startup-config {ftp: | rcp: | tftp:}
3. show flash:
4. copy flash: {ftp: | rcp: | tftp:}
DETAILED STEPS
Examples
Copying the Startup Configuration to a TFTP Server: Example
The following example shows the startup configuration being copied to a TFTP server:
Router# copy nvram:startup-config tftp:
Where to Go Next
• When you complete the basic software configuration, consider implementing routing protocols or
access lists and other security-improving methods to protect your router. See the documents listed
in the “Related Documents—Additional Configuration” section on page 20.
• To configure features on your router, see Finding Feature Documentation.
Additional References
The following sections provide references related to basic software configuration using the
Cisco IOS CLI.
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Contents
• Introduction, page 1
• Before You Begin, page 2
• Configure, page 3
• Verify, page 6
• Troubleshoot, page 10
• Related Information, page 11
Introduction
This document provides a sample configuration for securing a branch router by implementing the
following features:
• Context-Based Access Control (CBAC)—CBAC creates temporary openings in access lists at
firewall interfaces. These openings are created when specified traffic exits your internal network
through the firewall. The openings allow returning traffic (that would normally be blocked) and
additional data channels to enter your internal network back through the firewall. The traffic is
allowed back through the firewall only if the traffic is part of the same session as the original traffic
that triggered CBAC when exiting through the firewall.
• Cisco IOS Intrusion Prevention System (IPS)—The Cisco IOS IPS feature restructures the
existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the
default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto
the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS)
signatures, providing customers with the latest available detection of security threats.
• Cisco IOS Firewall Authentication Proxy—Authentication proxy provides dynamic, per-user
authentication and authorization, authenticating users against industry standard TACACS+ and
RADIUS authentication protocols. Per-user authentication and authorization of connections provide
more robust protection against network attacks.
• Firewall Websense URL Filtering—The Firewall Websense URL Filtering feature enables your
Cisco IOS firewall (also known as Cisco Secure Integrated Software) to interact with the Websense
URL filtering software, thereby allowing you to prevent users from accessing specified websites on
the basis of some policy. The Cisco IOS firewall works with the Websense server to know whether
a particular URL should be allowed or denied (blocked).
Conventions
For more information on document conventions, see Conventions Used in Cisco Technical Tips.
Components Used
The information in this document is based on the software and hardware versions below.
• Cisco 2801 router
• Cisco IOS Release 12.3(8)T4
• Advanced IP Services feature set
Note The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make
sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the following hardware:
• Cisco 1800 series integrated services router (modular)
• Cisco 2800 series integrated services router
• Cisco 3800 series integrated services router
A similar configuration can also be used with a Cisco 3800 series integrated services router that is
equipped with a Cisco Content Engine network module (NM-CE-BP), which has an embedded Websense
URL filtering server (UFS).
OL-6329-01
Secured Branch Router Configuration Example
Configure
In this section, you are presented with the information to configure the features described in this
document.
Tip To find additional information on the commands used in this document, use the Command Lookup Tool.
You must have an account on Cisco.com. If you do not have an account or have forgotten your username
or password, click Cancel at the login dialog box and follow the instructions that appear.
Network Diagram
This document uses the network setup shown in the diagram below.
Figure: The branch office PC (192.168.1.118/24) and the Websense URL Filtering Server (UFS, 192.168.1.116/24)
connect to FE 0/0 (192.168.1.2/24) of the secured branch router; the Cisco Secure Authentication Control
Server (ACS, 192.168.101.119/24) connects to FE 0/1 (192.168.101.2/24).
Not shown in the diagram is an HTTP server with IP address 192.168.102.119/24. The HTTP server may
be located anywhere in the network. In this case, it is on the Fast Ethernet 0/1 side of the secured branch
router.
Configurations
This document uses the configuration shown below.
router# show running-config
Building configuration...
.
.
.
!---Enable the authentication, authorization, and accounting (AAA) access control model.
aaa new-model
!
!---Identify the Cisco Secure Authentication Control Server (ACS) as a member of an
!---AAA server group. In this example, the AAA server group is called “SJ.”
aaa group server tacacs+ SJ
server 192.168.101.119
!
!---Enable AAA authentication at login and specify the authentication methods to try.
!---Methods are tried in order; Cisco IOS moves to the next method only when the current
!---one returns an error (user name not in the local database, no ACS reachable), not
!---when it rejects the credentials. Because this list ends in “none,” a user who is absent
!---from the local database logs in without any authentication whenever the ACS is unreachable.
aaa authentication login default local group SJ none
!---Configure the firewall interface that connects to the branch office PCs
!---and the Firewall Websense UFS:
!---Apply access lists and inspection rules to control access to the interface.
!---In this example, access list 116 filters outbound packets, and
!---the inspection rule named “myfw” inspects inbound traffic (Context-Based Access Control).
!---Enable the authentication proxy rule for dynamic, per-user authentication
!---and authorization. See the previous “aaa authorization auth-proxy default group SJ”
!---and “ip auth-proxy name aprule http” command entries.
!---Apply the Cisco IPS rule to outbound traffic.
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip access-group 116 out
ip inspect myfw in
ip auth-proxy aprule
ip ips ids-policy out
.
.
.
!---Configure the interface that connects to the
!---Cisco Secure Authentication Control Server (Cisco Secure ACS).
!---Apply access lists to control access to the interface.
!---In this example, access list 111 is used to filter inbound packets.
interface FastEthernet0/1
ip address 192.168.101.2 255.255.255.0
ip access-group 111 in
.
.
.
ip classless
!---The following command establishes a static route to the HTTP server,
!---which in this example has an IP address of 192.168.102.119.
ip route 192.168.102.0 255.255.255.0 FastEthernet0/1
!
!---Enable the HTTP server on your system.
!---Also, specify that the authentication method used for AAA login service
!---should be used for authenticating HTTP server users.
!---With the secure server disabled, the authentication proxy login page and the
!---credentials users submit to it travel over clear-text HTTP.
ip http server
ip http authentication aaa
no ip http secure-server
!
!---Configure the access list for the interface that connects to the
!---Cisco Secure ACS.
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
!---Configure the access list for the firewall interface that connects to the
!---branch office PCs and the Websense URL Filtering Server (UFS).
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
!
!
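The method list aaa authentication login default local group SJ none in the configuration above decides who may log in to the router. The following Python model is an added illustration, not part of the Cisco document: it walks a method list the way Cisco IOS does, consulting the next method only when the current one returns an error (user name absent from the local database, no TACACS+ server reachable) and stopping on a rejection. The user names, passwords and server state are constructed test data; the hazard it shows is the trailing none method admitting an unknown user while the ACS is down.

```python
"""Model of how Cisco IOS walks an AAA login method list.

Added illustration (not from the Cisco document).  IOS moves to the next
method only when the current one returns ERROR (method unavailable, e.g.
user absent from the local database, TACACS+ server unreachable).  FAIL
(credentials rejected) stops the walk and denies the login.  The 'none'
method always passes, which is why 'local group SJ none' admits any user
when the local database has no such user and the ACS is down.
Users, passwords and server state below are constructed test data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted; login allowed
    FAIL = "fail"    # credentials rejected; login denied, no further methods
    ERROR = "error"  # method unavailable; try the next method


@dataclass
class Router:
    local_users: dict = field(default_factory=dict)   # username -> password
    # TACACS+ server groups: name -> (reachable?, {username: password})
    tacacs_groups: dict = field(default_factory=dict)

    def method_local(self, user, pw):
        if user not in self.local_users:
            return Result.ERROR          # unknown locally -> fall through
        return Result.PASS if self.local_users[user] == pw else Result.FAIL

    def method_group(self, name, user, pw):
        reachable, users = self.tacacs_groups[name]
        if not reachable:
            return Result.ERROR          # no server answered -> fall through
        return Result.PASS if users.get(user) == pw else Result.FAIL

    def method_none(self, user, pw):
        return Result.PASS               # no authentication at all

    def login(self, method_list, user, pw):
        """Evaluate e.g. ['local', 'group SJ', 'none'] the way IOS does.

        Returns (allowed, deciding_method).  If every method errors out,
        the login is denied ('no methods left')."""
        for method in method_list:
            if method == "local":
                r = self.method_local(user, pw)
            elif method.startswith("group "):
                r = self.method_group(method.split(" ", 1)[1], user, pw)
            elif method == "none":
                r = self.method_none(user, pw)
            else:
                raise ValueError(f"unsupported method {method!r}")
            if r is Result.PASS:
                return True, method
            if r is Result.FAIL:
                return False, method
            # Result.ERROR: continue with the next configured method
        return False, "no methods left"


def scenarios():
    """Run the page's 'local group SJ none' list against constructed cases."""
    acs_up = Router(local_users={"admin": "s3cret"},
                    tacacs_groups={"SJ": (True, {"alice": "pw1"})})
    acs_down = Router(local_users={"admin": "s3cret"},
                      tacacs_groups={"SJ": (False, {})})
    with_none = ["local", "group SJ", "none"]
    without_none = ["local", "group SJ"]
    return {
        "local ok": acs_up.login(with_none, "admin", "s3cret"),
        "local bad pw": acs_up.login(with_none, "admin", "wrong"),
        "acs rejects": acs_up.login(with_none, "alice", "wrong"),
        "acs accepts": acs_up.login(with_none, "alice", "pw1"),
        "acs down, none": acs_down.login(with_none, "mallory", "anything"),
        "acs down, no none": acs_down.login(without_none, "mallory", "anything"),
    }


if __name__ == "__main__":
    for name, (allowed, by) in scenarios().items():
        print(f"{name:20s} allowed={allowed!s:5s} decided by {by}")
```

The last two scenarios are the ones to compare: with the list as written on this page, an unknown user is admitted by none as soon as the ACS stops answering; without the trailing none, the same situation denies the login, which is the usual reason operators add a local account rather than none as the last resort.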
Verify
This section provides information you can use to confirm your configuration is working properly:
• Commands for Verifying Firewall Websense URL Filtering, page 6
• Commands for Verifying Cisco IOS Firewall Authentication Proxy, page 7
• Commands for Verifying Context-Based Access Control, page 7
• Commands for Verifying Cisco IOS Intrusion Prevention System, page 8
Tip Certain show commands are supported by the Output Interpreter Tool, which allows you to view an
analysis of show command output. You must have an account on Cisco.com. If you do not have an
account or have forgotten your username or password, click Cancel at the login dialog box and follow
the instructions that appear.
• show ip urlfilter config—Displays the configured vendor servers, including the size of the cache,
the maximum number of outstanding requests, and the allow mode state.
Router# show ip urlfilter config
Websense URL Filtering is ENABLED
• show ip urlfilter statistics—Displays URL filtering statistics, such as the number of requests that
are sent to the Websense server, the number of responses received from the Websense server, the
number of pending requests in the system, the number of failed requests, and the number of blocked
URLs.
Router# show ip urlfilter statistics
Commands for Verifying Cisco IOS Firewall Authentication Proxy
Router# show ip auth-proxy configuration
Authentication global cache time is 120 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
See the following documents:
• Troubleshooting CBAC Configurations, tech note
• Troubleshooting Authentication Proxy, tech note
Troubleshooting Commands
Note Before issuing debug commands, please see Important Information on Debug Commands.
Related Information
• Cisco IOS Security Configuration Guide, Release 12.3:
– “Configuring Context-Based Access Control” chapter
– “Configuring Authentication Proxy” chapter
• Cisco IOS Intrusion Prevention System (IPS), Cisco IOS Release 12.3(8)T feature module
• Firewall Websense URL Filtering, Cisco IOS Releases 12.2(11)YU and 12.2(15)T feature module
• Troubleshooting CBAC Configurations, tech note
• Troubleshooting Authentication Proxy, tech note
• Technical Support—Cisco Systems
IP Communication Solution for Group
Applications Configuration Example
Contents
• Introduction, page 1
• Prerequisites, page 2
• Configure, page 4
• Verify, page 19
• Troubleshoot, page 42
• Related Information, page 43
Introduction
This document provides a configuration example in which:
• A small branch office uses both analog and IP phones. The small branch office implementation
addressed in this document requires IP Telephony services and may also use other full-service
branch (FSB) features of Cisco access routers. These features include Cisco Content Engines (CEs),
Voice over IP (VoIP) services and integration with back-end VoIP call control devices. The small
branch office requires a robust and integrated voice-mail solution. The integrated services routers
also support various options for WAN uplink and integrated LAN switching modules.
• Land Mobile Radio (LMR) is used by an enterprise for several reasons which include loss
prevention (premise safety and security) and Push–to–Talk (PTT) communication for mobile
workers within range of the radio system. LMR base stations can be connected to an E&M port for
integration with an IP network and can be accessed via VoIP. The LMR feature also allows
connecting walkie-talkies to the radios using multicast.
• Multicast is dial-plan enabled so that IP phones and public switched telephone network (PSTN)
phones can dial in to the LMR by using E.164 numbers. Traditionally, the E&M ports were used to
connect to PSTN or Hoot-and-Holler networks. The E&M ports connected to the LMR can be
multicast–to–VoIP enabled. This configuration permits desktop clients and IP-Phone clients on the
LAN that are using XML services to directly connect to the radio via the multicast features on Cisco
IOS. The LMR can be integrated with the E&M port on the gateway; the commands on the gateway
support this router-to-radio adaptation.
• This document provides a workaround method that bridges the multicast VoIP to unicast VoIP using
a physical T1 loopback. This is not an essential configuration. It is documented to demonstrate how
you can integrate multicast VoIP audio into standards-based VoIP call-control schemes such as
Skinny, H.323, or SIP. IP–to–IP gateway is the preferred and recommended option to use for
bridging between standards-based VoIP protocols. The VoIP-to-multicast bridge using a physical
loopback can also be used for local multi-party conferencing via Cisco CallManager Express (Cisco
CME) phones or PSTN phones.
• Onboard DSPs are used for the voice modules in the WAN interface card (WIC) slots.
• Cisco CallManager seamlessly connects to Cisco CME over an H.323 trunk defined on the Cisco
CallManager [Release 3.3 (3) or later].
• Cisco CME (Release 3.2) manages the local phone network. Cisco CME and Cisco Unity Express
enable users to use a gateway as though it were a PBX coupled to a voice-mail system.
• Cisco Unity Express (with Cisco Service Engine 1.1) on the NM-CUE provides voice-mail and
auto-attendant services.
• Cisco CME seamlessly integrates with the Cisco CallManager at the headquarters site and supports
all supplementary services.
• Content Engine (CE) modules support web caching, video–on–demand and live-splitting
applications.
• Cisco Application and Content Networking System (ACNS) software on the CE (ce2636-sw-5.1.3) saves WAN
bandwidth by web-caching and by splitting streaming video over unicast and multicast.
Prerequisites
Prerequisites included in this section:
• Requirements, page 2
• Components Used, page 2
• Related Products, page 3
• Conventions, page 3
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on a Cisco 3845 router with the following hardware:
• 16 FastEthernet interfaces (NM-ESW-16)
• 1 serial interface
• 3 terminal lines
OL-6574-01
Related Products
This configuration can also be used with any Cisco 2800 and Cisco 3800 series routers.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this
document.
Note To find additional information on the commands used in this document, use the Cisco IOS Command
Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten
your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Configuration Tips
• The gigabit port on the router does not provide inline power.
• Routing should be enabled and assumed to be configured.
• The external flash card on the integrated services routers holds the router image, VLAN database,
graphical user interface (GUI) files for Cisco CME and Cisco Unity Express. It should not be
removed during the normal operation of the router.
• The LMR integration to the router might require radio frequency (RF)/radio skills (typically a
non-IP and proprietary implementation). The radio–to–router physical cable might not be available
off–the–shelf.
Network Diagram
This document uses the network setup shown in the following diagram.
Configurations
This example presents configuration for the Cisco 3845 router.
no network-clock-participate aim 1
aaa new-model
!
!
aaa group server tacacs+ admin
server 192.x or 10.x
server 192.x or 10.x
!
aaa group server radius vpn
server 192.x or 10.x auth-port 1645 acct-port 1646
!
!---Named AAA authentication method lists. The list “WEB” consists of the method
!---“none” alone, so any service that references it performs no authentication.
!
aaa authentication login admin group tacacs+ enable
aaa authentication login remote group vpn
aaa authentication login NOTACACS line
aaa authentication login LOCAL local
aaa authentication login WEB none
aaa authentication ppp LOCAL local
aaa authentication dot1x default group vpn
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip cef
!
!
!---Configure a DHCP address pool for each IP phone:
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool NONAT
network 10.1.153.0 255.255.255.248
default-router 10.1.153.1
dns-server 10.1.162.183 10.1.156.120
option 150 ip 10.1.152.9
domain-name cisco.com
!
ip dhcp pool NAT
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 10.1.162.183 10.1.156.120
option 150 ip 10.1.152.9
domain-name cisco.com
!
ip domain name cisco.com
ip name-server 10.1.162.183
ip name-server 10.1.156.120
ip multicast-routing
ip sap cache-timeout 30
!---SSH protocol version 1 has known weaknesses; use version 2 where the IOS image supports it.
ip ssh time-out 30
ip ssh version 1
ip ids po max-events 100
!---rsh and rcp trust the source host and user name only and carry no password;
!---they are enabled here for the lab setup and should remain disabled on a production router.
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
!
voice-card 0
no dspfarm
!
!
!
!---Configuration to enable “H.323 to H.323” and “H.323 to SIP” calls between Cisco
!---CallManager, Cisco CME, and Cisco Unity Express. The “allow-connections h323 to h323” and
!---“allow-connections h323 to sip” commands allow a simple gateway configuration without the
!---need for a loopback-dn for incoming calls from Cisco CallManager or for the call flow from
!---Cisco CallManager to SIP for voice mail.
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12 advertise-only
h323
!
!
!
!---Configuration to support LMR(Land Mobile Radio) integration through E&M port on the
!---router (similar to Hoot and Holler configuration)
!
voice class permanent 1
signal timing oos restart 50000
signal timing oos timeout disabled
signal keepalive disabled
signal sequence oos no-action
!
!
!---Two T1 ports connected back-to-back bridge VoIP calls to multicast audio. This
!---is required to enable dialing into multicast. Connecting the TDM T1 ports back-to-back
!---makes it possible to use an E.164 number as a conference ID, or to use the
!---multicast stream for an application such as Hoot and Holler.
!---
!---Cisco CME offers 3-party conference calling and is the recommended method for a
!---small branch office; the following T1 loopback cable is not required for configuring
!---the conferencing features.
!---
!---Cisco IOS supports audio mixing of the loudest three streams. The TDM back-to-back
!---connection bridges up to 23 channels of VoIP to one or more multicast connections
!---(one side with the multicast configuration and the other side with the VoIP
!---configuration).
!---This method provides a way to connect standards-based VoIP call control to
!---multicast audio streams that have no associated call control.
!
controller T1 0/2/0
framing esf
linecode b8zs
ds0-group 1 timeslots 1 type e&m-immediate-start
ds0-group 2 timeslots 2 type e&m-immediate-start
ds0-group 3 timeslots 3 type e&m-immediate-start
ds0-group 4 timeslots 4 type e&m-immediate-start
ds0-group 5 timeslots 5 type e&m-immediate-start
ds0-group 6 timeslots 6 type e&m-immediate-start
!
controller T1 0/2/1
framing esf
clock source internal
linecode b8zs
ds0-group 1 timeslots 1 type e&m-immediate-start
ds0-group 2 timeslots 2 type e&m-immediate-start
ds0-group 3 timeslots 3 type e&m-immediate-start
!
!
!---WAN uplink
!
interface Serial0/0/0
ip address 10.1.152.30 255.255.255.252
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly
no fair-queue
!
!--- Content Engine connected as a Network Module.
!
interface Content-Engine1/0
ip unnumbered Loopback3
ip pim sparse-dense-mode
service-module ip address 10.1.152.250 255.255.255.252
service-module ip default-gateway 10.1.152.249
!
!
interface FastEthernet3/0
switchport access vlan 110
switchport trunk native vlan 100
switchport mode trunk
switchport voice vlan 110
no ip address
!
interface FastEthernet3/1
switchport access vlan 100
switchport trunk native vlan 100
switchport mode trunk
!
!
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 11 permit 192.168.20.0 0.0.0.255
access-list 11 permit 192.168.10.0 0.0.0.255
!
!
!---Router serves as TFTP server for Signed Image for 7960 phone on Local LAN.
!
tftp-server flash:P00306000300.bin
tftp-server flash:P00306000300.loads
tftp-server flash:P00306000300.sb2
!
control-plane
!
!
!---VoIP side of the Back-to-Back T1 used for bridging VoIP to multicast streams defined
!---by the dial-peer with “ session protocol multicast”
!
voice-port 0/2/0:1
auto-cut-through
!
voice-port 0/2/0:2
auto-cut-through
!
voice-port 0/2/0:3
auto-cut-through
!
voice-port 0/2/0:4
auto-cut-through
!
voice-port 0/2/0:5
auto-cut-through
!
voice-port 0/2/0:6
auto-cut-through
!
!---E&M ports connected to the LMR (Land Mobile Radio). Each radio may have a different
!---radio frequency (such as VHF or UHF)
!
voice-port 0/1/0
auto-cut-through
voice-class permanent 1
operation 4-wire
signal lmr
lmr e-lead voice
timeouts call-disconnect 3
connection trunk 20480
!
voice-port 0/1/1
auto-cut-through
voice-class permanent 1
operation 4-wire
signal lmr
lmr m-lead audio-gate-in
lmr e-lead voice
timeouts call-disconnect 3
destination-pattern 27748
session protocol sipv2
session target ipv4:10.1.152.242
dtmf-relay sip-notify
codec g711ulaw
no vad
!
!---Dial peers for dialing out; pointing to Cisco CallManager Release 3.3(3)
!
dial-peer voice 101 voip
description CCM-IT-Cisco
destination-pattern .T
session target ipv4:10.1.148.178
dtmf-relay h245-alphanumeric
codec g711ulaw
!
dial-peer voice 9 voip
preference 1
destination-pattern 91..........
session target ipv4:10.1.148.178
!
dial-peer voice 2 voip
destination-pattern 2....
session target ipv4:10.1.148.178
!
!---Dial Peers for multicast streaming from TDM port
!
dial-peer voice 20480 voip
description VoIP to multicast bridging for LMR integration
destination-pattern 20480
voice-class permanent 1
session protocol multicast
session target ipv4:239.192.17.191:20480
codec g711ulaw
vad aggressive
!
dial-peer voice 20481 voip
description VoIP to multicast bridging for LMR integration
destination-pattern 20481
voice-class permanent 1
session protocol multicast
session target ipv4:239.192.17.192:20480
codec g711ulaw
vad aggressive
!
dial-peer voice 21111 voip
description VoIP to multicast bridging for Local Conferencing
destination-pattern 21111
voice-class permanent 1
session protocol multicast
session target ipv4:239.192.17.195:20480
dtmf-relay cisco-rtp
codec g711ulaw
vad aggressive
!---Dial Peers for the T1 physical loopback used for bridging multicast to VoIP
!---(VoIP Side)
!
dial-peer voice 1 pots
description VoIP to multicast bridging for LMR
destination-pattern 27737
port 0/2/0:1
!
dial-peer voice 3 pots
voicemail 27749
mwi relay
mwi expires 99999
max-conferences 8
call-forward pattern .....
!---GUI administrator account for Cisco CME. The user name and password shown are example
!---values; change them before the router is placed into service.
web admin customer name cisco password admin
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern .....
secondary-dialtone 9
!
!
ephone-dn 1 dual-line
number 27725
description Ross
name Ross
call-forward busy 27749
call-forward noan 27749 timeout 10
!
!
ephone-dn 2 dual-line
number 27726
description Rachel
name Rachel
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 3 dual-line
number 27727
description Chandler
name Chandler
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 4 dual-line
number 27728
description Monica
name Monica
call-forward busy 27749
call-forward noan 27749 timeout 10
!
!
ephone-dn 5 dual-line
number 27729
description Jen-Shue Shih
name Jen-Shue Shih
call-forward busy 27749
call-forward noan 27749 timeout 10
!
!
ephone-dn 6 dual-line
number 27730
description Mike
name Mike
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 7 dual-line
number 27731
description Phoebe
name Phoebe
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 8 dual-line
number 27732
description Cosmo
name Cosmo
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 9 dual-line
number 27733
description Jerry
name Jerry
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 10 dual-line
number 27734
description George
name George
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 11 dual-line
number 27735
description Frank
name Frank
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 12 dual-line
number 27736
description Estelle
name Estelle
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 13 dual-line
!
!
ephone-dn 14 dual-line
!
!
ephone-dn 15 dual-line
number 27739
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 16 dual-line
number 27740
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 17 dual-line
number 27741
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 18 dual-line
number 27742
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 19 dual-line
number 27743
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 20 dual-line
number 27744
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 21 dual-line
number 27745
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 25
!
!
ephone-dn 27
number 27749
call-forward busy 27749
call-forward noan 27749 timeout 18
!
!
ephone-dn 39
number 8000.....
mwi off
!
!
ephone-dn 40
number 8001.....
mwi on
!
!
ephone 1
mac-address 0003.4713.5554
type CIPC
button 1:1
!
!
!
ephone 2
mac-address 0002.8A3E.6606
type CIPC
button 1:2
!
!
!
ephone 3
mac-address 0001.022C.88A1
type CIPC
button 1:3
!
!
!
ephone 4
mac-address 0009.6B10.494D
type CIPC
button 1:4
!
!
!
ephone 5
mac-address 0002.8A4B.000B
type CIPC
button 1:5
!
!
!
ephone 6
mac-address 0009.6B53.44C6
type CIPC
button 1:6
!
!
!
ephone 7
mac-address 0009.6B30.E399
type CIPC
button 1:7
!
!
!
ephone 8
mac-address 000B.BE37.1AB1
type 7960
button 1:8
!
!
!
ephone 9
mac-address 0006.D74B.15B3
type 7960
button 1:9
!
!
!
ephone 10
mac-address 000B.5F92.5784
type 7960
button 1:10
!
!
!
ephone 11
mac-address 000C.CE3A.87FA
type 7960
button 1:11
!
!
!
ephone 12
mac-address 000C.CE35.1B23
type 7960
button 1:12
!
!
!
ephone 13
mac-address 0002.8A9B.0CE5
type CIPC
button 1:13
!
!
!
ephone 14
mac-address 0003.47D8.C236
type CIPC
button 1:14
!
!
!
ephone 15
mac-address 000C.CE35.1935
type 7960
button 1:15
!
!
!
ephone 16
mac-address 0030.94C3.BE45
type 7960
button 1:16
!
!
!
ephone 17
!
!
!
ephone 18
!
!
!
ephone 19
!
!
!
ephone 20
!
!
!
ephone 21
!
!
!
line con 0
authorization exec LOCAL
stopbits 1
line aux 0
stopbits 1
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line 130
no activation-character
no exec
transport preferred none
transport input all
transport output all
line 258
no activation-character
no exec
transport preferred none
transport input all
transport output all
!---VTY access. “exec-timeout 0 0” disables the idle timeout, so an abandoned session
!---stays open indefinitely. Type 7 passwords are reversibly obfuscated rather than hashed,
!---so anyone who can read this configuration can recover them.
line vty 0 4
exec-timeout 0 0
password 7 04490E020D205E4107
line vty 5 8
exec-timeout 0 0
password 7 03165E0F040E334340
!
scheduler allocate 20000 1000
ntp clock-period 1079741
ntp master
ntp update-calendar
ntp server 10.68.10.80
ntp server 10.68.10.150
end
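Both configurations on this page carry management-plane settings that a reviewer would flag before deployment: an AAA login list that falls back to none, SSH protocol version 1, rsh and rcp enabled, an HTTP server with the secure server disabled, VTY lines with the idle timeout disabled, and type 7 line passwords. The following Python script is an added example, not part of the Cisco document, that detects those settings in running-config text. Its SAMPLE input is constructed from fragments of the two configurations above, and the rule names are the script's own.

```python
"""Static checks for weak management-plane settings in a Cisco IOS config.

Added example, not part of the Cisco document.  It scans running-config
text for settings that appear in the two configurations on this page:
an AAA login list ending in 'none', SSH protocol version 1, rsh/rcp
enabled, a clear-text HTTP server, idle timeouts disabled on VTY lines,
and type 7 (reversible) line passwords.  SAMPLE is constructed from
fragments of those configurations; the rule names are this script's own.
"""
import re

SAMPLE = """\
aaa new-model
aaa authentication login default local group SJ none
aaa authentication login WEB none
aaa authentication login LOCAL local
ip ssh time-out 30
ip ssh version 1
ip rcmd rcp-enable
ip rcmd rsh-enable
ip http server
ip http authentication aaa
no ip http secure-server
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password 7 04490E020D205E4107
line vty 5 8
 exec-timeout 0 0
 password 7 03165E0F040E334340
end
"""


def parse_sections(text):
    """Group IOS config into (command, [subcommands]) by leading-space indent."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and comments
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(text):
    """Return a list of (rule, offending_line) findings for the config text."""
    findings = []
    sections = parse_sections(text)
    top = [cmd for cmd, _ in sections]

    for cmd in top:
        # A method list whose last method is 'none' admits users unauthenticated
        # once every earlier method has returned an error.
        if re.match(r"aaa authentication login \S+ .*\bnone$", cmd):
            findings.append(("aaa-login-none-fallback", cmd))
        if cmd == "ip ssh version 1":
            findings.append(("ssh-version-1", cmd))
        if cmd in ("ip rcmd rsh-enable", "ip rcmd rcp-enable"):
            findings.append(("rcmd-enabled", cmd))

    # HTTP server enabled while the HTTPS server is absent or explicitly disabled.
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append(("http-cleartext-only", "ip http server"))

    for cmd, subs in sections:
        if not cmd.startswith("line "):
            continue
        for sub in subs:
            if re.match(r"exec-timeout 0 0$", sub):
                findings.append(("exec-timeout-disabled", f"{cmd}: {sub}"))
            if re.match(r"password 7 ", sub):
                findings.append(("type7-line-password", f"{cmd}: {sub}"))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in audit(SAMPLE):
        print(f"{rule:25s} {line}")
```

Run against a real running-config exported from the router, the script reports the offending line alongside each rule; the parser relies only on the single-space indentation IOS uses for subcommands, so it also works on configurations pasted from a terminal.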
Verify
This section provides information you can use to confirm that your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only),
which allows you to view an analysis of show command output. In summary, use these commands:
• show telephony-service—Displays the Cisco CME (telephony-service) configuration
• show ephone registered—Verifies that IP phones have registered and lists information associated
with each registered IP phone
• show commands for the voice gateway
– show voice port summary—Displays a summary of all voice ports
– show voip rtp connections—Displays VoIP RTP active connections
– show voip dsp—Displays DSP information
– show voice trace—Displays voice-channel configuration information for all DSP channels
– show voice call summary—Displays the call status for all voice ports
– show running-config—Displays the contents of the currently running configuration file
• show commands for CE
– show version—Displays information about the currently loaded CE software version along
with hardware and device information
– show running-config—Displays the contents of the currently running configuration file
– show processes cpu—Displays detailed CPU utilization statistics (CPU use per process)
– show statistics wmt streamstat—Displays statistics for Windows Media Technologies (WMT)
streaming connections
– show statistics wmt all—Display all WMT statistics
• show and service commands on Cisco CME for Cisco Unity Express
– show interface service-engine—Displays the status of the service-engine interface
– service-module service-engine 4/0 status—Displays status of Cisco Unity Express
The following is an example of output for the show telephony-service command on the Cisco CME:
CCME-CUE-SJC# show telephony-service
CONFIG (Version=3.2)
=====================
Version 3.2
Cisco CallManager Express
For on-line documentation please see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
retain-timer: 15
create cnf-files version-stamp 7960 Apr 12 2004 12:16:53
transfer-system full-consult
auto assign 1 to 27
fxo hook-flash
local directory service: enabled.
The following example illustrates output using the show ephone registered command:
CCME-CUE-SJC# show ephone registered
The following is an example of output for the show voice port summary command on the branch office
router:
IN OUT
PORT CH SIG-TYPE ADMIN OPER STATUS STATUS EC
========= == ============ ===== ==== ======== ======== ==
0/2/0:1 01 e&m-imd up dorm idle idle y
0/2/0:2 02 e&m-imd up dorm idle idle y
0/2/0:3 03 e&m-imd up dorm idle idle y
0/2/0:4 04 e&m-imd up dorm idle idle y
0/2/0:5 05 e&m-imd up dorm idle idle y
0/2/0:6 06 e&m-imd up dorm idle idle y
0/1/0 -- e&m-lmr up up trunked trunked y
0/1/1 -- e&m-lmr up up trunked trunked y
0/2/1:1 01 e&m-imd up up trunked trunked y
0/2/1:2 02 e&m-imd up up trunked trunked y
0/2/1:3 03 e&m-imd up up trunked trunked y
0/2/1:4 04 e&m-imd up up trunked trunked y
0/2/1:5 05 e&m-imd up up trunked trunked y
0/2/1:6 06 e&m-imd up up trunked trunked y
0/3/0 -- fxs-ls up dorm on-hook idle y
0/3/1 -- fxs-ls up dorm on-hook idle y
0/3/2 -- fxs-ls up dorm on-hook idle y
0/3/3 -- fxs-ls up dorm on-hook idle y
50/0/1 1 efxs up up on-hook idle y
50/0/1 2 efxs up up on-hook idle y
50/0/2 1 efxs up up on-hook idle y
50/0/2 2 efxs up up on-hook idle y
50/0/3 1 efxs up up on-hook idle y
.
50/0/40 1 efxs up dorm on-hook idle y
The following is an example of output for the show voip rtp connections command on the branch
office router:
3845-gw# show voip rtp connections
The following is an example of output for the show voip dsp command on the branch office router:
3845-gw# show voip dsp
The following is an example of output for the show voice trace command on the branch office router:
0/2/1:1 1 State Transitions: timestamp (state, event) -> (state, event) ...
42.808 (S_SETUP_INDICATED, E_CC_PROCEEDING) ->
42.808 (S_PROCEEDING, E_CC_CONNECT) ->
The following is an example of output for the show voice call summary command on the branch office
router:
3845-gw# show voice call summary
The following is an example of output for the show version command on the CE:
sjc22-13a-rb-CE3# show version
The following is an example of output for the show running-config command on the CE:
sjc22-13a-rb-CE3# show running-config
hostname sjc22-13a-rb-CE3
!
wmt enable
!
!
multicast accept-license-agreement
!
!
ip name-server 10.68.162.183
ip name-server 10.72.156.120
!
!
wccp router-list 1 10.1.152.249
wccp web-cache router-list-num 1
wccp version 2
!
!
!
!
!
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
cdm ip 10.86.46.81
cms enable
!
!
!
End of ACNS configuration
The following is an example of output for the show processes cpu command on the CE:
sjc22-13a-rb-CE3# show processes cpu
CPU usage:
Current Peak
cpu: 96 % 100 %
CPU average usage since last reboot:
cpu: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
cpu0: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
--------------------------------------------------------------------
PID STATE PRI User T SYS T COMMAND
----- ----- --- ------ ------ --------------------
1 S 0 744 4839 (init)
2 R 0 0 0 (keventd)
3 S 19 0 0 (ksoftirqd_CPU0)
4 S 0 0 0 (kswapd)
5 S 0 0 0 (bdflush)
6 S 0 0 0 (kupdated)
157 S 0 0 0 (streamd)
197 S 10 30143 3926 (nodemgr)
201 S 10 0 0 (syslogd)
202 R 10 396 150 (dataserver)
298 S 0 0 0 (kjournald)
902 S 10 108 23 (ruby_disk)
1494 S 10 2 1 (parser_server)
1544 S 10 3 1 (su)
The following is an example of output for the show statistics wmt streamstat command on the CE:
sjc22-13a-rb-CE3# show statistics wmt streamstat
Incoming Streams:
=================
Bandwidth in Kbps, Duration in seconds
Outgoing Streams:
=================
Client-IP Type Transport Source State Pkts_sent Bytes_sent Duration BW
Server-IP Filename Stream-Id
10.21.96.174 LIVE HTTP RMT_MMS Play 216441 312540804 11946 216
24.6.215.172 lanka 13830
10.21.81.206 LIVE MMS(UDP) RMT_MMS Play 59505 85925220 3283 216
24.6.215.172 lanka 15639
10.21.88.96 LIVE HTTP RMT_MMS Play 165227 238587788 9129 216
24.6.215.172 lanka 14402
10.21.113.252 LIVE MMS(UDP) RMT_MMS Play 596188 860895472 32961 216
24.6.215.172 lanka 8644
10.21.116.124 LIVE HTTP RMT_MMS Play 53848 77756512 3033 216
24.6.215.172 lanka 15682
10.21.115.95 LIVE MMS(UDP) RMT_MMS Play 481970 695964680 26584 216
24.6.215.172 lanka 10694
10.21.65.223 LIVE MMS(UDP) RMT_MMS Play 15883 22935052 878 216
24.6.215.172 lanka 16161
sjc22-13a-rb-CE3#
The following is an example of output for the show statistics wmt all command on the CE:
Total % of Total
Unicast Requests
--------------------------------------------
By Type of Content
------------------
Live content: 75 100.00%
On-Demand Content: 0 0.00%
By Transport Protocol
---------------------
MMSU: 32 42.67%
MMST: 1 1.33%
HTTP: 42 56.00%
By Source of Content
--------------------
Local: 0 0.00%
Remote MMS: 75 100.00%
Remote HTTP: 0 0.00%
Multicast: 0 0.00%
By Type of Content
------------------
Live content: 1178064843 100.00%
On-Demand Content: 0 0.00%
By Transport Protocol
---------------------
MMSU: 0 0.00%
MMST: 1178064843 100.00%
HTTP: 0 0.00%
========================
Total unicast outgoing bytes: 4698135144
---------------------------------
Total % of Total Unicast
Outgoing Bytes
--------------------------------------------
By Type of Content
------------------
Live content: 4698135144 100.00%
On-Demand Content: 0 0.00%
By Transport Protocol
---------------------
MMSU: 3148201513 67.01%
MMST: 0 0.00%
HTTP: 1549933631 32.99%
Total % of Total
Live Outgoing Bytes
--------------------------------------------
Live Splitting
--------------
Incoming bytes: 1178064843 25.08%
Outgoing bytes: 4698135144 100.00%
Bytes saved: 3520070301 74.92%
Bytes cache-bypassed: 0
Cacheable requests
------------------
Req cache-miss: 0 0.00%
Req cache-hit: 0 0.00%
Req cache-partial-hit: 0 0.00%
Req cache-total: 0 0.00%
Req cache-bypassed: 81
------------------
Cache bypassed: 81
Exceed max-size: 0
Usage Summary
=============
Concurrent Unicast Client Sessions
----------------------------------
Current: 8
Max: 8
Max: 216.765
Error Statistics
================
Total request errors: 0
URL Filtered: 0
The following is an example of output for the show interface service-engine 4/0 command on the Cisco
CME for Cisco Unity Express:
The following is an example of output for the service-module service-engine 4/0 status command on
the Cisco CME for Cisco Unity Express:
3845-gw# service-module service-engine 4/0 status
The following is an example of output for the service-module service-engine 4/0 session
command on the Cisco CME for Cisco Unity Express:
3845-gw# service-module service-engine 4/0 session
Username: cisco
Password:
se-10-32-152-242#
se-10-32-152-242#
The following is an example of output for the show running-config command on Cisco Unity Express:
se-10-32-152-242# show running-config
Generating configuration:
hostname se-10-32-152-242
ip domain-name cisco.com
ip name-server 10.64.2.113 10.64.11.48
ccn engine
end engine
end
The following is an example of output for the show voicemail mailboxes command on Cisco Unity
Express:
se-10-32-152-242# show voicemail mailboxes
The following is an example of output for the show voicemail usage command on Cisco Unity Express:
se-10-32-152-242# show voicemail usage
personal mailboxes: 12
general delivery mailboxes: 0
orphaned mailboxes: 0
capacity of voicemail (minutes): 6000
allocated capacity (minutes): 600.0
message time used (seconds): 141
message count: 3
average message length (seconds): 47.0
greeting time used (seconds): 0
greeting count: 0
average greeting length (seconds): 0.0
total time used (seconds): 141
total time used (minutes): 2.3499999046325684
percentage used time (%): 1
The following is an example of output for the show voicemail limits command on Cisco Unity Express:
se-10-32-152-242# show voicemail limits
The following is an example of output for the show ccn application command on Cisco Unity Express:
se-10-32-152-242# show ccn application
Name: ciscomwiapplication
Description: ciscomwiapplication
Script: setmwi.aef
ID number: 0
Enabled: yes
Maximum number of sessions: 8
strMWI_OFF_DN: 8000
strMWI_ON_DN: 8001
CallControlGroupID: 0
Name: voicemail
Description: voicemail
Script: voicebrowser.aef
ID number: 1
Enabled: yes
Maximum number of sessions: 8
logoutUri: http://localhost/voicemail/vxmlscripts/mbxLogout.jsp
uri: http://localhost/voicemail/vxmlscripts/login.vxml
Name: autoattendant
Description: autoattendant
Script: aa.aef
ID number: 2
Enabled: yes
Maximum number of sessions: 8
MaxRetry: 3
operExtn: 0
welcomePrompt: AAWelcome.wav
Name: promptmgmt
Description: promptmgmt
Script: promptmgmt.aef
ID number: 3
Enabled: yes
Maximum number of sessions: 1
The following is an example of output for the show ccn trigger command on Cisco Unity Express:
se-10-32-152-242# show ccn trigger
Name: 27749
Type: SIP
Application: voicemail
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 8
Name: 27751
Type: SIP
Application: promptmgmt
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 1
Name: 27748
Type: SIP
Application: autoattendant
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 8
se-10-32-152-242#
The screen display example below depicts media termination point (MTP) software configuration.
The screen display example below provides details about Cisco CME phones.
The screen display example below provides details about voice mailboxes on Cisco Unity Express.
The screen display example below depicts the Group Profile-Administrator display.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
See the following tech notes:
• IP Security Troubleshooting - Understanding and Using debug Commands
Note Before issuing debug commands, see Important Information on Debug Commands.
For troubleshooting and debugging VoIP call basics, see the following document:
• http://www.cisco.com/warp/public/788/voip/voip_debugcalls.html
Related Information
For additional information about Cisco CallManager Express, go to:
• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
For additional information about Cisco Unity Express, go to:
• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is
a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0711R)
Easy VPN Configuration Example
This document provides an Easy VPN (EzVPN) sample configuration using Cisco 1800 series,
Cisco 2800 series, and Cisco 3800 series routers.
Contents
• Introduction, page 1
• Before You Begin, page 2
• Configure, page 3
• Verify, page 12
• Troubleshoot, page 14
• Related Information, page 16
Introduction
This document provides a sample Easy VPN (or EzVPN) configuration with the following
characteristics:
• All traffic between two client branch sites and headquarters passes through a Virtual Private
Network (VPN) of IP Security (IPSec) encrypted tunnels.
• Techniques used include Internet Key Exchange (IKE) dead peer detection (DPD), split tunneling,
and group policy on the server with Domain Name Server (DNS) information, Windows Internet
Naming Service (WINS) information, domain name, and an IP address pool for clients.
• Headquarters uses an EzVPN concentrator, a Cisco 3800 series router, with an ATM interface.
• One branch uses a Cisco 2800 series router and employs a network-mode EzVPN client with a serial
interface, while another branch uses a Cisco 1800 series router and uses client mode EzVPN with
an SHDSL interface.
• The various show commands demonstrate configurations for the Internet Security Association Key
Management Protocol (ISAKMP) and IPSec Security Associations (SAs) on the EzVPN
concentrator, as well as IPSec client EzVPN status on the clients.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
List of Terms
ATM—Asynchronous Transfer Mode. A connection switching protocol that organizes data into 53-byte
cell units, transmitting them via digital signals. Each cell is processed asynchronously (hence the name)
relative to the transmission or arrival of other cells within a single message. Cells are also queued before
being transmitted in a multiplexing fashion. ATM can be used for many different services, including
voice, video, or data.
DNS—Domain Name Server. Maps names to Internet Protocol (IP) addresses and addresses to names.
Domain Name Servers maintain lists of domain name and IP address mappings.
DPD—Dead peer detection. An implementation of client keepalive functionality that checks the
availability of the VPN device at the other end of an IPSec tunnel.
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for
services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each
router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared
keys into both hosts or can be done by a certification authority (CA) service.
IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. IPSec provides these security services at the IP
layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to
generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host.
ISAKMP—Internet Security Association Key Management Protocol. A protocol for key exchange
encryption and authentication. ISAKMP requires at least one pair of messages to be exchanged between
two VPN-connected peers before a secure link can be established.
NETBEUI—NetBIOS extended user interface. A transport protocol associated with Microsoft-based
networks. Unlike TCP/IP, NETBEUI is not a routable network protocol.
NetBIOS—Network Basic Input/Output System. A peer-to-peer low-level networking protocol dating
back to the 1980s, NetBIOS links network operating systems with network hardware. NetBIOS is not
routable and must be encapsulated with TCP/IP to pass through routers.
SA—Security association. This is a unidirectional channel negotiated by IPSec, with a pair of SAs
required for two-way communication. SAs are used to index session keys and initialization vectors.
SHDSL—Symmetrical High-Speed Digital Subscriber Line. An implementation of DSL that operates at
equal speeds in both transmission directions, at rates from 192 kbps to 2.3 Mbps.
WINS—Windows Internet Naming Service. A service in Microsoft-based networks that translates
hostnames into IP addresses. Using NETBEUI protocol, it is also compatible with NetBIOS.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
OL-6340-01
2
Easy VPN Configuration Example
Configure
Components Used
The information in this document is based on these software and hardware versions:
• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, and with ATM access to
the Internet
• At Branch 1, a Cisco 1841 router with a WIC-1SHDSL interface card installed, and with DSL access
to the Internet
• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet
• For Cisco 1800 series routers and Cisco 2800 series routers: Cisco IOS Release 12.3(8)T4
• For Cisco 3800 series routers: Cisco IOS Release 12.3(11)T
• Advanced Enterprise Services feature set
The information presented in this document resulted from the use of devices in a specific lab setup and
environment. All the devices used in this document started with a cleared (default) configuration. If you
are working in a live network, ensure that you understand the potential impact of any command before
you use it.
Note When configuring stateful failover for IPSec on the Cisco 2811 router, you may get the following
message if there is no AIM-VPN module installed:
%crypto_ha_ipsec-4-crypto_ha_not_supported_by_hw 2811
Once an AIM-VPN module is installed in the Cisco 2811 router, this error message will no longer appear.
Related Products
This configuration can also be used with the following hardware:
• Cisco 1800 series routers
• Cisco 2800 series routers
• Cisco 3800 series routers
Configure
This section presents the information for configuring the features described in this document.
Note For additional information on the commands used in this document, use the Cisco IOS Command
Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten
your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Configuration Tips
• Make sure that the tunnels work before you apply the crypto maps.
• Apply IPSec crypto maps to both the tunnel interface and the physical interface.
Network Diagram
This document uses the network setup shown in the following illustration:
[Network diagram: numbered callouts 1 through 9 mark the headquarters and branch sites and their IP endpoints; figure not reproduced]
Following are the callout terms and definitions for the diagram, identified by number:
The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:
• EzVPN server
• ATM access to the Internet
• Operating in a Cisco CallManager cluster
• Public IP address: 10.32.152.26
• Private IP address pool: 192.168.1.0/24
The Branch 1 location (callout 8) uses a Cisco 1841 router with these characteristics:
• EzVPN client using client mode
• DSL access to the Internet
• WIC-1SHDSL interface card installed
• Public IP address: 10.32.152.46
The Branch 2 location (callout 9) uses a Cisco 2811 router with these characteristics:
• EzVPN client using network mode
• Serial access to the Internet
• Public IP address: 10.32.150.46
• Private IP address pool: 192.168.3.1/24
Configurations
This example uses these configurations:
• Headquarters Office Configuration (Cisco 3845 Router), page 5
• Branch 1 Router Configuration (Cisco 1841 Router), page 8
• Branch 2 Router Configuration (Cisco 2811 Router), page 10
Building configuration...
Current configuration : 6824 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Hub
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXnGodPh8ZM/ka6k/9aO51
!
username admin secret 5 $1$cfjP$kKpB7e3pfKXfpK0RIqX/E.
username ezvpn-spoke2 secret 5 $1$vrSS$AhSPxEUnPOsSpJkGdzjXg/
username ezvpn-spoke1 secret 5 $1$VK0p$4D0YXNOtC6K7MR4/vinUL.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name cisco.com
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
voice-card 0
no dspfarm
!
!--- IKE configuration
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group VPN1
acl SPLIT_T
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
key cisco123
dns 192.168.168.183 192.168.226.120
wins 192.168.179.89 192.168.2.87
domain cisco.com
pool VPN-POOL
save-password
!
!--- IPSec configuration
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface ATM0/0/0
description === public interface ===
ip address 10.32.152.26 255.255.255.252
ip pim sparse-dense-mode
ip ospf network point-to-point
no atm ilmi-keepalive
pvc 10/100
interface FastEthernet4/15
switchport access vlan 10
no ip address
!
!--- Entries for FastEthernet 4/16 through 4/35 omitted because they are redundant
!
interface GigabitEthernet4/0
no ip address
shutdown
!
interface GigabitEthernet4/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
!
!
ip local pool VPN-POOL 10.1.1.1 10.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login authentication USERLIST
!
!
end
!
Building configuration...
.
.
Current configuration : 4252 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
Building configuration...
.
Current configuration : 4068 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpuEPg5s7ow/
!
username admin password 7 10481A110C07
memory-size iomem 25
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool PRIVATE_DHCP
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
!
no ip domain lookup
ip multicast-routing
ip ids po max-events 100
!
no ftp-server write-enable
voice-card 0
no dspfarm
!
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
connect auto
group VPN1 key cisco123
mode network-extension
peer 10.32.152.26
username ezvpn-spoke2 password cisco2
!
interface FastEthernet0/0
description === private interface ===
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN1 inside
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
description === public interface ===
ip address 10.32.150.46 255.255.255.252
crypto ipsec client ezvpn VPN1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
!
ip http server
no ip http secure-server
!
control-plane
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login authentication USERLIST
!
end
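As a review aid for the hub and spoke configurations above, the following Python script is an added example, not code from the guide or from Cisco. It groups an IOS running-config into top-level commands and their indented sub-commands, then reports the settings a security reviewer would question in these configurations: the 3DES/MD5/DH group 2 IKE policy and the 3DES/MD5 transform set, the group pre-shared key and save-password (which lets remote clients store the Xauth password) on the hub, the group key and Xauth password kept in the spoke's config, and the cleartext HTTP and non-SSH vty management settings on both. The sample configurations inside it are constructed, modelled on EzVPN-Hub and EzVPN-Spoke-2 with placeholder secrets. The hardened variant is an assumption: it presumes a later IOS release than 12.3 that supports AES-256, SHA-256, DH group 14 and certificate (rsa-sig) authentication, and shows the same audit returning no findings.

```python
"""Audit IOS EzVPN hub/spoke configs for weak crypto and exposed management.
Added example, not from the configuration guide. The sample configs are
constructed, modelled on EzVPN-Hub and EzVPN-Spoke-2 above; secrets are placeholders."""
import re
from typing import List, Tuple

# IKE policy sub-command -> (values considered weak, recommendation)
POLICY_CHECKS = {"encr": ({"des", "3des"}, "use encr aes 256"),
                 "hash": ({"md5"}, "use hash sha256"),
                 "group": ({"1", "2", "5"}, "use group 14 or higher")}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

HUB_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN1
 key cisco123
 pool VPN-POOL
 save-password
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
ip http server
no ip http secure-server
line vty 0 4
 login authentication USERLIST
"""

SPOKE_CONFIG = """\
crypto ipsec client ezvpn VPN1
 group VPN1 key cisco123
 peer 10.32.152.26
 username ezvpn-spoke2 password cisco2
ip http server
no ip http secure-server
line vty 0 4
 login authentication USERLIST
"""

# Hardened hub (assumed): certificates instead of a shared group key, AES-256/SHA-256/DH 14, HTTPS + SSH only.
HARDENED_HUB_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp client configuration group VPN1
 pool VPN-POOL
crypto ipsec transform-set TRANSFORM-1 esp-aes 256 esp-sha256-hmac
ip http secure-server
line vty 0 4
 transport input ssh
 login authentication USERLIST
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group lines into (top-level command, [indented sub-commands]); '!' lines are skipped."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per questionable setting; an empty list means clean."""
    out: List[str] = []
    blocks = parse_blocks(config)
    top = [p for p, _ in blocks]
    for parent, kids in blocks:
        if parent.startswith("crypto isakmp policy"):
            for w in (k.split() for k in kids):
                if len(w) > 1 and w[0] in POLICY_CHECKS and w[1] in POLICY_CHECKS[w[0]][0]:
                    out.append(f"{parent}: weak {w[0]} {w[1]} ({POLICY_CHECKS[w[0]][1]})")
        elif parent.startswith("crypto isakmp client configuration group"):
            if any(k.startswith("key ") for k in kids):
                out.append(f"{parent}: group pre-shared key is shared by every client; prefer certificates")
            if "save-password" in kids:
                out.append(f"{parent}: save-password lets clients store the Xauth password")
        elif parent.startswith("crypto ipsec transform-set"):
            if weak := [t for t in parent.split()[4:] if t in WEAK_ESP]:
                out.append(f"{parent}: weak IPsec transforms {', '.join(weak)}")
        elif parent.startswith("crypto ipsec client ezvpn"):
            if any(re.match(r"group \S+ key ", k) for k in kids):
                out.append(f"{parent}: group pre-shared key stored in the config")
            if any(re.match(r"username \S+ password ", k) for k in kids):
                out.append(f"{parent}: Xauth password stored in the config")
        elif parent.startswith("line vty"):
            if not any(k.startswith("transport input ssh") for k in kids):
                out.append(f"{parent}: no 'transport input ssh'; telnet may be accepted")
    if "ip http server" in top and "ip http secure-server" not in top:
        out.append("ip http server without ip http secure-server: cleartext management")
    return out
```

Feed it a saved show running-config capture; the parser relies on the one-space indentation IOS prints for sub-commands, which the configurations reproduced in this document lost during extraction, so re-indent a copied config before auditing it.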
Verify
This section provides instructions for verifying that your configuration works properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which
allows you to view an analysis of show command output. In summary:
• show crypto engine connections active—Shows the encrypted and decrypted packets.
• show crypto ipsec sa—Shows the phase 2 IPSec security associations for the hub.
• show crypto ipsec client ezvpn—Shows the phase 2 IPSec security associations for the EzVPN
client.
• show crypto isakmp sa—Shows the phase 1 ISAKMP security associations.
One of the first indications of successful IPSec negotiation is a message displayed on the Virtual Private
Network (VPN) concentrator console. Upon successful IPSec negotiation by the EzVPN clients, a
message similar to the following is displayed on the VPN concentrator console, indicating the
establishment of crypto connections to the remote EzVPN clients.
EzVPN-Hub#
The following examples show sample output for the show crypto ipsec sa and show crypto ipsec client
ezvpn commands.
The following is sample output from the show crypto ipsec sa command, performed using the
configuration on the EzVPN Hub location:
EzVPN-Hub# show crypto ipsec sa
interface: ATM0/0/0
Crypto map tag: INT_MAP, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)
current_peer: 10.32.152.46:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 10.32.150.46:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
inbound ah sas:
outbound ah sas:
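The packet counters in the output above are all zero, which is what a freshly negotiated SA looks like before any interesting traffic has crossed it. An SA that stays at zero, or whose #pkts encaps and #pkts decaps counters increment on only one side, is the usual sign of a routing, access-list or NAT problem rather than a crypto failure, so the counters are the first thing to read after the SA itself appears. The following Python script is an added example, not from the guide, that parses show crypto ipsec sa output into one record per SA and classifies each as idle, one-way or active from those counters. SAMPLE_OUTPUT is constructed, modelled on the EzVPN-Hub output: the first SA keeps the document's zero counters, and the second is given made-up non-zero counters and receive errors so the check has something to distinguish.

```python
"""Parse 'show crypto ipsec sa' output and flag SAs that carry no traffic.
Added example, not from the configuration guide. SAMPLE_OUTPUT is constructed,
modelled on the EzVPN-Hub output above: the first SA keeps the document's zero
counters, the second is given non-zero counters for contrast."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0        # packets encrypted and sent toward the peer
    decaps: int = 0        # packets received from the peer and decrypted
    send_errors: int = 0
    recv_errors: int = 0

    def status(self) -> str:
        """Classify from the counters: both zero = idle, one zero = one-way."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.encaps == 0 or self.decaps == 0:
            return "one-way"   # typically a routing, ACL or NAT problem on one side
        return "active"


SAMPLE_OUTPUT = """\
interface: ATM0/0/0
    Crypto map tag: INT_MAP, local addr. 10.32.152.26
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)
   current_peer: 10.32.152.46:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 10.32.150.46:500
    #pkts encaps: 1240, #pkts encrypt: 1240, #pkts digest: 1240
    #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198
    #send errors 0, #recv errors 2
"""

# Each pattern is anchored at the start of a stripped line.
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((.+)\)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((.+)\)")
_PEER = re.compile(r"current_peer:?\s+(\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """A 'local ident' line opens a new SA entry; the following lines fill it in."""
    sas: List[IpsecSa] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _LOCAL.match(line):
            sas.append(IpsecSa(local_ident=m.group(1)))
        elif not sas:
            continue
        elif m := _REMOTE.match(line):
            sas[-1].remote_ident = m.group(1)
        elif m := _PEER.match(line):
            sas[-1].peer = m.group(1)
        elif m := _ENCAPS.match(line):
            sas[-1].encaps = int(m.group(1))
        elif m := _DECAPS.match(line):
            sas[-1].decaps = int(m.group(1))
        elif m := _ERRORS.match(line):
            sas[-1].send_errors, sas[-1].recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def report(text: str) -> List[str]:
    """One line per SA; operators look at the status column first."""
    return [f"{sa.peer:<18} {sa.remote_ident:<30} enc={sa.encaps} dec={sa.decaps} "
            f"errs={sa.send_errors}/{sa.recv_errors} {sa.status()}"
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

Run the command twice a few seconds apart while test traffic is flowing and compare the two reports: an active SA shows both counters rising, and a non-zero #recv errors that keeps climbing points at replay or integrity failures on inbound packets.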
The following is sample output from the show crypto ipsec client ezvpn command, performed using the
configuration on the EzVPN Spoke 1 location:
EzVPN-Spoke-1#show crypto ipsec client ezvpn
The following is sample output from the show crypto ipsec client ezvpn command, performed using the
configuration on the EzVPN Spoke 2 location:
EzVPN-Spoke-2#show crypto ipsec client ezvpn
Troubleshoot
This section provides information for troubleshooting your configuration.
See the following tech note:
• IP Security Troubleshooting - Understanding and Using debug Commands
Troubleshooting Commands
Note Before issuing debug commands, please see Important Information on Debug Commands.
The following debug commands must be running on both IPSec routers (peers). Security associations
must be cleared on both peers.
• debug crypto engine—Displays information pertaining to the crypto engine, such as when
Cisco IOS software is performing encryption or decryption operations.
• debug crypto ipsec—Displays the IPSec negotiations of phase 2.
• debug crypto ipsec client ezvpn—Displays the negotiation of the EzVPN client to the VPN
concentrator.
• debug crypto isakmp—Displays the ISAKMP negotiations of phase 1.
• clear crypto ipsec client ezvpn—Clears an existing EzVPN connection.
• clear crypto isakmp—Clears the security associations for phase 1.
• clear crypto sa—Clears the security associations for phase 2.
The following is an example of output for the debug crypto ipsec client ezvpn command:
EzVPN-Spoke-1# debug crypto ipsec client ezvpn
Related Information
• Cisco IOS Wide-Area Networking Configuration Guide
• Cisco IOS Dial Technologies Configuration Guide
• Cisco IOS Security Configuration Guide
• Cisco IOS Interface and Hardware Component Configuration Guide
• Cisco Technical Assistance Center
Hoot and Holler over V3PN Configuration Example
This document provides a configuration example that illustrates a basic multicast-based voice
application over a Cisco Virtual Private Network (VPN).
Contents
• Introduction, page 1
• Prerequisites, page 2
• Configure, page 3
• Verify, page 17
• Troubleshoot, page 40
• Related Information, page 43
Introduction
This document provides a configuration example for Cisco Voice and Video over VPN (V3PN). The
voice application used in this example is Hoot and Holler, which is typically used in trading floor
financial institutions for communications to branch offices. The configuration scenario emphasizes
implementation of the quality of service (QoS) and VPN capabilities; the configuration has the following
characteristics:
• All traffic between two client branch sites and headquarters passes through a VPN of IPSec-
encrypted tunnels.
• This implementation of Cisco V3PN features the use of Protocol Independent Multicast (PIM) in
Sparse Mode and Auto-RP. The routing protocol used to transport traffic is Open Shortest Path First
(OSPF).
• The techniques used include Internet Key Exchange/Dead Peer Detection (IKE/DPD), split
tunneling, and group policy on the server with Domain Name System (DNS) information, Windows
Internet Naming Service (WINS) information, domain name, and an IP address pool for clients.
• Headquarters uses a Cisco 3800 series router with an ATM interface.
• One branch uses a Cisco 2800 series router and employs a serial interface, while another branch with
a Cisco 2800 Series router uses a Symmetrical High-Speed Digital Subscriber Line (SHDSL)
interface.
• The various show commands demonstrate configurations for the Internet Security Association Key
Management Protocol (ISAKMP) and IP Security (IPSec) security associations (SA) on the
concentrator, as well as status on the clients.
Prerequisites
The following sections provide information you need in order to understand this configuration
example. Read these sections before you continue with the configuration example:
• Conventions
• Requirements
• Related Products
• Components Used
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, with ATM access to the
Internet
• At Branch 1, a Cisco 2801 router with a WIC-SHDSL-V2 interface card installed, and with DSL
access to the Internet
• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet
• Cisco IOS Release 12.3(11)T or later releases
• Advanced Enterprise Services feature set
The information presented in this document was created from the devices in a specific lab environment.
All of the devices used in this document started with a cleared (default) configuration. If your network
is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the following hardware and software:
• Cisco 2800 series routers
• Cisco 3800 series routers
• For Cisco 2800 series routers, Cisco IOS Release 12.3(8)T4 or later releases. For Cisco 3800 series
routers, Cisco IOS Release 12.3(11)T and later releases.
OL-6573-01
2
Hoot and Holler over V3PN Configuration Example
Configure
Conventions
For information on document conventions, see the Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this
document.
Note For additional information on the commands used in this document, use the Cisco IOS Command
Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten
your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Configuration Tips
• Make sure that the tunnels work before you apply the crypto maps.
• Apply IPSec crypto maps to both the tunnel interface and the physical interface.
Network Diagram
This document uses the network setup shown in the diagram below.
[Network diagram not reproduced: callouts 1 through 9 label the Headquarters router, the two branch routers and the IP endpoints at each site; the callout definitions follow.]
Following are the callout terms and definitions for the diagram, identified by number:
The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:
• ATM access to the Internet
• Operating in a Cisco CallManager cluster
• Public IP address: 10.32.152.26
• Private IP address pool: 192.168.1.0/24
The Branch 1 location (callout 8) uses a Cisco 2801 router with these characteristics:
• DSL access to the Internet
• WIC-SHDSL-V2 interface card installed
• Public IP address: 10.32.153.32
• Private IP address pool: 192.168.2.0/24
The Branch 2 location (callout 9) uses a Cisco 2811 router with these characteristics:
• Serial access to the Internet
• Public IP address: 10.32.150.46/30
• Private IP address pool: 192.168.3.0/24
Configurations
This document uses the following configurations:
• Headquarters Office Configuration (Cisco 3845 Router), page 4
• Branch 1 Router Configuration (Cisco 2801 Router), page 9
• Branch 2 Router Configuration (Cisco 2811 Router), page 14
Building configuration...
! CREATE TUNNELS TO THE SPOKE ROUTERS. THE MTU IS LOWERED TO ALLOW THE GRE AND IPSEC HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE SPECIFIED
!
interface Tunnel0
description === Peer device = Branch-2 ===
bandwidth 10000
ip unnumbered Vlan10
ip mtu 1420
ip pim sparse-dense-mode
qos pre-classify
tunnel source ATM1/0
tunnel destination 10.32.150.46
crypto map INT_CM
!
interface Tunnel1
description === Peer device = Branch-1 ===
bandwidth 10000
ip unnumbered Vlan10
ip mtu 1420
ip pim sparse-dense-mode
qos pre-classify
tunnel source ATM1/0
tunnel destination 10.32.153.34
crypto map INT_CM
!
! THIS LOOPBACK INTERFACE ACTS AS THE MULTICAST RP
!
interface Loopback100
ip address 192.168.4.1 255.255.255.255
ip pim sparse-dense-mode
!
! THIS VIF INTERFACE IS USED AS THE MULTICAST SOURCE FOR THE VOICE ENDPOINT
interface Vif1
ip address 192.168.6.1 255.255.255.0
ip pim sparse-dense-mode
!
! NOT USED
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
! NOT USED
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
! INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 10/100 IS USED IN THIS EXAMPLE. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED HERE
interface ATM1/0
description === Public interface ===
bandwidth 155000
Building configuration...
hostname Branch-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkR/YyrP.
!
username cisco password 7 0519050B234D5C0617
memory-size iomem 20
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
no network-clock-participate wic 4
no network-clock-participate wic 5
no network-clock-participate wic 6
no network-clock-participate wic 7
no network-clock-participate wic 8
no network-clock-participate aim 0
no network-clock-participate aim 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LOCAL
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
ip sap cache-timeout 30
ip ssh time-out 30
ip ids po max-events 100
no ftp-server write-enable
voice-card 0
!
!
no virtual-template subinterface
!
!
!
voice class permanent 1
signal timing oos timeout 65535
signal keepalive disabled
signal sequence oos no-action
!
!
!
controller T1 3/0
framing sf
linecode ami
controller T1 3/1
framing sf
linecode ami
!
! CLASSIFY DIFFERENT QOS TRAFFIC, SETTING IP PRECEDENCE AND DSCP
!
class-map match-all data
match ip precedence 2
class-map match-all control-traffic
match ip dscp af31
class-map match-all video
match ip precedence 4
class-map match-all voice
match ip dscp ef
!
! ALLOCATE AVAILABLE BANDWIDTH FOR EACH QOS CLASSIFICATION, DEPENDING ON EXPECTED NEED
! FOR EXAMPLE, DSCP VALUE EF (CLASS VOICE) WILL BE GIVEN 35% OF THE BANDWIDTH
!
policy-map LLQ
class control-traffic
bandwidth percent 5
class voice
priority percent 35
class video
bandwidth percent 15
class data
bandwidth percent 20
class class-default
fair-queue
!
!
! SET THE IKE POLICY TO USE 3DES
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 10.32.152.26 no-xauth
!
!
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
!
! SPECIFY REMOTE PEER
!
crypto map INT_CM 1 ipsec-isakmp
description === Peer device = HUB-R1 ===
set peer 10.32.152.26
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM_1
match address IPSEC_ACL_1
!
!
! CREATE TUNNEL TO THE HUB ROUTER. THE MTU IS LOWERED TO ALLOW THE GRE AND IPSEC HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE SPECIFIED
!
!
interface Tunnel0
description === Peer device = HUB-R1 ===
bandwidth 10000
ip unnumbered FastEthernet0/0
ip mtu 1420
ip pim sparse-dense-mode
qos pre-classify
tunnel source 10.32.153.34
tunnel destination 10.32.152.26
crypto map INT_CM
!
! VIF INTERFACE FOR MULTICAST SOURCE ADDRESS (USED FOR VOICE MULTICAST)
!
interface Vif1
ip address 192.168.7.1 255.255.255.0
ip pim sparse-dense-mode
!
interface FastEthernet0/0
description === Private interface ===
ip address 192.168.2.1 255.255.255.0
ip pim sparse-dense-mode
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! DSL INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 8/35 IS USED IN THIS EXAMPLE.
!
interface ATM2/0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
pvc 0/35
encapsulation aal5snap
!
pvc 8/35
vbr-nrt 2000 1000
encapsulation aal5mux ppp Virtual-Template1
!
!
interface FastEthernet4/0
no ip address
!
interface FastEthernet4/1
no ip address
!
interface FastEthernet4/2
no ip address
!
interface FastEthernet4/3
no ip address
!
! LOGICAL INTERFACE FOR DSL LINK. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED HERE
! PPP MULTILINK IS ENABLED SO INTERFACE CAN SUPPORT QOS
!
interface Virtual-Template1
description === Public interface ===
ip address 10.32.153.34 255.255.255.252
service-policy output LLQ
ppp multilink
ppp multilink fragment delay 8
ppp multilink interleave
crypto map INT_CM
interface Vlan1
no ip address
!
router ospf 1
log-adjacency-changes
network 192.168.2.0 0.0.0.255 area 0
network 192.168.7.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.153.33
ip route 192.168.1.0 255.255.255.0 Null0 249
!
ip http server
no ip http secure-server
!
! SPECIFY TRAFFIC TO BE ENCRYPTED (HERE IT'S ALL GRE TRAFFIC)
!
ip access-list extended IPSEC_ACL_1
permit gre host 10.32.153.34 host 10.32.152.26
!
!
!
control-plane
!
!
!
! CONFIGURE THE VOICE PORT AND LINK IT TO DIAL-PEER 100. THIS CONNECTION IS PERMANENT.
! THE VOICE-CLASS WAS DEFINED EARLIER IN THE CONFIGURATION, AND ESTABLISHES AN 'ALWAYS ON' CONNECTION
!
voice-port 1/0
voice-class permanent 1
timeouts call-disconnect 3
connection trunk 100
!
voice-port 1/1
!
voice-port 1/2
!
voice-port 1/3
!
!
! THIS DIAL-PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239.168.1.100. G711 CODEC (64K) IS USED, AND VAD IS ENABLED
!
dial-peer voice 100 voip
destination-pattern 100
session protocol multicast
session target ipv4:239.168.1.100:19890
codec g711ulaw
vad aggressive
!
!
!
line con 0
line aux 0
line vty 0 4
login authentication USERLIST
!
end
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/3/0
no ip address
shutdown
!
interface FastEthernet0/3/1
no ip address
shutdown
!
interface FastEthernet0/3/2
no ip address
shutdown
!
interface FastEthernet0/3/3
no ip address
shutdown
!
interface Serial0/0/0
description === Public interface ===
ip address 10.32.150.46 255.255.255.252
service-policy output LLQ
crypto map INT_CM
!
interface Vlan1
no ip address
!
router ospf 1
log-adjacency-changes
network 192.168.3.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
no ip http secure-server
!
ip access-list extended IPSEC_ACL_1
permit gre host 10.32.150.46 host 10.32.152.26
!
!
!
control-plane
!
!
voice-port 0/1/0
voice-class permanent 1
timeouts call-disconnect 3
connection trunk 100
!
voice-port 0/1/1
!
!
!
dial-peer cor custom
!
!
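The two Configuration Tips given earlier (bring the tunnels up first, then apply the IPSec crypto map to both the tunnel interface and the physical interface, selecting the GRE flow with the crypto ACL) can be checked mechanically against a running configuration. The following Python is an added example, not part of the Cisco document: it parses a constructed configuration fragment modelled on the Branch 1 router, resolves each tunnel source to its physical interface, and reports where the crypto map or the crypto ACL does not line up; the function names and the sample text are the example's own.

```python
import re

# Constructed sample (not the page's running-config): the crypto-relevant lines
# of a spoke, modelled on the Branch 1 configuration above.
SAMPLE_CONFIG = """\
crypto map INT_CM 1 ipsec-isakmp
 set peer 10.32.152.26
 set transform-set TRANSFORM_1
 match address IPSEC_ACL_1
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip mtu 1420
 tunnel source 10.32.153.34
 tunnel destination 10.32.152.26
 crypto map INT_CM
!
interface Virtual-Template1
 description === Public interface ===
 ip address 10.32.153.34 255.255.255.252
 crypto map INT_CM
!
ip access-list extended IPSEC_ACL_1
 permit gre host 10.32.153.34 host 10.32.152.26
"""


def parse_blocks(config):
    """Group indented lines under their top-level command (IOS config layout)."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def check_crypto_maps(config):
    """Return a list of findings; an empty list means both tips are satisfied."""
    blocks = parse_blocks(config)
    interfaces = {n.split(" ", 1)[1]: b for n, b in blocks if n.startswith("interface ")}
    acls = {n.split()[-1]: b for n, b in blocks if n.startswith("ip access-list extended ")}
    cmaps = {}
    for n, b in blocks:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", n)
        if m:
            cmaps.setdefault(m.group(1), []).extend(b)

    # Map each configured address back to the interface that carries it, so a
    # "tunnel source <ip>" can be resolved to its physical interface.
    ip_to_iface, iface_ip = {}, {}
    for name, body in interfaces.items():
        for line in body:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)
            if m:
                ip_to_iface[m.group(1)] = name
                iface_ip[name] = m.group(1)

    findings = []
    for name, body in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        cmap = src = dst = None
        has_mtu = False
        for line in body:
            if line.startswith("crypto map "):
                cmap = line.split()[2]
            elif line.startswith("tunnel source "):
                src = line.split()[2]
            elif line.startswith("tunnel destination "):
                dst = line.split()[2]
            elif line.startswith("ip mtu "):
                has_mtu = True
        if cmap is None:
            findings.append(f"{name}: no crypto map applied to the tunnel")
            continue
        if not has_mtu:
            findings.append(f"{name}: ip mtu not lowered for the GRE and IPsec headers")
        # Tip 2: the same crypto map must also sit on the physical (public) interface.
        phys = src if src in interfaces else ip_to_iface.get(src)
        if phys is None:
            findings.append(f"{name}: tunnel source {src} matches no interface")
            continue
        if f"crypto map {cmap}" not in interfaces[phys]:
            findings.append(f"{phys}: crypto map {cmap} missing on the physical interface")
        # The crypto ACL must select exactly the GRE flow this tunnel generates.
        src_ip = iface_ip.get(phys)
        for cm_line in cmaps.get(cmap, []):
            if cm_line.startswith("match address ") and src_ip:
                acl = cm_line.split()[2]
                wanted = f"permit gre host {src_ip} host {dst}"
                if wanted not in acls.get(acl, []):
                    findings.append(f"{acl}: expected '{wanted}'")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_maps(SAMPLE_CONFIG) or ["OK: both configuration tips satisfied"]:
        print(finding)
```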
Verify
This section provides information you can use to confirm your configuration is working properly. The
verification process includes two parts:
• Verify Headquarters Connectivity, page 17
• Verify Remote Location Connectivity, page 27
• show voice call summary—Shows information about a call (such as the codec being used or the
state of the phone).
• show class-map—Displays the QoS marking scheme (for example, how voice traffic is marked), which
is what defines this as a V3PN implementation.
• show policy-map interface atm 1/0 output—Shows how traffic has been queued on the ATM
interface. Note that different queues have different packet counts because traffic is assigned on the
basis of differentiated services code point (DSCP) and IP precedence values.
• show crypto engine brief—Shows the VPN engine currently being run.
Representative output from each of these commands is presented in the verification summaries that
follow.
The following is an output example for the show crypto isakmp sa command, performed using the
configuration on the Headquarters router:
HUB-R1# show crypto isakmp sa
The following is an output example for the show crypto ipsec sa command, performed using the
configuration on the Headquarters router:
HUB-R1# show crypto ipsec sa
interface: Tunnel0
Crypto map tag: INT_CM, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 174918, #pkts encrypt: 174918, #pkts digest: 174918
#pkts decaps: 126855, #pkts decrypt: 126855, #pkts verify: 126855
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 168329, #pkts encrypt: 168329, #pkts digest: 168329
#pkts decaps: 127676, #pkts decrypt: 127676, #pkts verify: 127676
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
inbound ah sas:
outbound ah sas:
interface: Tunnel1
Crypto map tag: INT_CM, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 171877, #pkts encrypt: 171877, #pkts digest: 171877
#pkts decaps: 123829, #pkts decrypt: 123829, #pkts verify: 123829
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 165228, #pkts encrypt: 165228, #pkts digest: 165228
#pkts decaps: 124592, #pkts decrypt: 124592, #pkts verify: 124592
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
inbound ah sas:
outbound ah sas:
interface: ATM1/0
Crypto map tag: INT_CM, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 172131, #pkts encrypt: 172131, #pkts digest: 172131
#pkts decaps: 124081, #pkts decrypt: 124081, #pkts verify: 124081
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 165491, #pkts encrypt: 165491, #pkts digest: 165491
#pkts decaps: 124855, #pkts decrypt: 124855, #pkts verify: 124855
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
inbound ah sas:
outbound ah sas:
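The show crypto ipsec sa output above carries the counters that tell you whether each SA is healthy: every encapsulated packet should also be encrypted and digested, every decapsulated packet decrypted and verified, the selector should cover only GRE (protocol 47) between the two public addresses, and both directions should be carrying traffic. The following Python is an added example, not part of the Cisco document: it parses constructed output in the same layout (two healthy hub SAs plus a hypothetical Tunnel9 whose counters disagree) and reports the entries that break those expectations.

```python
import re

# Constructed sample in the layout of the output above (counters are made up):
# two healthy hub SAs and a third, deliberately inconsistent one on a
# hypothetical Tunnel9 that shows what the audit flags.
SAMPLE_OUTPUT = """\
interface: Tunnel0
   protected vrf:
   local  ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
   current_peer: 10.32.153.34:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 174918, #pkts encrypt: 174918, #pkts digest: 174918
    #pkts decaps: 126855, #pkts decrypt: 126855, #pkts verify: 126855
    #send errors 66, #recv errors 0

   protected vrf:
   local  ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
   current_peer: 10.32.150.46:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 168329, #pkts encrypt: 168329, #pkts digest: 168329
    #pkts decaps: 127676, #pkts decrypt: 127676, #pkts verify: 127676
    #send errors 5, #recv errors 0

interface: Tunnel9
   protected vrf:
   local  ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.9/255.255.255.255/0/0)
   current_peer: 192.0.2.9:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 130, #pkts decrypt: 130, #pkts verify: 118
    #send errors 0, #recv errors 12
"""

PATTERNS = {
    "local": re.compile(r"local\s+ident.*\(([\d.]+)/[\d.]+/(\d+)/\d+\)"),
    "remote": re.compile(r"remote ident.*\(([\d.]+)/[\d.]+/(\d+)/\d+\)"),
    "peer": re.compile(r"current_peer:\s*([\d.]+):\d+"),
    "encaps": re.compile(r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+), #pkts decrypt: (\d+), #pkts verify: (\d+)"),
    "errors": re.compile(r"#send errors (\d+), #recv errors (\d+)"),
}


def parse_ipsec_sa(text):
    """Return one dict per protected flow (each 'local ident' block) in the output."""
    entries, cur, iface = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            iface = line.split(":", 1)[1].strip()
            continue
        m = PATTERNS["local"].search(line)
        if m:  # a new flow starts with its local selector
            cur = {"interface": iface, "local": m.group(1), "proto": int(m.group(2))}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if (m := PATTERNS["remote"].search(line)):
            cur["remote"] = m.group(1)
        elif (m := PATTERNS["peer"].search(line)):
            cur["peer"] = m.group(1)
        elif (m := PATTERNS["encaps"].search(line)):
            cur["encaps"] = tuple(map(int, m.groups()))
        elif (m := PATTERNS["decaps"].search(line)):
            cur["decaps"] = tuple(map(int, m.groups()))
        elif (m := PATTERNS["errors"].search(line)):
            cur["send_errors"], cur["recv_errors"] = map(int, m.groups())
    return entries


def audit_ipsec_sa(text, expected_proto=47):
    """Flag SAs whose selectors or counters do not look like a healthy GRE-over-IPsec tunnel."""
    findings = []
    for e in parse_ipsec_sa(text):
        tag = f"{e['interface']} {e['local']}->{e.get('remote', '?')}"
        if e["proto"] != expected_proto:
            findings.append(f"{tag}: selector covers protocol {e['proto']}, expected {expected_proto} (GRE)")
        if "peer" not in e:
            findings.append(f"{tag}: no current peer, SA never negotiated")
        enc, dec = e.get("encaps", (0, 0, 0)), e.get("decaps", (0, 0, 0))
        # Outbound: encaps == encrypt == digest; inbound: decaps == decrypt == verify.
        # A gap means packets passed the SA without full IPsec processing.
        if len(set(enc)) != 1:
            findings.append(f"{tag}: outbound counters disagree encaps/encrypt/digest={enc}")
        if len(set(dec)) != 1:
            findings.append(f"{tag}: inbound counters disagree decaps/decrypt/verify={dec}")
        if enc[0] == 0 or dec[0] == 0:
            findings.append(f"{tag}: no traffic in at least one direction, check the tunnel first")
        # Send errors usually accrue while the SA is still being negotiated;
        # receive errors are packets that failed inbound processing and deserve a look.
        if e.get("recv_errors", 0):
            findings.append(f"{tag}: {e['recv_errors']} receive errors")
    return findings
```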
The following is an output example for the show ip ospf neighbors command, performed using the
configuration on the Headquarters router:
The following is an output example for the show ip route command, performed using the configuration
on the Headquarters router:
HUB-R1# show ip route
The following is an output example for the show ip pim neighbor command, performed using the
configuration on the Headquarters router:
HUB-R1# show ip pim neighbor
The following is an output example for the show ip pim rp map command, performed using the
configuration on the Headquarters router:
HUB-R1# show ip pim rp map
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Info source: 192.168.4.1 (?), elected via Auto-RP
Uptime: 2d02h, expires: 00:02:25
The following is an output example for the show ip mroute active command, performed using the
configuration on the Headquarters router:
HUB-R1# show ip mroute active
The following is an output example for the show voice trunk-conditioning supervisory command,
performed using the configuration on the Headquarters router:
HUB-R1# show voice trunk-conditioning supervisory
SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
status: trunk connected
sequence oos : no-action
pattern :
timing : idle = 0, restart = 0, standby = 0, timeout = 65535
supp_all = 0, supp_voice = 0, keep_alive = 0
timer: oos_ais_timer = 0, timer = 0
The following is an output example for the show voip rtp connections command, performed using the
configuration on the Headquarters router:
HUB-R1# show voip rtp connections
The following is an output example for the show voice call summary command, performed using the
configuration on the Headquarters router:
HUB-R1# show voice call summary
The following is an output example for the show class-map command, performed using the
configuration on the Headquarters router:
The following is an output example for the show policy-map interface atm 1/0 output command,
performed using the configuration on the Headquarters router:
HUB-R1# show policy-map interface atm 1/0 output
ATM1/0: VC 10/100 -
The following is an output example for the show crypto engine brief command, performed using the
configuration on the Headquarters router:
HUB-R1# show crypto engine brief
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0500
Maximum SA index: 0500
Maximum Flow index: 1000
Maximum RSA key size: 2048
The following is an output example for the show crypto ipsec sa command, performed using the
configuration on the Branch 1 router:
Branch-1# show crypto ipsec sa
interface: Tunnel0
Crypto map tag: INT_CM, local addr. 10.32.153.34
protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78341, #pkts encrypt: 78341, #pkts digest: 78341
#pkts decaps: 118387, #pkts decrypt: 118387, #pkts verify: 118387
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
inbound ah sas:
outbound ah sas:
interface: Virtual-Template1
Crypto map tag: INT_CM, local addr. 10.32.153.34
protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78380, #pkts encrypt: 78380, #pkts digest: 78380
inbound ah sas:
outbound ah sas:
interface: Virtual-Access3
Crypto map tag: INT_CM, local addr. 10.32.153.34
protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78508, #pkts encrypt: 78508, #pkts digest: 78508
#pkts decaps: 118555, #pkts decrypt: 118555, #pkts verify: 118555
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
inbound ah sas:
outbound ah sas:
interface: Virtual-Access4
Crypto map tag: INT_CM, local addr. 10.32.153.34
protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78628, #pkts encrypt: 78628, #pkts digest: 78628
#pkts decaps: 118675, #pkts decrypt: 118675, #pkts verify: 118675
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
inbound ah sas:
outbound ah sas:
The following is an output example for the show ip ospf neighbor command, performed using the
configuration on the Branch 1 router:
Branch-1# show ip ospf neighbor
The following is an output example for the show ip route command, performed using the
configuration on the Branch 1 router:
Branch-1# show ip route
The following is an output example for the show ip pim neighbor command, performed using the
configuration on the Branch 1 router:
Branch-1# show ip pim neighbor
The following is an output example for the show ip pim rp mapping command, performed using the
configuration on the Branch 1 router:
Branch-1# show ip pim rp mapping
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Info source: 192.168.4.1 (?), elected via Auto-RP
Uptime: 00:20:28, expires: 00:02:23
The following is an output example for the show ip mroute active command, performed using the
configuration on the Branch 1 router:
Branch-1# show ip mroute active
The following is an output example for the show voice trunk-conditioning supervisory command,
performed using the configuration on the Branch 1 router:
Branch-1# show voice trunk-conditioning supervisory
SLOW SCAN
1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
status: trunk connected
sequence oos : no-action
pattern :
timing : idle = 0, restart = 0, standby = 0, timeout = 65535
supp_all = 0, supp_voice = 0, keep_alive = 0
timer: oos_ais_timer = 0, timer = 0
The following is an output example for the show voip rtp connections command, performed using the
configuration on the Branch 1 router:
Branch-1# show voip rtp connections
The following is an output example for the show voice call summary command, performed using the
configuration on the Branch 1 router:
Branch-1# show voice call summary
The following is an output example for the show class-map command, performed using the
configuration on the Branch 1 router:
Branch-1# show class-map
The following is an output example for the show policy-map interface virtual-access 4 output
command, performed using the configuration on the Branch 1 router:
Branch-1# show policy-map interface virtual-access 4 output
Virtual-Access4
The following is an output example for the show crypto engine brief command, performed using the
configuration on the Branch 1 router:
Branch-1# show crypto engine brief
The following is an output example for the show crypto ipsec sa command, performed using the
configuration on the Branch 2 router:
Branch-2# show crypto ipsec sa
interface: Tunnel0
Crypto map tag: INT_CM, local addr. 10.32.150.46
protected vrf:
local ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1706, #pkts encrypt: 1706, #pkts digest: 1706
#pkts decaps: 1715, #pkts decrypt: 1715, #pkts verify: 1715
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
inbound ah sas:
outbound ah sas:
protected vrf:
local ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1864, #pkts encrypt: 1864, #pkts digest: 1864
#pkts decaps: 1874, #pkts decrypt: 1874, #pkts verify: 1874
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
inbound ah sas:
inbound pcp sas:
outbound ah sas:
outbound pcp sas:
The following is an output example for the show ip ospf neighbor command, performed using the
configuration on the Branch 2 router:
Branch-2# show ip ospf neighbor
The following is an output example for the show ip route command, performed using the configuration
on the Branch 2 router:
Branch-2# show ip route
The following is an output example for the show ip pim neighbor command, performed using the
configuration on the Branch 2 router:
Branch-2# show ip pim neighbor
The following is an output example for the show ip pim rp mapping command, performed using the
configuration on the Branch 2 router:
Branch-2# show ip pim rp mapping
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Info source: 192.168.4.1 (?), elected via Auto-RP
Uptime: 2d03h, expires: 00:02:47
The following is an output example for the show ip mroute active command, performed using the
configuration on the Branch 2 router:
Branch-2# show ip mroute active
The following is an output example for the show voice trunk-conditioning supervisory command,
performed using the configuration on the Branch 2 router:
Branch-2# show voice trunk-conditioning supervisory
SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
status: trunk connected
sequence oos : no-action
pattern :
timing : idle = 0, restart = 0, standby = 0, timeout = 65535
supp_all = 0, supp_voice = 0, keep_alive = 0
timer: oos_ais_timer = 0, timer = 0
The following is an output example for the show voip rtp connections command, performed using the
configuration on the Branch 2 router:
Branch-2# show voip rtp connections
The following is an output example for the show voice call summary command, performed using the
configuration on the Branch 2 router:
Branch-2# show voice call summary
The following is an output example for the show policy-map interface serial 0/0/0 output command,
performed using the configuration on the Branch 2 router:
Branch-2# show policy-map interface serial 0/0/0 output
Serial0/0/0
Match: ip dscp ef
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 35 (%)
Bandwidth 540 (kbps) Burst 13500 (Bytes)
(pkts matched/bytes matched) 13/3532
(total drops/bytes drops) 0/0
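The Bandwidth 35 (%) / 540 (kbps) / Burst 13500 (Bytes) figures above follow directly from the LLQ policy-map in the configurations. The following Python is an added example, not part of the Cisco document: it parses the policy-map text, converts each class percentage to the kilobit rate IOS reports, and checks that the classes stay within the reservation ceiling. It assumes the Branch 2 serial link runs at the T1 default of 1544 kbps (the page does not set bandwidth on Serial0/0/0), that IOS truncates to whole kbps, that the default priority burst is 200 ms of the priority rate in bytes, and that the default max-reserved-bandwidth ceiling is 75 percent; under those assumptions the voice class comes out at exactly 540 kbps and 13500 bytes.

```python
import re

# Constructed copy of the LLQ policy-map from the configurations above.
POLICY_MAP = """\
policy-map LLQ
 class control-traffic
  bandwidth percent 5
 class voice
  priority percent 35
 class video
  bandwidth percent 15
 class data
  bandwidth percent 20
 class class-default
  fair-queue
"""


def parse_policy_map(text):
    """Return {class: (keyword, percent)} for every class given a percentage."""
    classes, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("class "):
            current = s.split(None, 1)[1]
            continue
        m = re.match(r"(bandwidth|priority) percent (\d+)$", s)
        if m and current:
            classes[current] = (m.group(1), int(m.group(2)))
    return classes


def allocate(classes, link_kbps, burst_ms=200, max_reserved_pct=75):
    """Translate the percentages into the kbps and burst values IOS reports.

    Assumptions (not taken from the page): IOS truncates to whole kbps, the
    default priority burst is burst_ms of the priority rate expressed in bytes,
    and reservations above max_reserved_pct of the link are rejected.
    """
    total = sum(pct for _, pct in classes.values())
    if total > max_reserved_pct:
        raise ValueError(f"classes reserve {total}%, above the {max_reserved_pct}% ceiling")
    alloc = {}
    for name, (keyword, pct) in classes.items():
        kbps = link_kbps * pct // 100
        entry = {"keyword": keyword, "percent": pct, "kbps": kbps}
        if keyword == "priority":
            # rate (bit/s) * burst window (s) / 8 -> bytes
            entry["burst_bytes"] = kbps * 1000 * burst_ms // 1000 // 8
        alloc[name] = entry
    return alloc


if __name__ == "__main__":
    for cls, info in allocate(parse_policy_map(POLICY_MAP), 1544).items():
        print(cls, info)
```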
The following is an output example for the show crypto engine brief command, performed using the
configuration on the Branch 2 router:
Branch-2# show crypto engine brief
Troubleshoot
This section provides information you can use to troubleshoot your configuration. See the following
tech notes:
• IP Security Troubleshooting - Understanding and Using debug Commands
Troubleshooting Commands
Note Before issuing debug commands, please see Important Information on Debug Commands.
The following debug commands must be running on both IPSec routers (peers). Security associations
must be cleared on both peers.
• debug crypto engine—Displays information pertaining to the crypto engine, such as when the
Cisco IOS software is performing encryption or decryption operations.
• debug crypto ipsec—Displays IPSec negotiations of phase 2.
• debug crypto isakmp—Displays ISAKMP negotiations of phase 1.
• debug ip pim auto-rp—Displays the contents of each PIM packet used in the automatic discovery
of group-to-rendezvous point (RP) mapping as well as the actions taken on the address-to-RP
mapping database.
• clear crypto isakmp—Clears the security associations related to phase 1.
• clear crypto sa—Clears the security associations related to phase 2.
The following is an example of output for the debug crypto isakmp and debug crypto ipsec commands.
Relevant display output is shown in bold text, and comments are preceded by an exclamation point and
shown in italics.
Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP: Looking for a matching key for 10.32.150.46 in default : success
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 10.32.150.46
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):SKEYID state generated
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is Unity
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
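The debug crypto isakmp lines above record main mode as a sequence of "Old State = ... New State = ..." transitions per SA, and the state at which an SA stops tells you what to check first. The following Python is an added example, not part of the Cisco document: it groups constructed debug lines (in the same format as the capture above) by SA identifier, tracks the state sequence, counts retransmissions, and summarizes each SA as complete or stalled; the hints for the stall states and the hypothetical second peer 192.0.2.50 are the example's own.

```python
import re

# Constructed debug lines in the format shown above (not the page's capture):
# SA 0:2 completes main mode with the Branch 2 peer; SA 0:3 never gets a
# reply from a hypothetical peer and keeps retransmitting its first message.
SAMPLE_DEBUG = """\
Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 10.32.150.46
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Jul 29 16:06:33.667 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
Jul 29 16:06:33.683 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jul 29 16:07:10.100 PDT: ISAKMP:(0:3:SW:1):Old State = IKE_READY  New State = IKE_I_MM1
Jul 29 16:07:20.100 PDT: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_SA_SETUP...
Jul 29 16:07:30.100 PDT: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_SA_SETUP...
"""

SA_RE = re.compile(r"ISAKMP:\(([^)]+)\):")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_RE = re.compile(r"pre-shared key matching ([\d.]+)")

# Defender's reading of the initiator states (IKE_I_MMn = main-mode message n
# sent): the first thing to check when an SA stops at that state.
HINTS = {
    "IKE_I_MM1": "no reply to the SA proposal: peer unreachable, UDP 500 filtered, "
                 "or no matching isakmp policy on the peer",
    "IKE_I_MM3": "no reply to the key exchange: compare the isakmp policy "
                 "(encryption, hash, DH group, lifetime) on both peers",
    "IKE_I_MM5": "authentication not confirmed: check the pre-shared key and the "
                 "peer address it is bound to on both sides",
}


def track_isakmp(text):
    """Group debug lines by SA id and record states, retransmits and the peer found."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:  # e.g. the 'received packet from' line carries no SA id
            continue
        sa = sas.setdefault(m.group(1), {"states": [], "retransmits": 0, "peer": None})
        if (s := STATE_RE.search(line)):
            if not sa["states"]:
                sa["states"].append(s.group(1))
            sa["states"].append(s.group(2))
        elif "retransmitting phase 1" in line:
            sa["retransmits"] += 1
        elif (p := PEER_RE.search(line)):
            sa["peer"] = p.group(1)
    return sas


def summarize(sas):
    """Return {sa_id: one-line status} for the tracked SAs."""
    report = {}
    for sa_id, info in sas.items():
        last = info["states"][-1] if info["states"] else "unknown"
        if last == "IKE_P1_COMPLETE":
            report[sa_id] = f"phase 1 complete with {info['peer'] or 'peer'}"
        else:
            hint = HINTS.get(last, "see the IPsec debug tech note for this state")
            report[sa_id] = f"stalled at {last} after {info['retransmits']} retransmits: {hint}"
    return report


if __name__ == "__main__":
    for sa_id, status in summarize(track_isakmp(SAMPLE_DEBUG)).items():
        print(sa_id, status)
```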
Related Information
• Cisco IOS Quality of Service Configuration Guide, Release 12.3
• Cisco IOS Security Configuration Guide
• Cisco IOS Voice Command Reference, Release 12.3
• Cisco IOS Wide-Area Networking Configuration Guide
• Cisco Technical Assistance Center
Finding Feature Documentation
Note We recommend that you use the Cisco Router and Security Device Manager (SDM) to configure your
router. To access SDM, see the quick start guide that you received with your router.
You can access Cisco IOS feature documentation in the following ways:
• Using Cisco.com Feature Resources, page 1
• Finding Documentation for a Specific Feature by Using Cisco Feature Navigator, page 2
• Finding Documentation for All Supported Features on Your Router by Using Cisco Feature
Navigator, page 3
• Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release, page 4
• Finding Feature Documentation by Browsing Cisco IOS Release Notes, page 4
For a list of key supported features, see the data sheet and other product literature for your router.
Additional IOS-related technical documentation can be found at this URL:
http://www.cisco.com/cisco/web/support/index.html
Note Cisco Feature Navigator does not support all platforms and software releases, such as some older
releases and some limited-lifetime releases.
Note Feature modules are not created for all features, such as uncomplicated features that do not involve any
user configuration. To access all feature descriptions and configuration information, go to Cisco Feature
Navigator, or read the Cisco IOS release notes in addition to browsing the Cisco IOS feature modules.
Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.
Step 2 Select the appropriate release.
Step 3 Click New Feature Documentation.
Step 4 Navigate to your Cisco IOS software release.
Step 5 Select the feature module.
Note Cisco IOS release notes typically include descriptions only of uncomplicated features that were
introduced in the software release, but that do not involve any user configuration. To access all feature
descriptions and configuration information, go to Cisco Feature Navigator, or read the Cisco IOS release
notes in addition to browsing the Cisco IOS feature modules.
Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.
Step 2 Select the appropriate release.
Step 3 Click Release Notes.
Step 4 Select your platform.
Step 5 Select the release notes for your Cisco IOS software release.
Step 6 Navigate to the “New and Changed Information” section. If you selected a “T” release, the section might
be called “New Features and Important Notes.”
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is
a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0711R)
This document describes the 16-bit configuration register in NVRAM and includes the following
sections:
• Platforms Supported by This Document, page 1
• About the Configuration Register, page 1
• Changing the Configuration Register Settings, page 4
• Displaying the Configuration Register Settings, page 5
• Configuring the Console Line Speed (Cisco IOS CLI), page 5
Bit Number (Hexadecimal): Meaning

Bits 00–03 (0x0000–0x000F): Boot field. The boot field setting determines whether the router loads an
operating system and where it obtains the system image. See Table 2 for details.

Bit 06 (0x0040): Causes the system software to ignore the contents of NVRAM.

Bit 07 (0x0080): Original Equipment Manufacturer (OEM) bit enabled.

Bit 08 (0x0100): Controls the console Break key:
• (Factory default) Setting bit 8 causes the processor to ignore the console Break key.
• Clearing bit 8 causes the processor to interpret Break as a command to force the router into the
ROM monitor mode, halting normal operation.
Break can always be sent in the first 60 seconds while the router is rebooting, regardless of the
configuration register settings.

Bit 09 (0x0200): This bit controls the system boot:
• Setting bit 9 causes the system to use the secondary bootstrap.
• (Factory default) Clearing bit 9 causes the system to boot from flash memory.
This bit is typically not modified.

Bit 10 (0x0400): Controls the host portion of the IP broadcast address:
• Setting bit 10 causes the processor to use all zeros.
• (Factory default) Clearing bit 10 causes the processor to use all ones.
Bit 10 interacts with bit 14, which controls the network and subnet portions of the IP broadcast
address. See Table 3 for the combined effects of bits 10 and 14.

Bits 05, 11, 12 (0x0020, 0x0800, 0x1000): Controls the console line speed. See Table 4 for the eight
available bit combinations and console line speeds.
Factory default is 9600 baud, where bits 5, 11, and 12 are all zero (clear).
Note You cannot change the console line speed configuration register bits from the Cisco IOS
command-line interface (CLI). You can, however, change these bits from the ROM monitor (see “Using
the ROM Monitor”). Or, instead of changing the configuration register settings, you can set the console
line speed through other Cisco IOS commands.

Bit 13 (0x2000): Determines how the router responds to a network boot failure:
• Setting bit 13 causes the router to boot the default ROM software after 6 unsuccessful network boot
attempts.
• (Factory default) Clearing bit 13 causes the router to indefinitely continue network boot attempts.

Bit 14 (0x4000): Controls the network and subnet portions of the IP broadcast address:
• Setting bit 14 causes the processor to use all zeros.
• (Factory default) Clearing bit 14 causes the processor to use all ones.
Bit 14 interacts with bit 10, which controls the host portion of the IP broadcast address. See Table 3
for the combined effect of bits 10 and 14.

Bit 15 (0x8000): Enables diagnostic messages and ignores the contents of NVRAM.
Table 2 describes the boot field, which is the lowest four bits of the configuration register (bits 3, 2, 1,
and 0). The boot field setting determines whether the router loads an operating system and where the
router obtains the system image.
Boot Field (Bits 3, 2, 1, and 0): Meaning

0000 (0x0): At the next power cycle or reload, the router boots to the ROM monitor (bootstrap program).
To use the ROM monitor, you must use a terminal or PC that is connected to the router console port. For
information about connecting the router to a PC or terminal, see the hardware installation guide for
your router.
In ROM monitor mode, you must manually boot the system image or any other image by using the boot
ROM monitor command. See the section “Booting an Image (boot)” in “Using the ROM Monitor.”

0001 (0x01): Boots the first image in flash memory as a system image.

0010–1111 (0x02–0xF): At the next power cycle or reload, the router sequentially processes each boot
system command in global configuration mode that is stored in the configuration file until the system
boots successfully.
If no boot system commands are stored in the configuration file, or if executing those commands is
unsuccessful, then the router attempts to boot the first image file in flash memory.
Table 3 shows how each setting combination of bits 10 and 14 affects the IP broadcast address.
Table 4 shows the console line speed for each setting combination of bits 5, 11, and 12.
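The bit meanings in Table 1 and the boot field in Table 2 are easiest to check mechanically. The following Python decoder is an added example, not code from the Cisco document: given a register value such as the 0x2102 reported by show version, it names what each bit does and lists the settings an operator should question, for instance the ignore-NVRAM bit, which makes the router boot without its saved configuration. The console speed bits (5, 11, and 12) are reported raw because Table 4 is not reproduced on this page.

```python
"""Decode and audit a Cisco IOS 16-bit configuration register value.

Added example, not part of the Cisco document: the masks below follow
Table 1 (bit meanings) and Table 2 (boot field).  Bits 5, 11 and 12
(console line speed) are reported raw because the speed mapping of
Table 4 is not reproduced on this page.
"""

BOOT_FIELD_MASK = 0x000F          # bits 0-3: boot field (Table 2)
IGNORE_NVRAM = 0x0040             # bit 6: ignore contents of NVRAM (saved configuration)
OEM_BIT = 0x0080                  # bit 7: OEM bit
IGNORE_BREAK = 0x0100             # bit 8: set = console Break is ignored (factory default)
SECONDARY_BOOTSTRAP = 0x0200      # bit 9: set = use the secondary bootstrap
BCAST_HOST_ZEROS = 0x0400         # bit 10: host part of IP broadcast address is all zeros
CONSOLE_SPEED_MASK = 0x1820       # bits 5, 11, 12: console line speed (Table 4)
ROM_AFTER_NETBOOT_FAIL = 0x2000   # bit 13: boot ROM software after 6 failed network boots
BCAST_NET_ZEROS = 0x4000          # bit 14: network/subnet part of broadcast address all zeros
DIAGNOSTIC = 0x8000               # bit 15: diagnostic messages, and NVRAM is ignored


def boot_field_meaning(field):
    """Describe a boot field value 0x0-0xF as in Table 2."""
    if field == 0x0:
        return "boot to ROM monitor"
    if field == 0x1:
        return "boot first image in flash memory"
    return "process boot system commands, else first image in flash memory"


def decode_confreg(value):
    """Return a dict naming what each register bit does for this value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    field = value & BOOT_FIELD_MASK
    return {
        "boot_field": field,
        "boot": boot_field_meaning(field),
        # Bit 6 and bit 15 both cause the saved configuration to be ignored.
        "ignore_nvram": bool(value & (IGNORE_NVRAM | DIAGNOSTIC)),
        "break_ignored": bool(value & IGNORE_BREAK),
        "secondary_bootstrap": bool(value & SECONDARY_BOOTSTRAP),
        "rom_after_netboot_failure": bool(value & ROM_AFTER_NETBOOT_FAIL),
        "broadcast_host_zeros": bool(value & BCAST_HOST_ZEROS),
        "broadcast_net_zeros": bool(value & BCAST_NET_ZEROS),
        "diagnostic": bool(value & DIAGNOSTIC),
        "console_speed_bits": value & CONSOLE_SPEED_MASK,
    }


def audit_confreg(value):
    """List the settings an operator should question on a production router.

    A register that ignores NVRAM boots without the saved configuration;
    a register that honours Break, or whose boot field is 0x0, lets a
    reload end in the ROM monitor instead of the system image.
    """
    d = decode_confreg(value)
    findings = []
    if d["ignore_nvram"]:
        findings.append("saved configuration in NVRAM is ignored at boot (bit 6 or bit 15 set)")
    if not d["break_ignored"]:
        findings.append("console Break drops the router into ROM monitor (bit 8 clear)")
    if d["boot_field"] == 0x0:
        findings.append("boot field is 0x0: the router stops in ROM monitor at the next reload")
    return findings


if __name__ == "__main__":
    for reg in (0x2102, 0x2142, 0x0000):
        print(f"0x{reg:04X}: {decode_confreg(reg)['boot']}; findings: {audit_confreg(reg)}")
```

The factory value 0x2102 (bits 13 and 8 set, boot field 2) produces no findings; 0x2142 differs only by bit 6 and is flagged because the router would come up without its saved configuration, which is worth catching in a configuration audit before the next reload rather than after it.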
Step 1 Connect a terminal or PC to the router console port. If you need help, see the hardware installation guide
for your router.
Step 2 Configure your terminal or terminal emulation software for 9600 baud (default), 8 data bits, no parity,
and 2 stop bits.
Step 3 Power on the router.
Step 4 If you are asked whether you would like to enter the initial dialog, answer no:
Would you like to enter the initial dialog? [yes]: no
Step 7 To change the configuration register settings, enter the config-register value command, where value is
a hexadecimal number preceded by 0x:
Router(config)# config-register 0xvalue
Note The Cisco IOS software does not allow you to change the console speed bits directly with the
config-register command. To change the console speed from the Cisco IOS CLI, see the
“Configuring the Console Line Speed (Cisco IOS CLI)” section on page 5.
Many users do not use the ROM monitor at all unless, during power-up or reload, the router does not
find a valid system image, the last digit of the boot field in the configuration register is 0, or you enter
the Break key sequence during the first 60 seconds after reloading the router.
This document describes how to use the ROM monitor to manually load a system image, upgrade the
system image when there are no TFTP servers or network connections, or for disaster recovery.
Contents
• Platforms Supported by This Document, page 1
• Prerequisites for Using the ROM Monitor, page 1
• Information About the ROM Monitor, page 2
• How to Use the ROM Monitor—Typical Tasks, page 3
• Additional References, page 31
– TFTP download (tftpdnld)—Use this method if you can connect a TFTP server directly to the
fixed LAN port on your router. See the “Recovering the System Image (tftpdnld)” section on
page 20.
Note Recovering the system image is different from upgrading the system image. You need to
recover the system image if it becomes corrupt or if it is deleted because of a disaster that
affects the memory device severely enough to require deleting all data on the memory device
in order to load a system image.
Accessibility
This product can be configured using the Cisco command-line interface (CLI). The CLI conforms to
accessibility code 508 because it is text based and because it relies on a keyboard for navigation. All
functions of the router can be configured and monitored through the CLI.
For a complete list of guidelines and Cisco products adherence to accessibility, see Cisco Accessibility
Products at the following URL:
http://www.cisco.com/web/about/responsibility/accessibility/products
Note This section does not describe how to perform all possible ROM monitor tasks. Use the command help
to perform any tasks that are not described in this document. See the “Displaying Commands and
Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.
Prerequisites
Connect a terminal or PC to the router console port. For help, see the quick start guide that shipped with
your router or see the hardware installation guide for your router.
Using the Break Key Sequence to Interrupt the System Reload and Enter ROM Monitor Mode
This section describes how to enter ROM monitor mode by reloading the router and entering the Break
key sequence.
SUMMARY STEPS
1. enable
2. reload
3. Press Ctrl-Break.
DETAILED STEPS
Example:
Router# reload
Step 3 Press Ctrl-Break. Interrupts the router reload and enters ROM monitor mode.
• You must perform this step within 60 seconds after you enter the reload command.
• The Break key sequence varies, depending on the software on your PC or terminal. If Ctrl-Break does
not work, see the Standard Break Key Sequence Combinations During Password Recovery tech note.
Example:
Router# send break
Examples
Troubleshooting Tips
The Break key sequence varies, depending on the software on your PC or terminal. See the Standard
Break Key Sequence Combinations During Password Recovery tech note.
What to Do Next
• Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)”
section on page 8.
• If you use the Break key sequence to enter ROM monitor mode when the router would otherwise
have booted the system image, you can exit ROM monitor mode by doing one of the following:
– Enter the i or reset command, which restarts the booting process and loads the system image.
– Enter the cont command, which continues the booting process and loads the system image.
Caution Do not set the configuration register by using the config-register 0x0 command after you have set the
baud rate. To set the configuration register without affecting the baud rate, use the current
configuration register setting by entering the show ver | inc configuration command, and then replacing
the last (rightmost) number with a 0 in the configuration register command.
SUMMARY STEPS
1. enable
2. configure terminal
3. config-register 0x0
4. exit
5. write memory
6. reload
DETAILED STEPS
Example:
Router# configure terminal
Step 3 config-register 0x0 Changes the configuration register settings.
• The 0x0 setting forces the router to boot to the ROM monitor at the next system reload.
Example:
Router(config)# config-register 0x0
Step 4 exit Exits global configuration mode.
Example:
Router(config)# exit
Step 5 write memory Sets to boot the system image from flash memory.
Example:
Router# write memory
Step 6 reload Reloads the operating system.
• Because of the 0x0 configuration register setting, the router boots to ROM monitor mode.
Example:
Router# reload
<output deleted>
rommon 1>
Examples
The following example shows how to set the configuration register to boot to ROM monitor mode:
Router>
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# config-register 0x0
Router(config)# exit
Router#
*Sep 23 16:01:24.351: %SYS-5-CONFIG_I: Configured from console by console
Router# write memory
Building configuration...
[OK]
Router# reload
Proceed with reload? [confirm]
What to Do Next
Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)”
section on page 8.
Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)
This section describes how to display ROM monitor commands and command syntax options.
SUMMARY STEPS
1. ?
or
help
2. command -?
DETAILED STEPS
Example:
rommon 1 > ?
Example:
rommon 1 > help
Step 2 command -? Displays syntax information for a ROM monitor command.
Example:
rommon 16 > display -?
Examples
This section provides the following examples:
• Sample Output for the ? or help ROM Monitor Command, page 9
• Sample Output for the xmodem -? ROM Monitor Command, page 10
For more information about using Xmodem, see the Xmodem Console Download Procedure Using
ROMmon at the following URL:
http://www.cisco.com/warp/public/130/xmodem_generic.html
Prerequisites
Determine the filename and location of the system image that you want to load.
SUMMARY STEPS
1. boot
or
boot flash:[filename]
or
boot filename tftpserver
or
boot [filename]
or
boot usbflash<x>:[filename]
DETAILED STEPS
Examples
The following example shows how to boot a system image from flash memory and from USB flash memory:
rommon 7 > boot flash:[filename]
program load complete, entry point: 0x8000f000, size: 0xcb80
TOTAL: 0X009FAFD8
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
Image text-base: 0x40098478, data-base: 0x41520000
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
*Sep 23 16:11:46.331: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold
start
*Sep 23 16:11:46.539: %SYS-6-BOOTTIME: Time taken to reboot after reload = 605 seconds
*Sep 23 16:11:46.735: %CONTROLLER-5-UPDOWN: Controller T1 0/2/0, changed state to down
(LOS detected)
*Sep 23 16:11:46.735: %CONTROLLER-5-UPDOWN: Controller T1 0/2/1, changed state to down
(LOS detected)
*Sep 23 16:11:48.055: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to
administratively down
*Sep 23 16:11:48.067: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to
administratively down
*Sep 23 16:11:48.079: %LINK-5-CHANGED: Interface Serial0/3/1, changed state to
administratively down
Router>
rommon 1 > boot usbflash1:image
program load complete, entry point: 0x8000f000, size: 0x3d240
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE
(fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
What to Do Next
If you want to configure the router to load a specified image at the next system reload or power-cycle,
see the following documents:
• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide
Prerequisites
• Download the file to your PC. Go to the Software Center at the following URL:
http://www.cisco.com/kobayashi/sw-center/index.shtml.
• Connect your PC to the router console port and launch a terminal emulator program. To see
examples for how to perform this task for similar routers, see the Xmodem Console Download
Procedure Using ROMmon tech note.
Restrictions
• If you use a PC to download a file over the router console port at 115,200 bps, make sure that the
PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).
• If the PC serial port does not use a 16550 UART, we recommend using a speed equal to or lower
than 38,400 bps for downloading a file over the console port.
• Transfer using the xmodem command works only on the console port.
• You can only download files to the router. You cannot use the xmodem command to retrieve files
from the router.
• Because the ROM monitor console download uses the console to perform the data transfer, error
messages are displayed on the console only after the data transfer is terminated. If an error occurs
during console download, the download is terminated, and an error message is displayed. If you
changed the baud rate from the default rate, the error message is followed by a message that tells
you to restore the terminal to the baud rate that is specified in the configuration register.
SUMMARY STEPS
DETAILED STEPS
What to Do Next
If you want to configure the router to load a specified image at the next system reload or power-cycle,
see the following documents:
• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide
Caution Do not set the configuration register by using the config-register 0x0 command after setting the baud
rate. To set the configuration register without affecting the baud rate, use the current configuration
register setting by entering the show ver | inc configuration command and then replacing the last
(rightmost) number with a 0 in the configuration register command.
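The caution above (stated twice on this page) amounts to a small computation: take the current register value, clear only its rightmost hexadecimal digit, and confirm that the console speed bits survive. The following Python is an added example, not code from the Cisco document. It reads the value from show version output and derives the command to enter; the constructed sample line and its "(will be ... at next reload)" suffix are an assumption about the form the output takes when a change is pending.

```python
"""Derive a 'boot to ROM monitor' configuration register value without
disturbing the console speed bits.

Added example, not from the Cisco document.  It implements the caution
on the page: read the current value from 'show version', replace only
the rightmost hexadecimal digit (the boot field, bits 0-3) with 0, and
verify that bits 5, 11 and 12 (console line speed) are unchanged.  The
SHOW_VERSION sample below is constructed, and the '(will be ... at next
reload)' suffix is an assumed format for a pending change.
"""
import re

BOOT_FIELD_MASK = 0x000F      # rightmost hex digit: the boot field
CONSOLE_SPEED_MASK = 0x1820   # bits 5, 11, 12: console line speed

CONFREG_RE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_show_version_confreg(output):
    """Return (current, pending) register values found in 'show version' text.

    pending is None when no change is scheduled for the next reload.
    """
    m = CONFREG_RE.search(output)
    if m is None:
        raise ValueError("no 'Configuration register is 0x...' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def rommon_boot_value(current):
    """Clear the boot field of `current`, keeping every other bit as it is."""
    new = current & ~BOOT_FIELD_MASK & 0xFFFF
    # The point of the caution: the console speed bits must be untouched.
    if (new ^ current) & CONSOLE_SPEED_MASK:
        raise AssertionError("console speed bits changed")
    return new


def config_register_command(current):
    """Text of the IOS command that boots to ROM monitor at the next reload."""
    return f"config-register 0x{rommon_boot_value(current):04X}"


# Constructed sample: a router whose console speed bits are set (not 9600 baud),
# with a different value already scheduled for the next reload.
SHOW_VERSION = "Configuration register is 0x3922 (will be 0x3902 at next reload)\n"

if __name__ == "__main__":
    current, pending = parse_show_version_confreg(SHOW_VERSION)
    print(config_register_command(current))   # config-register 0x3920
```

For a register of 0x3922 the command becomes config-register 0x3920, whereas typing config-register 0x0 would also clear bits 5, 11, and 12 and leave the console at a speed the terminal is no longer configured for.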
Prerequisites
To learn about the configuration register and the function of each of the 16 bits, see the Changing the
Configuration Register Settings document.
Restrictions
The modified configuration register value is automatically written into NVRAM, but the new value does
not take effect until you reset or power-cycle the router.
SUMMARY STEPS
1. confreg [value]
DETAILED STEPS
Examples
In the following example, the configuration register is set to boot the system image from flash memory:
rommon 3 > confreg 0x2102
In the following example, no value is entered; therefore, the system prompts for each bit in the register:
rommon 7 > confreg
Configuration Summary
enabled are:
console baud: 9600
boot: the ROM Monitor
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]: y
enable "use net in IP bcast address"? y/n [n]: y
enable "load rom after netboot fails"? y/n [n]: y
enable "use all zero broadcast"? y/n [n]: y
enable "break/abort has effect"? y/n [n]: y
enable "ignore system config info"? y/n [n]: y
change console baud rate? y/n [n]: y
enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400 [0]: 0
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system
[0]: 0
Configuration Summary
enabled are:
diagnostic mode
console baud: 9600
boot: the ROM Monitor
rommon 8>
SUMMARY STEPS
DETAILED STEPS
Examples
Sample Output for the dir usbFlash Command
rommon > dir usbflash0:
Directory of usbflash0:
id name
usbflash0: usbflash0
usbflash1: usbflash1
eprom: eprom
Note Use the iomemset command only if it is needed for temporarily setting the I/O memory from ROM
monitor mode. Using this command improperly can adversely affect the functioning of the router.
The Cisco IOS software can override the I/O memory percentage if the memory-size iomem command
is set in the NVRAM configuration. If the Cisco IOS command is present in the NVRAM configuration,
the I/O memory percentage set in the ROM monitor with the iomemset command is used only the first
time the router is booted up. Subsequent reloads use the I/O memory percentage set by using the
memory-size iomem command that is saved in the NVRAM configuration.
If you need to set the router I/O memory permanently by using a manual method, use the memory-size
iomem Cisco IOS command. If you set the I/O memory from the Cisco IOS software, you must restart
the router for I/O memory to be set properly.
SUMMARY STEPS
DETAILED STEPS
Examples
In the following example, the percentage of DRAM used for I/O memory is set to 15:
rommon 2 > iomemset
usage: iomemset [smartinit | 5 | 10 | 15 | 20 | 25 | 30 | 40 | 50 ]
rommon 3 >
rommon 3 > iomemset 15
Caution Use the tftpdnld command only for disaster recovery because it can erase all existing data in flash
memory before it downloads a new software image to the router.
Before you can enter the tftpdnld command, you must set the ROM monitor environment variables.
Prerequisites
Connect the TFTP server to a fixed network port on your router.
Restrictions
• LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore,
only a fixed port on your router can be used for TFTP download. This must be a fixed Ethernet port on
the router; on routers that have them, either of the two Gigabit Ethernet ports can be used.
• You can only download files to the router. You cannot use the tftpdnld command to retrieve files
from the router.
SUMMARY STEPS
1. IP_ADDRESS=ip_address
2. IP_SUBNET_MASK=ip_address
3. DEFAULT_GATEWAY=ip_address
4. TFTP_SERVER=ip_address
5. TFTP_FILE=[directory-path/]filename
6. FE_PORT=[0 | 1]
7. FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]
8. GE_PORT=[0 | 1]
9. GE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]
10. MEDIA_TYPE=[0 | 1]
11. TFTP_CHECKSUM=[0 | 1]
12. TFTP_DESTINATION=[flash: | usbflash0: | usbflash1:]
13. TFTP_MACADDR=MAC_address
14. TFTP_RETRY_COUNT=retry_times
15. TFTP_TIMEOUT=time
16. TFTP_VERBOSE=setting
17. set
18. tftpdnld [-hr]
19. y
DETAILED STEPS
Example:
rommon > IP_ADDRESS=172.16.23.32
Step 2 IP_SUBNET_MASK=ip_address Sets the subnet mask of the router.
Example:
rommon > IP_SUBNET_MASK=255.255.255.224
Step 3 DEFAULT_GATEWAY=ip_address Sets the default gateway of the router.
Example:
rommon > DEFAULT_GATEWAY=172.16.23.40
Step 4 TFTP_SERVER=ip_address Sets the TFTP server from which the software will be
downloaded.
Example:
rommon > TFTP_SERVER=172.16.23.33
Step 5 TFTP_FILE=[directory-path/]filename Sets the name and location of the file that will be
downloaded to the router.
Example:
rommon > TFTP_FILE=archive/rel22/c2801-i-mz
Step 6 FE_PORT=[0 | 1] (Optional) Sets the input port to use one of the Fast Ethernet ports.
Example:
rommon > FE_PORT=0
Step 7 FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4] (Optional) Sets the Fast Ethernet port speed mode, with
these options:
• 0—10 Mbps, half-duplex
• 1—10 Mbps, full-duplex
• 2—100 Mbps, half-duplex
• 3—100 Mbps, full-duplex
• 4—Automatic selection (default)
Example:
rommon > FE_SPEED_MODE=3
Examples
Sample Output for Recovering the System Image (tftpdnld)
rommon 16 > IP_ADDRESS=171.68.171.0
rommon 17 > IP_SUBNET_MASK=255.255.254.0
rommon 18 > DEFAULT_GATEWAY=171.68.170.3
rommon 19 > TFTP_SERVER=171.69.1.129
rommon 20 > TFTP_FILE=c2801-is-mz.113-2.0.3.Q
rommon 21 > tftpdnld
IP_ADDRESS: 171.68.171.0
IP_SUBNET_MASK: 255.255.254.0
DEFAULT_GATEWAY: 171.68.170.3
TFTP_SERVER: 171.69.1.129
TFTP_FILE: c2801-is-mz.113-2.0.3.Q
PS1=rommon ! >
IP_ADDRESS=172.18.16.76
IP_SUBNET_MASK=255.255.255.192
DEFAULT_GATEWAY=172.18.16.65
TFTP_SERVER=172.18.16.2
TFTP_FILE=anyname/rel22_Jan_16/c2801-i-mz
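Because tftpdnld can erase flash memory before it downloads, a mistyped mask or gateway in the environment variables above can leave the router with no image at all. The following Python is an added example, not code from the Cisco document: it parses NAME=value lines of the kind the ROM monitor set command lists and checks that the addressing is internally consistent before tftpdnld is entered. The sample variable sets are constructed from the addresses in the sample output above.

```python
"""Check ROM monitor tftpdnld environment variables before recovery.

Added example, not from the Cisco document.  tftpdnld can erase flash
before it downloads, so a wrong mask or gateway can leave the router
without an image.  This parses NAME=value lines as listed by the ROM
monitor 'set' command and checks that the addressing is consistent.
"""
import ipaddress

REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY", "TFTP_SERVER", "TFTP_FILE")


def parse_rommon_set(output):
    """Turn 'NAME=value' lines (the ROM monitor 'set' listing) into a dict."""
    env = {}
    for line in output.splitlines():
        line = line.strip()
        if "=" not in line:
            continue                      # prompt lines and blank lines
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip()
    return env


def validate_tftpdnld_env(env):
    """Return a list of problems; an empty list means the set is consistent."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        return ["missing variable(s): " + ", ".join(missing)]
    try:
        iface = ipaddress.IPv4Interface(f"{env['IP_ADDRESS']}/{env['IP_SUBNET_MASK']}")
        gateway = ipaddress.IPv4Address(env["DEFAULT_GATEWAY"])
        server = ipaddress.IPv4Address(env["TFTP_SERVER"])
    except ValueError as exc:
        return [f"malformed address: {exc}"]

    net = iface.network
    problems = []
    # A host address that is the network or broadcast address of its subnet
    # is a classic sign of a mask typed one bit wrong.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IP_ADDRESS {iface.ip} is the network or broadcast address of {net}")
    if gateway == iface.ip:
        problems.append("DEFAULT_GATEWAY is the router's own address")
    elif gateway not in net:
        problems.append(f"DEFAULT_GATEWAY {gateway} is not on the router's subnet {net}")
    if server == iface.ip:
        problems.append("TFTP_SERVER is the router's own address")
    if env["TFTP_FILE"].endswith("/"):
        problems.append("TFTP_FILE names a directory, not a file")
    return problems


# Constructed sample in the form of the 'set' listing.  The TFTP server is
# off-subnet and reached through the gateway, and 171.68.171.0 is a valid
# host address inside 171.68.170.0/23 even though it ends in .0.
GOOD = """\
PS1=rommon ! >
IP_ADDRESS=171.68.171.0
IP_SUBNET_MASK=255.255.254.0
DEFAULT_GATEWAY=171.68.170.3
TFTP_SERVER=171.69.1.129
TFTP_FILE=c2801-is-mz.113-2.0.3.Q
"""

# Same router with the mask typed as /24: the address is now the network
# address of 171.68.171.0/24 and the gateway is on a different subnet.
BAD = GOOD.replace("255.255.254.0", "255.255.255.0")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, validate_tftpdnld_env(parse_rommon_set(text)))
```

The /23 sample is the interesting case: an address ending in .0 looks wrong at a glance but is a legitimate host address there, while the same address under a /24 mask fails two checks at once. Running the validator against the set listing is a cheap gate before a command that erases the only copy of the image on the router.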
What to Do Next
If you want to configure the router to load a specified image at the next system reload or power-cycle,
see the following documents:
• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide
The ROM monitor commands in this section are all optional and can be entered in any order.
Router Crashes
A router or system crash is a situation in which the system detects an unrecoverable error and restarts
itself. The errors that cause crashes are typically detected by processor hardware, which automatically
branches to special error-handling code in the ROM monitor. The ROM monitor identifies the error,
prints a message, saves information about the failure, and restarts the system. For detailed information
about troubleshooting crashes, see the Troubleshooting Router Crashes and Understanding
Software-forced Crashes tech notes.
Router Hangs
A router or system hang is a situation in which the system does not respond to input at the console port
or to queries sent from the network, such as Telnet and Simple Network Management Protocol (SNMP).
Router hangs occur when:
• The console does not respond
Restrictions
Do not manually reload or power-cycle the router unless reloading or power cycling is required for
troubleshooting a router crash. The system reload or power-cycle can cause important information to be
lost that is needed for determining the root cause of the problem.
SUMMARY STEPS
1. stack
or
k
2. context
3. frame [number]
4. sysret
5. meminfo
DETAILED STEPS
Example:
rommon > stack
Step 2 context (Optional) Displays the CPU context at the time of the fault.
• If it is available, the context from kernel mode and process mode of a loaded image is displayed.
Example:
rommon > context
Examples
This section provides the following examples:
• Sample Output for the stack ROM Monitor Command, page 27
• Sample Output for the context ROM Monitor Command, page 27
• Sample Output for the frame ROM Monitor Command, page 28
• Sample Output for the sysret ROM Monitor Command, page 28
• Sample Output for the meminfo ROM Monitor Command, page 28
-------------------------------------------------
Current Memory configuration is:
Onboard SDRAM: Size = 128 MB : Start Addr = 0x10000000
-----Bank 0 128 MB
-----Bank 1 0 MB
Dimm 0: Size = 256 MB : Start Addr = 0x00000000
-----Bank 0 128 MB
-----Bank 1 128 MB
-------------------------------------------------
Main memory size: 384 MB in 64 bit mode.
Available main memory starts at 0xa0015000, size 393132KB
IO (packet) memory size: 10 percent of main memory.
NVRAM size: 191KB
You can also use the meminfo -l command to show the supported DRAM configurations for the router.
The following is sample output for the command:
Troubleshooting Tips
See the following tech notes:
• Troubleshooting Router Crashes
• Understanding Software-forced Crashes
• Troubleshooting Router Hangs
SUMMARY STEPS
DETAILED STEPS
Examples
Sample Output for the dir flash: Command in ROM Monitor mode
rommon > dir flash:
What to Do Next
Now that you have a system image running on your router, configure the router to load the correct image
at the next system reload or power-cycle. See the following documents:
• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide
Additional References
The following sections provide references related to using the ROM monitor.
Related Documents
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.¹
Link: http://www.cisco.com/public/support/tac/home.shtml
1. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog
box and follow the instructions that appear.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers use external
CompactFlash (CF) memory cards to store the system image, some software feature data, and
configuration files. The CF memory cards use the following file systems. The file system that is
supported depends on router model:
• Class B flash file system, also known as the low-end file system (LEFS)
• Class C flash file system, similar to the standard DOS file system
This document contains the following sections:
• Platforms Supported by This Document, page 1
• Requirements and Restrictions, page 2
• Online Insertion and Removal, page 2
• How to Format CompactFlash Memory Cards, page 3
• File Operations on CompactFlash Memory Cards, page 5
• Directory Operations on a CompactFlash Memory Card, page 8
Cisco 3800 Series Routers and Cisco 2800 Series Routers (Except for Cisco 2801 Routers)
• Support Class B and Class C flash file systems.
• Support only external CF memory cards.
• If you use a PC to format the CF memory cards, you can format the cards with the Microsoft 16-bit
File Allocation Table (FAT16), Microsoft 32-bit File Allocation Table (FAT32), or Microsoft
Windows NT file system (NTFS). Alternatively, you can format the CF memory card on the router.
Note When formatted on the router, flash memory cards are formatted with the DOSFS file system, a
platform-independent industry-standard file system that is supported on all Cisco 3800 series routers,
Cisco 2800 series routers, and Cisco 1800 series routers.
Caution The external CF memory card should not be removed if the flash memory busy “CF” LED on the router
is ON, because this indicates that the software is accessing the CF memory card. Removing the CF
memory card may disrupt the network, because some software features use the CF memory card to store
tables and other important data.
For instructions on inserting, removing, and replacing the external CF memory card, see the hardware
installation documentation that came with your router.
Erasing the flash filesystem will remove all files! Continue? [confirm]
Current DOS File System flash card in flash: will be formatted into Low
End File System flash card! Continue? [confirm]
Erasing device...
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
...erased
Erase of flash: complete
Copying Files
To copy files, enter the copy command in privileged EXEC mode. To indicate a file that is stored in a
CF memory card, precede the filename with flash:.
In the following example, the file my-config2 on the CF memory card is copied into the running-config
file in the system memory:
Router# copy flash:my-config2 running-config
Displaying Files
To display a list of files on a CF memory card, enter the dir flash: command in privileged EXEC mode:
Router# dir flash:
Directory of flash:/
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata
3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz
63930368 bytes total (51007488 bytes free)
Deleting Files
To delete a file from a CF memory card, enter the delete flash: command.
If you are using a Class B flash file system, after you enter the delete flash: command, the memory space
of the deleted file remains occupied, although the deleted file cannot be recovered. To reclaim the
memory space occupied by a deleted file, enter the squeeze flash: command in privileged EXEC mode.
Note The squeeze flash command applies only to the Class B flash file system. This command is unnecessary
with Class C flash file systems, because unused file space is recovered automatically. Moreover, the
squeeze flash command is not supported on Cisco 1800 series routers or Cisco 2801 routers.
Note The dir flash: command does not display deleted files and files with errors. On Class B flash file
systems, to display all files, including files with errors and deleted files whose memory space has not
been reclaimed with the squeeze flash: command, enter the dir /all flash: command or the show flash:
command in privileged EXEC mode.
Deleting a File from a CompactFlash Memory Card with a Class B Flash File System: Example
In the following example, the file c28xx-i-mz.tmp is deleted from the external CF memory card:
Router# delete flash:c28xx-i-mz.tmp
Because the file was deleted, it does not appear when you enter the dir flash: command:
Router# dir flash:
Directory of flash:/
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata
3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz
63930368 bytes total (51007488 bytes free)
However, if you are using a Class B file system, because the deleted file’s memory space has not yet
been reclaimed, the deleted file is listed when you enter the show flash: command:
Router# show flash:
To reclaim the memory space of deleted files, enter the squeeze flash: command:
Router# squeeze flash:
Renaming Files
To rename a file on a CF memory card, enter the rename command in privileged EXEC mode:
Router# dir flash:
Directory of flash:/
To determine which directory you are in, enter the pwd command in privileged EXEC mode. The CLI
displays which directory or file system is specified as the default by the cd command.
Router# pwd
flash:
To display a list of files in the directory that you are in, enter the dir command in privileged EXEC
mode. The command-line interface will display the files in the file system that was specified as the
default by the cd command.
Router# dir
Directory of flash:/
flash:/config/
Router# dir
Directory of flash:/config/
Removing a Directory
To remove a directory in flash memory, enter the rmdir flash: command in privileged EXEC mode.
Before you can remove a directory, you must remove all files and subdirectories from the directory.
Directory of flash:/config/
No files in directory
This document describes how to upgrade the Cisco IOS software system image on your router.
Contents
• Platforms Supported by This Document, page 1
• Restrictions for Upgrading the System Image, page 1
• Information About Upgrading the System Image, page 2
• How to Upgrade the System Image, page 3
• Additional References, page 24
How Do I Choose the New Cisco IOS Release and Feature Set?
To determine which Cisco IOS releases and feature sets support your platform and required features, go
to Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If
you do not have an account or have forgotten your username or password, click Cancel at the login
dialog box and follow the instructions that appear.
For more detailed information on choosing the new Cisco IOS release and feature set, see the How to
Choose a Cisco IOS Software Release tech note.
OL-5595-01
2
Upgrading the System Image
How to Upgrade the System Image
SUMMARY STEPS
1. enable
2. copy nvram:startup-config {ftp: | rcp: | tftp:}
3. dir flash:
4. copy flash: {ftp: | rcp: | tftp:}
DETAILED STEPS
Examples
The following examples show how to copy a startup configuration to a TFTP server and how to copy
from flash memory to an FTP server.
Prerequisites
Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information
About Upgrading the System Image” section on page 2.
SUMMARY STEPS
1. Select the system image in the Download Software Area at the following URL:
http://www.cisco.com/kobayashi/sw-center/index.shtml.
2. Write down the minimum memory requirements for the image, as displayed in the File Download
Information table.
3. show version
4. Add the memory sizes that are displayed in the show version command output to calculate your
router’s DRAM size.
5. Compare the calculated DRAM size with the minimum memory requirements from Step 2.
a. If the DRAM is equal to or greater than the new system image’s minimum memory
requirements, then proceed to the “Ensuring Adequate Flash Memory for the New System
Image” section on page 6.
b. If the DRAM is less than the new system image’s minimum memory requirements, then you must
upgrade your DRAM. See the hardware installation guide for your router.
DETAILED STEPS
Step 1 Select the system image in the Download Software Area at the following URL:
http://www.cisco.com/kobayashi/sw-center/index.shtml.
You must have an account on Cisco.com. If you do not have an account or have forgotten your username
or password, click Cancel at the login dialog box and follow the instructions that appear.
Step 2 Write down the minimum memory requirements for the image, as displayed in the File Download
Information table.
Step 3 show version
Use this command to display the router processor and memory (shown in bold text in the following
sample output):
Router# show version
Router#
Step 4 Add the memory sizes that are displayed in the show version command output to calculate the amount
of DRAM in your router.
For example, in the sample show version command output shown in Step 3, you would add 231424 KB
and 30720 KB for a total of 262144 KB, or 256 MB, of DRAM.
Tip To convert from kilobytes (KB) to megabytes (MB), divide the number of kilobytes by 1024.
Step 5 Compare the amount of DRAM in the router to the minimum memory requirements from Step 2.
a. If the DRAM is equal to or greater than the new system image’s minimum memory requirements,
proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.
b. If the DRAM is less than the new system image’s minimum memory requirements, you must
upgrade your DRAM. See the hardware installation guide for your router.
What to Do Next
Proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.
Prerequisites
• Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information
About Upgrading the System Image” section on page 2.
• Select the system image in the Download Software Area at:
http://www.cisco.com/kobayashi/sw-center/index.shtml.
You must have an account on Cisco.com. If you do not have an account or have forgotten your
username or password, click Cancel at the login dialog box and follow the instructions that appear.
From the File Download Information table, write down the minimum flash requirements for the
image.
SUMMARY STEPS
1. enable
2. (Class B file systems only) squeeze flash:
3. dir flash:
4. From the displayed output of the dir flash: command, compare the number of bytes available to the
minimum flash requirements for the new system image.
a. If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on
page 10.
b. If the available memory is less than the new system image’s minimum flash requirements,
proceed to Step 5.
5. From the displayed output of the dir flash: command, compare the number of bytes total to the size
of the system image to which you want to upgrade.
a. If the total memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card. See the hardware installation guide for your router.
b. If the total memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to Step 6.
6. dir /all flash:
7. From the displayed output of the dir /all flash: command, write down the names and directory
locations of the files that you can delete.
8. (Optional) copy flash: {tftp | rcp}
9. (Optional) Repeat Step 8 for each file that you identified in Step 7.
10. delete flash:directory-path/filename
11. Repeat Step 10 for each file that you identified in Step 7.
12. (Class B file systems only) squeeze flash:
13. dir flash:[partition-number:]
14. From the displayed output of the dir flash: command, compare the number of bytes available to the
size of the system image to which you want to upgrade.
a. If the available memory is less than the new system image’s minimum flash requirements, then
you must upgrade your compact flash memory card to a size that can accommodate both the
existing files and the new system image. See the hardware installation guide for your router.
b. If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on
page 10.
DETAILED STEPS
Step 1 enable
Use this command to enter privileged EXEC mode. Enter your password if prompted. For example:
Router> enable
Password:
Router#
Note The squeeze command is only applicable for Class B flash file systems. It is not needed for
Class C flash file systems. For more details on supported flash file systems, see Using
CompactFlash Memory Cards.
Use this command to reclaim the memory space of previously deleted files:
Router# squeeze flash:
Step 4 From the displayed output of the dir flash: command, compare the number of bytes available to the
minimum flash requirements for the new system image.
• If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.
• If the available memory is less than the new system image’s minimum flash requirements, proceed
to Step 5.
Step 5 From the displayed output of the dir flash: command, compare the number of bytes total to the size of
the system image to which you want to upgrade.
• If the total memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card. See the hardware installation guide for your router.
• If the total memory is equal to or greater than the new system image’s minimum flash requirements,
proceed to Step 6.
Step 6 dir /all flash:
Use this command to display a list of all files and directories in flash memory:
Router# dir /all flash:
Directory of flash:/
Step 7 From the displayed output of the dir /all flash: command, write down the names and directory locations
of the files that you can delete. If you cannot delete any files, you must upgrade your compact flash
memory card. See the hardware installation guide for your router.
Note Do not delete the system image that the router already uses. If you are not sure which files can
be safely deleted, either consult your network administrator or upgrade your compact flash
memory card to a size that can accommodate both the existing files and the new system image.
See the hardware installation guide for your router.
Step 9 (Optional) Repeat Step 8 for each file that you identified in Step 7.
Step 10 delete flash:directory-path/filename
Use this command to delete a file in flash memory:
Router# delete flash:c38xx-i-mz.tmp
Step 11 Repeat Step 10 for each file that you identified in Step 7.
Step 12 (Class B file systems only) squeeze flash:
Use this command to reclaim the memory space of previously deleted files, for example:
Router# squeeze flash:
Step 14 From the displayed output of the dir flash: command, compare the number of bytes available to the size
of the system image to which you want to upgrade.
• If the available memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card to a size that can accommodate both the existing files and
the new system image. See the hardware installation guide for your router.
• If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.
What to Do Next
Proceed to the “Copying the System Image into Flash Memory” section on page 10.
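The two capacity checks above (DRAM from show version, flash space from dir flash:) as an added Python example that is not part of the Cisco documentation: it parses pasted command output and returns the decision the procedures prescribe. The sample outputs are constructed (the memory figures and the dir flash: totals reuse numbers shown in this document; the "with ...K/...K bytes of memory" line format is assumed from standard Cisco IOS show version output), and the minimum-requirement values stand in for what you read from the File Download Information table.

```python
"""Pre-upgrade capacity check for a Cisco IOS system image upgrade.

Added example, not from the Cisco documentation. It applies the decision
rules of the "Ensuring Adequate DRAM" procedure (Steps 3 to 5) and the
"Ensuring Adequate Flash Memory" procedure (Steps 4, 5 and 14) to text
pasted from `show version` and `dir flash:`.
"""
import re
from typing import Tuple

# Constructed sample of the relevant `show version` line. Standard IOS output
# reads "<platform> (revision ...) with <main>K/<iomem>K bytes of memory."
# The two figures are the ones the document adds together in Step 4.
SHOW_VERSION_SAMPLE = """\
Cisco 2811 (revision 53.50) with 231424K/30720K bytes of memory.
Processor board ID FTX0000000A
"""

# Constructed `dir flash:` sample, mirroring the listing shown in the
# "Displaying Files" section of the CompactFlash document.
DIR_FLASH_SAMPLE = """\
Directory of flash:/

 1580  -rw-     6462268   Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-     6458388   Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)
"""

MEMORY_RE = re.compile(r"with (\d+)K/(\d+)K bytes of memory")
DIR_SUMMARY_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def dram_kb(show_version: str) -> int:
    """Step 4: add main memory and I/O memory (both in KB) to get total DRAM."""
    m = MEMORY_RE.search(show_version)
    if not m:
        raise ValueError("no 'bytes of memory' line found in show version output")
    return int(m.group(1)) + int(m.group(2))


def kb_to_mb(kb: int) -> float:
    """Tip from the document: divide the number of kilobytes by 1024."""
    return kb / 1024


def flash_summary(dir_output: str) -> Tuple[int, int]:
    """Return (bytes total, bytes free) from the summary line of `dir flash:`."""
    m = DIR_SUMMARY_RE.search(dir_output)
    if not m:
        raise ValueError("no 'bytes total (... bytes free)' summary in dir output")
    return int(m.group(1)), int(m.group(2))


def dram_decision(show_version: str, min_dram_kb: int) -> str:
    """Step 5 of the DRAM procedure: enough DRAM -> proceed, else upgrade DRAM."""
    if dram_kb(show_version) >= min_dram_kb:
        return "proceed: DRAM meets the image's minimum memory requirement"
    return "upgrade DRAM: below the image's minimum memory requirement"


def flash_decision(dir_output: str, min_flash_bytes: int) -> str:
    """Steps 4 and 5 of the flash procedure: check free space, then total capacity."""
    total, free = flash_summary(dir_output)
    if free >= min_flash_bytes:
        return "proceed: copy the system image into flash"
    if total < min_flash_bytes:
        return "upgrade CompactFlash card: total capacity is below the image requirement"
    # Total capacity suffices but free space does not: Steps 6 to 14 apply.
    return "delete unneeded files (dir /all flash:, delete, squeeze on Class B), then re-check"


def main() -> None:
    # Placeholder requirements; replace with the File Download Information values.
    min_dram_kb = 262144        # constructed: 256 MB
    min_flash_bytes = 6462268   # constructed: size of the new image file
    total_kb = dram_kb(SHOW_VERSION_SAMPLE)
    print(f"DRAM: {total_kb} KB ({kb_to_mb(total_kb):.0f} MB) -> "
          f"{dram_decision(SHOW_VERSION_SAMPLE, min_dram_kb)}")
    total, free = flash_summary(DIR_FLASH_SAMPLE)
    print(f"flash: {free} of {total} bytes free -> "
          f"{flash_decision(DIR_FLASH_SAMPLE, min_flash_bytes)}")


if __name__ == "__main__":
    main()
```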
Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory
This section describes how to use TFTP or Remote Copy Protocol (RCP) to upgrade the system image.
This is the recommended and most common method of upgrading the system image.
Prerequisites
• Install a TFTP server or an RCP server application on a TCP/IP-ready workstation or PC. Many
third-party vendors provide free TFTP server software, which you can find by searching for “TFTP
server” in a web search engine.
If you use TFTP:
– Configure the TFTP application to operate as a TFTP server, not a TFTP client.
– Specify the outbound file directory to which you will download and store the system image.
• Download the new Cisco IOS software image into the workstation or PC. See the “Where Do I
Download the System Image?” section on page 2.
• Establish a console session to the router. We recommend that you connect your PC directly to the
router console port. See the quick start guide that shipped with your router.
• Verify that the TFTP or RCP server has IP connectivity to the router. If you cannot successfully ping
between the TFTP or RCP server and the router, do one of the following:
– Configure a default gateway on the router.
– Make sure that the server and the router each have an IP address in the same network or subnet.
See the tech note, Determining IP Addresses: Frequently Asked Questions.
Tip For more detailed information on how to perform the prerequisites, see the Software Installation and
Upgrade Procedure tech note.
SUMMARY STEPS
1. enable
2. copy tftp flash
or
copy rcp flash
3. When prompted, enter the IP address of the TFTP or RCP server.
4. When prompted, enter the filename of the Cisco IOS software image to be installed.
5. When prompted, enter the filename as you want it to appear on the router.
6. If an error message appears that says, “Not enough space on device,” do one of the following, as
appropriate:
• If you are certain that all the files in flash memory should be erased, enter y twice when prompted
to erase flash before copying.
• If you are not certain that all files in flash memory should be erased, press Ctrl-Z and follow the
instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on
page 6.
Note Cisco 1841 and Cisco 2801 routers only support DOSFS (Class C) flash memory file
systems. If there is not enough space, you will not be prompted to erase flash memory.
Instead, the operation aborts and you will need to erase some files manually to make enough
space for the image.
7. If the error message does not appear, enter no when prompted to erase the flash memory before
copying.
DETAILED STEPS
Step 1 enable
Use this command to enter privileged EXEC mode. Enter your password if prompted:
Router> enable
Password: <password>
Router#
Step 3 When prompted, enter the IP address of the TFTP or RCP server:
Address or name of remote host []? 10.10.10.2
Step 4 When prompted, enter the filename of the Cisco IOS software image to be installed:
Source filename []? c2600-i-mz.121-14.bin
Step 5 When prompted, enter the filename as you want it to appear on the router. Typically, the same filename
is entered as was used in Step 4:
Destination filename []? c2600-i-mz.121-14.bin
Step 6 If an error message appears that says, “Not enough space on device,” do one of the following as
appropriate:
• If you are certain that all the files in flash memory should be erased, enter y when prompted twice
to confirm that flash memory will be erased before copying:
Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] y
Erasing the flash filesystem will remove all files! Continue? [confirm] y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
• If you are not certain that all the files in flash memory should be erased, press Ctrl-Z and follow
the instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on
page 6.
Step 7 If the error message does not appear, enter no when prompted to erase the flash memory before copying:
Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] no
Troubleshooting Tips
See the Common Problems in Installing Images Using TFTP or an RCP Server tech note.
What to Do Next
Proceed to the “Loading the New System Image” section on page 17.
Using the ROM Monitor to Copy the System Image over a Network
This section describes how to download a Cisco IOS software image from a remote TFTP server to the
router flash memory by using the tftpdnld ROM monitor command.
Before you can enter the tftpdnld ROM monitor command, you must set the ROM monitor environment
variables.
Prerequisites
Restrictions
The LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore,
only a fixed port on your router can be used for TFTP download. This can be either a fixed Ethernet port
on the router or one of the Gigabit Ethernet ports on routers equipped with them.
Note You can use this command only to download files to the router. You cannot use tftpdnld to get files
from the router.
SUMMARY STEPS
DETAILED STEPS
Step 5 Set the TFTP server IP address, which is the location from which the software will be downloaded:
rommon > TFTP_SERVER=172.16.23.33
Step 6 Set the name and directory location to which the image file will be downloaded onto the router. For
example:
rommon > TFTP_FILE=archive/rel22/c2600-i-mz
Step 7 (Optional) Set the input port to use a Gigabit Ethernet port, available on Cisco 2800 series and
Cisco 3800 series routers. Usage is GE_PORT=[0 | 1], selecting either gig 0/0 or gig 0/1. For example:
rommon > GE_PORT=0
Step 8 (Optional) Set the Ethernet connection media type, RJ-45 or SFP. Usage is MEDIA_TYPE=[0 | 1],
where RJ-45=0 and SFP=1 (SFP is applicable only if GE_PORT=0 in the previous step):
rommon > MEDIA_TYPE=1
Step 9 (Optional) Decide whether the router will perform a checksum test on the downloaded image. Usage is
TFTP_CHECKSUM=[0|1], where 1=checksum test is performed (default) and 0=no checksum test. For
example:
rommon > TFTP_CHECKSUM=0
Step 10 (Optional) Set the number of times that the router will attempt Address Resolution Protocol (ARP) and
TFTP download. The default is 7 attempts. For example:
rommon > TFTP_RETRY_COUNT=10
Step 11 (Optional) Set the amount of time, in seconds, before the download process times out. The default is
2400 seconds (40 minutes). The following example shows 1800 seconds (30 minutes):
rommon > TFTP_TIMEOUT=1800
Step 12 (Optional) Configure how the router will display the file download progress. Usage is
TFTP_VERBOSE=[0 | 1 | 2], where:
0=No progress is displayed.
1=Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
2=Detailed progress is displayed during the file download process, for example:
Initializing interface.
Interface link state up.
ARPing for 1.4.0.1
ARP reply for 1.4.0.1 received.
MAC address 00:00:0c:07:ac:01
Step 13 Use the set command to display the ROM monitor environment variables to verify that you have
configured them correctly. For example:
rommon > set
Step 14 Download the system image, as specified by the ROM monitor environmental variables, using the
tftpdnld [-r] command. Without the -r option, the command downloads the specified image and saves
it in flash memory, deleting all existing data in all partitions in flash memory. Using the -r option
downloads and boots the new software but does not save the software to flash memory.
rommon > tftpdnld [-r]
A prompt is displayed:
Do you wish to continue? y/n: [n]: y
Entering “y” confirms that you want to continue with the TFTP download.
What to Do Next
Proceed to the “Loading the New System Image” section on page 17.
Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory
Because the system image is stored on an external CompactFlash memory card, you can use a PC with
a compact flash card reader to format the card and copy a new system image file onto the card. However,
this upgrade method is not commonly used.
For more information about using flash memory cards, see Using CompactFlash Memory Cards.
Prerequisites
• Download the new Cisco IOS Software image to the PC. See the “Where Do I Download the System
Image?” section on page 2.
• Locate the compact flash memory card slot on the router chassis. For help with locating the slot and
instructions for removing and inserting the card, see the hardware installation guide for your router.
Caution Removing the compact flash memory card may disrupt the network because some software features use
the compact flash memory card to store tables and other important data.
SUMMARY STEPS
DETAILED STEPS
Step 1 Remove the compact flash memory card from the router.
Step 2 Insert the card into the compact flash card reader on a PC.
Step 3 Use the PC to copy the system image file to the compact flash memory card.
Step 4 Remove the card from the compact flash card reader.
Step 5 Insert the compact flash memory card into the router.
What to Do Next
Proceed to the “Loading the New System Image” section on page 17.
Using Console Download (xmodem) in ROM Monitor to Copy the System Image into Flash Memory
Use console download, a ROM monitor function, when you do not have access to a TFTP server.
For detailed information about the console download function and the xmodem ROM monitor
command, see the Xmodem Console Download Procedure Using ROMmon tech note.
Prerequisites
• Download the new Cisco IOS software image to your PC. See the “Where Do I Download the
System Image?” section on page 2.
• Connect your PC to the router console port, and launch a terminal emulator program. For examples
of performing this task on similar routers, see the Xmodem Console Download Procedure Using
ROMmon tech note.
Restrictions
• If you use a PC to download a Cisco IOS image over the router console port at 115,200 bps, make
sure that the PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).
• If the PC serial port does not use a 16550 UART, we recommend using a speed of 38,400 bps or
lower when downloading a Cisco IOS image over the console port.
• The xmodem transfer works only on the console port.
• You can only use the xmodem command to download files to the router. You cannot use xmodem
to get files from the router.
• Because the ROM monitor console download uses the console to perform the data transfer, error
messages are displayed on the console only after the data transfer is terminated. If an error occurs
during console download, the download is terminated, and an error message is displayed. If you
changed the baud rate from the default rate, the error message is followed by a message that tells
you to restore the terminal to the baud rate specified in the configuration register.
SUMMARY STEPS
DETAILED STEPS
What to Do Next
Proceed to the “Loading the New System Image” section on page 17.
Loading the New System Image from the Cisco IOS Software
This section describes how to load the new system image from the Cisco IOS software.
SUMMARY STEPS
1. dir flash:
2. configure terminal
3. no boot system
4. (Optional) boot system flash: system-image-filename
5. (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
6. exit
7. show version
8. If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in
the configuration register is between 2 and F, proceed to Step 12.
9. configure terminal
10. config-register 0x2102
11. exit
12. copy run start
13. reload
14. When prompted to save the system configuration, enter no.
15. When prompted to confirm the reload, enter y.
16. show version
DETAILED STEPS
Directory of flash:/
Note Determine whether the new system image is the first file or the only file listed in the dir flash
command output ( is not required if it is the first file or only file listed).
Router(config)#
Step 4 If the new system image is the first file or the only file displayed in the dir flash: command output, you
do not need to perform the following step.
boot system flash: system-image-filename
Use this command to load the new system image after the next system reload or power cycle. For
example:
Router(config)# boot system flash: c2600-i-mz.121-14.bin
Step 5 (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
Step 6 exit
Use this command to exit global configuration mode:
Router(config)# exit
Router#
Router#
Step 8 If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in the
configuration register is between 2 and F, proceed to Step 12.
Step 9 configure terminal
Use this command to enter global configuration mode:
Router# configure terminal
Router(config)#
Step 11 exit
Use this command to exit global configuration mode:
Router(config)# exit
Router#
Step 13 reload
Use this command to reload the operating system:
Router# reload
What to Do Next
Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on
page 22.
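The configuration register rule in Steps 7 to 11 above (and the reason the ROM monitor procedure that follows issues confreg 0x2102) as an added Python example that is not part of the Cisco documentation: it reads the "Configuration register is 0x..." line that show version prints, isolates the last hexadecimal digit, and reports whether config-register 0x2102 is needed before the reload. The sample line is constructed; the bit-6 check (0x0040, ignore startup configuration) is general Cisco IOS knowledge rather than something this document states, included as a pre-reload sanity check.

```python
"""Decode a Cisco IOS configuration register for the upgrade procedure.

Added example, not from the Cisco documentation. Step 8 of "Loading the New
System Image from the Cisco IOS Software" keys on the last digit of the
register (the boot field): 0 or 1 means the register must be set to 0x2102
before the reload; 2 through F means the router already boots from the
boot system commands and the register can be left alone.
"""
import re

CONFREG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]{1,4})")

# Constructed final line of `show version`, as Step 7 of the procedure displays it.
SHOW_VERSION_TAIL = "Configuration register is 0x2101\n"


def parse_confreg(show_version: str) -> int:
    """Extract the register value from show version output as an integer."""
    m = CONFREG_RE.search(show_version)
    if not m:
        raise ValueError("no 'Configuration register is' line in show version output")
    return int(m.group(1), 16)


def boot_field(confreg: int) -> int:
    """The last hexadecimal digit (bits 0-3) of the register."""
    return confreg & 0xF


def describe_boot_field(field: int) -> str:
    """Boot field meanings; general Cisco IOS knowledge, not from this document."""
    if field == 0:
        return "0: stay in ROM monitor at power-up"
    if field == 1:
        return "1: boot the first image found in flash memory"
    return f"{field:X}: boot according to the boot system commands in the startup configuration"


def needs_register_change(confreg: int) -> bool:
    """Step 8: last digit 0 or 1 -> Steps 9-11 (config-register 0x2102) are required."""
    return boot_field(confreg) <= 1


def ignores_startup_config(confreg: int) -> bool:
    """Bit 6 (0x0040) set: the router boots without reading the startup configuration.

    Not part of the document's procedure; added here so an operator notices a
    register such as 0x2142 before reloading, since the new image would then
    come up unconfigured (no interfaces, no access control, no passwords)."""
    return bool(confreg & 0x0040)


def next_step(confreg: int) -> str:
    """Which step the procedure continues with after Step 8."""
    if needs_register_change(confreg):
        return "Step 9: configure terminal; config-register 0x2102; exit; then Step 12"
    return "Step 12: copy run start"


def main() -> None:
    reg = parse_confreg(SHOW_VERSION_TAIL)
    print(f"register 0x{reg:04X}: boot field {describe_boot_field(boot_field(reg))}")
    if ignores_startup_config(reg):
        print("warning: bit 6 is set, startup configuration will be ignored on boot")
    print(next_step(reg))


if __name__ == "__main__":
    main()
```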
SUMMARY STEPS
1. dir flash:[partition-number:]
2. confreg 0x2102
3. boot flash:[partition-number:]filename
4. After the system loads the new system image, press Return a few times to display the Cisco IOS
command-line interface (CLI) prompt.
5. enable
6. configure terminal
7. no boot system
8. boot system flash new-system-image-filename
9. (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
10. exit
11. copy run start
DETAILED STEPS
Note whether the new system image is the first file or the only file listed in the dir flash command
output. (The boot system step is not required if the image is the first file or only file listed.)
Step 2 confreg 0x2102
Use this command to set the configuration register so that, after the next system reload or power cycle,
the router loads a system image from the boot system commands in the startup configuration file:
rommon > confreg 0x2102
Step 4 After the system loads the new system image, press Return a few times to display the Cisco IOS CLI
prompt.
Step 5 enable
Use this command to enable privileged EXEC mode, and enter your password if prompted:
Router> enable
Password: <password>
Router#
Step 8 If the new system image is the first file or the only file displayed in the dir flash: command output, this
step is not required.
boot system flash new-system-image-filename
Use this command to load the new system image after the next system reload or power cycle:
Router(config)# boot system flash c2600-i-mz.121-14.bin
Step 9 (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
Step 10 exit
Use this command to exit global configuration mode:
Router(config)# exit
Router#
What to Do Next
Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on
page 22.
Tip Do not erase any existing backup copies of your configuration and system image that you saved before
upgrading your system image. If you encounter serious problems using your new system image or
startup configuration, you can quickly revert to the previous working configuration and system image,
if necessary.
For more detailed information, see the “Managing Configuration Files” chapter and the “Loading and
Maintaining System Images” chapter of the Cisco IOS Configuration Fundamentals and Network
Management Configuration Guide.
To save backup copies of the startup configuration file and the system image file, complete the following
steps.
SUMMARY STEPS
1. enable
2. copy nvram:startup-config {ftp: | rcp: | tftp:}
3. dir flash:
4. copy flash: {ftp: | rcp: | tftp:}
DETAILED STEPS
Examples
Copying the Startup Configuration to a TFTP Server: Example
The following example shows the startup configuration being copied to a TFTP server:
Router# copy nvram:startup-config tftp:
Additional References
The following sections provide references related to upgrading the system image on your router.
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical
content, including links to products, technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more content.1
Link: http://www.cisco.com/public/support/tac/home.shtml
1. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog
box and follow the instructions that appear.
Troubleshooting Links
2 OL-5999-01