2800 SW Guide

Preface
This preface describes the objectives, audience, organization, and conventions of the software
configuration documentation for your router. It contains the following sections:
• Objectives, page 1
• Audience, page 1
• Conventions, page 1
• Obtaining Documentation, page 2
• Documentation Feedback, page 3
• Obtaining Technical Assistance, page 3
• Obtaining Additional Publications and Information, page 5
Objectives
These documents explains how to configure and maintain your Cisco router.
Audience
These documents are designed for the person installing, configuring, and maintaining the Cisco router,
who should be familiar with networking technology and terminology.
Conventions
These documents use the conventions listed in Table 1 to convey instructions and information.
Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Obtaining Documentation
Table 1 Command Conventions
Convention Description
boldface font Commands and keywords.
italic font Variables for which you supply values.
[ ] Optional keywords or arguments appear in square brackets.
{x | y | z} A choice of required keywords appears in braces separated by vertical bars. You
must select one.
screen font Examples of information displayed on the screen.
boldface screen Examples of information you must enter.
font
< > Nonprinting characters, for example passwords, appear in angle brackets in
contexts where italics are not available.
[ ] Default responses to system prompts appear in square brackets.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but could be useful information, similar to a Timesaver.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/cisco/web/support/index.html
Preface
2 OL-5591-01
Documentation Feedback
You can access the Cisco website at this URL:

http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
For information on obtaining documentationsee the monthly What’s New in Cisco Product
Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Ordering tool:
http://www.cisco.com/web/ordering/root/index.html
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in
North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
For your convenience a documentation feedback form is located at the bottom of every online document.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical
Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical
Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service
contract, contact your reseller.
Preface
OL-5591-01 3
Obtaining Technical Assistance
Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and
resolving technical issues with Cisco products and technologies. The website is available 24 hours a day,
365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password.
If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support
Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product
Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID
or model name; by tree view; or for certain products, by copying and pasting show command output.
Search results show an illustration of your product with the serial number label location highlighted.
Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Preface
4 OL-5591-01
Obtaining Additional Publications and Information
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your

business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.

Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit
Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• The Cisco Products and Services Index describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the Products and Services
Index at this URL:
http://www.cisco.com/en/US/products/index.html
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
Preface
OL-5591-01 5
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is
a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS,
iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers,
Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0711R)
Preface
6 OL-5591-01
Overview
Cisco 2800 series integrated service routers provide a range of models in which you can install a variety
of modules. The number and type of modules vary by platform. Examples of these modules include
WAN interface cards (WICs), voice interface cards (VICs), voice/WAN interface cards (VWICs),
high-speed WAN interface cards (HWICs.), packet voice data modules (PVDMs), network modules
enhanced (NME), advanced integration modules (AIMs), and extension voice modules (EVMs).
These routers feature the following:
• The Cisco 2801 router supports two HWIC/WIC/VIC/VWIC slots, capable of supporting both
single-wide and double-wide HWICs, one WIC/VIC/VWIC slot, one VIC/VWIC (voice only) slot,
two Fast Ethernet connections, optional inline power output of up to 120 Watts, and two advanced
integration module (AIM) slots.
• The Cisco 2811 router, in addition to the features in the Cisco 2801, supports one single-wide
network module enhanced (NME), four single-width or two double-wide HWICs, and optional
inline power output of up to 160 Watts.
• In Cisco 2821 routers, in addition to the features in the Cisco 2811, the network module slot adds
support for a single-wide network module enhanced extended (NME-X), and an additional slot
supports an extension voice module (EVM). Three PVDMs are supported, the LAN ports support
Gigabit Ethernet, and optional inline power output of up to 240 Watts is provided.
• In Cisco 2851 routers, in addition to the features in the Cisco 2821, the network module slot adds
support for network module double-wide (NMDs) and network module enhanced extended
double-wide (NME-XDs), and optional inline power output of up to 360 Watts is provided.
Note The interface numbering and asynchronous line numbering on Cisco 2800 series routers are different
from the numbering schemes used on other Cisco modular routers. For details, see the hardware
installation documentation for your router.

Cisco 2800 Series Software Configuration Documentation
Cisco 2800 Series Software Configuration Documentation

Unlike traditional documentation, wherein all of the information appears within one printed book, the
Cisco 2800 series routers software configuration documentation takes advantage of the capabilities
inherent in web-based presentation. This includes extensive hyperlinking to other information, tools, and
many other resources on Cisco.com.
Instead of chapters, each topic area can be accessed independently. At the top level, available at
“Cisco 2800 Series Software Configuration,” the main software configuration topics include:
• Basic Software Configuration
– Basic Software Configuration Using the Setup Command Facility
– Basic Software Configuration Using the Cisco IOS Command-Line Interface
• Finding Feature Documentation
• Configuration Examples
• Troubleshooting and Maintenance
– Upgrading the System Image
– Using CompactFlash Memory Cards
– Using the ROM Monitor
– Changing the Configuration Register Settings
– Troubleshooting Links
Note Besides the setup facility and the IOS command-line interface, a third way of configuring Cisco routers
is through the Cisco Router and Security Device Manager. Additional information about SDM features,
is available at this URL: http://www.cisco.com/go/sdm
Note You must have an account on Cisco.com to access many of the available tools. If you do not have an
account or have forgotten your username or password, click Cancel at the login dialog box and follow
the instructions.
Contents
Following is a list of the main topics covered in the remainder of this overview:
• Performing Initial Configuration, page 3
• Using the Cisco IOS Startup Sequence, page 8
Overview
2 OL-6154-01
Performing Initial Configuration

You can configure your router by using one of the following methods:
• Initial Configuration Using the Cisco Router and Security Device Manager, page 3
• Initial Configuration Using the Setup Command Facility, page 4
• Initial Configuration Using the Command-Line Interface, page 7
Initial Configuration Using the Cisco Router and Security Device Manager
Note We recommend that you use the Cisco Router and Security Device Manager to configure your router.
Built-in verification systems and sanity checks help to ensure both correct configurations and robust
security practices.
The Cisco Router and Security Device Manager (SDM) is an easy-to-use device management tool that
allows you to configure Cisco IOS security features and network connections through an intuitive
web-based graphical user interface.You can use SDM wizards to:
• Configure additional LAN and WAN connections
• Create firewalls
• Configure Virtual Private Network (VPN) connections
• Perform security audits
SDM also provides an advanced mode, through which you can configure advanced features, such as
Firewall Policy, Network Address Translation (NAT), VPNs, routing protocols, and other options.
For More Information About SDM and About Your Router

For additional information about SDM features, refer to the SDM online help. Additional information
about SDM is also available at this URL:
http://www.cisco.com/go/sdm
Here you can find detailed information about SDM, including an SDM FAQ, data sheet, customer
presentation, Flash demo, and links to technical documentation and product updates.
Refer to the quick start guide for your router for other procedures, such as connecting a PC to the router
console port so that you can use the CLI when you need to, and using the router LEDs to verify
installation. The quick start guide may also contain important warranty information.
Obtaining the Latest Version of SDM

SDM is regularly enhanced to provide new features. If you are already running SDM on the router, you
can update SDM automatically by clicking on the Tools menu and selecting Update SDM. SDM will
determine whether there is a more recent version available and enables you to download and install it on
the router.
If you have a supported router that does not have SDM installed, you can download the latest version of
SDM free of charge. Instructions for installing it on your router can be found at this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm
Overview
OL-6154-01 3
You should consult the SDM release notes to determine if SDM is supported for the router on which you
want to install it.
If the following messages appear at the end of the startup sequence, Cisco Router and Security Device
Manager (SDM) is installed on your router:
yourname con0 is now available
Press RETURN to get started.
Tip If these messages do not appear, SDM was not shipped with your router. If you want to use SDM, you
can download the latest version of SDM and instructions for installing it on your router from the
following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm
To obtain the SDM quick start guide, SDM release notes, and other SDM documentation, go to
http://www.cisco.com/go/sdm and click the Technical Documentation link.
For instructions on configuring your router by using SDM, refer to the Cisco Router and Security Device
Manager (SDM) Quick Start Guide that shipped with your router.
Initial Configuration Using the Setup Command Facility

This section shows how to use the setup command facility to configure a host name for the router, set
passwords, and configure an interface for communication with the management network.
If the following messages appear at the end of the startup sequence, the setup command facility has been
invoked automatically:
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Would you like to enter the initial configuration dialog? [yes/no]:
The setup command facility prompts you for basic information about your router and network, and it
creates an initial configuration file. After the configuration file is created, you can use the CLI or
Security Device Manager to perform additional configuration.
The prompts in the setup command facility vary, depending on your router model, the installed interface
modules, and the software image. The following example and the user entries (in bold) are shown as
examples only.
Note If you make a mistake while using the setup command facility, you can exit and run the setup command
facility again. Press Ctrl-C, and enter the setup command at the privileged EXEC mode prompt
(Router#).
Step 1 To proceed using the setup command facility, enter yes:

Would you like to enter the initial configuration dialog? [yes/no]: yes
Overview
4 OL-6154-01
Step 2 When the following messages appear, enter yes to enter basic management setup:
Basic management setup configures only enough connectivity

for management of the system, extended setup will ask you
to configure each interface on the system
Would you like to enter basic management setup? [yes/no]: yes
Step 3 Enter a hostname for the router (this example uses Router):
Configuring global parameters:
Enter host name [Router]: Router
Step 4 Enter an enable secret password. This password is encrypted (more secure) and cannot be seen when
viewing the configuration:
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx
Step 5 Enter an enable password that is different from the enable secret password. This password is not
encrypted (less secure) and can be seen when viewing the configuration:
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx
Step 6 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports
other than the console port:
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx
Step 7 Respond to the following prompts as appropriate for your network:

Configure SNMP Network Management? [yes]:
Community string [public]:
A summary of the available interfaces is displayed.
Note The interface numbering that appears depends on the type of Cisco modular router platform and on the
installed interface modules and cards.
Current interface summary
Controller Timeslots D-Channel Configurable modes Status

T1 0/0 24 23 pri/channelized Administratively up
Any interface listed with OK? value "NO" does not have a valid configuration
Interface IP-Address OK? Method Status Prol

FastEthernet0/0 unassigned NO unset up up
FastEthernet0/1 unassigned NO unset up dow
Overview
OL-6154-01 5
Step 8 Select one of the available interfaces for connecting the router to the management network:
Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0

Configuring interface FastEthernet0/0:
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Operate in full-duplex mode? [no]: no
Configure IP on this interface? [yes]: yes
IP address for this interface: 172.1.2.3
Subnet mask for this interface [255.255.0.0] : 255.255.0.0
Class B network is 172.1.0.0, 26 subnet bits; mask is /16
Step 10 The configuration is displayed:

The following configuration command script was created:
hostname Router
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
interface FastEthernet0/0
no shutdown
speed 100
duplex half
ip address 172.1.2.3 255.255.0.0
!
shutdown
no ip address
end
Step 11 Respond to the following prompts. Select [2] to save the initial configuration.
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]: 2

Building configuration...
Use the enabled mode 'configure' command to modify this configuration.
Press RETURN to get started! RETURN
The user prompt is displayed.

Router>
Step 12 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for
verification procedures.
For more information, see the Basic Software Configuration Using the Setup Command Facility section,
available at this URL:
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_setup.htm
l
Overview
6 OL-6154-01
Initial Configuration Using the Command-Line Interface

This section describes briefly how to display a command-line interface (CLI) prompt for configuration
using the CLI.
You can use the CLI if the following messages appear at the end of the startup sequence:
If these messages do not appear, SDM and a default configuration file were installed on the router at the
factory. To use SDM to configure the router, see the “Initial Configuration Using the Cisco Router and
Security Device Manager” section on page 3.
Note Be sure to save your configuration changes occasionally so that they are not lost during resets, power
cycles, or power outages. Use the copy running-config startup-config command at the privileged
EXEC mode prompt (Router#) to save the configuration to NVRAM.
Step 1 To proceed with manual configuration using the CLI, enter no when the power-up messages end:
Would you like to enter the initial configuration dialog? [yes/no]: no
Step 2 Press Return to terminate autoinstall and continue with manual configuration:
Would you like to terminate autoinstall? [yes] Return
Several messages appear, ending with a line similar to the following:

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled <date> <time> by <person>
Step 3 Press Return to display the Router> prompt:

...
flashfs[4]: Initialization complete.
Router>
Step 4 Enter privileged EXEC mode:

Router> enable
Router#
Step 5 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for
verification procedures.
For more information on using the CLI for router configuration, see the Basic Software Configuration
Using the Cisco IOS Command-Line Interface section, available at this URL:
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_cli.html
Overview
OL-6154-01 7
Using the Cisco IOS Startup Sequence
Verifying the Initial Configuration

To verify that the new interfaces are operating correctly, perform the following tests:
• To verify that the interfaces are operating correctly and that the interfaces and line protocol are in
the correct state—up or down—enter the show interfaces command.
• To display a summary status of the interfaces configured for IP, enter the show ip interface brief
command.
• To verify that you configured the correct host name and password, enter the show configuration
command.
When you have completed and verified the initial configuration, your Cisco router is ready to configure
for specific functions.

This section explains how to use the IOS Startup sequence to configure your router, as an alternative to
using SDM.
Note Because SDM uses a default configuration file, if you have used SDM to configure your router, it will
not execute the standard Cisco IOS startup sequence.
Using the Cisco IOS setup utility enables you to use TFTP or BOOTP configuration download, or use
other features available through the standard Cisco IOS startup sequence.
The configuration file shipped with your router does the following:
• Provides an IP address for your Fast Ethernet interface, enabling an interface to your LAN
• Enables your router’s HTTP/HTTPS server, allowing HTTP access from your LAN
• Creates a default username (cisco) and password (cisco) with privilege level 15
• Enables Telnet/SSM access to the router from your LAN
To erase the existing configuration and use the Cisco IOS startup sequence, perform the following steps.
Note SDM remains installed on the router. See the “Enabling SDM on a Router Configured to Use the IOS
Startup Sequence” section on page 9 for instructions to reenable it.
Step 1 Connect the light blue console cable, included with your router, from the blue console port on your router
to a serial port on your PC. Refer to the hardware installation guide that came with your router for
instructions.
Step 2 Connect the power supply to your router, plug the power supply into a power outlet, and turn on your
router. Refer to the quick start guide that came with your router for instructions.
Step 3 Use Hyperterminal or a similar terminal emulation program on your PC, with the terminal emulation
settings of 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to your router.
Overview
8 OL-6154-01
Step 4 At the prompt, enter the enable command. The default configuration file does not configure an enable
password:
yourname> enable
yourname#
Step 5 Enter the erase startup-config command:

yourname# erase startup-config
Step 6 Confirm the command by pressing Enter.

Step 7 Enter the reload command:
yourname# reload
Step 8 Confirm the command by pressing Enter.
The router begins executing the standard startup sequence. If you want to use SDM to perform
subsequent configurations for the router, you must reconfigure the router manually to support web-based
applications, and the Telnet and Secure Shell (SSH) protocols. You must also create a user account with
a privilege level of 15. See the “Enabling SDM on a Router Configured to Use the IOS Startup
Sequence” section on page 9 for information on doing this.
Enabling SDM on a Router Configured to Use the IOS Startup Sequence

If you erased the factory startup configuration to use the IOS startup sequence, you can still use SDM.
To do so, you must configure the router to support web-based applications, configure it with a user
account defined with privilege level 15, and then configure it to support the Telnet and SSH protocols.
These changes can be made using a telnet session or using a console connection.
Configuring the Router to Support Web-Based Applications, a User with Priv 15, and Telnet/SSH
Step 1 Enable the HTTP/HTTPS server on the router, using the following Cisco IOS commands in the global
configuration mode:
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
If the router uses an IPSec IOS image, the HTTPS server is enabled. Otherwise only the HTTP server is
enabled.
Step 2 Create a user account with privilege level 15 (enable privileges, if necessary).
Router(config)#username <username> privilege 15 password 0 <password>
Replace <username> and <password> with the username and password of your choosing.
Step 3 Configure SSH and Telnet for local login and privilege level 15:
line vty 0 4
privilege level 15
login local
transport input telnet
transport input telnet ssh
Overview
OL-6154-01 9
Step 4 (Optional) Enable local logging to support the log monitoring function:
Router(config)#logging buffered 51200 warning
To use SDM on a router that has received a manual configuration, see the “Starting SDM on a Manually
Configured Router” section on page 10.
Starting SDM on a Manually Configured Router
Note By default, the DHCP server is turned off on the Cisco 28xx series routers.
SDM is a web-based application that must be run from a PC that is connected to the router over a LAN.
If the router is configured as a DHCP server, the PC must be configured to receive an IP address
automatically. If the router is not configured as a DHCP server, you must configure the PC with a static
IP address on the same subnet as the router interface to which you are connecting the PC. For example,
if the router has the IP address 172.16.30.1, and the subnet mask is 255.255.255.248, you must configure
the PC to use a network address in the range 172.16.30.2 through 172.16.30.6, and use the same subnet
mask as the router.
Step 1 Open a web browser on the PC, and enter the IP address for the router.
https://IP-address
The https://... specifies that the Secure Socket Layer (SSL) protocol will be used for a secure
connection. You can use http://... if SSL is not available.
Step 2 Enter the username and password that you specified in Step 2 of “Configuring the Router to Support
Web-Based Applications, a User with Priv 15, and Telnet/SSH.”
To continue configuring your router, see the “Initial Configuration Using the Cisco Router and Security
Device Manager” section on page 3.
Overview
10 OL-6154-01
Basic Software Configuration Using the Setup
Command Facility
You can configure your router by using the Cisco Router and Security Device Manager (SDM), the
Cisco IOS setup command facility, or the Cisco IOS command-line interface (CLI).
Note Wherever possible, we recommend that you use SDM to configure your router. For information on the
availability and use of SDM, see the quick start guide that shipped with your router.
The software configuration documentation describes how to perform configuration tasks by using the
CLI. However, this specific document describes how to perform basic configurations by using the
Cisco IOS setup command facility.
Contents
• Platforms Supported by This Document, page 1
• Information About the Setup Command Facility, page 2
• Using the Setup Command Facility to Perform Basic Configuration, page 2
• Examples of Using the Setup Command Facility to Configure Interface Parameters, page 5
• Completing the Configuration, page 25
Platforms Supported by This Document

Use this document with the following platforms:
• Cisco 1800 series routers

Information About the Setup Command Facility
Information About the Setup Command Facility

The setup command facility prompts you to enter the information that is needed to configure a router
quickly. The facility steps you through a basic configuration, including LAN and WAN interfaces. For
more general information about the setup command facility, see the following document:
Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2:
Part 1: Cisco IOS User Interfaces:
Using AutoInstall and Setup
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/ffcprt1/fcf002.htm
Using the Setup Command Facility to Perform Basic

Configuration
This section shows how to configure a hostname for the router, set passwords, and configure an interface
for communication with the management network.
Note The messages that will be displayed will vary, depending on your router model, the installed interface
examples only.
Note If you make a mistake while using the setup command facility, you can exit and run the setup command
facility again. Press Ctrl-C, and enter the setup command in privileged EXEC mode (Router#).
Step 1 Enter the setup command facility by using one of the following methods:
• From the Cisco IOS CLI, enter the setup command in privileged EXEC mode:
Router> enable
Password: <password>
Router# setup

Continue with configuration dialog? [yes/no]:
• If your router reloads and does not already have a configuration file, you are prompted to enter the
setup command facility:
Step 2 To proceed using the setup command facility, enter yes.
Basic Software Configuration Using the Setup Command Facility

2 OL-5992-01
Using the Setup Command Facility to Perform Basic Configuration
Step 3 When the following messages appear, enter yes to enter basic management setup:
Basic management setup configures only enough connectivity

for management of the system, extended setup will ask you
to configure each interface on the system
Would you like to enter basic management setup? [yes/no]: yes
Step 4 Enter a hostname for the router (this example uses myrouter):
Configuring global parameters:
Enter host name [Router]: myrouter
Step 5 Enter an enable secret password. This password is encrypted (for more security) and cannot be seen
when viewing the configuration.
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx
Step 6 Enter an enable password that is different from the enable secret password. This password is not
encrypted (and is less secure) and can be seen when viewing the configuration.
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx
Step 7 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports
other than the console port:
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx

Configure SNMP Network Management? [yes]:
Community string [public]:
A summary of the available interfaces is displayed.
Note The interface numbering that appears is dependent on the type of Cisco modular router platform
and on the installed interface modules and cards.
Current interface summary
Controller Timeslots D-Channel Configurable modes Status

T1 0/0 24 23 pri/channelized Administratively up
Any interface listed with OK? value "NO" does not have a valid configuration
Interface IP-Address OK? Method Status Prol

FastEthernet0/0 unassigned NO unset up up
FastEthernet0/1 unassigned NO unset up dow

OL-5992-01 3
Using the Setup Command Facility to Perform Basic Configuration
Step 9 Select one of the available interfaces for connecting the router to the management network:
Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0

Configuring interface FastEthernet0/0:
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Operate in full-duplex mode? [no]: no
Configure IP on this interface? [yes]: yes
Class B network is 172.1.0.0, 16 subnet bits; mask is /16
The configuration is displayed:
The following configuration command script was created:
hostname myrouter
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
no shutdown
media-type 100BaseX
half-duplex
ip address 172.1.2.3 255.255.0.0
!
shutdown
no ip address
!
end
Step 11 Respond to the following prompts. Select [2] to save the initial configuration:
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]: 2

Press RETURN to get started! RETURN
The user prompt is displayed:

myrouter>
After you complete the initial configuration tasks, you can start configuring your Cisco router for
specific functions.

4 OL-5992-01
Examples of Using the Setup Command Facility to Configure Interface Parameters
Examples of Using the Setup Command Facility to Configure

Interface Parameters
The setup command facility prompts vary and depend on which fixed or modular interfaces are in your
router. This section provides examples that use the setup command facility to perform the following
operations:
• Fast Ethernet Interface Configuration, page 5
• Gigabit Ethernet Interface Configuration, page 6
• 1- or 2-Port Serial Interface Configuration, page 8
• Asynchronous/Synchronous Serial Interface—Asynchronous Configuration, page 11
• Asynchronous/Synchronous Serial Interface—Synchronous Configuration, page 11
• ISDN Basic Rate Interface Configuration, page 13
• Channelized E1/T1 ISDN PRI Interface Configuration, page 19
• 1-Port, 4-Wire, 56-kbps DSU/CSU Configuration, page 24
Note The messages that will be displayed will vary, depending on your router model, the installed interface
examples only.
Fast Ethernet Interface Configuration

The following is a brief example of configuring a Fast Ethernet interface by using the setup command
facility:
Do you want to configure FastEthernet0/0 interface [yes]:
Use the 100 Base-TX (RJ-45) connector? [yes]:
Operate in full-duplex mode? [no]:
Configure IP on this interface? [no]: yes
Number of bits in subnet field [0]:
Class A network is 6.0.0.0, 0 subnet bits, mask is /8
Configure IPX on this interface? [yes]:
IPX network number [1]:
Need to select encapsulation type
[0] sap (IEEE 802.2)
[1] snap (IEEE 802.2 SNAP)
[2] arpa (Ethernet_II)
[3] novell-ether (Novell Ethernet_802.3)
Enter the encapsulation type [2]:
Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and
FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than
5 Mbps in each direction), the interface will experience excessive collisions and reset once per second.
To avoid this problem, traffic must be limited to less than 100% of capacity.

OL-5992-01 5
Gigabit Ethernet Interface Configuration

The following is a brief example of configuring a Gigabit Ethernet interface by using the setup command
facility:
Note The Gigabit Ethernet interface is not supported on Cisco 1841, Cisco 2801, or Cisco 2811 routers.
Configuring interface GigabitEthernet0/0:

Configure IP on this interface? [yes]:
IP address for this interface [192.168.200.215]: 1.0.0.1
Class A network is 1.0.0.0, 8 subnet bits; mask is /8
Note On Cisco 3800 series routers, the port gig 0/0 supports both the small form-factor pluggable Gigabit
Ethernet Interface Converter (SFP GBIC) and RJ-45 media types. The port gig 0/1 supports only RJ-45.
To select between SFP or RJ-45 for port gig 0/0, use the media-type command. More details follow in
the “Selecting the Port for the Gigabit Ethernet Interface” section on page 6.
The following are two examples of configurations for the Gigabit Ethernet (GE) interface. The first
example shows a sample configuration for RJ-45 mode, applicable to either port gig 0/0 or port gig 0/1:
interface GigabitEthernet0/0
ip address 1.3.153.13 255.0.0.0
duplex auto
speed auto
media-type RJ-45
SFP mode (on Cisco 3800 seriers routers only) is available only on port gig 0/0:
ip address 1.3.153.13 255.0.0.0
duplex auto
speed auto
media-type sfp
Selecting the Port for the Gigabit Ethernet Interface

The SFP port is supported for the GE port 0 only. GE port 1 supports only RJ-45 (or copper mode)
operation.
To select SFP type for GE port 0, use the following commands from the command-line interface (CLI):
router(config)# int gigabitEthernet 0/0
router(config-if)# media-type sfp
GigabitEthernet0/0: Changing media to SFP.
Note The SFP port can only be set to 1000-Mbps or automatic speed. Duplex can be set to full-duplex or
automatic mode. Half-duplex communication is not supported.

6 OL-5992-01
The following is a typical show running config command output for gig 0/0:
router# show run int gigabitEthernet 0/0
Current configuration : 156 bytes

!
no ip address
load-interval 30
shutdown
duplex auto
speed auto
media-type sfp
no cdp enable
end
Flow Control Capabilities
Both the RJ-45 (copper) and SFP (fiber) modes of operations suppot flow control. This means that
during congestion conditions, pause frames are sent to the far end by the Media Access Control (MAC)
hardware. Also, the MAC hardware will react to the pause frames received. There is no way in current
MAC hardware to track the number of pause frames received or sent.
Flow control is on by default
Currently, there is no command to turn off the flow control capability for any of the Gigabit Ethernet
ports in any of the RJ45 or SFP modes.
Speed/Duplex Settings for the Gigabit Ethernet Ports
Typically, speed and/or duplex communications are configured manually using the speed and/or duplex
CLI commands.
Note For the SFP port, the speed settings can be set to 1000 Mbps or auto only, and duplex can be set to full
or auto only.
The following examples show the available options:

interface gigabitEthernet 0/[0-1]
router(config-if)# speed ?
10 Force 10 Mbps operation

auto Enable AUTO speed configuration
router(config-if)# duplex ?
auto Enable AUTO duplex configuration

full Force full duplex operation
half Force half-duplex operation

OL-5992-01 7
If the speed is set to 1000 Mbps, the CLI duplex options change as follows:
router(config-if)# speed 1000

Similarly, when duplex is set to half, the supported speeds are 10 Mbps, 100 Mbps, or “auto” as shown
here:

If the media type is SFP, the available speed and duplex settings are as follows:
router(config-if)# media-type sfp
GigabitEthernet0/0: Changing media to SFP.

You may need to update the speed and duplex settings for this interface.


Note If the speed and duplex setting for g0/0 in SFP mode is speed=1000 and duplex=full,
autonegotiation is in forced mode and autonegotation is turned off. For all other mode settings
of speed or duplex for SFP, autonegotiation is turned on.
If speed=1000 and duplex=full modes are specified for both g0/0 and g0/1 interfaces in copper
mode (RJ-45), autonegotiation is still turned on. This is considered to be in forced mode for
speed=1000. This occurence is per the Annex 28D.5 extensions required for clause 40
(1000-BASE-T) IEEE 802.3.
When the speed and duplex modes are forced for 10/100, and full or half modes are forced for
g0/0 and g0/1 interfaces, autonegotiation is turned off. If the interfaces are not in forced mode
for 10/100 speeds, then autonegotation will be turned on.
1- or 2-Port Serial Interface Configuration

The following is a sample configuration for a 1- or 2-port serial interface:
Do you want to configure Serial0/0/0 interface? [yes]:
Some encapsulations supported are

ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:

8 OL-5992-01
Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data
Link Control (HDLC) encapsulation, no further configuration is needed.
No serial cable seen.

Choose mode from (dce/dte) [dte]:
If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or
DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable
is DCE, you see the following prompt:
Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000
Choose clock rate from above: [2000000]:

Subnet mask for this interface [255.0.0.0]:
Configure IPX on this interface? [no]: yes
Frame Relay Encapsulation
The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch
[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:
Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if
you specify none for the Local Management Interface (LMI) type. If you accept the default or specify
another LMI type, the DLCI number is provided by the specified protocol.
Enter the DLCI number for this interface [16]:
Do you want to map a remote machine’s IP address to dlci? [yes]:

IP address for the remote interface: 192.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
IPX address for the remote interface: 40.1234.5678

0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000
choose speed from above: [2000000]: 1200


OL-5992-01 9
If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts
you for the IPX map:
Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
Link Access Procedure, Balanced Encapsulation
The following is a sample of configuration for Link Access Procedure, Balanced (LAPB) encapsulation,
selecting either DCE or DTE mode, with DTE as the default:
lapb circuit can be either in dce/dte mode.
Choose either from (dce/dte) [dte]:
X.25 Encapsulation
The following is an example of X.25 encapsulation:

x25 circuit can be either in dce/dte mode.
Choose from either dce/dte [dte]:
Enter local x25 address: 1234
We will need to map the remote x.25 station’s x25 address

to the remote station’s IP/IPX address
Enter remote x25 address: 4321
Do you want to map the remote machine’s x25 address to IP address? [yes]:
Do you want to map the remote machine’s x25 address to IPX address? [yes]:
Enter lowest 2-way channel [1]:

Enter highest 2-way channel [64]:
Enter frame window (K) [7]:
Enter Packet window (W) [2]:
Enter Packet size (must be powers of 2) [128]:
ATM Data Exchange Interface Encapsulation
The following is an example of asynchronous transfer mode data exchange interface (ATM-DXI)
encapsulation:
Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
Switched Multimegabit Data Service Encapsulation
The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:
Enter smds address for the local interface: c141.5556.1415
We will need to map the remote smds station’s address

Enter smds address for the remote interface: c141.5556.1414

10 OL-5992-01
Do you want to map the remote machine’s smds address to IP address? [yes]:
Do you want to map the remote machine’s smds address to IPX address? [yes]:
Asynchronous/Synchronous Serial Interface—Asynchronous Configuration

The following is a sample configuration for asynchronous configuration for an
asynchronous/synchronous serial interface:
Do you want to configure Serial1/1 interface? [yes]:
Enter mode (async/sync) [sync]: async
Configure IP unnumbered on this interface? [no]:
Configure LAT on this interface? [no]:
Configure AppleTalk on this interface? [no]:
Configure DECnet on this interface? [no]:
Configure CLNS on this interface? [no]:
Configure IPX on this interface? [no]: yes
Configure Vines on this interface? [no]:
Configure XNS on this interface? [no]:
Configure Apollo on this interface? [no]:
Asynchronous/Synchronous Serial Interface—Synchronous Configuration

The following is a sample configuration for synchronous configuration for an
asynchronous/synchronous serial interface:
Do you want to configure Serial1/0 interface? [yes]:
Enter mode (async/sync) [sync]:
Some supported encapsulations are

ppp/hdlc/frame-relay/lapb/x25/atm-dxi/smds
Choose encapsulation type [hdlc]:
Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data
Link Control (HDLC) encapsulation, no further configuration is needed.
No serial cable seen.

Choose mode from (dce/dte) [dte]:
If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or
DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable
is DCE, you see the following prompt:
Configure IP on this interface? [no]: yes
Configure LAT on this interface? [no]:

OL-5992-01 11

The following lmi-types are available to be set,when connected to a frame relay switch:
[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:
you specify none for the Link Management Interface (LMI) type. If you accept the default or specify
another LMI type, the DLCI number is provided by the specified protocol.


0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

LAPB Encapsulation
The following is an example of configuration for LAPB encapsulation, selecting either DCE or DTE
mode, with DTE as the default:
lapb circuit can be either in dce/dte mode.
X.25 Encapsulation
The following is a sample configuration for X.25 encapsulation:

We will need to map the remote x.25 station’s x25 address


12 OL-5992-01
Do you want to map the remote machine’s x25 address to IP address? [yes]:
Do you want to map the remote machine’s x25 address to IPX address? [yes]:

ATM-DXI Encapsulation
The following is a sample configuration for asynchronous transfer mode, data exchange interface
(ATM-DXI) encapsulation:
Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
SMDS Encapsulation
We will need to map the remote smds station’s address

Do you want to map the remote machine’s smds address to IP address? [yes]:
Do you want to map the remote machine’s smds address to IPX address? [yes]:
ISDN Basic Rate Interface Configuration

Valid Integrated Services Digital Network (ISDN) switch types are shown in Table 1.
Table 1 ISDN Switch Types
Country ISDN Switch Type Description

Australia basic-ts013 Australian TS013 switches
Europe basic-1tr6 German 1TR6 ISDN switches
basic-nwnet3 Norwegian NET3 ISDN switches (phase 1)
basic-net3 NET3 ISDN switches (UK and others)
basic-net5 NET5 switches (UK and others)
vn2 French VN2 ISDN switches
vn3 French VN3 ISDN switches
Japan ntt Japanese NTT ISDN switches

OL-5992-01 13
Table 1 ISDN Switch Types (continued)
Country ISDN Switch Type Description

New Zealand basic-nznet3 New Zealand NET3 switches
North America basic-5ess AT&T basic rate switches
basic-dms100 NT DMS-100 basic rate switches
basic-ni1 National ISDN-1 switches
The following is a sample configuration for ISDN basic rate communication:

BRI interface needs isdn switch-type to be configured
Valid switch types are:
[0] none..........Only if you don't want to configure BRI.
[1] basic-1tr6....1TR6 switch type for Germany
[2] basic-5ess....AT&T 5ESS switch type for the US/Canada
[3] basic-dms100..Northern DMS-100 switch type for US/Canada
[4] basic-net3....NET3 switch type for UK and Europe
[5] basic-ni......National ISDN switch type
[6] basic-ts013...TS013 switch type for Australia
[7] ntt...........NTT switch type for Japan
[8] vn3...........VN3 and VN4 switch types for France
Choose ISDN BRI Switch Type [2]:
Do you want to configure BRI0/0/0 interface? [yes]:

ppp/hdlc/frame-relay/lapb/x25
Note The following sections describe the prompts for each encapsulation type. No further configuration is
needed for HDLC encapsulation.
Do you have service profile identifiers (SPIDs) assigned? [no]: y

Enter SPID1: 12345
Enter SPID2: 12345
Note The setup command facility prompts you for the service profile identifier (SPID) number only if you
specify basic-5ess, basic-ni1, or basic-dms100 for the switch type.
Do you want to map the remote machine's IP address in dialer map? [yes]:
Do you want to map the remote machine's IP address in dialer map? [yes]:
IPX address of the remote interface: 40.0060.34c6.90ed
To get to 192.0.0.1 we will need to make a phone call.

Please enter the phone number to call: 1234567890
Note If your router has at least one configured LAN interface, you can choose to use an unnumbered IP
address on the interface.
Configure IP unnumbered on this interface? [no]: y

Assign to which interface [Ethernet0/0]:

14 OL-5992-01
Note If your router does not have a configured LAN interface, you must use a numbered IP address.

Enter the subnet mask [255.0.0.0]:
Point-to-Point Protocol Encapsulation
The following is a sample configuration for point-to-point protocol (PPP) encapsulation:

Would you like to enable multilink PPP [yes]:
Enter a username for CHAP authentication [Router]:remote_router

Enter a password for CHAP authentication: secret
Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP)
authentication process, is case sensitive and must exactly match the password for the remote router.

[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:
Note The setup command facility prompts you for the DLCI number only if you specify none for the LMI
type. If you accept the default or specify another LMI type, the DLCI number is provided by the
specified protocol.


0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

Note If IPX is configured on the router, the setup command facility prompts you for the IPX map:

OL-5992-01 15
Link Access Procedure, Balanced Encapsulation
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation,
with DTE mode as the default:
lapb circuit can be either in dce/dte mode
The following is a sample configuration for asynchronous transfer mode data exchange interface
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
SMDS Encapsulation
We will need to map the remote smds station's address to the remote station’s IP address
Do you want to map the remote machine's smds address to IP address? [yes]:
X.25 Encapsulation
The following is a sample configuration for X.25 encapsulation:

We will need to map the remote x.25 station's x25 address

Do you want to map the remote machine's x25 address to IP address? [yes]:
Do you want to map the remote machine's x25 address to IPX address? [yes]:

16 OL-5992-01
ISDN BRI Line Configuration

Before using a router with an ISDN basic rate interface (BRI) interface, you must order a correctly
configured ISDN BRI line from your local telecommunications service provider.
The ordering process varies from provider to provider and from country to country. However, some
general guidelines apply:
• Ask for two channels to be called by one number.
• Ask for delivery of calling line identification, also known as Caller ID or automated number
identification (ANI).
• If the router will be the only device attached to the ISDN BRI line, ask for point-to-point service
and a data-only line.
• If you plan to connect another ISDN device (such as an ISDN telephone) to the ISDN BRI line
through the router, ask for point-to-multipoint service (subaddressing is required) and a
voice-and-data line.
ISDN BRI Provisioning by Switch Type

ISDN BRI provisioning refers to the types of services provided by the ISDN BRI line. Although
provisioning is performed by your ISDN BRI service provider, you must tell the provider what you want.
Table 2 lists the provisioning you that should order for the router, based on switch type.
Table 2 ISDN Provisioning by Switch Type
Switch Type Provisioning

5ESS Custom BRI For data only
2 B channels for data.
Point to point.
Terminal type = E.
1 directory number (DN) assigned by service provider.
MiniTerm (MTERM) = 1.
Request delivery of calling line ID on Centrex lines.
Set speed for ISDN calls to 56 kbps outside local exchange.
5ESS Custom BRI For voice and data
(Use these values only if you have an ISDN telephone connected.)
2 B channels for voice or data.
Multipoint.
Terminal type = D.
2 directory numbers assigned by service provider.
2 service profile identifiers (SPIDs) required, assigned by service provider.
MTERM = 2.
Number of call appearances = 1.
Display = No.
Ringing/idle call appearances = idle.
Autohold= no.
Onetouch = no.
Directory number 1 can hunt to directory number 2.

OL-5992-01 17
Table 2 ISDN Provisioning by Switch Type (continued)
Switch Type Provisioning

5ESS National ISDN For voice and data
(NI-1) BRI Terminal type = A.
2 B channels for voice and data.
2 SPIDs required; assigned by service provider.
DMS-100 BRI For voice and data
2 B channels for voice and data.
2 SPIDs required; assigned by service provider.
Functional signaling.
Dynamic terminal endpoint identifier (TEID) assignment.
Maximum number of keys = 64.
Release key = no, or key number = no.
Ringing indicator = no.
Electronic Key Telephone Set (EKTS) = no.
Permanent Virtual Circuit (PVC) = 2.
Defining ISDN Service Profile Identifiers

Some service providers assign service profile identifiers (SPIDs) to define the services subscribed to by
an ISDN device. If your service provider requires SPIDs, your ISDN device cannot place or receive calls
until it sends a valid SPID to the service provider when initializing the connection. A SPID is usually a
seven-digit telephone number plus some optional numbers, but service providers may use different
numbering schemes. SPIDs have significance at the local access ISDN interface only; the SPID is never
sent to remote routers.
At present, only DMS-100 and NI-1 switch types require SPIDs. Two SPIDs are assigned for the
DMS-100 switch type, one for each B channel. The AT&T 5ESS switch type may support SPIDs, but
we recommend that you set up that ISDN service without SPIDs.
If your service provider assigns you SPIDs, you must define these SPIDs on the router. To define SPIDs
and the local directory number (LDN) on the router for both ISDN BRI B channels, use the following
isdn spid command in privileged EXEC mode:
Router(config-if)# isdn spid1 spid-number [ldn]
Router(config-if)# isdn spid2 spid-number [ldn]
Note Although the LDN is an optional parameter in the command, you may need to enter it so that the router
can answer calls made to the second directory number.

18 OL-5992-01
Channelized E1/T1 ISDN PRI Interface Configuration
Note Channelized E1/T1 ISDN PRI interfaces are not supported on Cisco 1841 routers.
The following is a sample configuration for a channelized E1/T1 ISDN PRI interface:
The following ISDN switch types are available:
[0] none............If you do not want to configure ISDN
[1] primary-4ess....AT&T 4ESS switch type for US and Canada
[2] primary-5ess....AT&T 5ESS switch type for US and Canada
[3] primary-dms100..Northern Telecom switch type for US and Canada
[4] primary-net5....European switch type for NET5
[5] primary-ni......National ISDN Switch type for the U.S
[6] primary-ntt.....Japan switch type
[7] primary-ts014...Australian switch type
Choose ISDN PRI Switch Type [2]:
Configuring controller T1 1/0 in pri or channelized mode

Do you want to configure this interface controller? [no]:
Will you be using PRI on this controller? [yes]:
E1/T1 PRI Mode

The following is a sample configuration for E1/T1 PRI mode:
The following framing types are available:
esf | sf
Enter the framing type [esf]:
The following linecode types are available:

ami | b8zs
Enter the line code type [b8zs]:
Enter number of time slots [24]:
Do you want to configure Serial1/0:23 interface? [yes]:
Configuring the PRI D-channel

Would you like to enable multilink PPP? [yes]:
Configure IP on this interface? [no]: y
Configure IP unnumbered on this interface? [no]: y
Assign to which interface [Ethernet0/0]:
All users dialing in through the PRI will need to be

authenticated using CHAP. The username and password are
case sensitive.
Enter more username and passwords for PPP authentication? [no]: y
Enter the username used for dial-in CHAP authentication [Router]:
Enter the PPP password of the user dialing in on PRI:
Enter more username and passwords for PPP authentication? [no]:
E1 Channelized Mode
The following is a sample configuration for E1 channelized mode:
no-crc4 | crc4
Enter the framing type [crc4]:

OL-5992-01 19

ami | hdb3
Enter the line code type [hdb3]:
Do you want to configure Serial1/1:0 interface?: [Yes]:
Configuring the Channelized E1/T1 serial channels

Configure IP on this interface? [no]: y
Note The following sections describe the prompts you for each encapsulation type. No further configuration
is needed for HDLC encapsulation.
PPP Encapsulation
The following is a sample configuration for PPP encapsulation:

Enter a username for CHAP authentication [Router]:remote_router

Enter a password for CHAP authentication: secret

[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:
you specify none for the LMI type. If you accept the default or specify another Local Management
Interface (LMI) type, the DLCI number is provided by the specified protocol.


0

20 OL-5992-01
1200, 2400, 4800, 9600, 19200, 38400

56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

LAPB Encapsulation
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:
SMDS Encapsulation
X.25 Encapsulation
The following is an example configuration for X.25 encapsulation:

We will need to map the remote x.25 station's x25 address

Do you want to map the remote machine's x25 address to IP address? [yes]:
Do you want to map the remote machine's x25 address to IPX address? [yes]:

OL-5992-01 21

T1 Channelized Mode
The following is a sample configuration for T1 channelized mode:
esf | sf
Enter the framing type [esf]:

ami | b8zs
Enter the line code type [b8zs]:
T1 is capable of being configured for channel 1-24

Enter number of time slots [24]: 3
Configure more channel groups? [no]: y
Enter number of time slots [15]:
Configure more channel groups? [no]:
Note The following sections describe the prompts for each encapsulation type. No further configuration is
needed for High-Level Data Link Control (HDLC) encapsulation.
PPP Encapsulation
The following is a sample configuration for PPP encapsulation:

Enter a remote hostname for PPP authentication [Router]:

Enter a password for PPP authentication:

[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:

22 OL-5992-01
you specify none for the LMI type. If you accept the default or specify another Local Management
Interface (LMI) type, the DLCI number is provided by the specified protocol.


0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

LAPB Encapsulation
The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:
SMDS Encapsulation

OL-5992-01 23
1-Port, 4-Wire, 56-kbps DSU/CSU Configuration

The switched-56 WAN interface card is configured for dedicated or leased-line service by default, but
it can also be configured for circuit-switched service, here known as 1-port, 4-wire 56-kbps DSU/CSU
configuration. Depending on the type of data transmissions you typically use, you can configure the
switched-56 WAN interface card for either circuit-switched service or dedicated-line service.
Generally, circuit-switched service is ideal for short-duration data transmissions or as an alternative
route if a dedicated line fails. For example, circuit-switched service is ideal for sending electronic mail
messages or doing such tasks as updating inventory and ordering records from one network database to
another at the end of each day.
Dedicated service is ideal for heavy network traffic. Dedicated service is ideal if you need a constant
network connection or you need connection for more than eight hours per day.
Switched Mode
The following is a sample configuration for a switched mode interface:
Switched 56k interface may either be in switched/Dedicated mode

Choose from either (switched/dedicated) [switched]:
The following switched carrier types are to be set when in switched mode
(at&t, sprint or other)
Choose carrier (at&t/sprint/other) [other]:
Do you want to map the remote machine's ip address in dialer map? [yes]:
IP address for the remote interface : 1.0.0.2
Do you want to map the remote machine's ipx address in dialer map? [yes]:
IPX address for the remote interface : 40.0060.34c6.90ed
Note The setup command facility asks for only one telephone number for both IP and Internetwork Packet
Exchange (IPX) (if enabled).
Please enter the phone number to call : 1234567890

Subnet mask for this interface [255.0.0.0] :
Dedicated Mode
The following is a sample configuration for a dedicated mode interface:


24 OL-5992-01
Completing the Configuration
Switched 56k interface may either be in switched/Dedicated mode

Choose from either (switched/dedicated) [switched]: dedi
When in dds mode, the clock for sw56 module can either from line/internal.
Choose clock from (line/internal) [line]:
Note If the internal clock is selected, speed cannot be set to “auto.” Autosensing is allowed only when the
clock source is line.
When in dds mode, the clock for the sw56 module can either be line or internal.
Choose clock from (line/internal) [line]: internal
Warning: internal can be chosen only when connected back-to-back.

auto, 2.4, 4.8, 9.6, 19.2, 38.4

56, 64
choose clock rate from above [56]:

Subnet mask for this interface [255.0.0.0] :

When you have provided all the information requested by the setup command facility, the configuration
appears. To complete your router configuration, follow these steps:
Step 1 A setup command facility prompt asks if you want to save this configuration.
If you answer no, the configuration information you entered is not saved, and you return to the router
enable prompt (Router#). Enter setup to return to the System Configuration Dialog.
If you answer yes, the configuration is saved, and you are returned to the user EXEC prompt
(Router>).
Use this configuration? {yes/no} : yes
Press RETURN to get started!
%LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up

%LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
%LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
%LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
%LINK-3-UPDOWN: Interface Serial0/2, changed state to down
%LINK-3-UPDOWN: Interface Serial1/0, changed state to up
<Additional messages omitted.>

OL-5992-01 25
Step 2 When the messages stop appearing on your screen, press Return to get the Router> prompt.
Note If you see the next message, it means that no other AppleTalk routers were found on the network
attached to the port.
%AT-6-ONLYROUTER: Ethernet0/0: AppleTalk port enabled; no neighbors found
Step 3 The Router> prompt indicates that you are now at the command-line interface (CLI) and you have just
completed a basic router configuration. Nevertheless, this is not a complete configuration. At this point,
you have two choices:
• Run the setup command facility again, and create another configuration.
Router> enable
Password: password
Router# setup
• Modify the existing configuration or configure additional features by using the CLI:
Router> enable
Password: password
Router# configure terminal
Router(config)#

26 OL-5992-01
Basic Software Configuration Using the
Cisco IOS Command-Line Interface
This document describes how to use the Cisco IOS command-line interface (CLI) to perform a basic
software configuration for your router.
Contents
• Prerequisites for Basic Software Configuration Using the Cisco IOS CLI, page 2
• Restrictions for Basic Software Configuration Using the Cisco IOS CLI, page 2
• How to Perform a Basic Software Configuration Using the Cisco IOS CLI, page 2
• Where to Go Next, page 19
• Additional References, page 19


Prerequisites for Basic Software Configuration Using the Cisco IOS CLI
Prerequisites for Basic Software Configuration Using the

Cisco IOS CLI
Follow the instructions in the quick start guide that shipped with your router to install the chassis,
connect cables, and power up the router.
Timesaver Before powering up the router, disconnect all WAN cables from the router to keep it from trying to run
the AutoInstall process. The router may try to run AutoInstall if you power it on while there is a WAN
connection on both ends and the router does not have a valid configuration file stored in NVRAM (for
instance, when you add a new interface). It can take several minutes for the router to determine that
AutoInstall is not connected to a remote TCP/IP host.
Restrictions for Basic Software Configuration Using the

Cisco IOS CLI
If Cisco Router and Security Device Manager (SDM) is installed on your router, we recommend that you
use Cisco SDM instead of the Cisco IOS CLI to perform the initial software configuration. To access
SDM, see the quick start guide that shipped with your router.
How to Perform a Basic Software Configuration Using the

Cisco IOS CLI
This section contains the following procedures:
• Configuring the Router Hostname, page 3 (Optional)
• Configuring the Enable and Enable Secret Passwords, page 4 (Required)
• Configuring the Console Idle Privileged EXEC Timeout, page 5 (Optional)
• Configuring Fast Ethernet and Gigabit Ethernet Interfaces, page 7 (Required)
• Specifying a Default Route or Gateway of Last Resort, page 9 (Required)
• Configuring Virtual Terminal Lines for Remote Console Access, page 12 (Required)
• Configuring the Auxiliary Line, page 14 (Optional)
• Verifying Network Connectivity, page 15 (Required)
• Saving Your Router Configuration, page 17 (Required)
• Saving Backup Copies of Your Configuration and System Image, page 17 (Optional)
Basic Software Configuration Using the Cisco IOS Command-Line Interface

2 OL-5593-01
How to Perform a Basic Software Configuration Using the Cisco IOS CLI
Configuring the Router Hostname

The hostname is used in CLI prompts and default configuration filenames. If you do not configure the
router hostname, the router uses the factory-assigned default hostname “Router.”
Do not expect capitalization and lowercasing to be preserved in the hostname. Uppercase and lowercase
characters are treated as identical by many Internet software applications. It may seem appropriate to
capitalize a name as you would ordinarily do, but conventions dictate that computer names appear in all
lowercase characters. For more information, see RFC 1178, Choosing a Name for Your Computer.
The name must also follow the rules for Advanced Research Projects Agency Network (ARPANET)
hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only
letters, digits, and hyphens. Names must be 63 characters or fewer. For more information, see RFC 1035,
Domain Names—Implementation and Specification.
SUMMARY STEPS
1. enable
2. configure terminal
3. hostname name
4. Verify that the router prompt displays your new hostname.
5. end
DETAILED STEPS
Command or Action Purpose

Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Step 3 hostname name Specifies or modifies the hostname for the network server.
Example:
Router(config)# hostname myrouter
Step 4 Verify that the router prompt displays your new —
hostname.
Example:
myrouter(config)#
Step 5 end (Optional) Returns to privileged EXEC mode.
Example:
myrouter# end

OL-5593-01 3
What to Do Next
Proceed to the “Configuring the Enable and Enable Secret Passwords” section on page 4.
Configuring the Enable and Enable Secret Passwords

To provide an additional layer of security, particularly for passwords that cross the network or are stored
on a TFTP server, you can use either the enable password command or enable secret command. Both
commands accomplish the same thing—they allow you to establish an encrypted password that users
must enter to access privileged EXEC (enable) mode.
We recommend that you use the enable secret command because it uses an improved encryption
algorithm. Use the enable password command only if you boot an older image of the Cisco IOS
software or if you boot older boot ROMs that do not recognize the enable secret command.
For more information, see the “Configuring Passwords and Privileges” chapter in the Cisco IOS Security
Configuration Guide. Also see the Improving Security on Cisco Routers tech note.
Restrictions
If you configure the enable secret command, it takes precedence over the enable password command;
the two commands cannot be in effect simultaneously.
SUMMARY STEPS
1. enable
3. enable password password
4. enable secret password
5. end
6. enable
7. end
DETAILED STEPS

Example:
Router> enable
Example:

4 OL-5593-01

Step 3 enable password password (Optional) Sets a local password to control access to various
privilege levels.
Example: • We recommend that you perform this step only if you
Router(config)# enable password pswd2 boot an older image of the Cisco IOS software or if you
boot older boot ROMs that do not recognize the enable
secret command.
Step 4 enable secret password Specifies an additional layer of security over the enable
password command.
Example: • Do not use the same password that you entered in
Router(config)# enable secret greentree Step 3.
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config)# end
• Verify that your new enable or enable secret password
Example: works.
Router> enable
Step 7 end (Optional) Returns to privileged EXEC mode.
Example:
Router(config)# end
Troubleshooting Tips
If you forget the password that you configured, or if you cannot access privileged EXEC (enable) mode,
see the Password Recovery Procedures for your router, available at
http://www.cisco.com/warp/public/474.
What to Do Next
If you want to set the console interface privileged EXEC timeout to a value other than 10 minutes (the
default), proceed to the “Configuring the Console Idle Privileged EXEC Timeout” section on page 5.
If you do not wish to change the privileged EXEC timeout, proceed to the “Specifying a Default Route
or Gateway of Last Resort” section on page 9.
Configuring the Console Idle Privileged EXEC Timeout

This section describes how to configure the console line’s idle privileged EXEC timeout. By default, the
privileged EXEC command interpreter waits 10 minutes to detect user input before timing out.
When you configure the console line, you can also set communication parameters, specify autobaud
connections, and configure terminal operating parameters for the terminal that you are using. For more
information on configuring the console line, see the Cisco IOS Configuration Fundamentals and
Network Management Configuration Guide. In particular, see the “Configuring Operating
Characteristics for Terminals” and “Troubleshooting and Fault Management” chapters.

OL-5593-01 5
SUMMARY STEPS
1. enable
3. line console 0
4. exec-timeout minutes [seconds]
5. end
6. show running-config
7. exit
Note The exec-timeout command or any changes to the exec-command value is triggered only after you exit
from the EXEC mode and login again.
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 line console 0 Configures the console line and starts the line configuration
command collection mode.
Example:
Router(config)# line console 0
Step 4 exec-timeout minutes [seconds] Sets the idle privileged EXEC timeout, which is the interval
that the privileged EXEC command interpreter waits until
user input is detected.
Example:
Router(config-line)# exec-timeout 0 0 • The example shows how to specify no timeout.
Example:
Router(config-line)# end

6 OL-5593-01

Step 6 show running-config Displays the running configuration file.
• Verify that you properly configured the idle privileged
Example: EXEC timeout.
Router# show running-config
Step 7 exit Exits privileged EXEC mode.
Note For the exec-timeout command to take effect, you
Example: must exit from the EXEC mode and login again.
Router# exit
Examples
The following example shows how to set the console idle privileged EXEC timeout to 2 minutes 30
seconds:
line console
exec-timeout 2 30
The following example shows how to set the console idle privileged EXEC timeout to 10 seconds:
line console
exec-timeout 0 10
What to Do Next
Proceed to the “Configuring Fast Ethernet and Gigabit Ethernet Interfaces” section on page 7.
Configuring Fast Ethernet and Gigabit Ethernet Interfaces

This sections shows how to assign an IP address and interface description to an Ethernet interface on
your router.
For comprehensive configuration information on Fast Ethernet and Gigabit Ethernet interfaces, see the
“Configuring LAN Interfaces” chapter of the Cisco IOS Interface and Hardware Component
Configuration Guide.
For information on interface numbering, see the quick start guide that shipped with your router.
Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and
FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5
Mbps in each direction), the interface will experience excessive collisions and reset once per second. To
avoid this problem, traffic must be limited to less than 100% of capacity.
SUMMARY STEPS
1. enable
2. show ip interface brief
4. interface {fastethernet | gigabitethernet} 0/port

OL-5593-01 7
5. description string
6. ip address ip-address mask
7. no shutdown
8. end
9. show ip interface brief
DETAILED STEPS

Example:
Router> enable
Step 2 show ip interface brief Displays a brief status of the interfaces that are configured
for IP.
Example: • Learn which type of Ethernet interface is on your
Router# show ip interface brief router: Fast Ethernet or Gigabit Ethernet.
Example:
Step 4 interface {fastethernet | gigabitethernet} Specifies the Ethernet interface and enters interface
0/port configuration mode.
Note For information on interface numbering, see the
Example: quick start guide that shipped with your router.
Router(config)# interface fastethernet 0/1
Example:
Router(config)# interface gigabitethernet 0/0
Step 5 description string (Optional) Adds a description to an interface configuration.
• The description helps you remember what is attached to
Example: this interface. The description can be useful for
Router(config-if)# description FE int to 2nd troubleshooting.
floor south wing
Step 6 ip address ip-address mask Sets a primary IP address for an interface.
Example:
Router(config-if)# ip address 172.16.74.3
255.255.255.0
Step 7 no shutdown Enables an interface.
Example:
Router(config-if)# no shutdown

8 OL-5593-01

Example:
Router(config)# end
Step 9 show ip interface brief Displays a brief status of the interfaces that are configured
for IP.
Example: • Verify that the Ethernet interfaces are up and
Router# show ip interface brief configured correctly.
Examples
Configuring the Fast Ethernet Interface: Example
!
description FE int to HR group
ip address 172.16.3.3 255.255.255.0
duplex auto
speed auto
no shutdown
!
Sample Output for the show ip interface brief Command

Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 172.16.3.3 YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Router#
What to Do Next
Proceed to the “Specifying a Default Route or Gateway of Last Resort” section on page 9.
Specifying a Default Route or Gateway of Last Resort

This section describes how to specify a default route with IP routing enabled. For alternative methods
of specifying a default route, see the Configuring a Gateway of Last Resort Using IP Commands tech
note.
The Cisco IOS software uses the gateway (router) of last resort if it does not have a better route for a
packet and if the destination is not a connected network. This section describes how to select a network
as a default route (a candidate route for computing the gateway of last resort). The way in which routing
protocols propagate the default route information varies for each protocol.
For comprehensive configuration information about IP routing and IP routing protocols, see the
Cisco IOS IP Configuration Guide. In particular, see the “Configuring IP Addressing” chapter and all
“Part 2: IP Routing Protocols” chapters.

OL-5593-01 9
SUMMARY STEPS
1. enable
3. ip routing
4. ip route dest-prefix mask next-hop-ip-address [admin-distance] [permanent]
5. ip default-network network-number
or
ip route dest-prefix mask next-hop-ip-address
6. end
7. show ip route
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 ip routing Enables IP routing.
Example:
Router(config)# ip routing
Step 4 ip route dest-prefix mask next-hop-ip-address Establishes a static route.
[admin-distance] [permanent]
Example:
Router(config)# ip route 192.168.24.0
255.255.255.0 172.28.99.2
Step 5 ip default-network network-number Selects a network as a candidate route for computing the
or gateway of last resort.
ip route dest-prefix mask next-hop-ip-address
Creates a static route to network 0.0.0.0 0.0.0.0 for
computing the gateway of last resort.
Example:
Router(config)# ip default-network 192.168.24.0
Example:
Router(config)# ip route 0.0.0.0 0.0.0.0
172.28.99.1

10 OL-5593-01

Example:
Router(config)# end
Step 7 show ip route Displays the current routing table information.
• Verify that the gateway of last resort is set.
Example:
Router# show ip route

OL-5593-01 11
Examples
Specifying a Default Route: Example
!
ip routing
!
ip route 192.168.24.0 255.255.255.0 172.28.99.2
!
ip default-network 192.168.24.0
!
Sample Output for the show ip route Command

Router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
Gateway of last resort is 172.28.99.2 to network 192.168.24.0
172.24.0.0 255.255.255.0 is subnetted, 1 subnets

C 172.24.192.0 is directly connected, FastEthernet0
S 172.24.0.0 255.255.0.0 [1/0] via 172.28.99.0
S* 192.168.24.0 [1/0] via 172.28.99.2
172.16.0.0 255.255.255.0 is subnetted, 1 subnets
C 172.16.99.0 is directly connected, FastEthernet1
Router#
What to Do Next
Proceed to the “Configuring Virtual Terminal Lines for Remote Console Access” section on page 12.
Configuring Virtual Terminal Lines for Remote Console Access

Virtual terminal (vty) lines are used to allow remote access to the router. This section shows you how to
configure the virtual terminal lines with a password, so that only authorized users can remotely access
the router.
The router has five virtual terminal lines by default. However, you can create additional virtual terminal
lines as described in the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices”
in the Cisco IOS Terminal Services Configuration Guide.
For more information on line passwords and password encryption, see the “Configuring Passwords and
Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Cisco IOS Password
Encryption Facts tech note.
If you want to secure the vty lines with an access list, see “Traffic Filtering and Virus Protection” chapter
in the Cisco IOS Security Configuration Guide.
SUMMARY STEPS
1. enable
3. line vty line-number [ending-line-number]

12 OL-5593-01
4. password password
5. login
6. end
7. show running-config
8. From another network device, attempt to open a Telnet session to the router.
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 line vty line-number [ending-line-number] Starts the line configuration command collection mode for
the virtual terminal lines (vty) for remote console access.
Example: • Make sure that you configure all vty lines on your
Router(config)# line vty 0 4 router.
Note To verify the number of vty lines on your router, use
the line vty ? command.
Step 4 password password Specifies a password on a line.
Example:
Router(config-line)# password guessagain
Step 5 login Enables password checking at login.
Example:
Router(config-line)# login
Example:
Router(config-line)# end

OL-5593-01 13

Step 7 show running-config Displays the running configuration file.
• Verify that you properly configured the virtual terminal
Example: lines for remote access.
Router# show running-config
Step 8 From another network device, attempt to open a Telnet Verifies that you can remotely access the router and that the
session to the router. virtual terminal line password is correctly configured.
Example:
Router# 172.16.74.3
Password:
Examples
The following example shows how to configure virtual terminal lines with a password:
!
line vty 0 4
password guessagain
login
!
What to Do Next
After you configure the vty lines, follow these steps:
• (Optional) To encrypt the virtual terminal line password, see the “Configuring Passwords and
Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Cisco IOS
Password Encryption Facts tech note.
• (Optional) To secure the VTY lines with an access list, see “Part 3: Traffic Filtering and Firewalls”
in the Cisco IOS Security Configuration Guide.
• To continue with the basic software configuration for your router, proceed to the “Configuring the
Auxiliary Line” section on page 14.
Configuring the Auxiliary Line

This section describes how to enter line configuration mode for the auxiliary line. How you configure
the auxiliary line depends on your particular implementation of the auxiliary (AUX) port. See the
following documents for information on configuring the auxiliary line:
Configuring a Modem on the AUX Port for EXEC Dialin Connectivity, tech note
http://www.cisco.com/warp/public/471/mod-aux-exec.html
Configuring Dialout Using a Modem on the AUX Port, sample configuration
http://www.cisco.com/warp/public/471/mod-aux-dialout.html
Connecting a SLIP/PPP Device to a Router’s AUX Port, tech note
http://www.cisco.com/warp/public/701/6.html

14 OL-5593-01
Configuring AUX-to-AUX Port Async Backup with Dialer Watch, sample configuration
http://www.cisco.com/warp/public/471/aux-aux-watch.html
Modem-Router Connection Guide, tech note
http://www.cisco.com/warp/public/76/9.html
SUMMARY STEPS
1. enable
3. line aux 0
4. See the tech notes and sample configurations to configure the line for your particular
implementation of the AUX port.
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 line aux 0 Starts the line configuration command collection mode for
the auxiliary line.
Example:
Router(config)# line aux 0
Step 4 See the tech notes and sample configurations to —
configure the line for your particular implementation
of the AUX port.
What to Do Next
Proceed to the “Verifying Network Connectivity” section on page 15.
Verifying Network Connectivity

This section describes how to verify network connectivity for your router.

OL-5593-01 15
Prerequisites
• Complete all previous configuration tasks in this document.
• The router must be connected to a properly configured network host.
SUMMARY STEPS
1. enable
2. ping [ip-address | hostname]
3. telnet {ip-address | hostname}
DETAILED STEPS

Example:
Router> enable
Step 2 ping [ip-address | hostname] Diagnoses basic network connectivity.
• To verify connectivity, ping the next hop router or
Example: connected host for each configured interface to.
Router# ping 172.16.74.5
Step 3 telnet {ip-address | hostname} Logs in to a host that supports Telnet.
• If you want to test the vty line password, perform this
Example: step from a different network device, and use your
Router# telnet 10.20.30.40 router’s IP address.
Examples
The following display shows sample output for the ping command when you ping the IP address
192.168.7.27:
Router# ping
Protocol [ip]:
Target IP address: 192.168.7.27
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/2/4 ms

16 OL-5593-01
The following display shows sample output for the ping command when you ping the IP hostname
donald:
Router# ping donald
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/3/4 ms
What to Do Next
Proceed to the “Saving Your Router Configuration” section on page 17.
Saving Your Router Configuration

This section describes how to avoid losing your configuration at the next system reload or power cycle
by saving the running configuration to the startup configuration in NVRAM.
SUMMARY STEPS
1. enable
2. copy running-config startup-config
DETAILED STEPS

Example:
Router> enable
Step 2 copy running-config startup-config Saves the running configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
What to Do Next
Proceed to the “Saving Backup Copies of Your Configuration and System Image” section on page 17.
Saving Backup Copies of Your Configuration and System Image

To aid file recovery and minimize downtime in case of file corruption, we recommend that you save
backup copies of the startup configuration file and the Cisco IOS software system image file on a server.
For more detailed information, see the “Managing Configuration Files” chapter and the “Loading and
Maintaining System Images” chapter of the Cisco IOS Configuration Fundamentals and Network
Management Configuration Guide.

OL-5593-01 17
SUMMARY STEPS
1. enable
2. copy nvram:startup-config {ftp: | rcp: | tftp:}
3. show flash:
4. copy flash: {ftp: | rcp: | tftp:}
DETAILED STEPS

Example:
Router> enable
Step 2 copy nvram:startup-config {ftp: | rcp: | tftp:} Copies the startup configuration file to a server.
• The configuration file copy can serve as a backup copy.
Example: • Enter the destination URL when prompted.
Router# copy nvram:startup-config ftp:
Step 3 show flash: Displays the layout and contents of a flash memory file
system.
Example: • Learn the name of the system image file.
Router# show flash:
Step 4 copy flash: {ftp: | rcp: | tftp:} Copies a file from flash memory to a server.
• Copy the system image file to a server to serve as a
Example: backup copy.
Router# copy flash: ftp:
• Enter the filename and destination URL when
prompted.
Examples
Copying the Startup Configuration to a TFTP Server: Example
The following example shows the startup configuration being copied to a TFTP server:
Router# copy nvram:startup-config tftp:
Remote host[]? 172.16.101.101
Name of configuration file to write [rtr2-confg]? <cr>

Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>
![OK]
Copying from Flash Memory to a TFTP Server: Example

The following example shows the use of the show flash: command in privileged EXEC to learn the name
of the system image file and the use of the copy flash: tftp: privileged EXEC command to copy the
system image (c3640-2is-mz) to a TFTP server. The router uses the default username and password.

18 OL-5593-01
Where to Go Next
Router# show flash:
System flash directory:

File Length Name/status
1 4137888 c3640-c2is-mz
[4137952 bytes used, 12639264 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)\
Router# copy flash: tftp:
IP address of remote host [255.255.255.255]? 172.16.13.110

filename to write on tftp host? c3600-c2is-mz
writing c3640-c2is-mz !!!!...
successful ftp write.
Where to Go Next
• When you complete the basic software configuration, consider implementing routing protocols or
access lists and other security-improving methods to protect your router. See the documents listed
in the “Related Documents—Additional Configuration” section on page 20.
• To configure features on your router, see Finding Feature Documentation.
Additional References
The following sections provide references related to basic software configuration using the
Cisco IOS CLI.
Related Documents—Basic Software Configuration

Topic Related Document Title or Link
Chassis installation, cable connections, power-up Quick start guide for your router
procedures, and interface numbering
Cisco Security Device Manager (SDM) http://www.cisco.com/go/sdm
Guidelines for assigning the router hostname RFC 1035, Domain Names—Implementation and Specification
RFC 1178, Choosing a Name for Your Computer
Access lists, passwords, and privileges Cisco IOS Security Configuration Guide
Password recovery procedures for Cisco products Password Recovery Procedures
Configuring the console line, managing configuration Cisco IOS Configuration Fundamentals and Network Management
files, and loading and maintaining system images Configuration Guide
Configuring interfaces Cisco IOS Interface and Hardware Component Configuration
Guide
IP routing and IP routing protocols Cisco IOS IP Configuration Guide
Configuring default routes or a gateway of last resort Configuring a Gateway of Last Resort Using IP Commands tech
note

OL-5593-01 19

Configuring virtual terminal lines Cisco IOS Terminal Services Configuration Guide
Configuring the auxiliary (AUX) port Configuring a Modem on the AUX Port for EXEC Dialin
Connectivity, tech note
Configuring Dialout Using a Modem on the AUX Port, sample
configuration
Connecting a SLIP/PPP Device to a Router’s AUX Port, tech note
Configuring AUX-to-AUX Port Async Backup with Dialer Watch,
sample configuration
Modem-Router Connection Guide, tech note
Related Documents—Additional Configuration

Cisco configuration settings that network Improving Security on Cisco Routers tech note
administrators should consider changing on their
Note To view this document, you must have an account on
routers, especially on their border routers, to improve
Cisco.com. If you do not have an account or have forgotten
security
your username or password, click Cancel at the login dialog
box and follow the instructions that appear.
IP routing and IP routing protocols Cisco IOS IP Configuration Guide
Access lists Cisco IOS Security Configuration Guide
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, http://www.cisco.com/public/support/tac/home.shtml
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.

20 OL-5593-01

OL-5593-01 21

22 OL-5593-01
Secured Branch Router Configuration Example
Contents
• Introduction, page 1
• Before You Begin, page 2
• Configure, page 3
• Verify, page 6
• Troubleshoot, page 10
• Related Information, page 11
Introduction
This document provides a sample configuration for securing a branch router by implementing the
following features:
• Context-Based Access Control (CBAC)—CBAC creates temporary openings in access lists at
firewall interfaces. These openings are created when specified traffic exits your internal network
through the firewall. The openings allow returning traffic (that would normally be blocked) and
additional data channels to enter your internal network back through the firewall. The traffic is
allowed back through the firewall only if the traffic is part of the same session as the original traffic
that triggered CBAC when exiting through the firewall.
• Cisco IOS Intrusion Prevention System (IPS)—The Cisco IOS IPS feature restructures the
existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the
default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto
the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS)
signatures, providing customers with the latest available detection of security threats.
• Cisco IOS Firewall Authentication Proxy—Authentication proxy provides dynamic, per-user
authentication and authorization, authenticating users against industry standard TACACS+ and
RADIUS authentication protocols. Per-user authentication and authorization of connections provide
more robust protection against network attacks.

Before You Begin
• Firewall Websense URL Filtering—The Firewall Websense URL Filtering feature enables your
Cisco IOS firewall (also known as Cisco Secure Integrated Software) to interact with the Websense
URL filtering software, thereby allowing you to prevent users from accessing specified websites on
the basis of some policy. The Cisco IOS firewall works with the Websense server to know whether
a particular URL should be allowed or denied (blocked).
Before You Begin
Conventions
For more information on document conventions, see Conventions Used in Cisco Technical Tips.
Components Used
The information in this document is based on the software and hardware versions below.
• Cisco 2801 router
• Cisco IOS Release 12.3(8)T4
• Advanced IP Services feature set
Note The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make
sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the following hardware:
• Cisco 1800 series integrated services router (modular)
• Cisco 2800 series integrated services router
• Cisco 3800 series integrated services router
A similar configuration can also be used with a Cisco 3800 series integrated services router that is
equipped with a Cisco Content Engine network module (NM-CE-BP), which has an embedded Websense
URL filtering server (UFS).
OL-6329-01
2
Configure
Configure
In this section, you are presented with the information to configure the features described in this
document.
Tip To find additional information on the commands used in this document, use the Command Lookup Tool.
You must have an account on Cisco.com. If you do not have an account or have forgotten your username
or password, click Cancel at the login dialog box and follow the instructions that appear.
Network Diagram
This document uses the network setup shown in the diagram below.
121239
Branch office
PC
192.168.1.118/24
FE 0/0 FE 0/1
192.168.1.2/24 192.168.101.2/24
Secured branch Cisco Secure
router Authentication
Control Server (ACS)
Websense URL 192.168.101.119/24
Filtering Server (UFS)
192.168.1.116/24
Not shown in the diagram is an HTTP server with IP address 192.168.102.119/24. The HTTP server may
be located anywhere in the network. In this case, it is on the Fast Ethernet 0/1 side of the secured branch
router.
Configurations
This document uses the configuration shown below.
router# show running-config
.
.
.
!---Enable the authentication, authorization, and accounting (AAA) access control model.
aaa new-model
!
!---Identify the Cisco Secure Authentication Control Server (ACS) as a member of a
!---AAA server group. In this example, the AAA server group is called “SJ.”
aaa group server tacacs+ SJ
server 192.168.101.119
!
!---Enable AAA authentication at login and specify the authentication methods to try.
aaa authentication login default local group SJ none
OL-6329-01
3
Configure
!---Restrict user access to the network:

!---(a) Run authorization to determine if the user is allowed to run an EXEC shell.
!---(b) Enable authorization that applies specific security policies on a per-user basis.
!---You must use the “aaa authorization auth-proxy” command together with the
!---”ip auth-proxy <name>” command (later in this configuration). Together, these
!---commands set up the authorization policy to be retrieved by the firewall.
aaa authorization exec default group SJ none
aaa authorization auth-proxy default group SJ
!---Make sure that the same session ID is used for each AAA accounting service type
!---within a call.
aaa session-id common
.
.
.
!---Define a set of inspection rules. In this example, the set is called “myfw.”
!---Include each protocol that you want the Cisco IOS firewall to inspect.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
!
!---(Optional) Set the length of time an authentication cache entry, along with its
!---associated dynamic user access control list, is managed after a period of inactivity.
ip auth-proxy inactivity-timer 120
!---Create an authentication proxy rule; in this example it is named “aprule.”
!---Set HTTP to trigger the authentication proxy.
ip auth-proxy name aprule http
!
!---Configure the Cisco IOS Intrusion Protection System (IPS) feature:
!---Specify the location from which the router loads the Signature Definition File (SDF).
!---(Optional) Specify the maximum number of event notifications that are placed
!---in the router's event queue.
!---Disable the audit of any signatures that your deployment scenario deems unnecessary.
!---Name the IPS rule, so that you can apply the rule to an interface.
!---Later in this example, this rule (named “ids-policy”) is applied to FE 0/0.
ip ips sdf location tftp://192.168.1.3/attack-drop.sdf
ip ips po max-events 100
ip ips signature 1107 0 disable
ip ips signature 3301 0 disable
ip ips name ids-policy
!
!---Configure the Firewall Websense URL Filtering feature:
!---(Optional) Set the maximum number of destination IP addresses that can be cached
!---into the cache table, which consists of the most recently requested IP addresses
!---and respective authorization status for each IP address.
!---Specify domains for which the firewall should permit or deny all traffic
!---without sending lookup requests to the Firewall Websense URL filtering server (UFS).
!---Specify the IP address of the Firewall Websense UFS.
ip urlfilter cache 0
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.1.116
.
.
.
OL-6329-01
4
Configure
!---Configure the firewall interface that connects to the branch office PCs
!---and the Firewall Websense UFS:
!---Apply access lists and inspection rules to control access to the interface.
!---In this example, access list 116 is used to filter outbound packets, and
!---the inspection rule named “myfw” is used to filter inbound packets.
!---Enable the authentication proxy rule for dynamic, per-user authentication
!---and authorization. See the previous “aaa authorization auth-proxy default group SJ”
!---and “ip auth-proxy name aprule http” command entries.
!---Apply the Cisco IPS rule to outbound traffic.
ip address 192.168.1.2 255.255.255.0
ip access-group 116 out
ip inspect myfw in
ip auth-proxy aprule
ip ips ids-policy out
.
.
.
!---Configure the interface that connects to the
!---Cisco Secure Authentication Control Server (Cisco Secure ACS).
!---Apply access lists to control access to the interface.
!---In this example, access list 111 is used to filter inbound packets.
ip address 192.168.101.2 255.255.255.0
ip access-group 111 in
.
.
.
ip classless
!---The following command establishes a static route to the HTTP server,
!---which in this example has an IP address of 192.168.102.119.
ip route 192.168.102.0 255.255.255.0 FastEthernet0/1
!
!---Enable the HTTP server on your system.
!---Also, specify that the authentication method used for AAA login service
!---should be used for authenticating HTTP server users.
ip http server
ip http authentication aaa
no ip http secure-server
!
!---Configure the access list for the interface that connects to the
!---Cisco Secure ACS.
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
!---Configure the access list for the firewall interface that connects to the
!---branch office PCs and the Websense URL Filtering Server (UFS).
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
!
!
OL-6329-01
5
Verify
!---Specify the Cisco Secure ACS, in this case a TACACS+ server.

!---Set the authentication encryption key used for all TACACS+ communications
!---between the access server and the TACACS+ daemon. This key must match the key
!---used on the TACACS+ daemon.
tacacs-server host 192.168.101.119
tacacs-server directed-request
tacacs-server key cisco
!
.
.
.
end
Verify
This section provides information you can use to confirm your configuration is working properly:
• Commands for Verifying Firewall Websense URL Filtering, page 6
• Commands for Verifying Cisco IOS Firewall Authentication Proxy, page 7
• Commands for Verifying Context-Based Access Control, page 7
• Commands for Verifying Cisco IOS Intrusion Prevention System, page 8
Tip Certain show commands are supported by the Output Interpreter Tool, which allows you to view an
analysis of show command output. You must have an account on Cisco.com. If you do not have an
account or have forgotten your username or password, click Cancel at the login dialog box and follow
the instructions that appear.
Commands for Verifying Firewall Websense URL Filtering

• show ip urlfilter cache—Displays the maximum number of entries that can be cached into the cache
table and the number of entries and the destination IP addresses that are cached into the cache table.
Router# show ip urlfilter cache
Maximum number of cache entries: 0

Number of entries cached: 0
--------------------------------------------------------
IP address Age Time since last hit
(In seconds) (In seconds)
--------------------------------------------------------
• show ip urlfilter config—Displays the configured vendor servers, including the size of the cache,
the maximum number of outstanding requests, and the allow mode state.
Router# show ip urlfilter config
Websense URL Filtering is ENABLED
Primary Websense server configurations

=========================================
Websense server IP address Or Host Name: 192.168.1.116
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2
OL-6329-01
6
Verify
Secondary Websense servers configurations

============================================
Other configurations
=====================
Allow Mode: OFF
System Alert: ENABLED
Audit Trail: DISABLED
Log message on Websense server: DISABLED
Maximum number of cache entries: 0
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000
• show ip urlfilter statistics—Displays URL filtering statistics, such as the number of requests that
are sent to the Websense server, the number of responses received from the Websense server, the
number of pending requests in the system, the number of failed requests, and the number of blocked
URLs.
Router# show ip urlfilter statistics
URL filtering statistics

=========================
Current requests count: 0
Current packet buffer count(in use): 0
Current cache entry count: 0
Maxever request count: 0

Maxever packet buffer count: 0
Maxever cache entry count: 0
Total requests sent to URL Filter Server :13

Total responses received from URL Filter Server :13
Total requests allowed: 9
Total requests blocked: 4
Commands for Verifying Cisco IOS Firewall Authentication Proxy

• show ip auth-proxy—Displays the authentication proxy entries or configuration.
Router# show ip auth-proxy cache
Authentication Proxy Cache

Client Name admin, Client IP 192.168.1.118, Port 1902, timeout 120, Time Remaining
120, state INIT
Router# show ip auth-proxy statistics
configuration
Authentication global cache time is 120 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration

Auth-proxy name aprule
http list not specified auth-cache-time 120 minutes
Commands for Verifying Context-Based Access Control

• show ip access-list—Displays the contents of current IP access lists.
• show ip inspect session—Displays CBAC session information.
OL-6329-01
7
Verify
Commands for Verifying Cisco IOS Intrusion Prevention System

• show ip ips signature—Displays Cisco IPS signature information, including which signatures are
disabled and marked for deletion.
Router# show ip ips signature
Signatures were last loaded from tftp://192.168.1.3/attack-drop.sdf
SDF release version not available
*=Marked for Deletion Action=(A)larm,(D)rop,(R)eset Trait=AlarmTraits

MH=MinHits AI=AlarmInterval CT=ChokeThreshold
TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr
WF=WantFrag Ver=Signature Version
Signature Micro-Engine: SERVICE.SMTP (1 sigs)

SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3129:0 Y ADR MED 0 0 0 0 15 FA N S59
Signature Micro-Engine: SERVICE.RPC (29 sigs)

----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
6100:0 Y AD HIGH 0 0 0 100 30 FA N 1.0
6100:1 Y ADR HIGH 0 0 0 100 30 FA N 1.0
6101:0 Y AD HIGH 0 0 0 100 30 FA N 1.0
6101:1 Y ADR HIGH 0 0 0 100 30 FA N 1.0
6104:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6104:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6105:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6105:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6188:0 Y AD HIGH 0 0 0 100 30 FA N S43
6189:0 Y AD HIGH 0 0 0 100 30 FA N S43
6189:1 Y ADR HIGH 0 0 0 100 30 FA N S43
6190:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6190:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6191:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6191:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6192:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6192:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6193:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6193:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6194:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6194:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6195:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6195:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6196:0 Y AD HIGH 0 0 0 100 30 FA N S4
6196:1 Y ADR HIGH 0 0 0 100 30 FA N S4
6197:0 Y ADR HIGH 0 0 0 100 30 FA N S9
6197:1 Y AD HIGH 0 0 0 100 30 FA N S9
6276:0 Y AD HIGH 0 0 0 100 30 FA N S30
6276:1 Y ADR HIGH 0 0 0 100 30 FA N S30
Signature Micro-Engine: SERVICE.HTTP (23 sigs)

----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3140:3 Y ADR HIGH 0 1 0 0 15 FA N S80
3140:4 Y ADR HIGH 0 1 0 0 15 FA N S80
5045:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2
5047:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2
5055:0 Y AD HIGH 0 1 0 0 15 FA N 2.2
5071:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2
OL-6329-01
8
Verify
5081:0 Y ADR MED 0 1 0 0 15 FA N 2.2

5114:0 Y ADR MED 0 1 0 0 15 FA N 2.2
5114:1 Y ADR MED 0 1 0 0 15 FA N 2.2
5114:2 Y ADR MED 0 1 0 0 15 FA N 2.2
5126:0 Y ADR MED 0 1 0 0 15 FA N S5
5159:0 Y ADR HIGH 0 1 0 0 15 FA N S7
5184:0 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:0 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:1 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:2 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:3 Y ADR HIGH 0 1 0 0 15 FA N S12
5245:0 Y ADR MED 0 1 0 0 15 FA N S21
5326:0 Y ADR HIGH 0 1 0 0 15 FA N S30
5329:0 Y ADR HIGH 0 1 0 0 15 FA N 1.0
5364:0 Y ADR HIGH 0 1 0 0 15 FA N S43
5390:0 Y ADR MED 0 1 0 0 15 FA N S54
5400:0 Y ADR HIGH 0 1 0 0 15 FA N S71
Signature Micro-Engine: ATOMIC.TCP (42 sigs)

----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3038:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3039:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3040:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2
3041:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2
3043:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3300:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
9200:0 Y AD HIGH 0 0 0 100 30 FA N S40
9201:0 Y AD HIGH 0 0 0 100 30 FA N S40
9202:0 Y AD HIGH 0 0 0 100 30 FA N S40
9203:0 Y AD HIGH 0 0 0 100 30 FA N S40
9204:0 Y AD HIGH 0 0 0 100 30 FA N S40
9205:0 Y AD HIGH 0 0 0 100 30 FA N S40
9206:0 Y AD HIGH 0 0 0 100 30 FA N S40
9207:0 Y AD HIGH 0 0 0 100 30 FA N S40
9208:0 Y AD HIGH 0 0 0 100 30 FA N S40
9209:0 Y AD HIGH 0 0 0 100 30 FA N S40
9210:0 Y AD HIGH 0 0 0 100 30 FA N S40
9211:0 Y AD HIGH 0 0 0 100 30 FA N S40
9212:0 Y AD HIGH 0 0 0 100 30 FA N S40
9213:0 Y AD HIGH 0 0 0 100 30 FA N S40
9214:0 Y AD HIGH 0 0 0 100 30 FA N S40
9215:0 Y AD HIGH 0 0 0 100 30 FA N S40
9216:0 Y AD HIGH 0 0 0 100 30 FA N S40
9217:0 Y AD HIGH 0 0 0 100 30 FA N S40
9218:0 Y AD HIGH 0 0 0 100 30 FA N S40
9223:0 Y AD HIGH 0 0 0 100 30 FA N S40
9224:0 Y AD MED 0 0 0 100 30 FA N S44
9225:0 Y AD HIGH 0 0 0 100 30 FA N S46
9226:0 Y AD HIGH 0 0 0 100 30 FA N S46
9227:0 Y AD HIGH 0 0 0 100 30 FA N S46
9228:0 Y AD HIGH 0 0 0 100 30 FA N S46
9229:0 Y AD HIGH 0 0 0 100 30 FA N S46
9230:0 Y AD HIGH 0 0 0 100 30 FA N S46
9231:0 Y AD HIGH 0 0 0 100 30 FA N S66
9232:0 Y AD HIGH 0 0 0 100 30 FA N S69
9233:0 Y AD HIGH 0 0 0 100 30 FA N S67
9236:0 Y AD HIGH 0 0 0 100 30 FA N S71
9237:0 Y AD HIGH 0 0 0 100 30 FA N S71
9238:0 Y AD HIGH 0 0 0 100 30 FA N S71
9239:0 Y AD HIGH 0 0 0 100 30 FA N S76
9240:0 Y AD HIGH 0 0 0 100 30 FA N S79
9241:0 Y AD HIGH 0 0 0 100 30 FA N S82
OL-6329-01
9
Troubleshoot
Signature Micro-Engine: ATOMIC.IPOPTIONS (1 sigs)

----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
1006:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
Signature Micro-Engine: ATOMIC.L3.IP (4 sigs)

----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
1102:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
1104:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
1108:0 Y AD HIGH 0 0 0 100 30 GS N S27
2154:0 Y AD HIGH 0 0 0 100 30 FA N Y 1.0
Total Active Signatures: 118
Total Inactive Signatures: 0
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
See the following documents:
• Troubleshooting CBAC Configurations, tech note
• Troubleshooting Authentication Proxy, tech note
Troubleshooting Commands
Note Before issuing debug commands, please see Important Information on Debug Commands.
• debug ip inspect—Displays messages about Cisco IOS firewall events.

• debug ip urlfilter—Enables debug information of URL filter subsystems.
Router# debug ip urlfilter detailed
Urlfilter Detailed Debugs debugging is on

Router#
*Aug 26 20:11:58.538: URLF: got cache idle timer event...
*Aug 26 20:11:58.538: URLF: cache table is about to overflow, delete idle entries
*Aug 26 20:12:00.962: URLF: creating uis 0x64EF00A0, pending request 1
*Aug 26 20:12:00.962: URLF: domain name not found in the exclusive list
*Aug 26 20:12:00.962: URLF: got an cbac queue event...
*Aug 26 20:12:00.962: URLF: websns making a lookup request.
*Aug 26 20:12:00.962: URLF: socket send successful...
*Aug 26 20:12:00.962: URLF: holding pak 0x64823210 (192.168.101.119:80) ->
192.168.1.118:1087 seq 3905567052 wnd 17238
*Aug 26 20:12:00.966: URLF: got a socket read event...
*Aug 26 20:12:00.966: URLF: socket recv (header) successful.
*Aug 26 20:12:00.966: URLF: socket recv (data) successful.
*Aug 26 20:12:00.966: URLF: websns lookup code = 1
*Aug 26 20:12:00.966: URLF: websns lookup description code = 1027
*Aug 26 20:12:00.966: URLF: websns category number = 67
*Aug 26 20:12:00.966: URLF: websns cache command = 0
*Aug 26 20:12:00.966: URLF: websns cached entry type = 0
*Aug 26 20:12:00.966: URLF: Site/URL Blocked: sis 0x64A57D50, uis 0x64EF00A0
*Aug 26 20:12:00.966: URLF: Sent Deny page with FIN to client and RST to server
OL-6329-01
10
Related Information
*Aug 26 20:12:00.966: URLF: urlf_release_http_resp_for_url_block - Discarding the pak

0x64823210 held in resp Q (count 1 : thrld 200)
*Aug 26 20:12:00.966: URLF: deleting uis 0x64EF00A0, pending requests 0
• debug ip auth-proxy—Displays authentication proxy activity.

Router# debug ip auth-proxy detailed
*Aug 30 23:16:07.680: AUTH-PROXY:proto_flag=4, dstport_index=4

*Aug 30 23:16:07.680: SYN SEQ 24350097 LEN 0
*Aug 30 23:16:07.680: dst_addr 192.168.102.119 src_addr 192.168.1.118 dst_port 80
src_port 1900
*Aug 30 23:16:07.680: AUTH-PROXY:auth_proxy_half_open_count++ 1
*Aug 30 23:16:07.684: ACK 2787182962 SEQ 24350098 LEN 0
src_port 1900
*Aug 30 23:16:07.684: clientport 1900 state 0
*Aug 30 23:16:07.684: PSH ACK 2787182962 SEQ 24350098 LEN 282
src_port 1900
*Aug 30 23:16:07.684: clientport 1900 state 0
*Aug 30 23:16:07.688: ACK 2787184131 SEQ 24350380 LEN 0
Related Information
• Cisco IOS Security Configuration Guide, Release 12.3:
– “Configuring Context-Based Access Control” chapter
– “Configuring Authentication Proxy” chapter
• Cisco IOS Intrusion Prevention System (IPS), Cisco IOS Release 12.3(8)T feature module
• Firewall Websense URL Filtering, Cisco IOS Releases 12.2(11)YU and 12.2(15)T feature module
• Troubleshooting CBAC Configurations, tech note
• Troubleshooting Authentication Proxy, tech note
• Technical Support—Cisco Systems
OL-6329-01
11
Related Information
OL-6329-01
12
IP Communication Solution for Group
Applications Configuration Example
Contents
• Prerequisites, page 2
• Verify, page 19
Introduction
This document provides a configuration example in which:
• A small branch office uses both analog and IP phones. The small branch office implementation
addressed in this document requires IP Telephony services and may also use other full-service
branch (FSB) features of Cisco access routers. These features include Cisco Content Engines (CEs),
Voice over IP (VoIP) services and integration with back-end VoIP call control devices. The small
branch office requires a robust and integrated voice-mail solution. The integrated services routers
also support various options for WAN uplink and integrated LAN switching modules.
• Land Mobile Radio (LMR) is used by an enterprise for several reasons which include loss
prevention (premise safety and security) and Push–to–Talk (PTT) communication for mobile
workers within range of the radio system. LMR base stations can be connected to an E&M port for
integration with an IP network and can be accessed via VoIP. The LMR feature also allows
connecting walkie-talkies to the radios using multicast.
• Multicast is dial-plan enabled so that IP phones and public switched telephone network (PSTN)
phones can dial in to the LMR by using E.164 numbers. Traditionally, the E&M ports were used to
connect to PSTN or Hoot-and-Holler networks. The E&M ports connected to the LMR can be
multicast–to–VoIP enabled. This configuration permits desktop clients and IP-Phone clients on the

IP Communication Solution for Group Applications Configuration Example
Prerequisites
LAN that are using XML services to directly connect to the radio via the multicast features on Cisco
IOS. The LMR can be integrated with the E&M port on the gateway; the commands on the gateway
support this router-to-radio adaptation.
• This document provides a workaround method that bridges the multicast VoIP to unicast VoIP using
a physical T1 loopback. This is not an essential configuration. It is documented to demonstrate how
you can integrate multicast VoIP audio into standards-based VoIP call-control schemes such as
Skinny, H.323, or SIP. IP–to–IP gateway is the preferred and recommended option to use for
bridging between standards-based VoIP protocols. The VoIP-to-multicast bridge using a physical
loopback can also be used for local multi-party conferencing via Cisco CallManager Express (Cisco
CME) phones or PSTN phones.
• Onboard DSPs are used for the voice modules on the WAN interface car (WIC) slots
• Cisco CallManager seamlessly connects to Cisco CME over an H.323 trunk defined on the Cisco
CallManager [Release 3.3 (3) or later].
• Cisco CME (Release 3.2) manages the local phone network. Cisco CME and Cisco Unity Express
enable users to use a gateway as though it were a PBX coupled to a voice-mail system.
• Cisco Unity Express (with Cisco Service Engine 1.1) on the NM-CUE provides voice-mail and
auto-attendant services.
• Cisco CME seamlessly integrates with the Cisco CallManager at the headquarters site and supports
all supplementary services.
• Content Engine (CE) modules support web caching, video–on–demand and live-splitting
applications.
• Cisco Access Control Network Server (ACNS) on CE (ce2636-sw-5.1.3) saves WAN bandwidth by
web-caching and splitting streaming video over unicast and multicast.
Prerequisites
Prerequisites included in this section:
• Requirements, page 2
• Components Used, page 2
• Related Products, page 3
• Conventions, page 3
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the following software and Cisco 3845 router hardware
and software:
• 16 FastEthernet interfaces (NM-ESW-16)
• 1 serial interface
• 3 terminal lines
OL-6574-01
2
Prerequisites
• 2 channelized T1/PRI ports

• 4 voice FXS interfaces (VIC-4FXS-DID)
• 2 voice E&M interfaces (VIC2-2E&M)
• 1 Cisco service engine (NM-CUE)
• 1 Cisco Content Engine (NM-CE-BP)
• A VIC2-4FS in slot 0
• A VIC2-2FXS in slot 1
• An HWICD-9ESW with inline power card in slots 2-3 (double-wide)
• Cisco CallManager Release 3.3(3)
• Cisco IOS Release 12.3(11)T or later
• Enterprise Services feature set
The information in this document reflects use of devices in a specific lab environment. All devices used
in this configuration example started with a cleared (default) configuration. If you are working with a
live network, ensure that you understand the potential effects of any command before you use it. The
configuration example presented in this document depicts a combination of features on a single branch
office router. Users of this document should review the documents listed under the“Related
Information” section on page 43.
Related Products
This configuration can also be used with any Cisco 2800 and Cisco 3800 series routers.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
OL-6574-01
3
Configure
Configure
document.
Note To find additional information on the commands used in this document, use the Cisco IOS Command
Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten
your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Configuration Tips
• The gigabit port on the router does not provide inline power.
• Routing should be enabled and assumed to be configured.
• The external flash card on the integrated services routers holds the router image, VLAN database,
graphical user interface (GUI) files for Cisco CME and Cisco Unity Express. It should not be
removed during the normal operation of the router.
• The LMR integration to the router might require radio frequency (RF)/radio skills (typically a
non-IP and proprietary implementation). The radio–to–router physical cable might not be available
off–the–shelf.
Network Diagram
This document uses the network setup shown in the following diagram.
11
1
10
IP IP IP 5
4
9
2 3
8
6
121378
OL-6574-01
4
Configure
1 Stream encoder, original source 7 LMR (LMR integration to the router)

2 TDM 8 T1 Loopback (unicast to multicast bridge); a
workaround to integrate a multicast
audio–to–standards based VoIP
3 NM-CE multicasting and live splitting on 9 PSTN
ACNS
4 Cisco CME/Cisco Unity Express 10 Headquarters
5 Local multicast on LAN from gateway 11 Cisco CallManager
6 PC client, multicast RTP client, Media Player
(streaming)
Configurations
This example presents configuration for the Cisco 3845 router.
Cisco 3845 Router

3845-gw#show running-config

!
!---Last configuration change at 23:07:46 PDT Wed Jul 7 2004 by cisco
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
!
hostname 3845-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$3do1$SDp9TOK4YaZ7XguJYD2MD1
!
!---Local Database of username and passwords for Web server and local
!---authentication
!
username cisco password 7 1511021F0725
!
clock timezone PST -8
clock summer-time PDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
network-clock-participate wic 2
no network-clock-participate aim 0
OL-6574-01
5
Configure
aaa new-model
!
!
aaa group server tacacs+ admin
server 192.x or 10.x
server 192.x or 10.x
!
aaa group server radius vpn
server 192.x or 10.x auth-port 1645 acct-port 1646
!
!---AAA configuration used for local authentication
!
aaa authentication login admin group tacacs+ enable
aaa authentication login remote group vpn
aaa authentication login NOTACACS line
aaa authentication login LOCAL local
aaa authentication login WEB none
aaa authentication ppp LOCAL local
aaa authentication dot1x default group vpn
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
ip subnet-zero
no ip source-route
!
ip cef
!
!
!---Configure a DHCP address pool for each IP phone:
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool NONAT
network 10.1.153.0 255.255.255.248
default-router 10.1.153.1
dns-server 10.1.162.183 10.1.156.120
option 150 ip 10.1.152.9
domain-name cisco.com
!
ip dhcp pool NAT
network 192.168.10.0 255.255.255.0
dns-server 10.1.162.183 1010.1.156.120
option 150 ip 10.1.152.9
domain-name cisco.com
!
ip domain name cisco.com
ip name-server 10.1.162.183
ip multicast-routing
ip sap cache-timeout 30
ip ssh time-out 30
ip ssh version 1
ip ids po max-events 100
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
!
voice-card 0
OL-6574-01
6
Configure
no dspfarm
!
!
!
!---Configuration to enable “H.323 to H.323” and “H.323 to SIP” calls between Cisco
!---CallManager-Cisco CME-Cisco Unity Express. The “allow connections h323 to h323” &
!---“allow-connections h323 to sip” enable an easy configuration on gateway without the
!---need for loopback-dn for incoming calls from Cisco CallManager or for call flow from
!---Cisco CallManager to SIP for Voice Mail.
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
no supplementary-service h450.2
no supplementary-service h450.3
supplementary-service h450.12 advertise-only
h323
!
!
!
!---Configuration to support LMR(Land Mobile Radio) integration through E&M port on the
!---router (similar to Hoot and Holler configuration)
!
voice class permanent 1
signal timing oos restart 50000
signal timing oos timeout disabled
signal keepalive disabled
signal sequence oos no-action
!
!
!---Two T1 ports connected back-to-back to bridge VoIP to multicast audio bridging. This
!---is required to enable dialing into multicast. Connecting the TDM T1 port back-to-back
!---offers the possibility of using E.164 number as a conference ID, or for using the
!---multicast stream for application such as Hoot and Holler.
!---
!---Cisco CME offers 3-party conference calling and is the recommended method for a
!---small branch office, the following T1 loopback cable is not required for configuring
!---the conferencing features.
!---
!---Cisco IOS supports audio mixing of loudest three streams. The TDM back to
!---back connection enables the bridging of 23 channels of VoIP to one or
!---more multicast connections (one side with multicast configuration and the
!---other side with VoIP configuration)
!---This method provides a way to connect the standards-based VoIP call control to
!---the multicast audio streams that do not have any associated call control.
!
controller T1 0/2/0
framing esf
linecode b8zs
ds0-group 1 timeslots 1 type e&m-immediate-start
!
controller T1 0/2/1
framing esf
clock source internal
linecode b8zs
OL-6574-01
7
Configure

!
no crypto isakmp enable
!
!
!---Loopback0 used to bind H323 to the Loopback0 interface. RTP Packets
!---originate/terminate on the router using this IP address.
!
interface Loopback0
ip address 10.1.152.9 255.255.255.255
h323-gateway voip interface
h323-gateway voip bind srcaddr 10.1.152.9
!
interface Loopback2
ip address 10.1.152.241 255.255.255.252
ip ospf network point-to-point
!
interface Loopback3
ip address 10.1.152.249 255.255.255.252
ip virtual-reassembly
!
!---Configuration to enable Hoot and Holler using multicast on router. The multicast
!---streaming of packets from the local router uses the VIF interface to derive the local
!---ip address and the port of the packets. This can be verified by the show command “show
!---voip rtp connection”
!
interface Vif1
ip address 10.1.153.41 255.255.255.252
ip pim sparse-dense-mode
!
!
!---WAN uplink
!
interface Serial0/0/0
ip address 10.1.152.30 255.255.255.252
ip nat outside
no fair-queue
!
!--- Content Engine connected as a Network Module.
!
interface Content-Engine1/0
ip unnumbered Loopback3
service-module ip address 10.1.152.250 255.255.255.252
service-module ip default-gateway 10.1.152.249
!
!
switchport access vlan 110
switchport trunk native vlan 100
switchport mode trunk
switchport voice vlan 110
no ip address
!
OL-6574-01
8
Configure

no ip address
!
no ip address
!
no ip address
!
!
!---Cisco Unity Express used for local voice-mail storage
!
interface Service-Engine4/0
ip unnumbered Loopback2
service-module ip address 10.1.152.242 255.255.255.252
service-module ip default-gateway 10.1.152.241
!
!--- Data VLAN, used for the desktops at the branch
!
interface Vlan100
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Vlan110
ip address 10.1.153.1 255.255.255.248
!
!---OSPF used as the routing protocol for scenario
!
router ospf 1
router-id 10.1.152.9
log-adjacency-changes
network 10.1.152.9 0.0.0.0 area 0
network 10.1.152.10 0.0.0.0 area 0
network 10.1.152.28 0.0.0.3 area 0

network 10.1.152.140 0.0.0.3 area 0
network 10.1.152.240 0.0.0.3 area 0
network 10.1.152.248 0.0.0.3 area 0
network 10.1.153.0 0.0.0.3 area 0
!
!---Static routes defined for routing to Service-Engine and Content-Engine network Module
ip classless
ip route 10.1.152.242 255.255.255.255 Service-Engine4/0
ip route 10.1.152.250 255.255.255.255 Content-Engine1/0
!
ip http server
ip http authentication aaa login-authentication LOCAL
ip http path flash:
!
!---PAT (Port address translation used for the Data VLAN.
ip nat inside source list 11 interface Serial0/0/0 overload
OL-6574-01
9
Configure
!
!
access-list 11 permit 192.168.11.0 0.0.0.255
!
!
!---Router serves as TFTP server for Signed Image for 7960 phone on Local LAN.
!
tftp-server flash:P00306000300.bin
tftp-server flash:P00306000300.loads
tftp-server flash:P00306000300.sb2
!
control-plane
!
!
!---VoIP side of the Back-to-Back T1 used for bridging VoIP to multicast streams defined
!---by the dial-peer with “ session protocol multicast”
!
voice-port 0/2/0:1
auto-cut-through
!
voice-port 0/2/0:2
auto-cut-through
!
voice-port 0/2/0:3
auto-cut-through
!
voice-port 0/2/0:4
auto-cut-through
!
voice-port 0/2/0:3
auto-cut-through
!
voice-port 0/2/0:4
auto-cut-through
!
voice-port 0/2/0:5
auto-cut-through
!
voice-port 0/2/0:6
auto-cut-through
!
!---E&M ports connected to the LMR (Land Mobile Radio). Each radio may have a different
!---radio frequency (such as VHF or UHF)
!
voice-port 0/1/0
auto-cut-through
voice-class permanent 1
operation 4-wire
signal lmr
lmr e-lead voice
timeouts call-disconnect 3
connection trunk 20480
!
voice-port 0/1/1
auto-cut-through
operation 4-wire
signal lmr
lmr m-lead audio-gate-in
lmr e-lead voice
OL-6574-01
10
Configure

!
!---Multicast side of the back-to-back T1 used for bridging VoIP to multicast connection
!---trunk points to the dial-peer that is used for streaming into multicast
!
voice-port 0/2/1:1
auto-cut-through
!
voice-port 0/2/1:2
auto-cut-through
!
!---Multicast side of the back-to-back T1 used for bridging VoIP to multicast connection
!---trunk points to the dial-peer that is used for streaming into multicast for local
!---conferencing. 2111 dialed from the network side is looped back to the other side of
!---the T1 that is connected to the multicast dial-peer to convert it into a multicast
!---stream. The 3-party mixing algorithm takes care of conferencing between the dialed
!---parties
!
voice-port 0/2/1:3
auto-cut-through
!
voice-port 0/2/1:4
auto-cut-through
!
voice-port 0/2/1:5
auto-cut-through
!
voice-port 0/2/1:6
auto-cut-through
voice-port 0/3/0
!
voice-port 0/3/1
!
voice-port 0/3/2
!
!---FXS ports tied to multicast Hoot and Holler
!
voice-port 0/3/3
!
!---Dial peers pointing toward the NM-CUE for auto attendant and voice mail
!
dial-peer voice 27749 voip
description Towards CUE-Auto-Attendant
destination-pattern 27749
session protocol sipv2
session target ipv4:10.1.152.242
dtmf-relay sip-notify
codec g711ulaw
no vad
!
description Towards CUE-Voice-Mail
OL-6574-01
11
Configure
session protocol sipv2
dtmf-relay sip-notify
codec g711ulaw
no vad
!
!---Dial peers for dialing out; pointing to Cisco CallManager Release 3.3(3)
!
description CCM-IT-Cisco
destination-pattern .T
dtmf-relay h245-alphanumeric
codec g711ulaw
!
preference 1
destination-pattern 91..........
!
destination-pattern 2....
!
!---Dial Peers for multicast streaming from TDM port
!
description VoIP to multicast bridging for LMR integration
session protocol multicast
session target ipv4:239.192.17.191:20480
codec g711ulaw
vad aggressive
!
description VoIP to multicast bridging for LMR integration
codec g711ulaw
vad aggressive
!
description VoIP to multicast bridging for Local Conferencing
dtmf-relay cisco-rtp
codec g711ulaw
vad aggressive
!---Dial Peers for the T1 physical loopback used for bridging multicast to VoIP
!---(VoIP Side)
!
dial-peer voice 1 pots
description VoIP to multicast bridging for LMR
port 0/2/0:1
!
OL-6574-01
12
Configure

port 0/2/0:1
!
port 0/2/0:2
!
port 0/2/0:2
!
description VoIP to local multicast conference bridge
port 0/2/0:3
!
port 0/2/0:4
!
port 0/2/0:5
!
port 0/2/0:6
!
!
!---Dial Cisco CME Configuration with services configuration
!
!
telephony-service
fxo hook-flash
load 7910 P00403020214
load 7960-7940 P00306000300
max-ephones 27
max-dn 40
ip source-address 10.1.152.9 port 2000
auto assign 1 to 27
timeouts interdigit 5
system message Next GEN Branch Documentation
url services http://phone-xml.berbee.com/menu.xml
create cnf-files version-stamp 7960 Jun 24 2004 14:00:45
dialplan-pattern 1 408902.... extension-length 5
voicemail 27749
mwi relay
mwi expires 99999
max-conferences 8
call-forward pattern .....
web admin customer name cisco password admin
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern .....
secondary-dialtone 9
!
OL-6574-01
13
Configure
!
ephone-dn 1 dual-line
number 27725
description Ross
name Ross
call-forward busy 27749
call-forward noan 27749 timeout 10
!
!
number 27726
description Rachel
name Rachel
!
!
number 27727
description Chandler
name Chandler
!
!
number 27728
description Monica
name Monica
!
!
number 27729
description Jen-Shue Shih
name Jen-Shue Shih
!
!
number 27730
description Mike
name Mike
!
!
number 27731
description Phoebe
name Phoebe
!
!
number 27732
description Cosmo
name Cosmo
OL-6574-01
14
Configure
!
!
number 27733
description Jerry
name Jerry
!
!
number 27734
description George
name George
!
!
number 27735
description Frank
name Frank
!
!
number 27736
description Estelle
name Estelle
!
!
!
!
!
!
number 27739
!
!
number 27740
!
!
number 27741
!
!
number 27742
!
OL-6574-01
15
Configure
!
number 27743
!
!
number 27744
!
!
number 27745
!
!
ephone-dn 25
!
!
ephone-dn 27
number 27749
!
!
ephone-dn 39
number 8000.....
mwi off
!
!
ephone-dn 40
number 8001.....
mwi on
!
!
ephone 1
mac-address 0003.4713.5554
type CIPC
button 1:1
!
!
!
ephone 2
mac-address 0002.8A3E.6606
type CIPC
button 1:2
!
!
!
ephone 3
mac-address 0001.022C.88A1
type CIPC
button 1:3
!
!
!
ephone 4
mac-address 0009.6B10.494D
type CIPC
button 1:4
OL-6574-01
16
Configure
!
!
!
ephone 5
mac-address 0002.8A4B.000B
type CIPC
button 1:5
!
!
!
ephone 6
mac-address 0009.6B53.44C6
type CIPC
button 1:6
!
!
!
ephone 7
mac-address 0009.6B30.E399
type CIPC
button 1:7
!
!
!
ephone 8
mac-address 000B.BE37.1AB1
type 7960
button 1:8
!
!
!
ephone 9
mac-address 0006.D74B.15B3
type 7960
button 1:9
!
!
!
ephone 10
mac-address 000B.5F92.5784
type 7960
button 1:10
!
!
!
ephone 11
mac-address 000C.CE3A.87FA
type 7960
button 1:11
!
!
!
ephone 12
mac-address 000C.CE35.1B23
type 7960
button 1:12
!
!
!
ephone 13
mac-address 0002.8A9B.0CE5
type CIPC
button 1:13
OL-6574-01
17
Configure
!
!
!
ephone 14
mac-address 0003.47D8.C236
type CIPC
button 1:14
!
!
!
ephone 15
mac-address 000C.CE35.1935
type 7960
button 1:15
!
!
!
ephone 16
mac-address 0030.94C3.BE45
type 7960
button 1:16
!
!
!
ephone 17
!
!
!
ephone 18
!
!
!
ephone 19
!
!
!
ephone 20
!
!
!
ephone 21
!
!
!
line con 0
authorization exec LOCAL
stopbits 1
line aux 0
stopbits 1
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line 130
no exec
transport input all
line 258
OL-6574-01
18
Verify
no exec
transport input all
line vty 0 4
exec-timeout 0 0
password 7 04490E020D205E4107
line vty 5 8
exec-timeout 0 0
password 7 03165E0F040E334340
!
scheduler allocate 20000 1000
ntp clock-period 1079741
ntp master
ntp update-calendar
ntp server 10.68.10.80
ntp server 10.68.10.150
end
Verify
This section provides information you can use to confirm that your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only),
which allows you to view an analysis of show command output. In summary, use these commands:
• show telephony-service—Shows the IP telephony services available for Cisco CallManager server
• show ephone registered—Verifies IP phone registration occurring and lists information associated
with each registered IP phone
• show commands for the voice gateway
– show voice port summary—Displays a summary of all voice ports
– show voip rtp connections—Displays VoIP RTP active connections
– show voip dsp—Displays DSP information
– show voice trace—Displays voice-channel configuration information for all DSP channels
– show voice call summary—Displays the call status for all voice ports
– show running-config—Displays the contents of the currently running configuration file
• show commands for CE
– show version—Displays information about the currently loaded CE software version along
with hardware and device information
– show processes cpu—Displays detailed CPU utilization statistics (CPU use per process)
– show statistics wmt streamstat—Displays statistics for Windows Media Technologies (WMT)
streaming connections
– show statistics wmt all—Display all WMT statistics
• show and service commands on Cisco CME for Cisco Unity Express
– show interface service-engine—Displays the status of the service-engine interface
– service-module service-engine 4/0 status—Displays status of Cisco Unity Express
OL-6574-01
19
Verify
– service-module service-engine 4/0 session—Opens session with Cisco Unity Express

• show commands for Cisco Unity Express
– show voicemail mailboxes—Displays summary of mailbox owners and status
– show voicemail usage—Displays snapshot of voicemail system use
– show voicemail limits—Displays system limits for voicemail system
– show ccn application—Displays details about each configured application
– show ccn trigger—Displays the parameter values for all configured triggers
Representative output for each of these commands is presented in the verification summaries that follow.
Note Relevant display output is highlighted as appropriate.
The following is an example of output for the show telephony-service command on the Cisco CME:
CCME-CUE-SJC# show telephony-service
CONFIG (Version=3.2)
=====================
Version 3.2
Cisco CallManager Express
For on-line documentation please see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm
ip source-address 10.1.152.9 port 2000

load 7910 P00403020214
load 7960-7940 P00303020214
max-ephones 27
max-dn 40
max-conferences 8
dspfarm units 0
dspfarm transcode sessions 0
max-redirect 5
dialplan-pattern 1 408902.... extension-length 5
voicemail 27749
mwi relay
mwi expires 99999
time-format 12
date-format mm-dd-yy
timezone 0 Greenwich Standard Time
secondary-dialtone 9
url services http://phone-xml.berbee.com/menu.xml
call-forward pattern .....
transfer-pattern .....
keepalive 30
timeout interdigit 5
timeout busy 10
timeout ringing 180
caller-id name-only: enable
system message CCME2 Cisco (MCEBU) Bldg 22
web admin system name cisco password 3800
web admin customer name cisco1 password 38001
edit DN through Web: enabled.
edit TIME through web: enabled.
Log (table parameters):
max-size: 150
OL-6574-01
20
Verify
retain-timer: 15
create cnf-files version-stamp 7960 Apr 12 2004 12:16:53
transfer-system full-consult
auto assign 1 to 27
fxo hook-flash
local directory service: enabled.
The following example illustrates output using the show ephone registered command:
CCME-CUE-SJC# show ephone registered
ephone-1 Mac:0003.4713.5554 TCP socket:[6] activeLine:0 REGISTERED

mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:172.19.150.31 1649 CIPC keepalive 10410 max_line 8
button 1: dn 1 number 27725 CH1 IDLE CH2 IDLE
ephone-9 Mac:0006.D74B.15B3 TCP socket:[1] activeLine:0 REGISTERED

IP:192.168.20.4 50475 Telecaster 7960 keepalive 39556 max_line 6
ephone-15 Mac:000C.CE35.1935 TCP socket:[3] activeLine:0 REGISTERED

IP:192.168.20.2 51961 Telecaster 7960 keepalive 39556 max_line 6
The following is an example of output for the show voice port summary command on the branch office
router:
3845-gw# show voice port summary
IN OUT
PORT CH SIG-TYPE ADMIN OPER STATUS STATUS EC
========= == ============ ===== ==== ======== ======== ==
0/2/0:1 01 e&m-imd up dorm idle idle y
0/1/0 -- e&m-lmr up up trunked trunked y
0/1/1 -- e&m-lmr up up trunked trunked y
0/2/1:1 01 e&m-imd up up trunked trunked y
0/3/0 -- fxs-ls up dorm on-hook idle y
50/0/1 1 efxs up up on-hook idle y
.
50/0/40 1 efxs up dorm on-hook idle y
OL-6574-01
21
Verify
The following is an example of output for the show voice rtp connections command on the branch
office router:
3845-gw# show voip rtp connections
VoIP RTP active connections :

No. CallId dstCallId LocalRTP RmtRTP LocalIP RemoteIP
1 2 1 32414 20480 10.1.153.42 239.192.17.191
2 4 3 28764 20480 10.1.153.42 239.192.17.192
3 6 5 16416 20480 10.1.153.42 239.192.17.191
4 8 7 27572 20480 10.1.153.42 239.192.17.192
5 1754 1753 16446 20480 10.1.153.42 239.192.17.195
6 1756 1755 31552 20480 10.1.153.42 239.192.17.195
7 1758 1757 16454 20480 10.1.153.42 239.192.17.195
8 1761 1760 16496 20480 10.1.153.42 239.192.17.195
Found 8 active RTP connections
The following is an example of output for the show voip dsp command on the branch office router:
3845-gw# show voip dsp
----------------------------FLEX VOICE CARD 0 ------------------------------

*DSP VOICE CHANNELS*
DSP DSP DSPWARE CURR BOOT PAK TX/RX
TYPE NUM CH CODEC VERSION STATE STATE RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 013 01 g711ulaw 4.4.1 busy idle 0 0 0/1/0 00 0 1/419970
C5510 013 02 g711ulaw 4.4.1 busy idle 0 0 0/2/1:2 02 0 15/420330
C5510 013 03 g711ulaw 4.4.1 busy idle 0 0 0/2/1:1 01 0 16/420130
C5510 013 04 g711ulaw 4.4.1 busy idle 0 0 0/1/1 01 0 0/419879
C5510 013 05 None 4.4.1 busy idle 0 0 0/2/0:3 03 0 0/14
C5510 013 06 g711ulaw 4.4.1 busy idle 0 0 0/2/1:3 03 0 1873/1655
C5510 014 01 None 4.4.1 busy idle 0 0 0/2/0:4 04 0 0/14
C5510 014 02 g711ulaw 4.4.1 busy idle 0 0 0/2/1:6 06 0 1833/5379
C5510 014 03 None 4.4.1 busy idle 0 0 0/2/0:5 05 0 0/14
C5510 014 04 None 4.4.1 busy idle 0 0 0/2/0:6 06 0 0/14
C5510 014 05 g711ulaw 4.4.1 busy idle 0 0 0/2/1:5 05 0 1424/5334
C5510 014 06 g711ulaw 4.4.1 busy idle 0 0 0/2/1:4 04 0 1402/5057
*DSP SIGNALING CHANNELS*
DSP DSP DSPWARE CURR BOOT PAK TX/RX
TYPE NUM CH CODEC VERSION STATE STATE RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 013 01 {flex} 4.4.1 alloc idle 0 0 0/1/0 02 0 34/0
C5510 013 02 {flex} 4.4.1 alloc idle 0 0 0/1/1 02 0 35/0
C5510 013 03 {flex} 4.4.1 alloc idle 0 0 0/3/1 06 0 14/0
C5510 013 04 {flex} 4.4.1 alloc idle 0 0 0/3/0 06 0 14/0
C5510 013 05 {flex} 4.4.1 alloc idle 0 0 0/3/3 02 0 14/0
C5510 013 06 {flex} 4.4.1 alloc idle 0 0 0/3/2 02 0 14/0
C5510 013 07 {flex} 4.4.1 alloc idle 0 0 0/2/0:1 01 0 4/18
C5510 013 08 {flex} 4.4.1 alloc idle 0 0 0/2/0:2 02 0 4/18
C5510 013 09 {flex} 4.4.1 alloc idle 0 0 0/2/1:1 01 0 27/23
C5510 013 10 {flex} 4.4.1 alloc idle 0 0 0/2/1:2 02 0 27/23
C5510 013 11 {flex} 4.4.1 alloc idle 0 0 0/2/0:3 03 0 454/335
C5510 013 12 {flex} 4.4.1 alloc idle 0 0 0/2/0:4 04 0 465/341
C5510 013 13 {flex} 4.4.1 alloc idle 0 0 0/2/0:5 05 0 433/315
C5510 013 14 {flex} 4.4.1 alloc idle 0 0 0/2/0:6 06 0 421/307
C5510 013 15 {flex} 4.4.1 alloc idle 0 0 0/2/1:3 03 0 3969/3831
C5510 013 16 {flex} 4.4.1 alloc idle 0 0 0/2/1:4 04 0 4050/3933
C5510 014 01 {flex} 4.4.1 alloc idle 0 0 0/2/1:5 05 0 3819/3657
C5510 014 02 {flex} 4.4.1 alloc idle 0 0 0/2/1:6 06 0 3724/3553
------------------------END OF FLEX VOICE CARD 0 ----------------------------
The following is an example of output for the show voice trace command on the branch office router:
OL-6574-01
22
Verify
3845-gw# show voice trace 0/2/1:1
0/2/1:1 1 State Transitions: timestamp (state, event) -> (state, event) ...
42.808 (S_SETUP_INDICATED, E_CC_PROCEEDING) ->
42.808 (S_PROCEEDING, E_CC_CONNECT) ->
State Transitions: timestamp (state, event) -> (state, event) ...

42.808 (S_TRUNK_PEND, E_HTSP_EVENT_TIMER) ->
42.808 (S_TRUNK_PROC, E_HTSP_SETUP_ACK) ->
42.808 (S_TRUNK_PROC, E_HTSP_PROCEEDING) ->
42.808 (S_TRUNK_PROC, E_HTSP_VOICE_CUT_THROUGH) ->
42.808 (S_TRUNK_W_CONNECT, E_HTSP_CONNECT) ->
The following is an example of output for the show voice call summary command on the branch office
router:
3845-gw# show voice call summary
PORT CODEC VAD VTSP STATE VPM STATE

============== ======== === ==================== ======================
0/2/0:1.1 - - - EM_ONHOOK
0/2/0:2.2 - - - EM_ONHOOK
0/2/0:3.3 - - - EM_ONHOOK
0/2/0:4.4 - - - EM_ONHOOK
0/2/0:5.5 - - - EM_ONHOOK
0/2/0:6.6 - - - EM_ONHOOK
0/1/0 g711ulaw y S_CONNECT S_TRUNKED
0/2/1:1.1 g711ulaw y S_CONNECT S_TRUNKED
0/3/0 - - - FXSLS_ONHOOK
50/0/1 .1 - - - EFXS_ONHOOK
50/0/9 .1 - - - EFXS_ONHOOK
50/0/9 .2 - - - EFXS_ONHOOK
The following is an example of output for the show version command on the CE:
sjc22-13a-rb-CE3# show version
Application and Content Networking System Software (ACNS)

Copyright (c) 1999-2003 by Cisco Systems, Inc.
Application and Content Networking System Software Release 5.1.3 (build b15 Feb
13 2004)
Version: ce2636-sw-5.1.3
Compiled 17:52:07 Feb 13 2004 by test

Compile Time Options: PP SS
System was restarted on Tue Jan 1 00:01:12 1980.

The system has been up for 16 hours, 8 seconds.
The following is an example of output for the show running-config command on the CE:
sjc22-13a-rb-CE3# show running-config
hostname sjc22-13a-rb-CE3
!
OL-6574-01
23
Verify
http dns-cache serial-lookup

!
!
ip domain-name cisco.com
!
!
gui-server secure port 8002
!
!
interface FastEthernet external
shutdown
exit
interface FastEthernet internal
exit
!
!
primary-interface FastEthernet 0/1
!
wmt license-key 92W5SNNNSULWCXN78
wmt accept-license-agreement
wmt max-concurrent-sessions 9
wmt mms allow extension asf none nsc wma wmv mp3
wmt broadcast alias-name lanka source mms://24.6.215.172/AAA
wmt enable
!
!
multicast accept-license-agreement
!
!
!
!
wccp router-list 1 10.1.152.249
wccp web-cache router-list-num 1
wccp version 2
!
!
!
!
!
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
cdm ip 10.86.46.81
cms enable
!
!
!
End of ACNS configuration
The following is an example of output for the show processes cpu command on the CE:
sjc22-13a-rb-CE3# show processes cpu
OL-6574-01
24
Verify
CPU usage:
Current Peak
cpu: 96 % 100 %
CPU average usage since last reboot:
cpu: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
cpu0: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
--------------------------------------------------------------------
PID STATE PRI User T SYS T COMMAND
----- ----- --- ------ ------ --------------------
1 S 0 744 4839 (init)
2 R 0 0 0 (keventd)
3 S 19 0 0 (ksoftirqd_CPU0)
4 S 0 0 0 (kswapd)
5 S 0 0 0 (bdflush)
6 S 0 0 0 (kupdated)
157 S 0 0 0 (streamd)
197 S 10 30143 3926 (nodemgr)
201 S 10 0 0 (syslogd)
202 R 10 396 150 (dataserver)
298 S 0 0 0 (kjournald)
902 S 10 108 23 (ruby_disk)
1494 S 10 2 1 (parser_server)
1544 S 10 3 1 (su)
The following is an example of output for the show statistics xmt streamstat command on the CE:
sjc22-13a-rb-CE3# show statistics wmt streamstat
Detailed Stream Statistics

==========================
Incoming Streams:
=================
Bandwidth in Kbps, Duration in seconds
Type Transport Source Pkts_Recd Bytes_Recd Duration BW Server-IP

Filename Stream-Id
LIVE MMS(TCP) RMT_MMS 807995 1165556557 44531 216 24.6.215.172
AAA 5878
Outgoing Streams:
=================
Client-IP Type Transport Source State Pkts_sent Bytes_sent Duration BW
Server-IP Filename Stream-Id
10.21.96.174 LIVE HTTP RMT_MMS Play 216441 312540804 11946 216
24.6.215.172 lanka 13830
10.21.81.206 LIVE MMS(UDP) RMT_MMS Play 59505 85925220 3283 216
24.6.215.172 lanka 15639
24.6.215.172 lanka 14402
24.6.215.172 lanka 8644
24.6.215.172 lanka 15682
24.6.215.172 lanka 10694
24.6.215.172 lanka 16161
sjc22-13a-rb-CE3#
The following is an example of output for the show statistics xmt all command on the CE:
OL-6574-01
25
Verify
sjc22-13a-rb-CE3# show statistics wmt all
Unicast Requests Statistics

===========================
Total unicast requests received: 79
-------------------------------------
Total % of Total
Unicast Requests
--------------------------------------------
Streaming Requests served: 75 94.94%

Mcast nsc file Request: 0 0.00%
Requests error: 0 0.00%
Total % of Total Streaming Requests

---------------------------------------------
By Type of Content
------------------
Live content: 75 100.00%
On-Demand Content: 0 0.00%
By Transport Protocol
---------------------
MMSU: 32 42.67%
MMST: 1 1.33%
HTTP: 42 56.00%
By Source of Content
--------------------
Local: 0 0.00%
Remote MMS: 75 100.00%
Remote HTTP: 0 0.00%
Multicast: 0 0.00%
CDN-Related WMT Requests

--------------------
CDN Content Hits: 0 0.00%
CDN Content Misses: 0 0.00%
CDN Content Live: 0 0.00%
CDN Content Errors: 0 0.00%
Unicast Bytes Statistics
========================
Total unicast incoming bytes: 1178064843
---------------------------------
Total % of Total Unicast
Incoming Bytes
--------------------------------------------
By Type of Content
------------------
Live content: 1178064843 100.00%
---------------------
MMSU: 0 0.00%
MMST: 1178064843 100.00%
HTTP: 0 0.00%
Unicast Bytes Statistics
OL-6574-01
26
Verify
========================
Total unicast outgoing bytes: 4698135144
---------------------------------
Total % of Total Unicast
Outgoing Bytes
--------------------------------------------
By Type of Content
------------------
Live content: 4698135144 100.00%
---------------------
MMSU: 3148201513 67.01%
MMST: 0 0.00%
HTTP: 1549933631 32.99%
Unicast Savings Statistics

==========================
Total bytes saved: 3520070301
--------------------------
Total % of Total Bytes
Saved
--------------------------------------------
By Pre-positioned content: 0 0.00%
By Live-splitting: 3520070301 100.00%
By Cache-hit: 0 0.00%
Total % of Total
Live Outgoing Bytes
--------------------------------------------
Live Splitting
--------------
Incoming bytes: 1178064843 25.08%
Outgoing bytes: 4698135144 100.00%
Bytes saved: 3520070301 74.92%
Total % of Bytes Cache

Total
--------------------------------------------
Caching
-------
Bytes cache-miss: 0 0.00%
Bytes cache-hit: 0 0.00%
Bytes cache-total: 0 0.00%
Bytes cache-bypassed: 0
Total % of Req Cache

Total
--------------------------------------------
Cacheable requests
------------------
Req cache-miss: 0 0.00%
Req cache-hit: 0 0.00%
Req cache-partial-hit: 0 0.00%
Req cache-total: 0 0.00%
Req cache-bypassed: 81
Objects not cached
OL-6574-01
27
Verify
------------------
Cache bypassed: 81
Exceed max-size: 0
Usage Summary
=============
Concurrent Unicast Client Sessions
----------------------------------
Current: 8
Max: 8
Concurrent Active Multicast Sessions

------------------------------------
Current: 0
Max: 0
Concurrent Remote Server Sessions

---------------------------------
Current: 1
Max: 1
Concurrent Unicast Bandwidth (Kbps)

-----------------------------------
Current: 1734.120
Max: 1734.120
Concurrent Multicast Out Bandwidth (Kbps)

-----------------------------------------
Current: 0.000
Max: 0.000
Concurrent Bandwidth to Remote Servers (Kbps)

---------------------------------------------
Current: 216.765
Max: 216.765
Error Statistics
================
Total request errors: 0
Errors generated by this box

Reach MAX connections: 0
Reach MAX incoming bandwidth: 0
Reach MAX outgoing bandwidth: 0
Reach MAX incoming bit rate: 0
Reach MAX outgoing bit rate: 0
MMSU under wccp: 0
MMSU not allowed: 0
MMST not allowed: 0
MMSU/T not allowed: 0
HTTP not allowed: 0
1st tcp pkt error, possible port scan: 0
Illegal url: 0
No socket: 0
Cannot connect: 0
Authentication fail: 0
Remote server error: 0
Client error: 0
Internal error: 0
Local vod file not found: 0
Local vod file header corrupted: 0
OL-6574-01
28
Verify
Local vod file data corrupted: 0

Unknown error: 0
Errors generated by remote servers

Reach MAX connections: 0
Reach MAX bandwidth: 0
Reach MAX bit rate: 0
Illegal url: 0
Invalid request: 0
No socket: 0
Cannot connect: 0
Conection refused: 0
Access deny: 0
Invalid stream type: 0
Remote server error: 0
Remote timeout: 0
Remote proxy error: 0
File not found: 0
File header corrupted: 0
File data corrupted: 0
Remote unknown error: 0
Authentication Retries from Clients: 0
WMT Rule Template Statistics

================
URL Rewrite: 0
Connection Reset: 0
URL Block: 0
No-Auth: 0
No-Cache: 0
Selective Cache: 0
Allow: 0
WMT URL Filter Statistics

================
URL Allowed: 0
URL Filtered: 0
The following is an example of output for the show interface service-engine 4/0 command on the Cisco
CME for Cisco Unity Express:
3845-gw# show interface service-engine 4/0
Service-Engine4/0 is up, line protocol is up

Hardware is I82559FE, address is 000e.8335.7c30 (bia 000e.8335.7c30)
Interface is unnumbered. Using address of Loopback2 (10.1.152.241)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:14, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
138507 packets input, 21920546 bytes, 0 no buffer
Received 2237 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
OL-6574-01
29
Verify
0 input packets with dribble condition detected

421216 packets output, 53661814 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
The following is an example of output for the service-module service-engine 4/0 status command on
the Cisco CME for Cisco Unity Express:
3845-gw# service-module service-Engine 4/0 status
Service Module is Cisco Service-Engine4/0

Service Module supports session via TTY line 258
Service Module is in Steady state
Getting status from the Service Module, please wait..
cisco service engine 1.1
The following is an example of output for the service-module service-engine 4/0 status session
command on the Cisco CME for Cisco Unity Express:
3845-gw# service-module service-engine 4/0 session
Trying 10.1.152.241, 2258 ... Open
User Access Verification
Username: cisco
Password:
se-10-32-152-242#
se-10-32-152-242#
OL-6574-01
30
Verify
The following is an example of output for the show running-config command on Cisco Unity Express:
se-10-32-152-242# show running-config
Generating configuration:
clock timezone America/Los_Angeles
hostname se-10-32-152-242
ip domain-name cisco.com
ip name-server 10.64.2.113 10.64.11.48
ntp server 10.1.152.241
groupname Administrators create
username Ross create

username Rachel create
username Chandler create
username Monica create
username Jeshih create
username Mike create
username Phoebe create
username Cosmo create
username Jerry create
username George create
username Frank create
username Estelle create
username Ross phonenumber "27725"
username Rachel phonenumber "27726"
username chandler phonenumber "27727"
username Monica phonenumber "27728"
username Jeshih phonenumber "27729"
username Mike phonenumber "27730"
username Phoebe phonenumber "27731"
username Cosmo phonenumber "27732"
username Jerry phonenumber "27733"
username George phonenumber "27734"
username Frank phonenumber "27735"
username Estelle phonenumber "27736"
groupname Administrators member cisco

groupname Administrators privilege superuser
groupname Administrators privilege ManagePrompts
backup server url "ftp://127.0.0.1/ftp" credentials hidden "EWlTygcMhYmjazXhE/VN

XHCkplVV4KjescbDaLa4fl4WLSPFvv1rWUnfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35jwAAAAA="
ccn application autoattendant

description "autoattendant"
enabled
maxsessions 8
script "aa.aef"
parameter "MaxRetry" "3"
parameter "operExtn" "0"
parameter "welcomePrompt" "AAWelcome.wav"
end application
ccn application ciscomwiapplication

description "ciscomwiapplication"
enabled
maxsessions 8
script "setmwi.aef"
OL-6574-01
31
Verify
parameter "strMWI_OFF_DN" "8000"

parameter "strMWI_ON_DN" "8001"
parameter "CallControlGroupID" "0"
end application
ccn application promptmgmt

description "promptmgmt"
enabled
maxsessions 1
script "promptmgmt.aef"
end application
ccn application voicemail

description "voicemail"
enabled
maxsessions 8
script "voicebrowser.aef"
parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"
parameter "uri" "http://localhost/voicemail/vxmlscripts/login.vxml"
end application
ccn engine
end engine
ccn subsystem jtapi

ccm-manager address
end subsystem
ccn subsystem sip

gateway address "10.1.152.241"
end subsystem
ccn trigger sip phonenumber 27748

application "autoattendant"
enabled
locale "en_US"
maxsessions 8
end trigger

application "voicemail"
enabled
locale "en_US"
maxsessions 8
end trigger

application "promptmgmt"
enabled
locale "en_US"
maxsessions 1
end trigger
voicemail default expiration time 30

voicemail default language en_US
voicemail default mailboxsize 3000
voicemail recording time 900
voicemail default messagesize 60
voicemail operator telephone 0
voicemail capacity time 6000
voicemail mailbox owner "Ross" size 3000
description "Ross mailbox"
end mailbox
OL-6574-01
32
Verify
voicemail mailbox owner "Rachel" size 3000

description "Rachel mailbox"
end mailbox
voicemail mailbox owner "Chandler" size 3000

description "Chandler mailbox"
end mailbox
voicemail mailbox owner "Monica" size 3000

description "Monica mailbox"
end mailbox
voicemail mailbox owner "Jeshih" size 3000

description "Jeshih mailbox"
end mailbox
voicemail mailbox owner "Mike" size 3000

description "Mike mailbox"
end mailbox
voicemail mailbox owner "Phoebe" size 3000

description "Phoebe mailbox"
end mailbox
voicemail mailbox owner "Cosmo" size 3000

description "Cosmo mailbox"
end mailbox
voicemail mailbox owner "Jerry" size 3000

description "Jerry mailbox"
end mailbox
voicemail mailbox owner "George" size 3000

description "George mailbox"
end mailbox
voicemail mailbox owner "Frank" size 3000

description "Frank mailbox"
end mailbox
voicemail mailbox owner "Estelle" size 3000

description "Estelle mailbox"
end mailbox
end
The following is an example of output for the show voicemail mailboxes command on Cisco Unity
Express:
se-10-32-152-242# show voicemail mailboxes
OWNER MSGS NEW SAVED MSGTIME MBXSIZE USED

"Ross" 0 0 0 0 3000 0 %
"Rachel" 0 0 0 0 3000 0 %
"Chandler" 0 0 0 0 3000 0 %
"Monica" 3 3 0 142 3000 5 %
"Jeshih" 0 0 0 0 3000 0 %
"Mike" 0 0 0 0 3000 0 %
"Phoebe" 0 0 0 0 3000 0 %
"Cosmo" 0 0 0 0 3000 0 %
"Jerry" 0 0 0 0 3000 0 %
"George" 0 0 0 0 3000 0 %
"Frank" 0 0 0 0 3000 0 %
"Estelle" 0 0 0 0 3000 0 %
OL-6574-01
33
Verify
The following is an example of output for the show voicemail usage command on Cisco Unity Express:
se-10-32-152-242# show voicemail usage
personal mailboxes: 12
general delivery mailboxes: 0
orphaned mailboxes: 0
capacity of voicemail (minutes): 6000
allocated capacity (minutes): 600.0
message time used (seconds): 141
message count: 3
average message length (seconds): 47.0
greeting time used (seconds): 0
greeting count: 0
average greeting length (seconds): 0.0
total time used (seconds): 141
total time used (minutes): 2.3499999046325684
percentage used time (%): 1
The following is an example of output for the show voicemail limits command on Cisco Unity Express:
se-10-32-152-242# show voicemail limits
Default Mailbox Size (seconds): 3000

Default Caller Message Size (seconds): 60
Maximum Recording Size (seconds): 900
Default Message Age (days): 30
System Capacity (minutes): 6000
Default Prompt Language: en_US
Operator Telephone: 0
The following is an example of output for the show ccn application command on Cisco Unity Express:
se-10-32-152-242# show ccn application
Name: ciscomwiapplication
Description: ciscomwiapplication
Script: setmwi.aef
ID number: 0
Enabled: yes
Maximum number of sessions: 8
strMWI_OFF_DN: 8000
strMWI_ON_DN: 8001
CallControlGroupID: 0
Name: voicemail
Description: voicemail
Script: voicebrowser.aef
ID number: 1
Enabled: yes
logoutUri: http://localhost/voicemail/vxmlscripts/m
bxLogout.jsp
uri: http://localhost/voicemail/vxmlscripts/l
ogin.vxml
Name: autoattendant
Description: autoattendant
Script: aa.aef
ID number: 2
Enabled: yes
MaxRetry: 3
operExtn: 0
welcomePrompt: AAWelcome.wav
OL-6574-01
34
Verify
Name: promptmgmt
Description: promptmgmt
Script: promptmgmt.aef
ID number: 3
Enabled: yes
The following is an example of output for the show ccn trigger command on Cisco Unity Express:
se-10-32-152-242# show ccn trigger
Name: 27749
Type: SIP
Application: voicemail
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Name: 27751
Type: SIP
Application: promptmgmt
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Name: 27748
Type: SIP
Application: autoattendant
Locale: en_US
Idle Timeout: 10000
Enabled: yes
se-10-32-152-242#
Verification Screens: Examples

The following display screen examples depict the graphical user interface for Cisco CallManager, Cisco
CallManager Express (Cisco CME) and Cisco Unity Express for verification purposes. These screen
examples are shown for your reference are presented in the following sections:
• Cisco CallManager Screen Examples, page 36
• Cisco CME Screen Examples, page 38
• Cisco Unity Express Screen Examples, page 40
OL-6574-01
35
Verify
Cisco CallManager Screen Examples

The screen display example below shows Cisco CallManager Release 3.3(3) trunk configuration for a
Cisco CME.
OL-6574-01
36
Verify
The screen display example below depicts media termination point (MTP) software configuration.
OL-6574-01
37
Verify
Cisco CME Screen Examples

The screen display example below identifies Cisco CallManager extensions.
OL-6574-01
38
Verify
The screen display example below provides details about Cisco CME phones.
OL-6574-01
39
Verify
Cisco Unity Express Screen Examples

The screen display example below lists voice mailboxes on Cisco Unity Express user configuration.
OL-6574-01
40
Verify
The screen display example below provides details about voice mailboxes on Cisco Unity Express.
OL-6574-01
41
Troubleshoot
The screen display example below depicts the Group Profile-Administrator display.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
See the following tech notes:
• IP Security Troubleshooting - Understanding and Using debug Commands
Troubleshooting Reference Documents and Commands

The following references and command recommendations offer guidance for troubleshooting Cisco
CME-based Cisco Unity Express implementations.
Note Before issuing debug commands, see Important Information on Debug Commands.
For troubleshooting and debugging VoIP call basics, see the following document:
• http://www.cisco.com/warp/public/788/voip/voip_debugcalls.html
OL-6574-01
42
Related Information
The following specific commands related to troubleshooting VoIP calls:

• show dialplan number—This command is used to show which dial peer is reached when a
particular telephone number is dialed.
• debug vtsp session—This command displays information to help you trace how the router interacts
with the DSP based on the signalling indications from the signalling stack and requests from the
application.
• debug vtsp dsp—This command displays the digits as they are received by the voice port.
• debug vtsp all—This command enables the following debug voice telephony service provider
(VTSP) commands: debug vtsp session, debug vtsp error, and debug vtsp dsp.
• debug vpm signal—This command collects debug information only for signaling events. This
command can also be useful in resolving problems with signaling to a PBX.
• debug voip ccapi—This command traces the execution path through the call control application
programming interface (API),, which serves as the interface between the call session application and
the underlying network-specific software. You can use the output from this command to understand
how calls are being handled by the router.
• debug vpm port—This command is to limit the debug output to a particular port. The debug output
can be quite voluminous for a single port. A six-port chassis might create problems. Use this debug
command with any or all of the other debug modes
Related Information
For additional information about Cisco CallManager Express, go to:
• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
For additional information about Cisco Unity Express, go to:
• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
OL-6574-01
43
Related Information
OL-6574-01
44
Easy VPN Configuration Example
This document provides a Easy VPN (EzVPN) sample configuration, using Cisco 1800 series,
Cisco 2800 series, and Cisco 3800 series routers.
Contents
• Before You Begin, page 2
• Verify, page 12
Introduction
This document provides a sample Easy VPN (or EzVPN) configuration with the following
characteristics:
• All traffic between two client branch sites and headquarters passes through a Virtual Private
Network (VPN) of IP Security (IPSec) encrypted tunnels.
• Techniques used include Internet Key Exchange (IKE) dead peer detection (DPD), split tunneling,
and group policy on the server with Domain Name Server (DNS) information, Windows Information
Name Service (WINS) information, domain name, and an IP address pool for clients.
• Headquarters uses an EzVPN concentrator, a Cisco 3800 series router, with an ATM interface.
• One branch uses a Cisco 2800 series router and employs a network-mode EzVPN client with a serial
interface, while another branch uses a Cisco 1800 series router and uses client mode EzVPN with
an SHDSL interface.
• The various show commands demonstrate configurations for the Internet Security Association Key
Management Protocol (ISAKMP) and IPSec Security Associations (SAs) on the EzVPN
concentrator, as well as IPSec client EzVPN status on the clients.

Before You Begin
List of Terms
ATM—Asynchronous Transfer Mode. A connection switching protocol that organizes data into 53-byte
cell units, transmitting them via digital signals. Each cell is processed asynchronously (hence the name)
relative to the transmission or arrival of other cells within a single message. Cells are also queued before
being transmitted in a multiplexing fashion. ATM can be used for many different services, including
voice, video, or data.
DNS—Domain Name Server. Maps names to Internet Protocol (IP) addresses and addresses to names.
Domain Name Servers maintain lists of domain name and IP address mappings.
DPD—Dead peer detection. An implementation of a client keepalive functionality, to check the
availability of the VPN device on the other end of an IPSec tunnel.
IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for
services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each
router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared
keys into both hosts or can be done by a certification authority (CA) service.
IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. IPSec provides these security services at the IP
layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to
generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host.
ISAKMP—Internet Security Association Key Management Protocol. A protocol for key exchange
encryption and authentication. ISAKMP requires at least one pair of messages to be exchanged between
two VPN-connected peers before a secure link can be established.
NETBEUI—NetBIOS extended user interface. A transport protocol associated with Microsoft-based
networks. Unlike TCP/IP, NETBEUI is not a routable network protocol.
NetBIOS—Network Basic Input/Output System. A peer-to-peer low-level networking protocol dating
back to the 1980s, NetBIOS links network operating systems with network hardware. NetBIOS is not
routable and must be encapsulated with TCP/IP to pass through routers.
SA—Security association. This is a unidirectional channel negotiated by IPSec, with a pair of SAs
required for two-way communication. SAs are used to index session keys and initialization vectors.
SHDSL—Symmetrical High-Speed Digital Subscriber Line. An implementation of DSL that operates at
equal speeds in both transmission directions, at rates from 192 kbps to 2.3 Mbps.
WINS—Windows Internet Naming Service. A service in Microsoft-based networks that translates
hostnames into IP addresses. Using NETBEUI protocol, it is also compatible with NetBIOS.
Before You Begin

The following are the requirements for using this configuration example.
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
OL-6340-01
2
Configure
Components Used
The information in this document is based on these software and hardware versions:
• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, and with ATM access to
the Internet
• At Branch 1, a Cisco 1841 router with a WIC-1SHDSL interface card installed, and with DSL access
to the Internet
• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet
• For Cisco 1800 series routers and Cisco 2800 series routers: Cisco IOS Release 12.3(8)T4
• For Cisco 3800 series routers: Cisco IOS Release 12.3(11)T
• Advanced Enterprise Services feature set
The information presented in this document resulted from the use of devices in a specific lab setup and
environment. All the devices used in this document started with a cleared (default) configuration. If you
are working in a live network, ensure that you understand the potential impact of any command before
you use it.
Note When configuring stateful failover for IPSec on the Cisco 2811 router, you may get the following
message if there is no AIM-VPN module installed:
%crypto_ha_ipsec-4-crypto_ha_not_supported_by_hw 2811
Once an AIM-VPN module is installed in the Cisco 2811 router, this error message will no longer appear.
Related Products
This configuration can also be used with the following hardware:
Configure
This section presents the information for configuring the features described in this document.
Note For additional information on the commands used in this document, use the Cisco IOS Command
Configuration Tips
• Make sure that the tunnels work before you apply the crypto maps.
OL-6340-01
3
Configure
• Apply IPSec crypto maps to both the tunnel interface and the physical interface
Network Diagram
This document uses the network setup shown in the following illustration:
3
1 6
2 5 IP IP IP
4 7
9
117861
IP IP IP IP IP IP
Following are the callout terms and definitions for the diagram, identified by number:
1. Headquarters location 6. DSL link from the Branch 1 router to the

Internet
2. ATM link from the Headquarters router to the 7. Serial link from the Branch 2 router to the
Internet Internet
3. VPN tunnel through the Internet to Branch 1 8. Branch 1 location
4. VPN tunnel through the Internet to Branch 2 9. Branch 2 location
5. The Internet, represented by the cloud
The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:
• EzVPN server
• ATM access to the Internet
• Operating in a Cisco CallManager cluster
• Public IP address: 10.32.152.26
• Private IP address pool: 192.168.1.0/24
The Branch 1 location (callout 8) uses a Cisco 1841 router with these characteristics:
• EzVPN client using client mode
• DSL access to the Internet
• WIC-1SHDSL interface card installed
OL-6340-01
4
Configure
OL-6340-01
5
Configure
• EzVPN client using network mode
• Serial access to the Internet
Configurations
This example uses these configurations:
• Headquarters Office Configuration (Cisco 3845 Router), page 5
• Branch 1 Router Configuration (Cisco 1841 Router), page 8
Headquarters Office Configuration (Cisco 3845 Router)

EzVPN-Hub# show running-config
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname EzVPN-Hub
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXnGodPh8ZM/ka6k/9aO51
!
username admin secret 5 $1$cfjP$kKpB7e3pfKXfpK0RIqX/E.
username ezvpn-spoke2 secret 5 $1$vrSS$AhSPxEUnPOsSpJkGdzjXg/
username ezvpn-spoke1 secret 5 $1$VK0p$4D0YXNOtC6K7MR4/vinUL.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
ip subnet-zero
!
ip cef
no ip domain lookup
ip audit notify log
ip audit po max-events 100
OL-6340-01
6
Configure
no ftp-server write-enable
voice-card 0
no dspfarm
!
!--- IKE configuration
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group VPN1
acl SPLIT_T
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
key cisco123
dns 192.168.168.183 192.168.226.120
wins 192.168.179.89 192.168.2.87
domain cisco.com
pool VPN-POOL
save-password
!
!--- IPSec configuration
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
!
!
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface ATM0/0/0
description === public interface ===
ip address 10.32.152.26 255.255.255.252
no atm ilmi-keepalive
pvc 10/100
OL-6340-01
7
Configure
protocol ip 10.32.152.25 broadcast

!
crypto map INT_MAP
!
no ip address
shutdown
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
OL-6340-01
8
Configure
no ip address
!
!-- Entries for FastEthernet 4/16 through 4/35 omitted for redundancy
!
no ip address
shutdown
!
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
!
!
ip local pool VPN-POOL 10.1.1.1 10.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
!
ip http server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login authentication USERLIST
!
!
end
!
Branch 1 Router Configuration (Cisco 1841 Router)

EzVPN-Spoke-1# show running-config
.
.
!
version 12.3
no service pad
!
hostname EzVPN-Spoke-1
!
boot-start-marker
boot-end-marker
!
OL-6340-01
9
Configure
enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkH/YyrP.

!
username admin password 7 0519030B234D5C0617
memory-size iomem 20
no mmi pvc
aaa new-model
!
!
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool PRIVATE_DHCP
import all
network 192.168.2.0 255.255.255.0
!
!
no ip domain lookup
ip ssh time-out 30
!
!
crypto ipsec client ezvpn VPN1
connect auto
group VPN1 key cisco123
mode client
peer 10.32.152.26
username ezvpn-spoke1 password cisco1
!
description === private interface ===
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN1 inside
!
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
pvc 0/35
encapsulation aal5snap
!
pvc 8/35
OL-6340-01
10
Configure
encapsulation aal5mux ppp dialer

dialer pool-member 1
!
!
interface Dialer0
ip address 10.32.152.46 255.255.255.252
encapsulation ppp
dialer pool 1
dialer-group 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.45
!
ip http server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
!
end

EzVPN-Spoke-2# show running-config
.
!
version 12.3
no service pad
!
hostname EzVPN-Spoke-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpuEPg5s7ow/
!
username admin password 7 10481A110C07
aaa new-model
!
!
ip subnet-zero
!
!
ip cef
OL-6340-01
11
Configure
!
ip dhcp pool PRIVATE_DHCP
import all
network 192.168.3.0 255.255.255.0
!
!
no ip domain lookup
!
voice-card 0
no dspfarm
!
!
connect auto
group VPN1 key cisco123
mode network-extension
peer 10.32.152.26
username ezvpn-spoke2 password cisco2
!
description === private interface ===
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn VPN1 inside
!
no ip address
duplex auto
speed auto
shutdown
!
ip address 10.32.150.46 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
!
ip http server
!
control-plane
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end
OL-6340-01
12
Verify
Verify
This section provides instructions for verifying that your configuration works properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which
allows you to view an analysis of show command output. In summary:
• show crypto engine connections active—Shows the encrypted and decrypted packets.
• show crypto ipsec sa—Shows the phase 2 IPSec security associations for the hub.
• show crypto ipsec client ezvpn—Shows the phase 2 IPSec security associations for the EzVPN
client.
• show crypto isakmp sa—Shows the phase 1 ISAKMP security associations.
One of the first indications of successful IPSec negotiation is a message displayed on the Virtual Private
Network (VPN) concentrator console. Upon successful IPSec negotiation by the EzVPN clients, a
message similar to the following is displayed on the VPN concentrator console, indicating the
establishment of crypto connections to the remote EzVPN clients.
EzVPN-Hub#
*Feb 23 10:33:10.663: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer

10.32.150.46:500 Id: VPN1
*Feb 23 10:33:37.439: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer
10.32.152.46:500 Id: VPN1
The following examples show sample output for the show crypto ipsec sa and show crypto ipsec client
ezvpn commands.
The following is sample output from the show crypto ipsec sa command, performed using the
configuration on the EzVPN Hub location:
EzVPN-Hub# show crypto ipsec sa
interface: ATM0/0/0
Crypto map tag: INT_MAP, local addr. 10.32.152.26
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)
current_peer: 10.32.152.46:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.152.46

path mtu 4470, media mtu 4470
current outbound spi: EBA2AC93
OL-6340-01
13
Verify
inbound esp sas:

spi: 0xDBEB20(14412576)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5131, flow_id: 11, crypto map: INT_MAP
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (4570368/14331)
ike_cookies: 787F69F1 41C7488D 92A37C71 AE8FEC38
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xEBA2AC93(3953306771)
ike_cookies: 787F69F1 41C7488D 92A37C71 AE8FEC38
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
protected vrf:
current_peer: 10.32.150.46:500
PERMIT, flags={}

current outbound spi: 59C46762
inbound esp sas:

spi: 0xA9344358(2838774616)
ike_cookies: A479BC19 B6199FB9 E043AE83 9DECB0E8
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
OL-6340-01
14
Troubleshoot
outbound esp sas:

spi: 0x59C46762(1506043746)
ike_cookies: A479BC19 B6199FB9 E043AE83 9DECB0E8
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
The following is sample output from the show crypto ipsec client ezvpn command, performed using the
configuration on the EzVPN Spoke 1 location:
EzVPN-Spoke-1#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : VPN1

Inside interface list: FastEthernet0/0,
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.1.1.3
Mask: 255.255.255.255
DNS Primary: 192.168.168.183
DNS Secondary: 192.168.226.120
NBMS/WINS Primary: 192.168.179.89
NBMS/WINS Secondary: 192.168.2.87
Default Domain: cisco.com
The following is sample output from the show crypto ipsec client ezvpn command, performed using the
configuration on the EzVPN Spoke 2 location:
EzVPN-Spoke-2#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : VPN1

Inside interface list: FastEthernet0/0,
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
DNS Primary: 192.168.168.183
DNS Secondary: 192.168.226.120
NBMS/WINS Primary: 192.168.179.89
NBMS/WINS Secondary: 192.168.2.87
Default Domain: cisco.com
Troubleshoot
This section provides information for troubleshooting your configuration.
See the following tech note:
OL-6340-01
15
Troubleshoot
The following debug commands must be running on both IPSec routers (peers). Security associations
must be cleared on both peers.
• debug crypto engine—Displays information pertaining to the crypto engine, such as when
Cisco IOS software is performing encryption or decryption operations.
• debug crypto ipsec—Displays the IPSec negotiations of phase 2.
• debug crypto ipsec client ezvpn—Displays the negotiation of the EzVPN client to the VPN
concentrator.
• debug crypto isakmp—Displays the ISAKMP negotiations of phase 1.
• clear crypto ipsec client ezvpn—Clears an existing EzVPN connection.
• clear crypto isakmp—Clears the security associations for phase 1.
• clear crypto sa—Clears the security associations for phase 2.
The following is an example of output for the debug crypto ipsec client ezvpn command:
EzVPN-Spoke-1# debug crypto ipsec client ezvpn
*May 24 03:04:51.923: EZVPN(VPN1): New State: CONNECT_REQUIRED

!
!--- The following line shows the connection going down, not part of the debug output.
!
*May 24 03:04:51.923: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer
10.32.152.26:500 Id: 10.32.152.26
!
!---Debug output resumes
!
*May 24 03:04:51.927: EZVPN(VPN1): Current State: CONNECT_REQUIRED
*May 24 03:04:51.927: EZVPN(VPN1): Event: CONNECT
*May 24 03:04:51.927: EZVPN(VPN1): ezvpn_connect_request
*May 24 03:04:51.927: EZVPN(VPN1): New State: READY
*May 24 03:04:51.999: EZVPN(VPN1): Current State: READY
*May 24 03:04:51.999: EZVPN(VPN1): Event: CONN_UP
*May 24 03:04:51.999: EZVPN(VPN1): ezvpn_conn_up 7F890E16 DB923EE3 67C9C0D2 7EE723AC
*May 24 03:04:51.999: EZVPN(VPN1): No state change
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQUEST
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_xauth_request
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_parse_xauth_msg
*May 24 03:04:52.007: EZVPN: Attributes sent in xauth request message:
*May 24 03:04:52.007: XAUTH_USER_NAME_V2(VPN1):
*May 24 03:04:52.007: XAUTH_USER_PASSWORD_V2(VPN1):
*May 24 03:04:52.007: EZVPN(VPN1): send saved username ezvpn-spoke1 and password <omitted>
*May 24 03:04:52.007: EZVPN(VPN1): New State: XAUTH_REQ
*May 24 03:04:52.007: EZVPN(VPN1): Current State: XAUTH_REQ
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQ_INFO_READY
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_xauth_reply
*May 24 03:04:52.007: XAUTH_USER_NAME_V2(VPN1): ezvpn-spoke1
*May 24 03:04:52.011: XAUTH_USER_PASSWORD_V2(VPN1): <omitted>
*May 24 03:04:52.011: EZVPN(VPN1): New State: XAUTH_REPLIED
*May 24 03:04:52.023: EZVPN(VPN1): Current State: XAUTH_REPLIED
*May 24 03:04:52.023: EZVPN(VPN1): Event: XAUTH_STATUS
*May 24 03:04:52.023: EZVPN(VPN1): New State: READY
OL-6340-01
16
Related Information

*May 24 03:04:52.039: EZVPN(VPN1): Event: MODE_CONFIG_REPLY
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_mode_config
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_parse_mode_config_msg
*May 24 03:04:52.039: EZVPN: Attributes sent in message:
*May 24 03:04:52.039: Address: 10.1.1.4
*May 24 03:04:52.039: DNS Primary: 192.168.168.183
*May 24 03:04:52.039: DNS Secondary: 192.168.226.120
*May 24 03:04:52.039: NBMS/WINS Primary: 192.168.179.89
*May 24 03:04:52.039: NBMS/WINS Secondary: 192.168.2.87
*May 24 03:04:52.039: Split Tunnel List: 1
*May 24 03:04:52.039: Address : 192.168.0.0
*May 24 03:04:52.039: Mask : 255.255.0.0
*May 24 03:04:52.039: Protocol : 0x0
*May 24 03:04:52.039: Source Port: 0
*May 24 03:04:52.039: Dest Port : 0
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: SPLIT_DNS (0x7003)
*May 24 03:04:52.039: Default Domain: cisco.com
*May 24 03:04:52.039: Savepwd on
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: BACKUP_SERVER (0x7009)
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_nat_config
*May 24 03:04:52.043: EZVPN(VPN1): New State: SS_OPEN
*May 24 03:04:52.047: EZVPN(VPN1): Current State: SS_OPEN
*May 24 03:04:52.047: EZVPN(VPN1): Event: SOCKET_READY
!
!--- The following line shows the connection coming up, not part of the debug output.
!
*May 24 03:04:52.075: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer
10.32.152.26:500 Id: 10.32.152.26
!
!---Debug output resumes
!
*May 24 03:04:52.079: EZVPN(VPN1): Event: MTU_CHANGED
*May 24 03:04:52.079: EZVPN(VPN1): Event: SOCKET_UP
*May 24 03:04:52.079: ezvpn_socket_up
*May 24 03:04:52.079: EZVPN(VPN1): New State: IPSEC_ACTIVE
Related Information
• Cisco IOS Wide-Area Networking Configuration Guide
• Cisco IOS Dial Technologies Configuration Guide
• Cisco IOS Security Configuration Guide
• Cisco IOS Interface and Hardware Component Configuration Guide
• Cisco Technical Assistance Center
OL-6340-01
17
Related Information
OL-6340-01
18
Related Information
OL-6340-01
19
Related Information
OL-6340-01
20
Hoot and Holler over V3PN Configuration
Example
This document provides a configuration example that illustrates a basic multicast-based voice
application over a Cisco Virtual Private Network (VPN).
Contents
• Prerequisites, page 2
• Verify, page 17
Introduction
This document provides a configuration example for Cisco Voice and Video over VPN (V3PN). The
voice application used in this example is Hoot and Holler, which is typically used in trading floor
financial institutions for communications to branch offices. The configuration scenario emphasizes
implementation of the quality of service (QoS) and VPN capabilities; the configuration has the following
characteristics:
• All traffic between two client branch sites and headquarters passes through a VPN of IPSec-
encrypted tunnels.
• This implementation of Cisco V3PN features the use of Protocol Independent Multicast (PIM) in
Sparse Mode and Auto-RP. The routing protocol used to transport traffic is Open Shortest Path First
(OSPF).
• The techniques used include Internet Key Exchange/Dead Peer Detection (IKE/DPD), split
tunneling, and group policy on the server with Domain Name System (DNS) information, Windows
Information Name Service (WINS) information, domain name, and an IP address pool for clients.
• Headquarters uses a Cisco 3800 series router with an ATM interface.

Hoot and Holler over V3PN Configuration Example
Prerequisites
• One branch uses a Cisco 2800 series router and employs a serial interface, while another branch with
a Cisco 2800 Series router uses a Symmetrical High-Speed Digital Subscriber Line (SHDSL)
interface.
• The various show commands demonstrate configurations for the Internet Security Association Key
Management Protocol (ISAKMP) and IP Security (IPSec) security associations (SA) on the
concentrator, as well as status on the clients.
Prerequisites
The following sections provide information important to understand this configuration example. Read
these sections before you continue with the configuration example:
• Conventions
• Requirements
• Related Products
• Components Used
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, with ATM access to the
Internet
• At Branch 1, a Cisco 2801 router with a WIC-SHDSL-V2 interface card installed, and with DSL
access to the Internet
• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet
• Cisco IOS Release 12.3(11)T or later releases
• Advanced Enterprise Services feature set
The information presented in this document was created from the devices in a specific lab environment.
All of the devices used in this document started with a cleared (default) configuration. If your network
is live, make sure that you understand the potential impact of any command.
Related Products
This configuration can also be used with the following hardware and software:
• For Cisco 2800 series routers, Cisco IOS Release 12.3(8)T4 or later releases. For Cisco 3800 series
routers, Cisco IOS Release 12.3(11)T and later releases.
OL-6573-01
2
Configure
Conventions
For information on document conventions, see the Cisco Technical Tips Conventions.
Configure
document.
Note For additional information on the commands used in this document, use the Cisco IOS Command
Configuration Tips
• Make sure that the tunnels work before you apply the crypto maps.
• Apply IPSec crypto maps to both the tunnel interface and the physical interface.
Network Diagram
This document uses the network setup shown in the diagram below.
1
6
3
IP IP IP
2
7 9
5
121225
IP IP IP
OL-6573-01
3
Configure
Following are the callout terms and definitions for the diagram, identified by number:
1 Headquarters location 6 DSL link from the Branch 1 router to the

Internet
2 ATM link from the Headquarters router to the 7 Serial link from the Branch 2 router to the
Internet Internet
3 VPN tunnel through the Internet to Branch 1 8 Branch 1 location
4 The Internet, as represented by the cloud 9 Branch 2 location
5 VPN tunnel through the Internet to Branch 2
The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:
• ATM access to the Internet
• Operating in a Cisco CallManager cluster
• DSL access to the Internet
• WIC-SHDSL-V2 interface card installed
• Serial access to the Internet
• Public IP address: 10.32.150.46/30
Configurations
This document uses the following configurations:
• Headquarters Office Configuration (Cisco 3845 Router), page 4
Headquarters Office Configuration (Cisco 3845 Router)

HUB-R1# show running-config

!
version 12.3
no service pad
OL-6573-01
4
Configure

!
hostname HUB-R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXmGodPh8ZM/ka6k/9aO51
!
username cisco secret 5 $1$cfjP$kKpBWe3pfKXfpK0RIqX/E.
aaa new-model
!
!
! ENABLE AAA AND USE LOCAL AUTHENTICATION FOR VPN CONNECTIONS
!
ip subnet-zero
ip cef
!
! CREATE DHCP POOL FOR INTERNAL CLIENTS ON VLAN 10
!
!
ip dhcp pool LOCAL
network 192.168.1.0 255.255.255.0
!
!
no ip domain lookup
! ENABLE MULTICAST ROUTING
voice-card 0
no dspfarm
!
!
!
signal timing oos timeout 65535
!
!
controller T1 0/2/0
framing sf
linecode ami
!
controller T1 0/2/1
framing sf
linecode ami
OL-6573-01
5
Configure
! CLASSIFY DIFFERENT QOS TRAFFIC, SETTING IP PRECEDENCE AND DSCP

!
class-map match-all data
match ip precedence 2
class-map match-all control-traffic
match ip dscp af31
class-map match-all video
class-map match-all voice
match ip dscp ef
!
!
! ALLOCATE AVAILABLE BANDWIDTH FOR EACH QOS CLASSIFICATION, DEPENDING ON EXPECTED NEED
! FOR EXAMPLE, DSCP VALUE EF (CLASS VOICE) WILL BE GIVEN 35% OF THE BANDWIDTH
!
policy-map LLQ
class control-traffic
bandwidth percent 5
class voice
priority percent 35
class video
bandwidth percent 15
class data
class class-default
fair-queue
!
!
! SET THE IKE POLICY TO USE 3DES
!
encr 3des
group 2
!
!SPECIFY THAT ISAKMP CLIENTS (SPOKE ROUTERS) WILL NOT NEED TO USE XAUTH (USERNAME AND
PASSWORD) WHEN CONNECTING
!
crypto isakmp key cisco address 10.32.150.46 no-xauth
!
!
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
!
! DEFINE THE REMOTE SPOKES, THEIR IP ADDRESSES AND ANY POLICIES THAT NEED TO BE
IMPLEMENTED
crypto map INT_CM 1 ipsec-isakmp
description === Peer device = Branch-2 ===
set peer 10.32.150.46
set transform-set TRANSFORM_1
match address IPSEC_ACL_1
set peer 10.32.153.34
!
!
!
OL-6573-01
6
Configure
! CREATE TUNNELS TO THE SPOKE ROUTERS. THE MTU IS LOWERED TO ALLOW THE GRE AND IP-SEC
HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE
SPECIFIED
!
interface Tunnel0
bandwidth 10000
ip unnumbered Vlan10
ip mtu 1420
qos pre-classify
tunnel source ATM1/0
tunnel destination 10.32.150.46
crypto map INT_CM
!
interface Tunnel1
bandwidth 10000
ip unnumbered Vlan10
ip mtu 1420
qos pre-classify
tunnel source ATM1/0
crypto map INT_CM
!
! THIS LOOPBACK INTERFACE ACTS AS THE MULTICAST RP
!
interface Loopback100
ip address 192.168.4.1 255.255.255.255
!
! THIS VIF INTERFACE IS USED AS THE MULTICAST SOURCE FOR THE VOICE ENDPOINT
interface Vif1
ip address 192.168.6.1 255.255.255.0
!
! NOT USED
!
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
! NOT USED
!
no ip address
shutdown
duplex auto
speed auto
media-type rj45
no negotiation auto
!
! INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 10/100 IS USED IN THIS EXAMPLE. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED
HERE
interface ATM1/0
description === Public interface ===
bandwidth 155000
OL-6573-01
7
Configure
ip address 10.32.152.26 255.255.255.252

crypto map INT_CM
pvc 10/100
protocol ip 10.32.152.25 broadcast
vbr-rt 100000 100000
service-policy output LLQ
!
! PLACE ALL SWITCHPORT INTERFACES INTO VLAN 10
!
no ip address
!
no ip address
!
! ... REDUNDANT FAST ETHERNET CONFIGURATION OMITTED.
!
no ip address
!
no ip address
shutdown
!
interface Vlan1
no ip address
!
! INTERFACE FOR CONNECTING INTERNAL HOSTS.
!
interface Vlan10
description === Private interface ===
ip address 192.168.1.1 255.255.255.0
!
! ENABLE ROUTING FOR ALL RELEVANT NETWORKS (INTERNAL USER SUBNET, LOOPBACK FOR RP AND VIF
FOR VOICE)
!
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.4.1 0.0.0.0 area 0
network 192.168.6.0 0.0.0.255 area 0
!
! DEFINE STATIC ROUTES SO THAT THE REMOTE NETWORKS STAY IN THE ROUTING TABLE, EVEN IF
CONNECTION IS LOST
! THIS PREVENTS ROUTING TABLE FLAPS
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
ip route 192.168.2.0 255.255.255.0 Null0 249
ip route 192.168.3.0 255.255.255.0 Null0 249
!
ip http server
!
! CONFIGURE AUTOMATIC DISCOVERY OF GROUP-TO-RENDEZVOUS POINT (AUTO-RP)
!
ip pim send-rp-announce Loopback100 scope 5
ip pim send-rp-discovery Loopback100 scope 5
OL-6573-01
8
Configure
! SPECIFY TRAFFIC TO BE ENCRYPTED (HERE IT'S ALL GRE TRAFFIC)

!
ip access-list extended IPSEC_ACL_1
permit gre host 10.32.152.26 host 10.32.150.46
!
!
control-plane
!
!CONFIGURE THE VOICE PORT AND LINK IT TO DIAL-PEER 100. THIS CONNECTION IS PERMANENT. THE
VOICE-CLASS WAS DEFINED EARLIER IN THE CONFIGURATION, AND ESTABLISHES AN 'ALWAYS ON'
CONNECTION
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
!
!THIS DIAL-PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239.168.1.100. g711 CODEC (64k)
IS USED, AND VAD IS ENABLED
!
codec g711ulaw
vad aggressive
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
end
!

Branch-1# show running-config

!
! Last configuration change at 03:11:55 UTC Sat Apr 17 2004
! NVRAM config last updated at 02:03:50 UTC Sat Apr 17 2004
!
version 12.3
!
!
OL-6573-01
9
Configure
hostname Branch-1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkR/YyrP.
!
username cisco password 7 0519050B234D5C0617
no mmi pvc
aaa new-model
!
!
ip subnet-zero
ip cef
!
!
!
ip dhcp pool LOCAL
network 192.168.2.0 255.255.255.0
!
!
no ip domain lookup
ip ssh time-out 30
voice-card 0
!
!
no virtual-template subinterface
!
!
!
!
!
!
controller T1 3/0
framing sf
linecode ami
OL-6573-01
10
Configure
controller T1 3/1
framing sf
linecode ami
!
! CLASSIFY DIFFERENT QOS TRAFFIC, SETTING IP PRECEDENCE AND DSCP
!
match ip dscp af31
match ip dscp ef
!
! ALLOCATE AVAILABLE BANDWIDTH FOR EACH QOS CLASSIFICATION, DEPENDING ON EXPECTED NEED
! FOR EXAMPLE, DSCP VALUE EF (CLASS VOICE) WILL BE GIVEN 35% OF THE BANDWIDTH
!
policy-map LLQ
bandwidth percent 5
class voice
priority percent 35
class video
class data
class class-default
fair-queue
!
!
! SET THE IKE POLICY TO USE 3DES
!
encr 3des
group 2
!
!
!
! SPECIFY REMOTE PEER
!
description === Peer device = HUB-R1 ===
set peer 10.32.152.26
!
!
! CREATE TUNNEL TO THE HUB ROUTERS. THE MTU IS LOWERED TO ALLOW THE GRE AND IPSEC HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE
SPECIFIED
!
!
interface Tunnel0
bandwidth 10000
ip unnumbered FastEthernet0/0
ip mtu 1420
OL-6573-01
11
Configure
qos pre-classify
tunnel source 10.32.153.34
crypto map INT_CM
!
! VIF INTERFACE FOR MULTICAST SOURCE ADDRESS (USED FOR VOICE MULTICAST)
!
interface Vif1
ip address 192.168.7.1 255.255.255.0
!
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
no ip address
shutdown
duplex auto
speed auto
!
! DSL INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 8/35 IS USED IN THIS EXAMPLE.
!
interface ATM2/0
no ip address
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
pvc 0/35
encapsulation aal5snap
!
pvc 8/35
vbr-nrt 2000 1000
encapsulation aal5mux ppp Virtual-Template1
!
!
no ip address
!
no ip address
!
no ip address
!
no ip address
!
! LOGICAL INTERFACE FOR DSL LINK. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED HERE
! PPP MULTILINK IS ENABLED SO INTERFACE CAN SUPPORT QOS
!
interface Virtual-Template1
ip address 10.32.153.34 255.255.255.252
ppp multilink
ppp multilink fragment delay 8
ppp multilink interleave
crypto map INT_CM
OL-6573-01
12
Configure
interface Vlan1
no ip address
!
router ospf 1
network 192.168.2.0 0.0.0.255 area 0
network 192.168.7.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.153.33
ip route 192.168.1.0 255.255.255.0 Null0 249
!
ip http server
!
! SPECIFY TRAFFIC TO BE ENCRYPTED (HERE IT'S ALL GRE TRAFFIC)
!
!
!
!
control-plane
!
!
!
! CONFIGURE THE VOICE PORT AND LINK IT TO DIAL-PEER 100. THIS CONNECTION IS PERMANENT. THE
VOICE-CLASS WAS DEFINED EARLIER IN
! THE CONFIGURATION, AND ESTABLISHES AN 'ALWAYS ON' CONNECTION
!
voice-port 1/0
!
voice-port 1/1
!
voice-port 1/2
!
voice-port 1/3
!
!
!THIS DIAL-PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239.168.1.100. g711 CODEC (64k)
IS USED, AND VAD IS ENABLED
!
codec g711ulaw
vad aggressive
!
!
!
line con 0
line aux 0
line vty 0 4
!
end
OL-6573-01
13
Configure

Branch-2# show running-config

!
version 12.3
!
hostname Branch-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpDEPg5s7ow/
!
username cisco password 7 10481A170C07
no mmi pvc
aaa new-model
!
!
ip subnet-zero
ip cef
!
!
!
ip dhcp pool LOCAL
network 192.168.3.0 255.255.255.0
!
!
no ip domain lookup
ip audit notify log
ip audit po max-events 100
!
voice-card 0
no dspfarm
!
!
!
!
!
encr 3des
group 2
OL-6573-01
14
Configure

!
!
!
set peer 10.32.152.26
!
!
!
match ip dscp af31
match ip dscp ef
!
!
policy-map LLQ
bandwidth percent 5
class voice
priority percent 35
class video
class data
class class-default
fair-queue
!
!
!
interface Tunnel0
bandwidth 10000
ip unnumbered FastEthernet0/0
ip mtu 1420
qos pre-classify
tunnel source Serial0/0/0
crypto map INT_CM
!
interface Vif1
ip address 192.168.5.1 255.255.255.0
!
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
no keepalive
!
!
!
OL-6573-01
15
Configure
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/3/0
no ip address
shutdown
!
no ip address
shutdown
!
no ip address
shutdown
!
no ip address
shutdown
!
ip address 10.32.150.46 255.255.255.252
crypto map INT_CM
!
interface Vlan1
no ip address
!
router ospf 1
network 192.168.3.0 0.0.0.255 area 0
network 192.168.5.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
!
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
!
dial-peer cor custom
!
!
OL-6573-01
16
Verify

codec g711ulaw
vad aggressive
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 0002000E0D4B
!
!
end
Verify
This section provides information you can use to confirm your configuration is working properly. The
verification process includes two parts:
• Verify Headquarters Connectivity, page 17
• Verify Remote Location Connectivity, page 27
Verify Headquarters Connectivity

which allows you to view an analysis of show command output.
In summary:
• show crypto isakmp sa—Shows whether the remote routers have successfully connected.
• show crypto ipsec sa—Shows information about each IPSec SA.
• show ip ospf neighbor—Shows whether the router has Open Shortest Path First (OSPF) neighbors.
• show ip route—Shows whether the remote networks and multicast subnets are accessible (assess
routing table).
• show ip pim neighbor—After a routing table is verified, shows whether a valid Protocol
Independent Multicast (PIM) neighbor exists.
• show ip pim rp map—Shows whether the rendezvous point (RP) (in this instance, the router) is
being correctly learned.
• show ip mroute active—Shows whether any active multicast streams exist (in this case, voice
streams).
• show voice trunk-conditioning supervisory—Shows whether the voice port connection is up.
• show voip rtp connections—Presents sources and destination of a RTP voice stream.
OL-6573-01
17
Verify
• show voice call summary—Shows information about a call (such as the codec being used or the
state of the phone).
• show class-map—Displays the QoS marking scheme (such as voice traffic that is marked up). This
defines it as a V3PN implementation.
• show policy-map interface atm 1/0 output—Shows how traffic has been queued on the ATM
interface. Note that different queues have different packet counts because traffic is assigned on the
basis of differentiated services code point (DCSP) and IP precedence values.
• show crypto engine brief—Shows the VPN engine currently being run.
Representative output from each of these commands is presented in the verification summaries that
follow.
Note Relevant display output is highlighted in bold text as appropriate.
The following is an output example for the show crypto isakmp sa command, performed using the
configuration on the Headquarters router:
HUB-R1# show crypto isakmp sa
dst src state conn-id slot

10.32.152.26 10.32.153.34 QM_IDLE 29 0
10.32.152.26 10.32.150.46 QM_IDLE 31 0
The following is an output example for the show crypto ipsec sa command, performed using the
HUB-R1# show crypto ipsec sa
interface: Tunnel0
Crypto map tag: INT_CM, local addr. 10.32.152.26
protected vrf:
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}

current outbound spi: 69111392
inbound esp sas:

spi: 0xD5823DEF(3582082543)
transform: esp-3des esp-sha-hmac ,
slot: 0, conn id: 5213, flow_id: 93, crypto map: INT_CM
ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
IV size: 8 bytes
inbound ah sas:
OL-6573-01
18
Verify
inbound pcp sas:
outbound esp sas:

spi: 0x69111392(1762726802)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
protected vrf:
current_peer: 10.32.150.46:500

current outbound spi: D3C362F0
inbound esp sas:

spi: 0x4589EBE8(1166666728)
ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
IV size: 8 bytes
spi: 0xC172073D(3245475645)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x2A87D473(713544819)
OL-6573-01
19
Verify

IV size: 8 bytes
spi: 0xD3C362F0(3552797424)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
interface: Tunnel1
protected vrf:
current_peer: 10.32.153.34:500

inbound esp sas:

spi: 0xD5823DEF(3582082543)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x69111392(1762726802)
IV size: 8 bytes
outbound ah sas:
OL-6573-01
20
Verify
outbound pcp sas:
protected vrf:
current_peer: 10.32.150.46:500

inbound esp sas:

spi: 0x4589EBE8(1166666728)
IV size: 8 bytes
spi: 0xC172073D(3245475645)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x2A87D473(713544819)
IV size: 8 bytes
spi: 0xD3C362F0(3552797424)
IV size: 8 bytes
outbound ah sas:
OL-6573-01
21
Verify
outbound pcp sas:
interface: ATM1/0
protected vrf:
current_peer: 10.32.153.34:500

inbound esp sas:

spi: 0xD5823DEF(3582082543)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x69111392(1762726802)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
protected vrf:
current_peer: 10.32.150.46:500
OL-6573-01
22
Verify

inbound esp sas:

spi: 0x4589EBE8(1166666728)
IV size: 8 bytes
spi: 0xC172073D(3245475645)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x2A87D473(713544819)
IV size: 8 bytes
spi: 0xD3C362F0(3552797424)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
The following is an output example for the show ip ospf neighbors command, performed using the
HUB-R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface

192.168.7.1 0 FULL/ - 00:00:39 192.168.2.1 Tunnel1
192.168.5.1 0 FULL/ - 00:00:36 192.168.3.1 Tunnel0
OL-6573-01
23
Verify
The following is an output example for the show ip route command, performed using the configuration
on the Headquarters router:
HUB-R1# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
192.168.4.0/32 is subnetted, 1 subnets

C 192.168.4.1 is directly connected, Loopback100
O 192.168.5.0/24 [110/11] via 192.168.3.1, 00:12:48, Tunnel0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.32.152.24/30 is directly connected, ATM1/0
C 192.168.6.0/24 is directly connected, Vif1
O 192.168.7.0/24 [110/11] via 192.168.2.1, 00:12:48, Tunnel1
C 192.168.1.0/24 is directly connected, Vlan10
O 192.168.2.0/24 [110/11] via 192.168.2.1, 00:12:50, Tunnel1
O 192.168.3.0/24 [110/11] via 192.168.3.1, 00:12:50, Tunnel0
S* 0.0.0.0/0 [1/0] via 10.32.152.25
The following is an output example for the show ip pim neighbors command, performed using the
HUB-R1# show ip pim neighbor
PIM Neighbor Table

Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.3.1 Tunnel0 00:13:52/00:01:40 v2 1 / S
192.168.2.1 Tunnel1 00:13:44/00:01:18 v2 1 / S
The following is an output example for the show ip pim rp map command, performed using the
HUB-R1# show ip pim rp map
PIM Group-to-RP Mappings

This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback100)
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Info source: 192.168.4.1 (?), elected via Auto-RP
Uptime: 2d02h, expires: 00:02:25
The following is an output example for the show ip mroute active command, performed using the
HUB-R1# show ip mroute active
Active IP Multicast Sources - sending >= 4 kbps
Group: 239.168.1.100, (?)

Source: 192.168.5.2 (?)
Rate: 0 pps/0 kbps(1sec), 0 kbps(last 0 secs), 2 kbps(life avg)
Source: 192.168.7.2 (?)
OL-6573-01
24
Verify
The following is an output example for the show voice trunk-conditioning supervisory command,
performed using the configuration on the Headquarters router:
HUB-R1# show voice trunk-conditioning supervisory
SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
status: trunk connected
sequence oos : no-action
pattern :
timing : idle = 0, restart = 0, standby = 0, timeout = 65535
supp_all = 0, supp_voice = 0, keep_alive = 0
timer: oos_ais_timer = 0, timer = 0
The following is an output example for the show voip rtp connections command, performed using the
HUB-R1# show voip rtp connections

1 16 15 20380 19890 192.168.6.2 239.168.1.100
The following is an output example for the show voice call summary command, performed using the
HUB-R1# show voice call summary

============== ======== === ==================== ======================
The following is an output example for the show class-map command, performed using the
HUB-R1# show class-map
Class Map match-all control-traffic (id 1)

Match ip dscp af31
Class Map match-any class-default (id 0)

Match any
Class Map match-all video (id 3)

Match ip precedence 4
Class Map match-all voice (id 2)

Match ip dscp ef
The following is an output example for the show policy-map interface atm 1/0 output command,
performed using the configuration on the Headquarters router:
HUB-R1# show policy-map interface atm 1/0 output
ATM1/0: VC 10/100 -
Service-policy output: LLQ
Class-map: control-traffic (match-all)

180010 packets, 43922248 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
OL-6573-01
25
Verify
Match: ip dscp af31

Queueing
Output Queue: Conversation 265
Bandwidth 5 (%)
Bandwidth 5000 (kbps) Max Threshold 64 (packets)
(pkts matched/bytes matched) 89887/21932300
(depth/total drops/no-buffer drops) 0/0/0
Class-map: voice (match-all)

6485132 packets, 1893649352 bytes
Match: ip dscp ef
Queueing
Strict Priority
Bandwidth 35 (%)
Bandwidth 35000 (kbps) Burst 875000 (Bytes)
(total drops/bytes drops) 48/14016
Class-map: video (match-all)

0 packets, 0 bytes
Match: ip precedence 4
Queueing
Bandwidth 15 (%)
Class-map: data (match-all)

0 packets, 0 bytes
Queueing
Bandwidth 20 (%)
Class-map: class-default (match-any)

Match: any
Queueing
Flow Based Fair Queueing
Maximum Number of Hashed Queues 256
(total queued/total drops/no-buffer drops) 0/0/0
The following is an output example for the show crypto engine brief command, performed using the
HUB-R1# show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module

crypto engine type: hardware
State: Enabled
Product Name: Onboard-VPN
FW Version: 01100200
Time running: 479742 seconds
Compression: Yes
DES: Yes
OL-6573-01
26
Verify
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0500
Maximum SA index: 0500
Maximum Flow index: 1000
Maximum RSA key size: 2048
crypto engine name: Cisco VPN Software Implementation

crypto engine type: software
serial number: 77C943AD
crypto engine state: installed
crypto engine in slot: N/A
Verify Remote Location Connectivity

which allows you to view an analysis of show command output.
In general, the show commands that are used to verify remote location connectivity are the same as the
commands used for the Headquarters router. See the “Verify Headquarters Connectivity” section on
page 17 for summaries of the show commands that are common to both Headquarters and branch
verification. The following commands are used for the remote locations only:
• show policy-map interface virtual-access 4 output—Shows how traffic has been queued on the
DSL interface (Branch 1). Note that different queues have different packet counts because traffic is
assigned on the basis of DCSP and IP precedence values.
• show policy-map interface serial 0/0/0 output—Shows how traffic has been queued on the serial
interface (Branch 2). Note that different queues have different packet counts because traffic is
assigned on the basis of DCSP and IP precedence values.
Representative output for each of these commands is presented in the verification summaries that follow.
Note Relevant display output is highlighted in bold text.
Example output is split into two sections:

• Verifying Branch 1 Router, page 27
• Verifying Branch 2 Router, page 34
Verifying Branch 1 Router

configuration on the Branch 1 router (DSL):
Branch-1# show crypto isakmp sa

10.32.152.26 10.32.153.34 QM_IDLE 4 0
OL-6573-01
27
Verify
configuration on the Branch 1 router:
Branch-1# show crypto ipsec sa
interface: Tunnel0
protected vrf:
current_peer: 10.32.152.26:500

current outbound spi: D5823DEF
inbound esp sas:

spi: 0x69111392(1762726802)
ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xD5823DEF(3582082543)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
interface: Virtual-Template1
protected vrf:
current_peer: 10.32.152.26:500
OL-6573-01
28
Verify


inbound esp sas:

spi: 0x69111392(1762726802)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xD5823DEF(3582082543)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access3
protected vrf:
current_peer: 10.32.152.26:500

inbound esp sas:

spi: 0x69111392(1762726802)
OL-6573-01
29
Verify

IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xD5823DEF(3582082543)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access4
protected vrf:
current_peer: 10.32.152.26:500

inbound esp sas:

spi: 0x69111392(1762726802)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0xD5823DEF(3582082543)
OL-6573-01
30
Verify

IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
The following is an output example for the show ip ospf neighbor command, performed using the
Branch-1# show ip ospf neighbor

192.168.1.1 0 FULL/ - 00:00:35 192.168.1.1 Tunnel0
The following is an output example from the show ip route command, performed using the
Branch-1# show ip route


O 192.168.4.1 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
O 192.168.5.0/24 [110/21] via 192.168.1.1, 00:33:28, Tunnel0
C 10.32.153.33/32 is directly connected, Virtual-Access4
C 10.32.153.32/30 is directly connected, Virtual-Access3
is directly connected, Virtual-Access4
O 192.168.6.0/24 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
O 192.168.1.0/24 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
O 192.168.3.0/24 [110/21] via 192.168.1.1, 00:33:28, Tunnel0
S* 0.0.0.0/0 [1/0] via 10.32.153.33
The following is an output example for the show ip pim neighbor command, performed using the
Branch-1# show ip pim neighbor
PIM Neighbor Table

Address Prio/Mode
192.168.1.1 Tunnel0 00:20:59/00:01:25 v2 1 / S
The following is an output example for the show ip pim rp mapping command, performed using the
Branch-1# show ip pim rp mapping
OL-6573-01
31
Verify
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Uptime: 00:20:28, expires: 00:02:23
Branch-1# show ip mroute active
Group: 239.168.1.100, (?)

Source: 192.168.5.2 (?)
Source: 192.168.7.2 (?)
performed using the configuration on the Branch 1 router:
Branch-1# show voice trunk-conditioning supervisory
SLOW SCAN
1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
pattern :
Branch-1# show voip rtp connections

1 4 3 31156 19890 192.168.7.2 239.168.1.100
Branch-1# show voice call summary

============== ======== === ==================== ======================
1/0 g711ulaw y S_CONNECT S_TRUNKED
1/1 - - - FXSLS_ONHOOK
The following is an output example for the show class map command, performed using the
Branch-1# show class-map
Class Map match-all control-traffic (id 1)

Match ip dscp af31
OL-6573-01
32
Verify
Class Map match-any class-default (id 0)

Match any
Class Map match-all video (id 3)

Match ip precedence 4
Class Map match-all voice (id 2)

Match ip dscp ef
The following is an output example for the show policy-map interface virtual-access 4 output
command, performed using the configuration on the Branch 1 router:
Branch-1 #show policy-map interface virtual-access 4 output
Virtual-Access4

Match: ip dscp af31
Queueing
Bandwidth 5 (%)

3241999 packets, 920726516 bytes
Match: ip dscp ef
Queueing
Strict Priority
Bandwidth 35 (%)

0 packets, 0 bytes
Queueing
Bandwidth 15 (%)

0 packets, 0 bytes
Queueing
Bandwidth 20 (%)
OL-6573-01
33
Verify

Match: any
Queueing
Branch-1# show crypto engine brief

State: Enabled
VPN Module in slot: 0
Product Name: AIM-VPN/BPII
Software Serial #: 55AA
Device ID: 0014 - revision 0002
Vendor ID: 13A3
Revision No: 0x00140002
VSK revision: 0
Boot version: 255
DPU version: 0
HSP version: 2.2(21) (ALPHA)
Time running: 0 Seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No

serial number: 70107010
Verifying Branch 2 Router

configuration on the Branch 2 router (serial):
Branch-2# show crypto isakmp sa

10.32.152.26 10.32.150.46 QM_IDLE 3 0
Branch-2# show crypto ipsec sa
interface: Tunnel0
OL-6573-01
34
Verify
protected vrf:
current_peer: 10.32.152.26:500

current outbound spi: C172073D
inbound esp sas:

spi: 0x2A87D473(713544819)
ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553
IV size: 8 bytes
spi: 0xD3C362F0(3552797424)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x4589EBE8(1166666728)
IV size: 8 bytes
spi: 0xC172073D(3245475645)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:

interface: Serial0/0/0
OL-6573-01
35
Verify
protected vrf:
current_peer: 10.32.152.26:500

current outbound spi: C172073D
inbound esp sas:

spi: 0x2A87D473(713544819)
IV size: 8 bytes
spi: 0xD3C362F0(3552797424)
Branch-2# sa timing: remaining key lifetime (k/sec): (521045425/14360)
IV size: 8 bytes
inbound ah sas:
inbound pcp sas:
outbound esp sas:

spi: 0x4589EBE8(1166666728)
IV size: 8 bytes
spi: 0xC172073D(3245475645)
IV size: 8 bytes
outbound ah sas:
outbound pcp sas:
OL-6573-01
36
Verify
The following is an output example for the show ip ospf neighbor command, performed using the
Branch-2# show ip ospf neighbor

192.168.1.1 0 FULL/ - 00:00:37 192.168.1.1 Tunnel0
The following is an output example for the show ip route command, performed using the configuration
on the Branch 2 router:
Branch-2# show ip route


O 192.168.4.1 [110/11] via 192.168.1.1, 00:31:10, Tunnel0
C 10.32.150.44/30 is directly connected, Serial0/0/0
O 192.168.6.0/24 [110/11] via 192.168.1.1, 00:31:10, Tunnel0
O 192.168.7.0/24 [110/21] via 192.168.1.1, 00:31:10, Tunnel0
O 192.168.1.0/24 [110/11] via 192.168.1.1, 00:31:11, Tunnel0
O 192.168.2.0/24 [110/21] via 192.168.1.1, 00:31:11, Tunnel0
C 192.168.3.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.32.150.45
is directly connected, Serial0/0/0
The following is an output example for the show ip pim neighbor command, performed using the
Branch-2# show ip pim neighbor
PIM Neighbor Table

Address Prio/Mode
192.168.1.1 Tunnel0 00:31:52/00:01:26 v2 1 / S
The following is an output example for the show ip pim rp mapping command, performed using the
Branch-2# show ip pim rp mapping
Group(s) 224.0.0.0/4
RP 192.168.4.1 (?), v2v1
Uptime: 2d03h, expires: 00:02:47
Branch-2# show ip mroute active
OL-6573-01
37
Verify
Group: 239.168.1.100, (?)

Source: 192.168.5.2 (?)
Source: 192.168.7.2 (?)
Branch-2# show voice trunk-conditioning supervisory
SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
pattern :
Branch-2# show voip rtp connections

1 9 8 18618 19890 192.168.5.2 239.168.1.100
Branch-2# show voice call summary

============== ======== === ==================== ======================
The following is an output example for the show policy-map interface serial 0/0/0 output command,
Branch-2# show policy-map interface serial 0/0/0 output
Serial0/0/0

Match: ip dscp af31
Queueing
Bandwidth 5 (%)

3241968 packets, 920715872 bytes
OL-6573-01
38
Verify
Match: ip dscp ef
Queueing
Strict Priority
Bandwidth 35 (%)

0 packets, 0 bytes
Queueing
Bandwidth 15 (%)

0 packets, 0 bytes
Queueing
Bandwidth 20 (%)

Match: any
Queueing
Branch-2# show crypto engine brief

State: Enabled
Product Name: Onboard-VPN
NetGX Middleware Version: v1.2.0
NetGX Firmware Version: v2.2.0
Time running: 414404 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
OL-6573-01
39
Troubleshoot

serial number: FFFFFFFF
Troubleshoot
This section provides information you can use to confirm that your configuration is working properly.
The following debug commands must be running on both IPSec routers (peers). Security associations
must be cleared on both peers.
• debug crypto engine—Displays information pertaining to the crypto engine, such as when the
Cisco IOS software is performing encryption or decryption operations.
• debug crypto ipsec—Displays IPSec negotiations of phase 2.
• debug crypto isakmp—Displays ISAKMP negotiations of phase 1.
• debug ip pim auto-rp—Displays the contents of each PIM packet used in the automatic discovery
of group-to-rendezvous point (RP) mapping as well as the actions taken on the address-to-RP
mapping database.
• clear crypto isakmp—Clears the security associations related to phase 1.
• clear crypto sa—Clears the security associations related to phase 2.
The following is an example of output for the debug crypto isakmp and debug crypto ipsec commands.
Relevant display output is shown in bold text, and comments are preceded by an exclamation point and
shown in italics.
router# debug crypto isakmp

router# debug crypto ipsec
Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500
sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP: Looking for a matching key for 10.32.150.46 in default :
success
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 10.32.150.46
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):SKEYID state generated
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is Unity
OL-6573-01
40
Troubleshoot
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is DPD

Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): speaking to another IOS box!
Jul 29 16:06:33.635 PDT: ISAKMP:received payload type 20
Jul 29 16:06:33.635 PDT: ISAKMP:received payload type 20
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Send initial contact
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using
id type ID_IPV4_ADDR
Jul 29 16:06:33.639 PDT: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 10.32.152.26
protocol : 17
port : 500
length : 12
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Total payload length: 12
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1): sending packet to 10.32.150.46 my_port 500
peer_port 500 (I) MM_KEY_EXCH
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
sport 500 Global (I) MM_KEY_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Jul 29 16:06:33.643 PDT: ISAKMP (0:134217730): ID payload
next-payload : 8
type : 1
address : 10.32.150.46
protocol : 17
port : 500
length : 12
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
! REMOTE PEER IS SHOWN TO BE AUTHENTICATED IN THE NEXT LINE.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):SA authentication status:
authenticated
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):SA has been authenticated with 10.32.150.46
Jul 29 16:06:33.643 PDT: ISAKMP: Trying to insert a peer 10.32.152.26/10.32.150.46/500/,
and inserted successfully.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_MAIN_MODE
sport 500 Global (I) MM_KEY_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP: set new node 2118711810 to QM_IDLE
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID =
2118711810
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID =
2118711810
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):deleting node 2118711810 error FALSE reason
"Informational (in) state 1"
Jul 29 16:06:33.643 PDT: IPSEC(key_engine): got a queue event with 1 kei messages
Jul 29 16:06:33.643 PDT: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
! PHASE 1 IS SHOWN TO BE COMPLETED SUCCESSFULLY IN THE NEXT LINE.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State =
IKE_P1_COMPLETE
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of
159862783
OL-6573-01
41
Troubleshoot

peer_port 500 (I) QM_IDLE
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Node 159862783, Input = IKE_MESG_INTERNAL,
IKE_INIT_QM
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State =
IKE_QM_I_QM1
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
sport 500 Global (I) QM_IDLE
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID =
159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Jul 29 16:06:33.923 PDT: ISAKMP: transform 1, ESP_3DES
Jul 29 16:06:33.923 PDT: ISAKMP: attributes in transform:
Jul 29 16:06:33.923 PDT: ISAKMP: encaps is 1 (Tunnel)
Jul 29 16:06:33.923 PDT: ISAKMP: SA life type in seconds
Jul 29 16:06:33.923 PDT: ISAKMP: SA life duration (basic) of 3600
Jul 29 16:06:33.923 PDT: ISAKMP: SA life type in kilobytes
Jul 29 16:06:33.923 PDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jul 29 16:06:33.923 PDT: ISAKMP: authenticator is HMAC-SHA
Jul 29 16:06:33.923 PDT: ISAKMP: group is 1
! A PROPOSAL IS FOUND THAT IS COMPATIBLE IN THE NEXT LINE.

Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1):atts are acceptable.
Jul 29 16:06:33.923 PDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.32.152.26, remote= 10.32.150.46,
local_proxy= 10.32.152.26/255.255.255.255/47/0 (type=1),
remote_proxy= 10.32.150.46/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
Jul 29 16:06:33.923 PDT: Crypto mapdb : proxy_match
src addr : 10.32.152.26
dst addr : 10.32.150.46
protocol : 47
src port : 0
dst port : 0
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID =
159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 159862783
Jul 29 16:06:33.931 PDT: ISAKMP: Locking peer struct 0x6635AA1C, IPSEC refcount 1 for for
stuff_ke
Jul 29 16:06:33.931 PDT: ISAKMP:(0:2:SW:1): Creating IPSec SAs
Jul 29 16:06:33.931 PDT: inbound SA from 10.32.150.46 to 10.32.152.26 (f/i) 0/ 0
(proxy 10.32.150.46 to 10.32.152.26)
Jul 29 16:06:33.931 PDT: has spi 0x1442EBFC and conn_id 0 and flags 13
Jul 29 16:06:33.931 PDT: lifetime of 3600 seconds
Jul 29 16:06:33.931 PDT: lifetime of 4608000 kilobytes
Jul 29 16:06:33.931 PDT: has client flags 0x0
Jul 29 16:06:33.931 PDT: outbound SA from 10.32.152.26 to 10.32.150.46 (f/i) 0/0
(proxy 10.32.152.26 to 10.32.150.46)
Jul 29 16:06:33.931 PDT: has spi -2093906224 and conn_id 0 and flags 1B
Jul 29 16:06:33.931 PDT: lifetime of 3600 seconds
Jul 29 16:06:33.931 PDT: lifetime of 4608000 kilobytes
Jul 29 16:06:33.931 PDT: has client flags 0x0
peer_port 500 (I) QM_IDLE
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):deleting node 159862783 error FALSE reason "No
Error"
OL-6573-01
42
Related Information
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):Node 159862783, Input = IKE_MESG_FROM_PEER,

IKE_QM_EXCH
! PHASE 2 IS SHOWN TO BE COMPLETED SUCCESSFULLY IN THE NEXT LINE.
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1 New State =
IKE_QM_PHASE2_COMPLETE
Jul 29 16:06:33.935 PDT: IPSEC(key_engine): got a queue event with 2 kei messages
Jul 29 16:06:33.935 PDT: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 10.32.152.26, remote= 10.32.150.46,
local_proxy= 10.32.152.26/0.0.0.0/47/0 (type=1),
spi= 0x1442EBFC(339930108), conn_id= 0, keysize= 0, flags= 0x13
Jul 29 16:06:33.935 PDT: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 10.32.152.26, remote= 10.32.150.46,
local_proxy= 10.32.152.26/0.0.0.0/47/0 (type=1),
spi= 0x833186D0(2201061072), conn_id= 0, keysize= 0, flags= 0x1B
Jul 29 16:06:33.935 PDT: Crypto mapdb : proxy_match
src addr : 10.32.152.26
dst addr : 10.32.150.46
protocol : 47
src port : 0
dst port : 0
Jul 29 16:06:33.935 PDT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the
same proxies and 101.253.249.204
Jul 29 16:06:33.935 PDT: IPSec: Flow_switching Allocated flow for sibling 80000003
Jul 29 16:06:33.935 PDT: IPSEC(policy_db_add_ident): src 10.32.152.26, dest 10.32.150.46,
dest_port 0
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.32.152.26, sa_proto= 50,
sa_spi= 0x1442EBFC(339930108),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4002
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.32.150.46, sa_proto= 50,
sa_spi= 0x833186D0(2201061072),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4001
Related Information
• Cisco IOS Quality of Service Configuration Guide, Release 12.3
• Cisco IOS Security Configuration Guide
• Cisco IOS Voice Command Reference, Release 12.3
• Cisco IOS Wide-Area Networking Configuration Guide
• Cisco Technical Assistance Center
OL-6573-01
43
Related Information
isco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
rvice marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Ce
k Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,
olver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ
ss Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-
RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath
d trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
demarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relati
co and any other company. (0501R)
OL-6573-01
44
Finding Feature Documentation
Note We recommend that you use the Cisco Router and Security Device Manager (SDM) to configure your
router. To access SDM, see the quick start guide that you received with your router.
You can access Cisco IOS feature documentation in the following ways:
• Using Cisco.com Feature Resources, page 1
• Finding Documentation for a Specific Feature by Using Cisco Feature Navigator, page 2
• Finding Documentation for All Supported Features on Your Router by Using Cisco Feature
Navigator, page 3
• Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release, page 4
• Finding Feature Documentation by Browsing Cisco IOS Release Notes, page 4
For a list of key supported features, see the data sheet and other product literature for your router.
Additional IOS-related technical documentation can be found at this URL:
http://www.cisco.com/cisco/web/support/index.html
Using Cisco.com Feature Resources

Following are links to resources available on Cisco.com for voice, security, and dial configuration.
Voice Configuration Resources

The Cisco IOS Voice Configuration Library is available at this URL:
http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_voice_configuration_library_glossary
/vcl.htm

Finding Documentation for a Specific Feature by Using Cisco Feature Navigator
Security Configuration Resources

The Cisco IOS Security Configuration Guide is available at this URL:
http://www.cisco.com/en/US/docs/ios/12_3/featlist/sec_vcg.html
Dial Configuration Resources

The Cisco IOS Dial Technologies Configuration Guide is available at this URL:
http://www.cisco.com/en/US/docs/ios/12_3/featlist/dial_vcg.html
Finding Documentation for a Specific Feature by Using Cisco

Feature Navigator
Cisco Feature Navigator is the best tool for finding feature documentation.
Note Cisco Feature Navigator does not support all platforms and software releases, such as some older
releases and some limited-lifetime releases.
Step 1 Go to Cisco Feature Navigator at http://www.cisco.com/go/fn.

or password, click Cancel at the login dialog box, and follow the instructions that appear.
Step 2 Click Search by Feature.
Step 3 Enter the feature name, and click Search.
The search results appear in the Features Available box. You may have to scroll down to see the Features
Available box.
If the Features Available box displays “None Available,” then try searching for a variation of the feature
name. You may have to scroll up to see the search field.
If the Features Available box displays your feature, proceed to Step 4.
Step 4 Click the feature name in the Features Available box.
Step 5 Click Show Description(s), which is just below the Features Available box.
Cisco Feature Navigator displays a short description of the feature and, when the feature is complex or
involves user configuration, provides a “For More Information” link.
Step 6 Click For More Information, if it is available.
Cisco Feature Navigator displays the feature documentation, usually in the form of a feature module,
which includes information on configuring, verifying, and troubleshooting the feature.

2 OL-5994-01
Finding Documentation for All Supported Features on Your Router by Using Cisco Feature Navigator
Finding Documentation for All Supported Features on Your

Router by Using Cisco Feature Navigator
Cisco Feature Navigator is the best tool for finding documentation for all the features on your router.
Note Cisco Feature Navigator does not support all platforms and software releases, such as some older
releases and some limited-lifetime releases.
Step 1 Go to Cisco Feature Navigator at http://www.cisco.com/go/fn.

or password, click Cancel at the login dialog box, and follow the instructions that appear.
Step 2 Click Search by Release/Image Name/Product Code/Platform.
Step 3 In the drop-down menu next to “Platform,” choose your router.
Step 4 Click Continue.
Cisco Feature Navigator displays a list of features that are supported on your router. Do one of the
following, as appropriate:
• To access documentation for a specific feature on this list, proceed to Step 5.
• To display a list of features that are supported in a specific Cisco IOS release, use the “Major
Release” or “Release” pull-down menu to select the Cisco IOS release.
Cisco Feature Navigator displays a list of features that are supported by the selected Cisco IOS
release on your router.
To access documentation for a specific feature on this list, proceed to Step 5.
• To display a list of features that are supported in a specific feature set, use the “Feature Set”
pull-down menu to select the feature set.
Cisco Feature Navigator displays a list of features that are supported on the selected feature set and
Cisco IOS release on your router.
Step 5 Click the feature name.
Cisco Feature Navigator displays a short description of the feature and, when the feature involves user
configuration, provides a “For More Information” link.
Step 6 Click For More Information, if it is available.
Cisco Feature Navigator displays the feature documentation, usually in the form of a feature module,
which includes information on configuring, verifying, and troubleshooting the feature.

OL-5994-01 3
Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release
Finding Feature Documentation by Browsing Feature Modules

by Cisco IOS Release
If you know the specific feature name and the Cisco IOS release in which the feature was introduced,
you can browse the Cisco IOS feature modules by Cisco IOS release to find feature documentation.
Note Feature modules are not created for all features, such as uncomplicated features that do not involve any
user configuration. To access all feature descriptions and configuration information, go to Cisco Feature
Navigator, or read the Cisco IOS release notes in addition to browsing the Cisco IOS feature modules.
Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.
Step 2 Select the appropriate release.
Step 3 Click New Feature Documentation.
Step 4 Navigate to your Cisco IOS software release.
Step 5 Select the feature module.
Finding Feature Documentation by Browsing Cisco IOS Release Notes

If you know the specific Cisco IOS release in which the feature was introduced, you can browse the
Cisco IOS release notes to find feature descriptions.
Note Cisco IOS release notes typically include descriptions only of uncomplicated features that were
introduced in the software release, but that do not involve any user configuration. To access all feature
descriptions and configuration information, go to Cisco Feature Navigator, or read the Cisco IOS release
notes in addition to browsing the Cisco IOS feature modules.
Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.
Step 2 Select the appropriate release.
Step 3 Click Release Notes.
Step 4 Select your platform.
Step 5 Select the release notes for your Cisco IOS software release.
Step 6 Navigate to the “New and Changed Information” section. If you selected a “T” release, the section might
be called “New Features and Important Notes.”

4 OL-5994-01

OL-5994-01 5

6 OL-5994-01
Changing the Configuration Register Settings
This document describes the 16-bit configuration register in NVRAM and includes the following
sections:
• About the Configuration Register, page 1
• Changing the Configuration Register Settings, page 4
• Displaying the Configuration Register Settings, page 5
• Configuring the Console Line Speed (Cisco IOS CLI), page 5

About the Configuration Register

The router has a 16-bit configuration register in NVRAM. Each bit has value 1 (on or set) or value 0 (off
or clear), and each bit setting affects the router behavior upon the next reload power cycle.
You can use the configuration register to
• Force the router to boot into the ROM monitor (bootstrap program)
• Select a boot source and default boot filename
• Enable or disable the Break function
• Control broadcast addresses
• Recover a lost password
• Change the console line speed

Table 1 describes the configuration register bits.
Table 1 Configuration Register Bit Descriptions
Bit
Number Hexadecimal Meaning
00–03 0x0000–0x000F Boot field. The boot field setting determines whether the router loads an
operating system and where it obtains the system image.
See Table 2 for details.
06 0x0040 Causes the system software to ignore the contents of NVRAM.
07 0x0080 Original Equipment Manufacturer (OEM) bit enabled.
08 0x0100 Controls the console Break key:
• (Factory default) Setting bit 8 causes the processor to ignore the
console Break key.
• Clearing bit 8 causes the processor to interpret Break as a command
to force the router into the ROM monitor mode, halting normal
operation.
Break can always be sent in the first 60 seconds while the router is
rebooting, regardless of the configuration register settings.
09 0x0200 This bit controls the system boot:
• Setting bit 9 causes the system to use the secondary bootstrap.
• (Factory default) Clearing bit 9 causes the system to boot from flash
memory.
This bit is typically not modified.
10 0x0400 Controls the host portion of the IP broadcast address:
• Setting bit 10 causes the processer to use all zeros.
• (Factory default) Clearing bit 10 causes the processor to use all ones.
Bit 10 interacts with bit 14, which controls the network and subnet
portions of the IP broadcast address. See Table 3 for the combined effects
of bits 10 and 14.
05, 11, 0x0020, Controls the console line speed. See Table 4 for the eight available bit
12 0x0800, 0x1000 combinations and console line speeds.
Factory default is 9600 baud, where bits 5, 11, and 12 are all zero (clear).
Note You cannot change the console line speed configuration register
bits from the Cisco IOS command-line interface (CLI). You can,
however, change these bits from the ROM monitor (see “Using
the ROM Monitor”). Or, instead of changing the configuration
register settings, you can set the console line speed through other
Cisco IOS commands..
13 0x2000 Determines how the router responds to a network boot failure:
• Setting bit 13 causes the router to boot the default ROM software
after 6 unsuccessful network boot attempts.
• (Factory default) Clearing bit 13 causes the router to indefinitely
continue network boot attempts.

2 OL-5598-01
Table 1 Configuration Register Bit Descriptions (continued)
Bit
Number Hexadecimal Meaning
14 0x4000 Controls the network and subnet portions of the IP broadcast address:
• Setting bit 10 causes the processor to use all zeros.
• (Factory default) Clearing bit 10 causes the processor to use all ones.
Bit 14 interacts with bit 10, which controls the host portion of the IP
broadcast address. See Table 3 for the combined effect of bits 10 and 14.
15 0x8000 Enables diagnostic messages and ignores the contents of NVRAM.
Table 2 describes the boot field, which is the lowest four bits of the configuration register (bits 3, 2, 1,
and 0). The boot field setting determines whether the router loads an operating system and where the
router obtains the system image.
Table 2 Boot Field Configuration Register Bit Descriptions
Boot Field
(Bits 3, 2, 1, and 0) Meaning
0000 At the next power cycle or reload, the router boots to the ROM monitor (bootstrap
program). To use the ROM monitor, you must use a terminal or PC that is
(0x0)
connected to the router console port. For information about connecting the router
to a PC or terminal, see the hardware installation guide for your router.
In ROM monitor mode, you must manually boot the system image or any other
image by using the boot ROM monitor command. See the section “Booting an
Image (boot)” in “Using the ROM Monitor.”
0001 Boots the first image in flash memory as a system image.
(0x01)
0010 - 1111 At the next power cycle or reload, the router sequentially processes each boot
system command in global configuration mode that is stored in the configuration
(0x02 - 0xF)
file until the system boots successfully.
If no boot system commands are stored in the configuration file, or if executing
those commands is unsuccessful, then the router attempts to boot the first image
file in flash memory.
Table 3 shows how each setting combination of bits 10 and 14 affects the IP broadcast address.
Table 3 Broadcast Address Configuration Register Bit Combinations
Bit 10 Bit 14 Broadcast Address (<net> <host>)

0 0 <ones> <ones>
1 0 <ones> <zeros>
1 1 <zeros> <zeros>
0 1 <zeros> <ones>
Table 4 shows the console line speed for each setting combination of bits 5, 11, and 12.

OL-5598-01 3
Table 4 Console Line Speed Configuration Register Bit Combinations
Console Line Speed

Bit 5 Bit 11 Bit 12 (baud)
1 1 1 115200
1 0 1 57600
1 1 0 38400
1 0 0 19200
0 0 0 9600
0 1 0 4800
0 1 1 2400
0 0 1 1200

You can change the configuration register settings from either the ROM monitor or the Cisco IOS CLI.
This section describes how to modify the configuration register settings from the Cisco IOS CLI. To
change the configuration register from the ROM monitor, see ” Using the ROM Monitor.”
To change the configuration register settings from the Cisco IOS CLI, complete the following steps:
Step 1 Connect a terminal or PC to the router console port. If you need help, see the hardware installation guide
for your router.
Step 2 Configure your terminal or terminal emulation software for 9600 baud (default), 8 data bits, no parity,
and 2 stop bits.
Step 3 Power on the router.
Step 4 If you are asked whether you would like to enter the initial dialog, answer no:
Would you like to enter the initial dialog? [yes]: no
After a few seconds, the user EXEC prompt (Router>) appears.

Step 5 Enter privileged EXEC mode by typing enable and, if prompted, enter your password:
Router> enable
Password: password
Router#
Step 6 Enter global configuration mode:

Enter configuration commands, one per line.

Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
Step 7 To change the configuration register settings, enter the config-register value command, where value is
a hexadecimal number preceded by 0x:
Router(config)# config-register 0xvalue

4 OL-5598-01
Displaying the Configuration Register Settings
Note The Cisco IOS software does not allow you to change the console speed bits directly with the
config-register command. To change the console speed from the Cisco IOS CLI, see the
“Configuring the Console Line Speed (Cisco IOS CLI)” section on page 5.
Step 8 Exit global configuration mode:

Router(config)# end
Router#
Step 9 Save the configuration changes to NVRAM:

Router# copy run start
The new configuration register settings are saved to NVRAM, but they do not take effect until the next
router reload or power cycle.
Displaying the Configuration Register Settings

To display the configuration register settings that are currently in effect and the settings that will be used
at the next router reload, enter the show version command in privileged EXEC mode.
The configuration register settings are displayed in the last line of the show version command output:
Configuration register is 0x142 (will be 0x142 at next reload)
Configuring the Console Line Speed (Cisco IOS CLI)

The combined setting of bits 5, 11, and 12 determines the console line speed. You can modify these
particular configuration register bits only from the ROM monitor. See ” Using the ROM Monitor.”
To configure the console line speed from the Cisco IOS command-line interface, complete the following
steps:

Step 1 Router> enable Enables privileged EXEC mode. Enter your password if
Password: password prompted.
Router#
Step 2 Router# configure terminal Enters global configuration mode.
Router(config)#
Step 3 Router(config)# line console 0 Specifies the console line and enters line configuration
Router(config-line)# mode.
Step 4 Router(config-line)# speed baud Specifies the console line speed. Possible values (in
baud): 1200, 2400, 4800, 9600, 19200, 38400, 57600,
115200.

OL-5598-01 5
Configuring the Console Line Speed (Cisco IOS CLI)

6 OL-5598-01
Using the ROM Monitor
Many users do not use the ROM monitor at all, unless during power up or reload, the router does not
find a valid system image, the last digit of the boot field in the configuration register is 0, or you enter
the Break key sequence during the first 60 seconds after reloading the router.
This document describes how to use the ROM monitor to manually load a system image, upgrade the
system image when there are no TFTP servers or network connections, or for disaster recovery.
Contents
• Prerequisites for Using the ROM Monitor, page 1
• Information About the ROM Monitor, page 2
• How to Use the ROM Monitor—Typical Tasks, page 3

This document describes use of the ROM monitor with the following platforms:
Prerequisites for Using the ROM Monitor

Connect a terminal or PC to the router console port. For help, see the quick start guide or the hardware
installation guide for your router.
© 2006 Cisco Systems, Inc. All rights reserved.

Information About the ROM Monitor
Information About the ROM Monitor

Before using the ROM monitor, you should understand the following concepts:
• ROM Monitor Mode Command Prompt, page 2
• Why Is My Router in ROM Monitor Mode?, page 2
• When Would I Use the ROM Monitor?, page 2
• Tips for Using ROM Monitor Commands, page 3
• Accessibility, page 3
ROM Monitor Mode Command Prompt

The ROM monitor uses the rommon x > command prompt. The x variable begins at 1 and increments
each time you press Return or Enter in ROM monitor mode.
Why Is My Router in ROM Monitor Mode?

Your router boots to ROM monitor mode when one of the following occurs:
• During power up or reload, the router does not find a valid system image.
• The last digit of the boot field in the configuration register is 0 (for example, 0x100 or 0x0).
• You enter the Break key sequence during the first 60 seconds after reloading the router.
To exit ROM monitor mode, see the “Exiting ROM Monitor Mode” section on page 29.
When Would I Use the ROM Monitor?

Many users do not use the ROM monitor at all, except in the following uncommon situations:
• Manually loading a system image—You can load a system image without configuring the router to
attempt to load that image in future system reloads or power-cycles. This can be useful for testing
a new system image or for troubleshooting. See the “Loading a System Image (boot)” section on
page 10.
• Upgrading the system image when there are no TFTP servers or network connections, and a direct
PC connection to the router console is the only viable option—See information about upgrading the
system image in configuration documentation for your router.
• During troubleshooting if the router crashes and hangs—See the “Troubleshooting Crashes and
Hangs (stack, context, frame, sysret, meminfo)” section on page 24.
• Disaster recovery—Use one of the following methods for recovering the system image or
configuration file:
– Console download (xmodem)—Use this method if the computer that is attached to your console
has a terminal emulator that supports the Xmodem Protocol. See the “Downloading Files over
the Router Console Port (xmodem)” section on page 15.
For more information about using the Xmodem protocol, see the Xmodem Console Download
Procedure Using ROMmon at the following URL:
http://www.cisco.com/warp/public/130/xmodem_generic.html

2 OL-5997-02
How to Use the ROM Monitor—Typical Tasks
– TFTP download (tftpdnld)—Use this method if you can connect a TFTP server directly to the
fixed LAN port on your router. See the “Recovering the System Image (tftpdnld)” section on
page 20.
Note Recovering the system image is different from upgrading the system image. You need to
recover the system image if it becomes corrupt or if it is deleted because of a disaster that
affects the memory device severely enough to require deleting all data on the memory device
in order to load a system image.
Tips for Using ROM Monitor Commands

• ROM monitor commands are case sensitive.
• You can halt any ROM monitor command by entering the Break key sequence (Ctrl-Break) on the
PC or terminal. The Break key sequence varies, depending on the software on your PC or terminal.
If Ctrl-Break does not work, see the Standard Break Key Sequence Combinations During Password
Recovery tech note.
• To find out which commands are available on your router and to display command syntax options,
see the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)” section
on page 8.
Accessibility
This product can be configured using the Cisco command-line interface (CLI). The CLI conforms to
accessibility code 508 because it is text based and because it relies on a keyboard for navigation. All
functions of the router can be configured and monitored through the CLI.
For a complete list of guidelines and Cisco products adherence to accessibility, see Cisco Accessibility
Products at the following URL:
http://www.cisco.com/web/about/responsibility/accessibility/products

This section provides the following procedures:
• Entering ROM Monitor Mode, page 5
• Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?), page 8
• Displaying Files in a File System (dir), page 10
• Loading a System Image (boot), page 10
• Downloading Files over the Router Console Port (xmodem), page 15
• Modifying the Configuration Register (confreg), page 16
• Obtaining Information on USB Flash Devices, page 18
• Modifying the I/O Memory (iomemset), page 19
• Recovering the System Image (tftpdnld), page 20
• Troubleshooting Crashes and Hangs (stack, context, frame, sysret, meminfo), page 24

OL-5997-02 3
• Exiting ROM Monitor Mode, page 29
Note This section does not describe how to perform all possible ROM monitor tasks. Use the command help
to perform any tasks that are not described in this document. See the “Displaying Commands and
Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.

4 OL-5997-02
Entering ROM Monitor Mode

This section provides two ways to enter ROM monitor mode:
• Using the Break Key Sequence to Interrupt the System Reload and Enter ROM Monitor Mode,
page 5
• Setting the Configuration Register to Boot to ROM Monitor Mode, page 6
Prerequisites
Connect a terminal or PC to the router console port. For help, see the quick start guide that shipped with
your router or see the hardware installation guide for your router.
Using the Break Key Sequence to Interrupt the System Reload and Enter ROM Monitor Mode
This section describes how to enter ROM monitor mode by reloading the router and entering the Break
key sequence.
SUMMARY STEPS
1. enable
2. reload
3. Press Ctrl-Break.
DETAILED STEPS

Example:
Router> enable
Step 2 reload Reloads the operating system.
Example:
Router# reload
Step 3 Press Ctrl-Break. Interrupts the router reload and enters ROM monitor mode.
• You must perform this step within 60 seconds after you
Example: enter the reload command.
Router# send break • The Break key sequence varies, depending on the
software on your PC or terminal. If Ctrl-Break does
not work, see the Standard Break Key Sequence
Combinations During Password Recovery tech note.

OL-5997-02 5
Examples
This section provides the following example:
Sample Output for the reload Command

Use break key sequence to enter rom monitor
Router# reload
Proceed with reload? [confirm]
*Sep 23 15:54:25.871: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload

command.
telnet> send break
*** System received an abort due to Break Key ***

signal= 0x3, code= 0x0, context= 0x431aaf40
PC = 0x4008b5dc, Cause = 0x20, Status Reg = 0x3400c102
rommon 1 >
The Break key sequence varies, depending on the software on your PC or terminal. See the Standard
Break Key Sequence Combinations During Password Recovery tech note.
What to Do Next
• Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)”
section on page 8.
• If you use the Break key sequence to enter ROM monitor mode when the router would otherwise
have booted the system image, you can exit ROM monitor mode by doing one of the following:
– Enter the i or reset command, which restarts the booting process and loads the system image.
– Enter the cont command, which continues the booting process and loads the system image.
Setting the Configuration Register to Boot to ROM Monitor Mode

This section describes how to enter ROM monitor mode by setting the configuration register to boot to
ROM monitor mode at the next system reload or power-cycle.
Caution Do not set the configuration register by using the config-register 0x0 command after you have set the
baud rate. To set the configuration register without affecting the baud rate, use the the current
configuration register setting by entering the show ver | inc configuration command, and then replacing
the last (rightmost) number with a 0 in the configuration register command.

6 OL-5997-02
SUMMARY STEPS
1. enable
3. config-register 0x0
4. exit
5. write memory
6. reload
DETAILED STEPS

Example:
Router> enable
Example:
Step 3 config-register 0x0 Changes the configuration register settings.
• The 0x0 setting forces the router to boot to the ROM
Example: monitor at the next system reload.
Router(config)# config-register 0x0
Step 4 exit Exits global configuration mode.
Example:
Router(config)# exit
Step 5 write memory Sets to boot the system image from flash memory.
Example:
Router# write memory
Step 6 reload Reloads the operating system.
• Because of the 0x0 configuration register setting, the
Example: router boots to ROM monitor mode.
Router# reload
<output deleted>
rommon 1>

OL-5997-02 7
Examples
The following example shows how to set the configuration register to boot to ROM monitor mode:
Router>
Router> enable
Enter configuration commands, one per line. End with CNTL/Z.
Router#
*Sep 23 16:01:24.351: %SYS-5-CONFIG_I: Configured from console by console
Router# write memory
[OK]
Router# reload
Proceed with reload? [confirm]
*Sep 23 16:01:41.571: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload

command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC

.
Router platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Readonly ROMMON initialized

rommon 1 >
What to Do Next
Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)”
section on page 8.
Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)
This section describes how to display ROM monitor commands and command syntax options.
SUMMARY STEPS
1. ?
or
help
2. command -?

8 OL-5997-02
DETAILED STEPS

Step 1 ? Displays a summary of all available ROM monitor
or commands.
help
Example:
rommon 1 > ?
Example:
rommon 1 > help
Step 2 command -? Displays syntax information for a ROM monitor command.
Example:
rommon 16 > display -?
Examples
This section provides the following examples:
• Sample Output for the ? or help ROM Monitor Command, page 9
• Sample Output for the xmodem -? ROM Monitor Command, page 10
Sample Output for the ? or help ROM Monitor Command

rommon 1 > ?
alias set and display aliases command

boot boot up an external process
break set/show/clear the breakpoint
confreg configuration register utility
cont continue executing a downloaded image
context display the context of a loaded image
cookie display contents of cookie PROM in hex
dev list the device table
dir list files in file system
dis display instruction stream
dnld serial download a program module
frame print out a selected stack frame
help monitor builtin command help
history monitor command history
iomemset set IO memory percent
meminfo main memory information
repeat repeat a monitor command
reset system reset
rommon-pref select ROMMON
set display the monitor variables
showmon display currently selected ROM monitor
stack produce a stack trace
sync write monitor environment to NVRAM
sysret print out info from last system return
tftpdnld tftp image download
unalias unset an alias
unset unset a monitor variable

OL-5997-02 9
xmodem x/ymodem image download
Sample Output for the xmodem -? ROM Monitor Command

rommon 11 > xmodem -?
xmodem: illegal option -- ?

usage: xmodem [-cyrx] destination filename
-c CRC-16
-y ymodem-batch protocol
-r copy image to dram for launch
-x do not launch on download completion
For more information about using Xmodem, see the Xmodem Console Download Procedure Using
ROMmon at the following URL:
Displaying Files in a File System (dir)

To display a list of the files and directories in the file system, use the dir command, as shown in the
following example:
rommon 4 > dir flash:
program load complete, entry point: 0x8000f000, size: 0xcb80
Directory of flash:
3934 14871760 -rw- c2800nm-ipbase-mz.124-3

7211 1447053 -rw- C2800NM_RM2.srec
rommon 5 > dir usbflash1:
program load complete, entry point: 0x8000f000, size: 0x3d240
Directory of usbflash1:
2 14871760 -rw- c2800nm-ipbase-mz.124-3
Loading a System Image (boot)

This section describes how to load a system image by using the boot ROM monitor command.
Prerequisites
Determine the filename and location of the system image that you want to load.
SUMMARY STEPS
1. boot
or
boot flash:[filename]
or
boot filename tftpserver
or
boot [filename]
or
boot usbflash<x>:[filename]

10 OL-5997-02
DETAILED STEPS

Step 1 boot In order, the examples here direct the router to:
or • Boot the first image in flash memory.

boot flash:[filename] • Boot the first image or a specified image in flash
memory.
or
• Boot the specified image over the network from the
boot filename tftpserver specified TFTP server (hostname or IP address).
or • Boot from the boothelper image because it does not
recognize the device ID. This form of the command is
boot [filename]
used to boot a specified image from a network (TFTP)
or server.
boot usbflash[x]:[filename]
• Boot the image stored on the USB flash device.
Note Platforms can boot from USB in ROM monitor with
Example: or without a compact flash device. It is not
ROMMON > boot
necessary to use a bootloader image from the
compact flash device. Partitions, such as
Example: usbflash0:2:image_name, are not supported on USB
ROMMON > boot flash: flash drives. The boot usbflash<x>: command will
boot the first file on the device, if it is a valid image.
Example: You can override the default boothelper image setting by
ROMMON > boot someimage 172.16.30.40 setting the BOOTLDR Monitor environment variable to
point to another image. Any system image can be used for
Example: this purpose.
ROMMON > boot someimage • Options for the boot command are -x (load image but
do not execute) and -v (verbose).
Example:
ROMMON > boot usbflash0:someimage
Examples
The following example shows how to load boot flash memory and USB boot flash memory:
rommon 7 > boot flash:[filename]
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xe2eb30

Self decompressing the image :
##########################################################################################
############################################################### [OK]
Smart Init is enabled

Smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E9 0X003DA000 Router Mainboard
0X0014B430 DSP SIMM
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools

OL-5997-02 11
TOTAL: 0X009FAFD8
If any of the above Memory Requirements are

"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 10Mb.
Using 3 percent iomem. [10Mb/256Mb]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.

San Jose, California 95134-1706
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE
(fc2)
Compiled Fri 22-Jul-05 11:37 by hqluong
Image text-base: 0x40098478, data-base: 0x41520000
Port Statistics for unclassified packets is not turned on.

Cisco Router (revision 48.46) with 251904K/10240K bytes of memory.
Processor board ID
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
2 Channelized T1/PRI ports
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
253160K bytes of USB Flash usbflash1 (Read/Write)
127104K bytes of ATA CompactFlash (Read/Write)
*Sep 23 16:11:42.603: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has

been inserted in port 1.
*Sep 23 16:11:43.011: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 23 16:11:43.943: %LINK-3-UPDOWN: Interface Serial0/3/0, changed state to down
*Sep 23 16:11:43.955: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
*Sep 23 16:11:44.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0,
changed state to up
changed state to down
*Sep 23 16:11:44.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed
state to down
state to down
*Sep 23 16:11:46.115: %SYS-5-CONFIG_I: Configured from memory by console
*Sep 23 16:11:46.327: %SYS-5-RESTART: System restarted --

12 OL-5997-02
(fc2)
*Sep 23 16:11:46.331: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold
start
*Sep 23 16:11:46.539: %SYS-6-BOOTTIME: Time taken to reboot after reload = 605 seconds
*Sep 23 16:11:46.735: %CONTROLLER-5-UPDOWN: Controller T1 0/2/0, changed state to down
(LOS detected)
(LOS detected)
*Sep 23 16:11:48.055: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to
administratively down
*Sep 23 16:11:48.067: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to
Router>
rommon 1 > boot usbflash1:image
program load complete, entry point: 0x8000f000, size: 0x3d240
program load complete, entry point: 0x8000f000, size: 0xe2eb30

Self decompressing the image :
##########################################################################################
############################################################### [OK]
Smart Init is enabled

Smart init is sizing iomem
ID MEMORY_REQ TYPE
0003E9 0X003DA000 Router Mainboard
0X0014B430 DSP SIMM
0X000021B8 Onboard USB
0X002C29F0 public buffer pools
0X00211000 public particle pools
TOTAL: 0X009FAFD8
If any of the above Memory Requirements are

"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 10Mb.
Using 3 percent iomem. [10Mb/256Mb]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.

San Jose, California 95134-1706
(fc2)

OL-5997-02 13
Image text-base: 0x40098478, data-base: 0x41520000
Port Statistics for unclassified packets is not turned on.

Cisco Router (revision 48.46) with 251904K/10240K bytes of memory.
Processor board ID
2 Serial(sync/async) interfaces
239K bytes of non-volatile configuration memory.
253160K bytes of USB Flash usbflash1 (Read/Write)
*Sep 23 16:19:56.611: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has

been inserted in port 1.
*Sep 23 16:19:57.963: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
changed state to up
changed state to down
state to down
state to down
*Sep 23 16:20:00.139: %SYS-5-CONFIG_I: Configured from memory by console
*Sep 23 16:20:00.351: %SYS-5-RESTART: System restarted --
(fc2)
*Sep 23 16:20:00.355: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold
start
*Sep 23 16:20:00.567: %SYS-6-BOOTTIME: Time taken to reboot after reload = 87 seconds
(LOS detected)
(LOS detected)
*Sep 23 16:20:02.083: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to
Router>
What to Do Next
If you want to configure the router to load a specified image at the next system reload or power-cycle,
see the following documents:
• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference
• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

14 OL-5997-02
Downloading Files over the Router Console Port (xmodem)

This section describes how to download a file over the router console port by using the Xmodem
Protocol. Use the console download function when you do not have access to a TFTP server but need to
download a system image or configuration file to the router. This procedure can also be used when there
are no TFTP servers or network connections, and a direct PC connection to the router console is the only
viable option.
For more information about using Xmodem, see the Xmodem Console Download Procedure Using
ROMmon at the following URL:
Prerequisites
• Download the file to your PC. Go to the Software Center at the following URL:
http://www.cisco.com/kobayashi/sw-center/index.shtml.
• Connect your PC to the router console port and launch a terminal emulator program. To see
examples for how to perform this task for similar routers, see the Xmodem Console Download
Procedure Using ROMmon tech note.
Restrictions
• If you use a PC to download a file over the router console port at 115,200 bps, make sure that the
PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).
• If the PC serial port does not use a 16550 UART, we recommend using a speed equal to or lower
than 38,400 bps for downloading a file over the console port.
• Transfer using the xmodem command works only on the console port.
• You can only download files to the router. You cannot use the xmodem command to retrieve files
from the router.
• Because the ROM monitor console download uses the console to perform the data transfer, error
messages are displayed on the console only after the data transfer is terminated. If an error occurs
during console download, the download is terminated, and an error message is displayed. If you
changed the baud rate from the default rate, the error message is followed by a message that tells
you to restore the terminal to the baud rate that is specified in the configuration register.
SUMMARY STEPS
1. xmodem [-[c][y][r][x]] destination-file-name
DETAILED STEPS
Step 1 xmodem [-[c][y][r][x]] destination-file-name

Use this command to download a file over the console port using the ROM monitor. For example:
rommon > xmodem -c c2801-is-mz.122-10a.bin
See Table 1 for xmodem command syntax descriptions.

OL-5997-02 15
Table 1 xmodem Command Syntax Descriptions
Keyword or Argument Description

-c (Optional) Performs the download using 16-bit cyclic redundancy check
(CRC) error checking to validate packets. The default setting is 8-bit CRC.
-y (Optional) Performs the download using Ymodem protocol. The default
setting is Xmodem protocol. The protocols differ as follows:
• The Xmodem protocol supports a 128-block transfer size, whereas the
ymodem protocol supports a 1024-block transfer size.
• The Ymodem protocol uses 16-bit CRC error checking to validate
each packet. Depending on the device that the software is being
downloaded from, the Xmodem protocol might not support this
function.
-r (Optional) Image is loaded into DRAM for execution. The default setting
is to load the image into flash memory.
-x (Optional) Image is loaded into DRAM without being executed.
destination-file-name The name of the system image file or the system configuration file. For the
router to recognize it, the name of the configuration file must be
router_confg.
What to Do Next
Modifying the Configuration Register (confreg)

This section describes how to modify the configuration register by using the confreg ROM monitor
command. You can also modify the configuration register setting from the Cisco IOS command-line
interface (CLI) by using the config-register command in global configuration mode. For more
information on the config-register command in global configuration mode and on using the confreg
command in ROM monitor mode, see the Cisco IOS Configuration Fundamentals Command Reference.
Caution Do not set the configuration register by using the config-register 0x0 command after setting the baud
rate. To set the configuration register without affecting the baud rate, use the the current configuration
register setting by entering the show ver | inc configuration command and then replacing the last
(rightmost) number with a 0 in the configuration register command.

16 OL-5997-02
Prerequisites
To learn about the configuration register and the function of each of the 16 bits, see the Changing the
Configuration Register Settings document.
Restrictions
The modified configuration register value is automatically written into NVRAM, but the new value does
not take effect until you reset or power-cycle the router.
SUMMARY STEPS
1. confreg [value]
DETAILED STEPS

Step 1 confreg [value] Changes the configuration register settings while in ROM
monitor mode.
Example: • Optionally, enter the new hexadecimal value for the
rommon > confreg 0x2102 configuration register. The value range is from 0x0 to
0xFFFF.
• If you do not enter the value, the router prompts for
each bit of the 16-bit configuration register.
Examples
In the following example, the configuration register is set to boot the system image from flash memory:
rommon 3 > confreg 0x2102
In the following example, no value is entered; therefore, the system prompts for each bit in the register:
rommon 7 > confreg
Configuration Summary
enabled are:
console baud: 9600
boot: the ROM Monitor
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]: y
enable "use net in IP bcast address"? y/n [n]: y
enable "load rom after netboot fails"? y/n [n]: y
enable "use all zero broadcast"? y/n [n]: y
enable "break/abort has effect"? y/n [n]: y
enable "ignore system config info"? y/n [n]: y
change console baud rate? y/n [n]: y
enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400 [0]: 0
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system

OL-5997-02 17
[0]: 0
Configuration Summary
enabled are:
diagnostic mode
console baud: 9600
boot: the ROM Monitor
rommon 8>
Obtaining Information on USB Flash Devices

This section describes how to obtain information on USB devices that are installed in the router. For
instructions on booting from a USB flash device, see the “Loading a System Image (boot)” section on
page 10.
SUMMARY STEPS
1. dir usbflash [x]:

2. dev
DETAILED STEPS

Step 1 dir usbflash [x]: Displays the contents of the USB flash device, including
directories, files, permissions, and sizes.
Example: • 0—USB flash device inserted in port 0
rommon > dir usbflash1:
• 1—USB flash device inserted in port 1
Step 2 dev Shows the targeted USB flash devices that are inserted in
the router and the valid device names that may or may not
be currently inserted.
Example:
ROMMON > dev
Examples
Sample Output for the dir usbFlash Command
rommon > dir usbflash0:
Directory of usbflash0:
2 18978364 -rw- c3845-entbasek9-mz.124-0.5
Sample Output for the dev ROM Monitor Command

rommon 2 > dev
Devices in device table:
id name
flash: compact flash
bootflash: boot flash
usbflash0: usbflash0

18 OL-5997-02
usbflash1: usbflash1
eprom: eprom
Modifying the I/O Memory (iomemset)

This section describes how to modify the I/O memory by using the memory-size iomemset command.
Note Use the iomemset command only if it is needed for temporarily setting the I/O memory from ROM
monitor mode. Using this command improperly can adversely affect the functioning of the router.
The Cisco IOS software can override the I/O memory percentage if the memory-size iomem command
is set in the NVRAM configuration. If the Cisco IOS command is present in the NVRAM configuration,
the I/O memory percentage set in the ROM monitor with the iomemset command is used only the first
time the router is booted up. Subsequent reloads use the I/O memory percentage set by using the
memory-size iomem command that is saved in the NVRAM configuration.
If you need to set the router I/O memory permanently by using a manual method, use the memory-size
iomem Cisco IOS command. If you set the I/O memory from the Cisco IOS software, you must restart
the router for I/O memory to be set properly.
SUMMARY STEPS
1. iomemset i/o-memory percentage
DETAILED STEPS

Step 1 iomemset i/o-memory percentage • Reallocates the percentage of DRAM used for I/O
memory and processor memory.
Example:
rommon> iomemset 15
Examples
In the following example, the percentage of DRAM used for I/O memory is set to 15:
rommon 2 > iomemset
usage: iomemset [smartinit | 5 | 10 | 15 | 20 | 25 | 30 | 40 | 50 ]
rommon 3 >
rommon 3 > iomemset 15
Invoking this command will change the io memory percent

*****WARNING:IOS may not keep this value*****
Do you wish to continue? y/n: [n]: y
rommon 4 > meminfo

-------------------------------------------------
Current Memory configuration is:
Onboard SDRAM: Size = 128 MB : Start Addr = 0x10000000
-----Bank 0 128 MB
-----Bank 1 0 MB

OL-5997-02 19
Dimm 0: Size = 256 MB : Start Addr = 0x00000000

-----Bank 0 128 MB
-----Bank 1 128 MB
-------------------------------------------------
Main memory size: 384 MB in 64 bit mode.
Available main memory starts at 0xa0015000, size 393132KB
IO (packet) memory size: 10 percent of main memory.
NVRAM size: 191KB
Recovering the System Image (tftpdnld)

This section describes how to download a Cisco IOS software image from a remote TFTP server to the
router flash memory by using the tftpdnld command in ROM monitor mode.
Caution Use the tftpdnld command only for disaster recovery because it can erase all existing data in flash
memory before it downloads a new software image to the router.
Before you can enter the tftpdnld command, you must set the ROM monitor environment variables.
Prerequisites
Connect the TFTP server to a fixed network port on your router.
Restrictions
• LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore,
only a fixed port on your router can be used for TFTP download. This can be a fixed Ethernet port
on the router, that is either of the two Gigabit Ethernet ports on Cisco routers with those ports.
• You can only download files to the router. You cannot use the tftpdnld command to retrieve files
from the router.
SUMMARY STEPS
1. IP_ADDRESS=ip_address
2. IP_SUBNET_MASK=ip_address
3. DEFAULT_GATEWAY=ip_address
4. TFTP_SERVER=ip_address
5. TFTP_FILE=[directory-path/]filename
6. FE_PORT=[0 | 1]
7. FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]
8. GE_PORT=[0 | 1]
9. GE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]
10. MEDIA_TYPE=[0 | 1]
11. TFTP_CHECKSUM=[0 | 1]
12. TFTP_DESTINATION=[flash: | usbflash0: | usbflash1:]

20 OL-5997-02
13. TFTP_MACADDR=MAC_address
14. TFTP_RETRY_COUNT=retry_times
15. TFTP_TIMEOUT=time
16. TFTP_VERBOSE=setting
17. set
18. tftpdnld [-hr]
19. y
DETAILED STEPS

Step 1 IP_ADDRESS=ip_address Sets the IP address of the router.
Example:
rommon > IP_ADDRESS=172.16.23.32
Step 2 IP_SUBNET_MASK=ip_address Sets the subnet mask of the router.
Example:
rommon > IP_SUBNET_MASK=255.255.255.224
Step 3 DEFAULT_GATEWAY=ip_address Sets the default gateway of the router.
Example:
rommon > DEFAULT_GATEWAY=172.16.23.40
Step 4 TFTP_SERVER=ip_address Sets the TFTP server from which the software will be
downloaded.
Example:
rommon > TFTP_SERVER=172.16.23.33
Step 5 TFTP_FILE=[directory-path/]filename Sets the name and location of the file that will be
downloaded to the router.
Example:
rommon > TFTP_FILE=archive/rel22/c2801-i-mz
Step 6 FE_PORT=[0 | 1] (Optional) Sets the input port to use one of the Fast Ethernet
ports.
Example:
rommon > FE_PORT=0
Step 7 FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4] (Optional) Sets the Fast Ethernet port speed mode, with
these options:
Example: • 0—10 Mbps, half-duplex
rommon > FE_SPEED_MODE=3
• 1—10 Mbps, full-duplex
• 2—100 Mbps, half-duplex
• 4—Automatic selection (default)

OL-5997-02 21

Step 8 GE_PORT=[0 | 1] (Optional) Sets the input port to use one of the Gigabit
Ethernet ports (not available on Cisco 1800 series routers,
Cisco 2801 routers, or Cisco 2811 routers).
Example:
rommon > GE_PORT=0
Step 9 GE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5] (Optional) Sets the Gigabit Ethernet port speed mode, with
these options:
Example: • 0—10 Mbps, half-duplex
rommon > GE_SPEED_MODE=3
• 2—100 Mbps, half-duplex
• 4—1 Gbps, full-duplex
• 5—Automatic selection (default)
(This option is not available on Cisco 1800 series routers,
Cisco 2801 routers, or Cisco 2811 routers.)
Step 10 MEDIA_TYPE=[0 | 1] (Optional) Sets the Gigabit Ethernet connection media type,
RJ-45 (0) or SFP (1). Small form-factor pluggable (SFP)
mode is applicable only if GE_PORT=0 (gig 0/0); RJ-45
Example:
rommon > MEDIA_TYPE=1
mode is available on both gig 0/0 and gig 0/1 (GE_PORT =
0 or 1). (This option is not available on Cisco 1800 series
routers, Cisco 2801 routers, or Cisco 2811 routers.)
Step 11 TFTP_CHECKSUM=[0 | 1] (Optional) Determines whether the router performs a
checksum test on the downloaded image.
Example: • 1—Checksum test is performed (default).
rommon > TFTP_CHECKSUM=0
• 0—No checksum test is performed.
Step 12 TFTP_DESTINATION=[flash: | usbflash0: | (Optional) Designates the targeted flash device as compact
usbflash1:] flash or USB flash.
• flash:—Compact flash device (default).
Example:
rommon > TFTP_DESTINATION=usbflash0:
• usbflash0:—USB flash device inserted in port 0
• usbflash1:—USB flash device inserted in port 1
Step 13 TFTP_MACADDR=MAC_address (Optional) Sets the Media Access Controller (MAC)
address for this router.
Example:
rommon > TFTP_MACADDR=000e.8335.f360
Step 14 TFTP_RETRY_COUNT=retry_times (Optional) Sets the number of times that the router attempts
Address Resolution Protocol (ARP) and TFTP download.
The default is 7.
Example:
rommon > TFTP_RETRY_COUNT=10
Step 15 TFTP_TIMEOUT=time (Optional) Sets the amount of time, in seconds, before the
download process times out. The default is 2400 seconds
(40 minutes).
Example:
TFTP_TIMEOUT=1800

22 OL-5997-02

Step 16 TFTP_VERBOSE=setting (Optional) Configures how the router displays file
download progress, with these options:
Example: • 0—No progress is displayed.
rommon > TFTP_VERBOSE=2
• 1—Exclamation points (!!!) are displayed to indicate
file download progress. This is the default setting.
• 2—Detailed progress is displayed during the file
download process; for example:
Initializing interface.
Interface link state up.
ARPing for 1.4.0.1
ARP reply for 1.4.0.1 received.
MAC address 00:00:0c:07:ac:01
Step 17 set Displays the ROM monitor environment variables. Verify
that you correctly configured the ROM monitor
environment variables.
Example:
rommon > set
Step 18 tftpdnld [-h] [-r] Downloads the system image specified by the ROM
monitor environment variables.
Example: • Entering -h displays command syntax help text.
rommon > tftpdnld
• Entering -r downloads and boots the new software but
does not save the software to flash memory.
• Using no option (that is, using neither -h nor -r)
downloads the specified image and saves it in flash
memory.
Step 19 y Confirms that you want to continue with the TFTP
download.
Example:
Examples
Sample Output for Recovering the System Image (tftpdnld)
rommon 16 > IP_ADDRESS=171.68.171.0
rommon 17 > IP_SUBNET_MASK=255.255.254.0
rommon 18 > DEFAULT_GATEWAY=171.68.170.3
rommon 19 > TFTP_SERVER=171.69.1.129
rommon 20 > TFTP_FILE=c2801-is-mz.113-2.0.3.Q
rommon 21 > tftpdnld
IP_ADDRESS: 171.68.171.0
IP_SUBNET_MASK: 255.255.254.0
DEFAULT_GATEWAY: 171.68.170.3
TFTP_SERVER: 171.69.1.129
TFTP_FILE: c2801-is-mz.113-2.0.3.Q
Invoke this command for disaster recovery only.

WARNING: all existing data in all partitions on flash will be lost!

OL-5997-02 23
Receiving c2801-is-mz.113-2.0.3.Q from 171.69.1.129 !!!!!.!!!!!!!!!!!!!!!!!!!.!!

File reception completed.
Copying file c2801-is-mz.113-2.0.3.Q to flash.
Erasing flash at 0x607c0000
program flash location 0x60440000
rommon 22 >
Sample Output for the set ROM Monitor Command

rommon 3 > set
PS1=rommon ! >
IP_ADDRESS=172.18.16.76
IP_SUBNET_MASK=255.255.255.192
DEFAULT_GATEWAY=172.18.16.65
TFTP_SERVER=172.18.16.2
TFTP_FILE=anyname/rel22_Jan_16/c2801-i-mz
What to Do Next
Troubleshooting Crashes and Hangs (stack, context, frame, sysret, meminfo)

This section lists and describes some ROM monitor commands that can be used to troubleshoot router
crashes and hangs.
Most ROM monitor debug commands are functional only when the router crashes or hangs. If you enter
a debug command when crash information is not available, the following error message appears:
"xxx: kernel context state is invalid, can not proceed."
The ROM monitor commands in this section are all optional and can be entered in any order.
Router Crashes
A router or system crash is a situation in which the system detects an unrecoverable error and restarts
itself. The errors that cause crashes are typically detected by processor hardware, which automatically
branches to special error-handling code in the ROM monitor. The ROM monitor identifies the error,
prints a message, saves information about the failure, and restarts the system. For detailed information
about troubleshooting crashes, see the Troubleshooting Router Crashes and Understanding
Software-forced Crashes tech notes.
Router Hangs
A router or system hang is a situation in which the system does not respond to input at the console port
or to queries sent from the network, such as Telnet and Simple Network Management Protocol (SNMP).
Router hangs occur when:
• The console does not respond

24 OL-5997-02
• Traffic does not pass through the router

Router hangs are discussed in detail in the Troubleshooting Router Hangs tech note.
ROM Monitor Console Communication Failure

Under certain misconfiguration situations, it can be impossible to establish a console connection with
the router due to a speed mismatch or other incompatibility. The most obvious symptom is erroneous
characters in the console display.
If a ROM monitor failure of this type occurs, you may need to change a jumper setting on the
motherboard so that the router can boot for troubleshooting. Procedures for accessing the motherboard
and jumper locations are described in the installation of internal components section of the hardware
installation document for your router.
The jumper to be changed is DUART DFLT, which sets the console connection data rate to 9600
regardless of user configuration. The jumper forces the data rate to a known good value.
Restrictions
Do not manually reload or power-cycle the router unless reloading or power cycling is required for
troubleshooting a router crash. The system reload or power-cycle can cause important information to be
lost that is needed for determining the root cause of the problem.
SUMMARY STEPS
1. stack
or
k
2. context
3. frame [number]
4. sysret
5. meminfo
DETAILED STEPS

Step 1 stack (Optional) Obtains a stack trace.
or • For detailed information on how to effectively use this

command in ROM monitor mode, see the
k
Troubleshooting Router Hangs tech note.
Example:
rommon > stack
Step 2 context (Optional) Displays the CPU context at the time of the fault.
• If it is available, the context from kernel mode and
Example: process mode of a loaded image is displayed.
rommon > context

OL-5997-02 25

Step 3 frame [number] (Optional) Displays an entire individual stack frame.
• The default is 0 (zero), which is the most recent frame.
Example:
rommon > frame 4
Step 4 sysret (Optional) Displays return information from the last booted
system image.
Example: • The return information includes the reason for
rommon > sysret terminating the image, a stack dump of up to eight
frames, and, if an exception is involved, the address at
which the exception occurred.
Step 5 meminfo [-l] (Optional) Displays memory information, including:
• Main memory size, starting address, and available
Example: range
rommon > meminfo
• Packet memory size
• NVRAM size
Alternatively, using the meminfo -l command provides
information on supported DRAM configurations for the
router.
Examples
This section provides the following examples:
• Sample Output for the stack ROM Monitor Command, page 27
• Sample Output for the context ROM Monitor Command, page 27
• Sample Output for the frame ROM Monitor Command, page 28
• Sample Output for the sysret ROM Monitor Command, page 28
• Sample Output for the meminfo ROM Monitor Command, page 28

26 OL-5997-02
Sample Output for the stack ROM Monitor Command

rommon 6> stack
Kernel Level Stack Trace:

Initial SP = 0x642190b8, Initial PC = 0x607a0d44, RA = 0x61d839f8
Frame 0 : FP= 0x642190b8, PC= 0x607a0d44, 0 bytes
Frame 1 : FP= 0x642190b8, PC= 0x61d839f8, 24 bytes
Frame 2 : FP= 0x642190d0, PC= 0x6079b6c4, 40 bytes
Frame 3 : FP= 0x642190f8, PC= 0x6079ff70, 32 bytes
Frame 4 : FP= 0x64219118, PC= 0x6079eaec, 0 bytes
Process Level Stack Trace:

Initial SP = 0x64049cb0, Initial PC = 0x60e3b7f4, RA = 0x60e36fa8
Frame 0 : FP= 0x64049cb0, PC= 0x60e3b7f4, 24 bytes
Frame 1 : FP= 0x64049cc8, PC= 0x60e36fa8, 24 bytes
Frame 2 : FP= 0x64049ce0, PC= 0x607a5800, 432 bytes
Frame 3 : FP= 0x64049e90, PC= 0x607a8988, 56 bytes
Frame 4 : FP= 0x64049ec8, PC= 0x64049f14, 0 bytes
Sample Output for the context ROM Monitor Command

rommon 7> context
Kernel Level Context:

Reg MSW LSW | Reg MSW LSW
------ ---------- ---------- | ----- ---------- ----------
zero : 00000000 00000000 | s0 : 00000000 34018001
AT : 00000000 24100000 | s1 : 00000000 00000001
v0 : 00000000 00000003 | s2 : 00000000 00000003
v1 : 00000000 00000000 | s3 : 00000000 00000000
a0 : 00000000 0000002b | s4 : 00000000 64219118
a1 : 00000000 00000003 | s5 : 00000000 62ad0000
a2 : 00000000 00000000 | s6 : 00000000 63e10000
a3 : 00000000 64219118 | s7 : 00000000 63e10000
t0 : 00000000 00070808 | t8 : ffffffff e7400884
t1 : 00000000 00000000 | t9 : 00000000 00000000
t2 : 00000000 63e10000 | k0 : 00000000 00000000
t3 : 00000000 34018001 | k1 : 00000000 63ab871c
t4 : ffffffff ffff80fd | gp : 00000000 63c1c2d8
t5 : ffffffff fffffffe | sp : 00000000 642190b8
t6 : 00000000 3401ff02 | s8 : 00000000 6429274c
t7 : 00000000 6408d464 | ra : 00000000 61d839f8
HI : ffffffff e57fce22 | LO : ffffffff ea545255
EPC : 00000000 607a0d44 | ErrPC : ffffffff bfc05f2c
Stat : 34018002 | Cause : 00000020
Process Level Context:

Reg MSW LSW | Reg MSW LSW
------ ---------- ---------- | ----- ---------- ----------
zero : 00000000 00000000 | s0 : 00000000 6401a6f4
AT : 00000000 63e10000 | s1 : 00000000 00000000
v0 : 00000000 00000000 | s2 : 00000000 64049cf0
v1 : 00000000 00000440 | s3 : 00000000 63360000
a0 : 00000000 00000000 | s4 : 00000000 63360000
a1 : 00000000 00070804 | s5 : 00000000 62ad0000
a2 : 00000000 00000000 | s6 : 00000000 63e10000
a3 : 00000000 00000000 | s7 : 00000000 63e10000
t0 : 00000000 00000000 | t8 : ffffffff e7400884
t1 : 00000000 64928378 | t9 : 00000000 00000000
t2 : 00000000 00000001 | k0 : 00000000 644822e8
t3 : ffffffff ffff00ff | k1 : 00000000 61d86d84
t4 : 00000000 6079eee0 | gp : 00000000 63c1c2d8

OL-5997-02 27
t5 : 00000000 00000001 | sp : 00000000 64049cb0

t6 : 00000000 00000000 | s8 : 00000000 6429274c
t7 : 00000000 6408d464 | ra : 00000000 60e36fa8
HI : ffffffff e57fce22 | LO : ffffffff ea545255
EPC : 00000000 60e3b7f4 | ErrPC : ffffffff ffffffff
Stat : 3401ff03 | Cause : ffffffff
Sample Output for the frame ROM Monitor Command

rommon 6 > frame 2
Stack Frame 2, SP = 0x642190d0, Size = 40 bytes

[0x642190d0 : sp + 0x000] = 0xffffffff
[0x642190d4 : sp + 0x004] = 0xbfc05f2c
[0x642190d8 : sp + 0x008] = 0xffffffff
[0x642190dc : sp + 0x00c] = 0xffffffff
[0x642190e0 : sp + 0x010] = 0x6401a6f4
[0x642190e4 : sp + 0x014] = 0x00000000
[0x642190e8 : sp + 0x018] = 0x64049cf0
[0x642190ec : sp + 0x01c] = 0x63360000
[0x642190f0 : sp + 0x020] = 0x63360000
[0x642190f4 : sp + 0x024] = 0x6079ff70
Sample Output for the sysret ROM Monitor Command

rommon 8> sysret
System Return Info:

count: 19, reason: user break
pc:0x801111b0, error address: 0x801111b0
Stack Trace:
FP: 0x80005ea8, PC: 0x801111b0
FP: 0x80005eb4, PC: 0x80113694
FP: 0x80005f74, PC: 0x8010eb44
FP: 0x80005f9c, PC: 0x80008118
FP: 0x80005fac, PC: 0x80008064
FP: 0x80005fc4, PC: 0xfff03d70
FP: 0x80005ffc, PC: 0x00000000
FP: 0x00000000, PC: 0x00000000
Sample Output for the meminfo ROM Monitor Command

rommon 3> meminfo
-------------------------------------------------
Current Memory configuration is:
Onboard SDRAM: Size = 128 MB : Start Addr = 0x10000000
-----Bank 0 128 MB
-----Bank 1 0 MB
Dimm 0: Size = 256 MB : Start Addr = 0x00000000
-----Bank 0 128 MB
-----Bank 1 128 MB
-------------------------------------------------
Main memory size: 384 MB in 64 bit mode.
Available main memory starts at 0xa0015000, size 393132KB
IO (packet) memory size: 10 percent of main memory.
NVRAM size: 191KB

28 OL-5997-02
You can also use the meminfo -l command to show the supported DRAM configurations for the router.
The following is sample output for the command:
rommon 4 > meminfo -l
The following 64 bit memory configs are supported:

-------------------------------------------------
Onboard SDRAM DIMM SOCKET 0 TOTAL MEMORY
Bank 0 Bank1 Bank 0 Bank 1
------------- ------------- ------------
128 MB 0 MB 0 MB 0 MB 128 MB
128 MB 0 MB 64 MB 0 MB 192 MB
128 MB 0 MB 64 MB 64 MB 256 MB
128 MB 0 MB 128 MB 0 MB 256 MB
128 MB 0 MB 128 MB 128 MB 384 MB
128 MB 0 MB 256 MB 0 MB 384 MB
• Troubleshooting Router Crashes
• Understanding Software-forced Crashes
• Troubleshooting Router Hangs
Exiting ROM Monitor Mode

This section describes how to exit ROM monitor mode and enter the Cisco IOS command-line interface
(CLI). The method that you use to exit ROM monitor mode depends on how your router entered ROM
monitor mode:
• If you reload the router and enter the Break key sequence to enter ROM monitor mode when the
router would otherwise have booted the system image, you can exit ROM monitor mode by doing
either of the following:
– Enter the i command or the reset command, which restarts the booting process and loads the
system image.
– Enter the cont command, which continues the booting process and loads the system image.
• If your router entered ROM monitor mode because it could not locate and load the system image,
perform the steps in the following procedure.
SUMMARY STEPS
1. dir flash: [directory]

2. boot flash: [directory] [filename]
or
or
boot [filename]

OL-5997-02 29
DETAILED STEPS

Step 1 dir flash:[directory] Displays a list of the files and directories in flash memory.
• Locate the system image that you want the router to
Example: load.
rommon > dir flash:
• If the system image is not in flash memory, use the
second or third option in Step 2.
Step 2 boot flash:[directory] [filename] In order, the examples here direct the router to:
or • Boot the first image or a specified image in flash

memory.
• Boot the specified image over the network from the
or specified TFTP server (hostname or IP address).
boot [filename] • Boot from the boothelper image because it does not
recognize the device ID. This form of the command is
Example: used to netboot a specified image.
ROMMON > boot flash:myimage You can override the default boothelper image setting
by setting the BOOTLDR Monitor environment
variable to point to another image. Any system image
Example:
ROMMON > boot someimage 172.16.30.40 can be used for this purpose.
Note Options to the boot command are -x (load image but
do not execute) and -v (verbose).
Example:
ROMMON > boot
Examples
Sample Output for the dir flash: Command in ROM Monitor mode
rommon > dir flash:
File size Checksum File name

2229799 bytes (0x220627) 0x469e c2801-j-m2.113-4T
What to Do Next
Now that you have a system image running on your router, configure the router to load the correct image
at the next system reload or power-cycle. See the following documents:

30 OL-5997-02
The following sections provide references related to using the ROM monitor.
Related Documents
Related Topic Document Title

Connecting your PC to the router console port • Quick start guide for your router
• Hardware installation guide for your router
Break key sequence combinations for entering ROM Standard Break Key Sequence Combinations During Password
monitor mode within the first 60 seconds of rebooting Recovery
the router
Upgrading the ROM monitor ROM Monitor Download Procedures for Cisco 2691, Cisco, 3631,
Cisco 3725, and Cisco 3745 Routers
Note These procedures also apply to Cisco 1841 series,
Cisco 2800 series, and Cisco 3800 series routers.
Using the boot image (Rx-boot) to recover or upgrade How to Upgrade from ROMmon Using the Boot Image
the system image
Booting and configuration register commands Cisco IOS Configuration Fundamentals Command Reference
Loading and maintaining system images; rebooting Cisco IOS Configuration Fundamentals and Network Management
Configuration Guide
Choosing and downloading system images Software Center at
http://www.cisco.com/kobayashi/sw-center/index.shtml
Console download (xmodem) Xmodem Console Download Procedure Using ROMmon
Router crashes Troubleshooting Router Crashes
Understanding Software-forced Crashes
Router hangs Troubleshooting Router Hangs

OL-5997-02 31
Description Link
even more content.1
1. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.

32 OL-5997-02
Using CompactFlash Memory Cards
Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers use external
CompactFlash (CF) memory cards to store the system image, some software feature data, and
configuration files. The CF memory cards use the following file systems. The file system that is
supported depends on router model:
• Class B flash file system, also known as the low-end file system (LEFS)
• Class C flash file system, similar to the standard DOS file system
This document contains the following sections:
• Requirements and Restrictions, page 2
• Online Insertion and Removal, page 2
• How to Format CompactFlash Memory Cards, page 3
• File Operations on CompactFlash Memory Cards, page 5
• Directory Operations on a CompactFlash Memory Card, page 8


Requirements and Restrictions
Requirements and Restrictions

• Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers do not support
internal flash memory. Because the system image can be stored only on a CF memory card, you need
to have a CF memory card installed to boot the system image.
• We recommend that you erase (Class B) or format (Class C) new CF memory cards to initialize them
with either a Class B or Class C flash file system. This ensures proper formatting and enables the
ROM monitor to recognize and boot the flash memory.
• Only CF memory cards purchased from Cisco are supported on these platforms.
Cisco 1800 Series Routers and Cisco 2801 Routers

• Support only the Class C flash file system.
• Support only external CF memory cards.
• The CF memory card file system can be formatted on a Cisco 1800 series router or Cisco 2801
router. After the file system has been formatted, files on the CF memory card can be copied to or
from any PC that is equipped with a CF memory reader. If you use a PC to format the CF memory
card, use only the Microsoft 16-bit File Allocation Table (FAT16) file system.
Cisco 3800 Series Routers and Cisco 2800 Series Routers (Except for Cisco 2801 Routers)
• Support Class B and Class C flash file systems.
• Support only external CF memory cards.
• If you use a PC to format the CF memory cards, you can format the cards with the Microsoft 16-bit
File Allocation Table (FAT16), Microsoft 32-bit File Allocation Table (FAT32), or Microsoft
Windows NT file system (NTFS). Alternatively, you can format the CF memory card on the router.
Note When formatted on the router, flash memory cards are formatted with the DOSFS file system, a
platform-independent industry-standard file system that is supported on all Cisco 3800 series routers,
Cisco 2800 series routers, and Cisco 1800 series routers.
Online Insertion and Removal

Online insertion and removal (OIR) is a feature that allows you to replace CF memory cards without
turning off the router and without affecting the operation of other interfaces. OIR of CF memory cards
provides uninterrupted operation to network users, maintains routing information, and ensures session
preservation.
Caution The external CF memory card should not be removed if the flash memory busy “CF” LED on the router
is ON, because this indicates that the software is accessing the CF memory card. Removing the CF
memory card may disrupt the network, because some software features use the CF memory card to store
tables and other important data.
For instructions on inserting, removing, and replacing the external CF memory card, see the hardware
installation documentation that came with your router.

2 OL-5596-01
How to Format CompactFlash Memory Cards

This section contains the following procedures:
• Determining the File System on a CompactFlash Memory Card, page 3
• Formatting CompactFlash Memory as a Class B Flash File System, page 4
• Formatting CompactFlash Memory as a Class C File System, page 4
Determining the File System on a CompactFlash Memory Card

To determine the file system of a CF memory card, enter the show flash: all command in privileged
EXEC mode.
• If geometry and format information does not appear in the output, the card is formatted with a
Class B flash file system.
• If geometry and format information appears in the output, the card is formatted with a Class C flash
file system.
The following examples show sample outputs for Class B and Class C flash file systems.
External Card with Class B Flash File System: Example

The geometry and format information does not appear.
Router# show flash: all
Partition Size Used Free Bank-Size State Copy

Mode
1 125184K 20390K 104793K 0K Read/Write
Direct
System Compact Flash directory:

addr fcksum ccksum
1 6658376 c28xx-i-mz
0x40 0xE0FF 0xE0FF
2 14221136 c2800-telcoent-mz
0x6599C8 0x5C3D 0x5C3D
125184K bytes of ATA System Compact Flash (Read/Write)
Chip information NOT available.
External Card with Class C Flash File System: Example

The geometry and format information is displayed in this format.
Router# show flash: all
-#- --length-- -----date/time------ path

1 6658376 Mar 01 2004 04:27:46 c28xx-i-mz
25268224 bytes available (6664192 bytes used)
******** ATA Flash Card Geometry/Format Info ********

OL-5596-01 3
ATA CARD GEOMETRY

Number of Heads: 4
Number of Cylinders 490
Sectors per Cylinder 32
Sector Size 512
Total Sectors 62720
ATA CARD FORMAT

Number of FAT Sectors 31
Sectors Per Cluster 8
Number of Clusters 7796
Number of Data Sectors 62560
Base Root Sector 155
Base FAT Sector 93
Base Data Sector 187
Formatting CompactFlash Memory as a Class B Flash File System

Use the erase flash: command in privileged EXEC mode to
• Format CF memory cards with a Class B flash file system
• Remove the files from a CF memory card previously formatted with a Class B flash file system
Formatting CompactFlash Memory as a Class B Flash File System: Example

Router# erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Current DOS File System flash card in flash: will be formatted into Low
End File System flash card! Continue? [confirm]
Erasing device...
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
...erased
Erase of flash: complete
Formatting CompactFlash Memory as a Class C File System

Use the format flash: command in privileged EXEC mode to:
• Format CF memory cards with a Class C flash file system
• Remove the files from a CF memory card previously formatted with a Class C flash file system
Formatting CompactFlash Memory as a Class C Flash File System: Example
Router# format flash:
Format operation may take a while. Continue? [confirm]

Format operation will destroy all data in "flash:". Continue? [confirm]
Enter volume ID (up to 64 chars)[default flash]:
Current Low End File System flash card in flash will be formatted into DOS
File System flash card! Continue? [confirm]
Format:Drive communication & 1st Sector Write OK...
Writing Monlib sectors ..................................................................
Monlib write complete

4 OL-5596-01
File Operations on CompactFlash Memory Cards
Format:All system sectors written. OK...

Format:Total sectors in formatted partition:250592
Format:Total bytes in formatted partition:128303104
Format:Operation completed successfully.
Format of flash complete

File and directory operations vary according to the formatted file system—Class B or Class C.
This section describes the following file operations for external CF memory cards:
• Copying Files, page 5
• Displaying Files, page 5
• Displaying File Content, page 6
• Displaying Geometry and Format Information (Class C Only), page 6
• Deleting Files, page 7
• Renaming Files, page 8
Copying Files
To copy files, enter the copy command in privileged EXEC mode. To indicate a file that is stored in a
CF memory card, precede the filename with flash:.
Examples: Copying Files

In the following example, the file my-config1 on the CF memory card is copied into the startup-config
file in the system memory:
Router# copy flash:my-config1 startup-config
Destination filename [startup-config]?

[OK]
517 bytes copied in 4.188 secs (129 bytes/sec)
In the following example, the file my-config2 on the CF memory card is copied into the running-config
file in the system memory:
Router# copy flash:my-config2 running-config
Destination filename [running-config]?

709 bytes copied in 0.72 secs
Displaying Files
To display a list of files on a CF memory card, enter the dir flash: command in privileged EXEC mode:
Router# dir flash:
Directory of flash:/
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata
3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz
63930368 bytes total (51007488 bytes free)

OL-5596-01 5
Displaying File Content

To display the content of a file that is stored in flash memory, enter the more flash: command in
privileged EXEC mode:
Router# more flash:c28xx-i-mz
00000000: 7F454C46 01020100 00000000 00000000 .ELF .... .... ....

00000010: 00020061 00000001 80008000 00000034 ...a .... .... ...4
00000020: 00000054 20000001 00340020 00010028 ...T ... .4. ...(
00000030: 00050008 00000001 0000011C 80008000 .... .... .... ....
00000040: 80008000 00628A44 00650EEC 00000007 .... .b.D .e.l ....
00000050: 0000011C 0000001B 00000001 00000006 .... .... .... ....
00000060: 80008000 0000011C 00004000 00000000 .... .... ..@. ....
00000070: 00000000 00000008 00000000 00000021 .... .... .... ...!
00000080: 00000001 00000002 8000C000 0000411C .... .... ..@. ..A.
00000090: 00000700 00000000 00000000 00000004 .... .... .... ....
000000A0: 00000000 00000029 00000001 00000003 .... ...) .... ....
000000B0: 8000C700 0000481C 00000380 00000000 ..G. ..H. .... ....
000000C0: 00000000 00000004 00000000 0000002F .... .... .... .../
000000D0: 00000001 10000003 8000CA80 00004B9C .... .... ..J. ..K.
000000E0: 00000020 00000000 00000000 00000008 ... .... .... ....
000000F0: 00000000 0000002F 00000001 10000003 .... .../ .... ....
00000100: 8000CAA0 00004BBC 00623FA4 00000000 ..J ..K< .b?$ ....
00000110: 00000000 00000008 00000000 3C1C8001 .... .... .... <...
00000120: 679C4A80 3C018001 AC3DC70C 3C018001 g.J. <... ,=G. <...
00000130: AC3FC710 3C018001 AC24C714 3C018001 ,?G. <... ,$G. <...
00000140: AC25C718 3C018001 AC26C71C 3C018001 ,%G. <... ,&G. <...
00000150: AC27C720 3C018001 AC30C724 3C018001 ,'G <... ,0G$ <...
00000160: AC31C728 3C018001 AC32C72C 3C018001 ,1G( <... ,2G, <...
--More-- q
Displaying Geometry and Format Information (Class C Only)

To display the geometry and format information of a CF memory card formatted with a Class C flash
file system, enter the show flash: filesys command in privileged EXEC mode:
Router# show flash: filesys
******** ATA Flash Card Geometry/Format Info ********
ATA CARD GEOMETRY

Number of Heads: 4
Number of Cylinders 490
Sectors per Cylinder 32
Sector Size 512
Total Sectors 62720
ATA CARD FORMAT

Number of FAT Sectors 31
Sectors Per Cluster 8
Number of Clusters 7796
Number of Data Sectors 62560
Base Root Sector 155
Base FAT Sector 93
Base Data Sector 187

6 OL-5596-01
Deleting Files
To delete a file from a CF memory card, enter the delete flash: command.
If you are using a Class B flash file system, after you enter the delete flash: command, the memory space
of the deleted file remains occupied, although the deleted file cannot be recovered. To reclaim the
memory space occupied by a deleted file, enter the squeeze flash: command, in privileged EXEC mode.
Note The squeeze flash command applies only to the Class B flash file system. This command is unnecessary
with Class C flash file systems, because unused file space is recovered automatically. Moreover, the
squeeze flash command is not supported on Cisco 1800 series routers or Cisco 2801 routers.
Note The dir flash: command does not display deleted files and files with errors. On Class B flash file
systems, to display all files, including files with errors and deleted files whose memory space have not
been reclaimed with the squeeze flash: command, enter the dir /all flash: command or the show flash:
command in privileged EXEC mode.
Deleting a File from a CompactFlash Memory Card with a Class B Flash File System: Example
In the following example, the file c28xx-i-mz.tmp is deleted from the external CF memory card:
Router# delete flash:c28xx-i-mz.tmp
Delete filename [c28xx-i-mz.tmp]?

Delete flash:c28xx-i-mz.tmp? [confirm]
Because the file was deleted, it does not appear when you enter the dir flash: command:
Router# dir flash:
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata
3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz
However, if you are using a Class B file system, because the deleted file’s memory space has not yet
been reclaimed, the deleted file is listed when you enter the show flash: command:
Router# show flash:
Flash Compact Flash directory:

1 6458208 c28xx-i-mz.tmp [deleted]
2 6458208 c28xx-i-mz
15680K bytes of ATA Compact Flash (Read/Write)
To reclaim the memory space of deleted files, enter the squeeze flash: command:
Router# squeeze flash:
Squeeze operation may take a while. Continue? [confirm]

squeeze in progress...
sssssssssssssssssssssssseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Rebuild file system directory...
Squeeze complete

OL-5596-01 7
Directory Operations on a CompactFlash Memory Card
Renaming Files
To rename a file on a CF memory card, enter the rename command in privileged EXEC mode:
Router# dir flash:
3 -rw- 6458388 Mar 01 2004 00:00:58 c28xx-i-mz.tmp

1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata
Router# rename flash:c28xx-i-mz.tmp flash:c28xx-i-mz
Destination filename [c28xx-i-mz]?
Router# dir flash:
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata

3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz

Directory operations vary according to the formatted file system—Class B or Class C.
The following sections describe directory operations for external CF memory cards on Cisco routers:
• Entering a Directory and Determining Which Directory You Are In, page 8
• Creating a New Directory, page 9
• Removing a Directory, page 10
Entering a Directory and Determining Which Directory You Are In

To enter a directory of a CF memory card, enter the cd command in privileged EXEC mode. The cd
command specifies or changes the default directory or file system. If you enter cd only, without
specifying a file system, the router enters the default home directory, which is flash.
Router# cd
To determine which directory you are in, enter the pwd command in privileged EXEC mode. The CLI
displays which directory or file system is specified as the default by the cd command.
Router# pwd
flash:

8 OL-5596-01
To display a list of files in the directory that you are in, enter the dir command in privileged EXEC
mode. The command-line interface will display the files in the file system that was specified as the
default by the cd command.
Router# dir
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata

3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz
Entering a Directory: Example

To enter the /config directory:
Router# cd config
To verify that you are in the /config directory:

Router# pwd
flash:/config/
Router# dir
Directory of flash:/config/
380 -rw- 6462268 Mar 08 2004 06:14:02 myconfig1

203 -rw- 6458388 Mar 03 2004 00:01:24 myconfig2
Creating a New Directory

To create a directory in flash memory, enter the mkdir flash: command in privileged EXEC mode.
Creating a New Directory: Example

In the following example, a new directory named “config” is created; then a new subdirectory named
“test-config” is created within the “config” directory.
Router# dir flash:
1580 -rw- 6462268 Mar 06 2004 06:14:02 c28xx-i-mz.3600ata

3 -rw- 6458388 Mar 01 2004 00:01:24 c28xx-i-mz

Router# mkdir flash:/config
Create directory filename [config]?

Created dir flash:/config
Router# mkdir flash:/config/test-config
Create directory filename [/config/test-config]?

Created dir flash:/config/test-config

OL-5596-01 9
Router# dir flash:
3 -rw- 6458208 Mar 01 2004 00:04:08 c28xx-i-mz.tmp

1580 drw- 0 Mar 01 2004 23:48:36 config
Removing a Directory
To remove a directory in flash memory, enter the rmdir flash: command in privileged EXEC mode.
Before you can remove a directory, you must remove all files and subdirectories from the directory.
Example: Removing a Directory

In the following example, the subdirectory test-config is removed.
Router# dir
1581 drw- 0 Mar 01 2004 23:50:08 test-config

Router# rmdir flash:/config/test-config
Remove directory filename [/config/test-config]?

Delete flash:/config/test-config? [confirm]
Removed dir flash:/config/test-config
Router# dir
No files in directory

10 OL-5596-01
Upgrading the System Image
This document describes how to upgrade the Cisco IOS software system image on your router.
Contents
• Restrictions for Upgrading the System Image, page 1
• Information About Upgrading the System Image, page 2
• How to Upgrade the System Image, page 3

Restrictions for Upgrading the System Image

• Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers support only
external compact flash memory cards. Internal flash memory is not supported. For more details, see
Using CompactFlash Memory Cards.

Information About Upgrading the System Image
Information About Upgrading the System Image

To upgrade the system image on your router, you should understand the following concepts:
• Why Would I Upgrade the System Image?, page 2
• Which Cisco IOS Release Is Running on My Router Now?, page 2
• How Do I Choose the New Cisco IOS Release and Feature Set?, page 2
• Where Do I Download the System Image?, page 2
Why Would I Upgrade the System Image?

System images contain the Cisco IOS software. Your router already has an image on it when you receive
it. Nevertheless, you may want to load a different image onto the router at some point. For example, you
may want to upgrade your software to the latest release, or you may want to use the same Cisco IOS
release for all the routers in a network. Different system images contain different sets of Cisco IOS
features.
Which Cisco IOS Release Is Running on My Router Now?

To determine which Cisco IOS release is currently running on your system, and the filename of the
system image, enter the show version command in user EXEC or privileged EXEC mode.
How Do I Choose the New Cisco IOS Release and Feature Set?
To determine which Cisco IOS releases and feature sets support your platform and required features, go
to Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If
you do not have an account or have forgotten your username or password, click Cancel at the login
dialog box and follow the instructions that appear.
For more detailed information on choosing the new Cisco IOS release and feature set, see the How to
Choose a Cisco IOS Software Release tech note.
Where Do I Download the System Image?

You must have an account on Cisco.com to use the following websites. If you do not have an account or
have forgotten your username or password, click Cancel at the login dialog box, and follow the
instructions that appear.
If you know which Cisco IOS release and feature set you want to download, go to the Download Software
Area at http://www.cisco.com/kobayashi/sw-center/index.shtml.
If you want more information before selecting the Cisco IOS release and feature set, go to the Software
Center at http://www.cisco.com/kobayashi/sw-center/index.shtml.
OL-5595-01
2
How to Upgrade the System Image

This section provides information about performing the following tasks:
• Saving Backup Copies of Your Old System Image and Configuration, page 3
• Ensuring Adequate DRAM for the New System Image, page 4
• Ensuring Adequate Flash Memory for the New System Image, page 6
• Copying the System Image into Flash Memory, page 10
• Loading the New System Image, page 17
• Saving Backup Copies of Your New System Image and Configuration, page 22
Saving Backup Copies of Your Old System Image and Configuration

To avoid unexpected downtime if you encounter serious problems using your new system image or
startup configuration, we recommend that you save backup copies of your current startup configuration
file and Cisco IOS software system image file on a server.
To save backup copies of the startup configuration file and the system image file, complete the following
steps.
SUMMARY STEPS
1. enable
3. dir flash:
DETAILED STEPS

Example:
Router> enable
• The configuration file copy can serve as a backup copy.
OL-5595-01
3

Step 3 dir flash: Displays the layout and contents of a flash memory file
system.
Example: • Learn the name of the system image file.
Router# dir flash:
• Copy the system image file to a server. This file can
Example: serve as a backup copy.
• Enter the flash memory partition number if prompted.
prompted.
Examples
The following examples show how to copy a startup configuration to a TFTP server and how to copy
from flash memory to an FTP server.

Remote host[]? 192.0.0.1
Name of configuration file to write [rtr2-confg]? rtr2-config-b4upgrade

Write file rtr2-confg-b4upgrade on host 192.0.0.1?[confirm] <cr>
![OK]

The following example uses the dir flash: command in privileged EXEC mode to learn the name of the
system image file and the copy flash: tftp: command in privileged EXEC mode to copy the system
image (c2800-2is-mz) to a TFTP server. The router uses the default username and password.
Router# dir flash:

1 4137888 c2800-image-mz

filename to write on tftp host? c2800-image-mz
writing c2800-image-mz !!!!...
Ensuring Adequate DRAM for the New System Image

This section describes how to check whether your router has enough DRAM for upgrading to the new
system image.
OL-5595-01
4
Prerequisites
Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information
About Upgrading the System Image” section on page 2.
SUMMARY STEPS
1. Select the system image in the Download Software Area at the following URL:
2. Write down the minimum memory requirements for the image, as displayed in the File Download
Information table.
3. show version
4. Add the memory sizes that are displayed in the show version command output to calculate your
router’s DRAM size.
5. Compare the calculated DRAM size with the minimum memory requirements from Step 2.
a. If the DRAM is equal to or greater than the new system image’s minimum memory
requirements, then proceed to the “Ensuring Adequate Flash Memory for the New System
Image” section on page 6.
b. If the DRAM is less than the new system image’s minimum flash requirements, then you must
upgrade your DRAM. See the hardware installation guide for your router.
DETAILED STEPS
Step 1 Select the system image in the Download Software Area at the following URL:
or password, click Cancel at the login dialog box and follow the instructions that appear.
Step 2 Write down the minimum memory requirements for the image, as displayed in the File Download
Information table.
Step 3 show version
Use this command to display the router processor and memory (shown in bold text in the following
sample output):
Router# show version
Cisco IOS Software, 2800 Software (C2800-IPBASE-M), Version 12.3(2), [fc3]

Copyright (c) 2004 by Cisco Systems, Inc.
Compiled Thu 11-Aug-04 18:15
ROM: System Bootstrap, Version 12.3(2)
Router1 uptime is 1 day, 23 hours, 15 minutes

System returned to ROM by reload at 13:11:44 UTC Fri Mar 12 2004
Running default software
Cisco 2800(revision 2.0) with 231424K/30720K bytes of memory.

Processor board ID FHH0746C042
2 Serial interfaces
2 Channelized E1/PRI ports
OL-5595-01
5

479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x820
Router#
Step 4 Add the memory sizes that are displayed in the show version command output to calculate the amount
of DRAM in your router.
For example, in the sample show version command output shown in Step 3, you would add 231424 KB
and 30720 KB for a total of 262144 KB, or 256 MB, of DRAM.
Tip To convert from kilobytes (KB) to megabytes (MB), divide the number of kilobytes by 1024.
Step 5 Compare the amount of DRAM in the router to the minimum memory requirements from Step 2.
a. If the DRAM is equal to or greater than the new system image’s minimum memory requirements,
proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.
b. If the DRAM is less than the new system image’s minimum memory requirements, you must
upgrade your DRAM. See the hardware installation guide for your router.
What to Do Next
Proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.
Ensuring Adequate Flash Memory for the New System Image

This section describes how to check whether your router has enough flash memory to upgrade to the new
system image and, if necessary, how to properly delete files in flash memory to make room for the new
system image. For more information, see Using Compact Flash Memory Cards.
Prerequisites
• Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information
About Upgrading the System Image” section on page 2.
• Select the system image in the Download Software Area at:
You must have an account on Cisco.com. If you do not have an account or have forgotten your
username or password, click Cancel at the login dialog box and follow the instructions that appear.
From the File Download Information table, write down the minimum flash requirements for the
image.
SUMMARY STEPS
1. enable
2. (Class B file systems only) squeeze flash:
OL-5595-01
6
3. dir flash:
4. From the displayed output of the dir flash: command, compare the number of bytes available to the
minimum flash requirements for the new system image.
a. If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on
page 10.
b. If the available memory is less than the new system image’s minimum flash requirements,
proceed to Step 5.
5. From the displayed output of the dir flash: command, compare the number of bytes total to the size
of the system image to which you want to upgrade.
a. If the total memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card. See the hardware installation guide for your router.
b. If the total memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to Step 6.
6. dir /all flash:
7. From the displayed output of the dir /all flash: command, write down the names and directory
locations of the files that you can delete.
8. (Optional) copy flash: {tftp | rcp}
9. (Optional) Repeat Step 8 for each file that you identified in Step 7.
10. delete flash:directory-path/filename
11. Repeat Step 10 for each file that you identified in Step 7.
12. (Class B file systems only) squeeze flash:
13. dir flash:[partition-number:]
14. From the displayed output of the dir flash: command, compare the number of bytes available to the
size of the system image to which you want to upgrade.
a. If the available memory is less than the new system image’s minimum flash requirements, then
you must upgrade your compact flash memory card to a size that can accommodate both the
existing files and the new system image. See the hardware installation guide for your router.
b. If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on
page 10.
OL-5595-01
7
DETAILED STEPS
Step 1 enable
Use this command to enter privileged EXEC mode. Enter your password if prompted. For example:
Router> enable
Password:
Router#
Step 2 (Class B file systems only) squeeze flash:
Note The squeeze command is only applicable for Class B flash file systems. It is not needed for
Class C flash file systems. For more details on supported flash file systems, see Using
CompactFlash Memory Cards.
Use this command to reclaim the memory space of previously deleted files:

Squeeze complete
Step 3 dir flash:

Use this command to display the layout and contents of flash memory:
Router# dir flash:
Flash CompactFlash directory:

2 6458208 c38xx-i-mz
Step 4 From the displayed output of the dir flash: command, compare the number of bytes available to the
minimum flash requirements for the new system image.
• If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.
• If the available memory is less than the new system image’s minimum flash requirements, proceed
to Step 5.
Step 5 From the displayed output of the dir flash: command, compare the number of bytes total to the size of
the system image to which you want to upgrade.
• If the total memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card. See the hardware installation guide for your router.
• If the total memory is equal to or greater than the new system image’s minimum flash requirements,
proceed to Step 6.
Step 6 dir /all flash:
Use this command to display a list of all files and directories in flash memory:
Router# dir /all flash:
OL-5595-01
8
3 -rw- 6458388 Mar 01 1993 00:00:58 c38xx-i-mz.tmp

1580 -rw- 6462268 Mar 06 1993 06:14:02 c38xx-i-mz.2800ata
Step 7 From the displayed output of the dir /all flash: command, write down the names and directory locations
of the files that you can delete. If you cannot delete any files, you must upgrade your compact flash
memory card. See the hardware installation guide for your router.
Note Do not delete the system image that the router already uses. If you are not sure which files can
be safely deleted, either consult your network administrator or upgrade your compact flash
memory card to a size that can accommodate both the existing files and the new system image.
See the hardware installation guide for your router.
Step 8 copy flash:{tftp | rcp}

(Optional) Copy a file to a server before deleting the file from flash memory. When prompted, enter the
filename and the server’s hostname or IP address:
Router# copy flash tftp
Step 9 (Optional) Repeat Step 8 for each file that you identified in Step 7.
Step 10 delete flash:directory-path/filename
Use this command to delete a file in flash memory:
Router# delete flash:c38xx-i-mz.tmp
Delete filename [c38xx-i-mz.tmp]? <cr>

Delete flash:c38xx-i-mz.tmp? [confirm] <cr>
Step 11 Repeat Step 10 for each file that you identified in Step 7.
Step 12 (Class B file systems only) squeeze flash:
Use this command to reclaim the memory space of previously deleted files, for example:

Squeeze complete
Step 13 dir flash:

Use this command to display the layout and contents of flash memory:
Router# dir flash:
Flash CompactFlash directory:

2 6458208 c38xx-i-mz
OL-5595-01
9
Step 14 From the displayed output of the dir flash: command, compare the number of bytes available to the size
of the system image to which you want to upgrade.
• If the available memory is less than the new system image’s minimum flash requirements, you must
upgrade your compact flash memory card to a size that can accommodate both the existing files and
the new system image. See the hardware installation guide for your router.
• If the available memory is equal to or greater than the new system image’s minimum flash
requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.
What to Do Next
Proceed to the “Copying the System Image into Flash Memory” section on page 10.
Copying the System Image into Flash Memory

This section describes how to copy the system image into the compact flash memory card for your router.
Choose one of the following methods:
• Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory, page 10
• Using the ROM Monitor to Copy the System Image over a Network, page 12
• Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory,
page 15
• Using Console Download (xmodem) in ROM Monitor to Copy the System Image into Flash
Memory, page 16
Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory
This section describes how to use TFTP or Remote Copy Protocol (RCP) to upgrade the system image.
This is the recommended and most common method of upgrading the system image.
Prerequisites
• Install a TFTP server or an RCP server application on a TCP/IP-ready workstation or PC. Many
third-party vendors provide free TFTP server software, which you can find by searching for “TFTP
server” in a web search engine.
If you use TFTP:
– Configure the TFTP application to operate as a TFTP server, not a TFTP client.
– Specify the outbound file directory to which you will download and store the system image.
• Download the new Cisco IOS software image into the workstation or PC. See the “Where Do I
Download the System Image?” section on page 2.
• Establish a console session to the router. We recommend that you connect your PC directly to the
router console port. See the quick start guide that shipped with your router.
OL-5595-01
10
• Verify that the TFTP or RCP server has IP connectivity to the router. If you cannot successfully ping
between the TFTP or RCP server and the router, do one of the following:
– Configure a default gateway on the router.
– Make sure that the server and the router each have an IP address in the same network or subnet.
See the tech note, Determining IP Addresses: Frequently Asked Questions.
Tip For more detailed information on how to perform the prerequisites, see the Software Installation and
Upgrade Procedure tech note.
SUMMARY STEPS
1. enable
2. copy tftp flash
or
copy rcp flash
3. When prompted, enter the IP address of the TFTP or RCP server.
4. When prompted, enter the filename of the Cisco IOS software image to be installed.
5. When prompted, enter the filename as you want it to appear on the router.
6. If an error message appears that says, “Not enough space on device,” do one of the following, as
appropriate:
• If you are certain that all the files in flash memory should be erased, enter y twice when prompted
to erase flash before copying.
• If you are not certain that all files in flash memory should be erased, press Ctrl-Z and follow the
instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on
page 6.
Note Cisco 1841 and Cisco 2801 routers only support DOSFS (Class C) flash memory file
systems. If there is not enough space, you will not be prompted to erase flash memory.
Instead, the operation aborts and you will need to erase some files manually to make enough
space for the image.
7. If the error message does not appear, enter no when prompted to erase the flash memory before
copying.
DETAILED STEPS
Step 1 enable
Use this command to enter privileged EXEC mode. Enter your password if prompted:
Router> enable
Router#
OL-5595-01
11
Step 2 copy tftp flash

or
copy rcp flash
Use one of these commands to copy a file from a server to flash memory:
Router# copy tftp flash
Step 3 When prompted, enter the IP address of the TFTP or RCP server:
Address or name of remote host []? 10.10.10.2
Step 4 When prompted, enter the filename of the Cisco IOS software image to be installed:
Source filename []? c2600-i-mz.121-14.bin
Note The filename is case sensitive.
Step 5 When prompted, enter the filename as you want it to appear on the router. Typically, the same filename
is entered as was used in Step 4:
Destination filename []? c2600-i-mz.121-14.bin
Step 6 If an error message appears that says, “Not enough space on device,” do one of the following as
appropriate:
• If you are certain that all the files in flash memory should be erased, enter y when prompted twice
to confirm that flash memory will be erased before copying:
Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] y
Erasing the flash filesystem will remove all files! Continue? [confirm] y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
• If you are not certain that all the files in flash memory should be erased, press Ctrl-Z and follow
the instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on
page 6.
Step 7 If the error message does not appear, enter no when prompted to erase the flash memory before copying:
Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] no
See theCommon Problems in Installing Images Using TFTP or an RCP Server tech note.
What to Do Next
Proceed to the “Loading the New System Image” section on page 17.
Using the ROM Monitor to Copy the System Image over a Network
This section describes how to download a Cisco IOS software image from a remote TFTP server to the
router flash memory by using the tftpdnld ROM monitor command.
OL-5595-01
12
Before you can enter the tftpdnld ROM monitor command, you must set the ROM monitor environment
variables.
Prerequisites
Connect the TFTP server to a fixed network port on your router.
Restrictions
The LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore,
only a fixed port on your router can be used for TFTP download. This can be either a fixed Ethernet port
on the router or one of the Gigabit Ethernet ports on routers equipped with them.
Note You can use this command only to download files to the router. You cannot use tftpdnld to get files
from the router.
SUMMARY STEPS
1. Enter ROM monitor mode

2. Set the IP_ADDRESS=ip_address configuration variable.
3. Set the IP_SUBNET_MASK=ip_address configuration variable.
4. Set the DEFAULT_GATEWAY=ip_address configuration variable.
5. Set the TFTP_SERVER=ip_address configuration variable.
6. Set the TFTP_FILE=[directory-path/]filename configuration variable.
7. (Optional) Set the GE_PORT=[0 | 1 ] configuration variable.
8. (Optional) Set the MEDIA_TYPE=[0 | 1] configuration variable.
9. (Optional) Set the TFTP_CHECKSUM=[0 | 1] configuration variable.
10. (Optional) Set the TFTP_RETRY_COUNT=retry_times configuration variable.
11. (Optional) Set the TFTP_TIMEOUT=time configuration variable.
12. (Optional) Set the TFTP_VERBOSE=setting configuration variable.
13. Use the set command to verify that you have set the variables correctly.
14. Use the tftpdnld [-r] command to download the image.
DETAILED STEPS
Step 1 Enter ROM monitor mode.

Step 2 Set the IP address of the router. For example:
rommon > IP_ADDRESS=172.16.23.32
Step 3 Set the IP subnet mask. For example:

rommon > IP_SUBNET_MASK=255.255.255.224
Step 4 Set the default gateway address. For example:

rommon > DEFAULT_GATEWAY=172.16.23.40
OL-5595-01
13
Step 5 Set the TFTP server IP address, which is the location from which the software will be downloaded:
rommon > TFTP_SERVER=172.16.23.33
Step 6 Set the name and directory location to which the image file will be downloaded onto the router. For
example:
rommon > TFTP_FILE=archive/rel22/c2600-i-mz
Step 7 (Optional) Set the input port to use a Gigabit Ethernet port, available on Cisco 2800 series and
Cisco 3800 series routers. Usage is GE_PORT=[0 | 1], selecting either gig 0/0 or gig 0/1. For example:
rommon > GE_PORT=0
Step 8 (Optional) Set the Ethernet connection media type, RJ-45 or SFP. Usage is MEDIA_TYPE=[0 | 1],
where RJ-45=0 and SFP=1 (SFP is applicable only if GE_PORT=0 in the previous step):
rommon > MEDIA_TYPE=1
Step 9 (Optional) Decide whether the router will perform a checksum test on the downloaded image. Usage is
TFTP_CHECKSUM=[0|1], where 1=checksum test is performed (default) and 0=no checksum test. For
example:
rommon > TFTP_CHECKSUM=0
Step 10 (Optional) Set the number of times that the router will attempt Address Resolution Protocol (ARP) and
TFTP download. The default is 7 attempts. For example:
rommon > TFTP_RETRY_COUNT=10
Step 11 (Optional) Set the amount of time, in seconds, before the download process times out. The default is
2400 seconds (40 minutes). The following example shows 1800 seconds (30 minutes):
TFTP_TIMEOUT=1800
Step 12 (Optional) Configure how the router will display the file download progress. Usage is
TFTP_VERBOSE=[0 | 1 | 2], where:
0=No progress is displayed.
1=Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
2=Detailed progress is displayed during the file download process, for example:
Initializing interface.
Interface link state up.
ARPing for 1.4.0.1
ARP reply for 1.4.0.1 received.
MAC address 00:00:0c:07:ac:01
Step 13 Use the set command to display the ROM monitor environment variables to verify that you have
configured them correctly. For example:
rommon > set
Step 14 Download the system image, as specified by the ROM monitor environmental variables, using the
tftpdnld [-r] command. Without the -r option, the command downloads the specified image and saves
it in flash memory, deleting all existing data in all partitions in flash memory. Using the -r option
downloads and boots the new software but does not save the software to flash memory.
rommon> tftpdnld [-r]
OL-5595-01
14
A prompt is displayed:
Entering “y” confirms that you want to continue with the TFTP download.
What to Do Next
Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory
Because the system image is stored on an external CompactFlash memory card, you can use a PC with
a compact flash card reader to format the card and copy a new system image file onto the card. However,
this upgrade method is not commonly used.
For more information about using flash memory cards, see Using CompactFlash Memory Cards.
Prerequisites
• Download the new Cisco IOS Software image to the PC. See the “Where Do I Download the System
Image?” section on page 2.
• Locate the compact flash memory card slot on the router chassis. For help with locating the slot and
instructions for removing and inserting the card, see the hardware installation guide for your router.
Caution Removing the compact flash memory card may disrupt the network because some software features use
the compact flash memory card to store tables and other important data.
SUMMARY STEPS
1. Remove the compact flash memory card from the router.

2. Insert the card into the compact flash card reader on a PC.
3. Use the PC to copy the system image file to the compact flash memory card.
4. Remove the card from the compact flash card reader.
5. Insert the compact flash memory card into the router.
DETAILED STEPS
Step 1 Remove the compact flash memory card from the router.
Step 2 Insert the card into the compact flash card reader on a PC.
Step 3 Use the PC to copy the system image file to the compact flash memory card.
Step 4 Remove the card from the compact flash card reader.
Step 5 Insert the compact flash memory card into the router.
OL-5595-01
15
What to Do Next
Using Console Download (xmodem) in ROM Monitor to Copy the System Image into Flash Memory
Use console download, a ROM monitor function, when you do not have access to a TFTP server.
For detailed information about the console download function and the xmodem ROM monitor
command, see the Xmodem Console Download Procedure Using ROMmon tech note.
Prerequisites
• Download the new Cisco IOS software image to your PC. See the “Where Do I Download the
System Image?” section on page 2.
• Connect your PC to the router console port, and launch a terminal emulator program. For examples
of performing this task on similar routers, see the Xmodem Console Download Procedure Using
ROMmon tech note.
Restrictions
• If you use a PC to download a Cisco IOS image over the router console port at 115,200 bps, make
sure that the PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).
• If the PC serial port does not use a 16550 UART, we recommend using a speed of 38,400 bps or
lower when downloading a Cisco IOS image over the console port.
• The xmodem transfer works only on the console port.
• You can only use the xmodem command to download files to the router. You cannot use xmodem
to get files from the router.
• Because the ROM monitor console download uses the console to perform the data transfer, error
messages are displayed on the console only after the data transfer is terminated. If an error occurs
during console download, the download is terminated, and an error message is displayed. If you
changed the baud rate from the default rate, the error message is followed by a message that tells
you to restore the terminal to the baud rate specified in the configuration register.
SUMMARY STEPS
1. xmodem [-[c][y][r][x]] destination-file-name
OL-5595-01
16
DETAILED STEPS
Step 1 xmodem [-[c][y][r][x]] destination-file-name

Use this command to download the system image over the console port, using the ROM monitor. See
Table 1 for command syntax descriptions.
Table 1 xmodem Command Syntax Descriptions
Keyword or Argument Description

-c (Optional) Performs the download using 16-bit cyclic redundancy check
(CRC) error checking to validate packets. The default is 8-bit CRC.
-y (Optional) Performs the download using ymodem protocol. The default is
xmodem protocol. The protocols differ as follows:
• The xmodem protocol supports a 128-block transfer size, whereas the
ymodem protocol supports a 1024-block transfer size.
• The ymodem protocol uses 16-bit CRC error checking to validate each
packet. Depending on the device that the software is being
downloaded from, this function might not be supported by the
xmodem protocol.
-r (Optional) Image is loaded into DRAM for execution. The default is to
load the image into flash memory.
-x (Optional) Image is loaded into DRAM without being executed.
destination-file-name The name of the system image file or the system configuration file. For the
router to recognize it, the name of the configuration file must be
router_config.
What to Do Next
Loading the New System Image

This section describes how to load the new system image that you copied into flash memory. First,
determine whether you are in ROM monitor mode or in the Cisco IOS CLI. Then choose one of the
following methods of loading the new system image:
• Loading the New System Image from the Cisco IOS Software, page 17
• Loading the New System Image from ROM Monitor Mode, page 20
Loading the New System Image from the Cisco IOS Software
This section describes how to load the new system image from the Cisco IOS software.
OL-5595-01
17
SUMMARY STEPS
1. dir flash:
3. no boot system
4. (Optional) boot system flash: system-image-filename
5. (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
6. exit
7. show version
8. If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in
the configuration register is between 2 and F, proceed to Step 12.
10. config-register 0x2102
11. exit
12. copy run start
13. reload
14. When prompted to save the system configuration, enter no.
15. When prompted to confirm the reload, enter y.
16. show version
DETAILED STEPS
Step 1 dir flash:

Use this command to display a list of all files and directories in flash memory:
Router# dir flash:
3 -rw- 6458388 Mar 01 1993 00:00:58 c38xx-i-mz.tmp

1580 -rw- 6462268 Mar 06 1993 06:14:02 c38xx-i-mz.2800ata
Note Determine whether the new system image is the first file or the only file listed in the dir flash
command output ( is not required if it is the first file or only file listed).
Step 2 configure terminal

Use this command to enter global configuration mode:
Router(config)#
OL-5595-01
18
Step 3 no boot system

Use this command to delete all entries in the bootable image list, which specifies the order in which the
router attempts to load the system images at the next system reload or power cycle:
Router(config)# no boot system
Step 4 If the new system image is the first file or the only file displayed in the dir flash: command output, you
do not need to perform the following step.
boot system flash: system-image-filename
Use this command to load the new system image after the next system reload or power cycle. For
example:
Router(config)# boot system flash: c2600-i-mz.121-14.bin
Step 5 (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
Step 6 exit
Use this command to exit global configuration mode:
Router#
Step 7 show version

Use this command to display the configuration register setting:
Cisco Internetwork Operating System Software

.
.
.
Configuration register is 0x0
Router#
Step 8 If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in the
configuration register is between 2 and F, proceed to Step 12.
Router(config)#
Step 10 config-register 0x2102

Use this command to set the configuration register so that, after the next system reload or power cycle,
the router loads a system image from the boot system commands in the startup configuration file:
Step 11 exit
Router#
OL-5595-01
19
Step 12 copy run start

Use this command to copy the running configuration to the startup configuration:
Step 13 reload
Use this command to reload the operating system:
Router# reload
Step 14 When prompted to save the system configuration, enter no:

System configuration has been modified. Save? [yes/no]: no
Step 15 When prompted to confirm the reload, enter y:

Proceed with reload? [confirm] y
Step 16 show version

Use this command to verify that the router loaded the proper system image:
00:22:25: %SYS-5-CONFIG_I: Configured from console by console

Cisco Internetwork Operating System Software
.
.
.
System returned to ROM by reload
System image file is "flash:c2600-i-mz.121-14.bin"
What to Do Next
Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on
page 22.
Loading the New System Image from ROM Monitor Mode

This section describes how to load the new system image from ROM monitor mode.
SUMMARY STEPS
1. dir flash:[partition-number:]
2. confreg 0x2102
3. boot flash:[partition-number:]filename
4. After the system loads the new system image, press Return a few times to display the Cisco IOS
command-line interface (CLI) prompt.
5. enable
7. no boot system
8. boot system flash new-system-image-filename
OL-5595-01
20
9. (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
10. exit
11. copy run start
DETAILED STEPS
Step 1 dir flash:[partition-number:]

Use this command to list files in flash memory:
rommon > dir flash:
File size Checksum File name

2229799 bytes (0x220627) 0x469e C2600-j-m2.113-4T
Note whether the new system image is the first file or the only file listed in the dir flash command
output. ( is not required if the image is the first file or only file listed.)
Step 2 confreg 0x2102
Use this command to set the configuration register so that, after the next system reload or power cycle,
the router loads a system image from the boot system commands in the startup configuration file:
rommon > confreg 0x2102
Step 3 boot flash:[partition-number:]filename

Use this command to force the router to load the new system image:
rommon > boot flash:C2600-j-m2.113-4T
Step 4 After the system loads the new system image, press Return a few times to display the Cisco IOS CLI
prompt.
Step 5 enable
Use this command to enable privileged EXEC mode, and enter your password if prompted:
Router> enable
Router#

Router(config)#
Step 7 no boot system

Eliminate all entries in the bootable image list, which specifies the system image that the router loads at
startup:
Router(config)# no boot system
Step 8 If the new system image is the first file or only the file displayed in the dir flash: command output, this
step is not required.
boot system flash new-system-image-filename
OL-5595-01
21
Use this command to load the new system image after the next system reload or power cycle:
Router(config)# boot system flash c2600-i-mz.121-14.bin
Step 9 (Optional) Repeat to specify the order in which the router should attempt to load any backup system
images.
Step 10 exit
Router#
Step 11 copy run start

Use this command to copy the running configuration to the startup configuration:
What to Do Next
Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on
page 22.
Saving Backup Copies of Your New System Image and Configuration

To aid file recovery and to minimize downtime in the event of file corruption, we recommend that you
save backup copies of the startup configuration file and the Cisco IOS software system image file on a
server.
Tip Do not erase any existing backup copies of your configuration and system image that you saved before
upgrading your system image. If you encounter serious problems using your new system image or
startup configuration, you can quickly revert to the previous working configuration and system image,
if necessary.
To save backup copies of the startup configuration file and the system image file, complete the following
steps.
SUMMARY STEPS
1. enable
3. dir flash:
OL-5595-01
22
DETAILED STEPS

Example:
Router> enable
• The configuration file copy serves as a backup copy.
Step 3 dir flash: Displays the layout and contents of a flash memory file
system.
Example: • Write down the name of the system image file.
Router# dir flash:
• Copy the system image file to a server to serve as a
Example: backup copy.
• Enter the flash memory partition number if prompted.
prompted.
Examples
Remote host[]? 172.16.101.101
Name of configuration file to write [rtr2-confg]? <cr>

Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>
![OK]

The following example uses the dir flash: privileged EXEC command to obtain the name of the system
image file and the copy flash: tftp: privileged EXEC command to copy the system image
(c2800-2is-mz) to a TFTP server. The router uses the default username and password.
Router# dir flash:

1 4137888 c2800-image-mz
OL-5595-01
23

filename to write on tftp host? c2800-image-mz
writing c2800-image-mz !!!!...
The following sections provide references related to upgrading the system image on your router.
Related Documents and Websites

Related Topic Document Title or Website
Matching Cisco IOS releases and features to hardware Cisco Feature Navigator at http://www.cisco.com/go/fn1
Choosing the Cisco IOS release and feature set How to Choose a Cisco IOS Software Release
Downloading system images Download Software Area at
http://www.cisco.com/kobayashi/sw-center/index.shtml1
Displaying minimum DRAM and flash memory
requirements
Choosing and downloading system images Software Center at
http://www.cisco.com/kobayashi/sw-center/index.shtml
Loading and maintaining system images Cisco IOS Configuration Fundamentals and Network Management
Configuration Guide
Using external compact flash memory cards Using Compact Flash Memory Cards
Removing, inserting, and upgrading compact flash hardware installation guide for your router
memory cards
Connecting your PC to the router console port quick start guide for your router
Upgrading the system image on similar routers Software Installation and Upgrade Procedure
Verifying that the router and the server are on the same Determining IP Addresses: Frequently Asked Questions
network
Troubleshooting while using TFTP or RCP to copy the Common Problems in Installing Images Using TFTP or an RCP
system image into flash memory Server
Using the ROM monitor Using the ROM Monitor
Using console download (xmodem) in the ROM Xmodem Console Download Procedure Using ROMmon
monitor to copy the system image into flash memory
Upgrading the system image from boot mode How to Upgrade from ROMmon Using the Boot Image
OL-5595-01
24
Description Link
even more content.1
OL-5595-01
25
OL-5595-01
26
Troubleshooting Links
• Password Recovery Procedures

• Troubleshooting Router Crashes
• Troubleshooting Router Hangs
• Troubleshooting Memory Problems
• Troubleshooting High CPU Utilization on Cisco Routers
• Technical Assistance Center (TAC) Website
You must have an account on Cisco.com to access the following tools. If you do not have an account or
have forgotten your username or password, click Cancel at the login dialog box, and follow the
instructions.
• TAC Case Collection
Troubleshooting Assistant
• Error Message Decoder
Research and resolve error messages
• Output Interpreter
Generate output analysis of show commands
• Bug Toolkit
Search for known caveats by software version, feature set, and keyword

Troubleshooting Links
2 OL-5999-01

2800 SW Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2800 SW Guide

Uploaded by

Copyright:

Available Formats

Preface

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Table 1 Command Conventions

You can access the Cisco website at this URL:

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your

Obtaining Additional Publications and Information

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Cisco 2800 Series Software Configuration Documentation

Performing Initial Configuration

For More Information About SDM and About Your Router

Obtaining the Latest Version of SDM

Press RETURN to get started.

Initial Configuration Using the Setup Command Facility

Would you like to enter the initial configuration dialog? [yes/no]:

Step 1 To proceed using the setup command facility, enter yes:

Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity

Would you like to enter basic management setup? [yes/no]: yes

Step 7 Respond to the following prompts as appropriate for your network:

A summary of the available interfaces is displayed.

Current interface summary

Controller Timeslots D-Channel Configurable modes Status

Interface IP-Address OK? Method Status Prol

Step 9 Respond to the following prompts as appropriate for your network:

Step 10 The configuration is displayed:

Enter your selection [2]: 2

Press RETURN to get started! RETURN

The user prompt is displayed.

Initial Configuration Using the Command-Line Interface

Would you like to enter the initial configuration dialog? [yes/no]:

Several messages appear, ending with a line similar to the following:

Step 3 Press Return to display the Router> prompt:

Step 4 Enter privileged EXEC mode:

Verifying the Initial Configuration

Using the Cisco IOS Startup Sequence

Step 5 Enter the erase startup-config command:

Step 6 Confirm the command by pressing Enter.

Step 8 Confirm the command by pressing Enter.

Enabling SDM on a Router Configured to Use the IOS Startup Sequence

Starting SDM on a Manually Configured Router

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Platforms Supported by This Document

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Information About the Setup Command Facility

Using the Setup Command Facility to Perform Basic

--- System Configuration Dialog ---

Step 2 To proceed using the setup command facility, enter yes.

Basic Software Configuration Using the Setup Command Facility

Basic management setup configures only enough connectivity

Would you like to enter basic management setup? [yes/no]: yes

Step 8 Respond to the following prompts as appropriate for your network:

A summary of the available interfaces is displayed.

Current interface summary

Controller Timeslots D-Channel Configurable modes Status

Interface IP-Address OK? Method Status Prol

Basic Software Configuration Using the Setup Command Facility

Step 10 Respond to the following prompts as appropriate for your network:

Enter your selection [2]: 2