Cisco Router 850 Series Software Configuration Guide

12-3 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL-5332-01
Chapter 12 Configuring Security Features

Access Groups

A sequence of access list definitions bound together with a common name or number is called an access group. An access group is enabled for an interface during interface configuration with the following command:

    ip access-group {access-list-number | access-list-name} {in | out}

where in | out refers to the direction of travel of the packets being filtered.

Guidelines for Creating Access Groups

Use the following guidelines when creating access groups.

- The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list, and so on.
- All parameters must match the access list before the packet is permitted or denied.
- There is an implicit “deny all” at the end of all sequences.

For more complete information on creating access lists, see the “Access Control Lists: Overview and Guidelines” section of the Cisco IOS Release 12.3 Security Configuration Guide.

Configuring a CBAC Firewall

Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored. This is superior to static access lists, because access lists can only permit or deny traffic based on individual packets, not streams of packets. Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, something static access lists cannot do.
To configure a CBAC firewall, specify which protocols to examine by using the following command in interface configuration mode:

    ip inspect name inspection-name protocol timeout seconds

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.

Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name {in | out} command when you configure an interface at the firewall.

See Chapter 8, “Configuring a Simple Firewall,” for a sample configuration. For additional information about configuring a CBAC firewall, see the “Configuring Context-Based Access Control” section of the Cisco IOS Release 12.3 Security Configuration Guide.
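The two behaviours described above, first-match access-list evaluation with an implicit "deny all" and CBAC-style dynamic entries that admit return traffic for an inspected protocol until its timeout expires, are shown in the following Python simulation. It is an added example, not code from the Cisco guide or from Cisco IOS: the Packet and Rule fields, the Inspector class, the timeouts and all addresses are constructed here for illustration.

```python
# Added example (not from the Cisco guide): a small simulation of ordered
# access-list evaluation with an implicit "deny all", and of CBAC-style
# dynamic entries that admit return traffic for an inspected protocol until
# the protocol's timeout expires. Packet/Rule fields, the Inspector class and
# all addresses are constructed for illustration; they are not IOS structures.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # "ip" matches any protocol
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every parameter given in the rule must match the packet.
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate_acl(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; nothing matched means implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def acl_order_demo() -> Tuple[str, str]:
    """Same two rules in two orders: the first match wins, so order matters."""
    telnet = Packet("tcp", "198.51.100.9", "192.168.1.20", 4000, 23)
    broad_first = [Rule("permit", "tcp"), Rule("deny", "tcp", dport=23)]
    specific_first = [Rule("deny", "tcp", dport=23), Rule("permit", "tcp")]
    return evaluate_acl(broad_first, telnet), evaluate_acl(specific_first, telnet)


class Inspector:
    """CBAC-like stateful inspection for a set of protocols with timeouts."""

    def __init__(self, inspect: Dict[str, int]):
        self.inspect = inspect                  # protocol -> timeout (seconds)
        self.sessions: Dict[tuple, int] = {}    # expected return flow -> expiry time

    def outbound(self, pkt: Packet, now: int) -> None:
        # An inspected protocol leaving the network creates a dynamic entry
        # keyed on the reversed 5-tuple of the expected return traffic.
        if pkt.proto in self.inspect:
            key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
            self.sessions[key] = now + self.inspect[pkt.proto]

    def inbound(self, pkt: Packet, acl: List[Rule], now: int) -> Tuple[str, str]:
        # Idle entries are removed once their timeout is reached.
        self.sessions = {k: t for k, t in self.sessions.items() if now < t}
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.sessions:
            # Return traffic refreshes the entry's idle timer.
            self.sessions[key] = now + self.inspect[pkt.proto]
            return "permit", "dynamic"
        # Otherwise only the static inbound access list can admit the packet.
        return evaluate_acl(acl, pkt), "acl"


def cbac_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed traffic against an inbound ACL plus tcp/udp inspection."""
    outside_in = [
        Rule("permit", "tcp", dst="203.0.113.10", dport=25),  # SMTP to a mail host
        Rule("deny"),                                         # explicit deny any
    ]
    fw = Inspector({"tcp": 3600, "udp": 15})
    results: Dict[str, Tuple[str, str]] = {}
    # Inside host opens an HTTP connection; the reply must be let back in.
    fw.outbound(Packet("tcp", "192.168.1.20", "198.51.100.5", 40001, 80), now=0)
    reply = Packet("tcp", "198.51.100.5", "192.168.1.20", 80, 40001)
    results["http_reply"] = fw.inbound(reply, outside_in, now=10)
    # Same server, different client port: no session, so the ACL denies it.
    probe = Packet("tcp", "198.51.100.5", "192.168.1.20", 80, 40002)
    results["unsolicited"] = fw.inbound(probe, outside_in, now=11)
    # A static permit still works without any session state.
    smtp = Packet("tcp", "198.51.100.7", "203.0.113.10", 5555, 25)
    results["smtp"] = fw.inbound(smtp, outside_in, now=12)
    # A DNS answer arriving after the 15 s UDP timeout finds no entry and is denied.
    fw.outbound(Packet("udp", "192.168.1.20", "198.51.100.53", 50000, 53), now=100)
    late = Packet("udp", "198.51.100.53", "192.168.1.20", 53, 50000)
    results["dns_late_reply"] = fw.inbound(late, outside_in, now=120)
    return results


if __name__ == "__main__":
    print(acl_order_demo())
    for name, verdict in cbac_scenario().items():
        print(f"{name}: {verdict}")
```

The dns_late_reply case is the situation the text warns about: once the timeout has removed the dynamic entry, a legitimate but late reply falls through to the static access list and is denied, which is why inspection timeouts have to be chosen per protocol rather than set uniformly low.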

Configuring Cisco IOS Firewall IDS

Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS Firewall IDS identifies 59 of the most common attacks using “signatures” to detect patterns of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised, logs the event, and, depending on configuration, sends an alarm, drops suspicious packets, or resets the TCP connection.

For additional information about configuring Cisco IOS Firewall IDS, see the “Configuring Cisco IOS Firewall Intrusion Detection System” section of the Cisco IOS Release 12.3 Security Configuration Guide.

Configuring VPNs

A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 850 and Cisco 870 series access routers support site-to-site VPNs using IP security (IPSec) tunnels and generic routing encapsulation (GRE). Permanent VPN connections between two peers, or dynamic VPNs using EZVPN or DMVPN which create and tear down VPN connections as needed, can be configured.

Chapter 6, “Configuring a VPN Using Easy VPN and an IPSec Tunnel,” and Chapter 7, “Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation,” show examples of how to configure your router with these features. For more information about IPSec and GRE configuration, see the “Configuring IPSec Network Security” chapter of the Cisco IOS Release 12.3 Security Configuration Guide.
For information about additional VPN configurations supported by Cisco 850 and Cisco 870 series access routers, see the following feature documents:

- EZVPN Server—Cisco 850 and Cisco 870 series routers can be configured to act as EZVPN servers, letting authorized EZVPN clients establish dynamic VPN tunnels to the connected network.
- Dynamic Multipoint VPN (DMVPN)—The DMVPN feature creates VPN tunnels between multiple routers in a multipoint configuration as needed, simplifying the configuration and eliminating the need for permanent, point-to-point VPN tunnels.

Chapter 13 Configuring Dial Backup and Remote Management

The Cisco 800 series access routers support dial-in (for remote management) and dial-out (for dial backup) capabilities. By allowing you to configure a backup modem line connection, the Cisco 800 series access routers provide protection against WAN downtime. Dial backup is inactive by default, and must be configured to be active.

Dial backup functions can be configured as follows:
- Through the auxiliary port on any Cisco 870 series router
- Through the ISDN S/T port on a Cisco 876 with an advanced enterprise (c870-adventerprisek9-mz) image

Remote management functions can be configured as follows:
- Through the auxiliary port on any Cisco 850 or Cisco 870 series router
- Through the ISDN S/T port on the Cisco 876 and Cisco 878 routers

Note: The console port and the auxiliary port in the Cisco IOS software configuration are on the same physical RJ-45 port; therefore, both ports cannot be activated simultaneously, and the command-line interface (CLI) must be used to enable the desired function.

This chapter contains the following topics:
- Dial Backup Feature Activation Methods
- Dial Backup Feature Limitations
- Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
- Configuring Dial Backup and Remote Management Through the ISDN S/T Port

Dial Backup Feature Activation Methods

Three methods are available to activate the dial backup feature:
- Backup Interfaces
- Floating Static Routes
- Dialer Watch

Backup Interfaces

When the router receives an indication that the primary line is down, a backup interface is brought up. You can configure the backup interface to go down once the primary connection has been restored for a specified period. This is accomplished using dial-on-demand routing (DDR). When this is configured, a backup call is triggered by specified traffic.

Note: Even if the backup interface comes out of standby mode (is brought up), the router does not trigger the backup call unless it receives the specified traffic for that backup interface.

Configuring Backup Interfaces

Perform these steps to configure your router with a backup interface, beginning in global configuration mode:

Step 1: interface type number
  Example:
    Router(config)# interface atm 0
    Router(config-if)#
  Purpose: Enters interface configuration mode for the interface for which you want to configure backup. This can be a serial interface, ISDN interface, or asynchronous interface. The example shows the configuration of a backup interface for an ATM WAN connection.

Step 2: backup interface interface-type interface-number
  Example:
    Router(config-if)# backup interface bri 0
    Router(config-if)#
  Purpose: Assigns an interface as the secondary, or backup interface. This can be a serial interface or asynchronous interface. For example, a serial 1 interface could be configured to back up a serial 0 interface. The example shows a Basic Rate Interface configured as the backup interface for the ATM 0 interface.

Step 3: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Enters global configuration mode.

Floating Static Routes

Floating static routes provide alternative routes for traffic. Floating static routes are not activated unless a DDR backup call has been triggered by specified traffic for a backup interface.
Floating static routes are independent of line protocol status. This is an important consideration for Frame Relay circuits because the line protocol may not go down if the data-link connection identifier (DLCI) is inactive. Floating static routes are also encapsulation independent.

Note: When static routes are configured, the primary interface protocol must go down in order to activate the floating static route.

Configuring Floating Static Routes

Static and dynamic routes are the two components of floating static routes. Perform these steps to configure the static and dynamic routes on your router, beginning in global configuration mode:

Step 1: ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
  Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 22.0.0.2
    Router(config)#
  Purpose: Assigns the primary static route.

Step 2: ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
  Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
    Router(config)#
  Purpose: Assigns the lower routing administrative distance value for the backup interface route. 192.168.2.2 is the peer IP address of the backup interface.

Step 3: router rip
  Example:
    Router(config)# router rip
    Router(config)#
  Purpose: Enables RIP routing.

Step 4: network ip-address
  Example:
    Router(config)# network 22.0.0.0
    Router(config)#
  Purpose: Defines the primary interface network. 22.0.0.0 is the network value of the primary interface.

Step 5: ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
  Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
    Router(config)#
  Purpose: Assigns the lower routing administrative distance value for the backup interface route. 192.168.2.2 is the peer IP address of the backup interface.
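The following Python model shows why the backup default route in the steps above is entered with an administrative distance of 150: both default routes stay in the configuration, but only the one with the lowest distance whose egress interface is up is installed, so the backup route floats in when the primary interface goes down and drops out again when it returns. This is an added example, not code from the Cisco guide or from Cisco IOS; the Rib class, the interface names Dialer2 and Dialer0, and the host route to the PPPoE peer are constructed for illustration. The watched_route_missing() check goes beyond the floating static route steps and mirrors the condition that the dialer watch method (next subsection) tests: the watched host route leaving the table.

```python
# Added example (not from the Cisco guide): a routing-table model showing how
# a floating static route with administrative distance 150 is installed only
# when the distance-1 primary route is withdrawn. Rib, the interface names and
# the peer host route are constructed for illustration; watched_route_missing()
# mirrors the dialer watch check and is a generalization beyond the steps above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "0.0.0.0/0"
    next_hop: str
    interface: str     # interface through which the next hop is reached (assumed known)
    distance: int = 1  # administrative distance; 1 is the IOS default for a static route


class Rib:
    """Candidate routes plus interface state; installed() applies the selection rule."""

    def __init__(self) -> None:
        self.candidates: List[Route] = []
        self.iface_up: Dict[str, bool] = {}

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def set_interface(self, name: str, up: bool) -> None:
        self.iface_up[name] = up

    def installed(self) -> Dict[str, Route]:
        """For each prefix keep the lowest-distance route whose interface is up."""
        best: Dict[str, Route] = {}
        for r in self.candidates:
            if not self.iface_up.get(r.interface, False):
                continue  # a static route tied to a down interface is withdrawn
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r
        return best

    def lookup(self, dest: str) -> Optional[Route]:
        """Longest-prefix match over the installed routes."""
        addr = ip_address(dest)
        hits = [r for p, r in self.installed().items() if addr in ip_network(p)]
        return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)


def watched_route_missing(rib: Rib, watched_prefix: str) -> bool:
    """Dialer-watch style test: True once the watched route has left the table."""
    return watched_prefix not in rib.installed()


def failover_scenario() -> Dict[str, object]:
    """Primary up, primary down, primary restored: which next hop is used each time."""
    rib = Rib()
    # Host route to the PPPoE peer, present only while Dialer2 is up (constructed).
    rib.add(Route("22.0.0.2/32", "0.0.0.0", "Dialer2", distance=0))
    # Primary default route from the steps above (distance defaults to 1).
    rib.add(Route("0.0.0.0/0", "22.0.0.2", "Dialer2"))
    # Floating static default route via the ISDN backup peer, distance 150.
    rib.add(Route("0.0.0.0/0", "192.168.2.2", "Dialer0", distance=150))
    rib.set_interface("Dialer2", True)
    rib.set_interface("Dialer0", True)  # dialer interfaces report up (spoofing) while idle

    steps: Dict[str, object] = {}
    steps["normal"] = rib.lookup("198.51.100.5").next_hop
    steps["watch_normal"] = watched_route_missing(rib, "22.0.0.2/32")
    rib.set_interface("Dialer2", False)  # primary line protocol goes down
    steps["primary_down"] = rib.lookup("198.51.100.5").next_hop
    steps["watch_down"] = watched_route_missing(rib, "22.0.0.2/32")
    rib.set_interface("Dialer2", True)   # primary restored
    steps["restored"] = rib.lookup("198.51.100.5").next_hop
    return steps


if __name__ == "__main__":
    for name, value in failover_scenario().items():
        print(f"{name}: {value}")
```

The model also reflects the Note above: the backup route is selected only after the primary interface's line protocol goes down and its route is withdrawn; a primary whose interface stays up while the ISP side is dead (the Cisco 871 case in the limitations) never triggers this switch, which is why that platform relies on dialer watch instead.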

Note: When dynamic routes are being used, the time it takes to activate a floating static route depends on the routing protocol convergence times.

Dialer Watch

The dialer watch method only supports the Extended Interior Gateway Routing Protocol (EIGRP) link-state dynamic routing protocols.

Configuring Dialer Watch

Perform these steps to configure a dialer watch on your router, beginning in global configuration mode:

Step 1: interface type number
  Example:
    Router(config)# interface dialer 2
    Router(config-if)#
  Purpose: Enters configuration mode for the dial backup interface.

Step 2: dialer watch-group group-number
  Example:
    Router(config-if)# dialer watch-group 2
    Router(config-if)#
  Purpose: Specifies the group number for the watch list.

Step 3: exit
  Example:
    Router(config-if)# exit
    Router(config)#
  Purpose: Enters global configuration mode.

Step 4: ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
  Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 22.0.0.2
    Router(config)#
  Purpose: Assigns the primary route. 22.0.0.2 is the peer IP address of the primary interface.

Step 5: ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
  Example:
    Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
    Router(config)#
  Purpose: Assigns the lower routing administrative distance value for the backup interface route. 192.168.2.2 is the peer IP address of the backup interface.

Step 6: dialer watch-list group-number {ip ip-address address-mask | delay route-check initial seconds}
  Example:
    Router(config)# dialer watch-list 2 ip 22.0.0.2 255.255.255.255
    Router(config)#
  Purpose: Assigns an IP address to the watch list. If the connection on the primary interface is lost and the IP address is unavailable on the router, the dial-out feature on the backup interface is triggered. 22.0.0.2 is the peer IP address of the primary interface.

Dial Backup Feature Limitations

The following limitations exist for the dial backup feature:
- Bridging is not supported over console or auxiliary port backup interfaces.
- For the Cisco 851 router, only dial-in capability is supported.
- Dial backup support on the Cisco 871 router is limited because the Ethernet WAN interface is always up, even when ISP connectivity is down on the other side of the modem connected to the Cisco 871 router. The router must be in a PPPoE environment with the dialer watch feature running. The IP addresses of the peer must be specified in the dialer watch and the static route commands to enable dial backup when the primary line goes down.

Table 13-1 summarizes dial backup support and limitations for the Cisco 800 series access routers.

Table 13-1 Dial Backup Feature Support and Limitations Summary

Cisco 851 or 871
  WAN encapsulation type: PPPoE
  Dial backup possible? Yes
  Dial backup method: Dialer watch
  Limitations: Bridging is not supported across a slow interface, for example, an auxiliary port. The peer IP address of the ISP is needed to configure the dialer watch command and the IP static route.

Cisco 851 or 871
  WAN encapsulation type: Normal IP in cable modem scenario
  Dial backup possible? No
  Dial backup method: Dialer watch
  Limitations: The IP addresses of the peers are needed for dialer watch to work properly. If a lease time obtained by DHCP is not set short enough (1 or 2 minutes), dial backup will not be supported.

Cisco 876, 877, or 878
  WAN encapsulation type: PPP over ATM; PPP over Ethernet
  Dial backup possible? Yes
  Dial backup method: Backup interfaces; Floating static routes; Dialer watch
  Limitations: Floating static route and dialer watch need a routing protocol to run in the router. The dialer watch method brings up the backup interface as soon as the primary link goes down. The backup interface is brought down as soon as the dialer timeout is reached and the primary interface is up. The router checks the primary interface only when the dialer timeout expires. The backup interface remains up until the dialer timeout is reached, even though the primary interface is up. For the dialer watch method, a routing protocol does not need to be running in the router, if the IP address of the peer is known.

Cisco 876, 877, or 878
  WAN encapsulation type: RFC 1483 (AAL5, SNAP, and MUX)
  Dial backup possible? Yes
  Dial backup method: Backup interfaces; Floating static routes; Dialer watch
  Limitations: If bridging is done through the WAN interface, it is not supported across the auxiliary port.

Configuration Example

The following three examples show sample configurations for the three dial backup methods.

Example 13-1 Configuring Dial Backup Using Backup Interfaces

!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
!
! Specifies the ISDN switch type
isdn switch-type basic-net3
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 hold-queue 100 out
!
! ISDN interface to be used as a backup interface
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface ATM0
 backup interface BRI0
 no ip address
 no atm ilmi-keepalive
 pvc 1/40
  encapsulation aal5snap
  pppoe-client dial-pool-number 2

 dsl operating-mode auto
!
! Dial backup interface, associated with physical BRI0 interface.
! Dialer pool 1 associates it with BRI0’s dialer pool member 1.
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 30
 dialer string 384040
 dialer-group 1
!
! Primary interface associated with physical ATM0’s interface.
! Dialer pool 2 associates it with ATM0’s dial-pool-number 2.
interface Dialer2
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
!
ip classless
! Primary and backup interface are given route metric
ip route 0.0.0.0 0.0.0.0 22.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.2.2 80
ip http server
!
! Specifies interesting traffic to trigger backup ISDN traffic.
dialer-list 1 protocol ip permit

Example 13-2 Configuring Dial Backup Using Floating Static Routes

!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
!
! Specifies the ISDN switch type.
isdn switch-type basic-net3
!
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
 hold-queue 100 out
!
! ISDN interface to be used as a backup interface.
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 1/40
  encapsulation aal5snap
  pppoe-client dial-pool-number 2

 dsl operating-mode auto
!
! Dial backup interface, associated with physical BRI0 interface.
! Dialer pool 1 associates it with BRI0’s dialer pool member 1
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 30
 dialer string 384040
 dialer-group 1
!
! Primary interface associated with physical ATM0’s interface.
! Dialer pool 2 associates it with ATM0’s dial-pool-number 2.
interface Dialer2
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
!
ip classless
! Primary and backup interface are given route metric. (This example uses static routes,
! thus atm0 line protocol must be brought down for backup interface to function.)
ip route 0.0.0.0 0.0.0.0 22.0.0.2
ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
ip http server
!
! Specifies interesting traffic to trigger backup ISDN traffic.
dialer-list 1 protocol ip permit

Example 13-3 Configuring Dial Backup Using Dialer Watch

!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
!
! Specifies the ISDN switch type.
isdn switch-type basic-net3
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 hold-queue 100 out
!
! ISDN interface to be used as a backup interface.
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 1/40
  encapsulation aal5snap
  pppoe-client dial-pool-number 2