Cisco Router 860, 880 Series User Manual
6-17 Book Title OL-xxxxx-xx Chapter 6 Configuring Security Features Configuring VPN

Command or Action / Purpose

Step 4  tunnel destination default-gateway-ip-address
        Example: Router(config-if)# tunnel destination 192.168.101.1
        Specifies the destination endpoint of the router for the GRE tunnel.

Step 5  crypto map map-name
        Example: Router(config-if)# crypto map static-map
        Assigns a crypto map to the tunnel.
        Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration Guide for details.

Step 6  exit
        Example: Router(config-if)# exit
        Exits interface configuration mode and returns to global configuration mode.

Step 7  ip access-list {standard | extended} access-list-name
        Example: Router(config)# ip access-list extended vpnstatic1
        Enters ACL configuration mode for the named ACL that is used by the crypto map.

Step 8  permit protocol source source-wildcard destination destination-wildcard
        Example: Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
        Specifies that only GRE traffic is permitted on the outbound interface.

Step 9  exit
        Example: Router(config-acl)# exit
        Returns to global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using the GRE tunnel scenario described in the preceding sections.

!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username cisco password 0 cisco
!
interface tunnel 1
 ip address 10.62.1.193 255.255.255.252
 tunnel source fastethernet 0
 tunnel destination 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for the IPsec tunnel.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
! Defines the encryption and transform set for the IPsec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and the peering address for the IPsec tunnel.
crypto map to_corporate 1 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set set1
 match address 105
!
! VLAN 1 is the internal home network.
interface vlan 1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ! Inspection examines outbound traffic.
 ip inspect firewall in
 crypto map static-map
 no cdp enable
!
! FE4 is the outside or Internet-exposed interface.
interface fastethernet 4
 ip address 210.110.101.21 255.255.255.0
 ! acl 103 permits IPsec traffic from the corp. router as well as
 ! denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
 ! Applies the IPsec tunnel to the outside interface.
 crypto map to_corporate
!
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allows ICMP for debugging, but should be disabled because of security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound.
access-list 103 deny ip any any
! acl 105 matches addresses for the IPsec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
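The access lists in the configuration example above decide what the outside interface accepts and what the crypto map and NAT overload match, so it is worth checking their effect before the configuration is pushed. The following evaluator is an added example, not code from the Cisco manual: it parses the numbered access-list lines copied from the page, applies IOS first-match and implicit-deny semantics to constructed sample packets, and lists "permit any any" entries for review (the page's own comment says the ICMP line should be disabled). The outside interface address and peer address come from the page; the other hosts and ports in the samples are constructed test values.

```python
"""Added example (not from the Cisco manual): evaluate the page's numbered
IOS access lists against sample packets with first-match / implicit-deny
semantics and flag overly broad permit entries."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the page's configuration example (acl 102, 103 and 105).
CONFIG = """
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""

PORT_NAMES = {"isakmp": 500}  # IOS port keyword used on the page


@dataclass
class Packet:
    proto: str  # "udp", "tcp", "esp", "icmp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[tuple]  # (network, wildcard); None means "any"
    sport: Optional[int]
    dst: Optional[tuple]
    dport: Optional[int]


def _addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _port(tokens, i):
    """Consume an optional 'eq <port>' qualifier."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acls(text):
    """Group 'access-list <n> ...' lines by list number, preserving order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(number, []).append(Entry(action, proto, src, sport, dst, dport))
    return acls


def _matches(spec, address):
    """IOS wildcard mask: set bits are don't-care, so compare only the other bits."""
    if spec is None:
        return True
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(address)) & care == net & care


def evaluate(entries, pkt):
    """The first matching entry decides; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _matches(e.src, pkt.src) or not _matches(e.dst, pkt.dst):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def broad_permits(entries):
    """Permit entries with 'any' source and 'any' destination: review these."""
    return [e for e in entries if e.action == "permit" and e.src is None and e.dst is None]


ACLS = parse_acls(CONFIG)

# Constructed sample traffic arriving inbound on FastEthernet 4 (acl 103).
INBOUND = {
    "isakmp from peer": Packet("udp", "200.1.1.1", "210.110.101.21", 500, 500),
    "esp from peer": Packet("esp", "200.1.1.1", "210.110.101.21"),
    "esp from stranger": Packet("esp", "203.0.113.9", "210.110.101.21"),
    "icmp from stranger": Packet("icmp", "203.0.113.9", "210.110.101.21"),
    "http from stranger": Packet("tcp", "203.0.113.9", "210.110.101.21", 40000, 80),
}


def inbound_report():
    """Decision for each sample packet under acl 103."""
    return {name: evaluate(ACLS["103"], p) for name, p in INBOUND.items()}


if __name__ == "__main__":
    for name, verdict in inbound_report().items():
        print(f"{verdict:6} {name}")
    for e in broad_permits(ACLS["103"]):
        print(f"review: acl 103 permits {e.proto} from any to any")
```

Running it shows the ISAKMP and ESP lines admit only the peer at 200.1.1.1, that the `permit icmp any any` line admits ICMP from any Internet host, and that everything else falls through to the explicit deny; the same `evaluate` call can be pointed at acl 105 to confirm which traffic the crypto map `match address 105` will protect.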
Chapter 7 Configuring the Ethernet Switches

This chapter gives an overview of configuration tasks for the 4-port Fast Ethernet (FE) switch, and for the Gigabit Ethernet (GE) switch that services the embedded wireless access point on the Cisco 860 and Cisco 880 series Integrated Services Routers (ISRs).

The FE switches are 10/100Base T Layer 2 Fast Ethernet switches. Traffic between different VLANs on a switch is routed through the router platform with the switched virtual interface (SVI). The GE switch is a 1000Base T Layer 2 Gigabit Ethernet switch, the internal interface between the router and its embedded wireless access point. Any switch port may be configured as a trunking port to connect to other Cisco Ethernet switches. An optional power module can be added to Cisco 880 series ISRs to provide inline power to two of the FE ports for IP telephones or external access points.

This chapter contains the following sections:
Switch Port Numbering and Naming, page 7-1
Restrictions for the FE Switch, page 7-1
Information About Ethernet Switches, page 7-2
How to Configure Ethernet Switches, page 7-4

Switch Port Numbering and Naming

The ports on the FE switch are numbered FE0 through FE3. The port on the GE switch is named and numbered Wlan-GigabitEthernet0.

Restrictions for the FE Switch

The following restrictions apply to the FE switch:
The ports of an FE switch must NOT be connected to any Fast Ethernet onboard port of the router.
On Cisco 880 series ISRs, inline power is supported only on FE switch ports FE0 and FE1. Inline power is not supported on Cisco 860 series ISRs.
VTP pruning is not supported.
The FE switch can support up to 200 secure MAC addresses.
Information About Ethernet Switches

To configure Ethernet switches, you should understand the following concepts:
VLANs and VLAN Trunk Protocol, page 7-2
Inline Power, page 7-2
Layer 2 Ethernet Switching, page 7-2
802.1x Authentication, page 7-3
Spanning Tree Protocol, page 7-3
Cisco Discovery Protocol, page 7-3
Switched Port Analyzer, page 7-3
IGMP Snooping, page 7-3
Storm Control, page 7-4
Fallback Bridging, page 7-4

VLANs and VLAN Trunk Protocol

For information on the concepts of VLANs and VLAN Trunk Protocol (VTP), see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1047027

Inline Power

Inline power is not supported on the Cisco 860 series ISRs. On the Cisco 880 series ISRs, inline power can be supplied to Cisco IP phones or external access points on FE switch ports FE0 and FE1. A detection mechanism on the FE switch determines whether it is connected to a Cisco device. If the switch senses that there is no power on the circuit, the switch supplies the power. If there is power on the circuit, the switch does not supply it. You can configure the switch to never supply power to the Cisco device and to disable the detection mechanism. The FE switch also provides support for powered devices compliant with IEEE 802.3af.

Layer 2 Ethernet Switching

For information on the concept of Layer 2 Ethernet Switching, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1048478
802.1x Authentication

For information on the concept of 802.1x Authentication, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1051006

Spanning Tree Protocol

For information on the concept of Spanning Tree Protocol, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1048458

Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) runs over Layer 2 (the data link layer) on all Cisco routers, bridges, access servers, and switches. CDP allows network management applications to discover Cisco devices that are neighbors of already known devices, in particular, neighbors running lower-layer, transparent protocols. With CDP, network management applications can learn the device type and the SNMP agent address of neighboring devices. This feature enables applications to send SNMP queries to neighboring devices.

CDP runs on all LAN and WAN media that support Subnetwork Access Protocol (SNAP). Each CDP-configured device sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain the time-to-live, or hold-time, information, which indicates the length of time a receiving device should hold CDP information before discarding it.

Switched Port Analyzer

For information on the concept of Switched Port Analyzer, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1053663

IGMP Snooping

For information on the concept of IGMP Snooping, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1053727

IGMP Version 3

The Cisco 880 series ISRs support Version 3 of IGMP snooping. IGMPv3 provides support for source filtering, which enables a multicast receiver host to signal to a router which groups the receiver host wants to receive multicast traffic from, and from which sources this traffic is expected. Enabling the IGMPv3 feature with IGMP snooping on Cisco ISRs provides Basic IGMPv3 Snooping Support (BISS). BISS provides constrained flooding of multicast traffic in the presence of IGMPv3 hosts. This support constrains traffic to approximately the same set of ports as IGMPv2 snooping does with IGMPv2 hosts. The constrained flooding only considers the destination multicast address.
Storm Control

For information on the concept of storm control, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1051018

Fallback Bridging

For information on the concept of fallback bridging, see the information at this URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt1636nm.html#wp1054833

How to Configure Ethernet Switches

See the following sections for configuration tasks for Ethernet switches.
Configuring VLANs, page 7-4
Configuring Layer 2 Interfaces, page 7-6
Configuring 802.1x Authentication, page 7-6
Configuring Spanning Tree Protocol, page 7-6
Configuring MAC Table Manipulation, page 7-7
Configuring Cisco Discovery Protocol, page 7-7
Configuring the Switched Port Analyzer, page 7-7
Configuring Power Management on the Interface, page 7-8
Configuring IP Multicast Layer 3 Switching, page 7-8
Configuring IGMP Snooping, page 7-8
Configuring Per-Port Storm Control, page 7-9
Configuring Fallback Bridging, page 7-9
Configuring Separate Voice and Data Subnets, page 7-9
Managing the Switch, page 7-10

Configuring VLANs

This section provides information on how to configure VLANs. The Cisco 860 series ISRs support 2 VLANs, and the Cisco 880 series ISRs support 8 VLANs.
VLANs on the FE Ports, page 7-4
VLANs on the GE Port, page 7-5

VLANs on the FE Ports

Perform these steps to configure VLANs, beginning in configuration mode.

Command / Purpose

Step 1  interface fe port
        Selects the Fast Ethernet port to configure.

Step 2  shutdown
        (Optional) Shuts down the interface to prevent traffic flow until configuration is complete.

Step 3  switchport
        Configures the Fast Ethernet port for Layer 2 switching.
        Note: You must enter the switchport command once without any keywords to configure the Fast Ethernet port as a Layer 2 port before you can enter additional switchport commands with keywords. This command creates a Cisco default VLAN. This configuration sets the default trunking administrative mode to switchport mode dynamic desirable and the trunk encapsulation to negotiate. By default, all VLANs created are included in the default trunk.

Step 4  switchport access vlan vlan_id
        Creates instances of additional VLANs. Allowable values of vlan_id are 2 to 4094, except for the reserved values 1002 to 1005.

Step 5  no shutdown
        Activates the interface.

Step 6  end
        Exits configuration mode.

For additional information, see the information at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/layer2.html

VLANs on the GE Port

Because the GE port is an internal interface that services only the router's embedded access point, it cannot be configured with only the command switchport access vlan X, where X is other than 1. It may, however, be configured in trunk mode. This may be done by performing the following steps, beginning in configuration mode.

Command / Purpose

Step 1  interface Wlan-GigabitEthernet0
        Selects the Gigabit Ethernet port to configure.

Step 2  switchport mode trunk
        Places the port in trunk mode.

Step 3  switchport access vlan vlan_id
        (Optional) Once the port is in trunk mode, it may be assigned a VLAN number other than 1.
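The two step tables above carry several constraints that are easy to get wrong when a configuration is written by hand: the per-platform VLAN count, the allowed vlan_id range with its reserved block, and the requirement that the GE port be in trunk mode before it takes a VLAN other than 1. The planner below is an added example, not code from the Cisco manual: it validates a planned assignment against those restrictions and emits the CLI sequence from the tables. The "fastethernet N" interface spelling, the port names, and the assumption that the default VLAN 1 counts toward the platform limit are mine, not the manual's.

```python
"""Added example (not from the Cisco manual): check a VLAN plan against the
restrictions on this page and emit the CLI sequence from the step tables."""

PLATFORM_VLAN_LIMIT = {"860": 2, "880": 8}  # from "Configuring VLANs"
RESERVED_VLANS = range(1002, 1006)          # reserved values per the FE step table
# FE0-FE3; the "fastethernet N" spelling is an assumption, not from the table.
FE_PORTS = tuple(f"fastethernet {n}" for n in range(4))
GE_PORT = "Wlan-GigabitEthernet0"           # named on the page


def validate_vlan_id(vlan_id):
    """Allowed values are 2 to 4094, except the reserved 1002 to 1005."""
    if not 2 <= vlan_id <= 4094:
        raise ValueError(f"vlan {vlan_id}: allowed range is 2-4094")
    if vlan_id in RESERVED_VLANS:
        raise ValueError(f"vlan {vlan_id}: 1002-1005 are reserved")
    return vlan_id


def plan_vlans(platform, fe_access=None, ge_vlan=None):
    """Return the CLI lines for the assignment, or raise ValueError if it
    breaks a restriction stated on the page.

    fe_access: {FE port name: vlan id} for FE access ports
    ge_vlan:   VLAN for the internal GE port (trunk mode), or None to leave it
    """
    limit = PLATFORM_VLAN_LIMIT[platform]
    fe_access = dict(fe_access or {})
    vlans = {1}  # assumption: the default VLAN 1 always exists and counts
    for port, vid in fe_access.items():
        if port not in FE_PORTS:
            raise ValueError(f"{port}: not an FE switch port")
        vlans.add(validate_vlan_id(vid))
    if ge_vlan not in (None, 1):
        vlans.add(validate_vlan_id(ge_vlan))
    if len(vlans) > limit:
        raise ValueError(f"{len(vlans)} VLANs exceeds the {platform} limit of {limit}")

    lines = []
    for port, vid in fe_access.items():
        # FE step table: interface, shutdown, switchport, access vlan, no shutdown
        lines += [f"interface {port}", " shutdown", " switchport",
                  f" switchport access vlan {vid}", " no shutdown"]
    if ge_vlan is not None:
        # GE step table: trunk mode first, then optionally a VLAN other than 1
        lines += [f"interface {GE_PORT}", " switchport mode trunk"]
        if ge_vlan != 1:
            lines.append(f" switchport access vlan {ge_vlan}")
    lines.append("end")
    return lines


if __name__ == "__main__":
    # Constructed sample: an 880 with two access VLANs and the access point on VLAN 30.
    print("\n".join(plan_vlans("880", {"fastethernet 0": 10, "fastethernet 1": 20}, ge_vlan=30)))
```

The same plan applied to an 860 raises, because VLAN 1 plus two access VLANs exceeds the two VLANs that platform supports; a reserved or out-of-range vlan_id is rejected before any CLI is produced, and the GE port always receives switchport mode trunk before any VLAN assignment.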
Configuring Layer 2 Interfaces

For information on how to configure Layer 2 interfaces, see the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1047041

The URL contains information on the following topics:
Configuring a range of interfaces
Defining a range macro
Configuring Layer 2 optional interface features

Configuring 802.1x Authentication

For information on how to configure 802.1x port-based authentication, see the following URL:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_8021x.html

The URL contains information on the following topics:
Understanding the default 802.1x configuration
Enabling 802.1x Authentication
Configuring the switch-to-RADIUS-server communication
Enabling periodic reauthentication
Changing the quiet period
Changing the switch-to-client retransmission time
Setting the switch-to-client frame-retransmission number
Enabling multiple hosts
Resetting the 802.1x configuration to default values
Displaying 802.1x statistics and status

Configuring Spanning Tree Protocol

For information on how to configure Spanning Tree Protocol, see the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/esw_cfg.html#wp1047906

The URL contains information on the following topics:
Enabling spanning tree
Configuring spanning tree port priority
Configuring spanning tree port cost
Configuring the bridge priority of a VLAN
Configuring the Hello Time
Configuring the forward-delay time for a VLAN
Configuring the maximum aging time for a VLAN
Disabling spanning tree