Cisco Systems Router 1800 Series User Manual

    							
     
8-3
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-02
Chapter 8      Configuring a Simple Firewall

Configure Access Lists
Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Step 1  access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]]

        Example:
        Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
        Router(config)#

        Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. The protocol keyword is required (udp here, because isakmp is a UDP port name), and port operators apply only to TCP and UDP entries. Every IOS access list ends with an implicit deny, so anything no entry permits, such as an Internet-initiated connection, is dropped.
        See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard

        Example:
        Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
        Router(config)#

        Purpose: Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel. The wildcard masks (0.0.0.255 and 0.0.255.255) select the 10.1.1.0/24 home LAN and the whole 192.168.0.0/16 corporate range.
Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Step 1  ip inspect name inspection-name protocol

        Example:
        Router(config)# ip inspect name firewall tcp
        Router(config)# ip inspect name firewall udp
        Router(config)#

        Purpose: Defines an inspection rule for a particular protocol. The generic tcp and udp rules track sessions initiated from the inside so that only their return traffic is let back in through the outside interface.

Step 2  ip inspect name inspection-name protocol

        Example:
        Router(config)# ip inspect name firewall rtsp
        Router(config)# ip inspect name firewall h323
        Router(config)# ip inspect name firewall netshow
        Router(config)# ip inspect name firewall ftp
        Router(config)# ip inspect name firewall sqlnet
        Router(config)#

        Purpose: Repeat this command for each inspection rule that you wish to use. The application-specific rules (ftp, h323, rtsp, netshow, sqlnet) are needed for protocols that negotiate additional data channels, which generic TCP or UDP inspection cannot anticipate.
    						
    							
     
Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Step 1  interface type number
        Example:
        Router(config)# interface vlan 1
        Router(config-if)#
        Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2  ip inspect inspection-name {in | out}
        Example:
        Router(config-if)# ip inspect firewall in
        Router(config-if)#
        Purpose: Assigns the set of firewall inspection rules to the inside interface on the router. Applied inbound on the inside interface, the rules inspect the traffic that the home LAN originates.

Step 3  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.

Step 4  interface type number
        Example:
        Router(config)# interface fastethernet 0
        Router(config-if)#
        Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5  ip access-group {access-list-number | access-list-name} {in | out}
        Example:
        Router(config-if)# ip access-group 103 in
        Router(config-if)#
        Purpose: Assigns the defined ACLs to the outside interface on the router. Applied inbound, ACL 103 filters packets arriving from the Internet before they reach the router or the inside network.

Step 6  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.
    						
    							 
    Configuration Example
    A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the 
    home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, 
    UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, 
    no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home 
    LAN to the corporate network.
    Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. 
    Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is 
    specified for DNS.
    The following configuration example shows a portion of the configuration file for the simple firewall 
    scenario described in the preceding sections.
! Firewall inspection is set up for all tcp and udp traffic as well as specific application
! protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
! This is the internal home network.
interface vlan 1
 ! Inspection applied inbound here examines the outbound (LAN-originated) traffic.
 ip inspect firewall in
 no cdp enable
!
! FE0 is the outside or Internet-exposed interface.
interface fastethernet 0
 ! ACL 103 permits IPsec traffic from the corporate router and denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
!
! ACL 103 defines traffic allowed from the peer for the IPsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! ICMP is allowed here for debugging only; it should be disabled because of its security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound (this is also the implicit default at the end of any ACL).
access-list 103 deny ip any any
! ACL 105 matches addresses for the IPsec tunnel to/from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
!
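The interaction between ACL 103 on the outside interface and the inspection rules on the inside interface is easier to see when the two are run side by side. The following Python model is an added example, not Cisco code and not part of the original guide: it parses the access-list and ip inspect lines exactly as written above, applies IOS first-match semantics with the implicit deny, and records inside-initiated sessions so that only their replies get back in. NAT is left out of the model; the router's outside address (203.0.113.5), the web server (198.51.100.20) and the stranger (198.51.100.9) are constructed addresses, and the function and class names (parse_config, SimpleFirewall, demo) are the example's own.

```python
"""Model of the Chapter 8 design: ACL 103 inbound on the outside interface plus CBAC-style
inspection ('ip inspect firewall in') on the inside interface. Added example, not Cisco code;
NAT is left out and every host except the 200.1.1.1 peer is a constructed address."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "telnet": 23}  # subset of the IOS port names
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # proto "ip" = any
AclEntry = namedtuple("AclEntry", "action proto src sport dst dport")  # src/dst: IPv4Network, ports: int|None

def matches(e: AclEntry, p: Packet) -> bool:
    """One access-list entry against one packet; a port of None means 'no operator given'."""
    return (e.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in e.src and ipaddress.ip_address(p.dst) in e.dst
            and e.sport in (None, p.sport) and e.dport in (None, p.dport))

def parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)  # 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq <port>' operator, the only operator the chapter uses."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
        return port, tokens[2:]
    return None, tokens

def parse_config(text):
    """Return ({acl_number: [AclEntry, ...]}, {inspect_name: {protocols}}); '!' lines are comments."""
    acls, inspects = {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["ip", "inspect", "name"]:
            inspects.setdefault(t[3], set()).add(t[4])
        elif t[0] == "access-list":
            src, rest = parse_addr(t[4:])
            sport, rest = parse_port(rest)
            dst, rest = parse_addr(rest)
            dport, _ = parse_port(rest)
            acls.setdefault(t[1], []).append(AclEntry(t[2], t[3], src, sport, dst, dport))
    return acls, inspects

def acl_decision(entries, p: Packet) -> str:
    """First match wins; every IOS access list ends with an implicit 'deny ip any any'."""
    return next((e.action for e in entries if matches(e, p)), "deny")

class SimpleFirewall:
    def __init__(self, acl_entries, inspected_protocols):
        self.acl, self.inspected, self.sessions = acl_entries, inspected_protocols, set()

    def from_inside(self, p: Packet) -> str:
        if p.proto in self.inspected:  # remember the 5-tuple that replies to this session will carry
            self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "permit"

    def from_outside(self, p: Packet) -> str:
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.sessions:  # dynamic opening from inspection
            return "permit (inspected session)"
        return acl_decision(self.acl, p)  # anything the inside did not initiate must pass ACL 103

SAMPLE_CONFIG = """
ip inspect name firewall tcp
ip inspect name firewall udp
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""

def demo() -> dict:
    """Verdicts for constructed packets; wan is the router's outside address, peer the corporate router."""
    acls, inspects = parse_config(SAMPLE_CONFIG)
    fw = SimpleFirewall(acls["103"], inspects["firewall"])
    home, wan, peer, web, other = "10.1.1.5", "203.0.113.5", "200.1.1.1", "198.51.100.20", "198.51.100.9"
    out = {"ike from peer": fw.from_outside(Packet("udp", peer, wan, 500, 500)),
           "ike from stranger": fw.from_outside(Packet("udp", other, wan, 500, 500)),
           "esp from peer": fw.from_outside(Packet("esp", peer, wan)),
           "ping from anywhere": fw.from_outside(Packet("icmp", other, wan)),
           "ssh from outside": fw.from_outside(Packet("tcp", other, wan, 50000, 22))}
    fw.from_inside(Packet("tcp", home, web, 40000, 80))  # the telecommuter browses out
    out["http reply"] = fw.from_outside(Packet("tcp", web, home, 80, 40000))
    out["http unsolicited"] = fw.from_outside(Packet("tcp", web, home, 80, 40001))  # no matching session
    out["acl105 home to corp"] = acl_decision(acls["105"], Packet("ip", "10.1.1.7", "192.168.4.4"))
    out["acl105 other to corp"] = acl_decision(acls["105"], Packet("ip", "10.1.2.7", "192.168.4.4"))
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Two results are worth a second look. The "ping from anywhere" verdict is permit, which is exactly the exposure the comment on the icmp any any line warns about; removing that line makes the same packet fall through to the deny. And the only outside-initiated TCP that ever gets in is the reply to a session the inside opened first: the same server sending to a port the telecommuter never used is denied, which is what the inspection rules add over the static ACL.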
    						
    							 
Chapter 9      Configuring a Wireless LAN Connection
The Cisco 1800 series integrated services fixed-configuration routers support a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the Cisco routers act as access points, and are Wi-Fi certified, IEEE 802.11a/b/g-compliant wireless LAN transceivers.
You can configure and monitor the routers using the command-line interface (CLI), the browser-based management system, or Simple Network Management Protocol (SNMP). This chapter describes how to configure the router using the CLI. Use the interface dot11radio global configuration CLI command to place the device into radio configuration mode.
See the Cisco Access Router Wireless Configuration Guide for more detailed information about configuring these Cisco routers in a wireless LAN application.
Figure 9-1 shows a wireless network deployment.
Figure 9-1 Sample Wireless LAN
1  Wireless LAN (with multiple networked devices)
2  Cisco 1800 series integrated services router connected to the Internet
3  VLAN 1
4  VLAN 2
In the configuration example that follows, a remote user is accessing the Cisco 1800 series integrated services router using a wireless connection. Each remote user has his own VLAN.
    						
    							 
Configuration Tasks
Perform the following tasks to configure this network scenario:
  Configure the Root Radio Station
  Configure Bridging on VLANs
  Configure Radio Station Subinterfaces
An example showing the results of these configuration tasks is shown in the section "Configuration Example."
Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configuration tasks, see Chapter 1, "Basic Router Configuration," Chapter 3, "Configuring PPP over Ethernet with NAT," and Chapter 4, "Configuring PPP over ATM with NAT," as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.
Configure the Root Radio Station

Perform these steps to create and configure the root radio station for your wireless LAN, beginning in global configuration mode:

Step 1  interface name number
        Example:
        Router(config)# interface dot11radio 0
        Router(config-if)#
        Purpose: Enters interface configuration mode for the specified wireless interface.

Step 2  broadcast-key [[vlan vlan-id] change secs] [membership-termination] [capability-change]
        Example:
        Router(config-if)# broadcast-key vlan 1 change 45
        Router(config-if)#
        Purpose: Specifies the time interval (in seconds) between rotations of the broadcast encryption key used for clients. Rotating the group key limits how much traffic any one key protects; with membership-termination, the access point also distributes a fresh key whenever an authenticated client leaves.
        Note: Client devices using static Wired Equivalent Privacy (WEP) cannot use the access point when you enable broadcast key rotation; only wireless client devices using 802.1x authentication (such as Lightweight Extensible Authentication Protocol [LEAP], Extensible Authentication Protocol-Transport Layer Security [EAP-TLS], or Protected Extensible Authentication Protocol [PEAP]) can use the access point.
        Note: This command is not supported on bridges.
        See the Cisco IOS Commands for Access Points and Bridges document for more details.
    						
    							 
Step 3  encryption [vlan vlan-id] mode ciphers cipher-suite
        Example:
        Router(config-if)# encryption vlan 1 mode ciphers tkip
        Router(config-if)#
        Purpose: Specifies the cipher suite that protects traffic on the wireless interface, per VLAN when the vlan keyword is given. The example enables TKIP for VLAN 1. TKIP was designed as a WEP-compatible stopgap; where the radio and its IOS image support it, prefer the aes-ccm cipher suite.

Step 4  ssid name
        Example:
        Router(config-if)# ssid cisco
        Router(config-if-ssid)#
        Purpose: Creates a Service Set ID (SSID), the public name of a wireless network.
        Note: All of the wireless devices on a WLAN must employ the same SSID to communicate with each other.

Step 5  vlan number
        Example:
        Router(config-if-ssid)# vlan 1
        Router(config-if-ssid)#
        Purpose: Binds the SSID with a VLAN.

Step 6  authentication type
        Example:
        Router(config-if-ssid)# authentication open
        Router(config-if-ssid)# authentication network-eap eap_methods
        Router(config-if-ssid)# authentication key-management wpa
        Router(config-if-ssid)#
        Purpose: Sets the permitted authentication methods for a user attempting access to the wireless LAN. More than one method can be specified, as shown in the example. eap_methods is the name of an AAA authentication list, which must be defined separately. The authentication open entry on its own would let any station associate; it is the key-management wpa entry that ties access to a successful WPA key handshake.

Step 7  exit
        Example:
        Router(config-if-ssid)# exit
        Router(config-if)#
        Purpose: Exits SSID configuration mode, and enters interface configuration mode for the wireless interface.

Step 8  speed rate
        Example:
        Router(config-if)# speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
        Router(config-if)#
        Purpose: (Optional) Specifies the required and allowed rates, in Mbps, for traffic over the wireless connection. Rates prefixed basic- are mandatory for clients; the others are merely allowed.

Step 9  rts {retries number | threshold bytes}
        Example:
        Router(config-if)# rts threshold 2312
        Router(config-if)#
        Purpose: (Optional) Specifies the Request to Send (RTS) threshold or the number of times to send a request before determining the wireless LAN is unreachable.
    						
    							 
Step 10  power [client | local] [cck [number | maximum] | ofdm [number | maximum]]
         Example:
         Router(config-if)# power local cck 50
         Router(config-if)# power local ofdm 30
         Router(config-if)#
         Purpose: (Optional) Specifies the radio transmitter power level. See the Cisco Access Router Wireless Configuration Guide for available power level values.

Step 11  channel [number | least-congested]
         Example:
         Router(config-if)# channel 2462
         Router(config-if)#
         Purpose: (Optional) Specifies the channel on which communication occurs. See the Cisco Access Router Wireless Configuration Guide for available channel numbers.

Step 12  station-role [repeater | root]
         Example:
         Router(config-if)# station-role root
         Router(config-if)#
         Purpose: (Optional) Specifies the role of this wireless interface. You must specify at least one root interface.

Step 13  exit
         Example:
         Router(config-if)# exit
         Router(config)#
         Purpose: Exits interface configuration mode, and enters global configuration mode.

Configure Bridging on VLANs

Perform these steps to configure integrated routing and bridging on VLANs, beginning in global configuration mode:

Step 1  bridge [number | crb | irb | mac-address-table]
        Example:
        Router(config)# bridge irb
        Router(config)#
        Purpose: Specifies the type of bridging. The example specifies integrated routing and bridging.

Step 2  interface name number
        Example:
        Router(config)# interface vlan 1
        Router(config-if)#
        Purpose: Enters interface configuration mode. We want to set up bridging on the VLANs, so the example enters the VLAN interface configuration mode.

Step 3  bridge-group number
        Example:
        Router(config-if)# bridge-group 1
        Router(config-if)#
        Purpose: Assigns a bridge group to the interface.

Step 4  bridge-group number parameter
        Example:
        Router(config-if)# bridge-group 1 spanning-disabled
        Router(config-if)#
        Purpose: Sets other bridge parameters for the bridging interface. The example disables spanning tree on this interface for bridge group 1; the bridge-group number is required.

Step 5  interface name number
        Example:
        Router(config-if)# interface bvi 1
        Router(config-if)#
        Purpose: Enters configuration mode for the bridge-group virtual interface (BVI), the routed interface that represents the bridge group.

Step 6  ip address address mask
        Example:
        Router(config-if)# ip address 10.0.1.1 255.255.255.0
        Router(config-if)#
        Purpose: Specifies the address for the virtual bridge interface.

Repeat Step 2 through Step 6 above for each VLAN that requires a wireless interface.

Configure Radio Station Subinterfaces

Perform these steps to configure subinterfaces for each root station, beginning in global configuration mode:

Step 1  interface type number
        Example:
        Router(config)# interface dot11radio 0.1
        Router(config-subif)#
        Purpose: Enters subinterface configuration mode for the root station interface.

Step 2  description string
        Example:
        Router(config-subif)# description Cisco open
        Router(config-subif)#
        Purpose: Provides a description of the subinterface for the administrative user.

Step 3  encapsulation dot1q vlanID [native | second-dot1q]
        Example:
        Router(config-subif)# encapsulation dot1q 1 native
        Router(config-subif)#
        Purpose: Enables IEEE 802.1Q encapsulation on the specified subinterface, binding it to the VLAN given.

Step 4  no cdp enable
        Example:
        Router(config-subif)# no cdp enable
        Router(config-subif)#
        Purpose: Disables the Cisco Discovery Protocol (CDP) on the wireless subinterface, so the router does not advertise its platform, software version, and addresses to wireless stations.

Step 5  bridge-group number
        Example:
        Router(config-subif)# bridge-group 1
        Router(config-subif)#
        Purpose: Assigns a bridge group to the subinterface.

Step 6  exit
        Example:
        Router(config-subif)# exit
        Router(config)#
        Purpose: Exits subinterface configuration mode, and enters global configuration mode.

Repeat these steps to configure more subinterfaces, as needed.

Configuration Example

The following configuration example shows a portion of the configuration file for the wireless LAN scenario described in the preceding sections.

!
bridge irb
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 45
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid cisco
    vlan 1
    authentication open
    authentication network-eap eap_methods
    authentication key-management wpa
 !
 ssid ciscowep
    vlan 2
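An SSID is only as protected as the cipher suite bound to its VLAN, and the Note in Step 2 of the root radio procedure rules out broadcast-key rotation for static-WEP clients, so a practitioner usually wants a quick check of a Dot11Radio block before deploying it. The following Python audit is an added example, not Cisco code and not part of the original guide. Both configuration fragments are constructed: the weak one follows the shape of the example above and gives the second SSID a static-WEP VLAN with plain open authentication; the hardened one assumes the IOS image supports the aes-ccm cipher suite and an eap list on open authentication. Only the per-VLAN forms of encryption and broadcast-key are handled, and parse_radio and audit are names chosen for this example.

```python
"""Audit the cipher-suite, key-rotation and SSID authentication settings of an
'interface Dot11Radio0' block. Added example, not Cisco code; both configuration
fragments are constructed, and parse_radio/audit are names chosen for this example."""

# Static WEP suites: cannot be used with broadcast-key rotation and are no longer considered secure.
WEAK_CIPHERS = {"wep", "wep40", "wep128"}

def parse_radio(text):
    """Return (vlans, ssids): vlans maps a VLAN id to its cipher set and rotation interval,
    ssids maps an SSID name to its VLAN and authentication settings.
    Lines beginning with '!' are comments and never take effect in IOS, so they are skipped."""
    vlans, ssids, cur = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:2] == ["encryption", "vlan"] and "mode" in t:
            mode = t[t.index("mode") + 1:]  # 'ciphers tkip ...' lists suites; 'wep mandatory' is static WEP
            vlans.setdefault(t[2], {})["ciphers"] = set(mode[1:]) if mode[0] == "ciphers" else {mode[0]}
        elif t[:2] == ["broadcast-key", "vlan"] and "change" in t:
            vlans.setdefault(t[2], {})["rotate"] = int(t[t.index("change") + 1])
        elif t[0] == "ssid":
            cur = ssids.setdefault(t[1], {"vlan": None, "open_plain": False, "keymgmt": set()})
        elif cur is not None and t[0] == "vlan":
            cur["vlan"] = t[1]
        elif cur is not None and t[0] == "authentication":
            if t[1] == "key-management":
                cur["keymgmt"].update(t[2:])
            elif t[1] == "open":
                cur["open_plain"] = len(t) == 2  # 'authentication open' with no 'eap list-name'
    return vlans, ssids

def audit(text):
    """Return a sorted list of (ssid, finding) pairs; an empty list means nothing was flagged."""
    vlans, ssids = parse_radio(text)
    findings = []
    for name, s in ssids.items():
        v = vlans.get(s["vlan"], {})
        ciphers = v.get("ciphers", set())
        if not ciphers:
            findings.append((name, "no cipher suite on its VLAN: frames are sent in the clear"))
        elif ciphers & WEAK_CIPHERS:
            findings.append((name, "static WEP cipher suite"))
        elif "rotate" not in v:  # rotation only applies to the non-WEP suites (see the Step 2 Note)
            findings.append((name, "broadcast key rotation not enabled on its VLAN"))
        if s["open_plain"] and not s["keymgmt"]:
            findings.append((name, "open authentication with no EAP list and no WPA key management"))
    return sorted(findings)

# Constructed fragment in the shape of the chapter's example, plus a static-WEP second SSID.
WEAK_RADIO = """
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 2 mode wep mandatory
 !
 ssid cisco
    vlan 1
    authentication open
    authentication network-eap eap_methods
    authentication key-management wpa
 !
 ssid ciscowep
    vlan 2
    authentication open
"""

# Constructed hardened variant; assumes the image supports aes-ccm and 'authentication open eap'.
HARDENED_RADIO = """
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 45
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid cisco
    vlan 1
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_RADIO), ("hardened", HARDENED_RADIO)):
        print(label, audit(cfg) or "no findings")
```

Against the weak fragment the audit reports that VLAN 1 never enables broadcast-key rotation and that the ciscowep SSID combines static WEP with open authentication and no key management, which is the configuration the Step 2 Note warns cannot coexist with rotation and that any station can join. The hardened fragment produces no findings.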
    						