Cisco Systems Router 1800 Series User Manual

    							
REVIEW DRAFT—CISCO CONFIDENTIAL
5-7
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-03
Chapter 5      Configuring a LAN with DHCP and VLANs
    Switch Port Configurations
The 8 high-speed Ethernet ports on the Cisco 1800 (fixed) integrated router support 8 VLANs per port.
To configure and verify VLANs on the switch ports, see the “Configure VLANs” section on page 5-5 and the “Verify Your VLAN Configuration” section on page 5-5.
Figure 5-1 VLAN Configuration on the Cisco 1800 (Fixed) Router Showing Three VLAN Segments
Other procedures for configuring the switch ports, including configuration examples and information on the features and interfaces, are in the Cisco HWIC-4ESW and HWIC-9ESW EtherSwitch Interface Cards document on Cisco.com. See this document to configure the switch ports. The configuration procedures described in this document are listed below.
    						
• Configuring VLANs (required)
• Configuring VLAN Trunking Protocol (optional)
• Configuring 802.1x Authentication (required)
• Configuring Spanning Tree on a VLAN (required)
• Configuring Layer 2 Interfaces (required)
• Configuring MAC Table Manipulation (required)
• Configuring the Switched Port Analyzer (required)
• Configuring Power Management on the Interfaces (optional)
• IP Multicast Layer 3 Switching (required)
• Configuring Per-Port Storm Control (optional)
• Configuring Fallback Bridging (optional)
• Configuring Separate Voice and Data Subnets (optional)
• Configuring IGMP Snooping (optional)
    This section briefly describes the features and interfaces that can be configured on the VLANs assigned 
    to the switch ports and any differences between the configurations for the HWIC-4ESW and 
    HWIC-9ESW and the configuration of the switch ports.
VLAN Trunking Protocol (VTP)
VLAN Trunking Protocol (VTP) supports three VTP modes: server, client, and transparent. In VTP server mode, you create, modify, and delete VLANs and specify other configuration parameters, such as the VTP version, for the entire VTP domain. VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements.
802.1x Authentication
The switch port determines whether a client is granted access to the network. In the default setting, the port is in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x packets. When a client has successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally.
If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.
The 802.1x protocol supports authentication alone and full authentication, authorization, and accounting (AAA) with RADIUS, with port VLAN ID (PVID) and voice VLAN ID (VVID), VLAN assignment, a guest VLAN, and single- and multi-host support on the Cisco 1800 (fixed) Configuration Series.
Note: These security features are not supported on the switch ports: security access control lists, IP access control lists (IP ACLs) for Layer 2 ports, and VLAN ACLs (VACLs).
    						
    Layer 2 Interfaces
    The integrated switch ports support Layer 2 switching across Ethernet ports based on Cisco IOS Catalyst 
    Software. They support simultaneous, parallel connections between Layer 2 Ethernet segments. 
    Switched connections between Ethernet segments last only for the duration of the packet. Different 
    connections can be made for different segments for the next packet. You can configure a range of Layer 
    2 interfaces, define a range macro, set the interface speed, set the duplex mode, and add a description for 
    the interface.
MAC Table Manipulation
The MAC table is configured to provide port security. The switch ports use the MAC address tables to forward traffic between the ports. All MAC addresses in the address table are associated with one or more ports. The MAC tables include the following types of addresses:
• Dynamic address: the source MAC address that the switch learns and then drops when not in use.
• Secure address: a manually entered unicast address that is usually associated with a secured port. Secure addresses do not age.
• Static address: a manually entered unicast or multicast address that does not age and that is not lost when the switch resets.
The Cisco 1800 (Fixed) Configuration Series supports 100 secure and static MAC addresses. General MAC addresses are supported for 50 users.
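The three address types and the limit above, as an added Python model that is not code from the Cisco guide: a small MAC table that learns dynamic entries and ages them, keeps secure and static entries from aging, keeps only static entries across a reset, and enforces the 100-entry secure/static limit. Port names, sample MAC addresses and the 300-second aging time are constructed; the rules that a learned frame never moves a secure or static entry, that a frame whose source MAC is pinned to another port is dropped, and that secure entries (unlike static ones) are lost on reset are assumptions of this model.

```python
# Added example, not code from the Cisco guide: a model of the switch-port MAC
# address table described under "MAC Table Manipulation". Port names, frames
# and the aging time are constructed; that a learned frame never moves a secure
# or static entry, and that such a frame is dropped, are assumptions of the model.
from dataclasses import dataclass

MAX_SECURE_STATIC = 100   # secure + static entries supported (from the guide)
PORTS = ["Fa0", "Fa1", "Fa2", "Fa3"]   # constructed switch-port names

@dataclass
class Entry:
    port: str
    kind: str          # "dynamic" | "secure" | "static"
    last_seen: float   # only dynamic entries age

class MacTable:
    def __init__(self, aging_time=300.0):
        self.entries = {}
        self.aging_time = aging_time

    def _add_manual(self, mac, port, kind):
        """Secure and static entries are entered by hand and never age."""
        manual = [m for m, e in self.entries.items() if e.kind != "dynamic"]
        if mac not in manual and len(manual) >= MAX_SECURE_STATIC:
            raise ValueError("secure/static address table is full")
        self.entries[mac] = Entry(port, kind, 0.0)

    def add_secure(self, mac, port):
        self._add_manual(mac, port, "secure")

    def add_static(self, mac, port):
        self._add_manual(mac, port, "static")

    def learn(self, mac, port, now):
        """Source-address learning. Returns False when the source MAC is pinned
        to another port by a secure or static entry (a port-security hit)."""
        e = self.entries.get(mac)
        if e is None:
            self.entries[mac] = Entry(port, "dynamic", now)
        elif e.kind == "dynamic":
            e.port, e.last_seen = port, now
        else:
            return e.port == port
        return True

    def age(self, now):
        """Drop dynamic entries not seen within the aging time."""
        self.entries = {m: e for m, e in self.entries.items()
                        if e.kind != "dynamic" or now - e.last_seen <= self.aging_time}

    def forward(self, src, dst, in_port, now):
        """Egress ports for a frame: the learned port for a known destination,
        every other port (flooding) for an unknown one."""
        self.age(now)
        if not self.learn(src, in_port, now):
            return []   # source violates a secure/static binding: drop (assumption)
        e = self.entries.get(dst)
        if e is None:
            return [p for p in PORTS if p != in_port]
        return [] if e.port == in_port else [e.port]

    def reset(self):
        """Switch reset: only static entries survive (secure loss is an assumption)."""
        self.entries = {m: e for m, e in self.entries.items() if e.kind == "static"}
```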
Maximum Switched Virtual Interfaces (SVIs)
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the router. Only one SVI can be associated with a VLAN; it is necessary to configure an SVI for a VLAN only when you wish to route between VLANs, when you wish to fallback-bridge nonroutable protocols between VLANs, or when you wish to provide IP host connectivity. Eight SVI interfaces are supported on each port of the fixed router.
Switched Port Analyzer (SPAN)
You can configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic on one or more interfaces and to send ingress traffic, egress traffic, or both to one destination interface.
You can enable spanning tree on a per-VLAN basis and configure various spanning tree features. All frames have 802.1q tags.
IP Multicast Switching
Multicast switching is Layer 3 switching. To configure multicast switching, the maximum number of configured VLANs must be less than or equal to 242. The maximum number of multicast groups is equal to the maximum number of VLANs.
You can configure your router to enable multicast switching globally, enable IP Protocol Independent Multicast (PIM) on a Layer 3 interface, and verify the multicast Layer 3 switching information.
    						
Note: Per-port enabling and disabling of unknown multicast and unicast packets is not supported on the Cisco 1800 (Fixed) configuration router.
    Per-Port Storm Control
    You can use these per-port storm control techniques to block the forwarding of unnecessary, flooded 
    traffic.
    Fallback Bridging
    With Fallback Bridging, the switch bridges together two or more VLANs or routed ports, essentially 
    connecting multiple VLANs within one bridge domain.
    To configure Fallback Bridging for a set of SVIs, the SVIs must be assigned to bridge groups. All bridges 
    in the same group belong to the same bridge domain. Each SVI can be assigned to only one bridge group.
    Separate Voice and Data Subnets
    For ease of network administration and increased scalability, network managers can configure the switch 
    ports to support Cisco IP phones such that the voice and data traffic reside on separate subnets.
    IGMP Snooping
    By default, IGMP Snooping is globally enabled on the switch ports. When globally enabled or disabled, 
    it is also enabled or disabled on all VLAN interfaces. It can be enabled and disabled on a per-VLAN 
    basis.
Note: All of the procedures for configuring the switch ports, including configuration examples and information on the features and interfaces, are in the Cisco HWIC-4ESW and HWIC-9ESW EtherSwitch Interface Cards document on Cisco.com. See this document to configure the switch ports.
    						
    							
6-1
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-02
Chapter 6
Configuring a VPN Using Easy VPN and an IPSec Tunnel
The Cisco 1800 series integrated services fixed-configuration routers support the creation of Virtual Private Networks (VPNs).
Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections, which perform a high level of authentication and encrypt the data between two particular endpoints.
Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.
The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPSec tunnel to configure and secure the connection between the remote client and the corporate network.
Figure 6-1 shows a typical deployment scenario.
Figure 6-1 Remote Access VPN Using IPSec Tunnel
1 Remote, networked users
2 VPN client—Cisco 1800 series integrated services router
3 Router—Providing the corporate office network access
4 VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside interface address 192.168.101.1
5 Corporate office with a network address of 10.1.1.1
6 IPSec tunnel
     
Cisco Easy VPN
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.
An Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Easy VPN server–enabled devices allow remote routers to act as Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.
After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 1800 integrated services router. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Port Address Translation (NAT/PAT) parameters on both the client and the server.
Configuration Tasks
Perform the following tasks to configure your router for this network scenario:
• Configure the IKE Policy
• Configure Group Policy Information
• Apply Mode Configuration to the Crypto Map
• Enable Policy Lookup
• Configure IPSec Transforms and Protocols
• Configure the IPSec Crypto Method and Parameters
• Apply the Crypto Map to the Physical Interface
• Create an Easy VPN Remote Configuration
    						
    							 
An example showing the results of these configuration tasks is shown in the section “Configuration Example.”
Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs. If you have not performed these configuration tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” Chapter 4, “Configuring PPP over ATM with NAT,” and Chapter 5, “Configuring a LAN with DHCP and VLANs,” as appropriate for your router.
Configure the IKE Policy
Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:
Step 1: crypto isakmp policy priority
Example:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)#
Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.
Step 2: encryption {des | 3des | aes | aes 192 | aes 256}
Example:
Router(config-isakmp)# encryption 3des
Router(config-isakmp)#
Purpose: Specifies the encryption algorithm used in the IKE policy. The example specifies 168-bit Triple Data Encryption Standard (3DES).
Step 3: hash {md5 | sha}
Example:
Router(config-isakmp)# hash md5
Router(config-isakmp)#
Purpose: Specifies the hash algorithm used in the IKE policy. The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash Standard (SHA-1).
Step 4: authentication {rsa-sig | rsa-encr | pre-share}
Example:
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)#
Purpose: Specifies the authentication method used in the IKE policy. The example specifies a pre-shared key.
Step 5: group {1 | 2 | 5}
Example:
Router(config-isakmp)# group 2
Router(config-isakmp)#
Purpose: Specifies the Diffie-Hellman group to be used in an IKE policy.
    						
    							 
Step 6: lifetime seconds
Example:
Router(config-isakmp)# lifetime 480
Router(config-isakmp)#
Purpose: Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).
Step 7: exit
Example:
Router(config-isakmp)# exit
Router(config)#
Purpose: Exits IKE policy configuration mode and enters global configuration mode.
Configure Group Policy Information
Perform these steps to configure the group policy, beginning in global configuration mode:
Step 1: crypto isakmp client configuration group {group-name | default}
Example:
Router(config)# crypto isakmp client configuration group rtr-remote
Router(config-isakmp-group)#
Purpose: Creates an IKE policy group containing attributes to be downloaded to the remote client. Also enters Internet Security Association and Key Management Protocol (ISAKMP) group policy configuration mode.
Step 2: key name
Example:
Router(config-isakmp-group)# key secret-password
Router(config-isakmp-group)#
Purpose: Specifies the IKE pre-shared key for the group policy.
Step 3: dns primary-server
Example:
Router(config-isakmp-group)# dns 10.50.10.1
Router(config-isakmp-group)#
Purpose: Specifies the primary Domain Name System (DNS) server for the group.
Note: You may also want to specify Windows Internet Naming Service (WINS) servers for the group by using the wins command.
Step 4: domain name
Example:
Router(config-isakmp-group)# domain company.com
Router(config-isakmp-group)#
Purpose: Specifies group domain membership.
    						
    							
     
Step 5: exit
Example:
Router(config-isakmp-group)# exit
Router(config)#
Purpose: Exits IKE group policy configuration mode and enters global configuration mode.
Step 6: ip local pool {default | poolname} [low-ip-address [high-ip-address]]
Example:
Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
Router(config)#
Purpose: Specifies a local address pool for the group. For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.
Apply Mode Configuration to the Crypto Map
Perform these steps to apply mode configuration to the crypto map, beginning in global configuration mode:
Step 1: crypto map map-name isakmp authorization list list-name
Example:
Router(config)# crypto map dynmap isakmp authorization list rtr-remote
Router(config)#
Purpose: Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from an authentication, authorization, and accounting (AAA) server.
Step 2: crypto map tag client configuration address [initiate | respond]
Example:
Router(config)# crypto map dynmap client configuration address respond
Router(config)#
Purpose: Configures the router to reply to mode configuration requests from remote clients.
    						
    							
     
Enable Policy Lookup
Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:
Step 1: aaa new-model
Example:
Router(config)# aaa new-model
Router(config)#
Purpose: Enables the AAA access control model.
Step 2: aaa authentication login {default | list-name} method1 [method2...]
Example:
Router(config)# aaa authentication login rtr-remote local
Router(config)#
Purpose: Specifies AAA authentication of selected users at login, and specifies the method used. This example uses a local authentication database. You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference.
Step 3: aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
Example:
Router(config)# aaa authorization network rtr-remote local
Router(config)#
Purpose: Specifies AAA authorization of all network-related service requests, including PPP, and specifies the method of authorization. This example uses a local authorization database. You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference.
Step 4: username name {nopassword | password password | password encryption-type encrypted-password}
Example:
Router(config)# username Cisco password 0 Cisco
Router(config)#
Purpose: Establishes a username-based authentication system. This example implements a username of Cisco with an encrypted password of Cisco.
Configure IPSec Transforms and Protocols
A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.
During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers’ configurations.
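The IKE policy steps of “Configure the IKE Policy” (priority, encryption, hash, authentication, group, lifetime) and the transform-set search described just above, as an added Python model that is not the guide's or Cisco's code: it walks two peers' policies in priority order (1 first), returns the first policy both sides hold, picks the first transform set common to both sides, and flags the legacy algorithms that the steps' examples use. The two peers, the transform-set names and the 86400-second default lifetime are constructed, policy 1 on the local side uses the example values from the steps, and the rule that the shorter of the two lifetimes is used is an assumption of the model.

```python
# Added example, not code from the Cisco guide: how the IKE policy from "Configure
# the IKE Policy" and the transform sets from "Configure IPSec Transforms and
# Protocols" are matched between two peers. The sample peers are constructed.
from dataclasses import dataclass, replace

ENCRYPTION = {"des", "3des", "aes", "aes 192", "aes 256"}
HASH = {"md5", "sha"}
AUTHENTICATION = {"rsa-sig", "rsa-encr", "pre-share"}
DH_GROUPS = {1, 2, 5}

@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' block (Steps 1 through 6)."""
    priority: int            # 1..10000, 1 = highest priority, tried first
    encryption: str
    hash: str
    authentication: str
    group: int               # Diffie-Hellman group
    lifetime: int = 86400    # seconds, 60..86400 (default is an assumption)

    def invalid_fields(self):
        """Names of parameters outside the ranges the steps list."""
        ok = {"priority": 1 <= self.priority <= 10000,
              "encryption": self.encryption in ENCRYPTION,
              "hash": self.hash in HASH,
              "authentication": self.authentication in AUTHENTICATION,
              "group": self.group in DH_GROUPS,
              "lifetime": 60 <= self.lifetime <= 86400}
        return [name for name, good in ok.items() if not good]

    def matches(self, other):
        """Peers agree only when all four negotiated attributes are identical."""
        mine = (self.encryption, self.hash, self.authentication, self.group)
        return mine == (other.encryption, other.hash, other.authentication, other.group)

def negotiate_ike(local, remote):
    """Try local policies from priority 1 upward; the first one the remote peer
    also holds wins. Assumption: the shorter of the two lifetimes is used."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.matches(rp):
                return replace(lp, lifetime=min(lp.lifetime, rp.lifetime))
    return None  # no common policy: IKE negotiation fails

def negotiate_transform_set(local_sets, remote_sets):
    """Pick the first transform set, in local order of preference, that is the
    same at both peers; None when the peers share no transform set."""
    return next((ts for ts in local_sets if ts in remote_sets), None)

def legacy_warnings(policy):
    """Flag choices from the steps' examples that are legacy algorithms today."""
    out = [v for v in (policy.encryption, policy.hash) if v in {"des", "3des", "md5"}]
    if policy.group in (1, 2):
        out.append(f"group {policy.group}")
    return out

# Constructed sample: LOCAL policy 1 uses the exact values from this chapter's
# steps; policy 10 is a stronger alternative that the remote peer prefers.
LOCAL = [IkePolicy(1, "3des", "md5", "pre-share", 2, 480),
         IkePolicy(10, "aes 256", "sha", "pre-share", 5)]
REMOTE = [IkePolicy(5, "aes 256", "sha", "pre-share", 5, 3600),
          IkePolicy(20, "3des", "md5", "pre-share", 2)]
LOCAL_SETS = [("esp-3des", "esp-md5-hmac"), ("esp-aes", "esp-sha-hmac")]
REMOTE_SETS = [("esp-aes", "esp-sha-hmac"), ("esp-3des", "esp-md5-hmac")]
```

Because the local side's priority order decides, `negotiate_ike(LOCAL, REMOTE)` settles on the 3DES/MD5 policy even though the remote peer prefers AES-256; giving the stronger policy the lower priority number changes the outcome.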
    						