Cisco 2800 Series Software Configuration


Upload: phamminh

Post on 31-Jan-2018



Preface

This preface describes the objectives, audience, organization, and conventions of the software configuration documentation for your router. It contains the following sections:

• Objectives

• Audience

• Conventions

• Obtaining Documentation

• Documentation Feedback

• Obtaining Technical Assistance

• Obtaining Additional Publications and Information

Objectives

These documents explain how to configure and maintain your Cisco router.

Audience

These documents are designed for the person installing, configuring, and maintaining the Cisco router, who should be familiar with networking technology and terminology.

Conventions

These documents use the conventions listed in Table 1 to convey instructions and information.

Corporate Headquarters:

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA


Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Tip Means the following information will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information, similar to a Timesaver.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/cisco/web/support/index.html

Table 1 Command Conventions

Convention              Description
boldface font           Commands and keywords.
italic font             Variables for which you supply values.
[ ]                     Optional keywords or arguments appear in square brackets.
{x | y | z}             A choice of required keywords appears in braces separated by vertical bars. You must select one.
screen font             Examples of information displayed on the screen.
boldface screen font    Examples of information you must enter.
< >                     Nonprinting characters, for example passwords, appear in angle brackets in contexts where italics are not available.
[ ]                     Default responses to system prompts appear in square brackets.

Preface, OL-5591-01


You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

For information on obtaining documentation, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/web/ordering/root/index.html

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

For your convenience, a documentation feedback form is located at the bottom of every online document.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.


Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.


Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• The Cisco Products and Services Index describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Products and Services Index at this URL:

http://www.cisco.com/en/US/products/index.html

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

• World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html


Copyright © 2004 Cisco Systems, Inc. All rights reserved.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)


Overview

Cisco 2800 series integrated service routers provide a range of models in which you can install a variety of modules. The number and type of modules vary by platform. Examples of these modules include WAN interface cards (WICs), voice interface cards (VICs), voice/WAN interface cards (VWICs), high-speed WAN interface cards (HWICs), packet voice data modules (PVDMs), network modules enhanced (NME), advanced integration modules (AIMs), and extension voice modules (EVMs).

These routers feature the following:

• The Cisco 2801 router supports two HWIC/WIC/VIC/VWIC slots, capable of supporting both single-wide and double-wide HWICs, one WIC/VIC/VWIC slot, one VIC/VWIC (voice only) slot, two Fast Ethernet connections, optional inline power output of up to 120 Watts, and two advanced integration module (AIM) slots.

• The Cisco 2811 router, in addition to the features in the Cisco 2801, supports one single-wide network module enhanced (NME), four single-width or two double-wide HWICs, and optional inline power output of up to 160 Watts.

• In Cisco 2821 routers, in addition to the features in the Cisco 2811, the network module slot adds support for a single-wide network module enhanced extended (NME-X), and an additional slot supports an extension voice module (EVM). Three PVDMs are supported, the LAN ports support Gigabit Ethernet, and optional inline power output of up to 240 Watts is provided.

• In Cisco 2851 routers, in addition to the features in the Cisco 2821, the network module slot adds support for network module double-wide (NMDs) and network module enhanced extended double-wide (NME-XDs), and optional inline power output of up to 360 Watts is provided.

Note The interface numbering and asynchronous line numbering on Cisco 2800 series routers are different from the numbering schemes used on other Cisco modular routers. For details, see the hardware installation documentation for your router.


Cisco 2800 Series Software Configuration Documentation

Unlike traditional documentation, wherein all of the information appears within one printed book, the Cisco 2800 series routers software configuration documentation takes advantage of the capabilities inherent in web-based presentation. This includes extensive hyperlinking to other information, tools, and many other resources on Cisco.com.

Instead of chapters, each topic area can be accessed independently. At the top level, available at “Cisco 2800 Series Software Configuration,” the main software configuration topics include:

• Basic Software Configuration

– Basic Software Configuration Using the Setup Command Facility

– Basic Software Configuration Using the Cisco IOS Command-Line Interface

• Finding Feature Documentation

• Configuration Examples

• Troubleshooting and Maintenance

– Upgrading the System Image

– Using CompactFlash Memory Cards

– Using the ROM Monitor

– Changing the Configuration Register Settings

– Troubleshooting Links

Note Besides the setup facility and the IOS command-line interface, a third way of configuring Cisco routers is through the Cisco Router and Security Device Manager. Additional information about SDM features is available at this URL: http://www.cisco.com/go/sdm

Note You must have an account on Cisco.com to access many of the available tools. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions.

Contents

Following is a list of the main topics covered in the remainder of this overview:

• Performing Initial Configuration

• Using the Cisco IOS Startup Sequence

Overview, OL-6154-01


Performing Initial Configuration

You can configure your router by using one of the following methods:

• Initial Configuration Using the Cisco Router and Security Device Manager

• Initial Configuration Using the Setup Command Facility

• Initial Configuration Using the Command-Line Interface

Initial Configuration Using the Cisco Router and Security Device Manager

Note We recommend that you use the Cisco Router and Security Device Manager to configure your router. Built-in verification systems and sanity checks help to ensure both correct configurations and robust security practices.

The Cisco Router and Security Device Manager (SDM) is an easy-to-use device management tool that allows you to configure Cisco IOS security features and network connections through an intuitive web-based graphical user interface. You can use SDM wizards to:

• Configure additional LAN and WAN connections

• Create firewalls

• Configure Virtual Private Network (VPN) connections

• Perform security audits

SDM also provides an advanced mode, through which you can configure advanced features, such as Firewall Policy, Network Address Translation (NAT), VPNs, routing protocols, and other options.

For More Information About SDM and About Your Router

For additional information about SDM features, refer to the SDM online help. Additional information about SDM is also available at this URL:

http://www.cisco.com/go/sdm

Here you can find detailed information about SDM, including an SDM FAQ, data sheet, customer presentation, Flash demo, and links to technical documentation and product updates.

Refer to the quick start guide for your router for other procedures, such as connecting a PC to the router console port so that you can use the CLI when you need to, and using the router LEDs to verify installation. The quick start guide may also contain important warranty information.

Obtaining the Latest Version of SDM

SDM is regularly enhanced to provide new features. If you are already running SDM on the router, you can update SDM automatically by clicking on the Tools menu and selecting Update SDM. SDM determines whether a more recent version is available and enables you to download and install it on the router.

If you have a supported router that does not have SDM installed, you can download the latest version of SDM free of charge. Instructions for installing it on your router can be found at this URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm


You should consult the SDM release notes to determine if SDM is supported for the router on which you want to install it.

If the following messages appear at the end of the startup sequence, Cisco Router and Security Device Manager (SDM) is installed on your router:

yourname con0 is now available

Press RETURN to get started.

Tip If these messages do not appear, SDM was not shipped with your router. If you want to use SDM, you can download the latest version of SDM and instructions for installing it on your router from the following URL:

http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm

To obtain the SDM quick start guide, SDM release notes, and other SDM documentation, go to http://www.cisco.com/go/sdm and click the Technical Documentation link.

For instructions on configuring your router by using SDM, refer to the Cisco Router and Security Device Manager (SDM) Quick Start Guide that shipped with your router.

Initial Configuration Using the Setup Command Facility

This section shows how to use the setup command facility to configure a host name for the router, set passwords, and configure an interface for communication with the management network.

If the following messages appear at the end of the startup sequence, the setup command facility has been invoked automatically:

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Would you like to enter the initial configuration dialog? [yes/no]:

The setup command facility prompts you for basic information about your router and network, and it creates an initial configuration file. After the configuration file is created, you can use the CLI or Security Device Manager to perform additional configuration.

The prompts in the setup command facility vary, depending on your router model, the installed interface modules, and the software image. The following example and the user entries (in bold) are shown as examples only.

Note If you make a mistake while using the setup command facility, you can exit and run the setup command facility again. Press Ctrl-C, and enter the setup command at the privileged EXEC mode prompt (Router#).

Step 1 To proceed using the setup command facility, enter yes:

Would you like to enter the initial configuration dialog? [yes/no]: yes


Step 2 When the following messages appear, enter yes to enter basic management setup:

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes

Step 3 Enter a hostname for the router (this example uses Router):

Configuring global parameters:
Enter host name [Router]: Router

Step 4 Enter an enable secret password. This password is encrypted (more secure) and cannot be seen when viewing the configuration:

The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx

Step 5 Enter an enable password that is different from the enable secret password. This password is not encrypted (less secure) and can be seen when viewing the configuration:

The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx

Step 6 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports other than the console port:

The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx

Step 7 Respond to the following prompts as appropriate for your network:

Configure SNMP Network Management? [yes]:
Community string [public]:

A summary of the available interfaces is displayed.

Note The interface numbering that appears depends on the type of Cisco modular router platform and on the installed interface modules and cards.

Current interface summary

Controller Timeslots D-Channel Configurable modes Status
T1 0/0     24        23        pri/channelized    Administratively up

Any interface listed with OK? value "NO" does not have a valid configuration

Interface        IP-Address  OK? Method Status Protocol
FastEthernet0/0  unassigned  NO  unset  up     up
FastEthernet0/1  unassigned  NO  unset  up     down


Step 8 Select one of the available interfaces for connecting the router to the management network:

Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0

Step 9 Respond to the following prompts as appropriate for your network:

Configuring interface FastEthernet0/0:
Use the 100 Base-TX (RJ-45) connector? [yes]: yes
Operate in full-duplex mode? [no]: no
Configure IP on this interface? [yes]: yes
IP address for this interface: 172.1.2.3
Subnet mask for this interface [255.255.0.0] : 255.255.0.0
Class B network is 172.1.0.0, 26 subnet bits; mask is /16

Step 10 The configuration is displayed:

The following configuration command script was created:

hostname Router
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
interface FastEthernet0/0
no shutdown
speed 100
duplex half
ip address 172.1.2.3 255.255.0.0
!
interface FastEthernet0/1
shutdown
no ip address
end

Step 11 Respond to the following prompts. Select [2] to save the initial configuration.

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2
Building configuration...
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started! RETURN

The user prompt is displayed.

Router>

Step 12 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for verification procedures.

For more information, see the Basic Software Configuration Using the Setup Command Facility section, available at this URL:

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_setup.html


Initial Configuration Using the Command-Line Interface

This section describes briefly how to display a command-line interface (CLI) prompt for configuration using the CLI.

You can use the CLI if the following messages appear at the end of the startup sequence:

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Would you like to enter the initial configuration dialog? [yes/no]:

If these messages do not appear, SDM and a default configuration file were installed on the router at the factory. To use SDM to configure the router, see the “Initial Configuration Using the Cisco Router and Security Device Manager” section on page 3.

Note Be sure to save your configuration changes occasionally so that they are not lost during resets, power cycles, or power outages. Use the copy running-config startup-config command at the privileged EXEC mode prompt (Router#) to save the configuration to NVRAM.

Step 1 To proceed with manual configuration using the CLI, enter no when the power-up messages end:

Would you like to enter the initial configuration dialog? [yes/no]: no

Step 2 Press Return to terminate autoinstall and continue with manual configuration:

Would you like to terminate autoinstall? [yes] Return

Several messages appear, ending with a line similar to the following:

Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled <date> <time> by <person>

Step 3 Press Return to display the Router> prompt:

...
flashfs[4]: Initialization complete.
Router>

Step 4 Enter privileged EXEC mode:

Router> enable
Router#

Step 5 Verify the initial configuration. See the “Verifying the Initial Configuration” section on page 8 for verification procedures.

For more information on using the CLI for router configuration, see the Basic Software Configuration Using the Cisco IOS Command-Line Interface section, available at this URL:

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/b_cli.html


Verifying the Initial Configuration

To verify that the new interfaces are operating correctly, perform the following tests:

• To verify that the interfaces are operating correctly and that the interfaces and line protocol are in the correct state—up or down—enter the show interfaces command.

• To display a summary status of the interfaces configured for IP, enter the show ip interface brief command.

• To verify that you configured the correct host name and password, enter the show configuration command.

When you have completed and verified the initial configuration, your Cisco router is ready to configure for specific functions.

Using the Cisco IOS Startup Sequence

This section explains how to use the IOS startup sequence to configure your router, as an alternative to using SDM.

Note Because SDM uses a default configuration file, if you have used SDM to configure your router, it will not execute the standard Cisco IOS startup sequence.

Using the Cisco IOS setup utility enables you to use TFTP or BOOTP configuration download, or use other features available through the standard Cisco IOS startup sequence.

The configuration file shipped with your router does the following:

• Provides an IP address for your Fast Ethernet interface, enabling an interface to your LAN

• Enables your router’s HTTP/HTTPS server, allowing HTTP access from your LAN

• Creates a default username (cisco) and password (cisco) with privilege level 15

• Enables Telnet/SSH access to the router from your LAN
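The shipped configuration listed above and the command script displayed in Step 10 of the setup command facility both leave settings in place that a review should catch before the router is put on a network. The following Python check is an added example, not Cisco's code and not part of the original document; the finding names, the `FACTORY_DEFAULT` and `HARDENED` texts, and the rule that a vty line without `transport input` accepts Telnet are assumptions made for the example.

```python
import re

# The command script from Step 10 on this page, one command per line.
SETUP_SCRIPT = """\
hostname Router
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing
!
interface FastEthernet0/0
no shutdown
speed 100
duplex half
ip address 172.1.2.3 255.255.0.0
!
interface FastEthernet0/1
shutdown
no ip address
end
"""

# Constructed stand-in: the page lists what the shipped file does, not its text.
FACTORY_DEFAULT = """\
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed configuration that should produce no findings (hash is a placeholder).
HARDENED = """\
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
no ip http server
ip http secure-server
line vty 0 4
 login local
 transport input ssh
"""

LINE_SUBCOMMANDS = {"password", "login", "transport", "exec-timeout", "access-class"}


def split_config(text):
    """Return (global commands, {vty header: [subcommands]})."""
    global_cmds, vty, kind, subs = [], {}, None, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if cmd in ("", "!", "end"):
            kind = None
        elif cmd.startswith("line "):
            kind = "line"
            subs = vty.setdefault(cmd, []) if cmd.startswith("line vty") else []
        elif cmd.startswith("interface ") or kind == "interface":
            kind = "interface"  # interface subcommands are skipped until "!"
        elif kind == "line" and (raw[:1].isspace()
                                 or cmd.split()[0] in LINE_SUBCOMMANDS):
            # Setup prints subcommands unindented with no "!" after the vty block.
            subs.append(cmd)
        else:
            kind = None
            global_cmds.append(cmd)
    return global_cmds, vty


def audit(text):
    """Return sorted finding ids for one IOS configuration text."""
    global_cmds, vty = split_config(text)
    findings = set()
    for cmd in global_cmds:
        if cmd.startswith("enable password "):
            findings.add("enable-password-readable")   # Step 5: not encrypted
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in ("public", "private"):
            findings.add("snmp-default-community")     # Step 7 default [public]
        m = re.match(r"username (\S+) (?:privilege \d+ )?(?:password|secret) 0 (\S+)", cmd)
        if m and m.group(1) == m.group(2):
            findings.add("username-equals-password")   # shipped cisco/cisco
        if cmd == "ip http server":
            findings.add("http-cleartext-management")
    for subs in vty.values():
        if any(s.startswith("password ") for s in subs):
            findings.add("vty-shared-password")
        inputs = [s.split()[2:] for s in subs if s.startswith("transport input")]
        # Assumption: a vty with no "transport input" line accepts Telnet.
        allowed = inputs[-1] if inputs else ["all"]
        if {"telnet", "all"} & set(allowed):
            findings.add("vty-telnet-allowed")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SETUP_SCRIPT), audit(FACTORY_DEFAULT), audit(HARDENED))
```
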

To erase the existing configuration and use the Cisco IOS startup sequence, perform the following steps.

Note SDM remains installed on the router. See the “Enabling SDM on a Router Configured to Use the IOS Startup Sequence” section on page 9 for instructions to reenable it.

Step 1 Connect the light blue console cable, included with your router, from the blue console port on your router to a serial port on your PC. Refer to the hardware installation guide that came with your router for instructions.

Step 2 Connect the power supply to your router, plug the power supply into a power outlet, and turn on your router. Refer to the quick start guide that came with your router for instructions.

Step 3 Use Hyperterminal or a similar terminal emulation program on your PC, with the terminal emulation settings of 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control, to connect to your router.


Step 4 At the prompt, enter the enable command. The default configuration file does not configure an enable password:

yourname> enable

yourname#

Step 5 Enter the erase startup-config command:

yourname# erase startup-config

Step 6 Confirm the command by pressing Enter.

Step 7 Enter the reload command:

yourname# reload

Step 8 Confirm the command by pressing Enter.

The router begins executing the standard startup sequence. If you want to use SDM to perform subsequent configurations for the router, you must reconfigure the router manually to support web-based applications, and the Telnet and Secure Shell (SSH) protocols. You must also create a user account with a privilege level of 15. See the “Enabling SDM on a Router Configured to Use the IOS Startup Sequence” section on page 9 for information on doing this.

Enabling SDM on a Router Configured to Use the IOS Startup Sequence

If you erased the factory startup configuration to use the IOS startup sequence, you can still use SDM. To do so, you must configure the router to support web-based applications, configure it with a user account defined with privilege level 15, and then configure it to support the Telnet and SSH protocols. These changes can be made using a Telnet session or using a console connection.

Configuring the Router to Support Web-Based Applications, a User with Priv 15, and Telnet/SSH

Step 1 Enable the HTTP/HTTPS server on the router, using the following Cisco IOS commands in the global configuration mode:

Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local

If the router uses an IPSec IOS image, the HTTPS server is enabled. Otherwise only the HTTP server is enabled.

Step 2 Create a user account with privilege level 15 (enable privileges, if necessary).

Router(config)#username <username> privilege 15 password 0 <password>

Replace <username> and <password> with the username and password of your choosing.

Step 3 Configure SSH and Telnet for local login and privilege level 15:

line vty 0 4
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh


Step 4 (Optional) Enable local logging to support the log monitoring function:

Router(config)#logging buffered 51200 warning

To use SDM on a router that has received a manual configuration, see the “Starting SDM on a Manually Configured Router” section on page 10.

Starting SDM on a Manually Configured Router

Note By default, the DHCP server is turned off on the Cisco 28xx series routers.

SDM is a web-based application that must be run from a PC that is connected to the router over a LAN. If the router is configured as a DHCP server, the PC must be configured to receive an IP address automatically. If the router is not configured as a DHCP server, you must configure the PC with a static IP address on the same subnet as the router interface to which you are connecting the PC. For example, if the router has the IP address 172.16.30.1, and the subnet mask is 255.255.255.248, you must configure the PC to use a network address in the range 172.16.30.2 through 172.16.30.6, and use the same subnet mask as the router.

Step 1 Open a web browser on the PC, and enter the IP address for the router.

https://IP-address

The https://... specifies that the Secure Socket Layer (SSL) protocol will be used for a secure connection. You can use http://... if SSL is not available.

Step 2 Enter the username and password that you specified in Step 2 of “Configuring the Router to Support Web-Based Applications, a User with Priv 15, and Telnet/SSH.”

To continue configuring your router, see the “Initial Configuration Using the Cisco Router and Security Device Manager” section on page 3.


Basic Software Configuration Using the Setup Command Facility

You can configure your router by using the Cisco Router and Security Device Manager (SDM), the Cisco IOS setup command facility, or the Cisco IOS command-line interface (CLI).

Note Wherever possible, we recommend that you use SDM to configure your router. For information on the availability and use of SDM, see the quick start guide that shipped with your router.

The software configuration documentation describes how to perform configuration tasks by using the CLI. However, this specific document describes how to perform basic configurations by using the Cisco IOS setup command facility.

Contents

• Platforms Supported by This Document

• Information About the Setup Command Facility

• Using the Setup Command Facility to Perform Basic Configuration

• Examples of Using the Setup Command Facility to Configure Interface Parameters

• Completing the Configuration

Platforms Supported by This Document

Use this document with the following platforms:

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers


Information About the Setup Command Facility

The setup command facility prompts you to enter the information that is needed to configure a router quickly. The facility steps you through a basic configuration, including LAN and WAN interfaces. For more general information about the setup command facility, see the following document:

Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2: Part 1: Cisco IOS User Interfaces: Using AutoInstall and Setup http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/ffcprt1/fcf002.htm

Using the Setup Command Facility to Perform Basic Configuration

This section shows how to configure a hostname for the router, set passwords, and configure an interface for communication with the management network.

Note The messages that will be displayed will vary, depending on your router model, the installed interface modules, and the software image. The following example and the user entries (in bold) are shown as examples only.

Note If you make a mistake while using the setup command facility, you can exit and run the setup command facility again. Press Ctrl-C, and enter the setup command in privileged EXEC mode (Router#).

Step 1 Enter the setup command facility by using one of the following methods:

• From the Cisco IOS CLI, enter the setup command in privileged EXEC mode:

Router> enable
Password: <password>
Router# setup

--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]:

• If your router reloads and does not already have a configuration file, you are prompted to enter the setup command facility:

Would you like to enter the initial configuration dialog? [yes/no]:

Step 2 To proceed using the setup command facility, enter yes.


OL-5992-01


Step 3 When the following messages appear, enter yes to enter basic management setup:

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes

Step 4 Enter a hostname for the router (this example uses myrouter):

Configuring global parameters:
  Enter host name [Router]: myrouter

Step 5 Enter an enable secret password. This password is encrypted (for more security) and cannot be seen when viewing the configuration.

The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: xxxxxx

Step 6 Enter an enable password that is different from the enable secret password. This password is not encrypted (and is less secure) and can be seen when viewing the configuration.

The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: xxxxxx

Step 7 Enter the virtual terminal password, which prevents unauthenticated access to the router through ports other than the console port:

The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: xxxxxx

Step 8 Respond to the following prompts as appropriate for your network:

Configure SNMP Network Management? [yes]:
  Community string [public]:

A summary of the available interfaces is displayed.

Note The interface numbering that appears is dependent on the type of Cisco modular router platform and on the installed interface modules and cards.

Current interface summary

Controller  Timeslots  D-Channel  Configurable modes  Status
T1 0/0      24         23         pri/channelized     Administratively up

Any interface listed with OK? value "NO" does not have a valid configuration

Interface        IP-Address  OK?  Method  Status  Protocol
FastEthernet0/0  unassigned  NO   unset   up      up
FastEthernet0/1  unassigned  NO   unset   up      down


Step 9 Select one of the available interfaces for connecting the router to the management network:

Enter interface name used to connect to the
management network from the above interface summary: fastethernet0/0

Step 10 Respond to the following prompts as appropriate for your network:

Configuring interface FastEthernet0/0:
  Use the 100 Base-TX (RJ-45) connector? [yes]: yes
  Operate in full-duplex mode? [no]: no
  Configure IP on this interface? [yes]: yes
    IP address for this interface: 172.1.2.3
    Subnet mask for this interface [255.255.0.0] : 255.255.0.0
    Class B network is 172.1.0.0, 16 subnet bits; mask is /16

The configuration is displayed:

The following configuration command script was created:

hostname myrouter
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
line vty 0 4
password xxxxxx
snmp-server community public
!
no ip routing

!
interface FastEthernet0/0
no shutdown
media-type 100BaseX
half-duplex
ip address 172.1.2.3 255.255.0.0
!
interface FastEthernet0/1
shutdown
no ip address
!
end

Step 11 Respond to the following prompts. Select [2] to save the initial configuration:

[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2
Building configuration...
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started! RETURN

The user prompt is displayed:

myrouter>

After you complete the initial configuration tasks, you can start configuring your Cisco router for specific functions.
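The configurations shown so far (the factory default described under "Using the Cisco IOS Startup Sequence", the SDM prerequisite commands, and the script generated by the setup command facility) contain several settings worth reviewing before the router carries production traffic. The following Python script is an added example, not Cisco code: the check names, the audit_ios_config function and both sample configurations are constructed for illustration, and only the settings that appear on this page are checked.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int  # 1-based line number in the audited text
    check: str    # check name, invented for this example
    detail: str


PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips e.g. "Router(config)#"
USERNAME = re.compile(r"^username (\S+)(?: privilege \d+)? password (?:([07]) )?(\S+)$")

# Constructed sample: the factory-default account, the SDM prerequisite
# commands and the setup-generated script from this page, merged into one file.
SAMPLE_CONFIG = """\
hostname myrouter
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
enable password xxxxxx
username cisco privilege 15 password 0 cisco
ip http server
ip http secure-server
ip http authentication local
snmp-server community public
!
line vty 0 4
 privilege level 15
 password xxxxxx
 login local
 transport input telnet
 transport input telnet ssh
!
end
"""

# Constructed hardened counterpart. "admin" is a made-up name and the type 5
# hash is a placeholder reused from the page's sample output.
HARDENED_CONFIG = """\
hostname myrouter
enable secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
username admin privilege 15 secret 5 $1$D5P6$PYx41/lQIASK.HcSbfO5q1
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login local
 transport input ssh
!
end
"""


def audit_ios_config(text: str) -> list:
    """Return sorted Findings for the weak settings shown on this page."""
    findings = []
    line_ctx = None      # header of the "line ..." block being read, if any
    last_transport = {}  # line header -> (line_no, protocols); last entry wins

    for no, raw in enumerate(text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line in ("!", "end") or line.startswith("interface "):
            line_ctx = None
            continue
        if line.startswith("line "):
            line_ctx = line
            continue
        user = USERNAME.match(line)
        if user and user.group(2) != "7":
            findings.append(Finding(no, "CLEARTEXT_USER_PASSWORD",
                f"user {user.group(1)}: password stored in cleartext; use 'username ... secret'"))
            if user.group(1) == "cisco" and user.group(3) == "cisco":
                findings.append(Finding(no, "DEFAULT_ACCOUNT",
                    "factory-default cisco/cisco account is present"))
        elif re.match(r"enable password (?!7 )", line):
            findings.append(Finding(no, "ENABLE_PASSWORD_CLEARTEXT",
                "enable password is stored unencrypted; rely on 'enable secret'"))
        elif line == "ip http server":
            findings.append(Finding(no, "HTTP_CLEARTEXT",
                "HTTP server enabled; management logins cross the LAN unencrypted"))
        elif re.match(r"snmp-server community public\b", line):
            findings.append(Finding(no, "SNMP_DEFAULT_COMMUNITY",
                "default SNMP community string 'public' is configured"))
        elif line_ctx and line.startswith("transport input"):
            last_transport[line_ctx] = (no, line.split()[2:])
        elif line_ctx and re.match(r"password (?!7 )", line):
            findings.append(Finding(no, "LINE_PASSWORD_CLEARTEXT",
                f"{line_ctx}: line password stored in cleartext"))
        elif line_ctx and line_ctx.startswith("line vty") and line == "privilege level 15":
            findings.append(Finding(no, "VTY_PRIV15",
                f"{line_ctx}: every remote login starts at privilege level 15"))

    # A later "transport input" replaces an earlier one, so judge only the last.
    for header, (no, protocols) in last_transport.items():
        if "telnet" in protocols or "all" in protocols:
            findings.append(Finding(no, "TELNET_ENABLED",
                f"{header}: Telnet accepted; restrict with 'transport input ssh'"))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  {f.check:<26} {f.detail}")
```

Text pasted with the Router(config)# prompt is accepted as well, so the commands can be checked before they are entered on the router.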


Examples of Using the Setup Command Facility to Configure Interface Parameters

The setup command facility prompts vary and depend on which fixed or modular interfaces are in your router. This section provides examples that use the setup command facility to perform the following operations:

• Fast Ethernet Interface Configuration

• Gigabit Ethernet Interface Configuration

• 1- or 2-Port Serial Interface Configuration

• Asynchronous/Synchronous Serial Interface—Asynchronous Configuration

• Asynchronous/Synchronous Serial Interface—Synchronous Configuration

• ISDN Basic Rate Interface Configuration

• Channelized E1/T1 ISDN PRI Interface Configuration

• 1-Port, 4-Wire, 56-kbps DSU/CSU Configuration

Note The messages that will be displayed will vary, depending on your router model, the installed interface modules, and the software image. The following example and the user entries (in bold) are shown as examples only.

Fast Ethernet Interface Configuration

The following is a brief example of configuring a Fast Ethernet interface by using the setup command facility:

Do you want to configure FastEthernet0/0 interface [yes]:
  Use the 100 Base-TX (RJ-45) connector? [yes]:
  Operate in full-duplex mode? [no]:
  Configure IP on this interface? [no]: yes
    IP address for this interface: 6.0.0.1
    Number of bits in subnet field [0]:
    Class A network is 6.0.0.0, 0 subnet bits, mask is /8
  Configure IPX on this interface? [yes]:
    IPX network number [1]:
    Need to select encapsulation type
    [0] sap (IEEE 802.2)
    [1] snap (IEEE 802.2 SNAP)
    [2] arpa (Ethernet_II)
    [3] novell-ether (Novell Ethernet_802.3)
    Enter the encapsulation type [2]:

Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5 Mbps in each direction), the interface will experience excessive collisions and reset once per second. To avoid this problem, traffic must be limited to less than 100% of capacity.


Gigabit Ethernet Interface Configuration

The following is a brief example of configuring a Gigabit Ethernet interface by using the setup command facility:

Note The Gigabit Ethernet interface is not supported on Cisco 1841, Cisco 2801, or Cisco 2811 routers.

Configuring interface GigabitEthernet0/0:
  Configure IP on this interface? [yes]:
    IP address for this interface [192.168.200.215]: 1.0.0.1
    Subnet mask for this interface [255.255.255.0] : 255.0.0.0
    Class A network is 1.0.0.0, 8 subnet bits; mask is /8

Note On Cisco 3800 series routers, the port gig 0/0 supports both the small form-factor pluggable Gigabit Ethernet Interface Converter (SFP GBIC) and RJ-45 media types. The port gig 0/1 supports only RJ-45. To select between SFP or RJ-45 for port gig 0/0, use the media-type command. More details follow in the “Selecting the Port for the Gigabit Ethernet Interface” section on page 6.

The following are two examples of configurations for the Gigabit Ethernet (GE) interface. The first example shows a sample configuration for RJ-45 mode, applicable to either port gig 0/0 or port gig 0/1:

interface GigabitEthernet0/0
 ip address 1.3.153.13 255.0.0.0
 duplex auto
 speed auto
 media-type RJ-45

SFP mode (on Cisco 3800 series routers only) is available only on port gig 0/0:

interface GigabitEthernet0/0
 ip address 1.3.153.13 255.0.0.0
 duplex auto
 speed auto
 media-type sfp

Selecting the Port for the Gigabit Ethernet Interface

The SFP port is supported for the GE port 0 only. GE port 1 supports only RJ-45 (or copper mode) operation.

To select SFP type for GE port 0, use the following commands from the command-line interface (CLI):

router(config)# int gigabitEthernet 0/0

router(config-if)# media-type sfp

GigabitEthernet0/0: Changing media to SFP.

Note The SFP port can only be set to 1000-Mbps or automatic speed. Duplex can be set to full-duplex or automatic mode. Half-duplex communication is not supported.


The following is a typical show running config command output for gig 0/0:

router# show run int gigabitEthernet 0/0

Building configuration...

Current configuration : 156 bytes
!
interface GigabitEthernet0/0
 no ip address
 load-interval 30
 shutdown
 duplex auto
 speed auto
 media-type sfp
 no cdp enable
end

Flow Control Capabilities

Both the RJ-45 (copper) and SFP (fiber) modes of operation support flow control. This means that during congestion conditions, pause frames are sent to the far end by the Media Access Control (MAC) hardware. Also, the MAC hardware will react to the pause frames received. There is no way in current MAC hardware to track the number of pause frames received or sent.

Flow control is on by default

Currently, there is no command to turn off the flow control capability for any of the Gigabit Ethernet ports in any of the RJ45 or SFP modes.

Speed/Duplex Settings for the Gigabit Ethernet Ports

Typically, speed and/or duplex communications are configured manually using the speed and/or duplex CLI commands.

Note For the SFP port, the speed settings can be set to 1000 Mbps or auto only, and duplex can be set to full or auto only.

The following examples show the available options:

interface gigabitEthernet 0/[0-1]
router(config-if)# speed ?

  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  1000  Force 1000 Mbps operation
  auto  Enable AUTO speed configuration

router(config-if)# duplex ?

  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation


If the speed is set to 1000 Mbps, the CLI duplex options change as follows:

router(config-if)# speed 1000
router(config-if)# duplex ?

  auto  Enable AUTO duplex configuration
  full  Force full duplex operation

Similarly, when duplex is set to half, the supported speeds are 10 Mbps, 100 Mbps, or “auto” as shown here:

router(config-if)# speed ?

  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration

If the media type is SFP, the available speed and duplex settings are as follows:

router(config-if)# media-type sfp

GigabitEthernet0/0: Changing media to SFP.
You may need to update the speed and duplex settings for this interface.
router(config-if)# speed ?

  1000  Force 1000 Mbps operation
  auto  Enable AUTO speed configuration

router(config-if)# duplex ?

  auto  Enable AUTO duplex configuration
  full  Force full duplex operation

Note If the speed and duplex setting for g0/0 in SFP mode is speed=1000 and duplex=full, autonegotiation is in forced mode and autonegotiation is turned off. For all other mode settings of speed or duplex for SFP, autonegotiation is turned on. If speed=1000 and duplex=full modes are specified for both g0/0 and g0/1 interfaces in copper mode (RJ-45), autonegotiation is still turned on. This is considered to be in forced mode for speed=1000. This occurrence is per the Annex 28D.5 extensions required for clause 40 (1000-BASE-T) IEEE 802.3. When the speed and duplex modes are forced for 10/100, and full or half modes are forced for g0/0 and g0/1 interfaces, autonegotiation is turned off. If the interfaces are not in forced mode for 10/100 speeds, then autonegotiation will be turned on.

1- or 2-Port Serial Interface Configuration

The following is a sample configuration for a 1- or 2-port serial interface:

Do you want to configure Serial0/0/0 interface? [yes]:

Some encapsulations supported are
ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:


Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data Link Control (HDLC) encapsulation, no further configuration is needed.

No serial cable seen.
Choose mode from (dce/dte) [dte]:

If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable is DCE, you see the following prompt:

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
  0
  1200, 2400, 4800, 9600, 19200, 38400
  56000, 64000, 72000, 125000, 148000, 500000
  800000, 1000000, 1300000, 2000000, 4000000, 8000000
Choose clock rate from above: [2000000]:
Configure IP on this interface? [yes]:
  IP address for this interface: 192.0.0.1
  Subnet mask for this interface [255.0.0.0]:
  Class A network is 2.0.0.0, 8 subnet bits; mask is /8
Configure IPX on this interface? [no]: yes
  IPX network number [8]:

Frame Relay Encapsulation

The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch
  [0] none
  [1] ansi
  [2] cisco
  [3] q933a
Enter lmi-type [2]:

Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if you specify none for the Local Management Interface (LMI) type. If you accept the default or specify another LMI type, the DLCI number is provided by the specified protocol.

Enter the DLCI number for this interface [16]:

Do you want to map a remote machine’s IP address to dlci? [yes]:
  IP address for the remote interface: 192.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
  IPX address for the remote interface: 40.1234.5678

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
  0
  1200, 2400, 4800, 9600, 19200, 38400
  56000, 64000, 72000, 125000, 148000, 500000
  800000, 1000000, 1300000, 2000000, 4000000, 8000000

choose speed from above: [2000000]: 1200
Configure IP on this interface? [yes]:
  IP address for this interface: 192.0.0.1
  Subnet mask for this interface [255.0.0.0]:


Class A network is 2.0.0.0, 8 subnet bits; mask is /8

If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts you for the IPX map:

Do you want to map a remote machine's IPX address to dlci? [yes]:
  IPX address for the remote interface: 40.0060.34c6.90ed

Link Access Procedure, Balanced Encapsulation

The following is a sample of configuration for Link Access Procedure, Balanced (LAPB) encapsulation, selecting either DCE or DTE mode, with DTE as the default:

lapb circuit can be either in dce/dte mode.
Choose either from (dce/dte) [dte]:

X.25 Encapsulation

The following is an example of X.25 encapsulation:

x25 circuit can be either in dce/dte mode.
Choose from either dce/dte [dte]:
Enter local x25 address: 1234

We will need to map the remote x.25 station’s x25 address to the remote station’s IP/IPX address
Enter remote x25 address: 4321

Do you want to map the remote machine’s x25 address to IP address? [yes]:
  IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s x25 address to IPX address? [yes]:
  IPX address for the remote interface: 40.1234.5678

Enter lowest 2-way channel [1]:
Enter highest 2-way channel [64]:
Enter frame window (K) [7]:
Enter Packet window (W) [2]:
Enter Packet size (must be powers of 2) [128]:

ATM Data Exchange Interface Encapsulation

The following is an example of asynchronous transfer mode data exchange interface (ATM-DXI) encapsulation:

Enter VPI number [1]:
Enter VCI number [1]:

Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
  IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
  IPX address for the remote interface: 40.1234.5678

Switched Multimegabit Data Service Encapsulation

The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:

Enter smds address for the local interface: c141.5556.1415

We will need to map the remote smds station’s address to the remote station’s IP/IPX address
Enter smds address for the remote interface: c141.5556.1414


Do you want to map the remote machine’s smds address to IP address? [yes]:
  IP address for the remote interface: 192.0.0.2
Do you want to map the remote machine’s smds address to IPX address? [yes]:
  IPX address for the remote interface: 40.1234.5678

Asynchronous/Synchronous Serial Interface—Asynchronous Configuration

The following is a sample configuration for asynchronous configuration for an asynchronous/synchronous serial interface:

Do you want to configure Serial1/1 interface? [yes]:
Enter mode (async/sync) [sync]: async
Configure IP on this interface? [yes]:
Configure IP unnumbered on this interface? [no]:
  IP address for this interface: 192.0.0.0
  Subnet mask for this interface [255.0.0.0]:
  Class A network is 2.0.0.0, 0 subnet bits; mask is /8
Configure LAT on this interface? [no]:
Configure AppleTalk on this interface? [no]:
Configure DECnet on this interface? [no]:
Configure CLNS on this interface? [no]:
Configure IPX on this interface? [no]: yes
  IPX network number [8]:
Configure Vines on this interface? [no]:
Configure XNS on this interface? [no]:
Configure Apollo on this interface? [no]:

Asynchronous/Synchronous Serial Interface—Synchronous Configuration

The following is a sample configuration for synchronous configuration for an asynchronous/synchronous serial interface:

Do you want to configure Serial1/0 interface? [yes]:
Enter mode (async/sync) [sync]:

Some supported encapsulations are
ppp/hdlc/frame-relay/lapb/x25/atm-dxi/smds
Choose encapsulation type [hdlc]:

Note The following sections describe the prompts for each encapsulation type. For PPP and High-Level Data Link Control (HDLC) encapsulation, no further configuration is needed.

No serial cable seen.
Choose mode from (dce/dte) [dte]:

If no cable is plugged in to your router, you must indicate whether the interface is to be used as DTE or DCE. If a cable is present, the setup command facility determines the DTE/DCE status. If the serial cable is DCE, you see the following prompt:

Configure IP on this interface? [no]: yes
Configure IP unnumbered on this interface? [no]:
  IP address for this interface: 192.0.0.0
  Subnet mask for this interface [255.0.0.0]:
  Class A network is 2.0.0.0, 0 subnet bits; mask is /8
Configure LAT on this interface? [no]:


Frame Relay Encapsulation

The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch:
  [0] none
  [1] ansi
  [2] cisco
  [3] q933a
Enter lmi-type [2]:

Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if you specify none for the Local Management Interface (LMI) type. If you accept the default or specify another LMI type, the DLCI number is provided by the specified protocol.

Enter the DLCI number for this interface [16]:

Do you want to map a remote machine’s IP address to dlci? [yes]:
  IP address for the remote interface: 2.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
  IPX address for the remote interface: 40.1234.5678

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
  0
  1200, 2400, 4800, 9600, 19200, 38400
  56000, 64000, 72000, 125000, 148000, 500000
  800000, 1000000, 1300000, 2000000, 4000000, 8000000

choose speed from above: [2000000]: 1200
Configure IP on this interface? [yes]:
  IP address for this interface: 192.0.0.1
  Subnet mask for this interface [255.0.0.0]:
  Class A network is 2.0.0.0, 8 subnet bits; mask is /8

If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts you for the IPX map:

Do you want to map a remote machine's IPX address to dlci? [yes]:
  IPX address for the remote interface: 40.0060.34c6.90ed

LAPB Encapsulation

The following is an example of configuration for LAPB encapsulation, selecting either DCE or DTE mode, with DTE as the default:

lapb circuit can be either in dce/dte mode.
Choose either from (dce/dte) [dte]:

X.25 Encapsulation

The following is a sample configuration for X.25 encapsulation:

x25 circuit can be either in dce/dte mode.
Choose from either dce/dte [dte]:
Enter local x25 address: 1234

We will need to map the remote x.25 station’s x25 address to the remote station’s IP/IPX address
Enter remote x25 address: 4321


Do you want to map the remote machine’s x25 address to IP address? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s x25 address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678

Enter lowest 2-way channel [1]:
Enter highest 2-way channel [64]:
Enter frame window (K) [7]:
Enter Packet window (W) [2]:
Enter Packet size (must be powers of 2) [128]:

ATM-DXI Encapsulation

The following is a sample configuration for asynchronous transfer mode, data exchange interface (ATM-DXI) encapsulation:

Enter VPI number [1]:
Enter VCI number [1]:

Do you want to map the remote machine’s IP address to vpi and vci? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.1234.5678

SMDS Encapsulation

The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:

Enter smds address for the local interface: c141.5556.1415

We will need to map the remote smds station’s address to the remote station’s IP/IPX address
Enter smds address for the remote interface: c141.5556.1414

Do you want to map the remote machine’s smds address to IP address? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map the remote machine’s smds address to IPX address? [yes]:
IPX address for the remote interface: 40.1234.5678

ISDN Basic Rate Interface Configuration

Valid Integrated Services Digital Network (ISDN) switch types are shown in Table 1.

Table 1 ISDN Switch Types

Country      ISDN Switch Type   Description
Australia    basic-ts013        Australian TS013 switches
Europe       basic-1tr6         German 1TR6 ISDN switches
Europe       basic-nwnet3       Norwegian NET3 ISDN switches (phase 1)
Europe       basic-net3         NET3 ISDN switches (UK and others)
Europe       basic-net5         NET5 switches (UK and others)
Europe       vn2                French VN2 ISDN switches
Europe       vn3                French VN3 ISDN switches
Japan        ntt                Japanese NTT ISDN switches


The following is a sample configuration for ISDN basic rate communication:

BRI interface needs isdn switch-type to be configured
Valid switch types are:
[0] none..........Only if you don't want to configure BRI.
[1] basic-1tr6....1TR6 switch type for Germany
[2] basic-5ess....AT&T 5ESS switch type for the US/Canada
[3] basic-dms100..Northern DMS-100 switch type for US/Canada
[4] basic-net3....NET3 switch type for UK and Europe
[5] basic-ni......National ISDN switch type
[6] basic-ts013...TS013 switch type for Australia
[7] ntt...........NTT switch type for Japan
[8] vn3...........VN3 and VN4 switch types for France

Choose ISDN BRI Switch Type [2]:

Do you want to configure BRI0/0/0 interface? [yes]:

Some encapsulations supported are ppp/hdlc/frame-relay/lapb/x25
Choose encapsulation type [ppp]:

Note The following sections describe the prompts for each encapsulation type. No further configuration is needed for HDLC encapsulation.

Do you have service profile identifiers (SPIDs) assigned? [no]: y
Enter SPID1: 12345
Enter SPID2: 12345

Note The setup command facility prompts you for the service profile identifier (SPID) number only if you specify basic-5ess, basic-ni1, or basic-dms100 for the switch type.

Do you want to map the remote machine's IP address in dialer map? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's IP address in dialer map? [yes]:
IPX address of the remote interface: 40.0060.34c6.90ed

To get to 192.0.0.1 we will need to make a phone call.
Please enter the phone number to call: 1234567890
Configure IP on this interface? [yes]:

Note If your router has at least one configured LAN interface, you can choose to use an unnumbered IP address on the interface.

Configure IP unnumbered on this interface? [no]: y
Assign to which interface [Ethernet0/0]:

Table 1 ISDN Switch Types (continued)

Country         ISDN Switch Type   Description
New Zealand     basic-nznet3       New Zealand NET3 switches
North America   basic-5ess         AT&T basic rate switches
North America   basic-dms100       NT DMS-100 basic rate switches
North America   basic-ni1          National ISDN-1 switches


Note If your router does not have a configured LAN interface, you must use a numbered IP address.

IP address for this interface: 192.0.0.1
Enter the subnet mask [255.0.0.0]:

Point-to-Point Protocol Encapsulation

The following is a sample configuration for point-to-point protocol (PPP) encapsulation:

Would you like to enable multilink PPP [yes]:

Enter a username for CHAP authentication [Router]:remote_router
Enter a password for CHAP authentication: secret

Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP) authentication process, is case sensitive and must exactly match the password for the remote router.

Frame Relay Encapsulation

The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch
[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:

Note The setup command facility prompts you for the DLCI number only if you specify none for the LMI type. If you accept the default or specify another LMI type, the DLCI number is provided by the specified protocol.

Enter the DLCI number for this interface [16]:

Do you want to map a remote machine’s IP address to dlci? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
IPX address for the remote interface: 40.1234.5678

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

choose speed from above: [2000000]: 1200
Configure IP on this interface? [yes]:
IP address for this interface: 192.0.0.1
Subnet mask for this interface [255.0.0.0]:
Class A network is 2.0.0.0, 8 subnet bits; mask is /8

Note If IPX is configured on the router, the setup command facility prompts you for the IPX map:

Do you want to map a remote machine's IPX address to dlci? [yes]:


IPX address for the remote interface: 40.0060.34c6.90ed

Link Access Procedure, Balanced Encapsulation

The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation, with DTE mode as the default:

lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:

ATM-DXI Encapsulation

The following is a sample configuration for asynchronous transfer mode data exchange interface (ATM-DXI) encapsulation:

Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

SMDS Encapsulation

The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:

Enter smds address for the local interface: c141.5556.1415

We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414

Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

X.25 Encapsulation

The following is a sample configuration for X.25 encapsulation:

x25 circuit can be either in dce/dte mode.
Choose from either dce/dte [dte]:
Enter local x25 address: 1234

We will need to map the remote x.25 station's x25 address to the remote station’s IP/IPX address
Do you want to map the remote machine's x25 address to IP address? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's x25 address to IPX address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed
Enter remote x25 address: 4321
Enter lowest 2-way channel [1]:
Enter highest 2-way channel [64]:
Enter frame window (K) [7]:
Enter Packet window (W) [2]:
Enter Packet size (must be powers of 2) [128]:


ISDN BRI Line Configuration

Before using a router with an ISDN Basic Rate Interface (BRI), you must order a correctly configured ISDN BRI line from your local telecommunications service provider.

The ordering process varies from provider to provider and from country to country. However, some general guidelines apply:

• Ask for two channels to be called by one number.

• Ask for delivery of calling line identification, also known as Caller ID or automated number identification (ANI).

• If the router will be the only device attached to the ISDN BRI line, ask for point-to-point service and a data-only line.

• If you plan to connect another ISDN device (such as an ISDN telephone) to the ISDN BRI line through the router, ask for point-to-multipoint service (subaddressing is required) and a voice-and-data line.

ISDN BRI Provisioning by Switch Type

ISDN BRI provisioning refers to the types of services provided by the ISDN BRI line. Although provisioning is performed by your ISDN BRI service provider, you must tell the provider what you want.

Table 2 lists the provisioning that you should order for the router, based on switch type.

Table 2 ISDN Provisioning by Switch Type

Switch Type: 5ESS Custom BRI
Provisioning: For data only
• 2 B channels for data.
• Point to point.
• Terminal type = E.
• 1 directory number (DN) assigned by service provider.
• MiniTerm (MTERM) = 1.
• Request delivery of calling line ID on Centrex lines.
• Set speed for ISDN calls to 56 kbps outside local exchange.

Switch Type: 5ESS Custom BRI
Provisioning: For voice and data (Use these values only if you have an ISDN telephone connected.)
• 2 B channels for voice or data.
• Multipoint.
• Terminal type = D.
• 2 directory numbers assigned by service provider.
• 2 service profile identifiers (SPIDs) required, assigned by service provider.
• MTERM = 2.
• Number of call appearances = 1.
• Display = No.
• Ringing/idle call appearances = idle.
• Autohold = no.
• Onetouch = no.
• Request delivery of calling line ID on Centrex lines.
• Set speed for ISDN calls to 56 kbps outside local exchange.
• Directory number 1 can hunt to directory number 2.


Defining ISDN Service Profile Identifiers

Some service providers assign service profile identifiers (SPIDs) to define the services subscribed to by an ISDN device. If your service provider requires SPIDs, your ISDN device cannot place or receive calls until it sends a valid SPID to the service provider when initializing the connection. A SPID is usually a seven-digit telephone number plus some optional numbers, but service providers may use different numbering schemes. SPIDs have significance at the local access ISDN interface only; the SPID is never sent to remote routers.

At present, only DMS-100 and NI-1 switch types require SPIDs. Two SPIDs are assigned for the DMS-100 switch type, one for each B channel. The AT&T 5ESS switch type may support SPIDs, but we recommend that you set up that ISDN service without SPIDs.

If your service provider assigns you SPIDs, you must define these SPIDs on the router. To define SPIDs and the local directory number (LDN) on the router for both ISDN BRI B channels, use the following isdn spid command in privileged EXEC mode:

Router(config-if)# isdn spid1 spid-number [ldn]

Router(config-if)# isdn spid2 spid-number [ldn]

Note Although the LDN is an optional parameter in the command, you may need to enter it so that the router can answer calls made to the second directory number.

Table 2 ISDN Provisioning by Switch Type (continued)

Switch Type: 5ESS National ISDN (NI-1) BRI
Provisioning: For voice and data
• Terminal type = A.
• 2 B channels for voice and data.
• 2 directory numbers assigned by service provider.
• 2 SPIDs required; assigned by service provider.
• Set speed for ISDN calls to 56 kbps outside local exchange.
• Directory number 1 can hunt to directory number 2.

Switch Type: DMS-100 BRI
Provisioning: For voice and data
• 2 B channels for voice and data.
• 2 directory numbers assigned by service provider.
• 2 SPIDs required; assigned by service provider.
• Functional signaling.
• Dynamic terminal endpoint identifier (TEID) assignment.
• Maximum number of keys = 64.
• Release key = no, or key number = no.
• Ringing indicator = no.
• Electronic Key Telephone Set (EKTS) = no.
• Permanent Virtual Circuit (PVC) = 2.
• Request delivery of calling line ID on Centrex lines.
• Set speed for ISDN calls to 56 kbps outside local exchange.
• Directory number 1 can hunt to directory number 2.


Channelized E1/T1 ISDN PRI Interface Configuration

Note Channelized E1/T1 ISDN PRI interfaces are not supported on Cisco 1841 routers.

The following is a sample configuration for a channelized E1/T1 ISDN PRI interface:

The following ISDN switch types are available:
[0] none............If you do not want to configure ISDN
[1] primary-4ess....AT&T 4ESS switch type for US and Canada
[2] primary-5ess....AT&T 5ESS switch type for US and Canada
[3] primary-dms100..Northern Telecom switch type for US and Canada
[4] primary-net5....European switch type for NET5
[5] primary-ni......National ISDN Switch type for the U.S
[6] primary-ntt.....Japan switch type
[7] primary-ts014...Australian switch type
Choose ISDN PRI Switch Type [2]:

Configuring controller T1 1/0 in pri or channelized mode
Do you want to configure this interface controller? [no]:
Will you be using PRI on this controller? [yes]:

E1/T1 PRI Mode

The following is a sample configuration for E1/T1 PRI mode:

The following framing types are available:
esf | sf
Enter the framing type [esf]:

The following linecode types are available:
ami | b8zs
Enter the line code type [b8zs]:
Enter number of time slots [24]:

Do you want to configure Serial1/0:23 interface? [yes]:

Configuring the PRI D-channel
Would you like to enable multilink PPP? [yes]:
Configure IP on this interface? [no]: y
Configure IP unnumbered on this interface? [no]: y
Assign to which interface [Ethernet0/0]:

All users dialing in through the PRI will need to be authenticated using CHAP.
The username and password are case sensitive.
Enter more username and passwords for PPP authentication? [no]: y
Enter the username used for dial-in CHAP authentication [Router]:
Enter the PPP password of the user dialing in on PRI:
Enter more username and passwords for PPP authentication? [no]:

E1 Channelized Mode

The following is a sample configuration for E1 channelized mode:

The following framing types are available:
no-crc4 | crc4
Enter the framing type [crc4]:


The following linecode types are available:
ami | hdb3
Enter the line code type [hdb3]:

Do you want to configure Serial1/1:0 interface?: [Yes]:

Configuring the Channelized E1/T1 serial channels

Some encapsulations supported are ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:
Configure IP on this interface? [no]: y
Configure IP unnumbered on this interface? [no]:
IP address for this interface: 3.0.0.1
Subnet mask for this interface [255.0.0.0]:
Class A network is 3.0.0.0, 8 subnet bits; mask is /8

Note The following sections describe the prompts for each encapsulation type. No further configuration is needed for HDLC encapsulation.

PPP Encapsulation

The following is a sample configuration for PPP encapsulation:

Would you like to enable multilink PPP [yes]:

Enter a username for CHAP authentication [Router]:remote_router
Enter a password for CHAP authentication: secret

Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP) authentication process, is case sensitive and must exactly match the password for the remote router.

Frame Relay Encapsulation

The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch
[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:

Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if you specify none for the LMI type. If you accept the default or specify another Local Management Interface (LMI) type, the DLCI number is provided by the specified protocol.

Enter the DLCI number for this interface [16]:

Do you want to map a remote machine’s IP address to dlci? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
IPX address for the remote interface: 40.1234.5678

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
0


1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

choose speed from above: [2000000]: 1200
Configure IP on this interface? [yes]:
IP address for this interface: 192.0.0.1
Subnet mask for this interface [255.0.0.0]:
Class A network is 2.0.0.0, 8 subnet bits; mask is /8

If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts you for the IPX map:

Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

LAPB Encapsulation

The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:

lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:

ATM-DXI Encapsulation

The following is a sample configuration for asynchronous transfer mode data exchange interface (ATM-DXI) encapsulation:

Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

SMDS Encapsulation

The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:

Enter smds address for the local interface: c141.5556.1415

We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414

Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1
Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

X.25 Encapsulation

The following is an example configuration for X.25 encapsulation:

x25 circuit can be either in dce/dte mode.
Choose from either dce/dte [dte]:
Enter local x25 address: 1234

We will need to map the remote x.25 station's x25 address to the remote station’s IP/IPX address
Do you want to map the remote machine's x25 address to IP address? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's x25 address to IPX address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed


Enter remote x25 address: 4321
Enter lowest 2-way channel [1]:
Enter highest 2-way channel [64]:
Enter frame window (K) [7]:
Enter Packet window (W) [2]:
Enter Packet size (must be powers of 2) [128]:

T1 Channelized Mode

The following is a sample configuration for T1 channelized mode:

The following framing types are available:
esf | sf
Enter the framing type [esf]:

The following linecode types are available:
ami | b8zs
Enter the line code type [b8zs]:

T1 is capable of being configured for channel 1-24
Enter number of time slots [24]: 3
Configure more channel groups? [no]: y
Enter number of time slots [21]: 3
Configure more channel groups? [no]: y
Enter number of time slots [18]: 3
Configure more channel groups? [no]: y
Enter number of time slots [15]:
Configure more channel groups? [no]:

Note The following sections describe the prompts for each encapsulation type. No further configuration is needed for High-Level Data Link Control (HDLC) encapsulation.

PPP Encapsulation

The following is a sample configuration for PPP encapsulation:

Would you like to enable multilink PPP [yes]:

Enter a remote hostname for PPP authentication [Router]:
Enter a password for PPP authentication:

Note The password, which is used by the Challenge Handshake Authentication Protocol (CHAP) authentication process, is case sensitive and must exactly match the password for the remote router.
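The note above, which appears in each PPP section, says the CHAP password is case sensitive and must match the remote router exactly. The following added example (not part of the Cisco documentation) shows why: under RFC 1994 the password never crosses the link, only an MD5 hash over the identifier, the shared secret, and a one-time challenge, so any byte difference yields a different response. The class and function names are hypothetical; remote_router and secret are the sample values used at the prompts on this page.

```python
"""CHAP (RFC 1994) exchange between two routers, reduced to the hash logic."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5(Identifier octet || secret || Challenge value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (hypothetical model of the called router)."""

    def __init__(self, secrets_by_name):
        # name -> shared secret, as entered at the setup prompts on each router
        self._secrets = {n: s.encode() for n, s in secrets_by_name.items()}
        self._outstanding = {}  # identifier -> challenge still awaiting a response
        self._next_id = 0

    def challenge(self):
        """Issue a fresh challenge; returns (identifier, challenge value)."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)  # unpredictable value, new for every challenge
        self._outstanding[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        """Check a response; each challenge can be answered only once."""
        value = self._outstanding.pop(ident, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time compare


def exchange(authenticator, peer_name, peer_password):
    """One challenge/response round; returns (accepted, identifier, response)."""
    ident, value = authenticator.challenge()
    response = chap_response(ident, peer_password.encode(), value)
    return authenticator.verify(ident, peer_name, response), ident, response


if __name__ == "__main__":
    auth = Authenticator({"remote_router": "secret"})  # sample values from this page
    print("matching secret:", exchange(auth, "remote_router", "secret")[0])
    print("case differs:   ", exchange(auth, "remote_router", "Secret")[0])
    ok, ident, resp = exchange(auth, "remote_router", "secret")
    print("replayed answer:", auth.verify(ident, "remote_router", resp))
```

Because the challenge is random and consumed on first use, a captured response cannot be replayed against a later challenge. The secret itself is still only as strong as the password chosen at the prompt.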

Frame Relay Encapsulation

The following is a sample configuration for Frame Relay encapsulation:

The following lmi-types are available to be set,
when connected to a frame relay switch
[0] none
[1] ansi
[2] cisco
[3] q933a
Enter lmi-type [2]:


Note The setup command facility prompts you for the data-link connection identifier (DLCI) number only if you specify none for the LMI type. If you accept the default or specify another Local Management Interface (LMI) type, the DLCI number is provided by the specified protocol.

Enter the DLCI number for this interface [16]:

Do you want to map a remote machine’s IP address to dlci? [yes]:
IP address for the remote interface: 2.0.0.2
Do you want to map a remote machine’s IPX address to dlci? [yes]:
IPX address for the remote interface: 40.1234.5678

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.
0
1200, 2400, 4800, 9600, 19200, 38400
56000, 64000, 72000, 125000, 148000, 500000
800000, 1000000, 1300000, 2000000, 4000000, 8000000

choose speed from above: [2000000]: 1200
Configure IP on this interface? [yes]:
IP address for this interface: 192.0.0.1
Subnet mask for this interface [255.0.0.0]:
Class A network is 2.0.0.0, 8 subnet bits; mask is /8

If Internetwork Packet Exchange (IPX) is configured on the router, the setup command facility prompts you for the IPX map:

Do you want to map a remote machine's IPX address to dlci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

LAPB Encapsulation

The following is a sample configuration for Link Access Procedure, Balanced (LAPB) encapsulation:

lapb circuit can be either in dce/dte mode
Choose either from (dce/dte) [dte]:

ATM-DXI Encapsulation

The following is a sample configuration for asynchronous transfer mode data exchange interface (ATM-DXI) encapsulation:

Enter VPI number [1]:
Enter VCI number [1]:
Do you want to map the remote machine's IP address to vpi and vci? [yes]:
IP address for the remote interface: 6.0.0.1
Do you want to map the remote machine's IPX address to vpi and vci? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

SMDS Encapsulation

The following is a sample configuration for switched multimegabit data service (SMDS) encapsulation:

Enter smds address for the local interface: c141.5556.1415

We will need to map the remote smds station's address to the remote station’s IP address
Enter smds address for the remote interface: c141.5556.1414

Do you want to map the remote machine's smds address to IP address? [yes]:
IP address for the remote interface: 192.0.0.1


Do you want to map the remote machine's smds address to IP address? [yes]:
IPX address for the remote interface: 40.0060.34c6.90ed

1-Port, 4-Wire, 56-kbps DSU/CSU Configuration

The switched-56 WAN interface card is configured for dedicated or leased-line service by default, but it can also be configured for circuit-switched service, here known as 1-port, 4-wire 56-kbps DSU/CSU configuration. Depending on the type of data transmissions you typically use, you can configure the switched-56 WAN interface card for either circuit-switched service or dedicated-line service.

Generally, circuit-switched service is ideal for short-duration data transmissions or as an alternative route if a dedicated line fails. For example, circuit-switched service is ideal for sending electronic mail messages or doing such tasks as updating inventory and ordering records from one network database to another at the end of each day.

Dedicated service is ideal for heavy network traffic. Dedicated service is ideal if you need a constant network connection or you need connection for more than eight hours per day.

Switched Mode

The following is a sample configuration for a switched mode interface:

Do you want to configure Serial0/0/0 interface? [yes]:
Some encapsulations supported are ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:

Switched 56k interface may either be in switched/Dedicated mode
Choose from either (switched/dedicated) [switched]:

The following switched carrier types are to be set when in switched mode
(at&t, sprint or other)
Choose carrier (at&t/sprint/other) [other]:

Do you want to map the remote machine's ip address in dialer map? [yes]:
IP address for the remote interface : 1.0.0.2
Do you want to map the remote machine's ipx address in dialer map? [yes]:
IPX address for the remote interface : 40.0060.34c6.90ed

Note The setup command facility asks for only one telephone number for both IP and Internetwork Packet Exchange (IPX) (if enabled).

Please enter the phone number to call : 1234567890
Configure IP on this interface? [yes]:
IP address for this interface: 1.0.0.1
Subnet mask for this interface [255.0.0.0] :
Class A network is 1.0.0.0, 8 subnet bits; mask is /8

Dedicated Mode

The following is a sample configuration for a dedicated mode interface:

Do you want to configure Serial0/0/0 interface? [yes]:

Some encapsulations supported are ppp/hdlc/frame-relay/lapb/atm-dxi/smds/x25
Choose encapsulation type [ppp]:


Switched 56k interface may either be in switched/Dedicated mode
Choose from either (switched/dedicated) [switched]: dedi

When in dds mode, the clock for sw56 module can either from line/internal.
Choose clock from (line/internal) [line]:

Note If the internal clock is selected, speed cannot be set to “auto.” Autosensing is allowed only when the clock source is line.

When in dds mode, the clock for the sw56 module can either be line or internal.
Choose clock from (line/internal) [line]: internal
Warning: internal can be chosen only when connected back-to-back.

Serial interface needs clock rate to be set in dce mode.
The following clock rates are supported on the serial interface.

auto, 2.4, 4.8, 9.6, 19.2, 38.4
56, 64

choose clock rate from above [56]:
Configure IP on this interface? [yes]:
IP address for this interface: 1.0.0.1
Subnet mask for this interface [255.0.0.0] :
Class A network is 1.0.0.0, 8 subnet bits; mask is /8

Completing the Configuration

When you have provided all the information requested by the setup command facility, the configuration appears. To complete your router configuration, follow these steps:

Step 1 A setup command facility prompt asks if you want to save this configuration.

If you answer no, the configuration information you entered is not saved, and you return to the router enable prompt (Router#). Enter setup to return to the System Configuration Dialog.

If you answer yes, the configuration is saved, and you are returned to the user EXEC prompt (Router>).

Use this configuration? {yes/no} : yes
Building configuration...
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started!

%LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
%LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up
%LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
%LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
%LINK-3-UPDOWN: Interface Serial0/2, changed state to down
%LINK-3-UPDOWN: Interface Serial1/0, changed state to up
%LINK-3-UPDOWN: Interface Serial1/1, changed state to down
%LINK-3-UPDOWN: Interface Serial1/2, changed state to down

<Additional messages omitted.>


Step 2 When the messages stop appearing on your screen, press Return to get the Router> prompt.

Note If you see the next message, it means that no other AppleTalk routers were found on the network attached to the port.

%AT-6-ONLYROUTER: Ethernet0/0: AppleTalk port enabled; no neighbors found

Step 3 The Router> prompt indicates that you are now at the command-line interface (CLI) and you have just completed a basic router configuration. Nevertheless, this is not a complete configuration. At this point, you have two choices:

• Run the setup command facility again, and create another configuration.

Router> enable
Password: password
Router# setup

• Modify the existing configuration or configure additional features by using the CLI:

Router> enable
Password: password
Router# configure terminal
Router(config)#

Copyright © 2005 Cisco Systems, Inc. All rights reserved.


Basic Software Configuration Using the Cisco IOS Command-Line Interface

This document describes how to use the Cisco IOS command-line interface (CLI) to perform a basic software configuration for your router.

Contents

• Platforms Supported by This Document

• Prerequisites for Basic Software Configuration Using the Cisco IOS CLI

• Restrictions for Basic Software Configuration Using the Cisco IOS CLI

• How to Perform a Basic Software Configuration Using the Cisco IOS CLI

• Where to Go Next

• Additional References

Platforms Supported by This Document

Use this document with the following platforms:

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers


Prerequisites for Basic Software Configuration Using the Cisco IOS CLI

Follow the instructions in the quick start guide that shipped with your router to install the chassis, connect cables, and power up the router.

Timesaver Before powering up the router, disconnect all WAN cables from the router to keep it from trying to run the AutoInstall process. The router may try to run AutoInstall if you power it on while there is a WAN connection on both ends and the router does not have a valid configuration file stored in NVRAM (for instance, when you add a new interface). It can take several minutes for the router to determine that AutoInstall is not connected to a remote TCP/IP host.

Restrictions for Basic Software Configuration Using the Cisco IOS CLI

If Cisco Router and Security Device Manager (SDM) is installed on your router, we recommend that you use Cisco SDM instead of the Cisco IOS CLI to perform the initial software configuration. To access SDM, see the quick start guide that shipped with your router.

How to Perform a Basic Software Configuration Using the Cisco IOS CLI

This section contains the following procedures:

• Configuring the Router Hostname (Optional)

• Configuring the Enable and Enable Secret Passwords (Required)

• Configuring the Console Idle Privileged EXEC Timeout (Optional)

• Configuring Fast Ethernet and Gigabit Ethernet Interfaces (Required)

• Specifying a Default Route or Gateway of Last Resort (Required)

• Configuring Virtual Terminal Lines for Remote Console Access (Required)

• Configuring the Auxiliary Line (Optional)

• Verifying Network Connectivity (Required)

• Saving Your Router Configuration (Required)

• Saving Backup Copies of Your Configuration and System Image (Optional)


OL-5593-01


Configuring the Router Hostname

The hostname is used in CLI prompts and default configuration filenames. If you do not configure the router hostname, the router uses the factory-assigned default hostname “Router.”

Do not expect capitalization and lowercasing to be preserved in the hostname. Uppercase and lowercase characters are treated as identical by many Internet software applications. It may seem appropriate to capitalize a name as you would ordinarily do, but conventions dictate that computer names appear in all lowercase characters. For more information, see RFC 1178, Choosing a Name for Your Computer.

The name must also follow the rules for Advanced Research Projects Agency Network (ARPANET) hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names must be 63 characters or fewer. For more information, see RFC 1035, Domain Names—Implementation and Specification.

SUMMARY STEPS

1. enable

2. configure terminal

3. hostname name

4. Verify that the router prompt displays your new hostname.

5. end

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 hostname name
Example: Router(config)# hostname myrouter
Purpose: Specifies or modifies the hostname for the network server.

Step 4 Verify that the router prompt displays your new hostname.
Example: myrouter(config)#

Step 5 end
Example: myrouter# end
Purpose: (Optional) Returns to privileged EXEC mode.

What to Do Next

Proceed to the “Configuring the Enable and Enable Secret Passwords” section on page 4.

Configuring the Enable and Enable Secret Passwords

To provide an additional layer of security, particularly for passwords that cross the network or are stored on a TFTP server, you can use either the enable password command or enable secret command. Both commands accomplish the same thing: they allow you to establish an encrypted password that users must enter to access privileged EXEC (enable) mode.

We recommend that you use the enable secret command because it uses an improved encryption algorithm. Use the enable password command only if you boot an older image of the Cisco IOS software or if you boot older boot ROMs that do not recognize the enable secret command.

For more information, see the “Configuring Passwords and Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Improving Security on Cisco Routers tech note.

Restrictions

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
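The difference between the two commands shows up in the saved configuration file. The following Python check is an added example, not part of the Cisco guide: it reports how each enable and line password in a configuration is stored and which enable command is in effect. The sample configuration and its hash strings are constructed placeholders, and the storage type numbers (0 or none for cleartext, 7 for reversible obfuscation, 5 for a salted MD5 hash) are the standard IOS encodings, which this page does not list.

```python
import re
from dataclasses import dataclass

# Constructed sample of a saved configuration; the hash and type 7 strings are
# placeholders, not real credentials and not values from the guide.
SAMPLE_CONFIG = """\
!
hostname myrouter
!
enable secret 5 $1$SALT$PLACEHOLDERHASHPLACEHOLDER
enable password pswd2
!
line con 0
 password 7 0512345678AB
 login
line vty 0 4
 password guessagain
 login
!
"""

# Storage encodings as they appear in a saved IOS configuration (assumption:
# standard IOS type numbers; the guide itself does not list them).
STORAGE = {
    None: "cleartext",
    "0": "cleartext",
    "7": "type 7 (reversible obfuscation)",
    "5": "type 5 (salted MD5 hash)",
}
WEAK = {"cleartext", "type 7 (reversible obfuscation)"}

CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|password)"
    r"(?:\s+level\s+\d+)?"          # optional privilege level
    r"\s+(?:(?P<type>\d)\s+)?"      # optional encoding type digit
    r"(?P<value>\S.*?)\s*$"
)


@dataclass(frozen=True)
class Credential:
    context: str   # "global" or the "line ..." section the entry belongs to
    command: str   # enable secret / enable password / password
    storage: str   # how the value is stored in the file


def parse_credentials(config_text):
    """Return every enable/line password entry with its storage encoding."""
    found, context = [], "global"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented line starts a new section or is a global command.
            context = raw.strip() if raw.startswith("line ") else "global"
        m = CRED_RE.match(raw)
        if m:
            storage = STORAGE.get(m["type"], f"type {m['type']}")
            found.append(Credential(context, m["cmd"], storage))
    return found


def audit(config_text):
    """Return (effective enable command, list of human-readable findings)."""
    creds = parse_credentials(config_text)
    commands = {c.command for c in creds}
    # Restrictions section: enable secret takes precedence when both exist.
    if "enable secret" in commands:
        effective = "enable secret"
    elif "enable password" in commands:
        effective = "enable password"
    else:
        effective = None

    findings = []
    if effective is None:
        findings.append("no enable password or enable secret is configured")
    if effective == "enable password":
        findings.append("privileged EXEC is protected only by enable password")
    if commands >= {"enable secret", "enable password"}:
        findings.append("enable password is unused while enable secret is set; remove it")
    for c in creds:
        if c.storage in WEAK:
            findings.append(f"{c.context}: {c.command} stored as {c.storage}")
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit(SAMPLE_CONFIG)
    print("effective enable credential:", effective)
    for finding in findings:
        print(" -", finding)
```

Run it against a copy of the configuration before that copy is stored on a TFTP server, since every entry it reports as cleartext or type 7 is readable by anyone who can read the file.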

SUMMARY STEPS

1. enable

2. configure terminal

3. enable password password

4. enable secret password

5. end

6. enable

7. end

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 enable password password
Example: Router(config)# enable password pswd2
Purpose: (Optional) Sets a local password to control access to various privilege levels.
• We recommend that you perform this step only if you boot an older image of the Cisco IOS software or if you boot older boot ROMs that do not recognize the enable secret command.

Step 4 enable secret password
Example: Router(config)# enable secret greentree
Purpose: Specifies an additional layer of security over the enable password command.
• Do not use the same password that you entered in Step 3.

Step 5 end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 6 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Verify that your new enable or enable secret password works.

Step 7 end
Example: Router(config)# end
Purpose: (Optional) Returns to privileged EXEC mode.

Troubleshooting Tips

If you forget the password that you configured, or if you cannot access privileged EXEC (enable) mode, see the Password Recovery Procedures for your router, available at http://www.cisco.com/warp/public/474.

What to Do Next

If you want to set the console interface privileged EXEC timeout to a value other than 10 minutes (the default), proceed to the “Configuring the Console Idle Privileged EXEC Timeout” section on page 5.

If you do not wish to change the privileged EXEC timeout, proceed to the “Specifying a Default Route or Gateway of Last Resort” section on page 9.

Configuring the Console Idle Privileged EXEC Timeout

This section describes how to configure the console line’s idle privileged EXEC timeout. By default, the privileged EXEC command interpreter waits 10 minutes to detect user input before timing out.

When you configure the console line, you can also set communication parameters, specify autobaud connections, and configure terminal operating parameters for the terminal that you are using. For more information on configuring the console line, see the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide. In particular, see the “Configuring Operating Characteristics for Terminals” and “Troubleshooting and Fault Management” chapters.

SUMMARY STEPS

1. enable

2. configure terminal

3. line console 0

4. exec-timeout minutes [seconds]

5. end

6. show running-config

7. exit

Note The exec-timeout command or any change to the exec-command value is triggered only after you exit from EXEC mode and log in again.

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 line console 0
Example: Router(config)# line console 0
Purpose: Configures the console line and starts the line configuration command collection mode.

Step 4 exec-timeout minutes [seconds]
Example: Router(config-line)# exec-timeout 0 0
Purpose: Sets the idle privileged EXEC timeout, which is the interval that the privileged EXEC command interpreter waits until user input is detected.
• The example shows how to specify no timeout.

Step 5 end
Example: Router(config-line)# end
Purpose: Returns to privileged EXEC mode.

Step 6 show running-config
Example: Router# show running-config
Purpose: Displays the running configuration file.
• Verify that you properly configured the idle privileged EXEC timeout.

Step 7 exit
Example: Router# exit
Purpose: Exits privileged EXEC mode.

Note For the exec-timeout command to take effect, you must exit from EXEC mode and log in again.

Examples

The following example shows how to set the console idle privileged EXEC timeout to 2 minutes 30 seconds:

line console
 exec-timeout 2 30

The following example shows how to set the console idle privileged EXEC timeout to 10 seconds:

line console
 exec-timeout 0 10

What to Do Next

Proceed to the “Configuring Fast Ethernet and Gigabit Ethernet Interfaces” section on page 7.

Configuring Fast Ethernet and Gigabit Ethernet Interfaces

This section shows how to assign an IP address and interface description to an Ethernet interface on your router.

For comprehensive configuration information on Fast Ethernet and Gigabit Ethernet interfaces, see the “Configuring LAN Interfaces” chapter of the Cisco IOS Interface and Hardware Component Configuration Guide.

For information on interface numbering, see the quick start guide that shipped with your router.

Note Cisco 1841 and Cisco 2801 routers have a hardware limitation on the Fast Ethernet ports FE0/0 and FE0/1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5 Mbps in each direction), the interface will experience excessive collisions and reset once per second. To avoid this problem, traffic must be limited to less than 100% of capacity.

SUMMARY STEPS

1. enable

2. show ip interface brief

3. configure terminal

4. interface {fastethernet | gigabitethernet} 0/port

5. description string

6. ip address ip-address mask

7. no shutdown

8. end

9. show ip interface brief

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 show ip interface brief
Example: Router# show ip interface brief
Purpose: Displays a brief status of the interfaces that are configured for IP.
• Learn which type of Ethernet interface is on your router: Fast Ethernet or Gigabit Ethernet.

Step 3 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 4 interface {fastethernet | gigabitethernet} 0/port
Example: Router(config)# interface fastethernet 0/1
Example: Router(config)# interface gigabitethernet 0/0
Purpose: Specifies the Ethernet interface and enters interface configuration mode.
Note For information on interface numbering, see the quick start guide that shipped with your router.

Step 5 description string
Example: Router(config-if)# description FE int to 2nd floor south wing
Purpose: (Optional) Adds a description to an interface configuration.
• The description helps you remember what is attached to this interface. The description can be useful for troubleshooting.

Step 6 ip address ip-address mask
Example: Router(config-if)# ip address 172.16.74.3 255.255.255.0
Purpose: Sets a primary IP address for an interface.

Step 7 no shutdown
Example: Router(config-if)# no shutdown
Purpose: Enables an interface.

Step 8 end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 9 show ip interface brief
Example: Router# show ip interface brief
Purpose: Displays a brief status of the interfaces that are configured for IP.
• Verify that the Ethernet interfaces are up and configured correctly.

Examples

Configuring the Fast Ethernet Interface: Example

!
interface FastEthernet0/0
 description FE int to HR group
 ip address 172.16.3.3 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!

Sample Output for the show ip interface brief Command

Router# show ip interface brief

Interface          IP-Address    OK?  Method  Status                 Protocol
FastEthernet0/0    172.16.3.3    YES  NVRAM   up                     up
FastEthernet0/1    unassigned    YES  NVRAM   administratively down  down
Router#

What to Do Next

Proceed to the “Specifying a Default Route or Gateway of Last Resort” section on page 9.

Specifying a Default Route or Gateway of Last Resort

This section describes how to specify a default route with IP routing enabled. For alternative methods of specifying a default route, see the Configuring a Gateway of Last Resort Using IP Commands tech note.

The Cisco IOS software uses the gateway (router) of last resort if it does not have a better route for a packet and if the destination is not a connected network. This section describes how to select a network as a default route (a candidate route for computing the gateway of last resort). The way in which routing protocols propagate the default route information varies for each protocol.

For comprehensive configuration information about IP routing and IP routing protocols, see the Cisco IOS IP Configuration Guide. In particular, see the “Configuring IP Addressing” chapter and all “Part 2: IP Routing Protocols” chapters.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip routing

4. ip route dest-prefix mask next-hop-ip-address [admin-distance] [permanent]

5. ip default-network network-number or ip route dest-prefix mask next-hop-ip-address

6. end

7. show ip route

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 ip routing
Example: Router(config)# ip routing
Purpose: Enables IP routing.

Step 4 ip route dest-prefix mask next-hop-ip-address [admin-distance] [permanent]
Example: Router(config)# ip route 192.168.24.0 255.255.255.0 172.28.99.2
Purpose: Establishes a static route.

Step 5 ip default-network network-number
or
ip route dest-prefix mask next-hop-ip-address
Example: Router(config)# ip default-network 192.168.24.0
Example: Router(config)# ip route 0.0.0.0 0.0.0.0 172.28.99.1
Purpose: Selects a network as a candidate route for computing the gateway of last resort.
Creates a static route to network 0.0.0.0 0.0.0.0 for computing the gateway of last resort.

Step 6 end
Example: Router(config)# end
Purpose: Returns to privileged EXEC mode.

Step 7 show ip route
Example: Router# show ip route
Purpose: Displays the current routing table information.
• Verify that the gateway of last resort is set.

Examples

Specifying a Default Route: Example

!
ip routing
!
ip route 192.168.24.0 255.255.255.0 172.28.99.2
!
ip default-network 192.168.24.0
!

Sample Output for the show ip route Command

Router# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

Gateway of last resort is 172.28.99.2 to network 192.168.24.0

     172.24.0.0 255.255.255.0 is subnetted, 1 subnets
C       172.24.192.0 is directly connected, FastEthernet0
S    172.24.0.0 255.255.0.0 [1/0] via 172.28.99.0
S*   192.168.24.0 [1/0] via 172.28.99.2
     172.16.0.0 255.255.255.0 is subnetted, 1 subnets
C       172.16.99.0 is directly connected, FastEthernet1
Router#

What to Do Next

Proceed to the “Configuring Virtual Terminal Lines for Remote Console Access” section on page 12.

Configuring Virtual Terminal Lines for Remote Console Access

Virtual terminal (vty) lines are used to allow remote access to the router. This section shows you how to configure the virtual terminal lines with a password, so that only authorized users can remotely access the router.

The router has five virtual terminal lines by default. However, you can create additional virtual terminal lines as described in the chapter “Configuring Protocol Translation and Virtual Asynchronous Devices” in the Cisco IOS Terminal Services Configuration Guide.

For more information on line passwords and password encryption, see the “Configuring Passwords and Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Cisco IOS Password Encryption Facts tech note.

If you want to secure the vty lines with an access list, see the “Traffic Filtering and Virus Protection” chapter in the Cisco IOS Security Configuration Guide.
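The following Python check is an added example, not part of the Cisco guide: it reads the line sections of a configuration and reports a disabled idle timeout (exec-timeout 0 0, as in the console timeout procedure) and any vty line that lacks the password and login commands configured in this section. The sample configuration is constructed, and the check assumes the line-password method shown on this page and the defaults it states (10-minute timeout, five vty lines).

```python
import re

# Constructed sample configuration (not from the guide): the console timeout is
# disabled and only three of the five default vty lines carry a password.
SAMPLE_CONFIG = """\
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 2
 exec-timeout 2 30
 password guessagain
 login
line vty 3 4
 login
!
"""

DEFAULT_TIMEOUT = (10, 0)   # the guide states a 10-minute default
DEFAULT_VTY_LINES = 5       # the guide states five vty lines by default

LINE_RE = re.compile(
    r"^line (?P<kind>con|console|aux|vty) (?P<first>\d+)(?: (?P<last>\d+))?\s*$"
)
TIMEOUT_RE = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")


def parse_lines(config_text):
    """Return one dict per 'line ...' section with the settings this page configures."""
    sections, current = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented command closes the previous section.
            m = LINE_RE.match(raw)
            current = None
            if m:
                first = int(m["first"])
                last = int(m["last"]) if m["last"] else first
                kind = "con" if m["kind"] == "console" else m["kind"]
                current = {"kind": kind, "first": first, "last": last,
                           "timeout": DEFAULT_TIMEOUT,
                           "password": False, "login": False}
                sections.append(current)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        t = TIMEOUT_RE.match(cmd)
        if t:
            current["timeout"] = (int(t[1]), int(t[2] or 0))
        elif cmd.startswith("password "):
            current["password"] = True
        elif cmd == "login" or cmd.startswith("login "):
            current["login"] = True
    return sections


def audit_lines(config_text, vty_count=DEFAULT_VTY_LINES):
    """Return findings for idle timeouts and vty password coverage."""
    findings = []
    protected = set()
    for s in parse_lines(config_text):
        name = f"line {s['kind']} {s['first']}"
        if s["last"] != s["first"]:
            name += f" {s['last']}"
        if s["timeout"] == (0, 0):
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        if s["kind"] == "vty":
            if s["password"] and s["login"]:
                protected.update(range(s["first"], s["last"] + 1))
            else:
                missing = [k for k in ("password", "login") if not s[k]]
                findings.append(f"{name}: missing {' and '.join(missing)}")
    # Every vty line must be covered, not just the first range configured.
    uncovered = sorted(set(range(vty_count)) - protected)
    if uncovered:
        findings.append("vty lines without password checking: "
                        + ", ".join(map(str, uncovered)))
    return findings


if __name__ == "__main__":
    for finding in audit_lines(SAMPLE_CONFIG):
        print(finding)
```

Pass the number reported by line vty ? as vty_count when the router has more than the five default lines.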

SUMMARY STEPS

1. enable

2. configure terminal

3. line vty line-number [ending-line-number]


4. password password

5. login

6. end

7. show running-config

8. From another network device, attempt to open a Telnet session to the router.

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 line vty line-number [ending-line-number]
Example: Router(config)# line vty 0 4
Purpose: Starts the line configuration command collection mode for the virtual terminal lines (vty) for remote console access.
• Make sure that you configure all vty lines on your router.
Note To verify the number of vty lines on your router, use the line vty ? command.

Step 4 password password
Example: Router(config-line)# password guessagain
Purpose: Specifies a password on a line.

Step 5 login
Example: Router(config-line)# login
Purpose: Enables password checking at login.

Step 6 end
Example: Router(config-line)# end
Purpose: Returns to privileged EXEC mode.

Step 7 show running-config
Example: Router# show running-config
Purpose: Displays the running configuration file.
• Verify that you properly configured the virtual terminal lines for remote access.

Step 8 From another network device, attempt to open a Telnet session to the router.
Example: Router# 172.16.74.3
Password:
Purpose: Verifies that you can remotely access the router and that the virtual terminal line password is correctly configured.

Examples

The following example shows how to configure virtual terminal lines with a password:

!
line vty 0 4
 password guessagain
 login
!

What to Do Next

After you configure the vty lines, follow these steps:

• (Optional) To encrypt the virtual terminal line password, see the “Configuring Passwords and Privileges” chapter in the Cisco IOS Security Configuration Guide. Also see the Cisco IOS Password Encryption Facts tech note.

• (Optional) To secure the VTY lines with an access list, see “Part 3: Traffic Filtering and Firewalls” in the Cisco IOS Security Configuration Guide.

• To continue with the basic software configuration for your router, proceed to the “Configuring the Auxiliary Line” section on page 14.

Configuring the Auxiliary Line

This section describes how to enter line configuration mode for the auxiliary line. How you configure the auxiliary line depends on your particular implementation of the auxiliary (AUX) port. See the following documents for information on configuring the auxiliary line:

Configuring a Modem on the AUX Port for EXEC Dialin Connectivity, tech note http://www.cisco.com/warp/public/471/mod-aux-exec.html

Configuring Dialout Using a Modem on the AUX Port, sample configuration http://www.cisco.com/warp/public/471/mod-aux-dialout.html

Connecting a SLIP/PPP Device to a Router’s AUX Port, tech note http://www.cisco.com/warp/public/701/6.html

Configuring AUX-to-AUX Port Async Backup with Dialer Watch, sample configuration http://www.cisco.com/warp/public/471/aux-aux-watch.html

Modem-Router Connection Guide, tech note http://www.cisco.com/warp/public/76/9.html

SUMMARY STEPS

1. enable

2. configure terminal

3. line aux 0

4. See the tech notes and sample configurations to configure the line for your particular implementation of the AUX port.

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3 line aux 0
Example: Router(config)# line aux 0
Purpose: Starts the line configuration command collection mode for the auxiliary line.

Step 4 See the tech notes and sample configurations to configure the line for your particular implementation of the AUX port.

What to Do Next

Proceed to the “Verifying Network Connectivity” section on page 15.

Verifying Network Connectivity

This section describes how to verify network connectivity for your router.

Prerequisites

• Complete all previous configuration tasks in this document.

• The router must be connected to a properly configured network host.

SUMMARY STEPS

1. enable

2. ping [ip-address | hostname]

3. telnet {ip-address | hostname}

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 ping [ip-address | hostname]
Example: Router# ping 172.16.74.5
Purpose: Diagnoses basic network connectivity.
• To verify connectivity, ping the next hop router or connected host for each configured interface.

Step 3 telnet {ip-address | hostname}
Example: Router# telnet 10.20.30.40
Purpose: Logs in to a host that supports Telnet.
• If you want to test the vty line password, perform this step from a different network device, and use your router’s IP address.

Examples

The following display shows sample output for the ping command when you ping the IP address 192.168.7.27:

Router# ping

Protocol [ip]:
Target IP address: 192.168.7.27
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/2/4 ms

The following display shows sample output for the ping command when you ping the IP hostname donald:

Router# ping donald

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/3/4 ms

What to Do Next

Proceed to the “Saving Your Router Configuration” section on page 17.

Saving Your Router Configuration

This section describes how to avoid losing your configuration at the next system reload or power cycle by saving the running configuration to the startup configuration in NVRAM.

SUMMARY STEPS

1. enable

2. copy running-config startup-config

DETAILED STEPS

Step 1 enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2 copy running-config startup-config
Example: Router# copy running-config startup-config
Purpose: Saves the running configuration to the startup configuration.

What to Do Next

Proceed to the “Saving Backup Copies of Your Configuration and System Image” section on page 17.

Saving Backup Copies of Your Configuration and System Image

To aid file recovery and minimize downtime in case of file corruption, we recommend that you save backup copies of the startup configuration file and the Cisco IOS software system image file on a server.

For more detailed information, see the “Managing Configuration Files” chapter and the “Loading and Maintaining System Images” chapter of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.

SUMMARY STEPS

1. enable

2. copy nvram:startup-config {ftp: | rcp: | tftp:}

3. show flash:

4. copy flash: {ftp: | rcp: | tftp:}

DETAILED STEPS

Command or Action Purpose

Step 1 enable

Example: Router> enable

Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2 copy nvram:startup-config {ftp: | rcp: | tftp:}

Example: Router# copy nvram:startup-config ftp:

Copies the startup configuration file to a server.

• The configuration file copy can serve as a backup copy.

• Enter the destination URL when prompted.

Step 3 show flash:

Example: Router# show flash:

Displays the layout and contents of a flash memory file system.

• Learn the name of the system image file.

Step 4 copy flash: {ftp: | rcp: | tftp:}

Example: Router# copy flash: ftp:

Copies a file from flash memory to a server.

• Copy the system image file to a server to serve as a backup copy.

• Enter the filename and destination URL when prompted.

Examples

Copying the Startup Configuration to a TFTP Server: Example

The following example shows the startup configuration being copied to a TFTP server:

Router# copy nvram:startup-config tftp:

Remote host[]? 172.16.101.101

Name of configuration file to write [rtr2-confg]? <cr>
Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>
![OK]

Copying from Flash Memory to a TFTP Server: Example

The following example shows the use of the show flash: command in privileged EXEC mode to learn the name of the system image file and the use of the copy flash: tftp: privileged EXEC command to copy the system image (c3640-c2is-mz) to a TFTP server. The router uses the default username and password.

Router# show flash:

System flash directory:
File Length Name/status
1 4137888 c3640-c2is-mz
[4137952 bytes used, 12639264 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)\

Router# copy flash: tftp:

IP address of remote host [255.255.255.255]? 172.16.13.110
filename to write on tftp host? c3600-c2is-mz
writing c3640-c2is-mz !!!!...
successful ftp write.

Where to Go Next

• When you complete the basic software configuration, consider implementing routing protocols or access lists and other security-improving methods to protect your router. See the documents listed in the “Related Documents—Additional Configuration” section on page 20.

• To configure features on your router, see Finding Feature Documentation.

Additional References

The following sections provide references related to basic software configuration using the Cisco IOS CLI.

Related Documents—Basic Software Configuration

Topic | Related Document Title or Link

Chassis installation, cable connections, power-up procedures, and interface numbering | Quick start guide for your router

Cisco Security Device Manager (SDM) | http://www.cisco.com/go/sdm

Guidelines for assigning the router hostname | RFC 1035, Domain Names—Implementation and Specification; RFC 1178, Choosing a Name for Your Computer

Access lists, passwords, and privileges | Cisco IOS Security Configuration Guide

Password recovery procedures for Cisco products | Password Recovery Procedures

Configuring the console line, managing configuration files, and loading and maintaining system images | Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

Configuring interfaces | Cisco IOS Interface and Hardware Component Configuration Guide

IP routing and IP routing protocols | Cisco IOS IP Configuration Guide

Configuring default routes or a gateway of last resort | Configuring a Gateway of Last Resort Using IP Commands tech note

Configuring virtual terminal lines | Cisco IOS Terminal Services Configuration Guide

Configuring the auxiliary (AUX) port | Configuring a Modem on the AUX Port for EXEC Dialin Connectivity, tech note; Configuring Dialout Using a Modem on the AUX Port, sample configuration; Connecting a SLIP/PPP Device to a Router’s AUX Port, tech note; Configuring AUX-to-AUX Port Async Backup with Dialer Watch, sample configuration; Modem-Router Connection Guide, tech note

Related Documents—Additional Configuration

Topic | Related Document Title or Link

Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, to improve security | Improving Security on Cisco Routers tech note

Note To view this document, you must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

IP routing and IP routing protocols | Cisco IOS IP Configuration Guide

Access lists | Cisco IOS Security Configuration Guide

Technical Assistance

Description | Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/public/support/tac/home.shtml


Copyright © 2005 Cisco Systems, Inc. All rights reserved.


Secured Branch Router Configuration Example

Contents

• Introduction

• Before You Begin

• Configure

• Verify

• Troubleshoot

• Related Information

Introduction

This document provides a sample configuration for securing a branch router by implementing the following features:

• Context-Based Access Control (CBAC)—CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if the traffic is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.

• Cisco IOS Intrusion Prevention System (IPS)—The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS) signatures, providing customers with the latest available detection of security threats.

• Cisco IOS Firewall Authentication Proxy—Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Per-user authentication and authorization of connections provide more robust protection against network attacks.


• Firewall Websense URL Filtering—The Firewall Websense URL Filtering feature enables your Cisco IOS firewall (also known as Cisco Secure Integrated Software) to interact with the Websense URL filtering software, thereby allowing you to prevent users from accessing specified websites on the basis of some policy. The Cisco IOS firewall works with the Websense server to know whether a particular URL should be allowed or denied (blocked).

Before You Begin

Conventions

For more information on document conventions, see Conventions Used in Cisco Technical Tips.

Components Used

The information in this document is based on the software and hardware versions below.

• Cisco 2801 router

• Cisco IOS Release 12.3(8)T4

• Advanced IP Services feature set

Note The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the following hardware:

• Cisco 1800 series integrated services router (modular)

• Cisco 2800 series integrated services router

• Cisco 3800 series integrated services router

A similar configuration can also be used with a Cisco 3800 series integrated services router that is equipped with a Cisco Content Engine network module (NM-CE-BP), which has an embedded Websense URL filtering server (UFS).

Configure

In this section, you are presented with the information to configure the features described in this document.

Tip To find additional information on the commands used in this document, use the Command Lookup Tool. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Network Diagram

This document uses the network setup shown in the diagram below.

[Figure: network diagram. The branch office PC (192.168.1.118/24) and the Websense URL Filtering Server (UFS) (192.168.1.116/24) are on the FE 0/0 side (192.168.1.2/24) of the secured branch router; the Cisco Secure Authentication Control Server (ACS) (192.168.101.119/24) is on the FE 0/1 side (192.168.101.2/24).]

Not shown in the diagram is an HTTP server with IP address 192.168.102.119/24. The HTTP server may be located anywhere in the network. In this case, it is on the Fast Ethernet 0/1 side of the secured branch router.

Configurations

This document uses the configuration shown below.

router# show running-config
Building configuration...
...
!---Enable the authentication, authorization, and accounting (AAA) access control model.
aaa new-model
!
!---Identify the Cisco Secure Authentication Control Server (ACS) as a member of a
!---AAA server group. In this example, the AAA server group is called “SJ.”
aaa group server tacacs+ SJ
 server 192.168.101.119
!
!---Enable AAA authentication at login and specify the authentication methods to try.
aaa authentication login default local group SJ none

!---Restrict user access to the network:
!---(a) Run authorization to determine if the user is allowed to run an EXEC shell.
!---(b) Enable authorization that applies specific security policies on a per-user basis.
!---You must use the “aaa authorization auth-proxy” command together with the
!---“ip auth-proxy <name>” command (later in this configuration). Together, these
!---commands set up the authorization policy to be retrieved by the firewall.
aaa authorization exec default group SJ none
aaa authorization auth-proxy default group SJ
!---Make sure that the same session ID is used for each AAA accounting service type
!---within a call.
aaa session-id common
...
!---Define a set of inspection rules. In this example, the set is called “myfw.”
!---Include each protocol that you want the Cisco IOS firewall to inspect.
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http urlfilter timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
!
!---(Optional) Set the length of time an authentication cache entry, along with its
!---associated dynamic user access control list, is managed after a period of inactivity.
ip auth-proxy inactivity-timer 120
!---Create an authentication proxy rule; in this example it is named “aprule.”
!---Set HTTP to trigger the authentication proxy.
ip auth-proxy name aprule http
!
!---Configure the Cisco IOS Intrusion Protection System (IPS) feature:
!---Specify the location from which the router loads the Signature Definition File (SDF).
!---(Optional) Specify the maximum number of event notifications that are placed
!---in the router's event queue.
!---Disable the audit of any signatures that your deployment scenario deems unnecessary.
!---Name the IPS rule, so that you can apply the rule to an interface.
!---Later in this example, this rule (named “ids-policy”) is applied to FE 0/0.
ip ips sdf location tftp://192.168.1.3/attack-drop.sdf
ip ips po max-events 100
ip ips signature 1107 0 disable
ip ips signature 3301 0 disable
ip ips name ids-policy
!
!---Configure the Firewall Websense URL Filtering feature:
!---(Optional) Set the maximum number of destination IP addresses that can be cached
!---into the cache table, which consists of the most recently requested IP addresses
!---and respective authorization status for each IP address.
!---Specify domains for which the firewall should permit or deny all traffic
!---without sending lookup requests to the Firewall Websense URL filtering server (UFS).
!---Specify the IP address of the Firewall Websense UFS.
ip urlfilter cache 0
ip urlfilter exclusive-domain permit www.cisco.com
ip urlfilter server vendor websense 192.168.1.116
...


!---Configure the firewall interface that connects to the branch office PCs
!---and the Firewall Websense UFS:
!---Apply access lists and inspection rules to control access to the interface.
!---In this example, access list 116 is used to filter outbound packets, and
!---the inspection rule named “myfw” is used to filter inbound packets.
!---Enable the authentication proxy rule for dynamic, per-user authentication
!---and authorization. See the previous “aaa authorization auth-proxy default group SJ”
!---and “ip auth-proxy name aprule http” command entries.
!---Apply the Cisco IPS rule to outbound traffic.
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group 116 out
 ip inspect myfw in
 ip auth-proxy aprule
 ip ips ids-policy out
...
!---Configure the interface that connects to the
!---Cisco Secure Authentication Control Server (Cisco Secure ACS).
!---Apply access lists to control access to the interface.
!---In this example, access list 111 is used to filter inbound packets.
interface FastEthernet0/1
 ip address 192.168.101.2 255.255.255.0
 ip access-group 111 in
...
ip classless
!---The following command establishes a static route to the HTTP server,
!---which in this example has an IP address of 192.168.102.119.
ip route 192.168.102.0 255.255.255.0 FastEthernet0/1
!
!---Enable the HTTP server on your system.
!---Also, specify that the authentication method used for AAA login service
!---should be used for authenticating HTTP server users.
ip http server
ip http authentication aaa
no ip http secure-server
!
!---Configure the access list for the interface that connects to the
!---Cisco Secure ACS.
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
!---Configure the access list for the firewall interface that connects to the
!---branch office PCs and the Websense URL Filtering Server (UFS).
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
!
!


!---Specify the Cisco Secure ACS, in this case a TACACS+ server.
!---Set the authentication encryption key used for all TACACS+ communications
!---between the access server and the TACACS+ daemon. This key must match the key
!---used on the TACACS+ daemon.
tacacs-server host 192.168.101.119
tacacs-server directed-request
tacacs-server key cisco
!
...
end
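Access lists 111 and 116 in the configuration above are matched top-down: the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny. The following Python sketch is an added example, not part of the Cisco document; it parses the access-list lines copied from this configuration and evaluates sample packets against them. The sample packets and all function names are constructed for illustration.

```python
"""First-match evaluation of access lists 111 and 116 from the configuration above."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords that appear in the page's ACL lines.
PORT_KEYWORDS = {"www": 80, "tacacs": 49}

# ACL entries copied from the running configuration shown above.
ACL_TEXT = """\
access-list 111 permit tcp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit udp host 192.168.101.119 eq tacacs host 192.168.101.2
access-list 111 permit icmp any any
access-list 111 deny ip any any
access-list 116 permit tcp host 192.168.1.118 host 192.168.1.2 eq www
access-list 116 deny tcp host 192.168.1.118 any
access-list 116 deny udp host 192.168.1.118 any
access-list 116 deny icmp host 192.168.1.118 any
access-list 116 permit tcp 192.168.1.0 0.0.0.255 any
access-list 116 permit udp 192.168.1.0 0.0.0.255 any
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any
"""


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Endpoint:
    base: int             # address the packet is compared with
    wildcard: int         # IOS wildcard mask: 1 bits are "don't care"
    port: Optional[int]   # port from "eq", or None when no port is tested

    def matches(self, ip: str, port: Optional[int]) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        if (ip_to_int(ip) ^ self.base) & care:
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp" or "icmp"
    src: Endpoint
    dst: Endpoint


def take_endpoint(tokens: List[str]) -> Endpoint:
    """Consume 'any', 'host A' or 'A WILDCARD', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word == "any":
        base, wildcard = 0, 0xFFFFFFFF
    elif word == "host":
        base, wildcard = ip_to_int(tokens.pop(0)), 0
    else:
        base, wildcard = ip_to_int(word), ip_to_int(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORT_KEYWORDS.get(name) or int(name)
    return Endpoint(base, wildcard, port)


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Group 'access-list N ...' lines by list number, keeping their order."""
    acls: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
        src = take_endpoint(rest)
        dst = take_endpoint(rest)
        if rest:
            raise ValueError(f"unsupported ACL syntax: {line!r}")
        acls.setdefault(number, []).append(Entry(action, proto, src, dst))
    return acls


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             sport: Optional[int] = None,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); ('deny', None) is the implicit deny."""
    for number, entry in enumerate(entries, start=1):
        if (entry.proto in ("ip", proto) and entry.src.matches(src, sport)
                and entry.dst.matches(dst, dport)):
            return entry.action, number
    return "deny", None


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample packets: (acl, proto, src, dst, sport, dport).
    samples = [
        (116, "tcp", "192.168.1.118", "192.168.1.2", 1900, 80),
        (116, "tcp", "192.168.1.118", "192.168.102.119", 1900, 80),
        (116, "tcp", "192.168.1.50", "192.168.102.119", 1087, 80),
        (111, "tcp", "192.168.101.119", "192.168.101.2", 49, 11000),
        (111, "tcp", "192.168.101.119", "192.168.101.2", 1025, 23),
    ]
    for acl, proto, src, dst, sport, dport in samples:
        print(acl, proto, src, sport, "->", dst, dport,
              evaluate(ACLS[acl], proto, src, dst, sport, dport))
```

Moving the subnet-wide permit entries of list 116 ahead of the host 192.168.1.118 entries would make those host entries unreachable, which the evaluator shows when the list is reordered.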

Verify

This section provides information you can use to confirm your configuration is working properly:

• Commands for Verifying Firewall Websense URL Filtering

• Commands for Verifying Cisco IOS Firewall Authentication Proxy

• Commands for Verifying Context-Based Access Control

• Commands for Verifying Cisco IOS Intrusion Prevention System

Tip Certain show commands are supported by the Output Interpreter Tool, which allows you to view an analysis of show command output. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Commands for Verifying Firewall Websense URL Filtering

• show ip urlfilter cache—Displays the maximum number of entries that can be cached into the cache table and the number of entries and the destination IP addresses that are cached into the cache table.

Router# show ip urlfilter cache

Maximum number of cache entries: 0
Number of entries cached: 0
--------------------------------------------------------
IP address      Age             Time since last hit
                (In seconds)    (In seconds)
--------------------------------------------------------

• show ip urlfilter config—Displays the configured vendor servers, including the size of the cache, the maximum number of outstanding requests, and the allow mode state.

Router# show ip urlfilter config
Websense URL Filtering is ENABLED

Primary Websense server configurations
=========================================
Websense server IP address Or Host Name: 192.168.1.116
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2

Secondary Websense servers configurations
============================================
Other configurations
=====================
Allow Mode: OFF
System Alert: ENABLED
Audit Trail: DISABLED
Log message on Websense server: DISABLED
Maximum number of cache entries: 0
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000

• show ip urlfilter statistics—Displays URL filtering statistics, such as the number of requests that are sent to the Websense server, the number of responses received from the Websense server, the number of pending requests in the system, the number of failed requests, and the number of blocked URLs.

Router# show ip urlfilter statistics

URL filtering statistics
=========================
Current requests count: 0
Current packet buffer count(in use): 0
Current cache entry count: 0

Maxever request count: 0
Maxever packet buffer count: 0
Maxever cache entry count: 0

Total requests sent to URL Filter Server :13
Total responses received from URL Filter Server :13
Total requests allowed: 9
Total requests blocked: 4

Commands for Verifying Cisco IOS Firewall Authentication Proxy

• show ip auth-proxy—Displays the authentication proxy entries or configuration.

Router# show ip auth-proxy cache

Authentication Proxy Cache
 Client Name admin, Client IP 192.168.1.118, Port 1902, timeout 120, Time Remaining 120, state INIT

Router# show ip auth-proxy statistics

configuration
Authentication global cache time is 120 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled

Authentication Proxy Rule Configuration
 Auth-proxy name aprule
 http list not specified auth-cache-time 120 minutes

Commands for Verifying Context-Based Access Control

• show ip access-list—Displays the contents of current IP access lists.

• show ip inspect session—Displays CBAC session information.


Commands for Verifying Cisco IOS Intrusion Prevention System

• show ip ips signature—Displays Cisco IPS signature information, including which signatures are disabled and marked for deletion.

Router# show ip ips signature

Signatures were last loaded from tftp://192.168.1.3/attack-drop.sdf

SDF release version not available

*=Marked for Deletion Action=(A)larm,(D)rop,(R)eset Trait=AlarmTraits
MH=MinHits AI=AlarmInterval CT=ChokeThreshold
TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr
WF=WantFrag Ver=Signature Version

Signature Micro-Engine: SERVICE.SMTP (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3129:0 Y ADR MED 0 0 0 0 15 FA N S59

Signature Micro-Engine: SERVICE.RPC (29 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
6100:0 Y AD HIGH 0 0 0 100 30 FA N 1.0
6100:1 Y ADR HIGH 0 0 0 100 30 FA N 1.0
6101:0 Y AD HIGH 0 0 0 100 30 FA N 1.0
6101:1 Y ADR HIGH 0 0 0 100 30 FA N 1.0
6104:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6104:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6105:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6105:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6188:0 Y AD HIGH 0 0 0 100 30 FA N S43
6189:0 Y AD HIGH 0 0 0 100 30 FA N S43
6189:1 Y ADR HIGH 0 0 0 100 30 FA N S43
6190:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6190:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6191:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6191:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6192:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
6192:1 Y ADR HIGH 0 0 0 100 30 FA N 2.1
6193:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6193:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6194:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6194:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6195:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
6195:1 Y ADR HIGH 0 0 0 100 30 FA N 2.2
6196:0 Y AD HIGH 0 0 0 100 30 FA N S4
6196:1 Y ADR HIGH 0 0 0 100 30 FA N S4
6197:0 Y ADR HIGH 0 0 0 100 30 FA N S9
6197:1 Y AD HIGH 0 0 0 100 30 FA N S9
6276:0 Y AD HIGH 0 0 0 100 30 FA N S30
6276:1 Y ADR HIGH 0 0 0 100 30 FA N S30

Signature Micro-Engine: SERVICE.HTTP (23 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3140:3 Y ADR HIGH 0 1 0 0 15 FA N S80
3140:4 Y ADR HIGH 0 1 0 0 15 FA N S80
5045:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2
5047:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2
5055:0 Y AD HIGH 0 1 0 0 15 FA N 2.2
5071:0 Y ADR HIGH 0 1 0 0 15 FA N 2.2


5081:0 Y ADR MED 0 1 0 0 15 FA N 2.2
5114:0 Y ADR MED 0 1 0 0 15 FA N 2.2
5114:1 Y ADR MED 0 1 0 0 15 FA N 2.2
5114:2 Y ADR MED 0 1 0 0 15 FA N 2.2
5126:0 Y ADR MED 0 1 0 0 15 FA N S5
5159:0 Y ADR HIGH 0 1 0 0 15 FA N S7
5184:0 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:0 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:1 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:2 Y ADR HIGH 0 1 0 0 15 FA N S12
5188:3 Y ADR HIGH 0 1 0 0 15 FA N S12
5245:0 Y ADR MED 0 1 0 0 15 FA N S21
5326:0 Y ADR HIGH 0 1 0 0 15 FA N S30
5329:0 Y ADR HIGH 0 1 0 0 15 FA N 1.0
5364:0 Y ADR HIGH 0 1 0 0 15 FA N S43
5390:0 Y ADR MED 0 1 0 0 15 FA N S54
5400:0 Y ADR HIGH 0 1 0 0 15 FA N S71

Signature Micro-Engine: ATOMIC.TCP (42 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
3038:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3039:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3040:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2
3041:0 Y AD HIGH 0 0 0 100 30 FA N N 2.2
3043:0 Y AD HIGH 0 0 0 100 30 FA N Y 2.2
3300:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
9200:0 Y AD HIGH 0 0 0 100 30 FA N S40
9201:0 Y AD HIGH 0 0 0 100 30 FA N S40
9202:0 Y AD HIGH 0 0 0 100 30 FA N S40
9203:0 Y AD HIGH 0 0 0 100 30 FA N S40
9204:0 Y AD HIGH 0 0 0 100 30 FA N S40
9205:0 Y AD HIGH 0 0 0 100 30 FA N S40
9206:0 Y AD HIGH 0 0 0 100 30 FA N S40
9207:0 Y AD HIGH 0 0 0 100 30 FA N S40
9208:0 Y AD HIGH 0 0 0 100 30 FA N S40
9209:0 Y AD HIGH 0 0 0 100 30 FA N S40
9210:0 Y AD HIGH 0 0 0 100 30 FA N S40
9211:0 Y AD HIGH 0 0 0 100 30 FA N S40
9212:0 Y AD HIGH 0 0 0 100 30 FA N S40
9213:0 Y AD HIGH 0 0 0 100 30 FA N S40
9214:0 Y AD HIGH 0 0 0 100 30 FA N S40
9215:0 Y AD HIGH 0 0 0 100 30 FA N S40
9216:0 Y AD HIGH 0 0 0 100 30 FA N S40
9217:0 Y AD HIGH 0 0 0 100 30 FA N S40
9218:0 Y AD HIGH 0 0 0 100 30 FA N S40
9223:0 Y AD HIGH 0 0 0 100 30 FA N S40
9224:0 Y AD MED 0 0 0 100 30 FA N S44
9225:0 Y AD HIGH 0 0 0 100 30 FA N S46
9226:0 Y AD HIGH 0 0 0 100 30 FA N S46
9227:0 Y AD HIGH 0 0 0 100 30 FA N S46
9228:0 Y AD HIGH 0 0 0 100 30 FA N S46
9229:0 Y AD HIGH 0 0 0 100 30 FA N S46
9230:0 Y AD HIGH 0 0 0 100 30 FA N S46
9231:0 Y AD HIGH 0 0 0 100 30 FA N S66
9232:0 Y AD HIGH 0 0 0 100 30 FA N S69
9233:0 Y AD HIGH 0 0 0 100 30 FA N S67
9236:0 Y AD HIGH 0 0 0 100 30 FA N S71
9237:0 Y AD HIGH 0 0 0 100 30 FA N S71
9238:0 Y AD HIGH 0 0 0 100 30 FA N S71
9239:0 Y AD HIGH 0 0 0 100 30 FA N S76
9240:0 Y AD HIGH 0 0 0 100 30 FA N S79
9241:0 Y AD HIGH 0 0 0 100 30 FA N S82


Signature Micro-Engine: ATOMIC.IPOPTIONS (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
1006:0 Y AD HIGH 0 0 0 100 30 FA N 2.1

Signature Micro-Engine: ATOMIC.L3.IP (4 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Ver
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- ---
1102:0 Y AD HIGH 0 0 0 100 30 FA N 2.1
1104:0 Y AD HIGH 0 0 0 100 30 FA N 2.2
1108:0 Y AD HIGH 0 0 0 100 30 GS N S27
2154:0 Y AD HIGH 0 0 0 100 30 FA N Y 1.0
Total Active Signatures: 118
Total Inactive Signatures: 0

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

See the following documents:

• Troubleshooting CBAC Configurations, tech note

• Troubleshooting Authentication Proxy, tech note

Troubleshooting Commands

Note Before issuing debug commands, please see Important Information on Debug Commands.

• debug ip inspect—Displays messages about Cisco IOS firewall events.

• debug ip urlfilter—Enables debug information of URL filter subsystems.

Router# debug ip urlfilter detailed

Urlfilter Detailed Debugs debugging is on
Router#
*Aug 26 20:11:58.538: URLF: got cache idle timer event...
*Aug 26 20:11:58.538: URLF: cache table is about to overflow, delete idle entries
*Aug 26 20:12:00.962: URLF: creating uis 0x64EF00A0, pending request 1
*Aug 26 20:12:00.962: URLF: domain name not found in the exclusive list
*Aug 26 20:12:00.962: URLF: got an cbac queue event...
*Aug 26 20:12:00.962: URLF: websns making a lookup request.
*Aug 26 20:12:00.962: URLF: socket send successful...
*Aug 26 20:12:00.962: URLF: holding pak 0x64823210 (192.168.101.119:80) -> 192.168.1.118:1087 seq 3905567052 wnd 17238
*Aug 26 20:12:00.966: URLF: got a socket read event...
*Aug 26 20:12:00.966: URLF: socket recv (header) successful.
*Aug 26 20:12:00.966: URLF: socket recv (data) successful.
*Aug 26 20:12:00.966: URLF: websns lookup code = 1
*Aug 26 20:12:00.966: URLF: websns lookup description code = 1027
*Aug 26 20:12:00.966: URLF: websns category number = 67
*Aug 26 20:12:00.966: URLF: websns cache command = 0
*Aug 26 20:12:00.966: URLF: websns cached entry type = 0
*Aug 26 20:12:00.966: URLF: Site/URL Blocked: sis 0x64A57D50, uis 0x64EF00A0
*Aug 26 20:12:00.966: URLF: Sent Deny page with FIN to client and RST to server


*Aug 26 20:12:00.966: URLF: urlf_release_http_resp_for_url_block - Discarding the pak 0x64823210 held in resp Q (count 1 : thrld 200)
*Aug 26 20:12:00.966: URLF: deleting uis 0x64EF00A0, pending requests 0

• debug ip auth-proxy—Displays authentication proxy activity.

Router# debug ip auth-proxy detailed

*Aug 30 23:16:07.680: AUTH-PROXY:proto_flag=4, dstport_index=4
*Aug 30 23:16:07.680: SYN SEQ 24350097 LEN 0
*Aug 30 23:16:07.680: dst_addr 192.168.102.119 src_addr 192.168.1.118 dst_port 80 src_port 1900
*Aug 30 23:16:07.680: AUTH-PROXY:auth_proxy_half_open_count++ 1
*Aug 30 23:16:07.684: AUTH-PROXY:proto_flag=4, dstport_index=4
*Aug 30 23:16:07.684: ACK 2787182962 SEQ 24350098 LEN 0
*Aug 30 23:16:07.684: dst_addr 192.168.102.119 src_addr 192.168.1.118 dst_port 80 src_port 1900
*Aug 30 23:16:07.684: clientport 1900 state 0
*Aug 30 23:16:07.684: AUTH-PROXY:proto_flag=4, dstport_index=4
*Aug 30 23:16:07.684: PSH ACK 2787182962 SEQ 24350098 LEN 282
*Aug 30 23:16:07.684: dst_addr 192.168.102.119 src_addr 192.168.1.118 dst_port 80 src_port 1900
*Aug 30 23:16:07.684: clientport 1900 state 0
*Aug 30 23:16:07.688: AUTH-PROXY:proto_flag=4, dstport_index=4
*Aug 30 23:16:07.688: ACK 2787184131 SEQ 24350380 LEN 0
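The following is an added example, not part of the Cisco document: a small parser that turns `debug ip urlfilter detailed` output like the sample above into one record per filtered request, so block events can be reviewed or forwarded to a log pipeline. The function names and record keys are this example's own, and it assumes that messages without a `uis` handle belong to the most recently created request, as in the sample.

```python
import re

# Lines copied from the "debug ip urlfilter detailed" output shown above.
SAMPLE = """\
*Aug 26 20:12:00.962: URLF: creating uis 0x64EF00A0, pending request 1
*Aug 26 20:12:00.962: URLF: holding pak 0x64823210 (192.168.101.119:80) -> 192.168.1.118:1087 seq 3905567052 wnd 17238
*Aug 26 20:12:00.966: URLF: websns lookup code = 1
*Aug 26 20:12:00.966: URLF: websns lookup description code = 1027
*Aug 26 20:12:00.966: URLF: websns category number = 67
*Aug 26 20:12:00.966: URLF: Site/URL Blocked: sis 0x64A57D50, uis 0x64EF00A0
*Aug 26 20:12:00.966: URLF: Sent Deny page with FIN to client and RST to server
*Aug 26 20:12:00.966: URLF: deleting uis 0x64EF00A0, pending requests 0
"""

# IOS debug timestamp as produced by "service timestamps debug datetime msec".
TS = re.compile(r"\*([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): ")
CREATE = re.compile(r"URLF: creating uis (0x[0-9A-Fa-f]+)")
HOLD = re.compile(r"URLF: holding pak 0x[0-9A-Fa-f]+ \(([\d.]+:\d+)\) -> ([\d.]+:\d+)")
FIELD = re.compile(
    r"URLF: websns (lookup code|lookup description code|category number) = (\d+)")
BLOCK = re.compile(r"URLF: Site/URL Blocked: sis 0x[0-9A-Fa-f]+, uis (0x[0-9A-Fa-f]+)")
DELETE = re.compile(r"URLF: deleting uis (0x[0-9A-Fa-f]+)")


def split_records(text):
    """Yield (timestamp, message) pairs.

    Splitting on the timestamp instead of on newlines also handles captures
    whose line breaks were lost when the output was pasted or extracted.
    """
    marks = list(TS.finditer(text))
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        yield mark.group(1), text[mark.end():end].strip()


def parse_urlf(text):
    """Return one dict per URL-filter request, keyed by its uis handle."""
    open_reqs = {}   # uis handle -> record still being assembled
    latest = None    # handle of the most recently created request
    done = []
    for ts, msg in split_records(text):
        if m := CREATE.match(msg):
            latest = m.group(1)
            # verdict stays None unless a "Site/URL Blocked" message is seen
            open_reqs[latest] = {"uis": latest, "start": ts, "end": None,
                                 "src": None, "dst": None, "verdict": None}
        elif latest in open_reqs and (m := HOLD.match(msg)):
            open_reqs[latest]["src"], open_reqs[latest]["dst"] = m.groups()
        elif latest in open_reqs and (m := FIELD.match(msg)):
            open_reqs[latest][m.group(1).replace(" ", "_")] = int(m.group(2))
        elif (m := BLOCK.match(msg)) and m.group(1) in open_reqs:
            open_reqs[m.group(1)]["verdict"] = "blocked"
        elif (m := DELETE.match(msg)) and m.group(1) in open_reqs:
            record = open_reqs.pop(m.group(1))
            record["end"] = ts
            done.append(record)
    # Requests never deleted in the capture are returned with end=None.
    return done + list(open_reqs.values())


if __name__ == "__main__":
    for rec in parse_urlf(SAMPLE):
        print(rec)
```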

Related Information

• Cisco IOS Security Configuration Guide, Release 12.3:

– “Configuring Context-Based Access Control” chapter

– “Configuring Authentication Proxy” chapter

• Cisco IOS Intrusion Prevention System (IPS), Cisco IOS Release 12.3(8)T feature module

• Firewall Websense URL Filtering, Cisco IOS Releases 12.2(11)YU and 12.2(15)T feature module

• Troubleshooting CBAC Configurations, tech note

• Troubleshooting Authentication Proxy, tech note

• Technical Support—Cisco Systems


IP Communication Solution for Group Applications Configuration Example

Contents

• Introduction

• Prerequisites

• Configure

• Verify

• Troubleshoot

• Related Information

Introduction

This document provides a configuration example in which:

• A small branch office uses both analog and IP phones. The small branch office implementation addressed in this document requires IP Telephony services and may also use other full-service branch (FSB) features of Cisco access routers. These features include Cisco Content Engines (CEs), Voice over IP (VoIP) services and integration with back-end VoIP call control devices. The small branch office requires a robust and integrated voice-mail solution. The integrated services routers also support various options for WAN uplink and integrated LAN switching modules.

• Land Mobile Radio (LMR) is used by an enterprise for several reasons which include loss prevention (premise safety and security) and Push–to–Talk (PTT) communication for mobile workers within range of the radio system. LMR base stations can be connected to an E&M port for integration with an IP network and can be accessed via VoIP. The LMR feature also allows connecting walkie-talkies to the radios using multicast.

• Multicast is dial-plan enabled so that IP phones and public switched telephone network (PSTN) phones can dial in to the LMR by using E.164 numbers. Traditionally, the E&M ports were used to connect to PSTN or Hoot-and-Holler networks. The E&M ports connected to the LMR can be multicast–to–VoIP enabled. This configuration permits desktop clients and IP-Phone clients on the LAN that are using XML services to directly connect to the radio via the multicast features on Cisco IOS. The LMR can be integrated with the E&M port on the gateway; the commands on the gateway support this router-to-radio adaptation.

• This document provides a workaround method that bridges the multicast VoIP to unicast VoIP using a physical T1 loopback. This is not an essential configuration. It is documented to demonstrate how you can integrate multicast VoIP audio into standards-based VoIP call-control schemes such as Skinny, H.323, or SIP. IP–to–IP gateway is the preferred and recommended option to use for bridging between standards-based VoIP protocols. The VoIP-to-multicast bridge using a physical loopback can also be used for local multi-party conferencing via Cisco CallManager Express (Cisco CME) phones or PSTN phones.

• Onboard DSPs are used for the voice modules on the WAN interface card (WIC) slots.

• Cisco CallManager seamlessly connects to Cisco CME over an H.323 trunk defined on the Cisco CallManager [Release 3.3 (3) or later].

• Cisco CME (Release 3.2) manages the local phone network. Cisco CME and Cisco Unity Express enable users to use a gateway as though it were a PBX coupled to a voice-mail system.

• Cisco Unity Express (with Cisco Service Engine 1.1) on the NM-CUE provides voice-mail and auto-attendant services.

• Cisco CME seamlessly integrates with the Cisco CallManager at the headquarters site and supports all supplementary services.

• Content Engine (CE) modules support web caching, video–on–demand and live-splitting applications.

• Cisco Access Control Network Server (ACNS) on CE (ce2636-sw-5.1.3) saves WAN bandwidth by web-caching and splitting streaming video over unicast and multicast.

Prerequisites

Prerequisites included in this section:

• Requirements

• Components Used

• Related Products

• Conventions

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the following Cisco 3845 router hardware and software:

• 16 FastEthernet interfaces (NM-ESW-16)

• 1 serial interface

• 3 terminal lines


• 2 channelized T1/PRI ports

• 4 voice FXS interfaces (VIC-4FXS-DID)

• 2 voice E&M interfaces (VIC2-2E&M)

• 1 Cisco service engine (NM-CUE)

• 1 Cisco Content Engine (NM-CE-BP)

• A VIC2-4FS in slot 0

• A VIC2-2FXS in slot 1

• An HWICD-9ESW with inline power card in slots 2-3 (double-wide)

• Cisco CallManager Release 3.3(3)

• Cisco IOS Release 12.3(11)T or later

• Enterprise Services feature set

The information in this document reflects use of devices in a specific lab environment. All devices used in this configuration example started with a cleared (default) configuration. If you are working with a live network, ensure that you understand the potential effects of any command before you use it. The configuration example presented in this document depicts a combination of features on a single branch office router. Users of this document should review the documents listed under the “Related Information” section.

Related Products

This configuration can also be used with any Cisco 2800 and Cisco 3800 series routers.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.


Configure

In this section, you are presented with the information to configure the features described in this document.

Note To find additional information on the commands used in this document, use the Cisco IOS Command Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Configuration Tips

• The gigabit port on the router does not provide inline power.

• Routing should be enabled and assumed to be configured.

• The external flash card on the integrated services routers holds the router image, VLAN database, graphical user interface (GUI) files for Cisco CME and Cisco Unity Express. It should not be removed during the normal operation of the router.

• The LMR integration to the router might require radio frequency (RF)/radio skills (typically a non-IP and proprietary implementation). The radio–to–router physical cable might not be available off–the–shelf.

Network Diagram

This document uses the network setup shown in the following diagram.

[Figure: network diagram with numbered callouts]


Configurations

This example presents configuration for the Cisco 3845 router.

Cisco 3845 Router

3845-gw#show running-config
Building configuration...
Current configuration : 17622 bytes
!
!---Last configuration change at 23:07:46 PDT Wed Jul 7 2004 by cisco
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
!
hostname 3845-gw
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$3do1$SDp9TOK4YaZ7XguJYD2MD1
!
!---Local Database of username and passwords for Web server and local
!---authentication
!
username cisco password 7 1511021F0725
!
clock timezone PST -8
clock summer-time PDT recurring
no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate slot 3
no network-clock-participate slot 4
no network-clock-participate wic 0
no network-clock-participate wic 1
network-clock-participate wic 2
no network-clock-participate wic 3
no network-clock-participate aim 0

Legend for the network diagram callouts:

1 Stream encoder, original source
2 TDM
3 NM-CE multicasting and live splitting on ACNS
4 Cisco CME/Cisco Unity Express
5 Local multicast on LAN from gateway
6 PC client, multicast RTP client, Media Player (streaming)
7 LMR (LMR integration to the router)
8 T1 Loopback (unicast to multicast bridge); a workaround to integrate a multicast audio–to–standards based VoIP
9 PSTN
10 Headquarters
11 Cisco CallManager


no network-clock-participate aim 1
aaa new-model
!
!
aaa group server tacacs+ admin
 server 192.x or 10.x
 server 192.x or 10.x
!
aaa group server radius vpn
 server 192.x or 10.x auth-port 1645 acct-port 1646
!
!---AAA configuration used for local authentication
!
aaa authentication login admin group tacacs+ enable
aaa authentication login remote group vpn
aaa authentication login NOTACACS line
aaa authentication login LOCAL local
aaa authentication login WEB none
aaa authentication ppp LOCAL local
aaa authentication dot1x default group vpn
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip cef
!
!
!---Configure a DHCP address pool for each IP phone:
ip dhcp excluded-address 192.168.10.1 192.168.10.99
!
ip dhcp pool NONAT
 network 10.1.153.0 255.255.255.248
 default-router 10.1.153.1
 dns-server 10.1.162.183 10.1.156.120
 option 150 ip 10.1.152.9
 domain-name cisco.com
!
ip dhcp pool NAT
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 10.1.162.183 10.1.156.120
 option 150 ip 10.1.152.9
 domain-name cisco.com

!
ip domain name cisco.com
ip name-server 10.1.162.183
ip name-server 10.1.156.120
ip multicast-routing
ip sap cache-timeout 30
ip ssh time-out 30
ip ssh version 1
ip ids po max-events 100
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
!
voice-card 0


 no dspfarm
!
!
!
!---Configuration to enable “H.323 to H.323” and “H.323 to SIP” calls between Cisco
!---CallManager-Cisco CME-Cisco Unity Express. The “allow connections h323 to h323” &
!---“allow-connections h323 to sip” enable an easy configuration on gateway without the
!---need for loopback-dn for incoming calls from Cisco CallManager or for call flow from
!---Cisco CallManager to SIP for Voice Mail.
!
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 no supplementary-service h450.2
 no supplementary-service h450.3
 supplementary-service h450.12 advertise-only
 h323
!
!
!
!---Configuration to support LMR(Land Mobile Radio) integration through E&M port on the
!---router (similar to Hoot and Holler configuration)
!
voice class permanent 1
 signal timing oos restart 50000
 signal timing oos timeout disabled
 signal keepalive disabled
 signal sequence oos no-action
!
!
!---Two T1 ports connected back-to-back to bridge VoIP to multicast audio bridging. This
!---is required to enable dialing into multicast. Connecting the TDM T1 port back-to-back
!---offers the possibility of using E.164 number as a conference ID, or for using the
!---multicast stream for application such as Hoot and Holler.
!---
!---Cisco CME offers 3-party conference calling and is the recommended method for a
!---small branch office, the following T1 loopback cable is not required for configuring
!---the conferencing features.
!---
!---Cisco IOS supports audio mixing of loudest three streams. The TDM back to
!---back connection enables the bridging of 23 channels of VoIP to one or
!---more multicast connections (one side with multicast configuration and the
!---other side with VoIP configuration)
!---This method provides a way to connect the standards-based VoIP call control to
!---the multicast audio streams that do not have any associated call control.
!
controller T1 0/2/0
 framing esf
 linecode b8zs
 ds0-group 1 timeslots 1 type e&m-immediate-start
 ds0-group 2 timeslots 2 type e&m-immediate-start
 ds0-group 3 timeslots 3 type e&m-immediate-start
 ds0-group 4 timeslots 4 type e&m-immediate-start
 ds0-group 5 timeslots 5 type e&m-immediate-start
 ds0-group 6 timeslots 6 type e&m-immediate-start
!
controller T1 0/2/1
 framing esf
 clock source internal
 linecode b8zs
 ds0-group 1 timeslots 1 type e&m-immediate-start
 ds0-group 2 timeslots 2 type e&m-immediate-start
 ds0-group 3 timeslots 3 type e&m-immediate-start


 ds0-group 4 timeslots 4 type e&m-immediate-start
 ds0-group 5 timeslots 5 type e&m-immediate-start
 ds0-group 6 timeslots 6 type e&m-immediate-start
!
no crypto isakmp enable
!
!
!---Loopback0 used to bind H323 to the Loopback0 interface. RTP Packets
!---originate/terminate on the router using this IP address.
!
interface Loopback0
 ip address 10.1.152.9 255.255.255.255
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.1.152.9
!
interface Loopback2
 ip address 10.1.152.241 255.255.255.252
 ip ospf network point-to-point
!
interface Loopback3
 ip address 10.1.152.249 255.255.255.252
 ip virtual-reassembly
 ip ospf network point-to-point
!
!---Configuration to enable Hoot and Holler using multicast on router. The multicast
!---streaming of packets from the local router uses the VIF interface to derive the local
!---ip address and the port of the packets. This can be verified by the show command “show
!---voip rtp connection”
!
interface Vif1
 ip address 10.1.153.41 255.255.255.252
 ip pim sparse-dense-mode
!
!
!---WAN uplink
!
interface Serial0/0/0
 ip address 10.1.152.30 255.255.255.252
 ip pim sparse-dense-mode
 ip nat outside
 ip virtual-reassembly
 no fair-queue
!
!--- Content Engine connected as a Network Module.
!
interface Content-Engine1/0
 ip unnumbered Loopback3
 ip pim sparse-dense-mode
 service-module ip address 10.1.152.250 255.255.255.252
 service-module ip default-gateway 10.1.152.249
!
!
interface FastEthernet3/0
 switchport access vlan 110
 switchport trunk native vlan 100
 switchport mode trunk
 switchport voice vlan 110
 no ip address
!
interface FastEthernet3/1
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode trunk


 switchport voice vlan 110
 no ip address
!
interface FastEthernet3/2
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode trunk
 switchport voice vlan 110
 no ip address
!
interface FastEthernet3/3
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode trunk
 switchport voice vlan 110
 no ip address
!
!
!---Cisco Unity Express used for local voice-mail storage
!
interface Service-Engine4/0
 ip unnumbered Loopback2
 service-module ip address 10.1.152.242 255.255.255.252
 service-module ip default-gateway 10.1.152.241
!
!--- Data VLAN, used for the desktops at the branch
!
interface Vlan100
 ip address 192.168.10.1 255.255.255.0
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
!
interface Vlan110
 ip address 10.1.153.1 255.255.255.248
 ip pim sparse-dense-mode
 ip virtual-reassembly
!
!---OSPF used as the routing protocol for scenario
!
router ospf 1
 router-id 10.1.152.9
 log-adjacency-changes
 network 10.1.152.9 0.0.0.0 area 0
 network 10.1.152.10 0.0.0.0 area 0
 network 10.1.152.28 0.0.0.3 area 0
 network 10.1.152.140 0.0.0.3 area 0
 network 10.1.152.240 0.0.0.3 area 0
 network 10.1.152.248 0.0.0.3 area 0
 network 10.1.153.0 0.0.0.3 area 0
!
!---Static routes defined for routing to Service-Engine and Content-Engine network Module
ip classless
ip route 10.1.152.242 255.255.255.255 Service-Engine4/0
ip route 10.1.152.250 255.255.255.255 Content-Engine1/0
!
ip http server
ip http authentication aaa login-authentication LOCAL
no ip http secure-server
ip http path flash:
!
!---PAT (Port Address Translation) used for the Data VLAN.
ip nat inside source list 11 interface Serial0/0/0 overload


!
!
access-list 11 permit 192.168.11.0 0.0.0.255
access-list 11 permit 192.168.20.0 0.0.0.255
access-list 11 permit 192.168.10.0 0.0.0.255
!
!
!---Router serves as TFTP server for Signed Image for 7960 phone on Local LAN.
!
tftp-server flash:P00306000300.bin
tftp-server flash:P00306000300.loads
tftp-server flash:P00306000300.sb2
!
control-plane
!
!
!---VoIP side of the Back-to-Back T1 used for bridging VoIP to multicast streams defined
!---by the dial-peer with “ session protocol multicast”
!
voice-port 0/2/0:1
 auto-cut-through
!
voice-port 0/2/0:2
 auto-cut-through
!
voice-port 0/2/0:3
 auto-cut-through
!
voice-port 0/2/0:4
 auto-cut-through
!
voice-port 0/2/0:3
 auto-cut-through
!
voice-port 0/2/0:4
 auto-cut-through
!
voice-port 0/2/0:5
 auto-cut-through
!
voice-port 0/2/0:6
 auto-cut-through
!
!---E&M ports connected to the LMR (Land Mobile Radio). Each radio may have a different
!---radio frequency (such as VHF or UHF)
!
voice-port 0/1/0
 auto-cut-through
 voice-class permanent 1
 operation 4-wire
 signal lmr
 lmr e-lead voice
 timeouts call-disconnect 3
 connection trunk 20480
!
voice-port 0/1/1
 auto-cut-through
 voice-class permanent 1
 operation 4-wire
 signal lmr
 lmr m-lead audio-gate-in
 lmr e-lead voice
 timeouts call-disconnect 3


 connection trunk 20481
!
!---Multicast side of the back-to-back T1 used for bridging VoIP to multicast connection
!---trunk points to the dial-peer that is used for streaming into multicast
!
voice-port 0/2/1:1
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 20480
!
voice-port 0/2/1:2
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 20481
!
!---Multicast side of the back-to-back T1 used for bridging VoIP to multicast connection
!---trunk points to the dial-peer that is used for streaming into multicast for local
!---conferencing. 2111 dialed from the network side is looped back to the other side of
!---the T1 that is connected to the multicast dial-peer to convert it into a multicast
!---stream. The 3-party mixing algorithm takes care of conferencing between the dialed
!---parties
!
voice-port 0/2/1:3
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 21111
!
voice-port 0/2/1:4
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 21111
!
voice-port 0/2/1:5
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 21111
!
voice-port 0/2/1:6
 auto-cut-through
 timeouts call-disconnect 3
 connection trunk 21111
voice-port 0/3/0
!
voice-port 0/3/1
!
voice-port 0/3/2
!
!---FXS ports tied to multicast Hoot and Holler
!
voice-port 0/3/3
!
!---Dial peers pointing toward the NM-CUE for auto attendant and voice mail
!
dial-peer voice 27749 voip
 description Towards CUE-Auto-Attendant
 destination-pattern 27749
 session protocol sipv2
 session target ipv4:10.1.152.242
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
!
dial-peer voice 27748 voip
 description Towards CUE-Voice-Mail


 destination-pattern 27748
 session protocol sipv2
 session target ipv4:10.1.152.242
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
!
!---Dial peers for dialing out; pointing to Cisco CallManager Release 3.3(3)
!
dial-peer voice 101 voip
 description CCM-IT-Cisco
 destination-pattern .T
 session target ipv4:10.1.148.178
 dtmf-relay h245-alphanumeric
 codec g711ulaw
!
dial-peer voice 9 voip
 preference 1
 destination-pattern 91..........
 session target ipv4:10.1.148.178
!
dial-peer voice 2 voip
 destination-pattern 2....
 session target ipv4:10.1.148.178
!
!---Dial Peers for multicast streaming from TDM port
!
dial-peer voice 20480 voip
 description VoIP to multicast bridging for LMR integration
 destination-pattern 20480
 voice-class permanent 1
 session protocol multicast
 session target ipv4:239.192.17.191:20480
 codec g711ulaw
 vad aggressive
!
dial-peer voice 20481 voip
 description VoIP to multicast bridging for LMR integration
 destination-pattern 20481
 voice-class permanent 1
 session protocol multicast
 session target ipv4:239.192.17.192:20480
 codec g711ulaw
 vad aggressive
!
dial-peer voice 21111 voip
 description VoIP to multicast bridging for Local Conferencing
 destination-pattern 21111
 voice-class permanent 1
 session protocol multicast
 session target ipv4:239.192.17.195:20480
 dtmf-relay cisco-rtp
 codec g711ulaw
 vad aggressive
!---Dial Peers for the T1 physical loopback used for bridging multicast to VoIP
!---(VoIP Side)
!
dial-peer voice 1 pots
 description VoIP to multicast bridging for LMR
 destination-pattern 27737
 port 0/2/0:1
!
dial-peer voice 3 pots


 description VoIP to multicast bridging for LMR
 destination-pattern 4089027737
 port 0/2/0:1
!
dial-peer voice 4 pots
 description VoIP to multicast bridging for LMR
 destination-pattern 27738
 port 0/2/0:2
!
dial-peer voice 5 pots
 description VoIP to multicast bridging for LMR
 destination-pattern 4089027738
 port 0/2/0:2
!
dial-peer voice 6 pots
 description VoIP to local multicast conference bridge
 destination-pattern 2111
 port 0/2/0:3
!
dial-peer voice 7 pots
 description VoIP to local multicast conference bridge
 destination-pattern 2111
 port 0/2/0:4
!
dial-peer voice 8 pots
 description VoIP to local multicast conference bridge
 destination-pattern 2111
 port 0/2/0:5
!
dial-peer voice 9 pots
 description VoIP to local multicast conference bridge
 destination-pattern 2111
 port 0/2/0:6
!
!
!---Dial Cisco CME Configuration with services configuration
!
!
telephony-service
 fxo hook-flash
 load 7910 P00403020214
 load 7960-7940 P00306000300
 max-ephones 27
 max-dn 40
 ip source-address 10.1.152.9 port 2000
 auto assign 1 to 27
 timeouts interdigit 5
 system message Next GEN Branch Documentation
 url services http://phone-xml.berbee.com/menu.xml
 create cnf-files version-stamp 7960 Jun 24 2004 14:00:45
 dialplan-pattern 1 408902.... extension-length 5
 voicemail 27749
 mwi relay
 mwi expires 99999
 max-conferences 8
 call-forward pattern .....
 web admin customer name cisco password admin
 dn-webedit
 time-webedit
 transfer-system full-consult
 transfer-pattern .....
 secondary-dialtone 9
!


!
ephone-dn 1 dual-line
 number 27725
 description Ross
 name Ross
 call-forward busy 27749
 call-forward noan 27749 timeout 10
!
!
ephone-dn 2 dual-line
 number 27726
 description Rachel
 name Rachel
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 3 dual-line
 number 27727
 description Chandler
 name Chandler
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 4 dual-line
 number 27728
 description Monica
 name Monica
 call-forward busy 27749
 call-forward noan 27749 timeout 10
!
!
ephone-dn 5 dual-line
 number 27729
 description Jen-Shue Shih
 name Jen-Shue Shih
 call-forward busy 27749
 call-forward noan 27749 timeout 10
!
!
ephone-dn 6 dual-line
 number 27730
 description Mike
 name Mike
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 7 dual-line
 number 27731
 description Phoebe
 name Phoebe
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 8 dual-line
 number 27732
 description Cosmo
 name Cosmo
 call-forward busy 27749
 call-forward noan 27749 timeout 18


!
!
ephone-dn 9 dual-line
 number 27733
 description Jerry
 name Jerry
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 10 dual-line
 number 27734
 description George
 name George
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 11 dual-line
 number 27735
 description Frank
 name Frank
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 12 dual-line
 number 27736
 description Estelle
 name Estelle
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 13 dual-line
!
!
ephone-dn 14 dual-line
!
!
ephone-dn 15 dual-line
 number 27739
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 16 dual-line
 number 27740
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 17 dual-line
 number 27741
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 18 dual-line
 number 27742
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!


!
ephone-dn 19 dual-line
 number 27743
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 20 dual-line
 number 27744
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 21 dual-line
 number 27745
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 25
!
!
ephone-dn 27
 number 27749
 call-forward busy 27749
 call-forward noan 27749 timeout 18
!
!
ephone-dn 39
 number 8000.....
 mwi off
!
!
ephone-dn 40
 number 8001.....
 mwi on
!
!
ephone 1
 mac-address 0003.4713.5554
 type CIPC
 button 1:1
!
!
!
ephone 2
 mac-address 0002.8A3E.6606
 type CIPC
 button 1:2
!
!
!
ephone 3
 mac-address 0001.022C.88A1
 type CIPC
 button 1:3
!
!
!
ephone 4
 mac-address 0009.6B10.494D
 type CIPC
 button 1:4


!
!
!
ephone 5
 mac-address 0002.8A4B.000B
 type CIPC
 button 1:5
!
!
!
ephone 6
 mac-address 0009.6B53.44C6
 type CIPC
 button 1:6
!
!
!
ephone 7
 mac-address 0009.6B30.E399
 type CIPC
 button 1:7
!
!
!
ephone 8
 mac-address 000B.BE37.1AB1
 type 7960
 button 1:8
!
!
!
ephone 9
 mac-address 0006.D74B.15B3
 type 7960
 button 1:9
!
!
!
ephone 10
 mac-address 000B.5F92.5784
 type 7960
 button 1:10
!
!
!
ephone 11
 mac-address 000C.CE3A.87FA
 type 7960
 button 1:11
!
!
!
ephone 12
 mac-address 000C.CE35.1B23
 type 7960
 button 1:12
!
!
!
ephone 13
 mac-address 0002.8A9B.0CE5
 type CIPC
 button 1:13

!
!
!
ephone 14
 mac-address 0003.47D8.C236
 type CIPC
 button 1:14
!
!
!
ephone 15
 mac-address 000C.CE35.1935
 type 7960
 button 1:15
!
!
!
ephone 16
 mac-address 0030.94C3.BE45
 type 7960
 button 1:16
!
!
!
ephone 17
!
!
!
ephone 18
!
!
!
ephone 19
!
!
!
ephone 20
!
!
!
ephone 21
!
!
!
line con 0
 authorization exec LOCAL
 stopbits 1
line aux 0
 stopbits 1
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line 258
 no activation-character

 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 exec-timeout 0 0
 password 7 04490E020D205E4107
line vty 5 8
 exec-timeout 0 0
 password 7 03165E0F040E334340
!
scheduler allocate 20000 1000
ntp clock-period 1079741
ntp master
ntp update-calendar
ntp server 10.68.10.80
ntp server 10.68.10.150
end
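The terminal-line stanzas that close this configuration carry settings worth reviewing before the example is reused: exec-timeout 0 0 disables the idle timeout, password 7 is a reversible encoding rather than a hash, and transport input all accepts every inbound protocol on the line. The following check is an added example, not part of the Cisco document; its function names are hypothetical and the hardened stanza is a constructed illustration.

```python
import re

# Line stanzas from the running configuration on this page, one command per
# line (lines 130 and 258 repeat the line 66 settings and are omitted here).
PAGE_CONFIG = """\
line con 0
 authorization exec LOCAL
 stopbits 1
line aux 0
 stopbits 1
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 exec-timeout 0 0
 password 7 04490E020D205E4107
line vty 5 8
 exec-timeout 0 0
 password 7 03165E0F040E334340
!
scheduler allocate 20000 1000
"""

# Constructed counterpart (assumption, not from the page): SSH only, a
# 10-minute idle timeout, and per-user logins instead of a shared line password.
HARDENED_CONFIG = """\
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
"""

# (check id, pattern matched against one stanza command, advice)
CHECKS = [
    ("idle-timeout-disabled", re.compile(r"exec-timeout 0 0"),
     "sessions never time out; set a finite exec-timeout"),
    ("type7-password", re.compile(r"password 7 \S+"),
     "type 7 is a reversible encoding; prefer per-user logins with hashed secrets"),
    ("transport-input-all", re.compile(r"transport input all"),
     "every inbound protocol is accepted; restrict to what the line needs"),
]


def parse_line_stanzas(config):
    """Return [(header, [commands])] for each top-level 'line ...' stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif raw.startswith(" ") and current:
            current[1].append(raw.strip())
        else:
            current = None  # "!" or another top-level command ends the stanza
    return stanzas


def lines_covered(header):
    """Number of terminal lines a header such as 'line vty 0 4' applies to."""
    m = re.fullmatch(r"line (?:[a-z]+ )?(\d+)(?: (\d+))?", header)
    if not m:
        return 1
    first = int(m.group(1))
    last = int(m.group(2) or first)
    return last - first + 1


def audit(config):
    """Return (header, lines covered, check id, advice); never echoes secrets."""
    findings = []
    for header, commands in parse_line_stanzas(config):
        for check_id, pattern, advice in CHECKS:
            if any(pattern.fullmatch(cmd) for cmd in commands):
                findings.append((header, lines_covered(header), check_id, advice))
    return findings


if __name__ == "__main__":
    for header, count, check_id, advice in audit(PAGE_CONFIG):
        print(f"{header} ({count} line(s)): {check_id}: {advice}")
```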

Verify

This section provides information you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output. In summary, use these commands:

• show telephony-service—Shows the IP telephony services available for Cisco CallManager server

• show ephone registered—Verifies IP phone registration occurring and lists information associated with each registered IP phone

• show commands for the voice gateway

– show voice port summary—Displays a summary of all voice ports

– show voip rtp connections—Displays VoIP RTP active connections

– show voip dsp—Displays DSP information

– show voice trace—Displays voice-channel configuration information for all DSP channels

– show voice call summary—Displays the call status for all voice ports

– show running-config—Displays the contents of the currently running configuration file

• show commands for CE

– show version—Displays information about the currently loaded CE software version along with hardware and device information

– show running-config—Displays the contents of the currently running configuration file

– show processes cpu—Displays detailed CPU utilization statistics (CPU use per process)

– show statistics wmt streamstat—Displays statistics for Windows Media Technologies (WMT) streaming connections

– show statistics wmt all—Displays all WMT statistics

• show and service commands on Cisco CME for Cisco Unity Express

– show interface service-engine—Displays the status of the service-engine interface

– service-module service-engine 4/0 status—Displays status of Cisco Unity Express

– service-module service-engine 4/0 session—Opens session with Cisco Unity Express

• show commands for Cisco Unity Express

– show running-config—Displays the contents of the currently running configuration file

– show voicemail mailboxes—Displays summary of mailbox owners and status

– show voicemail usage—Displays snapshot of voicemail system use

– show voicemail limits—Displays system limits for voicemail system

– show ccn application—Displays details about each configured application

– show ccn trigger—Displays the parameter values for all configured triggers

Representative output for each of these commands is presented in the verification summaries that follow.

Note: Relevant display output is highlighted as appropriate.

The following is an example of output for the show telephony-service command on the Cisco CME:

CCME-CUE-SJC# show telephony-service

CONFIG (Version=3.2)
=====================
Version 3.2
Cisco CallManager Express
For on-line documentation please see:
www.cisco.com/univercd/cc/td/doc/product/access/ip_ph/ip_ks/index.htm

ip source-address 10.1.152.9 port 2000
load 7910 P00403020214
load 7960-7940 P00303020214
max-ephones 27
max-dn 40
max-conferences 8
dspfarm units 0
dspfarm transcode sessions 0
max-redirect 5
dialplan-pattern 1 408902.... extension-length 5
voicemail 27749
mwi relay
mwi expires 99999
time-format 12
date-format mm-dd-yy
timezone 0 Greenwich Standard Time
secondary-dialtone 9
url services http://phone-xml.berbee.com/menu.xml
call-forward pattern .....
transfer-pattern .....
keepalive 30
timeout interdigit 5
timeout busy 10
timeout ringing 180
caller-id name-only: enable
system message CCME2 Cisco (MCEBU) Bldg 22
web admin system name cisco password 3800
web admin customer name cisco1 password 38001
edit DN through Web: enabled.
edit TIME through web: enabled.
Log (table parameters):
 max-size: 150

 retain-timer: 15
create cnf-files version-stamp 7960 Apr 12 2004 12:16:53
transfer-system full-consult
auto assign 1 to 27
fxo hook-flash
local directory service: enabled.

The following example illustrates output using the show ephone registered command:

CCME-CUE-SJC# show ephone registered

ephone-1 Mac:0003.4713.5554 TCP socket:[6] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:172.19.150.31 1649 CIPC keepalive 10410 max_line 8
button 1: dn 1 number 27725 CH1 IDLE CH2 IDLE

ephone-9 Mac:0006.D74B.15B3 TCP socket:[1] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:192.168.20.4 50475 Telecaster 7960 keepalive 39556 max_line 6
button 1: dn 9 number 27733 CH1 IDLE CH2 IDLE

ephone-15 Mac:000C.CE35.1935 TCP socket:[3] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:192.168.20.2 51961 Telecaster 7960 keepalive 39556 max_line 6
button 1: dn 15 number 27739 CH1 IDLE CH2 IDLE
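The registration check described above can be automated by reconciling the show ephone registered output with the MAC addresses in the ephone stanzas, which surfaces both phones that failed to register and registered devices that have no stanza. This is an added example, not part of the Cisco document; the function names are hypothetical, and the ephone-22 block is constructed sample data.

```python
import re

# Three ephone stanzas from the running configuration on this page.
CONFIG = """\
ephone 1
 mac-address 0003.4713.5554
!
ephone 8
 mac-address 000B.BE37.1AB1
!
ephone 9
 mac-address 0006.D74B.15B3
!
"""

# ephone-1 and ephone-9 are from the page's output; ephone-22 is constructed
# (documentation MAC and IP ranges) so the check has something to report.
SHOW_OUTPUT = """\
ephone-1 Mac:0003.4713.5554 TCP socket:[6] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:172.19.150.31 1649 CIPC keepalive 10410 max_line 8
button 1: dn 1 number 27725 CH1 IDLE CH2 IDLE

ephone-9 Mac:0006.D74B.15B3 TCP socket:[1] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:192.168.20.4 50475 Telecaster 7960 keepalive 39556 max_line 6
button 1: dn 9 number 27733 CH1 IDLE CH2 IDLE

ephone-22 Mac:0000.5E00.5301 TCP socket:[4] activeLine:0 REGISTERED
mediaActive:0 offhook:0 ringing:0 reset:0 reset_sent:0 paging 0 debug:0
IP:192.0.2.10 50001 CIPC keepalive 12 max_line 8
button 1: dn 22 number 27746 CH1 IDLE CH2 IDLE
"""

def normalize_mac(mac):
    """Return the hex digits of a MAC in lowercase, ignoring separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).lower()

def parse_configured_ephones(config):
    """Map ephone tag -> MAC from 'ephone N' / ' mac-address X' stanzas."""
    inventory, tag = {}, None
    for line in config.splitlines():
        header = re.fullmatch(r"ephone (\d+)", line.rstrip())
        mac = re.match(r"\s+mac-address (\S+)", line)
        if header:
            tag = int(header.group(1))
        elif mac and tag is not None:
            inventory[tag] = normalize_mac(mac.group(1))
        elif not line.startswith(" "):
            tag = None  # "!" or another top-level command closes the stanza
    return inventory

BLOCK_RE = re.compile(r"ephone-(\d+)\s+Mac:([0-9A-Fa-f.]+)")

def parse_registered(output):
    """Parse 'show ephone registered'; tolerates output with line breaks lost."""
    starts = [m.start() for m in BLOCK_RE.finditer(output)]
    phones = []
    for begin, end in zip(starts, starts[1:] + [len(output)]):
        block = output[begin:end]
        head = BLOCK_RE.match(block)
        state = re.search(r"activeLine:\d+\s+([A-Z_]+)", block)
        ip = re.search(r"IP:(\d+(?:\.\d+){3})", block)
        phones.append({
            "tag": int(head.group(1)),
            "mac": normalize_mac(head.group(2)),
            "state": state.group(1) if state else None,
            "ip": ip.group(1) if ip else None,
            "numbers": re.findall(r"dn\s+\d+\s+number\s+(\d+)", block),
        })
    return phones

def reconcile(inventory, registered):
    """Compare registered phones with the configured MAC inventory."""
    tag_by_mac = {mac: tag for tag, mac in inventory.items()}
    report = {"unknown": [], "tag_mismatch": [], "not_registered": []}
    seen = set()
    for phone in registered:
        if phone["state"] != "REGISTERED":
            continue
        expected = tag_by_mac.get(phone["mac"])
        if expected is None:
            report["unknown"].append(phone)  # MAC has no ephone stanza
            continue
        seen.add(phone["mac"])
        if expected != phone["tag"]:
            report["tag_mismatch"].append(phone)
    report["not_registered"] = sorted(
        tag for tag, mac in inventory.items() if mac not in seen)
    return report

if __name__ == "__main__":
    result = reconcile(parse_configured_ephones(CONFIG), parse_registered(SHOW_OUTPUT))
    for phone in result["unknown"]:
        print("unknown device:", phone["mac"], phone["ip"], phone["numbers"])
    print("configured but not registered:", result["not_registered"])
```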

The following is an example of output for the show voice port summary command on the branch office router:

3845-gw# show voice port summary

                                     IN       OUT
PORT      CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
========= == ============ ===== ==== ======== ======== ==
0/2/0:1   01 e&m-imd      up    dorm idle     idle     y
0/2/0:2   02 e&m-imd      up    dorm idle     idle     y
0/2/0:3   03 e&m-imd      up    dorm idle     idle     y
0/2/0:4   04 e&m-imd      up    dorm idle     idle     y
0/2/0:5   05 e&m-imd      up    dorm idle     idle     y
0/2/0:6   06 e&m-imd      up    dorm idle     idle     y
0/1/0     -- e&m-lmr      up    up   trunked  trunked  y
0/1/1     -- e&m-lmr      up    up   trunked  trunked  y
0/2/1:1   01 e&m-imd      up    up   trunked  trunked  y
0/2/1:2   02 e&m-imd      up    up   trunked  trunked  y
0/2/1:3   03 e&m-imd      up    up   trunked  trunked  y
0/2/1:4   04 e&m-imd      up    up   trunked  trunked  y
0/2/1:5   05 e&m-imd      up    up   trunked  trunked  y
0/2/1:6   06 e&m-imd      up    up   trunked  trunked  y
0/3/0     -- fxs-ls       up    dorm on-hook  idle     y
0/3/1     -- fxs-ls       up    dorm on-hook  idle     y
0/3/2     -- fxs-ls       up    dorm on-hook  idle     y
0/3/3     -- fxs-ls       up    dorm on-hook  idle     y
50/0/1    1  efxs         up    up   on-hook  idle     y
50/0/1    2  efxs         up    up   on-hook  idle     y
50/0/2    1  efxs         up    up   on-hook  idle     y
50/0/2    2  efxs         up    up   on-hook  idle     y
50/0/3    1  efxs         up    up   on-hook  idle     y
.
50/0/40   1  efxs         up    dorm on-hook  idle     y

The following is an example of output for the show voip rtp connections command on the branch office router:

3845-gw# show voip rtp connections

VoIP RTP active connections :
No. CallId dstCallId LocalRTP RmtRTP LocalIP     RemoteIP
1   2      1         32414    20480  10.1.153.42 239.192.17.191
2   4      3         28764    20480  10.1.153.42 239.192.17.192
3   6      5         16416    20480  10.1.153.42 239.192.17.191
4   8      7         27572    20480  10.1.153.42 239.192.17.192
5   1754   1753      16446    20480  10.1.153.42 239.192.17.195
6   1756   1755      31552    20480  10.1.153.42 239.192.17.195
7   1758   1757      16454    20480  10.1.153.42 239.192.17.195
8   1761   1760      16496    20480  10.1.153.42 239.192.17.195
Found 8 active RTP connections

The following is an example of output for the show voip dsp command on the branch office router:

3845-gw# show voip dsp

----------------------------FLEX VOICE CARD 0 ------------------------------
                           *DSP VOICE CHANNELS*
DSP   DSP             DSPWARE CURR  BOOT                        PAK  TX/RX
TYPE  NUM CH CODEC    VERSION STATE STATE   RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 013 01 g711ulaw 4.4.1   busy  idle      0  0 0/1/0     00    0 1/419970
C5510 013 02 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:2   02    0 15/420330
C5510 013 03 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:1   01    0 16/420130
C5510 013 04 g711ulaw 4.4.1   busy  idle      0  0 0/1/1     01    0 0/419879
C5510 013 05 None     4.4.1   busy  idle      0  0 0/2/0:3   03    0 0/14
C5510 013 06 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:3   03    0 1873/1655
C5510 014 01 None     4.4.1   busy  idle      0  0 0/2/0:4   04    0 0/14
C5510 014 02 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:6   06    0 1833/5379
C5510 014 03 None     4.4.1   busy  idle      0  0 0/2/0:5   05    0 0/14
C5510 014 04 None     4.4.1   busy  idle      0  0 0/2/0:6   06    0 0/14
C5510 014 05 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:5   05    0 1424/5334
C5510 014 06 g711ulaw 4.4.1   busy  idle      0  0 0/2/1:4   04    0 1402/5057
                         *DSP SIGNALING CHANNELS*
DSP   DSP             DSPWARE CURR  BOOT                        PAK  TX/RX
TYPE  NUM CH CODEC    VERSION STATE STATE   RST AI VOICEPORT TS ABRT PACK COUNT
===== === == ======== ======= ===== ======= === == ========= == ==== ============
C5510 013 01 {flex}   4.4.1   alloc idle      0  0 0/1/0     02    0 34/0
C5510 013 02 {flex}   4.4.1   alloc idle      0  0 0/1/1     02    0 35/0
C5510 013 03 {flex}   4.4.1   alloc idle      0  0 0/3/1     06    0 14/0
C5510 013 04 {flex}   4.4.1   alloc idle      0  0 0/3/0     06    0 14/0
C5510 013 05 {flex}   4.4.1   alloc idle      0  0 0/3/3     02    0 14/0
C5510 013 06 {flex}   4.4.1   alloc idle      0  0 0/3/2     02    0 14/0
C5510 013 07 {flex}   4.4.1   alloc idle      0  0 0/2/0:1   01    0 4/18
C5510 013 08 {flex}   4.4.1   alloc idle      0  0 0/2/0:2   02    0 4/18
C5510 013 09 {flex}   4.4.1   alloc idle      0  0 0/2/1:1   01    0 27/23
C5510 013 10 {flex}   4.4.1   alloc idle      0  0 0/2/1:2   02    0 27/23
C5510 013 11 {flex}   4.4.1   alloc idle      0  0 0/2/0:3   03    0 454/335
C5510 013 12 {flex}   4.4.1   alloc idle      0  0 0/2/0:4   04    0 465/341
C5510 013 13 {flex}   4.4.1   alloc idle      0  0 0/2/0:5   05    0 433/315
C5510 013 14 {flex}   4.4.1   alloc idle      0  0 0/2/0:6   06    0 421/307
C5510 013 15 {flex}   4.4.1   alloc idle      0  0 0/2/1:3   03    0 3969/3831
C5510 013 16 {flex}   4.4.1   alloc idle      0  0 0/2/1:4   04    0 4050/3933
C5510 014 01 {flex}   4.4.1   alloc idle      0  0 0/2/1:5   05    0 3819/3657
C5510 014 02 {flex}   4.4.1   alloc idle      0  0 0/2/1:6   06    0 3724/3553
------------------------END OF FLEX VOICE CARD 0 ----------------------------

The following is an example of output for the show voice trace command on the branch office router:

3845-gw# show voice trace 0/2/1:1

0/2/1:1 1
State Transitions: timestamp (state, event) -> (state, event) ...
42.808 (S_SETUP_INDICATED, E_CC_PROCEEDING) ->
42.808 (S_PROCEEDING, E_CC_CONNECT) ->

State Transitions: timestamp (state, event) -> (state, event) ...
42.808 (S_TRUNK_PEND, E_HTSP_EVENT_TIMER) ->
42.808 (S_TRUNK_PROC, E_HTSP_SETUP_ACK) ->
42.808 (S_TRUNK_PROC, E_HTSP_PROCEEDING) ->
42.808 (S_TRUNK_PROC, E_HTSP_VOICE_CUT_THROUGH) ->
42.808 (S_TRUNK_W_CONNECT, E_HTSP_CONNECT) ->

The following is an example of output for the show voice call summary command on the branch office router:

3845-gw# show voice call summary

PORT           CODEC    VAD VTSP STATE           VPM STATE
============== ======== === ==================== ======================
0/2/0:1.1      -        -   -                    EM_ONHOOK
0/2/0:2.2      -        -   -                    EM_ONHOOK
0/2/0:3.3      -        -   -                    EM_ONHOOK
0/2/0:4.4      -        -   -                    EM_ONHOOK
0/2/0:5.5      -        -   -                    EM_ONHOOK
0/2/0:6.6      -        -   -                    EM_ONHOOK
0/1/0          g711ulaw y   S_CONNECT            S_TRUNKED
0/1/1          g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:1.1      g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:2.2      g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:3.3      g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:4.4      g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:5.5      g711ulaw y   S_CONNECT            S_TRUNKED
0/2/1:6.6      g711ulaw y   S_CONNECT            S_TRUNKED
0/3/0          -        -   -                    FXSLS_ONHOOK
0/3/1          -        -   -                    FXSLS_ONHOOK
0/3/2          -        -   -                    FXSLS_ONHOOK
0/3/3          -        -   -                    FXSLS_ONHOOK
50/0/1 .1      -        -   -                    EFXS_ONHOOK
50/0/9 .1      -        -   -                    EFXS_ONHOOK
50/0/9 .2      -        -   -                    EFXS_ONHOOK

The following is an example of output for the show version command on the CE:

sjc22-13a-rb-CE3# show version

Application and Content Networking System Software (ACNS)
Copyright (c) 1999-2003 by Cisco Systems, Inc.
Application and Content Networking System Software Release 5.1.3 (build b15 Feb 13 2004)
Version: ce2636-sw-5.1.3

Compiled 17:52:07 Feb 13 2004 by test
Compile Time Options: PP SS

System was restarted on Tue Jan 1 00:01:12 1980.
The system has been up for 16 hours, 8 seconds.

The following is an example of output for the show running-config command on the CE:

sjc22-13a-rb-CE3# show running-config

hostname sjc22-13a-rb-CE3
!

http dns-cache serial-lookup
!
!
ip domain-name cisco.com
!
!
gui-server secure port 8002
!
!
interface FastEthernet external
 shutdown
 exit
interface FastEthernet internal
 exit
!
!
primary-interface FastEthernet 0/1
!
wmt license-key 92W5SNNNSULWCXN78
wmt accept-license-agreement
wmt max-concurrent-sessions 9
wmt mms allow extension asf none nsc wma wmv mp3
wmt broadcast alias-name lanka source mms://24.6.215.172/AAA
wmt enable
!
!
multicast accept-license-agreement
!
!
ip name-server 10.68.162.183
ip name-server 10.72.156.120
!
!
wccp router-list 1 10.1.152.249
wccp web-cache router-list-num 1
wccp version 2
!
!
!
!
!
!
!
!
username admin password 1 bVmDmMMmZAPjY
username admin privilege 15
!
!
authentication login local enable primary
authentication configuration local enable primary
!
!
cdm ip 10.86.46.81
cms enable
!
!
! End of ACNS configuration

The following is an example of output for the show processes cpu command on the CE:

sjc22-13a-rb-CE3# show processes cpu

CPU usage:   Current   Peak
    cpu:     96 %      100 %
CPU average usage since last reboot:
    cpu: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
   cpu0: 0.03% User, 7.28% System, 1.80% User(nice), 90.90% Idle
--------------------------------------------------------------------
 PID  STATE PRI User T SYS T  COMMAND
----- ----- --- ------ ------ --------------------
    1   S     0    744   4839 (init)
    2   R     0      0      0 (keventd)
    3   S    19      0      0 (ksoftirqd_CPU0)
    4   S     0      0      0 (kswapd)
    5   S     0      0      0 (bdflush)
    6   S     0      0      0 (kupdated)
  157   S     0      0      0 (streamd)
  197   S    10  30143   3926 (nodemgr)
  201   S    10      0      0 (syslogd)
  202   R    10    396    150 (dataserver)
  298   S     0      0      0 (kjournald)
  902   S    10    108     23 (ruby_disk)
 1494   S    10      2      1 (parser_server)
 1544   S    10      3      1 (su)

The following is an example of output for the show statistics wmt streamstat command on the CE:

sjc22-13a-rb-CE3# show statistics wmt streamstat

Detailed Stream Statistics
==========================

Incoming Streams:
=================
Bandwidth in Kbps, Duration in seconds

Type Transport Source  Pkts_Recd Bytes_Recd Duration BW  Server-IP    Filename Stream-Id
LIVE MMS(TCP)  RMT_MMS 807995    1165556557 44531    216 24.6.215.172 AAA      5878

Outgoing Streams:
=================
Client-IP     Type Transport Source  State Pkts_sent Bytes_sent Duration BW  Server-IP    Filename Stream-Id
10.21.96.174  LIVE HTTP      RMT_MMS Play  216441    312540804  11946    216 24.6.215.172 lanka    13830
10.21.81.206  LIVE MMS(UDP)  RMT_MMS Play  59505     85925220   3283     216 24.6.215.172 lanka    15639
10.21.88.96   LIVE HTTP      RMT_MMS Play  165227    238587788  9129     216 24.6.215.172 lanka    14402
10.21.113.252 LIVE MMS(UDP)  RMT_MMS Play  596188    860895472  32961    216 24.6.215.172 lanka    8644
10.21.116.124 LIVE HTTP      RMT_MMS Play  53848     77756512   3033     216 24.6.215.172 lanka    15682
10.21.115.95  LIVE MMS(UDP)  RMT_MMS Play  481970    695964680  26584    216 24.6.215.172 lanka    10694
10.21.65.223  LIVE MMS(UDP)  RMT_MMS Play  15883     22935052   878      216 24.6.215.172 lanka    16161
sjc22-13a-rb-CE3#

The following is an example of output for the show statistics wmt all command on the CE:

sjc22-13a-rb-CE3# show statistics wmt all

Unicast Requests Statistics
===========================
Total unicast requests received: 79
-------------------------------------

                                Total    % of Total Unicast Requests
                                --------------------------------------------

Streaming Requests served:         75     94.94%
Mcast nsc file Request:             0      0.00%
Requests error:                     0      0.00%

                                Total    % of Total Streaming Requests
                                ---------------------------------------------

By Type of Content
------------------
   Live content:                   75    100.00%
   On-Demand Content:               0      0.00%

By Transport Protocol
---------------------
   MMSU:                           32     42.67%
   MMST:                            1      1.33%
   HTTP:                           42     56.00%

By Source of Content
--------------------
   Local:                           0      0.00%
   Remote MMS:                     75    100.00%
   Remote HTTP:                     0      0.00%
   Multicast:                       0      0.00%

CDN-Related WMT Requests
--------------------
   CDN Content Hits:                0      0.00%
   CDN Content Misses:              0      0.00%
   CDN Content Live:                0      0.00%
   CDN Content Errors:              0      0.00%
Unicast Bytes Statistics
========================
Total unicast incoming bytes: 1178064843
---------------------------------
                                Total    % of Total Unicast Incoming Bytes
                                --------------------------------------------

By Type of Content
------------------
   Live content:           1178064843    100.00%
   On-Demand Content:               0      0.00%

By Transport Protocol
---------------------
   MMSU:                            0      0.00%
   MMST:                   1178064843    100.00%
   HTTP:                            0      0.00%

Unicast Bytes Statistics

========================
Total unicast outgoing bytes: 4698135144
---------------------------------
                                Total    % of Total Unicast Outgoing Bytes
                                --------------------------------------------

By Type of Content
------------------
   Live content:           4698135144    100.00%
   On-Demand Content:               0      0.00%

By Transport Protocol
---------------------
   MMSU:                   3148201513     67.01%
   MMST:                            0      0.00%
   HTTP:                   1549933631     32.99%

Unicast Savings Statistics
==========================
Total bytes saved: 3520070301
--------------------------
                                Total    % of Total Bytes Saved
                                --------------------------------------------
By Pre-positioned content:          0      0.00%
By Live-splitting:         3520070301    100.00%
By Cache-hit:                       0      0.00%

                                Total    % of Total Live Outgoing Bytes
                                --------------------------------------------
Live Splitting
--------------
   Incoming bytes:         1178064843     25.08%
   Outgoing bytes:         4698135144    100.00%
   Bytes saved:            3520070301     74.92%

                                Total    % of Bytes Cache Total
                                --------------------------------------------
Caching
-------
   Bytes cache-miss:                0      0.00%
   Bytes cache-hit:                 0      0.00%
   Bytes cache-total:               0      0.00%

   Bytes cache-bypassed:            0

                                Total    % of Req Cache Total
                                --------------------------------------------

Cacheable requests
------------------
   Req cache-miss:                  0      0.00%
   Req cache-hit:                   0      0.00%
   Req cache-partial-hit:           0      0.00%
   Req cache-total:                 0      0.00%

   Req cache-bypassed:             81

Objects not cached

------------------
   Cache bypassed: 81
   Exceed max-size: 0

Usage Summary
=============
Concurrent Unicast Client Sessions
----------------------------------
   Current: 8
   Max: 8

Concurrent Active Multicast Sessions
------------------------------------
   Current: 0
   Max: 0

Concurrent Remote Server Sessions
---------------------------------
   Current: 1
   Max: 1

Concurrent Unicast Bandwidth (Kbps)
-----------------------------------
   Current: 1734.120
   Max: 1734.120

Concurrent Multicast Out Bandwidth (Kbps)
-----------------------------------------
   Current: 0.000
   Max: 0.000

Concurrent Bandwidth to Remote Servers (Kbps)
---------------------------------------------
   Current: 216.765
   Max: 216.765

Error Statistics
================
   Total request errors: 0

Errors generated by this box
   Reach MAX connections: 0
   Reach MAX incoming bandwidth: 0
   Reach MAX outgoing bandwidth: 0
   Reach MAX incoming bit rate: 0
   Reach MAX outgoing bit rate: 0
   MMSU under wccp: 0
   MMSU not allowed: 0
   MMST not allowed: 0
   MMSU/T not allowed: 0
   HTTP not allowed: 0
   1st tcp pkt error, possible port scan: 0
   Illegal url: 0
   No socket: 0
   Cannot connect: 0
   Authentication fail: 0
   Remote server error: 0
   Client error: 0
   Internal error: 0
   Local vod file not found: 0
   Local vod file header corrupted: 0

   Local vod file data corrupted: 0
   Unknown error: 0

Errors generated by remote servers
   Reach MAX connections: 0
   Reach MAX bandwidth: 0
   Reach MAX bit rate: 0
   Illegal url: 0
   Invalid request: 0
   No socket: 0
   Cannot connect: 0
   Conection refused: 0
   Access deny: 0
   Invalid stream type: 0
   Remote server error: 0
   Remote timeout: 0
   Remote proxy error: 0
   File not found: 0
   File header corrupted: 0
   File data corrupted: 0
   Remote unknown error: 0

Authentication Retries from Clients: 0

WMT Rule Template Statistics
================
   URL Rewrite: 0
   Connection Reset: 0
   URL Block: 0
   No-Auth: 0
   No-Cache: 0
   Selective Cache: 0
   Allow: 0

WMT URL Filter Statistics
================
   URL Allowed: 0
   URL Filtered: 0

The following is an example of output for the show interface service-engine 4/0 command on the Cisco CME for Cisco Unity Express:

3845-gw# show interface service-engine 4/0

Service-Engine4/0 is up, line protocol is up
  Hardware is I82559FE, address is 000e.8335.7c30 (bia 000e.8335.7c30)
  Interface is unnumbered. Using address of Loopback2 (10.1.152.241)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:14, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     138507 packets input, 21920546 bytes, 0 no buffer
     Received 2237 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 input packets with dribble condition detected
     421216 packets output, 53661814 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

The following is an example of output for the service-module service-engine 4/0 status command on the Cisco CME for Cisco Unity Express:

3845-gw# service-module service-Engine 4/0 status

Service Module is Cisco Service-Engine4/0
Service Module supports session via TTY line 258
Service Module is in Steady state
Getting status from the Service Module, please wait..
cisco service engine 1.1

The following is an example of output for the service-module service-engine 4/0 session command on the Cisco CME for Cisco Unity Express:

3845-gw# service-module service-engine 4/0 session

Trying 10.1.152.241, 2258 ... Open

User Access Verification

Username: cisco
Password:
se-10-32-152-242#
se-10-32-152-242#

The following is an example of output for the show running-config command on Cisco Unity Express:

se-10-32-152-242# show running-config

Generating configuration:

clock timezone America/Los_Angeles

hostname se-10-32-152-242

ip domain-name cisco.com
ip name-server 10.64.2.113 10.64.11.48

ntp server 10.1.152.241

groupname Administrators create

username Ross create
username Rachel create
username Chandler create
username Monica create
username Jeshih create
username Mike create
username Phoebe create
username Cosmo create
username Jerry create
username George create
username Frank create
username Estelle create
username Ross phonenumber "27725"
username Rachel phonenumber "27726"
username chandler phonenumber "27727"
username Monica phonenumber "27728"
username Jeshih phonenumber "27729"
username Mike phonenumber "27730"
username Phoebe phonenumber "27731"
username Cosmo phonenumber "27732"
username Jerry phonenumber "27733"
username George phonenumber "27734"
username Frank phonenumber "27735"
username Estelle phonenumber "27736"

groupname Administrators member cisco
groupname Administrators privilege superuser
groupname Administrators privilege ManagePrompts

backup server url "ftp://127.0.0.1/ftp" credentials hidden "EWlTygcMhYmjazXhE/VNXHCkplVV4KjescbDaLa4fl4WLSPFvv1rWUnfGWTYHfmPSd8ZZNgd+Y9J3xlk2B35jwAAAAA="

ccn application autoattendant
 description "autoattendant"
 enabled
 maxsessions 8
 script "aa.aef"
 parameter "MaxRetry" "3"
 parameter "operExtn" "0"
 parameter "welcomePrompt" "AAWelcome.wav"
 end application

ccn application ciscomwiapplication
 description "ciscomwiapplication"
 enabled
 maxsessions 8
 script "setmwi.aef"

 parameter "strMWI_OFF_DN" "8000"
 parameter "strMWI_ON_DN" "8001"
 parameter "CallControlGroupID" "0"
 end application

ccn application promptmgmt
 description "promptmgmt"
 enabled
 maxsessions 1
 script "promptmgmt.aef"
 end application

ccn application voicemail
 description "voicemail"
 enabled
 maxsessions 8
 script "voicebrowser.aef"
 parameter "logoutUri" "http://localhost/voicemail/vxmlscripts/mbxLogout.jsp"
 parameter "uri" "http://localhost/voicemail/vxmlscripts/login.vxml"
 end application

ccn engine
 end engine

ccn subsystem jtapi
 ccm-manager address
 end subsystem

ccn subsystem sip
 gateway address "10.1.152.241"
 end subsystem

ccn trigger sip phonenumber 27748
 application "autoattendant"
 enabled
 locale "en_US"
 maxsessions 8
 end trigger

ccn trigger sip phonenumber 27749
 application "voicemail"
 enabled
 locale "en_US"
 maxsessions 8
 end trigger

ccn trigger sip phonenumber 27751
 application "promptmgmt"
 enabled
 locale "en_US"
 maxsessions 1
 end trigger

voicemail default expiration time 30
voicemail default language en_US
voicemail default mailboxsize 3000
voicemail recording time 900
voicemail default messagesize 60
voicemail operator telephone 0
voicemail capacity time 6000
voicemail mailbox owner "Ross" size 3000
 description "Ross mailbox"
 end mailbox

voicemail mailbox owner "Rachel" size 3000
 description "Rachel mailbox"
 end mailbox

voicemail mailbox owner "Chandler" size 3000
 description "Chandler mailbox"
 end mailbox

voicemail mailbox owner "Monica" size 3000
 description "Monica mailbox"
 end mailbox

voicemail mailbox owner "Jeshih" size 3000
 description "Jeshih mailbox"
 end mailbox

voicemail mailbox owner "Mike" size 3000
 description "Mike mailbox"
 end mailbox

voicemail mailbox owner "Phoebe" size 3000
 description "Phoebe mailbox"
 end mailbox

voicemail mailbox owner "Cosmo" size 3000
 description "Cosmo mailbox"
 end mailbox

voicemail mailbox owner "Jerry" size 3000
 description "Jerry mailbox"
 end mailbox

voicemail mailbox owner "George" size 3000
 description "George mailbox"
 end mailbox

voicemail mailbox owner "Frank" size 3000
 description "Frank mailbox"
 end mailbox

voicemail mailbox owner "Estelle" size 3000
 description "Estelle mailbox"
 end mailbox

end

The following is an example of output for the show voicemail mailboxes command on Cisco Unity Express:

se-10-32-152-242# show voicemail mailboxes

OWNER       MSGS NEW SAVED MSGTIME MBXSIZE USED
"Ross"      0    0   0     0       3000    0 %
"Rachel"    0    0   0     0       3000    0 %
"Chandler"  0    0   0     0       3000    0 %
"Monica"    3    3   0     142     3000    5 %
"Jeshih"    0    0   0     0       3000    0 %
"Mike"      0    0   0     0       3000    0 %
"Phoebe"    0    0   0     0       3000    0 %
"Cosmo"     0    0   0     0       3000    0 %
"Jerry"     0    0   0     0       3000    0 %
"George"    0    0   0     0       3000    0 %
"Frank"     0    0   0     0       3000    0 %
"Estelle"   0    0   0     0       3000    0 %

The following is an example of output for the show voicemail usage command on Cisco Unity Express:

se-10-32-152-242# show voicemail usage

personal mailboxes: 12
general delivery mailboxes: 0
orphaned mailboxes: 0
capacity of voicemail (minutes): 6000
allocated capacity (minutes): 600.0
message time used (seconds): 141
message count: 3
average message length (seconds): 47.0
greeting time used (seconds): 0
greeting count: 0
average greeting length (seconds): 0.0
total time used (seconds): 141
total time used (minutes): 2.3499999046325684
percentage used time (%): 1

The following is an example of output for the show voicemail limits command on Cisco Unity Express:

se-10-32-152-242# show voicemail limits

Default Mailbox Size (seconds): 3000
Default Caller Message Size (seconds): 60
Maximum Recording Size (seconds): 900
Default Message Age (days): 30
System Capacity (minutes): 6000
Default Prompt Language: en_US
Operator Telephone: 0

The following is an example of output for the show ccn application command on Cisco Unity Express:

se-10-32-152-242# show ccn application

Name: ciscomwiapplication
Description: ciscomwiapplication
Script: setmwi.aef
ID number: 0
Enabled: yes
Maximum number of sessions: 8
strMWI_OFF_DN: 8000
strMWI_ON_DN: 8001
CallControlGroupID: 0

Name: voicemail
Description: voicemail
Script: voicebrowser.aef
ID number: 1
Enabled: yes
Maximum number of sessions: 8
logoutUri: http://localhost/voicemail/vxmlscripts/mbxLogout.jsp
uri: http://localhost/voicemail/vxmlscripts/login.vxml

Name: autoattendant
Description: autoattendant
Script: aa.aef
ID number: 2
Enabled: yes
Maximum number of sessions: 8
MaxRetry: 3
operExtn: 0
welcomePrompt: AAWelcome.wav

Name: promptmgmt
Description: promptmgmt
Script: promptmgmt.aef
ID number: 3
Enabled: yes
Maximum number of sessions: 1

The following is an example of output for the show ccn trigger command on Cisco Unity Express:

se-10-32-152-242# show ccn trigger

Name: 27749
Type: SIP
Application: voicemail
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 8

Name: 27751
Type: SIP
Application: promptmgmt
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 1

Name: 27748
Type: SIP
Application: autoattendant
Locale: en_US
Idle Timeout: 10000
Enabled: yes
Maximum number of sessions: 8
se-10-32-152-242#

Verification Screens: Examples

The following display screen examples depict the graphical user interface for Cisco CallManager, Cisco CallManager Express (Cisco CME) and Cisco Unity Express for verification purposes. These screen examples are shown for your reference and are presented in the following sections:

• Cisco CallManager Screen Examples

• Cisco CME Screen Examples

• Cisco Unity Express Screen Examples

Cisco CallManager Screen Examples

The screen display example below shows Cisco CallManager Release 3.3(3) trunk configuration for a Cisco CME.

The screen display example below depicts media termination point (MTP) software configuration.

Cisco CME Screen Examples

The screen display example below identifies Cisco CallManager extensions.

The screen display example below provides details about Cisco CME phones.

Cisco Unity Express Screen Examples

The screen display example below lists voice mailboxes on Cisco Unity Express user configuration.

The screen display example below provides details about voice mailboxes on Cisco Unity Express.

The screen display example below depicts the Group Profile-Administrator display.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

See the following tech notes:

• IP Security Troubleshooting - Understanding and Using debug Commands

Troubleshooting Reference Documents and Commands

The following references and command recommendations offer guidance for troubleshooting Cisco CME-based Cisco Unity Express implementations.

Note Before issuing debug commands, see Important Information on Debug Commands.

For troubleshooting and debugging VoIP call basics, see the following document:

• http://www.cisco.com/warp/public/788/voip/voip_debugcalls.html

The following specific commands relate to troubleshooting VoIP calls:

• show dialplan number—This command is used to show which dial peer is reached when a particular telephone number is dialed.

• debug vtsp session—This command displays information to help you trace how the router interacts with the DSP based on the signalling indications from the signalling stack and requests from the application.

• debug vtsp dsp—This command displays the digits as they are received by the voice port.

• debug vtsp all—This command enables the following debug voice telephony service provider (VTSP) commands: debug vtsp session, debug vtsp error, and debug vtsp dsp.

• debug vpm signal—This command collects debug information only for signaling events. This command can also be useful in resolving problems with signaling to a PBX.

• debug voip ccapi—This command traces the execution path through the call control application programming interface (API), which serves as the interface between the call session application and the underlying network-specific software. You can use the output from this command to understand how calls are being handled by the router.

• debug vpm port—This command limits the debug output to a particular port. The debug output can be quite voluminous for a single port. A six-port chassis might create problems. Use this debug command with any or all of the other debug modes.

Related Information

For additional information about Cisco CallManager Express, go to:

• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html

For additional information about Cisco Unity Express, go to:

• http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html

Easy VPN Configuration Example

This document provides an Easy VPN (EzVPN) sample configuration, using Cisco 1800 series, Cisco 2800 series, and Cisco 3800 series routers.

Contents

• Introduction

• Before You Begin

• Configure

• Verify

• Troubleshoot

• Related Information

Introduction

This document provides a sample Easy VPN (or EzVPN) configuration with the following characteristics:

• All traffic between two client branch sites and headquarters passes through a Virtual Private Network (VPN) of IP Security (IPSec) encrypted tunnels.

• Techniques used include Internet Key Exchange (IKE) dead peer detection (DPD), split tunneling, and group policy on the server with Domain Name Server (DNS) information, Windows Information Name Service (WINS) information, domain name, and an IP address pool for clients.

• Headquarters uses an EzVPN concentrator, a Cisco 3800 series router, with an ATM interface.

• One branch uses a Cisco 2800 series router and employs a network-mode EzVPN client with a serial interface, while another branch uses a Cisco 1800 series router and uses client mode EzVPN with an SHDSL interface.

• The various show commands demonstrate configurations for the Internet Security Association Key Management Protocol (ISAKMP) and IPSec Security Associations (SAs) on the EzVPN concentrator, as well as IPSec client EzVPN status on the clients.

List of Terms

ATM—Asynchronous Transfer Mode. A connection switching protocol that organizes data into 53-byte cell units, transmitting them via digital signals. Each cell is processed asynchronously (hence the name) relative to the transmission or arrival of other cells within a single message. Cells are also queued before being transmitted in a multiplexing fashion. ATM can be used for many different services, including voice, video, or data.

DNS—Domain Name Server. Maps names to Internet Protocol (IP) addresses and addresses to names. Domain Name Servers maintain lists of domain name and IP address mappings.

DPD—Dead peer detection. An implementation of a client keepalive functionality, to check the availability of the VPN device on the other end of an IPSec tunnel.

IKE—Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or can be done by a certification authority (CA) service.

IPSec—IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

ISAKMP—Internet Security Association Key Management Protocol. A protocol for key exchange encryption and authentication. ISAKMP requires at least one pair of messages to be exchanged between two VPN-connected peers before a secure link can be established.

NETBEUI—NetBIOS extended user interface. A transport protocol associated with Microsoft-based networks. Unlike TCP/IP, NETBEUI is not a routable network protocol.

NetBIOS—Network Basic Input/Output System. A peer-to-peer low-level networking protocol dating back to the 1980s, NetBIOS links network operating systems with network hardware. NetBIOS is not routable and must be encapsulated with TCP/IP to pass through routers.

SA—Security association. This is a unidirectional channel negotiated by IPSec, with a pair of SAs required for two-way communication. SAs are used to index session keys and initialization vectors.

SHDSL—Symmetrical High-Speed Digital Subscriber Line. An implementation of DSL that operates at equal speeds in both transmission directions, at rates from 192 kbps to 2.3 Mbps.

WINS—Windows Internet Naming Service. A service in Microsoft-based networks that translates hostnames into IP addresses. Using NETBEUI protocol, it is also compatible with NetBIOS.

Before You Begin

The following are the requirements for using this configuration example.

Conventions

For more information on document conventions, see the Cisco Technical Tips Conventions.

2OL-6340-01

Components Used

The information in this document is based on these software and hardware versions:

• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, and with ATM access to the Internet

• At Branch 1, a Cisco 1841 router with a WIC-1SHDSL interface card installed, and with DSL access to the Internet

• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet

• For Cisco 1800 series routers and Cisco 2800 series routers: Cisco IOS Release 12.3(8)T4

• For Cisco 3800 series routers: Cisco IOS Release 12.3(11)T

• Advanced Enterprise Services feature set

The information presented in this document resulted from the use of devices in a specific lab setup and environment. All the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before you use it.

Note When configuring stateful failover for IPSec on the Cisco 2811 router, you may get the following message if there is no AIM-VPN module installed:

%crypto_ha_ipsec-4-crypto_ha_not_supported_by_hw 2811

Once an AIM-VPN module is installed in the Cisco 2811 router, this error message will no longer appear.

Related Products

This configuration can also be used with the following hardware:

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers

Configure

This section presents the information for configuring the features described in this document.

Note For additional information on the commands used in this document, use the Cisco IOS Command Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Configuration Tips

• Make sure that the tunnels work before you apply the crypto maps.

• Apply IPSec crypto maps to both the tunnel interface and the physical interface.

Network Diagram

This document uses the network setup shown in the following illustration:

Following are the callout terms and definitions for the diagram, identified by number:

1. Headquarters location

2. ATM link from the Headquarters router to the Internet

3. VPN tunnel through the Internet to Branch 1

4. VPN tunnel through the Internet to Branch 2

5. The Internet, represented by the cloud

6. DSL link from the Branch 1 router to the Internet

7. Serial link from the Branch 2 router to the Internet

8. Branch 1 location

9. Branch 2 location

The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:

• EzVPN server

• ATM access to the Internet

• Operating in a Cisco CallManager cluster

• Public IP address: 10.32.152.26

• Private IP address pool: 192.168.1.0/24

The Branch 1 location (callout 8) uses a Cisco 1841 router with these characteristics:

• EzVPN client using client mode

• DSL access to the Internet

• WIC-1SHDSL interface card installed

• Public IP address: 10.32.152.46

• Private IP address pool: 192.168.3.0/24

The Branch 2 location (callout 9) uses a Cisco 2811 router with these characteristics:

• EzVPN client using network mode

• Serial access to the Internet

• Public IP address: 10.32.150.46

• Private IP address pool: 192.168.3.1/24

Configurations

This example uses these configurations:

• Headquarters Office Configuration (Cisco 3845 Router)

• Branch 1 Router Configuration (Cisco 1841 Router)

• Branch 2 Router Configuration (Cisco 2811 Router)

Headquarters Office Configuration (Cisco 3845 Router)

EzVPN-Hub# show running-config

Building configuration...
Current configuration : 6824 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Hub
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXnGodPh8ZM/ka6k/9aO51
!
username admin secret 5 $1$cfjP$kKpB7e3pfKXfpK0RIqX/E.
username ezvpn-spoke2 secret 5 $1$vrSS$AhSPxEUnPOsSpJkGdzjXg/
username ezvpn-spoke1 secret 5 $1$VK0p$4D0YXNOtC6K7MR4/vinUL.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name cisco.com
ip audit notify log
ip audit po max-events 100

no ftp-server write-enable
voice-card 0
 no dspfarm
!
!--- IKE configuration
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group VPN1
 acl SPLIT_T
 ip access-list extended SPLIT_T
 permit ip 192.168.0.0 0.0.255.255 any
 key cisco123
 dns 192.168.168.183 192.168.226.120
 wins 192.168.179.89 192.168.2.87
 domain cisco.com
 pool VPN-POOL
 save-password
!
!--- IPSec configuration
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
!
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface ATM0/0/0
 description === public interface ===
 ip address 10.32.152.26 255.255.255.252
 ip pim sparse-dense-mode
 ip ospf network point-to-point
 no atm ilmi-keepalive
 pvc 10/100

  protocol ip 10.32.152.25 broadcast
 !
 crypto map INT_MAP
!
interface FastEthernet4/0
 no ip address
 shutdown
!
interface FastEthernet4/1
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/2
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/3
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/4
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/5
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/6
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/7
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/8
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/9
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/10
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/11
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/12
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/13
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/14
 switchport access vlan 10
 no ip address
!

interface FastEthernet4/15
 switchport access vlan 10
 no ip address
!
!-- Entries for FastEthernet 4/16 through 4/35 omitted for redundancy
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
interface GigabitEthernet4/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
!
ip local pool VPN-POOL 10.1.1.1 10.1.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
!
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login authentication USERLIST
!
!
end
!

Branch 1 Router Configuration (Cisco 1841 Router)

EzVPN-Spoke-1# show running-config

Building configuration.....
Current configuration : 4252 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational

enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkH/YyrP.
!
username admin password 7 0519030B234D5C0617
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool PRIVATE_DHCP
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name cisco.com
ip sap cache-timeout 30
ip ssh time-out 30
ip ids po max-events 100
no ftp-server write-enable
!
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
 connect auto
 group VPN1 key cisco123
 mode client
 peer 10.32.152.26
 username ezvpn-spoke1 password cisco1
!
interface FastEthernet0/0
 description === private interface ===
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn VPN1 inside
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
 pvc 0/35
  encapsulation aal5snap
 !
 pvc 8/35

  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description === public interface ===
 ip address 10.32.152.46 255.255.255.252
 ip pim sparse-dense-mode
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto ipsec client ezvpn VPN1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.45
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login authentication USERLIST
!
!
end

Branch 2 Router Configuration (Cisco 2811 Router)

EzVPN-Spoke-2# show running-config

Building configuration....
Current configuration : 4068 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Spoke-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpuEPg5s7ow/
!
username admin password 7 10481A110C07
memory-size iomem 25
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.3.1

!
ip dhcp pool PRIVATE_DHCP
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
!
!
no ip domain lookup
ip multicast-routing
ip ids po max-events 100
!
no ftp-server write-enable
voice-card 0
 no dspfarm
!
!--- IPSec configuration
!
crypto ipsec client ezvpn VPN1
 connect auto
 group VPN1 key cisco123
 mode network-extension
 peer 10.32.152.26
 username ezvpn-spoke2 password cisco2
!
interface FastEthernet0/0
 description === private interface ===
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn VPN1 inside
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 description === public interface ===
 ip address 10.32.150.46 255.255.255.252
 crypto ipsec client ezvpn VPN1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
!
ip http server
no ip http secure-server
!
control-plane
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login authentication USERLIST
!
end
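Added example (not part of the Cisco document): the Python code below cross-checks an Easy VPN remote profile against the hub configuration, covering the group name and key, the peer address, the Xauth username, and the pool, ACL and AAA lists that the hub's group and crypto map reference. HUB and SPOKE2 are abridged excerpts of the Headquarters and Branch 2 configurations above; the function names are hypothetical.

```python
import re

# Abridged excerpts of the hub and Branch 2 running-configs shown above.
HUB = """\
username ezvpn-spoke2 secret 5 $1$vrSS$AhSPxEUnPOsSpJkGdzjXg/
username ezvpn-spoke1 secret 5 $1$VK0p$4D0YXNOtC6K7MR4/vinUL.
aaa authentication login USER_AAA local
aaa authorization network GROUP_AAA local
crypto isakmp client configuration group VPN1
 acl SPLIT_T
 ip access-list extended SPLIT_T
 permit ip 192.168.0.0 0.0.255.255 any
 key cisco123
 pool VPN-POOL
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
interface ATM0/0/0
 ip address 10.32.152.26 255.255.255.252
 crypto map INT_MAP
ip local pool VPN-POOL 10.1.1.1 10.1.1.10
"""
SPOKE2 = """\
crypto ipsec client ezvpn VPN1
 connect auto
 group VPN1 key cisco123
 mode network-extension
 peer 10.32.152.26
 username ezvpn-spoke2 password cisco2
interface FastEthernet0/0
 crypto ipsec client ezvpn VPN1 inside
interface Serial0/0/0
 ip address 10.32.150.46 255.255.255.252
 crypto ipsec client ezvpn VPN1
"""

def blocks(cfg):
    """Map each top-level config line to its indented child lines."""
    out, kids = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                          # separators and !--- comments
        if raw[0].isspace():
            if kids is not None:
                kids.append(line)
        else:
            kids = out.setdefault(line, [])
    return out

def first(lines, pattern):
    """Group 1 of the first line that fully matches pattern, else None."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None

def names(lines, pattern):
    """Every group-1 capture of pattern across lines, as a set."""
    return {m.group(1) for m in (re.fullmatch(pattern, l) for l in lines) if m}

def check(hub_cfg, remote_cfg):
    """Return a list of hub/remote mismatches; an empty list means consistent."""
    hub, rem = blocks(hub_cfg), blocks(remote_cfg)
    hub_lines = [l for top, kids in hub.items() for l in [top] + kids]
    findings = []
    tunnel, prof = next(((t.split()[-1], k) for t, k in rem.items()
                         if t.startswith("crypto ipsec client ezvpn ")), (None, []))
    group = first(prof, r"group (\S+) key \S+")
    peer, user = first(prof, r"peer (\S+)"), first(prof, r"username (\S+) password \S+")
    hub_grp = hub.get(f"crypto isakmp client configuration group {group}")
    if hub_grp is None:
        findings.append(f"group {group} is not defined on the hub")
    else:
        if first(hub_grp, r"key (\S+)") != first(prof, r"group \S+ key (\S+)"):
            findings.append(f"group {group}: pre-shared key differs from the hub")
        pool, acl = first(hub_grp, r"pool (\S+)"), first(hub_grp, r"acl (\S+)")
        if pool and pool not in names(hub_lines, r"ip local pool (\S+) .*"):
            findings.append(f"group {group}: address pool {pool} is not defined")
        if acl and acl not in names(hub_lines, r"ip access-list extended (\S+)"):
            findings.append(f"group {group}: split-tunnel ACL {acl} is not defined")
    # The peer must be the address of a hub interface that carries a crypto map.
    map_addrs = {first(k, r"ip address (\S+) \S+") for t, k in hub.items()
                 if t.startswith("interface ") and first(k, r"(crypto map \S+)")}
    if peer not in map_addrs:
        findings.append(f"peer {peer} is not a hub interface with a crypto map")
    if user not in names(hub_lines, r"username (\S+) .*"):
        findings.append(f"Xauth user {user} is not defined on the hub")
    aaa = names(hub_lines, r"aaa (?:authentication login|authorization network) (\S+) .*")
    for ref in sorted(names(hub_lines, r"crypto map \S+ .* list (\S+)") - aaa):
        findings.append(f"crypto map references undefined AAA list {ref}")
    applied = [k for t, kids in rem.items() if t.startswith("interface ") for k in kids]
    for side, want in (("inside", f"crypto ipsec client ezvpn {tunnel} inside"),
                       ("outside", f"crypto ipsec client ezvpn {tunnel}")):
        if want not in applied:
            findings.append(f"tunnel {tunnel} is not applied to an {side} interface")
    return findings
```

Calling check(HUB, SPOKE2) returns an empty list for the configurations on this page; findings never include the key itself, only the fact that the two sides differ.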

Verify

This section provides instructions for verifying that your configuration works properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output. In summary:

• show crypto engine connections active—Shows the encrypted and decrypted packets.

• show crypto ipsec sa—Shows the phase 2 IPSec security associations for the hub.

• show crypto ipsec client ezvpn—Shows the phase 2 IPSec security associations for the EzVPN client.

• show crypto isakmp sa—Shows the phase 1 ISAKMP security associations.

One of the first indications of successful IPSec negotiation is a message displayed on the Virtual Private Network (VPN) concentrator console. Upon successful IPSec negotiation by the EzVPN clients, a message similar to the following is displayed on the VPN concentrator console, indicating the establishment of crypto connections to the remote EzVPN clients.

EzVPN-Hub#

*Feb 23 10:33:10.663: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.32.150.46:500 Id: VPN1
*Feb 23 10:33:37.439: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.32.152.46:500 Id: VPN1

The following examples show sample output for the show crypto ipsec sa and show crypto ipsec client ezvpn commands.

The following is sample output from the show crypto ipsec sa command, performed using the configuration on the EzVPN Hub location:

EzVPN-Hub# show crypto ipsec sa

interface: ATM0/0/0
    Crypto map tag: INT_MAP, local addr. 10.32.152.26

   protected vrf:
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.3/255.255.255.255/0/0)
   current_peer: 10.32.152.46:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.152.46
     path mtu 4470, media mtu 4470
     current outbound spi: EBA2AC93

     inbound esp sas:
      spi: 0xDBEB20(14412576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5131, flow_id: 11, crypto map: INT_MAP
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4570368/14331)
        ike_cookies: 787F69F1 41C7488D 92A37C71 AE8FEC38
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEBA2AC93(3953306771)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5132, flow_id: 12, crypto map: INT_MAP
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4570368/14331)
        ike_cookies: 787F69F1 41C7488D 92A37C71 AE8FEC38
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 10.32.150.46:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.150.46
     path mtu 4470, media mtu 4470
     current outbound spi: 59C46762

     inbound esp sas:
      spi: 0xA9344358(2838774616)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5129, flow_id: 9, crypto map: INT_MAP
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4574224/14292)
        ike_cookies: A479BC19 B6199FB9 E043AE83 9DECB0E8
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x59C46762(1506043746)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5130, flow_id: 10, crypto map: INT_MAP
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4574224/14292)
        ike_cookies: A479BC19 B6199FB9 E043AE83 9DECB0E8
        IV size: 8 bytes
        replay detection support: Y

outbound ah sas:

outbound pcp sas:

The following is sample output from the show crypto ipsec client ezvpn command, performed using the configuration on the EzVPN Spoke 1 location:

EzVPN-Spoke-1#show crypto ipsec client ezvpn

Easy VPN Remote Phase: 2

Tunnel name : VPN1
Inside interface list: FastEthernet0/0,
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.1.1.3
Mask: 255.255.255.255
DNS Primary: 192.168.168.183
DNS Secondary: 192.168.226.120
NBMS/WINS Primary: 192.168.179.89
NBMS/WINS Secondary: 192.168.2.87
Default Domain: cisco.com

The following is sample output from the show crypto ipsec client ezvpn command, performed using the configuration on the EzVPN Spoke 2 location:

EzVPN-Spoke-2#show crypto ipsec client ezvpn

Easy VPN Remote Phase: 2

Tunnel name : VPN1
Inside interface list: FastEthernet0/0,
Outside interface: Serial0/0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
DNS Primary: 192.168.168.183
DNS Secondary: 192.168.226.120
NBMS/WINS Primary: 192.168.179.89
NBMS/WINS Secondary: 192.168.2.87
Default Domain: cisco.com

Troubleshoot

This section provides information for troubleshooting your configuration.

See the following tech note:

• IP Security Troubleshooting - Understanding and Using debug Commands


Troubleshooting Commands

Note: Before issuing debug commands, please see Important Information on Debug Commands.

The following debug commands must be running on both IPSec routers (peers). Security associations must be cleared on both peers.

• debug crypto engine—Displays information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations.

• debug crypto ipsec—Displays the IPSec negotiations of phase 2.

• debug crypto ipsec client ezvpn—Displays the negotiation of the EzVPN client to the VPN concentrator.

• debug crypto isakmp—Displays the ISAKMP negotiations of phase 1.

• clear crypto ipsec client ezvpn—Clears an existing EzVPN connection.

• clear crypto isakmp—Clears the security associations for phase 1.

• clear crypto sa—Clears the security associations for phase 2.

The following is an example of output for the debug crypto ipsec client ezvpn command:

EzVPN-Spoke-1# debug crypto ipsec client ezvpn

*May 24 03:04:51.923: EZVPN(VPN1): New State: CONNECT_REQUIRED
!
!--- The following line shows the connection going down, not part of the debug output.
!
*May 24 03:04:51.923: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.32.152.26:500 Id: 10.32.152.26
!
!---Debug output resumes
!
*May 24 03:04:51.927: EZVPN(VPN1): Current State: CONNECT_REQUIRED
*May 24 03:04:51.927: EZVPN(VPN1): Event: CONNECT
*May 24 03:04:51.927: EZVPN(VPN1): ezvpn_connect_request
*May 24 03:04:51.927: EZVPN(VPN1): New State: READY
*May 24 03:04:51.999: EZVPN(VPN1): Current State: READY
*May 24 03:04:51.999: EZVPN(VPN1): Event: CONN_UP
*May 24 03:04:51.999: EZVPN(VPN1): ezvpn_conn_up 7F890E16 DB923EE3 67C9C0D2 7EE723AC
*May 24 03:04:51.999: EZVPN(VPN1): No state change
*May 24 03:04:52.007: EZVPN(VPN1): Current State: READY
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQUEST
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_xauth_request
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_parse_xauth_msg
*May 24 03:04:52.007: EZVPN: Attributes sent in xauth request message:
*May 24 03:04:52.007: XAUTH_USER_NAME_V2(VPN1):
*May 24 03:04:52.007: XAUTH_USER_PASSWORD_V2(VPN1):
*May 24 03:04:52.007: EZVPN(VPN1): send saved username ezvpn-spoke1 and password <omitted>
*May 24 03:04:52.007: EZVPN(VPN1): New State: XAUTH_REQ
*May 24 03:04:52.007: EZVPN(VPN1): Current State: XAUTH_REQ
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQ_INFO_READY
*May 24 03:04:52.007: EZVPN(VPN1): ezvpn_xauth_reply
*May 24 03:04:52.007: XAUTH_USER_NAME_V2(VPN1): ezvpn-spoke1
*May 24 03:04:52.011: XAUTH_USER_PASSWORD_V2(VPN1): <omitted>
*May 24 03:04:52.011: EZVPN(VPN1): New State: XAUTH_REPLIED
*May 24 03:04:52.023: EZVPN(VPN1): Current State: XAUTH_REPLIED
*May 24 03:04:52.023: EZVPN(VPN1): Event: XAUTH_STATUS
*May 24 03:04:52.023: EZVPN(VPN1): New State: READY
*May 24 03:04:52.039: EZVPN(VPN1): Current State: READY
*May 24 03:04:52.039: EZVPN(VPN1): Event: MODE_CONFIG_REPLY
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_mode_config
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_parse_mode_config_msg
*May 24 03:04:52.039: EZVPN: Attributes sent in message:
*May 24 03:04:52.039: Address: 10.1.1.4
*May 24 03:04:52.039: DNS Primary: 192.168.168.183
*May 24 03:04:52.039: DNS Secondary: 192.168.226.120
*May 24 03:04:52.039: NBMS/WINS Primary: 192.168.179.89
*May 24 03:04:52.039: NBMS/WINS Secondary: 192.168.2.87
*May 24 03:04:52.039: Split Tunnel List: 1
*May 24 03:04:52.039: Address : 192.168.0.0
*May 24 03:04:52.039: Mask : 255.255.0.0
*May 24 03:04:52.039: Protocol : 0x0
*May 24 03:04:52.039: Source Port: 0
*May 24 03:04:52.039: Dest Port : 0
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: SPLIT_DNS (0x7003)
*May 24 03:04:52.039: Default Domain: cisco.com
*May 24 03:04:52.039: Savepwd on
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: BACKUP_SERVER (0x7009)
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*May 24 03:04:52.039: EZVPN(VPN1): ezvpn_nat_config
*May 24 03:04:52.043: EZVPN(VPN1): New State: SS_OPEN
*May 24 03:04:52.047: EZVPN(VPN1): Current State: SS_OPEN
*May 24 03:04:52.047: EZVPN(VPN1): Event: SOCKET_READY
*May 24 03:04:52.047: EZVPN(VPN1): No state change
!
!--- The following line shows the connection coming up, not part of the debug output.
!
*May 24 03:04:52.075: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.32.152.26:500 Id: 10.32.152.26
!
!---Debug output resumes
!
*May 24 03:04:52.079: EZVPN(VPN1): Current State: SS_OPEN
*May 24 03:04:52.079: EZVPN(VPN1): Event: MTU_CHANGED
*May 24 03:04:52.079: EZVPN(VPN1): No state change
*May 24 03:04:52.079: EZVPN(VPN1): Current State: SS_OPEN
*May 24 03:04:52.079: EZVPN(VPN1): Event: SOCKET_UP
*May 24 03:04:52.079: ezvpn_socket_up
*May 24 03:04:52.079: EZVPN(VPN1): New State: IPSEC_ACTIVE
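The debug trace above can be reduced to the EzVPN client's state transitions, which is what you compare when a spoke does not reach IPSEC_ACTIVE. The following Python parser is an added example, not Cisco code; the function name summarize and the embedded samples (a subset of the lines above, plus a truncated copy as a failure case) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the debug lines shown above for tunnel VPN1.
SAMPLE = """\
*May 24 03:04:51.923: EZVPN(VPN1): New State: CONNECT_REQUIRED
*May 24 03:04:51.923: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.32.152.26:500 Id: 10.32.152.26
*May 24 03:04:51.927: EZVPN(VPN1): Current State: CONNECT_REQUIRED
*May 24 03:04:51.927: EZVPN(VPN1): Event: CONNECT
*May 24 03:04:51.927: EZVPN(VPN1): New State: READY
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQUEST
*May 24 03:04:52.007: EZVPN(VPN1): New State: XAUTH_REQ
*May 24 03:04:52.007: EZVPN(VPN1): Event: XAUTH_REQ_INFO_READY
*May 24 03:04:52.011: EZVPN(VPN1): New State: XAUTH_REPLIED
*May 24 03:04:52.023: EZVPN(VPN1): Event: XAUTH_STATUS
*May 24 03:04:52.023: EZVPN(VPN1): New State: READY
*May 24 03:04:52.039: EZVPN(VPN1): Event: MODE_CONFIG_REPLY
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: SPLIT_DNS (0x7003)
*May 24 03:04:52.039: EZVPN: Unknown/Unsupported Attr: BACKUP_SERVER (0x7009)
*May 24 03:04:52.043: EZVPN(VPN1): New State: SS_OPEN
*May 24 03:04:52.047: EZVPN(VPN1): Event: SOCKET_READY
*May 24 03:04:52.047: EZVPN(VPN1): No state change
*May 24 03:04:52.075: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.32.152.26:500 Id: 10.32.152.26
*May 24 03:04:52.079: EZVPN(VPN1): Event: SOCKET_UP
*May 24 03:04:52.079: EZVPN(VPN1): New State: IPSEC_ACTIVE
"""

# Constructed failure case: the same capture cut off after the XAUTH request.
STALLED = "\n".join(SAMPLE.splitlines()[:7])

TS = re.compile(r"^\*?\w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)$")
EZVPN = re.compile(r"^EZVPN\(([^)]+)\): (New State|Current State|Event): (\S+)")
UNSUPPORTED = re.compile(r"^EZVPN: Unknown/Unsupported Attr: (\S+) \(0x[0-9A-Fa-f]+\)")
SESSION = re.compile(r"^%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (UP|DOWN)")


def summarize(text, tunnel="VPN1"):
    """Rebuild the EzVPN client state machine for one tunnel from debug text."""
    state = event = first_ms = active_ms = None
    transitions, unsupported, session = [], [], []
    for raw in text.splitlines():
        m = TS.match(raw.strip())
        if not m:
            continue  # "!--- ..." comment lines and blanks carry no timestamp
        h, mi, s, ms, msg = m.groups()
        now = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        if first_ms is None:
            first_ms = now
        attr, sess, ez = UNSUPPORTED.match(msg), SESSION.match(msg), EZVPN.match(msg)
        if attr:
            unsupported.append(attr.group(1))
        elif sess:
            session.append(sess.group(1))
        elif ez and ez.group(1) == tunnel:
            kind, value = ez.group(2), ez.group(3)
            if kind == "Event":
                event = value
            elif kind == "Current State":
                state = value
            else:  # "New State": record the edge that was just taken
                transitions.append((state, event, value))
                state = value
                if value == "IPSEC_ACTIVE":
                    active_ms = now
    established = state == "IPSEC_ACTIVE"
    elapsed = None
    if established:
        # Timestamps carry no date arithmetic here; tolerate a midnight rollover.
        elapsed = (active_ms - first_ms) % 86_400_000
    return {
        "transitions": transitions,
        "path": [new for _, _, new in transitions],
        "final_state": state,
        "last_event": event,
        "established": established,
        "unsupported_attrs": unsupported,
        "session_status": session,
        "elapsed_ms": elapsed,
    }


if __name__ == "__main__":
    for label, text in (("complete", SAMPLE), ("stalled", STALLED)):
        r = summarize(text)
        print(label, "->", " > ".join(r["path"]))
        if not r["established"]:
            print("  stopped in", r["final_state"], "after event", r["last_event"])
```

When a capture ends in a state other than IPSEC_ACTIVE, the final_state and last_event fields show which phase of the negotiation to examine with the other debug commands listed above.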

Related Information

• Cisco IOS Wide-Area Networking Configuration Guide

• Cisco IOS Dial Technologies Configuration Guide

• Cisco IOS Security Configuration Guide

• Cisco IOS Interface and Hardware Component Configuration Guide

• Cisco Technical Assistance Center


Hoot and Holler over V3PN Configuration Example

This document provides a configuration example that illustrates a basic multicast-based voice application over a Cisco Virtual Private Network (VPN).

Contents

• Introduction

• Prerequisites

• Configure

• Verify

• Troubleshoot

• Related Information

Introduction

This document provides a configuration example for Cisco Voice and Video over VPN (V3PN). The voice application used in this example is Hoot and Holler, which is typically used in trading floor financial institutions for communications to branch offices. The configuration scenario emphasizes implementation of the quality of service (QoS) and VPN capabilities; the configuration has the following characteristics:

• All traffic between two client branch sites and headquarters passes through a VPN of IPSec-encrypted tunnels.

• This implementation of Cisco V3PN features the use of Protocol Independent Multicast (PIM) in Sparse Mode and Auto-RP. The routing protocol used to transport traffic is Open Shortest Path First (OSPF).

• The techniques used include Internet Key Exchange/Dead Peer Detection (IKE/DPD), split tunneling, and group policy on the server with Domain Name System (DNS) information, Windows Information Name Service (WINS) information, domain name, and an IP address pool for clients.

• Headquarters uses a Cisco 3800 series router with an ATM interface.


• One branch uses a Cisco 2800 series router and employs a serial interface, while another branch with a Cisco 2800 Series router uses a Symmetrical High-Speed Digital Subscriber Line (SHDSL) interface.

• The various show commands demonstrate configurations for the Internet Security Association Key Management Protocol (ISAKMP) and IP Security (IPSec) security associations (SA) on the concentrator, as well as status on the clients.

Prerequisites

The following sections provide information important to understand this configuration example. Read these sections before you continue with the configuration example:

• Conventions

• Requirements

• Related Products

• Components Used

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• At Headquarters, a Cisco 3845 router with a Cisco CallManager cluster, with ATM access to the Internet

• At Branch 1, a Cisco 2801 router with a WIC-SHDSL-V2 interface card installed, and with DSL access to the Internet

• At Branch 2, a Cisco 2811 router with a serial interface connection to the Internet

• Cisco IOS Release 12.3(11)T or later releases

• Advanced Enterprise Services feature set

The information presented in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

This configuration can also be used with the following hardware and software:

• Cisco 2800 series routers

• Cisco 3800 series routers

• For Cisco 2800 series routers, Cisco IOS Release 12.3(8)T4 or later releases. For Cisco 3800 series routers, Cisco IOS Release 12.3(11)T and later releases.


Conventions

For information on document conventions, see the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: For additional information on the commands used in this document, use the Cisco IOS Command Lookup tool. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Configuration Tips

• Make sure that the tunnels work before you apply the crypto maps.

• Apply IPSec crypto maps to both the tunnel interface and the physical interface.
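A check for the second tip, as an added example that is not part of the Cisco document: it parses the interface blocks of a running configuration and reports any tunnel whose crypto map is missing from the interface that sources the tunnel. The function names and both embedded configurations are constructed for this example; the first gives its tunnel source as an IP address, so the check resolves the address to the interface that owns it.

```python
# Constructed sample: tunnel source given as an IP address that belongs to
# Virtual-Template1, with the same crypto map on both interfaces.
GOOD = """\
interface Tunnel0
 ip unnumbered FastEthernet0/0
 tunnel source 10.32.153.34
 tunnel destination 10.32.152.26
 crypto map INT_CM
!
interface Virtual-Template1
 description === Public interface ===
 ip address 10.32.153.34 255.255.255.252
 crypto map INT_CM
!
"""

# Constructed faulty variant: the crypto map is missing on the physical interface.
BAD = """\
interface Tunnel0
 tunnel source Serial0/0/0
 tunnel destination 10.32.152.26
 crypto map INT_CM
!
interface Serial0/0/0
 ip address 10.32.150.46 255.255.255.252
 service-policy output LLQ
!
"""


def parse_interfaces(config):
    """Return {interface name: {"ip", "crypto_map", "tunnel_source"}} as found."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), {})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface block
        elif current is not None:
            words = line.split()
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                current["ip"] = words[2]
            elif words[:2] == ["crypto", "map"] and len(words) >= 3:
                current["crypto_map"] = words[2]
            elif words[:2] == ["tunnel", "source"] and len(words) >= 3:
                current["tunnel_source"] = words[2]
    return interfaces


def check_crypto_maps(config):
    """List tunnels whose crypto map is not also on the tunnel source interface."""
    ifs = parse_interfaces(config)
    by_ip = {cfg["ip"]: name for name, cfg in ifs.items() if "ip" in cfg}
    by_name = {name.lower(): name for name in ifs}
    findings = []
    for name, cfg in ifs.items():
        if not name.lower().startswith("tunnel"):
            continue
        cmap, src = cfg.get("crypto_map"), cfg.get("tunnel_source")
        if cmap is None:
            findings.append(f"{name}: no crypto map applied")
            continue
        if src is None:
            findings.append(f"{name}: no tunnel source configured")
            continue
        # The source may be an interface name or an address owned by one.
        phys = by_ip.get(src) or by_name.get(src.lower())
        if phys is None:
            findings.append(f"{name}: tunnel source {src} matches no interface")
        elif ifs[phys].get("crypto_map") != cmap:
            findings.append(f"{phys}: crypto map {cmap} from {name} is not applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_crypto_maps(cfg) or "ok")
```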

Network Diagram

This document uses the network setup shown in the diagram below.

[Figure: network diagram with numbered callouts 1 through 9]

Following are the callout terms and definitions for the diagram, identified by number:

1  Headquarters location
2  ATM link from the Headquarters router to the Internet
3  VPN tunnel through the Internet to Branch 1
4  The Internet, as represented by the cloud
5  VPN tunnel through the Internet to Branch 2
6  DSL link from the Branch 1 router to the Internet
7  Serial link from the Branch 2 router to the Internet
8  Branch 1 location
9  Branch 2 location

The Headquarters location (callout 1) uses a Cisco 3845 router with these characteristics:

• ATM access to the Internet

• Operating in a Cisco CallManager cluster

• Public IP address: 10.32.152.26

• Private IP address pool: 192.168.1.0/24

The Branch 1 location (callout 8) uses a Cisco 2801 router with these characteristics:

• DSL access to the Internet

• WIC-SHDSL-V2 interface card installed

• Public IP address: 10.32.153.32

• Private IP address pool: 192.168.2.0/24

The Branch 2 location (callout 9) uses a Cisco 2811 router with these characteristics:

• Serial access to the Internet

• Public IP address: 10.32.150.46/30

• Private IP address pool: 192.168.3.0/24

Configurations

This document uses the following configurations:

• Headquarters Office Configuration (Cisco 3845 Router)

• Branch 1 Router Configuration (Cisco 2801 Router)

• Branch 2 Router Configuration (Cisco 2811 Router)

Headquarters Office Configuration (Cisco 3845 Router)

HUB-R1# show running-config

Building configuration...

Current configuration : 9385 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec

service timestamps log datetime msec
service password-encryption
!
hostname HUB-R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$t8oN$hXmGodPh8ZM/ka6k/9aO51
!
username cisco secret 5 $1$cfjP$kKpBWe3pfKXfpK0RIqX/E.
no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate slot 3
no network-clock-participate slot 4
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
!
! ENABLE AAA AND USE LOCAL AUTHENTICATION FOR VPN CONNECTIONS
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
! CREATE DHCP POOL FOR INTERNAL CLIENTS ON VLAN 10
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LOCAL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
!
no ip domain lookup
ip domain name cisco.com
! ENABLE MULTICAST ROUTING
ip multicast-routing
ip ids po max-events 100
no ftp-server write-enable
voice-card 0
 no dspfarm
!
!
!
voice class permanent 1
 signal timing oos timeout 65535
 signal keepalive disabled
 signal sequence oos no-action
!
!
controller T1 0/2/0
 framing sf
 linecode ami
!
controller T1 0/2/1
 framing sf
 linecode ami


! CLASSIFY DIFFERENT QOS TRAFFIC, SETTING IP PRECEDENCE AND DSCP
!
class-map match-all data
 match ip precedence 2
class-map match-all control-traffic
 match ip dscp af31
class-map match-all video
 match ip precedence 4
class-map match-all voice
 match ip dscp ef
!
!
! ALLOCATE AVAILABLE BANDWIDTH FOR EACH QOS CLASSIFICATION, DEPENDING ON EXPECTED NEED
! FOR EXAMPLE, DSCP VALUE EF (CLASS VOICE) WILL BE GIVEN 35% OF THE BANDWIDTH
!
policy-map LLQ
 class control-traffic
  bandwidth percent 5
 class voice
  priority percent 35
 class video
  bandwidth percent 15
 class data
  bandwidth percent 20
 class class-default
  fair-queue
!
!
! SET THE IKE POLICY TO USE 3DES
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
!SPECIFY THAT ISAKMP CLIENTS (SPOKE ROUTERS) WILL NOT NEED TO USE XAUTH (USERNAME AND PASSWORD) WHEN CONNECTING
!
crypto isakmp key cisco address 10.32.150.46 no-xauth
crypto isakmp key cisco address 10.32.153.34 no-xauth
!
!
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
!
! DEFINE THE REMOTE SPOKES, THEIR IP ADDRESSES AND ANY POLICIES THAT NEED TO BE IMPLEMENTED
crypto map INT_CM 1 ipsec-isakmp
 description === Peer device = Branch-2 ===
 set peer 10.32.150.46
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM_1
 match address IPSEC_ACL_1
crypto map INT_CM 2 ipsec-isakmp
 description === Peer device = Branch-1 ===
 set peer 10.32.153.34
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM_1
 match address IPSEC_ACL_2
!
!
!


! CREATE TUNNELS TO THE SPOKE ROUTERS. THE MTU IS LOWERED TO ALLOW THE GRE AND IP-SEC HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE SPECIFIED
!
interface Tunnel0
 description === Peer device = Branch-2 ===
 bandwidth 10000
 ip unnumbered Vlan10
 ip mtu 1420
 ip pim sparse-dense-mode
 qos pre-classify
 tunnel source ATM1/0
 tunnel destination 10.32.150.46
 crypto map INT_CM
!
interface Tunnel1
 description === Peer device = Branch-1 ===
 bandwidth 10000
 ip unnumbered Vlan10
 ip mtu 1420
 ip pim sparse-dense-mode
 qos pre-classify
 tunnel source ATM1/0
 tunnel destination 10.32.153.34
 crypto map INT_CM
!
! THIS LOOPBACK INTERFACE ACTS AS THE MULTICAST RP
!
interface Loopback100
 ip address 192.168.4.1 255.255.255.255
 ip pim sparse-dense-mode
!
! THIS VIF INTERFACE IS USED AS THE MULTICAST SOURCE FOR THE VOICE ENDPOINT
interface Vif1
 ip address 192.168.6.1 255.255.255.0
 ip pim sparse-dense-mode
!
! NOT USED
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
! NOT USED
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
! INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 10/100 IS USED IN THIS EXAMPLE. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED HERE
interface ATM1/0
 description === Public interface ===
 bandwidth 155000


 ip address 10.32.152.26 255.255.255.252
 ip ospf network point-to-point
 no atm ilmi-keepalive
 crypto map INT_CM
 pvc 10/100
  protocol ip 10.32.152.25 broadcast
  vbr-rt 100000 100000
  service-policy output LLQ
 !
! PLACE ALL SWITCHPORT INTERFACES INTO VLAN 10
!
interface FastEthernet4/0
 switchport access vlan 10
 no ip address
!
interface FastEthernet4/1
 switchport access vlan 10
 no ip address
!
! ... REDUNDANT FAST ETHERNET CONFIGURATION OMITTED.
!
interface FastEthernet4/15
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet4/0
 no ip address
 shutdown
!
interface Vlan1
 no ip address
!
! INTERFACE FOR CONNECTING INTERNAL HOSTS.
!
interface Vlan10
 description === Private interface ===
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-dense-mode
!
! ENABLE ROUTING FOR ALL RELEVANT NETWORKS (INTERNAL USER SUBNET, LOOPBACK FOR RP AND VIF FOR VOICE)
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.4.1 0.0.0.0 area 0
 network 192.168.6.0 0.0.0.255 area 0
!
! DEFINE STATIC ROUTES SO THAT THE REMOTE NETWORKS STAY IN THE ROUTING TABLE, EVEN IF CONNECTION IS LOST
! THIS PREVENTS ROUTING TABLE FLAPS
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.152.25
ip route 192.168.2.0 255.255.255.0 Null0 249
ip route 192.168.3.0 255.255.255.0 Null0 249
!
ip http server
no ip http secure-server
!
! CONFIGURE AUTOMATIC DISCOVERY OF GROUP-TO-RENDEZVOUS POINT (AUTO-RP)
!
ip pim send-rp-announce Loopback100 scope 5
ip pim send-rp-discovery Loopback100 scope 5


! SPECIFY TRAFFIC TO BE ENCRYPTED (HERE IT'S ALL GRE TRAFFIC)
!
ip access-list extended IPSEC_ACL_1
 permit gre host 10.32.152.26 host 10.32.150.46
ip access-list extended IPSEC_ACL_2
 permit gre host 10.32.152.26 host 10.32.153.34
!
!
control-plane
!
!CONFIGURE THE VOICE PORT AND LINK IT TO DIAL-PEER 100. THIS CONNECTION IS PERMANENT. THE VOICE-CLASS WAS DEFINED EARLIER IN THE CONFIGURATION, AND ESTABLISHES AN 'ALWAYS ON' CONNECTION
!
voice-port 0/1/0
 voice-class permanent 1
 timeouts call-disconnect 3
 connection trunk 100
!
voice-port 0/1/1
!
!
!
!THIS DIAL-PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239.168.1.100. g711 CODEC (64k) IS USED, AND VAD IS ENABLED
!
dial-peer voice 100 voip
 destination-pattern 100
 session protocol multicast
 session target ipv4:239.168.1.100:19890
 codec g711ulaw
 vad aggressive
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login authentication USERLIST
!
end
!

Branch 1 Router Configuration (Cisco 2801 Router)

Branch-1# show running-config

Building configuration...

Current configuration : 6300 bytes
!
! Last configuration change at 03:11:55 UTC Sat Apr 17 2004
! NVRAM config last updated at 02:03:50 UTC Sat Apr 17 2004
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!


hostname Branch-1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
enable secret 5 $1$b7.Q$Y2x1UXyRifSStbkR/YyrP.
!
username cisco password 7 0519050B234D5C0617
memory-size iomem 20
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate wic 3
no network-clock-participate wic 4
no network-clock-participate wic 5
no network-clock-participate wic 6
no network-clock-participate wic 7
no network-clock-participate wic 8
no network-clock-participate aim 0
no network-clock-participate aim 1
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LOCAL
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
ip sap cache-timeout 30
ip ssh time-out 30
ip ids po max-events 100
no ftp-server write-enable
voice-card 0
!
!
no virtual-template subinterface
!
!
!
voice class permanent 1
 signal timing oos timeout 65535
 signal keepalive disabled
 signal sequence oos no-action
!
!
!
controller T1 3/0
 framing sf
 linecode ami


controller T1 3/1
 framing sf
 linecode ami
!
! CLASSIFY DIFFERENT QOS TRAFFIC, SETTING IP PRECEDENCE AND DSCP
!
class-map match-all data
 match ip precedence 2
class-map match-all control-traffic
 match ip dscp af31
class-map match-all video
 match ip precedence 4
class-map match-all voice
 match ip dscp ef
!
! ALLOCATE AVAILABLE BANDWIDTH FOR EACH QOS CLASSIFICATION, DEPENDING ON EXPECTED NEED
! FOR EXAMPLE, DSCP VALUE EF (CLASS VOICE) WILL BE GIVEN 35% OF THE BANDWIDTH
!
policy-map LLQ
 class control-traffic
  bandwidth percent 5
 class voice
  priority percent 35
 class video
  bandwidth percent 15
 class data
  bandwidth percent 20
 class class-default
  fair-queue
!
!
! SET THE IKE POLICY TO USE 3DES
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.32.152.26 no-xauth
!
!
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
!
! SPECIFY REMOTE PEER
!
crypto map INT_CM 1 ipsec-isakmp
 description === Peer device = HUB-R1 ===
 set peer 10.32.152.26
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM_1
 match address IPSEC_ACL_1
!
!
! CREATE TUNNEL TO THE HUB ROUTERS. THE MTU IS LOWERED TO ALLOW THE GRE AND IPSEC HEADER
! PIM SD IS ENABLED SO AS TO ALLOW MULTICAST, AND THE TUNNEL SOURCE AND DESTINATION ARE SPECIFIED
!
!
interface Tunnel0
 description === Peer device = HUB-R1 ===
 bandwidth 10000
 ip unnumbered FastEthernet0/0
 ip mtu 1420
 ip pim sparse-dense-mode


 qos pre-classify
 tunnel source 10.32.153.34
 tunnel destination 10.32.152.26
 crypto map INT_CM
!
! VIF INTERFACE FOR MULTICAST SOURCE ADDRESS (USED FOR VOICE MULTICAST)
!
interface Vif1
 ip address 192.168.7.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet0/0
 description === Private interface ===
 ip address 192.168.2.1 255.255.255.0
 ip pim sparse-dense-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! DSL INTERFACE CONNECTING TO THE PUBLIC NETWORK IN OUR SCENARIO
! ATM PVC 8/35 IS USED IN THIS EXAMPLE.
!
interface ATM2/0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
 pvc 0/35
  encapsulation aal5snap
 !
 pvc 8/35
  vbr-nrt 2000 1000
  encapsulation aal5mux ppp Virtual-Template1
 !
!
interface FastEthernet4/0
 no ip address
!
interface FastEthernet4/1
 no ip address
!
interface FastEthernet4/2
 no ip address
!
interface FastEthernet4/3
 no ip address
!
! LOGICAL INTERFACE FOR DSL LINK. THE PREVIOUSLY DEFINED LLQ QOS POLICY IS USED HERE
! PPP MULTILINK IS ENABLED SO INTERFACE CAN SUPPORT QOS
!
interface Virtual-Template1
 description === Public interface ===
 ip address 10.32.153.34 255.255.255.252
 service-policy output LLQ
 ppp multilink
 ppp multilink fragment delay 8
 ppp multilink interleave
 crypto map INT_CM


interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.7.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.153.33
ip route 192.168.1.0 255.255.255.0 Null0 249
!
ip http server
no ip http secure-server
!
! SPECIFY TRAFFIC TO BE ENCRYPTED (HERE IT'S ALL GRE TRAFFIC)
!
ip access-list extended IPSEC_ACL_1
 permit gre host 10.32.153.34 host 10.32.152.26
!
!
!
control-plane
!
!
!
! CONFIGURE THE VOICE PORT AND LINK IT TO DIAL-PEER 100. THIS CONNECTION IS PERMANENT. THE VOICE-CLASS WAS DEFINED EARLIER IN
! THE CONFIGURATION, AND ESTABLISHES AN 'ALWAYS ON' CONNECTION
!
voice-port 1/0
 voice-class permanent 1
 timeouts call-disconnect 3
 connection trunk 100
!
voice-port 1/1
!
voice-port 1/2
!
voice-port 1/3
!
!
!THIS DIAL-PEER CONNECTS THE VOICE PORT TO MULTICAST GROUP 239.168.1.100. g711 CODEC (64k) IS USED, AND VAD IS ENABLED
!
dial-peer voice 100 voip
 destination-pattern 100
 session protocol multicast
 session target ipv4:239.168.1.100:19890
 codec g711ulaw
 vad aggressive
!
!
!
line con 0
line aux 0
line vty 0 4
 login authentication USERLIST
!
end


Branch 2 Router Configuration (Cisco 2811 Router)

Branch-2# show running-config

Building configuration...

Current configuration : 5041 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Branch-2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9BB/$KP4mHUWzUxzpDEPg5s7ow/
!
username cisco password 7 10481A170C07
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login USERLIST local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool LOCAL
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
!
!
no ip domain lookup
ip domain name cisco.com
ip multicast-routing
ip audit notify log
ip audit po max-events 100
!
no ftp-server write-enable
voice-card 0
 no dspfarm
!
!
!
voice class permanent 1
 signal timing oos timeout 65535
 signal keepalive disabled
 signal sequence oos no-action
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2


crypto isakmp key cisco address 10.32.152.26 no-xauth
!
!
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
!
crypto map INT_CM 1 ipsec-isakmp
 description === Peer device = HUB-R1 ===
 set peer 10.32.152.26
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM_1
 match address IPSEC_ACL_1
!
!
!
class-map match-all data
 match ip precedence 2
class-map match-all control-traffic
 match ip dscp af31
class-map match-all video
 match ip precedence 4
class-map match-all voice
 match ip dscp ef
!
!
policy-map LLQ
 class control-traffic
  bandwidth percent 5
 class voice
  priority percent 35
 class video
  bandwidth percent 15
 class data
  bandwidth percent 20
 class class-default
  fair-queue
!
!
!
interface Tunnel0
 description === Peer device = HUB-R1 ===
 bandwidth 10000
 ip unnumbered FastEthernet0/0
 ip mtu 1420
 ip pim sparse-dense-mode
 qos pre-classify
 tunnel source Serial0/0/0
 tunnel destination 10.32.152.26
 crypto map INT_CM
!
interface Vif1
 ip address 192.168.5.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet0/0
 description === Private interface ===
 ip address 192.168.3.1 255.255.255.0
 ip pim sparse-dense-mode
 duplex auto
 speed auto
 no keepalive
!
!
!

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/3/0
 no ip address
 shutdown
!
interface FastEthernet0/3/1
 no ip address
 shutdown
!
interface FastEthernet0/3/2
 no ip address
 shutdown
!
interface FastEthernet0/3/3
 no ip address
 shutdown
!
interface Serial0/0/0
 description === Public interface ===
 ip address 10.32.150.46 255.255.255.252
 service-policy output LLQ
 crypto map INT_CM
!
interface Vlan1
 no ip address
!
router ospf 1
 log-adjacency-changes
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.5.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.32.150.45
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
no ip http secure-server
!
ip access-list extended IPSEC_ACL_1
 permit gre host 10.32.150.46 host 10.32.152.26
!
!
!
control-plane
!
!
voice-port 0/1/0
 voice-class permanent 1
 timeouts call-disconnect 3
 connection trunk 100
!
voice-port 0/1/1
!
!
!
dial-peer cor custom
!
!

dial-peer voice 100 voip
 destination-pattern 100
 session protocol multicast
 session target ipv4:239.168.1.100:19890
 codec g711ulaw
 vad aggressive
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 0002000E0D4B
 login authentication USERLIST
!
!
end
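The Branch-2 configuration above uses 3DES for IKE and ESP, Diffie-Hellman group 2, a five-character pre-shared key, type 7 (reversibly encoded) passwords, the plaintext HTTP server, and a console line with no idle timeout. The following Python audit is an added example, not part of the Cisco document; the rule names, the MIN_PSK_LEN threshold and HARDENED_SAMPLE (constructed, and dependent on what the IOS release supports) are assumptions of this example.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Excerpt of the Branch-2 configuration lines shown above.
BRANCH2_EXCERPT = """\
service password-encryption
username cisco password 7 10481A170C07
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.32.152.26 no-xauth
crypto ipsec transform-set TRANSFORM_1 esp-3des esp-sha-hmac
ip http server
no ip http secure-server
line con 0
 exec-timeout 0 0
line vty 0 4
 password 7 0002000E0D4B
 login authentication USERLIST
"""

# Constructed counter-example: the same sections with stronger settings.
HARDENED_SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
no ip http server
line con 0
 exec-timeout 10 0
"""

MIN_PSK_LEN = 16  # assumed policy threshold for this example


class Finding(NamedTuple):
    rule: str
    section: str
    command: str


# (rule id, pattern the enclosing section must match, pattern for the command itself)
RULES = [
    ("weak-ike-cipher", r"^crypto isakmp policy \d+$", r"^encr\w* (des|3des)$"),
    ("weak-dh-group", r"^crypto isakmp policy \d+$", r"^group [12]$"),
    ("weak-esp-cipher", r"^crypto ipsec transform-set ", r"\besp-(des|3des)\b"),
    ("type7-password", r"", r"\bpassword 7 [0-9A-F]+$"),
    ("http-server-enabled", r"", r"^ip http server$"),
    ("no-idle-timeout", r"^line ", r"^exec-timeout 0 0$"),
]
PSK = re.compile(r"^crypto isakmp key (?:([06]) )?(\S+) (?:address|hostname) ")


def walk(config: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, command); an indented command belongs to the last unindented line."""
    section = ""
    for raw in config.splitlines():
        command = raw.strip()
        if not command or command.startswith("!"):
            continue
        if not raw[0].isspace():
            section = command
        yield section, command


def audit(config: str) -> List[Finding]:
    findings = []
    for section, command in walk(config):
        for rule, section_pat, command_pat in RULES:
            if re.search(section_pat, section) and re.search(command_pat, command):
                findings.append(Finding(rule, section, command))
        psk = PSK.match(command)
        # Type 6 keys are stored encrypted, so their length says nothing about the secret.
        if psk and psk.group(1) != "6" and len(psk.group(2)) < MIN_PSK_LEN:
            findings.append(Finding("short-psk", section, command))
    return findings


if __name__ == "__main__":
    for f in audit(BRANCH2_EXCERPT):
        print(f"{f.rule:20} [{f.section}] {f.command}")
```

The section tracking matters for commands such as exec-timeout and group, which only mean something under their parent line or policy; the audit needs the configuration with its indentation intact.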

Verify

This section provides information you can use to confirm your configuration is working properly. The verification process includes two parts:

• Verify Headquarters Connectivity

• Verify Remote Location Connectivity

Verify Headquarters Connectivity

This section provides instructions for verifying that your configuration works properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

In summary:

• show crypto isakmp sa—Shows whether the remote routers have successfully connected.

• show crypto ipsec sa—Shows information about each IPSec SA.

• show ip ospf neighbor—Shows whether the router has Open Shortest Path First (OSPF) neighbors.

• show ip route—Shows whether the remote networks and multicast subnets are accessible (assess routing table).

• show ip pim neighbor—After a routing table is verified, shows whether a valid Protocol Independent Multicast (PIM) neighbor exists.

• show ip pim rp map—Shows whether the rendezvous point (RP) (in this instance, the router) is being correctly learned.

• show ip mroute active—Shows whether any active multicast streams exist (in this case, voice streams).

• show voice trunk-conditioning supervisory—Shows whether the voice port connection is up.

• show voip rtp connections—Presents the sources and destination of an RTP voice stream.

• show voice call summary—Shows information about a call (such as the codec being used or the state of the phone).

• show class-map—Displays the QoS marking scheme (such as voice traffic that is marked up). This defines it as a V3PN implementation.

• show policy-map interface atm 1/0 output—Shows how traffic has been queued on the ATM interface. Note that different queues have different packet counts because traffic is assigned on the basis of differentiated services code point (DSCP) and IP precedence values.

• show crypto engine brief—Shows the VPN engine currently being run.

Representative output from each of these commands is presented in the verification summaries that follow.

Note: Relevant display output is highlighted in bold text as appropriate.

The following is an output example for the show crypto isakmp sa command, performed using the configuration on the Headquarters router:

HUB-R1# show crypto isakmp sa

dst             src             state          conn-id slot
10.32.152.26    10.32.153.34    QM_IDLE             29    0
10.32.152.26    10.32.150.46    QM_IDLE             31    0

The following is an output example for the show crypto ipsec sa command, performed using the configuration on the Headquarters router:

HUB-R1# show crypto ipsec sa

interface: Tunnel0
 Crypto map tag: INT_CM, local addr. 10.32.152.26

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 174918, #pkts encrypt: 174918, #pkts digest: 174918
#pkts decaps: 126855, #pkts decrypt: 126855, #pkts verify: 126855
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.153.34
path mtu 1420, media mtu 1420
current outbound spi: 69111392

inbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5213, flow_id: 93, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508969241/10148)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5214, flow_id: 94, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508968340/10147)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 168329, #pkts encrypt: 168329, #pkts digest: 168329
#pkts decaps: 127676, #pkts decrypt: 127676, #pkts verify: 127676
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.150.46
path mtu 1420, media mtu 1420
current outbound spi: D3C362F0

inbound esp sas:
 spi: 0x4589EBE8(1166666728)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5219, flow_id: 99, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14207)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xC172073D(3245475645)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5221, flow_id: 101, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522107198/14206)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x2A87D473(713544819)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5220, flow_id: 100, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14205)

   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xD3C362F0(3552797424)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5222, flow_id: 102, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522107166/14204)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: Tunnel1
 Crypto map tag: INT_CM, local addr. 10.32.152.26

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 171877, #pkts encrypt: 171877, #pkts digest: 171877
#pkts decaps: 123829, #pkts decrypt: 123829, #pkts verify: 123829
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.153.34
path mtu 1420, media mtu 1420
current outbound spi: 69111392

inbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5213, flow_id: 93, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508970067/10208)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5214, flow_id: 94, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508969170/10207)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 165228, #pkts encrypt: 165228, #pkts digest: 165228
#pkts decaps: 124592, #pkts decrypt: 124592, #pkts verify: 124592
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.150.46
path mtu 1420, media mtu 1420
current outbound spi: D3C362F0

inbound esp sas:
 spi: 0x4589EBE8(1166666728)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5219, flow_id: 99, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14267)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xC172073D(3245475645)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5221, flow_id: 101, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522108046/14267)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x2A87D473(713544819)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5220, flow_id: 100, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14266)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xD3C362F0(3552797424)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5222, flow_id: 102, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522108025/14266)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: ATM1/0
 Crypto map tag: INT_CM, local addr. 10.32.152.26

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
current_peer: 10.32.153.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 172131, #pkts encrypt: 172131, #pkts digest: 172131
#pkts decaps: 124081, #pkts decrypt: 124081, #pkts verify: 124081
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 66, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.153.34
path mtu 1420, media mtu 1420
current outbound spi: 69111392

inbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5213, flow_id: 93, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508969984/10202)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5214, flow_id: 94, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508969108/10202)
   ike_cookies: DE2C7D5A FB6197B3 795753FB 41D07F6D
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

protected vrf:
local ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0)
current_peer: 10.32.150.46:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 165491, #pkts encrypt: 165491, #pkts digest: 165491
#pkts decaps: 124855, #pkts decrypt: 124855, #pkts verify: 124855
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0

local crypto endpt.: 10.32.152.26, remote crypto endpt.: 10.32.150.46
path mtu 1420, media mtu 1420
current outbound spi: D3C362F0

inbound esp sas:
 spi: 0x4589EBE8(1166666728)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5219, flow_id: 99, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14263)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xC172073D(3245475645)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5221, flow_id: 101, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522107974/14262)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0x2A87D473(713544819)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5220, flow_id: 100, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (528510577/14262)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y
 spi: 0xD3C362F0(3552797424)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5222, flow_id: 102, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (522107953/14261)
   ike_cookies: 59F8CBF0 5B2E8553 7D356DD4 F5DE05AD
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:
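The checks made by eye on the show crypto ipsec sa output above can be scripted. The following Python parser is an added example, not part of the Cisco document: it reads the output one protected vrf stanza at a time, whether wrapped or flattened onto one line, and confirms that ESP SAs exist in both directions, that the current outbound SPI is among the outbound SAs, and that traffic is returning. The function names, issue labels and the 1% send-error threshold are assumptions of this example, and NO_SA is a constructed failure case.

```python
import re

# Abridged from the HUB-R1 Tunnel0 output on this page (per-SA detail lines dropped).
HUB_R1_TUNNEL0 = """\
interface: Tunnel0
 protected vrf:
 current_peer: 10.32.153.34:500
 #pkts encaps: 174918, #pkts encrypt: 174918, #pkts digest: 174918
 #pkts decaps: 126855, #pkts decrypt: 126855, #pkts verify: 126855
 #send errors 66, #recv errors 0
 current outbound spi: 69111392
 inbound esp sas:
  spi: 0xD5823DEF(3582082543)
 inbound ah sas:
 outbound esp sas:
  spi: 0x69111392(1762726802)
 outbound ah sas:
 protected vrf:
 current_peer: 10.32.150.46:500
 #pkts encaps: 168329, #pkts encrypt: 168329, #pkts digest: 168329
 #pkts decaps: 127676, #pkts decrypt: 127676, #pkts verify: 127676
 #send errors 5, #recv errors 0
 current outbound spi: D3C362F0
 inbound esp sas:
  spi: 0x4589EBE8(1166666728)
  spi: 0xC172073D(3245475645)
 inbound ah sas:
 outbound esp sas:
  spi: 0x2A87D473(713544819)
  spi: 0xD3C362F0(3552797424)
 outbound ah sas:
"""

# Constructed failure case (not from the page): no SAs negotiated, packets dropped.
NO_SA = """\
 protected vrf:
 current_peer: 192.0.2.10:500
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 #send errors 40, #recv errors 0
 current outbound spi: 0
"""

STANZA = re.compile(r"protected vrf:(.*?)(?=protected vrf:|interface:|\Z)", re.S)
MAX_SEND_ERROR_RATIO = 0.01  # assumption of this example, not a Cisco threshold


def _num(pattern, text, base=10):
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else 0


def _spis(stanza, direction):
    """SPIs listed between '<direction> esp sas:' and '<direction> ah sas:'."""
    m = re.search(rf"{direction} esp sas:(.*?){direction} ah sas:", stanza, re.S)
    return [int(s, 16) for s in re.findall(r"spi: 0x([0-9A-Fa-f]+)", m.group(1))] if m else []


def parse_ipsec_sa(text):
    """Return one dict per 'protected vrf:' stanza of 'show crypto ipsec sa' output."""
    peers = []
    for stanza in STANZA.findall(text):
        peer = re.search(r"current_peer: ([\d.]+)", stanza)
        if not peer:
            continue
        peers.append({
            "peer": peer.group(1),
            "encaps": _num(r"#pkts encaps: (\d+)", stanza),
            "decaps": _num(r"#pkts decaps: (\d+)", stanza),
            "send_errors": _num(r"#send errors (\d+)", stanza),
            "recv_errors": _num(r"#recv errors (\d+)", stanza),
            "current_out": _num(r"current outbound spi: (?:0x)?([0-9A-Fa-f]+)", stanza, 16),
            "inbound": _spis(stanza, "inbound"),
            "outbound": _spis(stanza, "outbound"),
        })
    return peers


def check(p):
    issues = []
    if not p["inbound"] or not p["outbound"]:
        issues.append("missing-esp-sa")
    elif p["current_out"] not in p["outbound"]:
        issues.append("outbound-spi-mismatch")
    if p["encaps"] > 0 and p["decaps"] == 0:
        issues.append("one-way-traffic")
    if p["send_errors"] > MAX_SEND_ERROR_RATIO * p["encaps"]:
        issues.append("send-errors")
    return issues


if __name__ == "__main__":
    for p in parse_ipsec_sa(HUB_R1_TUNNEL0 + NO_SA):
        print(p["peer"], check(p) or "ok")
```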

The following is an output example for the show ip ospf neighbor command, performed using the configuration on the Headquarters router:

HUB-R1# show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address         Interface
192.168.7.1       0   FULL/ -    00:00:39    192.168.2.1     Tunnel1
192.168.5.1       0   FULL/ -    00:00:36    192.168.3.1     Tunnel0

The following is an output example for the show ip route command, performed using the configuration on the Headquarters router:

HUB-R1# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.32.152.25 to network 0.0.0.0

     192.168.4.0/32 is subnetted, 1 subnets
C       192.168.4.1 is directly connected, Loopback100
O    192.168.5.0/24 [110/11] via 192.168.3.1, 00:12:48, Tunnel0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.32.152.24/30 is directly connected, ATM1/0
C    192.168.6.0/24 is directly connected, Vif1
O    192.168.7.0/24 [110/11] via 192.168.2.1, 00:12:48, Tunnel1
C    192.168.1.0/24 is directly connected, Vlan10
O    192.168.2.0/24 [110/11] via 192.168.2.1, 00:12:50, Tunnel1
O    192.168.3.0/24 [110/11] via 192.168.3.1, 00:12:50, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.32.152.25

The following is an output example for the show ip pim neighbor command, performed using the configuration on the Headquarters router:

HUB-R1# show ip pim neighbor

PIM Neighbor Table
Neighbor          Interface     Uptime/Expires       Ver   DR
Address                                                    Prio/Mode
192.168.3.1       Tunnel0       00:13:52/00:01:40    v2    1 / S
192.168.2.1       Tunnel1       00:13:44/00:01:18    v2    1 / S

The following is an output example for the show ip pim rp map command, performed using the configuration on the Headquarters router:

HUB-R1# show ip pim rp map

PIM Group-to-RP Mappings
This system is an RP (Auto-RP)
This system is an RP-mapping agent (Loopback100)

Group(s) 224.0.0.0/4
  RP 192.168.4.1 (?), v2v1
    Info source: 192.168.4.1 (?), elected via Auto-RP
    Uptime: 2d02h, expires: 00:02:25

The following is an output example for the show ip mroute active command, performed using the configuration on the Headquarters router:

HUB-R1# show ip mroute active

Active IP Multicast Sources - sending >= 4 kbps

Group: 239.168.1.100, (?)
   Source: 192.168.5.2 (?)
     Rate: 0 pps/0 kbps(1sec), 0 kbps(last 0 secs), 2 kbps(life avg)
   Source: 192.168.7.2 (?)
     Rate: 0 pps/0 kbps(1sec), 80 kbps(last 40 secs), 2 kbps(life avg)

The following is an output example for the show voice trunk-conditioning supervisory command, performed using the configuration on the Headquarters router:

HUB-R1# show voice trunk-conditioning supervisory

SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
  status: trunk connected
  sequence oos : no-action
  pattern :
  timing : idle = 0, restart = 0, standby = 0, timeout = 65535
  supp_all = 0, supp_voice = 0, keep_alive = 0
  timer: oos_ais_timer = 0, timer = 0

The following is an output example for the show voip rtp connections command, performed using the configuration on the Headquarters router:

HUB-R1# show voip rtp connections

VoIP RTP active connections :
No. CallId  dstCallId  LocalRTP  RmtRTP  LocalIP       RemoteIP
1   16      15         20380     19890   192.168.6.2   239.168.1.100
Found 1 active RTP connections

The following is an output example for the show voice call summary command, performed using the configuration on the Headquarters router:

HUB-R1# show voice call summary

PORT           CODEC    VAD VTSP STATE           VPM STATE
============== ======== === ==================== ======================
0/1/0          g711ulaw  y  S_CONNECT            S_TRUNKED
0/1/1          -         -  -                    FXSLS_ONHOOK

The following is an output example for the show class-map command, performed using the configuration on the Headquarters router:

HUB-R1# show class-map

Class Map match-all control-traffic (id 1)
 Match ip dscp af31

Class Map match-any class-default (id 0)
 Match any

Class Map match-all video (id 3)
 Match ip precedence 4

Class Map match-all voice (id 2)
 Match ip dscp ef

The following is an output example for the show policy-map interface atm 1/0 output command, performed using the configuration on the Headquarters router:

HUB-R1# show policy-map interface atm 1/0 output

ATM1/0: VC 10/100 -

Service-policy output: LLQ

Class-map: control-traffic (match-all)
 180010 packets, 43922248 bytes
 5 minute offered rate 1000 bps, drop rate 0 bps

 Match: ip dscp af31
 Queueing
  Output Queue: Conversation 265
  Bandwidth 5 (%)
  Bandwidth 5000 (kbps) Max Threshold 64 (packets)
  (pkts matched/bytes matched) 89887/21932300
  (depth/total drops/no-buffer drops) 0/0/0

Class-map: voice (match-all)
 6485132 packets, 1893649352 bytes
 5 minute offered rate 0 bps, drop rate 0 bps
 Match: ip dscp ef
 Queueing
  Strict Priority
  Output Queue: Conversation 264
  Bandwidth 35 (%)
  Bandwidth 35000 (kbps) Burst 875000 (Bytes)
  (pkts matched/bytes matched) 147/42924
  (total drops/bytes drops) 48/14016

Class-map: video (match-all)
 0 packets, 0 bytes
 5 minute offered rate 0 bps, drop rate 0 bps
 Match: ip precedence 4
 Queueing
  Output Queue: Conversation 266
  Bandwidth 15 (%)
  Bandwidth 15000 (kbps) Max Threshold 64 (packets)
  (pkts matched/bytes matched) 0/0
  (depth/total drops/no-buffer drops) 0/0/0

Class-map: data (match-all)
 0 packets, 0 bytes
 5 minute offered rate 0 bps, drop rate 0 bps
 Match: ip precedence 2
 Queueing
  Output Queue: Conversation 267
  Bandwidth 20 (%)
  Bandwidth 20000 (kbps) Max Threshold 64 (packets)
  (pkts matched/bytes matched) 0/0
  (depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)
 97836 packets, 15410572 bytes
 5 minute offered rate 0 bps, drop rate 0 bps
 Match: any
 Queueing
  Flow Based Fair Queueing
  Maximum Number of Hashed Queues 256
  (total queued/total drops/no-buffer drops) 0/0/0

The following is an output example for the show crypto engine brief command, performed using the configuration on the Headquarters router:

HUB-R1# show crypto engine brief

crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Product Name: Onboard-VPN
FW Version: 01100200
Time running: 479742 seconds
Compression: Yes
DES: Yes

3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0500
Maximum SA index: 0500
Maximum Flow index: 1000
Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 77C943AD
crypto engine state: installed
crypto engine in slot: N/A

Verify Remote Location Connectivity

This section provides instructions for verifying that your configuration works properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

In general, the show commands that are used to verify remote location connectivity are the same as the commands used for the Headquarters router. See the “Verify Headquarters Connectivity” section for summaries of the show commands that are common to both Headquarters and branch verification. The following commands are used for the remote locations only:

• show policy-map interface virtual-access 4 output—Shows how traffic has been queued on the DSL interface (Branch 1). Note that different queues have different packet counts because traffic is assigned on the basis of DSCP and IP precedence values.

• show policy-map interface serial 0/0/0 output—Shows how traffic has been queued on the serial interface (Branch 2). Note that different queues have different packet counts because traffic is assigned on the basis of DSCP and IP precedence values.

Representative output for each of these commands is presented in the verification summaries that follow.

Note: Relevant display output is highlighted in bold text.

Example output is split into two sections:

• Verifying Branch 1 Router

• Verifying Branch 2 Router

Verifying Branch 1 Router

The following is an output example for the show crypto isakmp sa command, performed using the configuration on the Branch 1 router (DSL):

Branch-1# show crypto isakmp sa

dst             src             state          conn-id slot
10.32.152.26    10.32.153.34    QM_IDLE              4    0

The following is an output example for the show crypto ipsec sa command, performed using the configuration on the Branch 1 router:

Branch-1# show crypto ipsec sa

interface: Tunnel0
 Crypto map tag: INT_CM, local addr. 10.32.153.34

protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78341, #pkts encrypt: 78341, #pkts digest: 78341
#pkts decaps: 118387, #pkts decrypt: 118387, #pkts verify: 118387
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0

local crypto endpt.: 10.32.153.34, remote crypto endpt.: 10.32.152.26
path mtu 1420, media mtu 1420
current outbound spi: D5823DEF

inbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508937407/10703)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508938275/10702)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: Virtual-Template1
 Crypto map tag: INT_CM, local addr. 10.32.153.34

protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78380, #pkts encrypt: 78380, #pkts digest: 78380

#pkts decaps: 118426, #pkts decrypt: 118426, #pkts verify: 118426
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0

local crypto endpt.: 10.32.153.34, remote crypto endpt.: 10.32.152.26
path mtu 1420, media mtu 1420
current outbound spi: D5823DEF

inbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508937393/10702)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508938237/10700)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access3
 Crypto map tag: INT_CM, local addr. 10.32.153.34

protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78508, #pkts encrypt: 78508, #pkts digest: 78508
#pkts decaps: 118555, #pkts decrypt: 118555, #pkts verify: 118555
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0

local crypto endpt.: 10.32.153.34, remote crypto endpt.: 10.32.152.26
path mtu 1420, media mtu 1420
current outbound spi: D5823DEF

inbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }

   slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508937361/10700)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508938204/10697)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access4
 Crypto map tag: INT_CM, local addr. 10.32.153.34

protected vrf:
local ident (addr/mask/prot/port): (10.32.153.34/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0)
current_peer: 10.32.152.26:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 78628, #pkts encrypt: 78628, #pkts digest: 78628
#pkts decaps: 118675, #pkts decrypt: 118675, #pkts verify: 118675
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0

local crypto endpt.: 10.32.153.34, remote crypto endpt.: 10.32.152.26
path mtu 1420, media mtu 1420
current outbound spi: D5823DEF

inbound esp sas:
 spi: 0x69111392(1762726802)
   transform: esp-3des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM
   crypto engine type: Hardware, engine_id: 2
   sa timing: remaining key lifetime (k/sec): (508937328/10697)
   ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3
   IV size: 8 bytes
   replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
 spi: 0xD5823DEF(3582082543)
   transform: esp-3des esp-sha-hmac ,


in use settings ={Tunnel, } slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (508938172/10695) ike_cookies: 795753FB 41D07F6D DE2C7D5A FB6197B3 IV size: 8 bytes replay detection support: Y

outbound ah sas:

outbound pcp sas:

The following is an output example for the show ip ospf neighbor command, performed using the configuration on the Branch 1 router:

Branch-1# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:35    192.168.1.1     Tunnel0

The following is an output example from the show ip route command, performed using the configuration on the Branch 1 router:

Branch-1# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.32.153.33 to network 0.0.0.0

     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.1 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
O    192.168.5.0/24 [110/21] via 192.168.1.1, 00:33:28, Tunnel0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.32.153.33/32 is directly connected, Virtual-Access4
C       10.32.153.32/30 is directly connected, Virtual-Access3
                        is directly connected, Virtual-Access4
O    192.168.6.0/24 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
C    192.168.7.0/24 is directly connected, Vif1
O    192.168.1.0/24 [110/11] via 192.168.1.1, 00:33:28, Tunnel0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
O    192.168.3.0/24 [110/21] via 192.168.1.1, 00:33:28, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.32.153.33

The following is an output example for the show ip pim neighbor command, performed using the configuration on the Branch 1 router:

Branch-1# show ip pim neighbor

PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.1.1       Tunnel0                  00:20:59/00:01:25 v2    1 / S

The following is an output example for the show ip pim rp mapping command, performed using the configuration on the Branch 1 router:

Branch-1# show ip pim rp mapping


PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4 RP 192.168.4.1 (?), v2v1 Info source: 192.168.4.1 (?), elected via Auto-RP Uptime: 00:20:28, expires: 00:02:23

The following is an output example for the show ip mroute active command, performed using the configuration on the Branch 1 router:

Branch-1# show ip mroute active

Active IP Multicast Sources - sending >= 4 kbps

Group: 239.168.1.100, (?) Source: 192.168.5.2 (?) Rate: 0 pps/0 kbps(1sec), 80 kbps(last 10 secs), 7 kbps(life avg) Source: 192.168.7.2 (?) Rate: 0 pps/0 kbps(1sec), 80 kbps(last 10 secs), 7 kbps(life avg)

The following is an output example for the show voice trunk-conditioning supervisory command, performed using the configuration on the Branch 1 router:

Branch-1# show voice trunk-conditioning supervisory

SLOW SCAN
1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
  status: trunk connected
  sequence oos : no-action
  pattern :
  timing : idle = 0, restart = 0, standby = 0, timeout = 65535
  supp_all = 0, supp_voice = 0, keep_alive = 0
  timer: oos_ais_timer = 0, timer = 0

The following is an output example for the show voip rtp connections command, performed using the configuration on the Branch 1 router:

Branch-1# show voip rtp connections

VoIP RTP active connections :
No. CallId     dstCallId  LocalRTP RmtRTP     LocalIP                RemoteIP
1     4          3          31156    19890      192.168.7.2            239.168.1.100
Found 1 active RTP connections

The following is an output example for the show voice call summary command, performed using the configuration on the Branch 1 router:

Branch-1# show voice call summary

PORT           CODEC    VAD VTSP STATE           VPM STATE
============== ======== === ==================== ======================
1/0            g711ulaw  y  S_CONNECT            S_TRUNKED
1/1            -         -  -                    FXSLS_ONHOOK
1/2            -         -  -                    FXSLS_ONHOOK
1/3            -         -  -                    FXSLS_ONHOOK

The following is an output example for the show class-map command, performed using the configuration on the Branch 1 router:

Branch-1# show class-map

Class Map match-all control-traffic (id 1) Match ip dscp af31


Class Map match-any class-default (id 0) Match any

Class Map match-all video (id 3) Match ip precedence 4

Class Map match-all voice (id 2) Match ip dscp ef

The following is an output example for the show policy-map interface virtual-access 4 output command, performed using the configuration on the Branch 1 router:

Branch-1# show policy-map interface virtual-access 4 output

Virtual-Access4

Service-policy output: LLQ

Class-map: control-traffic (match-all) 45166 packets, 10659176 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip dscp af31 Queueing Output Queue: Conversation 265 Bandwidth 5 (%) Bandwidth 50 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0

Class-map: voice (match-all) 3241999 packets, 920726516 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip dscp ef Queueing Strict Priority Output Queue: Conversation 264 Bandwidth 35 (%) Bandwidth 350 (kbps) Burst 8750 (Bytes) (pkts matched/bytes matched) 3217794/913852296 (total drops/bytes drops) 0/0

Class-map: video (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip precedence 4 Queueing Output Queue: Conversation 267 Bandwidth 15 (%) Bandwidth 150 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0

Class-map: data (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip precedence 2 Queueing Output Queue: Conversation 266 Bandwidth 20 (%) Bandwidth 200 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any)


41789 packets, 6646861 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any Queueing Flow Based Fair Queueing Maximum Number of Hashed Queues 256 (total queued/total drops/no-buffer drops) 0/0/0

The following is an output example for the show crypto engine brief command, performed using the configuration on the Branch 1 router:

Branch-1# show crypto engine brief

crypto engine name: Virtual Private Network (VPN) Module crypto engine type: hardware State: Enabled VPN Module in slot: 0 Product Name: AIM-VPN/BPII Software Serial #: 55AA Device ID: 0014 - revision 0002 Vendor ID: 13A3 Revision No: 0x00140002 VSK revision: 0 Boot version: 255 DPU version: 0 HSP version: 2.2(21) (ALPHA) Time running: 0 Seconds Compression: Yes DES: Yes 3 DES: Yes AES CBC: Yes (128,192,256) AES CNTR: No Maximum buffer length: 4096 Maximum DH index: 1000 Maximum SA index: 1000 Maximum Flow index: 2000 Maximum RSA key size: 2048

crypto engine name: Cisco VPN Software Implementation crypto engine type: software serial number: 70107010 crypto engine state: installed crypto engine in slot: N/A

Verifying Branch 2 Router

The following is an output example for the show crypto isakmp sa command, performed using the configuration on the Branch 2 router (serial):

Branch-2# show crypto isakmp sa

dst             src             state          conn-id slot
10.32.152.26    10.32.150.46    QM_IDLE              3    0

The following is an output example for the show crypto ipsec sa command, performed using the configuration on the Branch 2 router:

Branch-2# show crypto ipsec sa

interface: Tunnel0 Crypto map tag: INT_CM, local addr. 10.32.150.46


protected vrf: local ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0) current_peer: 10.32.152.26:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 1706, #pkts encrypt: 1706, #pkts digest: 1706 #pkts decaps: 1715, #pkts decrypt: 1715, #pkts verify: 1715 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 10, #recv errors 0

local crypto endpt.: 10.32.150.46, remote crypto endpt.: 10.32.152.26 path mtu 1420, media mtu 1420 current outbound spi: C172073D

inbound esp sas: spi: 0x2A87D473(713544819) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (508372675/14364) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y spi: 0xD3C362F0(3552797424) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5153, flow_id: 33, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (521045477/14364) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x4589EBE8(1166666728) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (508372675/14364) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y spi: 0xC172073D(3245475645) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5154, flow_id: 34, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (521045458/14363) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y

outbound ah sas:

outbound pcp sas:

interface: Serial0/0/0


Crypto map tag: INT_CM, local addr. 10.32.150.46

protected vrf: local ident (addr/mask/prot/port): (10.32.150.46/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (10.32.152.26/255.255.255.255/47/0) current_peer: 10.32.152.26:500 PERMIT, flags={origin_is_acl,} #pkts encaps: 1864, #pkts encrypt: 1864, #pkts digest: 1864 #pkts decaps: 1874, #pkts decrypt: 1874, #pkts verify: 1874 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 10, #recv errors 0

local crypto endpt.: 10.32.150.46, remote crypto endpt.: 10.32.152.26 path mtu 1420, media mtu 1420 current outbound spi: C172073D

inbound esp sas: spi: 0x2A87D473(713544819) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5151, flow_id: 31, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (508372675/14361) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y spi: 0xD3C362F0(3552797424) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5153, flow_id: 33, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2Branch-2# sa timing: remaining key lifetime (k/sec): (521045425/14360) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x4589EBE8(1166666728) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5152, flow_id: 32, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (508372675/14360) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y spi: 0xC172073D(3245475645) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } slot: 0, conn id: 5154, flow_id: 34, crypto map: INT_CM crypto engine type: Hardware, engine_id: 2 sa timing: remaining key lifetime (k/sec): (521045411/14359) ike_cookies: 7D356DD4 F5DE05AD 59F8CBF0 5B2E8553 IV size: 8 bytes replay detection support: Y

outbound ah sas:

outbound pcp sas:


The following is an output example for the show ip ospf neighbor command, performed using the configuration on the Branch 2 router:

Branch-2# show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.1       0   FULL/  -        00:00:37    192.168.1.1     Tunnel0

The following is an output example for the show ip route command, performed using the configuration on the Branch 2 router:

Branch-2# show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.32.150.45 to network 0.0.0.0

     192.168.4.0/32 is subnetted, 1 subnets
O       192.168.4.1 [110/11] via 192.168.1.1, 00:31:10, Tunnel0
C    192.168.5.0/24 is directly connected, Vif1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.32.150.44/30 is directly connected, Serial0/0/0
O    192.168.6.0/24 [110/11] via 192.168.1.1, 00:31:10, Tunnel0
O    192.168.7.0/24 [110/21] via 192.168.1.1, 00:31:10, Tunnel0
O    192.168.1.0/24 [110/11] via 192.168.1.1, 00:31:11, Tunnel0
O    192.168.2.0/24 [110/21] via 192.168.1.1, 00:31:11, Tunnel0
C    192.168.3.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.32.150.45
               is directly connected, Serial0/0/0

The following is an output example for the show ip pim neighbor command, performed using the configuration on the Branch 2 router:

Branch-2# show ip pim neighbor

PIM Neighbor Table
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
192.168.1.1       Tunnel0                  00:31:52/00:01:26 v2    1 / S

The following is an output example for the show ip pim rp mapping command, performed using the configuration on the Branch 2 router:

Branch-2# show ip pim rp mapping

PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4 RP 192.168.4.1 (?), v2v1 Info source: 192.168.4.1 (?), elected via Auto-RP Uptime: 2d03h, expires: 00:02:47

The following is an output example for the show ip mroute active command, performed using the configuration on the Branch 2 router:

Branch-2# show ip mroute active

Active IP Multicast Sources - sending >= 4 kbps


Group: 239.168.1.100, (?) Source: 192.168.5.2 (?) Rate: 50 pps/80 kbps(1sec), 80 kbps(last 10 secs), 2 kbps(life avg) Source: 192.168.7.2 (?) Rate: 50 pps/80 kbps(1sec), 80 kbps(last 30 secs), 2 kbps(life avg)

The following is an output example for the show voice trunk-conditioning supervisory command, performed using the configuration on the Branch 2 router:

Branch-2# show voice trunk-conditioning supervisory

SLOW SCAN
0/1/0 : state : TRUNK_SC_CONNECT, voice : on, signal : on ,master
  status: trunk connected
  sequence oos : no-action
  pattern :
  timing : idle = 0, restart = 0, standby = 0, timeout = 65535
  supp_all = 0, supp_voice = 0, keep_alive = 0
  timer: oos_ais_timer = 0, timer = 0

The following is an output example for the show voip rtp connections command, performed using the configuration on the Branch 2 router:

Branch-2# show voip rtp connections

VoIP RTP active connections :
No. CallId     dstCallId  LocalRTP RmtRTP     LocalIP                RemoteIP
1     9          8          18618    19890      192.168.5.2            239.168.1.100
Found 1 active RTP connections

The following is an output example for the show voice call summary command, performed using the configuration on the Branch 2 router:

Branch-2# show voice call summary

PORT           CODEC    VAD VTSP STATE           VPM STATE
============== ======== === ==================== ======================
0/1/0          g711ulaw  y  S_CONNECT            S_TRUNKED
0/1/1          -         -  -                    FXSLS_ONHOOK

The following is an output example for the show policy-map interface serial 0/0/0 output command, performed using the configuration on the Branch 2 router:

Branch-2# show policy-map interface serial 0/0/0 output

Serial0/0/0

Service-policy output: LLQ

Class-map: control-traffic (match-all) 50099 packets, 11823300 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip dscp af31 Queueing Output Queue: Conversation 265 Bandwidth 5 (%) Bandwidth 77 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 863/203668 (depth/total drops/no-buffer drops) 0/0/0

Class-map: voice (match-all) 3241968 packets, 920715872 bytes 5 minute offered rate 0 bps, drop rate 0 bps


Match: ip dscp ef Queueing Strict Priority Output Queue: Conversation 264 Bandwidth 35 (%) Bandwidth 540 (kbps) Burst 13500 (Bytes) (pkts matched/bytes matched) 13/3532 (total drops/bytes drops) 0/0

Class-map: video (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip precedence 4 Queueing Output Queue: Conversation 266 Bandwidth 15 (%) Bandwidth 231 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0

Class-map: data (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: ip precedence 2 Queueing Output Queue: Conversation 267 Bandwidth 20 (%) Bandwidth 308 (kbps) Max Threshold 64 (packets) (pkts matched/bytes matched) 0/0 (depth/total drops/no-buffer drops) 0/0/0

Class-map: class-default (match-any) 75804 packets, 9111740 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match: any Queueing Flow Based Fair Queueing Maximum Number of Hashed Queues 256 (total queued/total drops/no-buffer drops) 0/0/0

The following is an output example for the show crypto engine brief command, performed using the configuration on the Branch 2 router:

Branch-2# show crypto engine brief

crypto engine name: Virtual Private Network (VPN) Module crypto engine type: hardware State: Enabled Product Name: Onboard-VPN NetGX Middleware Version: v1.2.0 NetGX Firmware Version: v2.2.0 Time running: 414404 seconds Compression: Yes DES: Yes 3 DES: Yes AES CBC: Yes (128,192,256) AES CNTR: No Maximum buffer length: 4096 Maximum DH index: 0300 Maximum SA index: 0300 Maximum Flow index: 2400 Maximum RSA key size: 2048


crypto engine name: Cisco VPN Software Implementation crypto engine type: software serial number: FFFFFFFF crypto engine state: installed crypto engine in slot: N/A

Troubleshoot

This section provides information you can use to confirm that your configuration is working properly.

See the following tech notes:

• IP Security Troubleshooting - Understanding and Using debug Commands

Troubleshooting Commands

Note Before issuing debug commands, please see Important Information on Debug Commands.

The following debug commands must be running on both IPSec routers (peers). Security associations must be cleared on both peers.

• debug crypto engine—Displays information pertaining to the crypto engine, such as when the Cisco IOS software is performing encryption or decryption operations.

• debug crypto ipsec—Displays IPSec negotiations of phase 2.

• debug crypto isakmp—Displays ISAKMP negotiations of phase 1.

• debug ip pim auto-rp—Displays the contents of each PIM packet used in the automatic discovery of group-to-rendezvous point (RP) mapping as well as the actions taken on the address-to-RP mapping database.

• clear crypto isakmp—Clears the security associations related to phase 1.

• clear crypto sa—Clears the security associations related to phase 2.

The following is an example of output for the debug crypto isakmp and debug crypto ipsec commands. Relevant display output is shown in bold text, and comments are preceded by an exclamation point and shown in italics.

router# debug crypto isakmp
router# debug crypto ipsec

Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP: Looking for a matching key for 10.32.150.46 in default : success
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 10.32.150.46
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):SKEYID state generated
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is Unity
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload


Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is DPD
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): speaking to another IOS box!
Jul 29 16:06:33.635 PDT: ISAKMP:received payload type 20
Jul 29 16:06:33.635 PDT: ISAKMP:received payload type 20
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Send initial contact
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 29 16:06:33.639 PDT: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type : 1
        address : 10.32.152.26
        protocol : 17
        port : 500
        length : 12
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Total payload length: 12
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1): sending packet to 10.32.150.46 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jul 29 16:06:33.643 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
Jul 29 16:06:33.643 PDT: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type : 1
        address : 10.32.150.46
        protocol : 17
        port : 500
        length : 12
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
! REMOTE PEER IS SHOWN TO BE AUTHENTICATED IN THE NEXT LINE.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):SA authentication status: authenticated
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):SA has been authenticated with 10.32.150.46
Jul 29 16:06:33.643 PDT: ISAKMP: Trying to insert a peer 10.32.152.26/10.32.150.46/500/, and inserted successfully.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jul 29 16:06:33.643 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 29 16:06:33.643 PDT: ISAKMP: set new node 2118711810 to QM_IDLE
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 2118711810
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = 2118711810
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):deleting node 2118711810 error FALSE reason "Informational (in) state 1"
Jul 29 16:06:33.643 PDT: IPSEC(key_engine): got a queue event with 1 kei messages
Jul 29 16:06:33.643 PDT: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
! PHASE 1 IS SHOWN TO BE COMPLETED SUCCESSFULLY IN THE NEXT LINE.
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 159862783


Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1): sending packet to 10.32.150.46 my_port 500 peer_port 500 (I) QM_IDLE
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Node 159862783, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jul 29 16:06:33.923 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) QM_IDLE
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing SA payload. message ID = 159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Jul 29 16:06:33.923 PDT: ISAKMP: transform 1, ESP_3DES
Jul 29 16:06:33.923 PDT: ISAKMP: attributes in transform:
Jul 29 16:06:33.923 PDT: ISAKMP: encaps is 1 (Tunnel)
Jul 29 16:06:33.923 PDT: ISAKMP: SA life type in seconds
Jul 29 16:06:33.923 PDT: ISAKMP: SA life duration (basic) of 3600
Jul 29 16:06:33.923 PDT: ISAKMP: SA life type in kilobytes
Jul 29 16:06:33.923 PDT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jul 29 16:06:33.923 PDT: ISAKMP: authenticator is HMAC-SHA
Jul 29 16:06:33.923 PDT: ISAKMP: group is 1

! A PROPOSAL IS FOUND THAT IS COMPATIBLE IN THE NEXT LINE.
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1):atts are acceptable.
Jul 29 16:06:33.923 PDT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.32.152.26, remote= 10.32.150.46,
    local_proxy= 10.32.152.26/255.255.255.255/47/0 (type=1),
    remote_proxy= 10.32.150.46/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
Jul 29 16:06:33.923 PDT: Crypto mapdb : proxy_match
        src addr : 10.32.152.26
        dst addr : 10.32.150.46
        protocol : 47
        src port : 0
        dst port : 0
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 159862783
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 159862783
Jul 29 16:06:33.931 PDT: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 159862783
Jul 29 16:06:33.931 PDT: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 159862783
Jul 29 16:06:33.931 PDT: ISAKMP: Locking peer struct 0x6635AA1C, IPSEC refcount 1 for for stuff_ke
Jul 29 16:06:33.931 PDT: ISAKMP:(0:2:SW:1): Creating IPSec SAs
Jul 29 16:06:33.931 PDT: inbound SA from 10.32.150.46 to 10.32.152.26 (f/i) 0/ 0 (proxy 10.32.150.46 to 10.32.152.26)
Jul 29 16:06:33.931 PDT: has spi 0x1442EBFC and conn_id 0 and flags 13
Jul 29 16:06:33.931 PDT: lifetime of 3600 seconds
Jul 29 16:06:33.931 PDT: lifetime of 4608000 kilobytes
Jul 29 16:06:33.931 PDT: has client flags 0x0
Jul 29 16:06:33.931 PDT: outbound SA from 10.32.152.26 to 10.32.150.46 (f/i) 0/0 (proxy 10.32.152.26 to 10.32.150.46)
Jul 29 16:06:33.931 PDT: has spi -2093906224 and conn_id 0 and flags 1B
Jul 29 16:06:33.931 PDT: lifetime of 3600 seconds
Jul 29 16:06:33.931 PDT: lifetime of 4608000 kilobytes
Jul 29 16:06:33.931 PDT: has client flags 0x0
Jul 29 16:06:33.931 PDT: ISAKMP:(0:2:SW:1): sending packet to 10.32.150.46 my_port 500 peer_port 500 (I) QM_IDLE
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):deleting node 159862783 error FALSE reason "No Error"


Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):Node 159862783, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
! PHASE 2 IS SHOWN TO BE COMPLETED SUCCESSFULLY IN THE NEXT LINE.
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Jul 29 16:06:33.935 PDT: IPSEC(key_engine): got a queue event with 2 kei messages
Jul 29 16:06:33.935 PDT: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 10.32.152.26, remote= 10.32.150.46,
    local_proxy= 10.32.152.26/0.0.0.0/47/0 (type=1),
    remote_proxy= 10.32.150.46/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x1442EBFC(339930108), conn_id= 0, keysize= 0, flags= 0x13
Jul 29 16:06:33.935 PDT: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 10.32.152.26, remote= 10.32.150.46,
    local_proxy= 10.32.152.26/0.0.0.0/47/0 (type=1),
    remote_proxy= 10.32.150.46/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x833186D0(2201061072), conn_id= 0, keysize= 0, flags= 0x1B
Jul 29 16:06:33.935 PDT: Crypto mapdb : proxy_match
        src addr : 10.32.152.26
        dst addr : 10.32.150.46
        protocol : 47
        src port : 0
        dst port : 0
Jul 29 16:06:33.935 PDT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 101.253.249.204
Jul 29 16:06:33.935 PDT: IPSec: Flow_switching Allocated flow for sibling 80000003
Jul 29 16:06:33.935 PDT: IPSEC(policy_db_add_ident): src 10.32.152.26, dest 10.32.150.46, dest_port 0
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.32.152.26, sa_proto= 50,
    sa_spi= 0x1442EBFC(339930108),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4002
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.32.150.46, sa_proto= 50,
    sa_spi= 0x833186D0(2201061072),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4001
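As an added example (not part of the Cisco document), the following Python script reads debug crypto isakmp and debug crypto ipsec output in the format shown above and reports the state transitions, the authenticated peer, the accepted proposal and the SAs created, or the state at which negotiation stopped. The first sample is excerpted from the capture above; the stalled sample, the function and class names, and the LEGACY policy list are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpted from the debug output above, one entry per line.
SAMPLE_OK = """\
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 29 16:06:33.639 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):SA has been authenticated with 10.32.150.46
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jul 29 16:06:33.643 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jul 29 16:06:33.651 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 29 16:06:33.923 PDT: ISAKMP: transform 1, ESP_3DES
Jul 29 16:06:33.923 PDT: ISAKMP: authenticator is HMAC-SHA
Jul 29 16:06:33.923 PDT: ISAKMP: group is 1
Jul 29 16:06:33.923 PDT: ISAKMP:(0:2:SW:1):atts are acceptable.
Jul 29 16:06:33.935 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created, (sa) sa_dest= 10.32.152.26, sa_proto= 50, sa_spi= 0x1442EBFC(339930108), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4002
Jul 29 16:06:33.935 PDT: IPSEC(create_sa): sa created, (sa) sa_dest= 10.32.150.46, sa_proto= 50, sa_spi= 0x833186D0(2201061072), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4001
"""
# Constructed: the same exchange cut off before main mode finishes.
SAMPLE_STALLED = """\
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
"""

# An entry starts with a timestamp in the form used above ("Jul 29 16:06:33.619 PDT: ").
# Splitting on the timestamp rather than on newlines also copes with captures
# in which several entries have been run together on one line.
STAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}"
ENTRY_START = re.compile(rf"(?={STAMP} [A-Z]{{3,4}}: )")
ENTRY = re.compile(rf"({STAMP}) [A-Z]{{3,4}}: (.*)", re.S)
TRANSITION = re.compile(r"Old State = (\w+) New State = (\w+)")
AUTH_PEER = re.compile(r"SA has been authenticated with (\S+)")
SA_CREATED = re.compile(
    r"sa_dest= (\S+?),.*?sa_spi= (0x[0-9A-Fa-f]+)\(\d+\), sa_trans= ([\w\- ]+?) ?,")
ATTRIBUTES = {
    "transform": re.compile(r"ISAKMP: transform \d+, (\w+)"),
    "authenticator": re.compile(r"authenticator is ([\w-]+)"),
    "dh_group": re.compile(r"ISAKMP: group is (\d+)"),
}
# Assumption of this example: a local policy list, filled only with values
# that occur in the output above (3DES and Diffie-Hellman group 1 are legacy).
LEGACY = {"transform": {"ESP_3DES"}, "dh_group": {"1"}}


@dataclass
class Report:
    transitions: list = field(default_factory=list)  # (timestamp, old, new)
    authenticated_peer: Optional[str] = None
    proposal: dict = field(default_factory=dict)     # attributes of the accepted proposal
    sas: list = field(default_factory=list)          # (sa_dest, spi, transform set)

    def reached(self, state):
        return any(new == state for _, _, new in self.transitions)

    def stalled_at(self):
        """Last state reached when phase 2 never completed, else None."""
        if self.reached("IKE_QM_PHASE2_COMPLETE"):
            return None
        return self.transitions[-1][2] if self.transitions else "NO_STATE_CHANGE"

    def legacy_parameters(self):
        return sorted(f"{k}={v}" for k, v in self.proposal.items()
                      if v in LEGACY.get(k, ()))


def split_entries(text):
    """Return (timestamp, message) pairs with whitespace collapsed."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if m:
            entries.append((m.group(1), " ".join(m.group(2).split())))
    return entries


def analyze(text):
    report, pending = Report(), {}
    for stamp, msg in split_entries(text):
        if m := TRANSITION.search(msg):
            report.transitions.append((stamp, m.group(1), m.group(2)))
        elif m := AUTH_PEER.search(msg):
            report.authenticated_peer = m.group(1)
        elif m := SA_CREATED.search(msg):
            report.sas.append(m.groups())
        elif "atts are acceptable" in msg:
            report.proposal = dict(pending)  # the proposal just checked was accepted
        else:
            for name, rx in ATTRIBUTES.items():
                if m := rx.search(msg):
                    if name == "transform":
                        pending = {}         # a new transform starts a new candidate
                    pending[name] = m.group(1)
    return report


if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_OK), ("stalled", SAMPLE_STALLED)):
        r = analyze(log)
        print(name, "stalled at:", r.stalled_at(), "peer:", r.authenticated_peer,
              "legacy:", r.legacy_parameters(), "SAs:", len(r.sas))
```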

Related Information

• Cisco IOS Quality of Service Configuration Guide, Release 12.3

• Cisco IOS Security Configuration Guide

• Cisco IOS Voice Command Reference, Release 12.3

• Cisco IOS Wide-Area Networking Configuration Guide

• Cisco Technical Assistance Center


Finding Feature Documentation

Note We recommend that you use the Cisco Router and Security Device Manager (SDM) to configure your router. To access SDM, see the quick start guide that you received with your router.

You can access Cisco IOS feature documentation in the following ways:

• Using Cisco.com Feature Resources

• Finding Documentation for a Specific Feature by Using Cisco Feature Navigator

• Finding Documentation for All Supported Features on Your Router by Using Cisco Feature Navigator

• Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release

• Finding Feature Documentation by Browsing Cisco IOS Release Notes

For a list of key supported features, see the data sheet and other product literature for your router. Additional IOS-related technical documentation can be found at this URL:

http://www.cisco.com/cisco/web/support/index.html

Using Cisco.com Feature Resources

Following are links to resources available on Cisco.com for voice, security, and dial configuration.

Voice Configuration Resources

The Cisco IOS Voice Configuration Library is available at this URL:

http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_voice_configuration_library_glossary/vcl.htm


Security Configuration Resources

The Cisco IOS Security Configuration Guide is available at this URL:

http://www.cisco.com/en/US/docs/ios/12_3/featlist/sec_vcg.html

Dial Configuration Resources

The Cisco IOS Dial Technologies Configuration Guide is available at this URL:

http://www.cisco.com/en/US/docs/ios/12_3/featlist/dial_vcg.html

Finding Documentation for a Specific Feature by Using Cisco Feature Navigator

Cisco Feature Navigator is the best tool for finding feature documentation.

Note Cisco Feature Navigator does not support all platforms and software releases, such as some older releases and some limited-lifetime releases.

Step 1 Go to Cisco Feature Navigator at http://www.cisco.com/go/fn.

You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box, and follow the instructions that appear.

Step 2 Click Search by Feature.

Step 3 Enter the feature name, and click Search.

The search results appear in the Features Available box. You may have to scroll down to see the Features Available box.

If the Features Available box displays “None Available,” then try searching for a variation of the feature name. You may have to scroll up to see the search field.

If the Features Available box displays your feature, proceed to Step 4.

Step 4 Click the feature name in the Features Available box.

Step 5 Click Show Description(s), which is just below the Features Available box.

Cisco Feature Navigator displays a short description of the feature and, when the feature is complex or involves user configuration, provides a “For More Information” link.

Step 6 Click For More Information, if it is available.

Cisco Feature Navigator displays the feature documentation, usually in the form of a feature module, which includes information on configuring, verifying, and troubleshooting the feature.


OL-5994-01


Finding Documentation for All Supported Features on Your Router by Using Cisco Feature Navigator

Cisco Feature Navigator is the best tool for finding documentation for all the features on your router.

Note Cisco Feature Navigator does not support all platforms and software releases, such as some older releases and some limited-lifetime releases.

Step 1 Go to Cisco Feature Navigator at http://www.cisco.com/go/fn.

You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box, and follow the instructions that appear.

Step 2 Click Search by Release/Image Name/Product Code/Platform.

Step 3 In the drop-down menu next to “Platform,” choose your router.

Step 4 Click Continue.

Cisco Feature Navigator displays a list of features that are supported on your router. Do one of the following, as appropriate:

• To access documentation for a specific feature on this list, proceed to Step 5.

• To display a list of features that are supported in a specific Cisco IOS release, use the “Major Release” or “Release” pull-down menu to select the Cisco IOS release.

Cisco Feature Navigator displays a list of features that are supported by the selected Cisco IOS release on your router.

To access documentation for a specific feature on this list, proceed to Step 5.

• To display a list of features that are supported in a specific feature set, use the “Feature Set” pull-down menu to select the feature set.

Cisco Feature Navigator displays a list of features that are supported on the selected feature set and Cisco IOS release on your router.

Step 5 Click the feature name.

Cisco Feature Navigator displays a short description of the feature and, when the feature involves user configuration, provides a “For More Information” link.

Step 6 Click For More Information, if it is available.

Cisco Feature Navigator displays the feature documentation, usually in the form of a feature module, which includes information on configuring, verifying, and troubleshooting the feature.


Finding Feature Documentation by Browsing Feature Modules by Cisco IOS Release

If you know the specific feature name and the Cisco IOS release in which the feature was introduced, you can browse the Cisco IOS feature modules by Cisco IOS release to find feature documentation.

Note Feature modules are not created for all features, such as uncomplicated features that do not involve any user configuration. To access all feature descriptions and configuration information, go to Cisco Feature Navigator, or read the Cisco IOS release notes in addition to browsing the Cisco IOS feature modules.

Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.

Step 2 Select the appropriate release.

Step 3 Click New Feature Documentation.

Step 4 Navigate to your Cisco IOS software release.

Step 5 Select the feature module.

Finding Feature Documentation by Browsing Cisco IOS Release Notes

If you know the specific Cisco IOS release in which the feature was introduced, you can browse the Cisco IOS release notes to find feature descriptions.

Note Cisco IOS release notes typically include descriptions only of uncomplicated features that were introduced in the software release, but that do not involve any user configuration. To access all feature descriptions and configuration information, go to Cisco Feature Navigator, or read the Cisco IOS release notes in addition to browsing the Cisco IOS feature modules.

Step 1 Go to http://www.cisco.com/univercd/cc/td/doc/product/software/index.htm.

Step 2 Select the appropriate release.

Step 3 Click Release Notes.

Step 4 Select your platform.

Step 5 Select the release notes for your Cisco IOS software release.

Step 6 Navigate to the “New and Changed Information” section. If you selected a “T” release, the section might be called “New Features and Important Notes.”


Changing the Configuration Register Settings

This document describes the 16-bit configuration register in NVRAM and includes the following sections:

• Platforms Supported by This Document

• About the Configuration Register

• Changing the Configuration Register Settings

• Displaying the Configuration Register Settings

• Configuring the Console Line Speed (Cisco IOS CLI)

Platforms Supported by This Document

Use this document with the following platforms:

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers

About the Configuration Register

The router has a 16-bit configuration register in NVRAM. Each bit has value 1 (on or set) or value 0 (off or clear), and each bit setting affects the router behavior upon the next reload or power cycle.

You can use the configuration register to:

• Force the router to boot into the ROM monitor (bootstrap program)

• Select a boot source and default boot filename

• Enable or disable the Break function

• Control broadcast addresses

• Recover a lost password

• Change the console line speed


Table 1 describes the configuration register bits.

Table 1 Configuration Register Bit Descriptions

Bit Number Hexadecimal Meaning

00–03 0x0000–0x000F Boot field. The boot field setting determines whether the router loads an operating system and where it obtains the system image.

See Table 2 for details.

06 0x0040 Causes the system software to ignore the contents of NVRAM.

07 0x0080 Original Equipment Manufacturer (OEM) bit enabled.

08 0x0100 Controls the console Break key:

• (Factory default) Setting bit 8 causes the processor to ignore the console Break key.

• Clearing bit 8 causes the processor to interpret Break as a command to force the router into the ROM monitor mode, halting normal operation.

Break can always be sent in the first 60 seconds while the router is rebooting, regardless of the configuration register settings.

09 0x0200 This bit controls the system boot:

• Setting bit 9 causes the system to use the secondary bootstrap.

• (Factory default) Clearing bit 9 causes the system to boot from flash memory.

This bit is typically not modified.

10 0x0400 Controls the host portion of the IP broadcast address:

• Setting bit 10 causes the processor to use all zeros.

• (Factory default) Clearing bit 10 causes the processor to use all ones.

Bit 10 interacts with bit 14, which controls the network and subnet portions of the IP broadcast address. See Table 3 for the combined effects of bits 10 and 14.

05, 11, 12 0x0020, 0x0800, 0x1000 Controls the console line speed. See Table 4 for the eight available bit combinations and console line speeds.

Factory default is 9600 baud, where bits 5, 11, and 12 are all zero (clear).

Note You cannot change the console line speed configuration register bits from the Cisco IOS command-line interface (CLI). You can, however, change these bits from the ROM monitor (see “Using the ROM Monitor”). Or, instead of changing the configuration register settings, you can set the console line speed through other Cisco IOS commands.

13 0x2000 Determines how the router responds to a network boot failure:

• Setting bit 13 causes the router to boot the default ROM software after 6 unsuccessful network boot attempts.

• (Factory default) Clearing bit 13 causes the router to indefinitely continue network boot attempts.


OL-5598-01


Table 1 Configuration Register Bit Descriptions (continued)

Bit Number Hexadecimal Meaning

14 0x4000 Controls the network and subnet portions of the IP broadcast address:

• Setting bit 14 causes the processor to use all zeros.

• (Factory default) Clearing bit 14 causes the processor to use all ones.

Bit 14 interacts with bit 10, which controls the host portion of the IP broadcast address. See Table 3 for the combined effect of bits 10 and 14.

15 0x8000 Enables diagnostic messages and ignores the contents of NVRAM.

Table 2 describes the boot field, which is the lowest four bits of the configuration register (bits 3, 2, 1, and 0). The boot field setting determines whether the router loads an operating system and where the router obtains the system image.

Table 3 shows how each setting combination of bits 10 and 14 affects the IP broadcast address.

Table 4 shows the console line speed for each setting combination of bits 5, 11, and 12.

Table 2 Boot Field Configuration Register Bit Descriptions

Boot Field (Bits 3, 2, 1, and 0) Meaning

0000 (0x0) At the next power cycle or reload, the router boots to the ROM monitor (bootstrap program). To use the ROM monitor, you must use a terminal or PC that is connected to the router console port. For information about connecting the router to a PC or terminal, see the hardware installation guide for your router.

In ROM monitor mode, you must manually boot the system image or any other image by using the boot ROM monitor command. See the section “Booting an Image (boot)” in “Using the ROM Monitor.”

0001 (0x01) Boots the first image in flash memory as a system image.

0010 - 1111 (0x02 - 0xF) At the next power cycle or reload, the router sequentially processes each boot system command in global configuration mode that is stored in the configuration file until the system boots successfully.

If no boot system commands are stored in the configuration file, or if executing those commands is unsuccessful, then the router attempts to boot the first image file in flash memory.

Table 3 Broadcast Address Configuration Register Bit Combinations

Bit 10 Bit 14 Broadcast Address (<net> <host>)

0 0 <ones> <ones>

1 0 <ones> <zeros>

1 1 <zeros> <zeros>

0 1 <zeros> <ones>


Table 4 Console Line Speed Configuration Register Bit Combinations

Bit 5 Bit 11 Bit 12 Console Line Speed (baud)

1 1 1 115200

1 0 1 57600

1 1 0 38400

1 0 0 19200

0 0 0 9600

0 1 0 4800

0 1 1 2400

0 0 1 1200

Changing the Configuration Register Settings

You can change the configuration register settings from either the ROM monitor or the Cisco IOS CLI. This section describes how to modify the configuration register settings from the Cisco IOS CLI. To change the configuration register from the ROM monitor, see “Using the ROM Monitor.”

To change the configuration register settings from the Cisco IOS CLI, complete the following steps:

Step 1 Connect a terminal or PC to the router console port. If you need help, see the hardware installation guide for your router.

Step 2 Configure your terminal or terminal emulation software for 9600 baud (default), 8 data bits, no parity, and 2 stop bits.

Step 3 Power on the router.

Step 4 If you are asked whether you would like to enter the initial dialog, answer no:

Would you like to enter the initial dialog? [yes]: no

After a few seconds, the user EXEC prompt (Router>) appears.

Step 5 Enter privileged EXEC mode by typing enable and, if prompted, enter your password:

Router> enable
Password: password
Router#

Step 6 Enter global configuration mode:

Router# configure terminal

Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z

Step 7 To change the configuration register settings, enter the config-register value command, where value is a hexadecimal number preceded by 0x:

Router(config)# config-register 0xvalue

Note The Cisco IOS software does not allow you to change the console speed bits directly with the config-register command. To change the console speed from the Cisco IOS CLI, see the “Configuring the Console Line Speed (Cisco IOS CLI)” section on page 5.

Step 8 Exit global configuration mode:

Router(config)# end
Router#

Step 9 Save the configuration changes to NVRAM:

Router# copy run start

The new configuration register settings are saved to NVRAM, but they do not take effect until the next router reload or power cycle.

Displaying the Configuration Register Settings

To display the configuration register settings that are currently in effect and the settings that will be used at the next router reload, enter the show version command in privileged EXEC mode.

The configuration register settings are displayed in the last line of the show version command output:

Configuration register is 0x142 (will be 0x142 at next reload)
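The bit definitions in Tables 1 through 4 can be applied to this show version line to audit which register value a router will boot with. The following Python script is an added example, not Cisco code: the function names and finding codes are assumptions, and the second sample line is constructed.

```python
import re

# Table 4: console line speed keyed by (bit 5, bit 11, bit 12).
CONSOLE_BAUD = {
    (1, 1, 1): 115200, (1, 0, 1): 57600, (1, 1, 0): 38400, (1, 0, 0): 19200,
    (0, 0, 0): 9600, (0, 1, 0): 4800, (0, 1, 1): 2400, (0, 0, 1): 1200,
}
# Table 3: broadcast address as (<net>, <host>) keyed by (bit 10, bit 14).
BROADCAST = {
    (0, 0): ("ones", "ones"), (1, 0): ("ones", "zeros"),
    (1, 1): ("zeros", "zeros"), (0, 1): ("zeros", "ones"),
}
# Last line of "show version". Treating the "(will be ...)" part as optional
# is an assumption of this example.
CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s+\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def bit(value, n):
    """Return bit n of value (bit 0 is the least significant) as 0 or 1."""
    return (value >> n) & 1


def decode(value):
    """Decode a configuration register value according to Tables 1 to 4."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is 16 bits wide")
    boot = value & 0x000F  # Table 2: boot field, bits 3 to 0
    if boot == 0x0:
        boot_action = "rom-monitor"
    elif boot == 0x1:
        boot_action = "first-image-in-flash"
    else:
        boot_action = "boot-system-commands"
    return {
        "boot_field": boot,
        "boot_action": boot_action,
        "ignore_nvram": bool(bit(value, 6)),
        "oem": bool(bit(value, 7)),
        "break_ignored": bool(bit(value, 8)),
        "secondary_bootstrap": bool(bit(value, 9)),
        "netboot_fallback_to_rom": bool(bit(value, 13)),
        "diag_ignore_nvram": bool(bit(value, 15)),
        "broadcast": BROADCAST[(bit(value, 10), bit(value, 14))],
        "console_baud": CONSOLE_BAUD[
            (bit(value, 5), bit(value, 11), bit(value, 12))
        ],
    }


def audit(show_version_text):
    """Return (current, pending, findings) from 'show version' output.

    Findings are (code, detail) tuples describing the register value that
    takes effect at the next reload.
    """
    match = CONFREG_LINE.search(show_version_text)
    if match is None:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    decode(current)  # range check only
    reg = decode(pending)
    findings = []
    if pending != current:
        findings.append(("pending-change",
                         f"{current:#06x} becomes {pending:#06x} at next reload"))
    if reg["ignore_nvram"] or reg["diag_ignore_nvram"]:
        findings.append(("ignore-nvram",
                         "bit 6 or bit 15 set: contents of NVRAM are ignored"))
    if reg["boot_action"] == "rom-monitor":
        findings.append(("rom-monitor",
                         "boot field 0: router boots to the ROM monitor"))
    if not reg["break_ignored"]:
        findings.append(("break-enabled",
                         "bit 8 clear: console Break forces ROM monitor mode"))
    if reg["console_baud"] != 9600:
        findings.append(("console-baud",
                         f"console speed bits select {reg['console_baud']} baud"))
    return current, pending, findings


if __name__ == "__main__":
    # First line is the example from this document; the second is constructed.
    samples = [
        "Configuration register is 0x142 (will be 0x142 at next reload)",
        "Configuration register is 0x2102 (will be 0x2142 at next reload)",
    ]
    for line in samples:
        cur, nxt, found = audit(line)
        print(f"{cur:#06x} -> {nxt:#06x}")
        for code, detail in found:
            print(f"  [{code}] {detail}")
```

For the sample value 0x142 shown above, the only finding is ignore-nvram, because bit 6 (0x0040) is set.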

Configuring the Console Line Speed (Cisco IOS CLI)

The combined setting of bits 5, 11, and 12 determines the console line speed. You can modify these particular configuration register bits only from the ROM monitor. See “Using the ROM Monitor.”

To configure the console line speed from the Cisco IOS command-line interface, complete the following steps:

Command or Action Purpose

Step 1 Router> enable
Password: password
Router#

Enables privileged EXEC mode. Enter your password if prompted.

Step 2 Router# configure terminal
Router(config)#

Enters global configuration mode.

Step 3 Router(config)# line console 0
Router(config-line)#

Specifies the console line and enters line configuration mode.

Step 4 Router(config-line)# speed baud

Specifies the console line speed. Possible values (in baud): 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.


Using the ROM Monitor

Many users do not use the ROM monitor at all unless, during power up or reload, the router does not find a valid system image, the last digit of the boot field in the configuration register is 0, or the Break key sequence is entered during the first 60 seconds after reloading the router.

This document describes how to use the ROM monitor to manually load a system image, to upgrade the system image when there are no TFTP servers or network connections, or to perform disaster recovery.

Contents

• Platforms Supported by This Document

• Prerequisites for Using the ROM Monitor

• Information About the ROM Monitor

• How to Use the ROM Monitor—Typical Tasks

• Additional References

Platforms Supported by This Document

This document describes use of the ROM monitor with the following platforms:

• Cisco 1841 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers

Prerequisites for Using the ROM Monitor

Connect a terminal or PC to the router console port. For help, see the quick start guide or the hardware installation guide for your router.


© 2006 Cisco Systems, Inc. All rights reserved.


Information About the ROM Monitor

Before using the ROM monitor, you should understand the following concepts:

• ROM Monitor Mode Command Prompt

• Why Is My Router in ROM Monitor Mode?

• When Would I Use the ROM Monitor?

• Tips for Using ROM Monitor Commands

• Accessibility

ROM Monitor Mode Command Prompt

The ROM monitor uses the rommon x > command prompt. The x variable begins at 1 and increments each time you press Return or Enter in ROM monitor mode.

Why Is My Router in ROM Monitor Mode?

Your router boots to ROM monitor mode when one of the following occurs:

• During power up or reload, the router does not find a valid system image.

• The last digit of the boot field in the configuration register is 0 (for example, 0x100 or 0x0).

• You enter the Break key sequence during the first 60 seconds after reloading the router.

To exit ROM monitor mode, see the “Exiting ROM Monitor Mode” section on page 29.

When Would I Use the ROM Monitor?

Many users do not use the ROM monitor at all, except in the following uncommon situations:

• Manually loading a system image—You can load a system image without configuring the router to attempt to load that image in future system reloads or power-cycles. This can be useful for testing a new system image or for troubleshooting. See the “Loading a System Image (boot)” section on page 10.

• Upgrading the system image when there are no TFTP servers or network connections, and a direct PC connection to the router console is the only viable option—See information about upgrading the system image in configuration documentation for your router.

• During troubleshooting if the router crashes and hangs—See the “Troubleshooting Crashes and Hangs (stack, context, frame, sysret, meminfo)” section on page 24.

• Disaster recovery—Use one of the following methods for recovering the system image or configuration file:

– Console download (xmodem)—Use this method if the computer that is attached to your console has a terminal emulator that supports the Xmodem Protocol. See the “Downloading Files over the Router Console Port (xmodem)” section on page 15.

For more information about using the Xmodem protocol, see the Xmodem Console Download Procedure Using ROMmon at the following URL:

http://www.cisco.com/warp/public/130/xmodem_generic.html


OL-5997-02


– TFTP download (tftpdnld)—Use this method if you can connect a TFTP server directly to the fixed LAN port on your router. See the “Recovering the System Image (tftpdnld)” section on page 20.

Note Recovering the system image is different from upgrading the system image. You need to recover the system image if it becomes corrupt or if it is deleted because of a disaster that affects the memory device severely enough to require deleting all data on the memory device in order to load a system image.

Tips for Using ROM Monitor Commands

• ROM monitor commands are case sensitive.

• You can halt any ROM monitor command by entering the Break key sequence (Ctrl-Break) on the PC or terminal. The Break key sequence varies, depending on the software on your PC or terminal. If Ctrl-Break does not work, see the Standard Break Key Sequence Combinations During Password Recovery tech note.

• To find out which commands are available on your router and to display command syntax options, see the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.

Accessibility

This product can be configured using the Cisco command-line interface (CLI). The CLI conforms to accessibility code 508 because it is text based and because it relies on a keyboard for navigation. All functions of the router can be configured and monitored through the CLI.

For a complete list of guidelines and Cisco products adherence to accessibility, see Cisco Accessibility Products at the following URL:

http://www.cisco.com/web/about/responsibility/accessibility/products

How to Use the ROM Monitor—Typical Tasks

This section provides the following procedures:

• Entering ROM Monitor Mode

• Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)

• Displaying Files in a File System (dir)

• Loading a System Image (boot)

• Downloading Files over the Router Console Port (xmodem)

• Modifying the Configuration Register (confreg)

• Obtaining Information on USB Flash Devices

• Modifying the I/O Memory (iomemset)

• Recovering the System Image (tftpdnld)

• Troubleshooting Crashes and Hangs (stack, context, frame, sysret, meminfo)


• Exiting ROM Monitor Mode

Note This section does not describe how to perform all possible ROM monitor tasks. Use the command help to perform any tasks that are not described in this document. See the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.


Entering ROM Monitor Mode

This section provides two ways to enter ROM monitor mode:

• Using the Break Key Sequence to Interrupt the System Reload and Enter ROM Monitor Mode

• Setting the Configuration Register to Boot to ROM Monitor Mode

Prerequisites

Connect a terminal or PC to the router console port. For help, see the quick start guide that shipped with your router or see the hardware installation guide for your router.

Using the Break Key Sequence to Interrupt the System Reload and Enter ROM Monitor Mode

This section describes how to enter ROM monitor mode by reloading the router and entering the Break key sequence.

SUMMARY STEPS

1. enable

2. reload

3. Press Ctrl-Break.

DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2
Command or Action: reload
Example: Router# reload
Purpose: Reloads the operating system.

Step 3
Command or Action: Press Ctrl-Break.
Example: Router# send break
Purpose: Interrupts the router reload and enters ROM monitor mode.
• You must perform this step within 60 seconds after you enter the reload command.
• The Break key sequence varies, depending on the software on your PC or terminal. If Ctrl-Break does not work, see the Standard Break Key Sequence Combinations During Password Recovery tech note.


Examples

This section provides the following example:

Sample Output for the reload Command

Use break key sequence to enter rom monitor

Router# reload
Proceed with reload? [confirm]
*Sep 23 15:54:25.871: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
telnet> send break
*** System received an abort due to Break Key ***
signal= 0x3, code= 0x0, context= 0x431aaf40
PC = 0x4008b5dc, Cause = 0x20, Status Reg = 0x3400c102
rommon 1 >

Troubleshooting Tips

The Break key sequence varies, depending on the software on your PC or terminal. See the Standard Break Key Sequence Combinations During Password Recovery tech note.

What to Do Next

• Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.

• If you use the Break key sequence to enter ROM monitor mode when the router would otherwise have booted the system image, you can exit ROM monitor mode by doing one of the following:

– Enter the i or reset command, which restarts the booting process and loads the system image.

– Enter the cont command, which continues the booting process and loads the system image.

Setting the Configuration Register to Boot to ROM Monitor Mode

This section describes how to enter ROM monitor mode by setting the configuration register to boot to ROM monitor mode at the next system reload or power-cycle.

Caution Do not set the configuration register by using the config-register 0x0 command after you have set the baud rate. To set the configuration register without affecting the baud rate, use the current configuration register setting: enter the show ver | inc configuration command, and then replace the last (rightmost) number with a 0 in the configuration register command.


SUMMARY STEPS

1. enable

2. configure terminal

3. config-register 0x0

4. exit

5. write memory

6. reload

DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: config-register 0x0
Example: Router(config)# config-register 0x0
Purpose: Changes the configuration register settings.
• The 0x0 setting forces the router to boot to the ROM monitor at the next system reload.

Step 4
Command or Action: exit
Example: Router(config)# exit
Purpose: Exits global configuration mode.

Step 5
Command or Action: write memory
Example: Router# write memory
Purpose: Sets to boot the system image from flash memory.

Step 6
Command or Action: reload
Example: Router# reload
<output deleted>
rommon 1>
Purpose: Reloads the operating system.
• Because of the 0x0 configuration register setting, the router boots to ROM monitor mode.


Examples

The following example shows how to set the configuration register to boot to ROM monitor mode:

Router>
Router> enable
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# config-register 0x0
Router(config)# exit
Router#
*Sep 23 16:01:24.351: %SYS-5-CONFIG_I: Configured from console by console
Router# write memory
Building configuration...
[OK]
Router# reload
Proceed with reload? [confirm]
*Sep 23 16:01:41.571: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC.
Router platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Readonly ROMMON initialized
rommon 1 >

What to Do Next

Proceed to the “Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)” section on page 8.

Displaying Commands and Command Syntax in ROM Monitor Mode (?, help, -?)

This section describes how to display ROM monitor commands and command syntax options.

SUMMARY STEPS

1. ? or help

2. command -?


DETAILED STEPS

Step 1
Command or Action: ? or help
Example: rommon 1 > ?
Example: rommon 1 > help
Purpose: Displays a summary of all available ROM monitor commands.

Step 2
Command or Action: command -?
Example: rommon 16 > display -?
Purpose: Displays syntax information for a ROM monitor command.

Examples

This section provides the following examples:

• Sample Output for the ? or help ROM Monitor Command

• Sample Output for the xmodem -? ROM Monitor Command

Sample Output for the ? or help ROM Monitor Command

rommon 1 > ?
alias               set and display aliases command
boot                boot up an external process
break               set/show/clear the breakpoint
confreg             configuration register utility
cont                continue executing a downloaded image
context             display the context of a loaded image
cookie              display contents of cookie PROM in hex
dev                 list the device table
dir                 list files in file system
dis                 display instruction stream
dnld                serial download a program module
frame               print out a selected stack frame
help                monitor builtin command help
history             monitor command history
iomemset            set IO memory percent
meminfo             main memory information
repeat              repeat a monitor command
reset               system reset
rommon-pref         select ROMMON
set                 display the monitor variables
showmon             display currently selected ROM monitor
stack               produce a stack trace
sync                write monitor environment to NVRAM
sysret              print out info from last system return
tftpdnld            tftp image download
unalias             unset an alias
unset               unset a monitor variable
xmodem              x/ymodem image download

Sample Output for the xmodem -? ROM Monitor Command

rommon 11 > xmodem -?
xmodem: illegal option -- ?
usage: xmodem [-cyrx] destination filename
-c  CRC-16
-y  ymodem-batch protocol
-r  copy image to dram for launch
-x  do not launch on download completion

For more information about using Xmodem, see the Xmodem Console Download Procedure Using ROMmon at the following URL:

http://www.cisco.com/warp/public/130/xmodem_generic.html

Displaying Files in a File System (dir)

To display a list of the files and directories in the file system, use the dir command, as shown in the following example:

rommon 4 > dir flash:
program load complete, entry point: 0x8000f000, size: 0xcb80
Directory of flash:
3934     14871760  -rw-     c2800nm-ipbase-mz.124-3
7211     1447053   -rw-     C2800NM_RM2.srec
rommon 5 > dir usbflash1:
program load complete, entry point: 0x8000f000, size: 0x3d240
Directory of usbflash1:
2        14871760  -rw-     c2800nm-ipbase-mz.124-3

Loading a System Image (boot)

This section describes how to load a system image by using the boot ROM monitor command.

Prerequisites

Determine the filename and location of the system image that you want to load.

SUMMARY STEPS

1. boot or boot flash:[filename] or boot filename tftpserver or boot [filename]

or

boot usbflash<x>:[filename]


DETAILED STEPS

Step 1
Command or Action: boot
or
boot flash:[filename]
or
boot filename tftpserver
or
boot [filename]
or
boot usbflash[x]:[filename]
Example: ROMMON > boot
Example: ROMMON > boot flash:
Example: ROMMON > boot someimage 172.16.30.40
Example: ROMMON > boot someimage
Example: ROMMON > boot usbflash0:someimage
Purpose: In order, the examples here direct the router to:
• Boot the first image in flash memory.
• Boot the first image or a specified image in flash memory.
• Boot the specified image over the network from the specified TFTP server (hostname or IP address).
• Boot from the boothelper image because it does not recognize the device ID. This form of the command is used to boot a specified image from a network (TFTP) server.
• Boot the image stored on the USB flash device.

Note Platforms can boot from USB in ROM monitor with or without a compact flash device. It is not necessary to use a bootloader image from the compact flash device. Partitions, such as usbflash0:2:image_name, are not supported on USB flash drives. The boot usbflash<x>: command will boot the first file on the device, if it is a valid image.

You can override the default boothelper image setting by setting the BOOTLDR Monitor environment variable to point to another image. Any system image can be used for this purpose.

• Options for the boot command are -x (load image but do not execute) and -v (verbose).

Examples

The following example shows how to load boot flash memory and USB boot flash memory:

rommon 7 > boot flash:[filename]
program load complete, entry point: 0x8000f000, size: 0xcb80

program load complete, entry point: 0x8000f000, size: 0xe2eb30
Self decompressing the image : ######################################################################################################################################################### [OK]

Smart Init is enabled
Smart init is sizing iomem
  ID            MEMORY_REQ      TYPE
0003E9          0X003DA000      Router Mainboard
                0X0014B430      DSP SIMM
                0X000021B8      Onboard USB
                0X002C29F0      public buffer pools
                0X00211000      public particle pools
TOTAL:          0X009FAFD8

If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 10Mb.
Using 3 percent iomem. [10Mb/256Mb]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
Image text-base: 0x40098478, data-base: 0x41520000

Port Statistics for unclassified packets is not turned on.
Cisco Router (revision 48.46) with 251904K/10240K bytes of memory.
Processor board ID
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
2 Channelized T1/PRI ports
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
253160K bytes of USB Flash usbflash1 (Read/Write)
127104K bytes of ATA CompactFlash (Read/Write)

Press RETURN to get started!

*Sep 23 16:11:42.603: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has been inserted in port 1.
*Sep 23 16:11:43.011: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 23 16:11:43.383: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Sep 23 16:11:43.943: %LINK-3-UPDOWN: Interface Serial0/3/0, changed state to down
*Sep 23 16:11:43.947: %LINK-3-UPDOWN: Interface Serial0/3/1, changed state to down
*Sep 23 16:11:43.955: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
*Sep 23 16:11:44.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Sep 23 16:11:44.383: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Sep 23 16:11:44.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to down
*Sep 23 16:11:44.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/1, changed state to down
*Sep 23 16:11:46.115: %SYS-5-CONFIG_I: Configured from memory by console
*Sep 23 16:11:46.327: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
*Sep 23 16:11:46.331: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Sep 23 16:11:46.539: %SYS-6-BOOTTIME: Time taken to reboot after reload = 605 seconds
*Sep 23 16:11:46.735: %CONTROLLER-5-UPDOWN: Controller T1 0/2/0, changed state to down (LOS detected)
*Sep 23 16:11:46.735: %CONTROLLER-5-UPDOWN: Controller T1 0/2/1, changed state to down (LOS detected)
*Sep 23 16:11:48.055: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
*Sep 23 16:11:48.067: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to administratively down
*Sep 23 16:11:48.079: %LINK-5-CHANGED: Interface Serial0/3/1, changed state to administratively down
Router>

rommon 1 > boot usbflash1:image
program load complete, entry point: 0x8000f000, size: 0x3d240

program load complete, entry point: 0x8000f000, size: 0xe2eb30
Self decompressing the image : ######################################################################################################################################################### [OK]

Smart Init is enabled
Smart init is sizing iomem
  ID            MEMORY_REQ      TYPE
0003E9          0X003DA000      Router Mainboard
                0X0014B430      DSP SIMM
                0X000021B8      Onboard USB
                0X002C29F0      public buffer pools
                0X00211000      public particle pools
TOTAL:          0X009FAFD8

If any of the above Memory Requirements are "UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 10Mb.
Using 3 percent iomem. [10Mb/256Mb]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
Image text-base: 0x40098478, data-base: 0x41520000

Port Statistics for unclassified packets is not turned on.
Cisco Router (revision 48.46) with 251904K/10240K bytes of memory.
Processor board ID
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
2 Channelized T1/PRI ports
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
253160K bytes of USB Flash usbflash1 (Read/Write)
127104K bytes of ATA CompactFlash (Read/Write)

Press RETURN to get started!

*Sep 23 16:19:56.611: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has been inserted in port 1.
*Sep 23 16:19:57.015: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Sep 23 16:19:57.391: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Sep 23 16:19:57.951: %LINK-3-UPDOWN: Interface Serial0/3/0, changed state to down
*Sep 23 16:19:57.955: %LINK-3-UPDOWN: Interface Serial0/3/1, changed state to down
*Sep 23 16:19:57.963: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
*Sep 23 16:19:58.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Sep 23 16:19:58.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Sep 23 16:19:58.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to down
*Sep 23 16:19:58.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/1, changed state to down
*Sep 23 16:20:00.139: %SYS-5-CONFIG_I: Configured from memory by console
*Sep 23 16:20:00.351: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 11:37 by hqluong
*Sep 23 16:20:00.355: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Sep 23 16:20:00.567: %SYS-6-BOOTTIME: Time taken to reboot after reload = 87 seconds
*Sep 23 16:20:00.763: %CONTROLLER-5-UPDOWN: Controller T1 0/2/0, changed state to down (LOS detected)
*Sep 23 16:20:00.763: %CONTROLLER-5-UPDOWN: Controller T1 0/2/1, changed state to down (LOS detected)
*Sep 23 16:20:02.083: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
*Sep 23 16:20:02.091: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to administratively down
*Sep 23 16:20:02.103: %LINK-5-CHANGED: Interface Serial0/3/1, changed state to administratively down
Router>

What to Do Next

If you want to configure the router to load a specified image at the next system reload or power-cycle, see the following documents:

• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference

• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide


Downloading Files over the Router Console Port (xmodem)

This section describes how to download a file over the router console port by using the Xmodem Protocol. Use the console download function when you do not have access to a TFTP server but need to download a system image or configuration file to the router. This procedure can also be used when there are no TFTP servers or network connections, and a direct PC connection to the router console is the only viable option.

For more information about using Xmodem, see the Xmodem Console Download Procedure Using ROMmon at the following URL:

http://www.cisco.com/warp/public/130/xmodem_generic.html

Prerequisites

• Download the file to your PC. Go to the Software Center at the following URL: http://www.cisco.com/kobayashi/sw-center/index.shtml.

• Connect your PC to the router console port and launch a terminal emulator program. To see examples for how to perform this task for similar routers, see the Xmodem Console Download Procedure Using ROMmon tech note.

Restrictions

• If you use a PC to download a file over the router console port at 115,200 bps, make sure that the PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).

• If the PC serial port does not use a 16550 UART, we recommend using a speed equal to or lower than 38,400 bps for downloading a file over the console port.

• Transfer using the xmodem command works only on the console port.

• You can only download files to the router. You cannot use the xmodem command to retrieve files from the router.

• Because the ROM monitor console download uses the console to perform the data transfer, error messages are displayed on the console only after the data transfer is terminated. If an error occurs during console download, the download is terminated, and an error message is displayed. If you changed the baud rate from the default rate, the error message is followed by a message that tells you to restore the terminal to the baud rate that is specified in the configuration register.

SUMMARY STEPS

1. xmodem [-[c][y][r][x]] destination-file-name

DETAILED STEPS

Step 1 xmodem [-[c][y][r][x]] destination-file-name

Use this command to download a file over the console port using the ROM monitor. For example:

rommon > xmodem -c c2801-is-mz.122-10a.bin

See Table 1 for xmodem command syntax descriptions.
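
The difference the -c option in Table 1 makes, as an added example that is not part of the Cisco documentation: it frames one 128-byte block both ways and shows a byte transposition that the 8-bit check accepts and the CRC-16 rejects. It assumes the default 8-bit check is the classic Xmodem arithmetic checksum and that -c selects CRC-16 with polynomial 0x1021; the function names and the sample block are constructed for illustration.

```python
SOH = 0x01          # start of a 128-byte Xmodem packet
PAD = 0x1A          # filler byte for a short final block
BLOCK_SIZE = 128    # Xmodem transfer block size given in Table 1


def checksum8(block):
    """Classic Xmodem check: sum of the data bytes modulo 256."""
    return sum(block) & 0xFF


def crc16_xmodem(block):
    """CRC-16 for Xmodem-CRC: polynomial 0x1021, initial value 0."""
    crc = 0
    for byte in block:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_packet(seq, data, use_crc):
    """Frame one block: SOH, block number, its complement, data, check."""
    if len(data) > BLOCK_SIZE:
        raise ValueError("block larger than 128 bytes")
    payload = bytes(data) + bytes([PAD]) * (BLOCK_SIZE - len(data))
    header = bytes([SOH, seq & 0xFF, 0xFF - (seq & 0xFF)])
    if use_crc:
        check = crc16_xmodem(payload).to_bytes(2, "big")
    else:
        check = bytes([checksum8(payload)])
    return header + payload + check


def accept_packet(packet, use_crc):
    """Receiver-side validation: True if the packet would be accepted."""
    check_len = 2 if use_crc else 1
    if len(packet) != 3 + BLOCK_SIZE + check_len or packet[0] != SOH:
        return False
    if packet[1] + packet[2] != 0xFF:
        return False
    payload = packet[3:3 + BLOCK_SIZE]
    check = packet[3 + BLOCK_SIZE:]
    if use_crc:
        return crc16_xmodem(payload) == int.from_bytes(check, "big")
    return checksum8(payload) == check[0]


def swap_bytes(packet, i, j):
    """Simulate line damage: two payload bytes arrive in the wrong order."""
    damaged = bytearray(packet)
    damaged[3 + i], damaged[3 + j] = damaged[3 + j], damaged[3 + i]
    return bytes(damaged)


# Constructed sample block, not taken from a real image.
SAMPLE = bytes(range(64, 128))


def demo():
    """Return {mode: (clean packet accepted, damaged packet accepted)}."""
    results = {}
    for mode, use_crc in (("checksum", False), ("crc16", True)):
        good = build_packet(1, SAMPLE, use_crc)
        damaged = swap_bytes(good, 0, 1)
        results[mode] = (accept_packet(good, use_crc),
                         accept_packet(damaged, use_crc))
    return results


if __name__ == "__main__":
    for mode, (clean_ok, damaged_ok) in demo().items():
        print(f"{mode}: clean accepted={clean_ok}, damaged accepted={damaged_ok}")
```

Neither value is keyed, so both detect only accidental corruption on the serial line, not a deliberately modified file.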


What to Do Next

If you want to configure the router to load a specified image at the next system reload or power-cycle, see the following documents:

• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference

• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

Modifying the Configuration Register (confreg)

This section describes how to modify the configuration register by using the confreg ROM monitor command. You can also modify the configuration register setting from the Cisco IOS command-line interface (CLI) by using the config-register command in global configuration mode. For more information on the config-register command in global configuration mode and on using the confreg command in ROM monitor mode, see the Cisco IOS Configuration Fundamentals Command Reference.

Caution Do not set the configuration register by using the config-register 0x0 command after setting the baud rate. To set the configuration register without affecting the baud rate, use the current configuration register setting: enter the show ver | inc configuration command, and then replace the last (rightmost) number with a 0 in the configuration register command.

Table 1 xmodem Command Syntax Descriptions

Keyword or Argument Description

-c (Optional) Performs the download using 16-bit cyclic redundancy check (CRC) error checking to validate packets. The default setting is 8-bit CRC.

-y (Optional) Performs the download using Ymodem protocol. The default setting is Xmodem protocol. The protocols differ as follows:

• The Xmodem protocol supports a 128-block transfer size, whereas the Ymodem protocol supports a 1024-block transfer size.

• The Ymodem protocol uses 16-bit CRC error checking to validate each packet. Depending on the device that the software is being downloaded from, the Xmodem protocol might not support this function.

-r (Optional) Image is loaded into DRAM for execution. The default setting is to load the image into flash memory.

-x (Optional) Image is loaded into DRAM without being executed.

destination-file-name The name of the system image file or the system configuration file. For the router to recognize it, the name of the configuration file must be router_confg.


Prerequisites

To learn about the configuration register and the function of each of the 16 bits, see the Changing the Configuration Register Settings document.

Restrictions

The modified configuration register value is automatically written into NVRAM, but the new value does not take effect until you reset or power-cycle the router.

SUMMARY STEPS

1. confreg [value]

DETAILED STEPS

Step 1
Command or Action: confreg [value]
Example: rommon > confreg 0x2102
Purpose: Changes the configuration register settings while in ROM monitor mode.
• Optionally, enter the new hexadecimal value for the configuration register. The value range is from 0x0 to 0xFFFF.
• If you do not enter the value, the router prompts for each bit of the 16-bit configuration register.

Examples

In the following example, the configuration register is set to boot the system image from flash memory:

rommon 3 > confreg 0x2102

In the following example, no value is entered; therefore, the system prompts for each bit in the register:

rommon 7 > confreg

Configuration Summary
enabled are:
console baud: 9600
boot: the ROM Monitor
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]: y
enable "use net in IP bcast address"? y/n [n]: y
enable "load rom after netboot fails"? y/n [n]: y
enable "use all zero broadcast"? y/n [n]: y
enable "break/abort has effect"? y/n [n]: y
enable "ignore system config info"? y/n [n]: y
change console baud rate? y/n [n]: y
enter rate: 0 = 9600, 1 = 4800, 2 = 1200, 3 = 2400 [0]: 0
change the boot characteristics? y/n [n]: y
enter to boot:
0 = ROM Monitor
1 = the boot helper image
2-15 = boot system
[0]: 0

Configuration Summary
enabled are:
diagnostic mode
console baud: 9600
boot: the ROM Monitor
rommon 8>
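
One way to review a configuration register value before or after using confreg, as an added example (not Cisco code): it parses the register line from show version output, names the boot field setting listed in the confreg prompt above, and derives the boot-to-ROM-monitor value that leaves the console speed bits alone, as the Caution describes. The bit 6 and bit 8 masks are the usual IOS assignments and are assumed to hold for this platform; the sample line and function names are constructed.

```python
import re

# The boot-field values (0, 1, 2-15) are the ones the confreg prompt on this
# page lists. The bit 6 and bit 8 positions are the usual IOS configuration
# register assignments, assumed here to apply to this platform.
BOOT_FIELD = 0x000F      # bits 0-3: what to boot
IGNORE_CONFIG = 0x0040   # bit 6: "ignore system config info"
BREAK_DISABLED = 0x0100  # bit 8: when clear, "break/abort has effect"

# Register line of "show version", with the optional pending value.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def boot_target(value):
    """Name the boot behaviour selected by the boot field."""
    field = value & BOOT_FIELD
    if field == 0:
        return "ROM monitor"
    if field == 1:
        return "boot helper image"
    return "system image"


def rommon_value(current):
    """Value that boots to the ROM monitor without touching other bits.

    This is the Caution's "replace the last (rightmost) number with a 0":
    only the boot field is cleared, so the console speed bits survive.
    """
    return current & ~BOOT_FIELD & 0xFFFF


def parse_show_version(text):
    """Return (running, pending) register values; pending may be None."""
    match = CONFREG_RE.search(text)
    if match is None:
        raise ValueError("no configuration register line found")
    running = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else None
    return running, pending


def audit(text):
    """List register settings an operator should be able to explain."""
    running, pending = parse_show_version(text)
    findings = []
    for label, value in (("running", running), ("next reload", pending)):
        if value is None:
            continue
        tag = f"{label} 0x{value:04x}"
        if boot_target(value) == "ROM monitor":
            findings.append(f"{tag}: boots to the ROM monitor")
        if value & IGNORE_CONFIG:
            findings.append(f"{tag}: startup configuration is ignored")
        if not value & BREAK_DISABLED:
            findings.append(f"{tag}: Break halts the running system")
    return findings


# Constructed sample: the register line as "show version" prints it.
SAMPLE = "Configuration register is 0x2102 (will be 0x2142 at next reload)"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("boot to ROM monitor, keep other bits:", hex(rommon_value(0x2102)))
```

A pending value that differs from the running one, as in the sample, is worth tracing to a change record before the next reload.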

Obtaining Information on USB Flash Devices

This section describes how to obtain information on USB devices that are installed in the router. For instructions on booting from a USB flash device, see the “Loading a System Image (boot)” section on page 10.

SUMMARY STEPS

1. dir usbflash [x]:

2. dev

DETAILED STEPS

Step 1
Command or Action: dir usbflash [x]:
Example: rommon > dir usbflash1:
Purpose: Displays the contents of the USB flash device, including directories, files, permissions, and sizes.
• 0—USB flash device inserted in port 0
• 1—USB flash device inserted in port 1

Step 2
Command or Action: dev
Example: ROMMON > dev
Purpose: Shows the targeted USB flash devices that are inserted in the router and the valid device names that may or may not be currently inserted.

Examples

Sample Output for the dir usbFlash Command

rommon > dir usbflash0:
Directory of usbflash0:
2        18978364  -rw-     c3845-entbasek9-mz.124-0.5

Sample Output for the dev ROM Monitor Command

rommon 2 > dev
Devices in device table:
id           name
flash:       compact flash
bootflash:   boot flash
usbflash0:   usbflash0
usbflash1:   usbflash1
eprom:       eprom

Modifying the I/O Memory (iomemset)

This section describes how to modify the I/O memory by using the memory-size iomemset command.

Note Use the iomemset command only if it is needed for temporarily setting the I/O memory from ROM monitor mode. Using this command improperly can adversely affect the functioning of the router. The Cisco IOS software can override the I/O memory percentage if the memory-size iomem command is set in the NVRAM configuration. If the Cisco IOS command is present in the NVRAM configuration, the I/O memory percentage set in the ROM monitor with the iomemset command is used only the first time the router is booted up. Subsequent reloads use the I/O memory percentage set by using the memory-size iomem command that is saved in the NVRAM configuration. If you need to set the router I/O memory permanently by using a manual method, use the memory-size iomem Cisco IOS command. If you set the I/O memory from the Cisco IOS software, you must restart the router for I/O memory to be set properly.

SUMMARY STEPS

1. iomemset i/o-memory percentage

DETAILED STEPS

Step 1
Command or Action: iomemset i/o-memory percentage
Example: rommon> iomemset 15
Purpose:
• Reallocates the percentage of DRAM used for I/O memory and processor memory.

Examples

In the following example, the percentage of DRAM used for I/O memory is set to 15:

rommon 2 > iomemset
usage: iomemset [smartinit | 5 | 10 | 15 | 20 | 25 | 30 | 40 | 50 ]
rommon 3 >
rommon 3 > iomemset 15
Invoking this command will change the io memory percent
*****WARNING:IOS may not keep this value*****
Do you wish to continue? y/n: [n]: y

rommon 4 > meminfo
-------------------------------------------------
Current Memory configuration is:
Onboard SDRAM: Size = 128 MB : Start Addr = 0x10000000
-----Bank 0 128 MB
-----Bank 1 0 MB
Dimm 0: Size = 256 MB : Start Addr = 0x00000000
-----Bank 0 128 MB
-----Bank 1 128 MB
-------------------------------------------------
Main memory size: 384 MB in 64 bit mode.
Available main memory starts at 0xa0015000, size 393132KB
IO (packet) memory size: 10 percent of main memory.
NVRAM size: 191KB

Recovering the System Image (tftpdnld)

This section describes how to download a Cisco IOS software image from a remote TFTP server to the router flash memory by using the tftpdnld command in ROM monitor mode.

Caution Use the tftpdnld command only for disaster recovery because it can erase all existing data in flash memory before it downloads a new software image to the router.

Before you can enter the tftpdnld command, you must set the ROM monitor environment variables.

Prerequisites

Connect the TFTP server to a fixed network port on your router.

Restrictions

• LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore, only a fixed port on your router can be used for TFTP download. This can be a fixed Ethernet port on the router, that is, either of the two Gigabit Ethernet ports on Cisco routers with those ports.

• You can only download files to the router. You cannot use the tftpdnld command to retrieve files from the router.

SUMMARY STEPS

1. IP_ADDRESS=ip_address

2. IP_SUBNET_MASK=ip_address

3. DEFAULT_GATEWAY=ip_address

4. TFTP_SERVER=ip_address

5. TFTP_FILE=[directory-path/]filename

6. FE_PORT=[0 | 1]

7. FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]

8. GE_PORT=[0 | 1]

9. GE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]

10. MEDIA_TYPE=[0 | 1]

11. TFTP_CHECKSUM=[0 | 1]

12. TFTP_DESTINATION=[flash: | usbflash0: | usbflash1:]


13. TFTP_MACADDR=MAC_address

14. TFTP_RETRY_COUNT=retry_times

15. TFTP_TIMEOUT=time

16. TFTP_VERBOSE=setting

17. set

18. tftpdnld [-hr]

19. y

DETAILED STEPS

Command or Action Purpose

Step 1 IP_ADDRESS=ip_address
Example: rommon > IP_ADDRESS=172.16.23.32
Sets the IP address of the router.

Step 2 IP_SUBNET_MASK=ip_address
Example: rommon > IP_SUBNET_MASK=255.255.255.224
Sets the subnet mask of the router.

Step 3 DEFAULT_GATEWAY=ip_address
Example: rommon > DEFAULT_GATEWAY=172.16.23.40
Sets the default gateway of the router.

Step 4 TFTP_SERVER=ip_address
Example: rommon > TFTP_SERVER=172.16.23.33
Sets the TFTP server from which the software will be downloaded.

Step 5 TFTP_FILE=[directory-path/]filename
Example: rommon > TFTP_FILE=archive/rel22/c2801-i-mz
Sets the name and location of the file that will be downloaded to the router.

Step 6 FE_PORT=[0 | 1]
Example: rommon > FE_PORT=0
(Optional) Sets the input port to use one of the Fast Ethernet ports.

Step 7 FE_SPEED_MODE=[0 | 1 | 2 | 3 | 4]
Example: rommon > FE_SPEED_MODE=3
(Optional) Sets the Fast Ethernet port speed mode, with these options:
• 0—10 Mbps, half-duplex
• 1—10 Mbps, full-duplex
• 2—100 Mbps, half-duplex
• 3—100 Mbps, full-duplex
• 4—Automatic selection (default)


Step 8 GE_PORT=[0 | 1]
Example: rommon > GE_PORT=0
(Optional) Sets the input port to use one of the Gigabit Ethernet ports (not available on Cisco 1800 series routers, Cisco 2801 routers, or Cisco 2811 routers).

Step 9 GE_SPEED_MODE=[0 | 1 | 2 | 3 | 4 | 5]
Example: rommon > GE_SPEED_MODE=3
(Optional) Sets the Gigabit Ethernet port speed mode, with these options:
• 0—10 Mbps, half-duplex
• 1—10 Mbps, full-duplex
• 2—100 Mbps, half-duplex
• 3—100 Mbps, full-duplex
• 4—1 Gbps, full-duplex
• 5—Automatic selection (default)
(This option is not available on Cisco 1800 series routers, Cisco 2801 routers, or Cisco 2811 routers.)

Step 10 MEDIA_TYPE=[0 | 1]
Example: rommon > MEDIA_TYPE=1
(Optional) Sets the Gigabit Ethernet connection media type, RJ-45 (0) or SFP (1). Small form-factor pluggable (SFP) mode is applicable only if GE_PORT=0 (gig 0/0); RJ-45 mode is available on both gig 0/0 and gig 0/1 (GE_PORT = 0 or 1). (This option is not available on Cisco 1800 series routers, Cisco 2801 routers, or Cisco 2811 routers.)

Step 11 TFTP_CHECKSUM=[0 | 1]
Example: rommon > TFTP_CHECKSUM=0
(Optional) Determines whether the router performs a checksum test on the downloaded image.
• 1—Checksum test is performed (default).
• 0—No checksum test is performed.

Step 12 TFTP_DESTINATION=[flash: | usbflash0: | usbflash1:]
Example: rommon > TFTP_DESTINATION=usbflash0:
(Optional) Designates the targeted flash device as compact flash or USB flash.
• flash:—Compact flash device (default).
• usbflash0:—USB flash device inserted in port 0
• usbflash1:—USB flash device inserted in port 1

Step 13 TFTP_MACADDR=MAC_address
Example: rommon > TFTP_MACADDR=000e.8335.f360
(Optional) Sets the Media Access Controller (MAC) address for this router.

Step 14 TFTP_RETRY_COUNT=retry_times
Example: rommon > TFTP_RETRY_COUNT=10
(Optional) Sets the number of times that the router attempts Address Resolution Protocol (ARP) and TFTP download. The default is 7.

Step 15 TFTP_TIMEOUT=time
Example: TFTP_TIMEOUT=1800
(Optional) Sets the amount of time, in seconds, before the download process times out. The default is 2400 seconds (40 minutes).


Step 16 TFTP_VERBOSE=setting
Example: rommon > TFTP_VERBOSE=2
(Optional) Configures how the router displays file download progress, with these options:
• 0—No progress is displayed.
• 1—Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.
• 2—Detailed progress is displayed during the file download process; for example:

Initializing interface.
Interface link state up.
ARPing for 1.4.0.1
ARP reply for 1.4.0.1 received. MAC address 00:00:0c:07:ac:01

Step 17 set
Example: rommon > set
Displays the ROM monitor environment variables. Verify that you correctly configured the ROM monitor environment variables.

Step 18 tftpdnld [-h] [-r]
Example: rommon > tftpdnld
Downloads the system image specified by the ROM monitor environment variables.
• Entering -h displays command syntax help text.
• Entering -r downloads and boots the new software but does not save the software to flash memory.
• Using no option (that is, using neither -h nor -r) downloads the specified image and saves it in flash memory.

Step 19 y
Example: Do you wish to continue? y/n: [n]: y
Confirms that you want to continue with the TFTP download.

Examples

Sample Output for Recovering the System Image (tftpdnld)

rommon 16 > IP_ADDRESS=171.68.171.0
rommon 17 > IP_SUBNET_MASK=255.255.254.0
rommon 18 > DEFAULT_GATEWAY=171.68.170.3
rommon 19 > TFTP_SERVER=171.69.1.129
rommon 20 > TFTP_FILE=c2801-is-mz.113-2.0.3.Q
rommon 21 > tftpdnld

IP_ADDRESS: 171.68.171.0
IP_SUBNET_MASK: 255.255.254.0
DEFAULT_GATEWAY: 171.68.170.3
TFTP_SERVER: 171.69.1.129
TFTP_FILE: c2801-is-mz.113-2.0.3.Q

Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y

Receiving c2801-is-mz.113-2.0.3.Q from 171.69.1.129 !!!!!.!!!!!!!!!!!!!!!!!!!.!!
File reception completed.
Copying file c2801-is-mz.113-2.0.3.Q to flash.
Erasing flash at 0x607c0000
program flash location 0x60440000
rommon 22 >

Sample Output for the set ROM Monitor Command

rommon 3 > set

PS1=rommon ! >
IP_ADDRESS=172.18.16.76
IP_SUBNET_MASK=255.255.255.192
DEFAULT_GATEWAY=172.18.16.65
TFTP_SERVER=172.18.16.2
TFTP_FILE=anyname/rel22_Jan_16/c2801-i-mz
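The variables shown by the set command can be checked before tftpdnld is confirmed, since the download may erase flash. The following Python sketch is an added example, not Cisco code: it parses set output (the values from the sample output above, embedded as constructed input) and flags addressing mistakes, values outside the ranges listed in the detailed steps, and a disabled checksum test. The function names, the severity labels, and the rule that the two numeric variables must be whole numbers are assumptions of this example.

```python
import ipaddress

# Constructed input: the values from the page's sample output for `set`,
# one NAME=value per line as the ROM monitor prints them.
SAMPLE_SET_OUTPUT = """\
PS1=rommon ! >
IP_ADDRESS=172.18.16.76
IP_SUBNET_MASK=255.255.255.192
DEFAULT_GATEWAY=172.18.16.65
TFTP_SERVER=172.18.16.2
TFTP_FILE=anyname/rel22_Jan_16/c2801-i-mz
"""

REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY",
            "TFTP_SERVER", "TFTP_FILE")

# Permitted values for the optional variables, as listed in DETAILED STEPS.
ALLOWED = {
    "FE_PORT": {"0", "1"},
    "FE_SPEED_MODE": {"0", "1", "2", "3", "4"},
    "GE_PORT": {"0", "1"},
    "GE_SPEED_MODE": {"0", "1", "2", "3", "4", "5"},
    "MEDIA_TYPE": {"0", "1"},
    "TFTP_CHECKSUM": {"0", "1"},
    "TFTP_DESTINATION": {"flash:", "usbflash0:", "usbflash1:"},
}
NUMERIC = ("TFTP_RETRY_COUNT", "TFTP_TIMEOUT")  # assumed: whole numbers only


def parse_set_output(text):
    """Turn `set` output into a dict, skipping lines without NAME=value."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            env[name] = value.strip()
    return env


def check_tftpdnld_env(env):
    """Return (severity, message) findings; an empty list means no findings."""
    findings = []
    for name in REQUIRED:
        if not env.get(name):
            findings.append(("error", f"{name} is not set"))

    def addr(name):
        # Parse one IPv4 variable; record an error if it is set but invalid.
        if not env.get(name):
            return None
        try:
            return ipaddress.IPv4Address(env[name])
        except ValueError:
            findings.append(("error", f"{name} is not a valid IPv4 address"))
            return None

    ip, gw, server = addr("IP_ADDRESS"), addr("DEFAULT_GATEWAY"), addr("TFTP_SERVER")
    net = None
    if ip is not None and env.get("IP_SUBNET_MASK"):
        try:
            net = ipaddress.IPv4Network(f"{ip}/{env['IP_SUBNET_MASK']}", strict=False)
        except ValueError:
            findings.append(("error", "IP_SUBNET_MASK is not a valid netmask"))
    if net is not None:
        if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            findings.append(("error", f"IP_ADDRESS {ip} is the network or broadcast address of {net}"))
        if gw is not None and gw not in net:
            findings.append(("error", f"DEFAULT_GATEWAY {gw} is outside {net}"))
        if server is not None and server not in net:
            # TFTP (RFC 1350) has no authentication or encryption, so an
            # off-subnet server means the image crosses routed hops in the clear.
            findings.append(("warn", f"TFTP_SERVER {server} is outside {net}; the image crosses DEFAULT_GATEWAY"))

    for name, allowed in ALLOWED.items():
        if name in env and env[name] not in allowed:
            findings.append(("error", f"{name}={env[name]} is not one of {sorted(allowed)}"))
    for name in NUMERIC:
        if name in env and not env[name].isdigit():
            findings.append(("error", f"{name} must be a whole number"))
    # The page states that SFP mode applies only when GE_PORT=0.
    if env.get("MEDIA_TYPE") == "1" and env.get("GE_PORT") == "1":
        findings.append(("error", "MEDIA_TYPE=1 (SFP) applies only when GE_PORT=0"))
    if env.get("TFTP_CHECKSUM") == "0":
        findings.append(("warn", "TFTP_CHECKSUM=0 disables the checksum test on the downloaded image"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tftpdnld_env(parse_set_output(SAMPLE_SET_OUTPUT)):
        print(f"{severity}: {message}")
```

Run against the sample values, the check reports only that the TFTP server is on a different subnet from the router address.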

What to Do Next

If you want to configure the router to load a specified image at the next system reload or power-cycle, see the following documents:

• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference

• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

Troubleshooting Crashes and Hangs (stack, context, frame, sysret, meminfo)

This section lists and describes some ROM monitor commands that can be used to troubleshoot router crashes and hangs.

Most ROM monitor debug commands are functional only when the router crashes or hangs. If you enter a debug command when crash information is not available, the following error message appears:

"xxx: kernel context state is invalid, can not proceed."

The ROM monitor commands in this section are all optional and can be entered in any order.

Router Crashes

A router or system crash is a situation in which the system detects an unrecoverable error and restarts itself. The errors that cause crashes are typically detected by processor hardware, which automatically branches to special error-handling code in the ROM monitor. The ROM monitor identifies the error, prints a message, saves information about the failure, and restarts the system. For detailed information about troubleshooting crashes, see the Troubleshooting Router Crashes and Understanding Software-forced Crashes tech notes.

Router Hangs

A router or system hang is a situation in which the system does not respond to input at the console port or to queries sent from the network, such as Telnet and Simple Network Management Protocol (SNMP).

Router hangs occur when:

• The console does not respond


• Traffic does not pass through the router

Router hangs are discussed in detail in the Troubleshooting Router Hangs tech note.

ROM Monitor Console Communication Failure

Under certain misconfiguration situations, it can be impossible to establish a console connection with the router due to a speed mismatch or other incompatibility. The most obvious symptom is erroneous characters in the console display.

If a ROM monitor failure of this type occurs, you may need to change a jumper setting on the motherboard so that the router can boot for troubleshooting. Procedures for accessing the motherboard and jumper locations are described in the installation of internal components section of the hardware installation document for your router.

The jumper to be changed is DUART DFLT, which sets the console connection data rate to 9600 regardless of user configuration. The jumper forces the data rate to a known good value.

Restrictions

Do not manually reload or power-cycle the router unless reloading or power cycling is required for troubleshooting a router crash. The system reload or power-cycle can cause important information to be lost that is needed for determining the root cause of the problem.

SUMMARY STEPS

1. stack or k

2. context

3. frame [number]

4. sysret

5. meminfo

DETAILED STEPS

Command or Action Purpose

Step 1 stack
or
k
Example: rommon > stack
(Optional) Obtains a stack trace.
• For detailed information on how to effectively use this command in ROM monitor mode, see the Troubleshooting Router Hangs tech note.

Step 2 context
Example: rommon > context
(Optional) Displays the CPU context at the time of the fault.
• If it is available, the context from kernel mode and process mode of a loaded image is displayed.


Step 3 frame [number]
Example: rommon > frame 4
(Optional) Displays an entire individual stack frame.
• The default is 0 (zero), which is the most recent frame.

Step 4 sysret
Example: rommon > sysret
(Optional) Displays return information from the last booted system image.
• The return information includes the reason for terminating the image, a stack dump of up to eight frames, and, if an exception is involved, the address at which the exception occurred.

Step 5 meminfo [-l]
Example: rommon > meminfo
(Optional) Displays memory information, including:
• Main memory size, starting address, and available range
• Packet memory size
• NVRAM size
Alternatively, using the meminfo -l command provides information on supported DRAM configurations for the router.

Examples

This section provides the following examples:

• Sample Output for the stack ROM Monitor Command

• Sample Output for the context ROM Monitor Command

• Sample Output for the frame ROM Monitor Command

• Sample Output for the sysret ROM Monitor Command

• Sample Output for the meminfo ROM Monitor Command


Sample Output for the stack ROM Monitor Command

rommon 6> stack

Kernel Level Stack Trace:
Initial SP = 0x642190b8, Initial PC = 0x607a0d44, RA = 0x61d839f8
Frame 0 : FP= 0x642190b8, PC= 0x607a0d44, 0 bytes
Frame 1 : FP= 0x642190b8, PC= 0x61d839f8, 24 bytes
Frame 2 : FP= 0x642190d0, PC= 0x6079b6c4, 40 bytes
Frame 3 : FP= 0x642190f8, PC= 0x6079ff70, 32 bytes
Frame 4 : FP= 0x64219118, PC= 0x6079eaec, 0 bytes

Process Level Stack Trace:
Initial SP = 0x64049cb0, Initial PC = 0x60e3b7f4, RA = 0x60e36fa8
Frame 0 : FP= 0x64049cb0, PC= 0x60e3b7f4, 24 bytes
Frame 1 : FP= 0x64049cc8, PC= 0x60e36fa8, 24 bytes
Frame 2 : FP= 0x64049ce0, PC= 0x607a5800, 432 bytes
Frame 3 : FP= 0x64049e90, PC= 0x607a8988, 56 bytes
Frame 4 : FP= 0x64049ec8, PC= 0x64049f14, 0 bytes

Sample Output for the context ROM Monitor Command

rommon 7> context

Kernel Level Context:
 Reg      MSW        LSW     |  Reg      MSW        LSW
------ ---------- ---------- | ----- ---------- ----------
zero  : 00000000 00000000    | s0    : 00000000 34018001
AT    : 00000000 24100000    | s1    : 00000000 00000001
v0    : 00000000 00000003    | s2    : 00000000 00000003
v1    : 00000000 00000000    | s3    : 00000000 00000000
a0    : 00000000 0000002b    | s4    : 00000000 64219118
a1    : 00000000 00000003    | s5    : 00000000 62ad0000
a2    : 00000000 00000000    | s6    : 00000000 63e10000
a3    : 00000000 64219118    | s7    : 00000000 63e10000
t0    : 00000000 00070808    | t8    : ffffffff e7400884
t1    : 00000000 00000000    | t9    : 00000000 00000000
t2    : 00000000 63e10000    | k0    : 00000000 00000000
t3    : 00000000 34018001    | k1    : 00000000 63ab871c
t4    : ffffffff ffff80fd    | gp    : 00000000 63c1c2d8
t5    : ffffffff fffffffe    | sp    : 00000000 642190b8
t6    : 00000000 3401ff02    | s8    : 00000000 6429274c
t7    : 00000000 6408d464    | ra    : 00000000 61d839f8
HI    : ffffffff e57fce22    | LO    : ffffffff ea545255
EPC   : 00000000 607a0d44    | ErrPC : ffffffff bfc05f2c
Stat  : 34018002             | Cause : 00000020

Process Level Context:
 Reg      MSW        LSW     |  Reg      MSW        LSW
------ ---------- ---------- | ----- ---------- ----------
zero  : 00000000 00000000    | s0    : 00000000 6401a6f4
AT    : 00000000 63e10000    | s1    : 00000000 00000000
v0    : 00000000 00000000    | s2    : 00000000 64049cf0
v1    : 00000000 00000440    | s3    : 00000000 63360000
a0    : 00000000 00000000    | s4    : 00000000 63360000
a1    : 00000000 00070804    | s5    : 00000000 62ad0000
a2    : 00000000 00000000    | s6    : 00000000 63e10000
a3    : 00000000 00000000    | s7    : 00000000 63e10000
t0    : 00000000 00000000    | t8    : ffffffff e7400884
t1    : 00000000 64928378    | t9    : 00000000 00000000
t2    : 00000000 00000001    | k0    : 00000000 644822e8
t3    : ffffffff ffff00ff    | k1    : 00000000 61d86d84
t4    : 00000000 6079eee0    | gp    : 00000000 63c1c2d8
t5    : 00000000 00000001    | sp    : 00000000 64049cb0
t6    : 00000000 00000000    | s8    : 00000000 6429274c
t7    : 00000000 6408d464    | ra    : 00000000 60e36fa8
HI    : ffffffff e57fce22    | LO    : ffffffff ea545255
EPC   : 00000000 60e3b7f4    | ErrPC : ffffffff ffffffff
Stat  : 3401ff03             | Cause : ffffffff

Sample Output for the frame ROM Monitor Command

rommon 6 > frame 2

Stack Frame 2, SP = 0x642190d0, Size = 40 bytes
[0x642190d0 : sp + 0x000] = 0xffffffff
[0x642190d4 : sp + 0x004] = 0xbfc05f2c
[0x642190d8 : sp + 0x008] = 0xffffffff
[0x642190dc : sp + 0x00c] = 0xffffffff
[0x642190e0 : sp + 0x010] = 0x6401a6f4
[0x642190e4 : sp + 0x014] = 0x00000000
[0x642190e8 : sp + 0x018] = 0x64049cf0
[0x642190ec : sp + 0x01c] = 0x63360000
[0x642190f0 : sp + 0x020] = 0x63360000
[0x642190f4 : sp + 0x024] = 0x6079ff70
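Captured stack and frame output can be checked for internal consistency before it is relied on in crash analysis, which helps spot a console transcript garbled by the communication problems described earlier. The following Python sketch is an added example, not Cisco code. It relies on relationships observed in the sample output above (each frame's FP plus its size equals the next frame's FP, and each dumped word's address equals SP plus its offset); these are assumptions drawn from the samples, not documented guarantees, and the function names are hypothetical.

```python
import re

HEX = r"(0x[0-9a-fA-F]+)"
FRAME_RE = re.compile(rf"Frame\s+(\d+)\s*:\s*FP=\s*{HEX},\s*PC=\s*{HEX},\s*(\d+)\s+bytes")
HEAD_RE = re.compile(rf"Stack Frame (\d+), SP = {HEX}, Size = (\d+) bytes")
WORD_RE = re.compile(rf"\[{HEX}\s*:\s*sp\s*\+\s*{HEX}\]\s*=\s*{HEX}")

# Constructed input: the page's sample `stack` and `frame 2` output,
# restored to one record per line.
STACK_OUTPUT = """\
Kernel Level Stack Trace:
Initial SP = 0x642190b8, Initial PC = 0x607a0d44, RA = 0x61d839f8
Frame 0 : FP= 0x642190b8, PC= 0x607a0d44, 0 bytes
Frame 1 : FP= 0x642190b8, PC= 0x61d839f8, 24 bytes
Frame 2 : FP= 0x642190d0, PC= 0x6079b6c4, 40 bytes
Frame 3 : FP= 0x642190f8, PC= 0x6079ff70, 32 bytes
Frame 4 : FP= 0x64219118, PC= 0x6079eaec, 0 bytes
Process Level Stack Trace:
Initial SP = 0x64049cb0, Initial PC = 0x60e3b7f4, RA = 0x60e36fa8
Frame 0 : FP= 0x64049cb0, PC= 0x60e3b7f4, 24 bytes
Frame 1 : FP= 0x64049cc8, PC= 0x60e36fa8, 24 bytes
Frame 2 : FP= 0x64049ce0, PC= 0x607a5800, 432 bytes
Frame 3 : FP= 0x64049e90, PC= 0x607a8988, 56 bytes
Frame 4 : FP= 0x64049ec8, PC= 0x64049f14, 0 bytes
"""
FRAME_OUTPUT = """\
Stack Frame 2, SP = 0x642190d0, Size = 40 bytes
[0x642190d0 : sp + 0x000] = 0xffffffff
[0x642190d4 : sp + 0x004] = 0xbfc05f2c
[0x642190d8 : sp + 0x008] = 0xffffffff
[0x642190dc : sp + 0x00c] = 0xffffffff
[0x642190e0 : sp + 0x010] = 0x6401a6f4
[0x642190e4 : sp + 0x014] = 0x00000000
[0x642190e8 : sp + 0x018] = 0x64049cf0
[0x642190ec : sp + 0x01c] = 0x63360000
[0x642190f0 : sp + 0x020] = 0x63360000
[0x642190f4 : sp + 0x024] = 0x6079ff70
"""


def parse_stack(text):
    """Return {trace title: [frame dicts]} for each '... Stack Trace:' section."""
    traces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Stack Trace:"):
            current = traces.setdefault(line[:-1], [])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            n, fp, pc, size = m.groups()
            current.append({"n": int(n), "fp": int(fp, 16),
                            "pc": int(pc, 16), "size": int(size)})
    return traces


def chain_breaks(frames):
    """Frame numbers whose FP + size does not equal the next frame's FP."""
    return [a["n"] for a, b in zip(frames, frames[1:])
            if a["fp"] + a["size"] != b["fp"]]


def parse_frame(text):
    """Parse one `frame` dump into its number, SP, size and (addr, offset, value) words."""
    m = HEAD_RE.search(text)
    if not m:
        raise ValueError("no 'Stack Frame' header found")
    words = [(int(a, 16), int(off, 16), int(v, 16))
             for a, off, v in WORD_RE.findall(text)]
    return {"n": int(m.group(1)), "sp": int(m.group(2), 16),
            "size": int(m.group(3)), "words": words}


def frame_problems(dump, frames):
    """Cross-check one `frame` dump against the stack trace it belongs to."""
    entry = next((f for f in frames if f["n"] == dump["n"]), None)
    if entry is None:
        return [f"frame {dump['n']} is not in the stack trace"]
    problems = []
    if (dump["sp"], dump["size"]) != (entry["fp"], entry["size"]):
        problems.append("SP or size differs from the stack trace entry")
    if len(dump["words"]) * 4 != dump["size"]:
        problems.append("number of 32-bit words does not match the frame size")
    for addr, off, _ in dump["words"]:
        if addr != dump["sp"] + off:
            problems.append(f"address {addr:#x} is not sp + {off:#x}")
    return problems


if __name__ == "__main__":
    for title, frames in parse_stack(STACK_OUTPUT).items():
        print(title, "breaks:", chain_breaks(frames))
    kernel = parse_stack(STACK_OUTPUT)["Kernel Level Stack Trace"]
    print("frame dump problems:", frame_problems(parse_frame(FRAME_OUTPUT), kernel))
```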

Sample Output for the sysret ROM Monitor Command

rommon 8> sysret

System Return Info:
count: 19, reason: user break
pc:0x801111b0, error address: 0x801111b0
Stack Trace:
FP: 0x80005ea8, PC: 0x801111b0
FP: 0x80005eb4, PC: 0x80113694
FP: 0x80005f74, PC: 0x8010eb44
FP: 0x80005f9c, PC: 0x80008118
FP: 0x80005fac, PC: 0x80008064
FP: 0x80005fc4, PC: 0xfff03d70
FP: 0x80005ffc, PC: 0x00000000
FP: 0x00000000, PC: 0x00000000

Sample Output for the meminfo ROM Monitor Command

rommon 3> meminfo

-------------------------------------------------
Current Memory configuration is:
Onboard SDRAM: Size = 128 MB : Start Addr = 0x10000000
-----Bank 0 128 MB
-----Bank 1 0 MB
Dimm 0: Size = 256 MB : Start Addr = 0x00000000
-----Bank 0 128 MB
-----Bank 1 128 MB
-------------------------------------------------
Main memory size: 384 MB in 64 bit mode.
Available main memory starts at 0xa0015000, size 393132KB
IO (packet) memory size: 10 percent of main memory.
NVRAM size: 191KB


You can also use the meminfo -l command to show the supported DRAM configurations for the router. The following is sample output for the command:

rommon 4 > meminfo -l

The following 64 bit memory configs are supported:
-------------------------------------------------
Onboard SDRAM     DIMM SOCKET 0     TOTAL MEMORY
Bank 0   Bank1    Bank 0   Bank 1
-------------     -------------     ------------
128 MB   0 MB     0 MB     0 MB     128 MB
128 MB   0 MB     64 MB    0 MB     192 MB
128 MB   0 MB     64 MB    64 MB    256 MB
128 MB   0 MB     128 MB   0 MB     256 MB
128 MB   0 MB     128 MB   128 MB   384 MB
128 MB   0 MB     256 MB   0 MB     384 MB

Troubleshooting Tips

See the following tech notes:

• Troubleshooting Router Crashes

• Understanding Software-forced Crashes

• Troubleshooting Router Hangs

Exiting ROM Monitor Mode

This section describes how to exit ROM monitor mode and enter the Cisco IOS command-line interface (CLI). The method that you use to exit ROM monitor mode depends on how your router entered ROM monitor mode:

• If you reload the router and enter the Break key sequence to enter ROM monitor mode when the router would otherwise have booted the system image, you can exit ROM monitor mode by doing either of the following:

– Enter the i command or the reset command, which restarts the booting process and loads the system image.

– Enter the cont command, which continues the booting process and loads the system image.

• If your router entered ROM monitor mode because it could not locate and load the system image, perform the steps in the following procedure.

SUMMARY STEPS

1. dir flash: [directory]

2. boot flash: [directory] [filename] or boot filename tftpserver or boot [filename]


DETAILED STEPS

Command or Action Purpose

Step 1 dir flash:[directory]
Example: rommon > dir flash:
Displays a list of the files and directories in flash memory.
• Locate the system image that you want the router to load.
• If the system image is not in flash memory, use the second or third option in Step 2.

Step 2 boot flash:[directory] [filename]
or
boot filename tftpserver
or
boot [filename]
Example: ROMMON > boot flash:myimage
Example: ROMMON > boot someimage 172.16.30.40
Example: ROMMON > boot
In order, the examples here direct the router to:
• Boot the first image or a specified image in flash memory.
• Boot the specified image over the network from the specified TFTP server (hostname or IP address).
• Boot from the boothelper image because it does not recognize the device ID. This form of the command is used to netboot a specified image.
You can override the default boothelper image setting by setting the BOOTLDR Monitor environment variable to point to another image. Any system image can be used for this purpose.
Note Options to the boot command are -x (load image but do not execute) and -v (verbose).

Examples

Sample Output for the dir flash: Command in ROM Monitor mode

rommon > dir flash:

File size                 Checksum   File name
2229799 bytes (0x220627)  0x469e     c2801-j-m2.113-4T

What to Do Next

Now that you have a system image running on your router, configure the router to load the correct image at the next system reload or power-cycle. See the following documents:

• “Booting Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference

• Cisco IOS Configuration Fundamentals and Network Management Configuration Guide


Additional References

The following sections provide references related to using the ROM monitor.

Related Documents

Related Topic: Document Title

Connecting your PC to the router console port:
• Quick start guide for your router
• Hardware installation guide for your router

Break key sequence combinations for entering ROM monitor mode within the first 60 seconds of rebooting the router: Standard Break Key Sequence Combinations During Password Recovery

Upgrading the ROM monitor: ROM Monitor Download Procedures for Cisco 2691, Cisco 3631, Cisco 3725, and Cisco 3745 Routers
Note These procedures also apply to Cisco 1841 series, Cisco 2800 series, and Cisco 3800 series routers.

Using the boot image (Rx-boot) to recover or upgrade the system image: How to Upgrade from ROMmon Using the Boot Image

Booting and configuration register commands: Cisco IOS Configuration Fundamentals Command Reference

Loading and maintaining system images; rebooting: Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

Choosing and downloading system images: Software Center at http://www.cisco.com/kobayashi/sw-center/index.shtml

Console download (xmodem): Xmodem Console Download Procedure Using ROMmon

Router crashes:
• Troubleshooting Router Crashes
• Understanding Software-forced Crashes

Router hangs: Troubleshooting Router Hangs


Technical Assistance

Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. [1]

Link: http://www.cisco.com/public/support/tac/home.shtml

[1] You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2006 Cisco Systems, Inc. All rights reserved.


Using CompactFlash Memory Cards

Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers use external CompactFlash (CF) memory cards to store the system image, some software feature data, and configuration files. The CF memory cards use the following file systems. The file system that is supported depends on router model:

• Class B flash file system, also known as the low-end file system (LEFS)

• Class C flash file system, similar to the standard DOS file system

This document contains the following sections:

• Platforms Supported by This Document

• Requirements and Restrictions

• Online Insertion and Removal

• How to Format CompactFlash Memory Cards

• File Operations on CompactFlash Memory Cards

• Directory Operations on a CompactFlash Memory Card

Platforms Supported by This Document

Use this document with the following platforms:

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers


Requirements and Restrictions

• Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers do not support internal flash memory. Because the system image can be stored only on a CF memory card, you need to have a CF memory card installed to boot the system image.

• We recommend that you erase (Class B) or format (Class C) new CF memory cards to initialize them with either a Class B or Class C flash file system. This ensures proper formatting and enables the ROM monitor to recognize and boot the flash memory.

• Only CF memory cards purchased from Cisco are supported on these platforms.

Cisco 1800 Series Routers and Cisco 2801 Routers

• Support only the Class C flash file system.

• Support only external CF memory cards.

• The CF memory card file system can be formatted on a Cisco 1800 series router or Cisco 2801 router. After the file system has been formatted, files on the CF memory card can be copied to or from any PC that is equipped with a CF memory reader. If you use a PC to format the CF memory card, use only the Microsoft 16-bit File Allocation Table (FAT16) file system.

Cisco 3800 Series Routers and Cisco 2800 Series Routers (Except for Cisco 2801 Routers)

• Support Class B and Class C flash file systems.

• Support only external CF memory cards.

• If you use a PC to format the CF memory cards, you can format the cards with the Microsoft 16-bit File Allocation Table (FAT16), Microsoft 32-bit File Allocation Table (FAT32), or Microsoft Windows NT file system (NTFS). Alternatively, you can format the CF memory card on the router.

Note When formatted on the router, flash memory cards are formatted with the DOSFS file system, a platform-independent industry-standard file system that is supported on all Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers.

Online Insertion and Removal

Online insertion and removal (OIR) is a feature that allows you to replace CF memory cards without turning off the router and without affecting the operation of other interfaces. OIR of CF memory cards provides uninterrupted operation to network users, maintains routing information, and ensures session preservation.

Caution The external CF memory card should not be removed if the flash memory busy “CF” LED on the router is ON, because this indicates that the software is accessing the CF memory card. Removing the CF memory card may disrupt the network, because some software features use the CF memory card to store tables and other important data.

For instructions on inserting, removing, and replacing the external CF memory card, see the hardware installation documentation that came with your router.


How to Format CompactFlash Memory Cards

This section contains the following procedures:

• Determining the File System on a CompactFlash Memory Card

• Formatting CompactFlash Memory as a Class B Flash File System

• Formatting CompactFlash Memory as a Class C File System

Determining the File System on a CompactFlash Memory Card

To determine the file system of a CF memory card, enter the show flash: all command in privileged EXEC mode.

• If geometry and format information does not appear in the output, the card is formatted with a Class B flash file system.

• If geometry and format information appears in the output, the card is formatted with a Class C flash file system.

The following examples show sample outputs for Class B and Class C flash file systems.

External Card with Class B Flash File System: Example

The geometry and format information does not appear.

Router# show flash: all

Partition   Size      Used      Free       Bank-Size   State        CopyMode
1           125184K   20390K    104793K    0K          Read/Write   Direct

System Compact Flash directory:
File   Length     Name/status         addr       fcksum   ccksum
1      6658376    c28xx-i-mz          0x40       0xE0FF   0xE0FF
2      14221136   c2800-telcoent-mz   0x6599C8   0x5C3D   0x5C3D
[20879640 bytes used, 107308776 available, 128188416 total]
125184K bytes of ATA System Compact Flash (Read/Write)

Chip information NOT available.

External Card with Class C Flash File System: Example

The geometry and format information is displayed in this format.

Router# show flash: all

-#- --length-- -----date/time------ path
1 6658376 Mar 01 2004 04:27:46 c28xx-i-mz

25268224 bytes available (6664192 bytes used)

******** ATA Flash Card Geometry/Format Info ********

ATA CARD GEOMETRY
Number of Heads:         4
Number of Cylinders      490
Sectors per Cylinder     32
Sector Size              512
Total Sectors            62720

ATA CARD FORMAT
Number of FAT Sectors    31
Sectors Per Cluster      8
Number of Clusters       7796
Number of Data Sectors   62560
Base Root Sector         155
Base FAT Sector          93
Base Data Sector         187

Formatting CompactFlash Memory as a Class B Flash File System

Use the erase flash: command in privileged EXEC mode to:

• Format CF memory cards with a Class B flash file system

• Remove the files from a CF memory card previously formatted with a Class B flash file system

Formatting CompactFlash Memory as a Class B Flash File System: ExampleRouter# erase flash:

Erasing the flash filesystem will remove all files! Continue? [confirm]Current DOS File System flash card in flash: will be formatted into LowEnd File System flash card! Continue? [confirm]Erasing device...eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee...erasedErase of flash: complete

Formatting CompactFlash Memory as a Class C File System

Use the format flash: command in privileged EXEC mode to:

• Format CF memory cards with a Class C flash file system

• Remove the files from a CF memory card previously formatted with a Class C flash file system

Formatting CompactFlash Memory as a Class C Flash File System: Example

Router# format flash:

Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:". Continue? [confirm]
Enter volume ID (up to 64 chars)[default flash]:
Current Low End File System flash card in flash will be formatted into DOS File System flash card! Continue? [confirm]
Format:Drive communication & 1st Sector Write OK...
Writing Monlib sectors ..................................................................
Monlib write complete


Format:All system sectors written. OK...
Format:Total sectors in formatted partition:250592
Format:Total bytes in formatted partition:128303104
Format:Operation completed successfully.
Format of flash complete

File Operations on CompactFlash Memory Cards

File and directory operations vary according to the formatted file system: Class B or Class C.

This section describes the following file operations for external CF memory cards:

• Copying Files

• Displaying Files

• Displaying File Content

• Displaying Geometry and Format Information (Class C Only)

• Deleting Files

• Renaming Files

Copying Files

To copy files, enter the copy command in privileged EXEC mode. To indicate a file that is stored in a CF memory card, precede the filename with flash:.

Examples: Copying Files

In the following example, the file my-config1 on the CF memory card is copied into the startup-config file in the system memory:

Router# copy flash:my-config1 startup-config

Destination filename [startup-config]?
[OK]
517 bytes copied in 4.188 secs (129 bytes/sec)

In the following example, the file my-config2 on the CF memory card is copied into the running-config file in the system memory:

Router# copy flash:my-config2 running-config

Destination filename [running-config]?
709 bytes copied in 0.72 secs

Displaying Files

To display a list of files on a CF memory card, enter the dir flash: command in privileged EXEC mode:

Router# dir flash:

Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)


Displaying File Content

To display the content of a file that is stored in flash memory, enter the more flash: command in privileged EXEC mode:

Router# more flash:c28xx-i-mz


Displaying Geometry and Format Information (Class C Only)

To display the geometry and format information of a CF memory card formatted with a Class C flash file system, enter the show flash: filesys command in privileged EXEC mode:

Router# show flash: filesys

******** ATA Flash Card Geometry/Format Info ********

ATA CARD GEOMETRY
  Number of Heads:        4
  Number of Cylinders     490
  Sectors per Cylinder    32
  Sector Size             512
  Total Sectors           62720

ATA CARD FORMAT
  Number of FAT Sectors   31
  Sectors Per Cluster     8
  Number of Clusters      7796
  Number of Data Sectors  62560
  Base Root Sector        155
  Base FAT Sector         93
  Base Data Sector        187


Deleting Files

To delete a file from a CF memory card, enter the delete flash: command.

If you are using a Class B flash file system, after you enter the delete flash: command, the memory space of the deleted file remains occupied, although the deleted file cannot be recovered. To reclaim the memory space occupied by a deleted file, enter the squeeze flash: command, in privileged EXEC mode.

Note: The squeeze flash command applies only to the Class B flash file system. This command is unnecessary with Class C flash file systems, because unused file space is recovered automatically. Moreover, the squeeze flash command is not supported on Cisco 1800 series routers or Cisco 2801 routers.

Note: The dir flash: command does not display deleted files and files with errors. On Class B flash file systems, to display all files, including files with errors and deleted files whose memory space has not been reclaimed with the squeeze flash: command, enter the dir /all flash: command or the show flash: command in privileged EXEC mode.

Deleting a File from a CompactFlash Memory Card with a Class B Flash File System: Example

In the following example, the file c28xx-i-mz.tmp is deleted from the external CF memory card:

Router# delete flash:c28xx-i-mz.tmp

Delete filename [c28xx-i-mz.tmp]?
Delete flash:c28xx-i-mz.tmp? [confirm]

Because the file was deleted, it does not appear when you enter the dir flash: command:

Router# dir flash:

Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)

However, if you are using a Class B file system, because the deleted file’s memory space has not yet been reclaimed, the deleted file is listed when you enter the show flash: command:

Router# show flash:

Flash Compact Flash directory:
File  Length   Name/status
  1   6458208  c28xx-i-mz.tmp [deleted]
  2   6458208  c28xx-i-mz
[12916544 bytes used, 3139776 available, 16056320 total]
15680K bytes of ATA Compact Flash (Read/Write)

To reclaim the memory space of deleted files, enter the squeeze flash: command:

Router# squeeze flash:

Squeeze operation may take a while. Continue? [confirm]
squeeze in progress...
sssssssssssssssssssssssseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Rebuild file system directory...
Squeeze complete


Renaming Files

To rename a file on a CF memory card, enter the rename command in privileged EXEC mode:

Router# dir flash:

Directory of flash:/

    3  -rw-  6458388  Mar 01 2004 00:00:58  c28xx-i-mz.tmp
 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata

63930368 bytes total (51007488 bytes free)

Router# rename flash:c28xx-i-mz.tmp flash:c28xx-i-mz

Destination filename [c28xx-i-mz]?

Router# dir flash:

Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)

Directory Operations on a CompactFlash Memory Card

Directory operations vary according to the formatted file system: Class B or Class C.

The following sections describe directory operations for external CF memory cards on Cisco routers:

• Entering a Directory and Determining Which Directory You Are In

• Creating a New Directory

• Removing a Directory

Entering a Directory and Determining Which Directory You Are In

To enter a directory of a CF memory card, enter the cd command in privileged EXEC mode. The cd command specifies or changes the default directory or file system. If you enter cd only, without specifying a file system, the router enters the default home directory, which is flash.

Router# cd

To determine which directory you are in, enter the pwd command in privileged EXEC mode. The CLI displays which directory or file system is specified as the default by the cd command.

Router# pwd

flash:


To display a list of files in the directory that you are in, enter the dir command in privileged EXEC mode. The command-line interface will display the files in the file system that was specified as the default by the cd command.

Router# dir

Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)

Entering a Directory: Example

To enter the /config directory:

Router# cd config

To verify that you are in the /config directory:

Router# pwd

flash:/config/

Router# dir

Directory of flash:/config/

  380  -rw-  6462268  Mar 08 2004 06:14:02  myconfig1
  203  -rw-  6458388  Mar 03 2004 00:01:24  myconfig2

63930368 bytes total (51007488 bytes free)

Creating a New Directory

To create a directory in flash memory, enter the mkdir flash: command in privileged EXEC mode.

Creating a New Directory: Example

In the following example, a new directory named “config” is created; then a new subdirectory named “test-config” is created within the “config” directory.

Router# dir flash:

Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)

Router# mkdir flash:/config

Create directory filename [config]?
Created dir flash:/config

Router# mkdir flash:/config/test-config

Create directory filename [/config/test-config]?
Created dir flash:/config/test-config


Router# dir flash:

Directory of flash:/

    3  -rw-  6458208  Mar 01 2004 00:04:08  c28xx-i-mz.tmp
 1580  drw-        0  Mar 01 2004 23:48:36  config

128094208 bytes total (121626624 bytes free)

Removing a Directory

To remove a directory in flash memory, enter the rmdir flash: command in privileged EXEC mode.

Before you can remove a directory, you must remove all files and subdirectories from the directory.

Example: Removing a Directory

In the following example, the subdirectory test-config is removed.

Router# dir

Directory of flash:/config/

1581 drw- 0 Mar 01 2004 23:50:08 test-config

128094208 bytes total (121626624 bytes free)

Router# rmdir flash:/config/test-config

Remove directory filename [/config/test-config]?
Delete flash:/config/test-config? [confirm]
Removed dir flash:/config/test-config

Router# dir

Directory of flash:/config/

No files in directory

128094208 bytes total (121630720 bytes free)


Upgrading the System Image

This document describes how to upgrade the Cisco IOS software system image on your router.

Contents

• Platforms Supported by This Document

• Restrictions for Upgrading the System Image

• Information About Upgrading the System Image

• How to Upgrade the System Image

• Additional References

Platforms Supported by This Document

• Cisco 1800 series routers

• Cisco 2800 series routers

• Cisco 3800 series routers

Restrictions for Upgrading the System Image

• Cisco 3800 series routers, Cisco 2800 series routers, and Cisco 1800 series routers support only external compact flash memory cards. Internal flash memory is not supported. For more details, see Using CompactFlash Memory Cards.


Information About Upgrading the System Image

To upgrade the system image on your router, you should understand the following concepts:

• Why Would I Upgrade the System Image?

• Which Cisco IOS Release Is Running on My Router Now?

• How Do I Choose the New Cisco IOS Release and Feature Set?

• Where Do I Download the System Image?

Why Would I Upgrade the System Image?

System images contain the Cisco IOS software. Your router already has an image on it when you receive it. Nevertheless, you may want to load a different image onto the router at some point. For example, you may want to upgrade your software to the latest release, or you may want to use the same Cisco IOS release for all the routers in a network. Different system images contain different sets of Cisco IOS features.

Which Cisco IOS Release Is Running on My Router Now?

To determine which Cisco IOS release is currently running on your system, and the filename of the system image, enter the show version command in user EXEC or privileged EXEC mode.

How Do I Choose the New Cisco IOS Release and Feature Set?

To determine which Cisco IOS releases and feature sets support your platform and required features, go to Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

For more detailed information on choosing the new Cisco IOS release and feature set, see the How to Choose a Cisco IOS Software Release tech note.

Where Do I Download the System Image?

You must have an account on Cisco.com to use the following websites. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box, and follow the instructions that appear.

If you know which Cisco IOS release and feature set you want to download, go to the Download Software Area at http://www.cisco.com/kobayashi/sw-center/index.shtml.

If you want more information before selecting the Cisco IOS release and feature set, go to the Software Center at http://www.cisco.com/kobayashi/sw-center/index.shtml.

OL-5595-01

How to Upgrade the System Image

This section provides information about performing the following tasks:

• Saving Backup Copies of Your Old System Image and Configuration

• Ensuring Adequate DRAM for the New System Image

• Ensuring Adequate Flash Memory for the New System Image

• Copying the System Image into Flash Memory

• Loading the New System Image

• Saving Backup Copies of Your New System Image and Configuration

Saving Backup Copies of Your Old System Image and Configuration

To avoid unexpected downtime if you encounter serious problems using your new system image or startup configuration, we recommend that you save backup copies of your current startup configuration file and Cisco IOS software system image file on a server.

For more detailed information, see the “Managing Configuration Files” chapter and the “Loading and Maintaining System Images” chapter of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.

To save backup copies of the startup configuration file and the system image file, complete the following steps.

SUMMARY STEPS

1. enable

2. copy nvram:startup-config {ftp: | rcp: | tftp:}

3. dir flash:

4. copy flash: {ftp: | rcp: | tftp:}

DETAILED STEPS

Step 1 enable

Example:
Router> enable

Purpose: Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2 copy nvram:startup-config {ftp: | rcp: | tftp:}

Example:
Router# copy nvram:startup-config ftp:

Purpose: Copies the startup configuration file to a server.

• The configuration file copy can serve as a backup copy.

• Enter the destination URL when prompted.

Step 3 dir flash:

Example:
Router# dir flash:

Purpose: Displays the layout and contents of a flash memory file system.

• Learn the name of the system image file.

Step 4 copy flash: {ftp: | rcp: | tftp:}

Example:
Router# copy flash: ftp:

Purpose: Copies a file from flash memory to a server.

• Copy the system image file to a server. This file can serve as a backup copy.

• Enter the flash memory partition number if prompted.

• Enter the filename and destination URL when prompted.

Examples

The following examples show how to copy a startup configuration to a TFTP server and how to copy from flash memory to an FTP server.

Copying the Startup Configuration to a TFTP Server: Example

The following example shows the startup configuration being copied to a TFTP server:

Router# copy nvram:startup-config tftp:

Remote host[]? 192.0.0.1

Name of configuration file to write [rtr2-confg]? rtr2-config-b4upgrade
Write file rtr2-confg-b4upgrade on host 192.0.0.1?[confirm] <cr>
![OK]

Copying from Flash Memory to a TFTP Server: Example

The following example uses the dir flash: command in privileged EXEC mode to learn the name of the system image file and the copy flash: tftp: command in privileged EXEC mode to copy the system image (c2800-2is-mz) to a TFTP server. The router uses the default username and password.

Router# dir flash:

System flash directory:
File  Length   Name/status
  1   4137888  c2800-image-mz
[4137952 bytes used, 12639264 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)

Router# copy flash: tftp:

IP address of remote host [255.255.255.255]? 192.0.0.1
filename to write on tftp host? c2800-image-mz
writing c2800-image-mz !!!!...
successful ftp write.

Ensuring Adequate DRAM for the New System Image

This section describes how to check whether your router has enough DRAM for upgrading to the new system image.


Prerequisites

Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information About Upgrading the System Image” section on page 2.

SUMMARY STEPS

1. Select the system image in the Download Software Area at the following URL:

http://www.cisco.com/kobayashi/sw-center/index.shtml.

2. Write down the minimum memory requirements for the image, as displayed in the File Download Information table.

3. show version

4. Add the memory sizes that are displayed in the show version command output to calculate your router’s DRAM size.

5. Compare the calculated DRAM size with the minimum memory requirements from Step 2.

a. If the DRAM is equal to or greater than the new system image’s minimum memory requirements, then proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.

b. If the DRAM is less than the new system image’s minimum memory requirements, then you must upgrade your DRAM. See the hardware installation guide for your router.

DETAILED STEPS

Step 1 Select the system image in the Download Software Area at the following URL:

http://www.cisco.com/kobayashi/sw-center/index.shtml.

You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Step 2 Write down the minimum memory requirements for the image, as displayed in the File Download Information table.

Step 3 show version

Use this command to display the router processor and memory (shown in bold text in the following sample output):

Router# show version

Cisco IOS Software, 2800 Software (C2800-IPBASE-M), Version 12.3(2), [fc3]
Copyright (c) 2004 by Cisco Systems, Inc.
Compiled Thu 11-Aug-04 18:15

ROM: System Bootstrap, Version 12.3(2)

Router1 uptime is 1 day, 23 hours, 15 minutes
System returned to ROM by reload at 13:11:44 UTC Fri Mar 12 2004
Running default software

Cisco 2800(revision 2.0) with 231424K/30720K bytes of memory.
Processor board ID FHH0746C042
2 Gigabit Ethernet interfaces
2 Serial interfaces
2 Channelized E1/PRI ports
2 Channelized T1/PRI ports


DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x820

Router#

Step 4 Add the memory sizes that are displayed in the show version command output to calculate the amount of DRAM in your router.

For example, in the sample show version command output shown in Step 3, you would add 231424 KB and 30720 KB for a total of 262144 KB, or 256 MB, of DRAM.

Tip: To convert from kilobytes (KB) to megabytes (MB), divide the number of kilobytes by 1024.

Step 5 Compare the amount of DRAM in the router to the minimum memory requirements from Step 2.

a. If the DRAM is equal to or greater than the new system image’s minimum memory requirements, proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.

b. If the DRAM is less than the new system image’s minimum memory requirements, you must upgrade your DRAM. See the hardware installation guide for your router.

What to Do Next

Proceed to the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.

Ensuring Adequate Flash Memory for the New System Image

This section describes how to check whether your router has enough flash memory to upgrade to the new system image and, if necessary, how to properly delete files in flash memory to make room for the new system image. For more information, see Using Compact Flash Memory Cards.

Prerequisites

• Choose the Cisco IOS release and system image to which you want to upgrade. See the “Information About Upgrading the System Image” section on page 2.

• Select the system image in the Download Software Area at:

http://www.cisco.com/kobayashi/sw-center/index.shtml.

You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

From the File Download Information table, write down the minimum flash requirements for the image.

SUMMARY STEPS

1. enable

2. (Class B file systems only) squeeze flash:


3. dir flash:

4. From the displayed output of the dir flash: command, compare the number of bytes available to the minimum flash requirements for the new system image.

a. If the available memory is equal to or greater than the new system image’s minimum flash requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.

b. If the available memory is less than the new system image’s minimum flash requirements, proceed to Step 5.

5. From the displayed output of the dir flash: command, compare the number of bytes total to the size of the system image to which you want to upgrade.

a. If the total memory is less than the new system image’s minimum flash requirements, you must upgrade your compact flash memory card. See the hardware installation guide for your router.

b. If the total memory is equal to or greater than the new system image’s minimum flash requirements, proceed to Step 6.

6. dir /all flash:

7. From the displayed output of the dir /all flash: command, write down the names and directory locations of the files that you can delete.

8. (Optional) copy flash: {tftp | rcp}

9. (Optional) Repeat Step 8 for each file that you identified in Step 7.

10. delete flash:directory-path/filename

11. Repeat Step 10 for each file that you identified in Step 7.

12. (Class B file systems only) squeeze flash:

13. dir flash:[partition-number:]

14. From the displayed output of the dir flash: command, compare the number of bytes available to the size of the system image to which you want to upgrade.

a. If the available memory is less than the new system image’s minimum flash requirements, then you must upgrade your compact flash memory card to a size that can accommodate both the existing files and the new system image. See the hardware installation guide for your router.

b. If the available memory is equal to or greater than the new system image’s minimum flash requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.
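The DRAM comparison and the flash comparisons in Steps 4 and 5 above can be run offline against captured show version and dir flash: output. The following is an added example, not Cisco code: the function names, the action labels, and the "squeeze-then-recheck" shortcut (which treats the lengths of [deleted] entries as an estimate of reclaimable space) are assumptions, and the sample outputs are reassembled from the listings on this page.

```python
import re

# Constructed samples, reassembled from the sample outputs on this page.
SHOW_VERSION = """\
Cisco 2800(revision 2.0) with 231424K/30720K bytes of memory.
Processor board ID FHH0746C042
479K bytes of NVRAM.
125440K bytes of ATA System CompactFlash (Read/Write)
"""

# Listing style with a "[... used, ... available, ... total]" footer.
DIR_LOWEND = """\
Flash CompactFlash directory:
File  Length   Name/status
  1   6458208  c38xx-i-mz.tmp [deleted]
  2   6458208  c38xx-i-mz
[12916544 bytes used, 3139776 available, 16056320 total]
15680K bytes of ATA CompactFlash (Read/Write)
"""

# Listing style with a "bytes total (... bytes free)" footer.
DIR_DOS = """\
Directory of flash:/

 1580  -rw-  6462268  Mar 06 2004 06:14:02  c28xx-i-mz.3600ata
    3  -rw-  6458388  Mar 01 2004 00:01:24  c28xx-i-mz

63930368 bytes total (51007488 bytes free)
"""

DRAM_RE = re.compile(r"with (\d+)K/(\d+)K bytes of memory")
LOWEND_FOOTER_RE = re.compile(
    r"\[(\d+) bytes used, (\d+) available, (\d+) total\]")
DOS_FOOTER_RE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
# index, length, name, then the [deleted] status marker on the same line
DELETED_RE = re.compile(
    r"^[ \t]*\d+[ \t]+(\d+)[ \t]+\S+[ \t]+\[deleted\]", re.M)


def dram_kb(show_version):
    """DRAM check, Step 4: add the two sizes on the 'bytes of memory' line."""
    m = DRAM_RE.search(show_version)
    if m is None:
        raise ValueError("no '<n>K/<n>K bytes of memory' line in input")
    return int(m.group(1)) + int(m.group(2))


def dram_ok(show_version, min_dram_mb):
    """DRAM check, Step 5: KB / 1024 = MB, compared with the image minimum."""
    return dram_kb(show_version) / 1024 >= min_dram_mb


def parse_flash(listing):
    """Return free and total bytes, plus bytes still held by [deleted] files."""
    m = LOWEND_FOOTER_RE.search(listing)
    if m:
        held = sum(int(n) for n in DELETED_RE.findall(listing))
        return {"free": int(m.group(2)), "total": int(m.group(3)),
                "deleted": held}
    m = DOS_FOOTER_RE.search(listing)
    if m:
        return {"free": int(m.group(2)), "total": int(m.group(1)),
                "deleted": 0}
    raise ValueError("unrecognised flash listing footer")


def flash_decision(listing, min_flash_bytes):
    """Map a listing and the image's minimum flash size to the next action."""
    f = parse_flash(listing)
    if f["free"] >= min_flash_bytes:
        return "copy-image"            # Step 4a
    if f["total"] < min_flash_bytes:
        return "upgrade-card"          # Step 5a
    # Assumption (not a step in the procedure): if deleted entries alone
    # would free enough space, squeeze first and run dir flash: again.
    if f["deleted"] and f["free"] + f["deleted"] >= min_flash_bytes:
        return "squeeze-then-recheck"
    return "delete-files"              # Step 5b, continue with Steps 6 to 13


if __name__ == "__main__":
    print("DRAM (MB):", dram_kb(SHOW_VERSION) / 1024)
    for name, text in (("low-end", DIR_LOWEND), ("DOS", DIR_DOS)):
        print(name, parse_flash(text), flash_decision(text, 6_000_000))
```

The minimum DRAM and flash values passed in are the ones written down from the File Download Information table; the 6,000,000-byte figure in the demo run is a constructed value.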


DETAILED STEPS

Step 1 enable

Use this command to enter privileged EXEC mode. Enter your password if prompted. For example:

Router> enable
Password:
Router#

Step 2 (Class B file systems only) squeeze flash:

Note: The squeeze command is only applicable for Class B flash file systems. It is not needed for Class C flash file systems. For more details on supported flash file systems, see Using CompactFlash Memory Cards.

Use this command to reclaim the memory space of previously deleted files:

Router# squeeze flash:

Squeeze operation may take a while. Continue? [confirm]
squeeze in progress...
sssssssssssssssssssssssseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Rebuild file system directory...
Squeeze complete

Step 3 dir flash:

Use this command to display the layout and contents of flash memory:

Router# dir flash:

Flash CompactFlash directory:
File  Length   Name/status
  1   6458208  c38xx-i-mz.tmp [deleted]
  2   6458208  c38xx-i-mz
[12916544 bytes used, 3139776 available, 16056320 total]
15680K bytes of ATA CompactFlash (Read/Write)

Step 4 From the displayed output of the dir flash: command, compare the number of bytes available to the minimum flash requirements for the new system image.

• If the available memory is equal to or greater than the new system image’s minimum flash requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.

• If the available memory is less than the new system image’s minimum flash requirements, proceed to Step 5.

Step 5 From the displayed output of the dir flash: command, compare the number of bytes total to the size of the system image to which you want to upgrade.

• If the total memory is less than the new system image’s minimum flash requirements, you must upgrade your compact flash memory card. See the hardware installation guide for your router.

• If the total memory is equal to or greater than the new system image’s minimum flash requirements, proceed to Step 6.

Step 6 dir /all flash:

Use this command to display a list of all files and directories in flash memory:

Router# dir /all flash:


Directory of flash:/

3 -rw- 6458388 Mar 01 1993 00:00:58 c38xx-i-mz.tmp
1580 -rw- 6462268 Mar 06 1993 06:14:02 c38xx-i-mz.2800ata

63930368 bytes total (51007488 bytes free)

Step 7 From the displayed output of the dir /all flash: command, write down the names and directory locations of the files that you can delete. If you cannot delete any files, you must upgrade your compact flash memory card. See the hardware installation guide for your router.

Note Do not delete the system image that the router already uses. If you are not sure which files can be safely deleted, either consult your network administrator or upgrade your compact flash memory card to a size that can accommodate both the existing files and the new system image. See the hardware installation guide for your router.

Step 8 copy flash:{tftp | rcp}

(Optional) Copy a file to a server before deleting the file from flash memory. When prompted, enter the filename and the server’s hostname or IP address:

Router# copy flash tftp

Step 9 (Optional) Repeat Step 8 for each file that you identified in Step 7.

Step 10 delete flash:directory-path/filename

Use this command to delete a file in flash memory:

Router# delete flash:c38xx-i-mz.tmp

Delete filename [c38xx-i-mz.tmp]? <cr>
Delete flash:c38xx-i-mz.tmp? [confirm] <cr>

Step 11 Repeat Step 10 for each file that you identified in Step 7.

Step 12 (Class B file systems only) squeeze flash:

Use this command to reclaim the memory space of previously deleted files, for example:

Router# squeeze flash:

Squeeze operation may take a while. Continue? [confirm]
squeeze in progress...
sssssssssssssssssssssssseeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Rebuild file system directory...
Squeeze complete

Step 13 dir flash:

Use this command to display the layout and contents of flash memory:

Router# dir flash:

Flash CompactFlash directory:
File  Length   Name/status
  1   6458208  c38xx-i-mz.tmp [deleted]
  2   6458208  c38xx-i-mz
[12916544 bytes used, 3139776 available, 16056320 total]
15680K bytes of ATA CompactFlash (Read/Write)

Step 14 From the displayed output of the dir flash: command, compare the number of bytes available to the size of the system image to which you want to upgrade.

• If the available memory is less than the new system image’s minimum flash requirements, you must upgrade your compact flash memory card to a size that can accommodate both the existing files and the new system image. See the hardware installation guide for your router.

• If the available memory is equal to or greater than the new system image’s minimum flash requirements, proceed to the “Copying the System Image into Flash Memory” section on page 10.

What to Do Next

Proceed to the “Copying the System Image into Flash Memory” section on page 10.
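
The comparisons in Steps 4, 5, and 14 can be scripted against captured dir flash: output. The following Python sketch is an added example, not part of the Cisco procedure; it parses both listing formats shown above and returns the next action. The required_bytes argument and the action names are assumptions, and the squeeze estimate counts only the lengths of [deleted] entries.

```python
import re
from dataclasses import dataclass

# Class B summary: "[12916544 bytes used, 3139776 available, 16056320 total]"
CLASS_B_SUMMARY = re.compile(r"\[(\d+) bytes used, (\d+) available, (\d+) total\]")
# Class C summary: "63930368 bytes total (51007488 bytes free)"
CLASS_C_SUMMARY = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")
# Class B row for a file that was deleted but whose space is not yet reclaimed
DELETED_ROW = re.compile(r"^[ \t]*\d+[ \t]+(\d+)[ \t]+\S+[ \t]+\[deleted\]", re.M)

# Sample listings copied from the outputs shown on this page.
CLASS_B_SAMPLE = """\
Flash CompactFlash directory:
File  Length   Name/status
  1   6458208  c38xx-i-mz.tmp [deleted]
  2   6458208  c38xx-i-mz
[12916544 bytes used, 3139776 available, 16056320 total]
15680K bytes of ATA CompactFlash (Read/Write)
"""
CLASS_C_SAMPLE = """\
Directory of flash:/

3 -rw- 6458388 Mar 01 1993 00:00:58 c38xx-i-mz.tmp
1580 -rw- 6462268 Mar 06 1993 06:14:02 c38xx-i-mz.2800ata

63930368 bytes total (51007488 bytes free)
"""


@dataclass
class FlashSummary:
    fs_class: str     # "B" or "C", inferred from the summary line format
    available: int    # bytes free right now
    total: int        # capacity of the card
    reclaimable: int  # bytes held by [deleted] entries (Class B only)


def parse_dir_flash(output: str) -> FlashSummary:
    """Extract the byte counts from either dir flash: listing format."""
    m = CLASS_B_SUMMARY.search(output)
    if m:
        reclaimable = sum(int(n) for n in DELETED_ROW.findall(output))
        return FlashSummary("B", int(m.group(2)), int(m.group(3)), reclaimable)
    m = CLASS_C_SUMMARY.search(output)
    if m:
        return FlashSummary("C", int(m.group(2)), int(m.group(1)), 0)
    raise ValueError("no flash summary line found in dir output")


def next_action(output: str, required_bytes: int) -> str:
    """Return the next step for an image needing required_bytes of flash."""
    s = parse_dir_flash(output)
    if s.available >= required_bytes:
        return "copy-image"        # Step 4 / Step 14: enough space already
    if s.total < required_bytes:
        return "upgrade-card"      # Step 5: card is too small even when empty
    if s.fs_class == "B" and s.available + s.reclaimable >= required_bytes:
        return "squeeze"           # deleted files alone free enough space
    return "delete-files"          # Steps 6-11: back up, then delete files


if __name__ == "__main__":
    for name, sample in (("Class B", CLASS_B_SAMPLE), ("Class C", CLASS_C_SAMPLE)):
        # 8,000,000 bytes is a constructed requirement for illustration.
        print(name, parse_dir_flash(sample), next_action(sample, 8_000_000))
```
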

Copying the System Image into Flash Memory

This section describes how to copy the system image into the compact flash memory card for your router. Choose one of the following methods:

• Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory, page 10

• Using the ROM Monitor to Copy the System Image over a Network, page 12

• Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory, page 15

• Using Console Download (xmodem) in ROM Monitor to Copy the System Image into Flash Memory, page 16

Using TFTP or Remote Copy Protocol to Copy the System Image into Flash Memory

This section describes how to use TFTP or Remote Copy Protocol (RCP) to upgrade the system image. This is the recommended and most common method of upgrading the system image.

Prerequisites

• Install a TFTP server or an RCP server application on a TCP/IP-ready workstation or PC. Many third-party vendors provide free TFTP server software, which you can find by searching for “TFTP server” in a web search engine.

If you use TFTP:

– Configure the TFTP application to operate as a TFTP server, not a TFTP client.

– Specify the outbound file directory to which you will download and store the system image.

• Download the new Cisco IOS software image into the workstation or PC. See the “Where Do I Download the System Image?” section on page 2.

• Establish a console session to the router. We recommend that you connect your PC directly to the router console port. See the quick start guide that shipped with your router.

• Verify that the TFTP or RCP server has IP connectivity to the router. If you cannot successfully ping between the TFTP or RCP server and the router, do one of the following:

– Configure a default gateway on the router.

– Make sure that the server and the router each have an IP address in the same network or subnet. See the tech note, Determining IP Addresses: Frequently Asked Questions.

Tip For more detailed information on how to perform the prerequisites, see the Software Installation and Upgrade Procedure tech note.

SUMMARY STEPS

1. enable

2. copy tftp flash or copy rcp flash

3. When prompted, enter the IP address of the TFTP or RCP server.

4. When prompted, enter the filename of the Cisco IOS software image to be installed.

5. When prompted, enter the filename as you want it to appear on the router.

6. If an error message appears that says, “Not enough space on device,” do one of the following, as appropriate:

• If you are certain that all the files in flash memory should be erased, enter y twice when prompted to erase flash before copying.

• If you are not certain that all files in flash memory should be erased, press Ctrl-Z and follow the instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.

Note Cisco 1841 and Cisco 2801 routers only support DOSFS (Class C) flash memory file systems. If there is not enough space, you will not be prompted to erase flash memory. Instead, the operation aborts and you will need to erase some files manually to make enough space for the image.

7. If the error message does not appear, enter no when prompted to erase the flash memory before copying.

DETAILED STEPS

Step 1 enable

Use this command to enter privileged EXEC mode. Enter your password if prompted:

Router> enable
Password: <password>
Router#

Step 2 copy tftp flash or copy rcp flash

Use one of these commands to copy a file from a server to flash memory:

Router# copy tftp flash

Step 3 When prompted, enter the IP address of the TFTP or RCP server:

Address or name of remote host []? 10.10.10.2

Step 4 When prompted, enter the filename of the Cisco IOS software image to be installed:

Source filename []? c2600-i-mz.121-14.bin

Note The filename is case sensitive.

Step 5 When prompted, enter the filename as you want it to appear on the router. Typically, the same filename is entered as was used in Step 4:

Destination filename []? c2600-i-mz.121-14.bin

Step 6 If an error message appears that says, “Not enough space on device,” do one of the following as appropriate:

• If you are certain that all the files in flash memory should be erased, enter y when prompted twice to confirm that flash memory will be erased before copying:

Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] y
Erasing the flash filesystem will remove all files! Continue? [confirm] y
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

• If you are not certain that all the files in flash memory should be erased, press Ctrl-Z and follow the instructions in the “Ensuring Adequate Flash Memory for the New System Image” section on page 6.

Step 7 If the error message does not appear, enter no when prompted to erase the flash memory before copying:

Accessing tftp://10.10.10.2/c2600-i-mz.121-14.bin...
Erase flash: before copying? [confirm] no

Troubleshooting Tips

See the Common Problems in Installing Images Using TFTP or an RCP Server tech note.

What to Do Next

Proceed to the “Loading the New System Image” section on page 17.

Using the ROM Monitor to Copy the System Image over a Network

This section describes how to download a Cisco IOS software image from a remote TFTP server to the router flash memory by using the tftpdnld ROM monitor command.

Before you can enter the tftpdnld ROM monitor command, you must set the ROM monitor environment variables.

Prerequisites

Connect the TFTP server to a fixed network port on your router.

Restrictions

The LAN ports on network modules or interface cards are not active in ROM monitor mode. Therefore, only a fixed port on your router can be used for TFTP download. This can be either a fixed Ethernet port on the router or one of the Gigabit Ethernet ports on routers equipped with them.

Note You can use this command only to download files to the router. You cannot use tftpdnld to get files from the router.

SUMMARY STEPS

1. Enter ROM monitor mode

2. Set the IP_ADDRESS=ip_address configuration variable.

3. Set the IP_SUBNET_MASK=ip_address configuration variable.

4. Set the DEFAULT_GATEWAY=ip_address configuration variable.

5. Set the TFTP_SERVER=ip_address configuration variable.

6. Set the TFTP_FILE=[directory-path/]filename configuration variable.

7. (Optional) Set the GE_PORT=[0 | 1 ] configuration variable.

8. (Optional) Set the MEDIA_TYPE=[0 | 1] configuration variable.

9. (Optional) Set the TFTP_CHECKSUM=[0 | 1] configuration variable.

10. (Optional) Set the TFTP_RETRY_COUNT=retry_times configuration variable.

11. (Optional) Set the TFTP_TIMEOUT=time configuration variable.

12. (Optional) Set the TFTP_VERBOSE=setting configuration variable.

13. Use the set command to verify that you have set the variables correctly.

14. Use the tftpdnld [-r] command to download the image.

DETAILED STEPS

Step 1 Enter ROM monitor mode.

Step 2 Set the IP address of the router. For example:

rommon > IP_ADDRESS=172.16.23.32

Step 3 Set the IP subnet mask. For example:

rommon > IP_SUBNET_MASK=255.255.255.224

Step 4 Set the default gateway address. For example:

rommon > DEFAULT_GATEWAY=172.16.23.40

Step 5 Set the TFTP server IP address, which is the location from which the software will be downloaded:

rommon > TFTP_SERVER=172.16.23.33

Step 6 Set the name and directory location to which the image file will be downloaded onto the router. For example:

rommon > TFTP_FILE=archive/rel22/c2600-i-mz

Step 7 (Optional) Set the input port to use a Gigabit Ethernet port, available on Cisco 2800 series and Cisco 3800 series routers. Usage is GE_PORT=[0 | 1], selecting either gig 0/0 or gig 0/1. For example:

rommon > GE_PORT=0

Step 8 (Optional) Set the Ethernet connection media type, RJ-45 or SFP. Usage is MEDIA_TYPE=[0 | 1], where RJ-45=0 and SFP=1 (SFP is applicable only if GE_PORT=0 in the previous step):

rommon > MEDIA_TYPE=1

Step 9 (Optional) Decide whether the router will perform a checksum test on the downloaded image. Usage is TFTP_CHECKSUM=[0|1], where 1=checksum test is performed (default) and 0=no checksum test. For example:

rommon > TFTP_CHECKSUM=0

Step 10 (Optional) Set the number of times that the router will attempt Address Resolution Protocol (ARP) and TFTP download. The default is 7 attempts. For example:

rommon > TFTP_RETRY_COUNT=10

Step 11 (Optional) Set the amount of time, in seconds, before the download process times out. The default is 2400 seconds (40 minutes). The following example shows 1800 seconds (30 minutes):

rommon > TFTP_TIMEOUT=1800

Step 12 (Optional) Configure how the router will display the file download progress. Usage is TFTP_VERBOSE=[0 | 1 | 2], where:

0=No progress is displayed.

1=Exclamation points (!!!) are displayed to indicate file download progress. This is the default setting.

2=Detailed progress is displayed during the file download process, for example:

Initializing interface.
Interface link state up.
ARPing for 1.4.0.1
ARP reply for 1.4.0.1 received. MAC address 00:00:0c:07:ac:01

Step 13 Use the set command to display the ROM monitor environment variables to verify that you have configured them correctly. For example:

rommon > set

Step 14 Download the system image, as specified by the ROM monitor environmental variables, using the tftpdnld [-r] command. Without the -r option, the command downloads the specified image and saves it in flash memory, deleting all existing data in all partitions in flash memory. Using the -r option downloads and boots the new software but does not save the software to flash memory.

rommon> tftpdnld [-r]

A prompt is displayed:

Do you wish to continue? y/n: [n]: y

Entering “y” confirms that you want to continue with the TFTP download.

What to Do Next

Proceed to the “Loading the New System Image” section on page 17.
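
Because tftpdnld without the -r option erases flash memory before it writes the image, it is worth checking the variables reported by the set command (Step 13) before running it. The following Python sketch is an added example, not part of the Cisco procedure; the function names and the wording of the findings are assumptions. Run on the example values from Steps 2 through 11 taken together, it reports that 172.16.23.32 is the network address of the /27 defined by the example mask and that TFTP_CHECKSUM=0 turns off the checksum test.

```python
import ipaddress

REQUIRED = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY",
            "TFTP_SERVER", "TFTP_FILE")
ALLOWED = {"GE_PORT": ("0", "1"), "MEDIA_TYPE": ("0", "1"),
           "TFTP_CHECKSUM": ("0", "1"), "TFTP_VERBOSE": ("0", "1", "2")}
POSITIVE_INT = ("TFTP_RETRY_COUNT", "TFTP_TIMEOUT")

# The example values from Steps 2-11 on this page, gathered as they would
# appear in the output of the set command (constructed listing).
PAGE_VALUES = """\
IP_ADDRESS=172.16.23.32
IP_SUBNET_MASK=255.255.255.224
DEFAULT_GATEWAY=172.16.23.40
TFTP_SERVER=172.16.23.33
TFTP_FILE=archive/rel22/c2600-i-mz
GE_PORT=0
MEDIA_TYPE=1
TFTP_CHECKSUM=0
TFTP_RETRY_COUNT=10
TFTP_TIMEOUT=1800
"""


def parse_set_output(text):
    """Collect NAME=value pairs; prompts and other lines are ignored."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.isidentifier():
            env[name] = value.strip()
    return env


def preflight(text):
    """Return a list of findings; an empty list means no problem was found."""
    env = parse_set_output(text)
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        return ["missing required variable " + name for name in missing]
    try:
        iface = ipaddress.ip_interface(
            env["IP_ADDRESS"] + "/" + env["IP_SUBNET_MASK"])
        gateway = ipaddress.ip_address(env["DEFAULT_GATEWAY"])
        ipaddress.ip_address(env["TFTP_SERVER"])
    except ValueError as exc:
        return ["invalid address or mask: %s" % exc]

    findings = []
    net = iface.network
    # A host cannot use the all-zeros or all-ones host part of its subnet.
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        findings.append("IP_ADDRESS %s is the network or broadcast address "
                        "of %s" % (iface.ip, net))
    if gateway not in net:
        findings.append("DEFAULT_GATEWAY %s is outside %s" % (gateway, net))
    for name, allowed in ALLOWED.items():
        if name in env and env[name] not in allowed:
            findings.append("%s=%s is not one of %s"
                            % (name, env[name], "/".join(allowed)))
    for name in POSITIVE_INT:
        if name in env and not (env[name].isdigit() and int(env[name]) > 0):
            findings.append("%s must be a positive integer" % name)
    # The page states that SFP applies only when GE_PORT=0.
    if env.get("MEDIA_TYPE") == "1" and env.get("GE_PORT") == "1":
        findings.append("MEDIA_TYPE=1 (SFP) applies only when GE_PORT=0")
    if env.get("TFTP_CHECKSUM") == "0":
        findings.append("TFTP_CHECKSUM=0 turns off the checksum test on the "
                        "downloaded image")
    return findings


if __name__ == "__main__":
    for finding in preflight(PAGE_VALUES):
        print("finding:", finding)
```
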

Using a PC with a CompactFlash Card Reader to Copy the System Image into Flash Memory

Because the system image is stored on an external CompactFlash memory card, you can use a PC with a compact flash card reader to format the card and copy a new system image file onto the card. However, this upgrade method is not commonly used.

For more information about using flash memory cards, see Using CompactFlash Memory Cards.

Prerequisites

• Download the new Cisco IOS Software image to the PC. See the “Where Do I Download the System Image?” section on page 2.

• Locate the compact flash memory card slot on the router chassis. For help with locating the slot and instructions for removing and inserting the card, see the hardware installation guide for your router.

Caution Removing the compact flash memory card may disrupt the network because some software features use the compact flash memory card to store tables and other important data.

SUMMARY STEPS

1. Remove the compact flash memory card from the router.

2. Insert the card into the compact flash card reader on a PC.

3. Use the PC to copy the system image file to the compact flash memory card.

4. Remove the card from the compact flash card reader.

5. Insert the compact flash memory card into the router.

DETAILED STEPS

Step 1 Remove the compact flash memory card from the router.

Step 2 Insert the card into the compact flash card reader on a PC.

Step 3 Use the PC to copy the system image file to the compact flash memory card.

Step 4 Remove the card from the compact flash card reader.

Step 5 Insert the compact flash memory card into the router.

What to Do Next

Proceed to the “Loading the New System Image” section on page 17.

Using Console Download (xmodem) in ROM Monitor to Copy the System Image into Flash Memory

Use console download, a ROM monitor function, when you do not have access to a TFTP server.

For detailed information about the console download function and the xmodem ROM monitor command, see the Xmodem Console Download Procedure Using ROMmon tech note.

Prerequisites

• Download the new Cisco IOS software image to your PC. See the “Where Do I Download the System Image?” section on page 2.

• Connect your PC to the router console port, and launch a terminal emulator program. For examples of performing this task on similar routers, see the Xmodem Console Download Procedure Using ROMmon tech note.

Restrictions

• If you use a PC to download a Cisco IOS image over the router console port at 115,200 bps, make sure that the PC serial port uses a 16550 universal asynchronous receiver/transmitter (UART).

• If the PC serial port does not use a 16550 UART, we recommend using a speed of 38,400 bps or lower when downloading a Cisco IOS image over the console port.

• The xmodem transfer works only on the console port.

• You can only use the xmodem command to download files to the router. You cannot use xmodem to get files from the router.

• Because the ROM monitor console download uses the console to perform the data transfer, error messages are displayed on the console only after the data transfer is terminated. If an error occurs during console download, the download is terminated, and an error message is displayed. If you changed the baud rate from the default rate, the error message is followed by a message that tells you to restore the terminal to the baud rate specified in the configuration register.

SUMMARY STEPS

1. xmodem [-[c][y][r][x]] destination-file-name

DETAILED STEPS

Step 1 xmodem [-[c][y][r][x]] destination-file-name

Use this command to download the system image over the console port, using the ROM monitor. See Table 1 for command syntax descriptions.

Table 1 xmodem Command Syntax Descriptions

Keyword or Argument | Description

-c | (Optional) Performs the download using 16-bit cyclic redundancy check (CRC) error checking to validate packets. The default is 8-bit CRC.

-y | (Optional) Performs the download using ymodem protocol. The default is xmodem protocol. The protocols differ as follows:

• The xmodem protocol supports a 128-block transfer size, whereas the ymodem protocol supports a 1024-block transfer size.

• The ymodem protocol uses 16-bit CRC error checking to validate each packet. Depending on the device that the software is being downloaded from, this function might not be supported by the xmodem protocol.

-r | (Optional) Image is loaded into DRAM for execution. The default is to load the image into flash memory.

-x | (Optional) Image is loaded into DRAM without being executed.

destination-file-name | The name of the system image file or the system configuration file. For the router to recognize it, the name of the configuration file must be router_config.

What to Do Next

Proceed to the “Loading the New System Image” section on page 17.

Loading the New System Image

This section describes how to load the new system image that you copied into flash memory. First, determine whether you are in ROM monitor mode or in the Cisco IOS CLI. Then choose one of the following methods of loading the new system image:

• Loading the New System Image from the Cisco IOS Software, page 17

• Loading the New System Image from ROM Monitor Mode, page 20

Loading the New System Image from the Cisco IOS Software

This section describes how to load the new system image from the Cisco IOS software.

SUMMARY STEPS

1. dir flash:

2. configure terminal

3. no boot system

4. (Optional) boot system flash: system-image-filename

5. (Optional) Repeat to specify the order in which the router should attempt to load any backup system images.

6. exit

7. show version

8. If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in the configuration register is between 2 and F, proceed to Step 12.

9. configure terminal

10. config-register 0x2102

11. exit

12. copy run start

13. reload

14. When prompted to save the system configuration, enter no.

15. When prompted to confirm the reload, enter y.

16. show version

DETAILED STEPS

Step 1 dir flash:

Use this command to display a list of all files and directories in flash memory:

Router# dir flash:

Directory of flash:/

3 -rw- 6458388 Mar 01 1993 00:00:58 c38xx-i-mz.tmp 1580 -rw- 6462268 Mar 06 1993 06:14:02 c38xx-i-mz.2800ata

63930368 bytes total (51007488 bytes free)

Note Determine whether the new system image is the first file or the only file listed in the dir flash command output (Step 4 is not required if it is the first file or only file listed).

Step 2 configure terminal

Use this command to enter global configuration mode:

Router# configure terminal

Router(config)#

Step 3 no boot system

Use this command to delete all entries in the bootable image list, which specifies the order in which the router attempts to load the system images at the next system reload or power cycle:

Router(config)# no boot system

Step 4 If the new system image is the first file or the only file displayed in the dir flash: command output, you do not need to perform the following step.

boot system flash: system-image-filename

Use this command to load the new system image after the next system reload or power cycle. For example:

Router(config)# boot system flash: c2600-i-mz.121-14.bin

Step 5 (Optional) Repeat to specify the order in which the router should attempt to load any backup system images.

Step 6 exit

Use this command to exit global configuration mode:

Router(config)# exit
Router#

Step 7 show version

Use this command to display the configuration register setting:

Router# show version

Cisco Internetwork Operating System Software
...
Configuration register is 0x0

Router#

Step 8 If the last digit in the configuration register is 0 or 1, proceed to Step 9. However, if the last digit in the configuration register is between 2 and F, proceed to Step 12.

Step 9 configure terminal

Use this command to enter global configuration mode:

Router# configure terminal

Router(config)#

Step 10 config-register 0x2102

Use this command to set the configuration register so that, after the next system reload or power cycle, the router loads a system image from the boot system commands in the startup configuration file:

Router(config)# config-register 0x2102

Step 11 exit

Use this command to exit global configuration mode:

Router(config)# exit
Router#

Step 12 copy run start

Use this command to copy the running configuration to the startup configuration:

Router# copy run start

Step 13 reload

Use this command to reload the operating system:

Router# reload

Step 14 When prompted to save the system configuration, enter no:

System configuration has been modified. Save? [yes/no]: no

Step 15 When prompted to confirm the reload, enter y:

Proceed with reload? [confirm] y

Step 16 show version

Use this command to verify that the router loaded the proper system image:

Router# show version

00:22:25: %SYS-5-CONFIG_I: Configured from console by console
Cisco Internetwork Operating System Software
...
System returned to ROM by reload
System image file is "flash:c2600-i-mz.121-14.bin"

What to Do Next

Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on page 22.
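
The decision in Step 8 and the check in Step 16 both read the show version output, so they can be scripted from a captured session. The following Python sketch is an added example, not part of the Cisco procedure; the function names are assumptions, and the PENDING sample is a constructed line showing how the register is reported after config-register has been entered but before the reload.

```python
import re

# "Configuration register is 0x0", optionally followed by
# "(will be 0x2102 at next reload)" once config-register has been entered.
CONFREG = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")
# 'System image file is "flash:c2600-i-mz.121-14.bin"'; the device prefix
# ("flash:") is matched but not captured.
IMAGE = re.compile(r'System image file is "(?:[^":]+:)?([^"]+)"')

# BEFORE and AFTER are the outputs shown in Step 7 and Step 16 of this page
# ("..." is the page's own elision). PENDING is constructed.
BEFORE = """\
Cisco Internetwork Operating System Software
...
Configuration register is 0x0
"""
PENDING = "Configuration register is 0x0 (will be 0x2102 at next reload)\n"
AFTER = """\
00:22:25: %SYS-5-CONFIG_I: Configured from console by console
Cisco Internetwork Operating System Software
...
System returned to ROM by reload
System image file is "flash:c2600-i-mz.121-14.bin"
"""


def effective_register(show_version):
    """Return the register value that applies at the next reload."""
    m = CONFREG.search(show_version)
    if m is None:
        raise ValueError("configuration register line not found")
    # Prefer the pending value when the router reports one.
    return int(m.group(2) or m.group(1), 16)


def needs_register_change(show_version):
    """Step 8: a last hex digit of 0 or 1 means Steps 9-11 are required."""
    return (effective_register(show_version) & 0xF) in (0, 1)


def running_image(show_version):
    """Return the filename of the image the router reports it loaded."""
    m = IMAGE.search(show_version)
    if m is None:
        raise ValueError("system image line not found")
    return m.group(1)


def upgrade_verified(show_version, expected_filename):
    """Step 16: exact, case-sensitive match on the loaded image filename."""
    return running_image(show_version) == expected_filename


if __name__ == "__main__":
    print("register change needed:", needs_register_change(BEFORE))
    print("after config-register:", needs_register_change(PENDING))
    print("new image running:",
          upgrade_verified(AFTER, "c2600-i-mz.121-14.bin"))
```
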

Loading the New System Image from ROM Monitor Mode

This section describes how to load the new system image from ROM monitor mode.

SUMMARY STEPS

1. dir flash:[partition-number:]

2. confreg 0x2102

3. boot flash:[partition-number:]filename

4. After the system loads the new system image, press Return a few times to display the Cisco IOS command-line interface (CLI) prompt.

5. enable

6. configure terminal

7. no boot system

8. boot system flash new-system-image-filename

9. (Optional) Repeat to specify the order in which the router should attempt to load any backup system images.

10. exit

11. copy run start

DETAILED STEPS

Step 1 dir flash:[partition-number:]

Use this command to list files in flash memory:

rommon > dir flash:

File size                  Checksum   File name
2229799 bytes (0x220627)   0x469e     C2600-j-m2.113-4T

Note whether the new system image is the first file or the only file listed in the dir flash command output. (Step 8 is not required if the image is the first file or only file listed.)

Step 2 confreg 0x2102

Use this command to set the configuration register so that, after the next system reload or power cycle, the router loads a system image from the boot system commands in the startup configuration file:

rommon > confreg 0x2102

Step 3 boot flash:[partition-number:]filename

Use this command to force the router to load the new system image:

rommon > boot flash:C2600-j-m2.113-4T

Step 4 After the system loads the new system image, press Return a few times to display the Cisco IOS CLI prompt.

Step 5 enable

Use this command to enable privileged EXEC mode, and enter your password if prompted:

Router> enable
Password: <password>
Router#

Step 6 configure terminal

Use this command to enter global configuration mode:

Router# configure terminal
Router(config)#

Step 7 no boot system

Eliminate all entries in the bootable image list, which specifies the system image that the router loads at startup:

Router(config)# no boot system

Step 8 If the new system image is the first file or the only file displayed in the dir flash: command output, this step is not required.

boot system flash new-system-image-filename

Use this command to load the new system image after the next system reload or power cycle:

Router(config)# boot system flash c2600-i-mz.121-14.bin

Step 9 (Optional) Repeat to specify the order in which the router should attempt to load any backup system images.

Step 10 exit

Use this command to exit global configuration mode:

Router(config)# exit Router#

Step 11 copy run start

Use this command to copy the running configuration to the startup configuration:

Router# copy run start

What to Do Next

Proceed to the “Saving Backup Copies of Your New System Image and Configuration” section on page 22.

Saving Backup Copies of Your New System Image and Configuration

To aid file recovery and to minimize downtime in the event of file corruption, we recommend that you save backup copies of the startup configuration file and the Cisco IOS software system image file on a server.

Tip Do not erase any existing backup copies of your configuration and system image that you saved before upgrading your system image. If you encounter serious problems using your new system image or startup configuration, you can quickly revert to the previous working configuration and system image, if necessary.

For more detailed information, see the “Managing Configuration Files” chapter and the “Loading and Maintaining System Images” chapter of the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide.

To save backup copies of the startup configuration file and the system image file, complete the following steps.

SUMMARY STEPS

1. enable

2. copy nvram:startup-config {ftp: | rcp: | tftp:}

3. dir flash:

4. copy flash: {ftp: | rcp: | tftp:}

DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.

• Enter your password if prompted.

Step 2
Command or Action: copy nvram:startup-config {ftp: | rcp: | tftp:}
Example: Router# copy nvram:startup-config ftp:
Purpose: Copies the startup configuration file to a server.

• The configuration file copy serves as a backup copy.

• Enter the destination URL when prompted.

Step 3
Command or Action: dir flash:
Example: Router# dir flash:
Purpose: Displays the layout and contents of a flash memory file system.

• Write down the name of the system image file.

Step 4
Command or Action: copy flash: {ftp: | rcp: | tftp:}
Example: Router# copy flash: ftp:
Purpose: Copies a file from flash memory to a server.

• Copy the system image file to a server to serve as a backup copy.

• Enter the flash memory partition number if prompted.

• Enter the filename and destination URL when prompted.

Examples

Copying the Startup Configuration to a TFTP Server: Example

The following example shows the startup configuration being copied to a TFTP server:

Router# copy nvram:startup-config tftp:

Remote host[]? 172.16.101.101

Name of configuration file to write [rtr2-confg]? <cr>
Write file rtr2-confg on host 172.16.101.101?[confirm] <cr>
![OK]

Copying from Flash Memory to a TFTP Server: Example

The following example uses the dir flash: privileged EXEC command to obtain the name of the system image file and the copy flash: tftp: privileged EXEC command to copy the system image (c2800-2is-mz) to a TFTP server. The router uses the default username and password.

Router# dir flash:

System flash directory:
File  Length   Name/status
  1   4137888  c2800-image-mz
[4137952 bytes used, 12639264 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)

Router# copy flash: tftp:
IP address of remote host [255.255.255.255]? 192.0.0.1
filename to write on tftp host? c2800-image-mz
writing c2800-image-mz !!!!...
successful ftp write.

Additional References

The following sections provide references related to upgrading the system image on your router.

Related Documents and Websites

Related Topic | Document Title or Website

Matching Cisco IOS releases and features to hardware | Cisco Feature Navigator at http://www.cisco.com/go/fn (see note 1)

Choosing the Cisco IOS release and feature set | How to Choose a Cisco IOS Software Release

Downloading system images; displaying minimum DRAM and flash memory requirements | Download Software Area at http://www.cisco.com/kobayashi/sw-center/index.shtml (see note 1)

Choosing and downloading system images | Software Center at http://www.cisco.com/kobayashi/sw-center/index.shtml

Loading and maintaining system images | Cisco IOS Configuration Fundamentals and Network Management Configuration Guide

Using external compact flash memory cards | Using Compact Flash Memory Cards

Removing, inserting, and upgrading compact flash memory cards | hardware installation guide for your router

Connecting your PC to the router console port | quick start guide for your router

Upgrading the system image on similar routers | Software Installation and Upgrade Procedure

Verifying that the router and the server are on the same network | Determining IP Addresses: Frequently Asked Questions

Troubleshooting while using TFTP or RCP to copy the system image into flash memory | Common Problems in Installing Images Using TFTP or an RCP Server

Using the ROM monitor | Using the ROM Monitor

Using console download (xmodem) in the ROM monitor to copy the system image into flash memory | Xmodem Console Download Procedure Using ROMmon

Upgrading the system image from boot mode | How to Upgrade from ROMmon Using the Boot Image

1. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Technical Assistance

| Description | Link |
|---|---|
| Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. (see footnote 1) | http://www.cisco.com/public/support/tac/home.shtml |

1. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Copyright © 2004 Cisco Systems, Inc. All rights reserved.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)


Troubleshooting Links

• Password Recovery Procedures

• Troubleshooting Router Crashes

• Troubleshooting Router Hangs

• Troubleshooting Memory Problems

• Troubleshooting High CPU Utilization on Cisco Routers

• Technical Assistance Center (TAC) Website

You must have an account on Cisco.com to access the following tools. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box, and follow the instructions.

• TAC Case Collection Troubleshooting Assistant

• Error Message Decoder: Research and resolve error messages

• Output Interpreter: Generate output analysis of show commands

• Bug Toolkit: Search for known caveats by software version, feature set, and keyword
