Configuring Cisco Routers for ISDN, Paul Fischer, ISBN 0-07-022073-5
© 1998 The McGraw-Hill Companies, Inc. All rights reserved.
Jumping in Feet First
Sometimes the best way to learn something is to jump in feet first. This means immersing yourself in the Cisco router command language until you speak it fluently. Your first configurations should be simple ones, aimed at getting the basic functionality of the router working. This section is devoted to simple configurations and will get you started with router maintenance and configuration.
Going Backward
Before going forward, make sure that you can go backward. If your routers are already functional, you will want to back up their configuration files, store the passwords in a safe place, and be able to restore the router to a default configuration.
There are two basic ways to back up the router's configuration file. First, use a terminal emulator like HyperTerminal, telnet, or NetTerm to connect to the router. Next, use the appropriate command to display the configuration file on the screen: in IOS, the command is "show running-config"; on the 700 series routers the command is "upload". Once the whole file has been displayed, use cut-and-paste to transfer it to a text editor like Notepad, WordPad, or vi. Be sure to save the file as a text file (*.txt).
The second method is to write the configuration file to a TFTP server. IOS has long supported TFTP, and the 700 series router OS rev. 4.2 has recently added TFTP support. It does not matter what type of TFTP server you run, just so long as you can write a file to it. You must know the IP address and host name. Some more secure versions of the TFTP server will not create blank files for new file transfers. You must create a blank file and make it writeable before you can copy information into it over the network. This is mostly on Unix systems; executing the commands in Figure 6-1 will get you around the problem.
318 # cd /usr/local/tftpboot
319 # touch config.txt
320 # ls -l config.txt
-rw-r--r-- 1 root sys 0 Jun 10 11:42 config.txt
323 # chmod a+w config.txt
324 # ls -l config.txt
-rw-rw-rw- 1 root sys 0 Jun 10 11:42 config.txt
Backing up the Config File in IOS
In IOS, use the command "write network". IOS will take you through a series of questions, including file name and hostname, or IP address where you want to TFTP the file. This dialog can be seen in Figure 6-2.
wan4500#write network
Remote host []? rohan
Translating "rohan"...domain server (199.29.53.67) [OK]
Name of configuration file to write [wan4500-confg]? <enter>
Write file wan4500-confg on host 199.29.53.67? [confirm] <enter>
Building configuration...
Writing wan4500-confg !!! [OK]
wan4500#
Backing up the Config File in 700 Series Routers
In the 700 series OS, you use the command "UPload TFTP <ip address> <file name>". "ip address" is the IP address of your TFTP server, and "file name" is the file name into which to write the information on the TFTP server. An example of this is shown in Figure 6-3.
pfischer.isdn> upload tftp 199.29.53.67 paul.txt
TFTP: Starting transfer ...
TFTP: Transfer successful.
pfischer.isdn>
Returning the Router to the Factory Default Config
Once you have successfully backed up your existing configuration files, you can start to learn more about your routers. If you manage to get the configuration so confused you feel you need to start over, you should do so. The command to erase the configuration on an IOS router is "write erase". This will wipe out the existing configuration. Next, using the "reload" command, you can reboot the router. It will come up to the initial configuration menu and will only be accessible through the console serial port. The 700 series command to return the router to its factory default state is "set defaults". It will automatically reboot after you execute this command, and like the IOS router, will only be accessible through the console serial port.
Basic Configurations
Those just jumping into Cisco routers need to become accustomed to the Cisco router OS command language. This section will take you through some of the basic parts of the overall router configuration. The goal is to modularize the configuration elements so they make more sense to you.
These are basic configurations. They are the minimum configurations necessary to verify that the connection works. Once you have completed this section, you should move on to the advanced configurations. These will tell you how to polish your configuration, so the network performs exactly the way you want it to perform.
Setting up passwords
All Cisco routers are full of passwords. There are passwords for logging in to the router, passwords for entering enable mode, and passwords for dial-up connections. Each password could be different if you wanted to configure a router that way (not that it makes sense to do it, but it can be done). Changing passwords periodically is the cornerstone of a good security policy. In this section, we explore how to set up and change passwords for different functions of Cisco routers.
Console and Auxiliary Port Passwords
By default, Cisco does not require passwords to access the console or auxiliary serial ports. This is not usually a problem; however, it can be if there are no controls on physical access. If anyone can walk up to a router and plug in a laptop or terminal, then definitely apply passwords to the console and auxiliary ports. This is especially true if you have connected a modem to the auxiliary port. With a modem connection, you can never be sure who might find the modem number and dial it. If there are no passwords on the router, someone could easily find a way to break into your network.
Setting Console Passwords in IOS
To place a password on IOS router serial ports, you need to enter global configuration mode. Next, select the interface to which you want to apply the password ("con 0" for the console and "aux 0" for the auxiliary port.) As you select each interface, use the "password" command to add a password to the port. Be sure to exit and save the configuration to NVRAM.
By default, the console and auxiliary port configuration looks like Figure 6-4 (for IOS version 11.2).
line con 0
line aux 0
Figure 6-5 shows the configuration dialog from enable mode, showing the application of passwords to the console and auxiliary ports. In this example, the passwords have different values so you can track how the different configuration commands affect the configuration file. Of course, a password is useless if the router never checks for it, so be sure to add the "login" command to the console and auxiliary lines as well. This tells IOS to prompt the user for a password when they try to gain access.
cisco-2501#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#line con 0
cisco-2501(config-line)#login
cisco-2501(config-line)#password 12345
cisco-2501(config-line)#line aux 0
cisco-2501(config-line)#login
cisco-2501(config-line)#password 67890
cisco-2501(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#copy running-config startup-config
Building configuration...
[OK]
cisco-2501#
Once completed, you can see the passwords in the configuration file. Figure 6-6 shows the passwords in plain text as they appear in the configuration file.
line con 0
password 12345
login
line aux 0
password 67890
login
Setting Console Passwords in 700 Series Routers
Like IOS, the placement of password access control on a 700 series router is a two-step command. First, the password must be set using the "SEt PAssword SYstem [ENcrypted] [<password>]" command, shown in figure 6-7. The resulting configuration file change is shown in Figure 6-8. You can only change this password from the global profile environment. It controls access for both console and telnet sessions. By default, access control is enabled for telnet connections, but not for the console.
cisco766> set pa sy 12345
System Protection will be in place after the current session terminates
cisco766>
SET PASSWORD SYSTEM ENCRYPTED 00554155500e
Next, enable console password access with the command "SEt LOcalaccess ON | PArtial | PRotected". This command is shown in figure 6-9.
cisco766> set localaccess protected
System Protection will be in place after the current session terminates
cisco766>
You can check to make sure the console is secure using the "logout" command. It will end your authorized session, but the prompt will stay the same. Now, run a command like "upload", which displays the configuration file. If you receive an error, you know you must use the command "login" and then enter the system password to identify yourself to the router again. Note that the password will not echo back to you as you enter it during login. This command dialog is shown in Figure 6-10.
cisco766> logout
cisco766> upload
Login and System password required to process command
cisco766> login
Enter Password:
cisco766> upload
CD
SET SCREENLENGTH 20
SET COUNTRYGROUP 1
…
Configuring Telnet Passwords
Protecting the router from unauthorized access via the network is paramount. Unlike physical access, where a cracker risks being seen using the router, telnet connections allow access to the router from anywhere on the planet, making it much harder to detect break-ins. Always password protect Telnet connections to routers.
Configuring Telnet Passwords in IOS
During the initial setup dialog IOS asks you to "Enter virtual terminal password." This example uses the phrase "enter-here", resulting in the configuration changes shown in Figure 6-11. The "line vty 0 4" indicates there are five virtual terminal lines available (0 through 4.) Each supports its own telnet session. All of them allow users to login to the router if they enter the proper password.
line vty 0 4
password enter-here
login
The password is the same for all five virtual terminals. You could set the password on each terminal by entering a command sequence such as the one shown in Figure 6-12. (Note the shorthand command "copy run start" used in place of "copy running-config startup-config".)
cisco-2501#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#line vty 0
cisco-2501(config-line)#password number1
cisco-2501(config-line)#line vty 1
cisco-2501(config-line)#password number2
cisco-2501(config-line)#line vty 2
cisco-2501(config-line)#password number3
cisco-2501(config-line)#line vty 3
cisco-2501(config-line)#password number4
cisco-2501(config-line)#line vty 4
cisco-2501(config-line)#password number5
cisco-2501(config-line)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#copy run start
Building configuration...
[OK]
cisco-2501#
This resulted in the configuration changes shown in Figure 6-13. Changing the password for each vty individually splits them out in the configuration file from one line ("line vty 0 4") to five separate lines.
line vty 0
password number1
login
line vty 1
password number2
login
line vty 2
password number3
login
line vty 3
password number4
login
line vty 4
password number5
login
This example is not very practical, because a user connecting to the router via telnet would not know to which port they were connected; therefore, they would have a hard time determining which password to use. To set the passwords for all vty lines to the same string, we would use the dialog in Figure 6-14.
cisco-2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#line vty 0 4
cisco-2501(config-line)#password open-says-me
cisco-2501(config-line)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#cop ru st
Building configuration...
[OK]
cisco-2501#
This resulted in the configuration collapsing all five vty lines back to a single entry, as shown in figure 6-15.
line vty 0 4
password open-says-me
login
Configuring Telnet Passwords in 700 Series Routers
There is only one password protecting the Cisco 7x0 series routers from administrative access. This password gives you access to the router, as well as administrative control. The password is not configured by default and must be added with the command "SEt PAssword SYstem [ENcrypted] [<password>]". The documentation is slightly incorrect in that the ENcrypted option is always the default, and is therefore never required. The command, shown in figure 6-16, sets the password and adds the line shown in figure 6-17 to the configuration file.
cisco766> set pa sy 12345
System Protection will be in place after the current session terminates
cisco766>
SET PASSWORD SYSTEM ENCRYPTED 00554155500e
You must be in the global profile to make this password change. Should you change to a sub-profile (like LAN), you would get an error message. An example of this error is displayed in Figure 6-18.
cisco766> cd lan
cisco766:LAN> set password system 67890
System parameter can only be modified at system level
cisco766:LAN>
By default, telnet access to this router is protected. This is done through the "SEt REmoteaccess OFF | PArtial | PRotected" command. If, for some reason, you should want to disable telnet access, you can use the command shown in figure 6-19.
cisco766> set remoteaccess off
cisco766>
This will result in the message "Remote configuration is disabled - ACCESS DENIED" being displayed when you try to telnet to the router. You can restore it to its default configuration by setting remote access back to "protected", as shown in figure 6-20.
cisco766> set remoteaccess protected
cisco766>
Enable and Enable Secret Passwords in IOS
IOS understands the concept of multiple levels of security. In the default setup, you have an access mode and an enable mode. Enable mode gives you complete administrative access to the Cisco router. The normal password for enable mode is the enable password. By default, this password is stored in plain text like the vty, console, and auxiliary passwords. However, if you want more protection, you can create an (encrypted) enable secret password.
If there is an enable password (but not an enable secret password), it will protect access to enable mode. An enable secret password supersedes a mere enable password, and the router will require its use to access enable mode (regardless of the presence of an enable password). The enable secret password is more secure, not only because it is encrypted, but also because it uses stronger encryption than normal (see "Encrypting Passwords" below).
To set an enable password, use the "enable password" command (see the dialog in figure 6-21):
cisco-2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#enable password junk
cisco-2501(config)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#cop ru st
Building configuration...
[OK]
cisco-2501#
This either adds or changes the "enable password" line in the configuration file so it looks like figure 6-22.
enable password junk
Setting an enable secret password is just as simple. By using the "enable secret" command, you can add or change the encrypted password protecting enable mode. This is shown in figure 6-23.
cisco-2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#enable secret 12345
cisco-2501(config)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#cop ru st
Building configuration...
[OK]
cisco-2501#
This either adds or changes the line in the configuration file shown in Figure 6-24. As you can see, the password is not stored in plain text as it is with the enable, vty, console, and auxiliary passwords. This makes your router more secure, because anyone seeing the configuration file (whether over your shoulder or on a printout) will not be able to pick up the password to access enable mode in your router. It also means you cannot rely on text files or printed copies of your configuration file to reference your router passwords. You will have to store them somewhere safe or you will not be able to get them back if you lose them.
enable secret 5 $1$hecz$p.mC8fHOC5Y/8hU6S2xhG.
Encrypting Passwords
Encrypting passwords may be scary to someone that is used to reading them in stored configuration files. Getting over this fear is of paramount importance for the security of your network. If anyone looking over your shoulder or reading configuration files on your hard disk can read router passwords in plain text, you are asking for trouble. You need to make it as hard as possible for unauthorized personnel to get into your routers. The first line of defense is encrypting your router password.
Encryption in IOS
There are two types of encryption algorithms in IOS. The first is a hard encryption based on a hashed MD5 algorithm. This hard encryption is used only on the "enable secret" password. The second is much less secure, and has already been broken. Programs to decrypt it are not hard to find on the Internet and Cisco has known about their existence since 1995. Do not rely on this weak encryption to stop anything more than over-the-shoulder password leaks. For Cisco's official stance on this, see the URL
Without weak encryption set, the passwords in the configuration file look like figure 6-25.
enable secret 5 $1$hecz$p.mC8fHOC5Y/8hU6S2xhG.
enable password junk
line con 0
password 12345
login
line aux 0
password 67890
login
line vty 0 4
password open-says-me
login
Turning on the password encryption service in the global configuration mode automatically encrypts all passwords (except the "enable secret") with weak encryption. Add the password encryption service as per the dialog in figure 6-26.
cisco-2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#service password-encryption
cisco-2501(config)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2501#cop ru st
Building configuration...
[OK]
cisco-2501#
Once entered, your configuration file will look like figure 6-27.
service password-encryption
enable secret 5 $1$hecz$p.mC8fHOC5Y/8hU6S2xhG.
enable password 7 09465B0712
line con 0
password 7 12485744465E
login
line aux 0
password 7 1353404A525C
login
line vty 0 4
password 7 11060900195F180D1D3966292D
login
Remember that this encryption can be broken and is only meant to stop people reading over your shoulder. If you have to send a copy of your configuration file to anyone, make sure to delete or cross out the encrypted passwords. You can do this by copying the text file aside and changing it to look something like figure 6-28.
service password-encryption
enable secret 5 XXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXX
line con 0
password 7 XXXXXXXXXXXXX
login
line aux 0
password 7 XXXXXXXXXXXXX
login
line vty 0 4
password 7 XXXXXXXXXXXXX
login
Next, print or e-mail this version with no real passwords. (Readers will notice that the "enable secret" password was also deleted.) Although the encryption used to create it has not been broken, you should not take the chance someone else will acquire it.
As a side note, you should also make sure to remove any information about SNMP community string names if you send your configuration file to someone else. (See later discussions on security and SNMP for more information.)
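As an added example (not code from the chapter), the following Python script applies two rules from this section and from the console-password section: every line that carries a password also needs "login", and a configuration copy that leaves your hands must have every password and SNMP community string masked as in figure 6-28. It audits a configuration for plain-text and type 7 passwords, a missing "enable secret", missing "login" commands and SNMP community strings, and produces the redacted copy. The sample configuration is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample config (not from the chapter): a mix of the good and bad
# states the text walks through, plus an SNMP community string.
SAMPLE_CONFIG = """\
hostname cisco-2501
enable secret 5 $1$hecz$p.mC8fHOC5Y/8hU6S2xhG.
enable password junk
snmp-server community public RO
line con 0
 password 7 12485744465E
 login
line aux 0
 password 67890
line vty 0 4
 login
"""

# Matches "enable password 7 <hex>", " password open-says-me", "username x password y"
# and "enable secret 5 <hash>"; group 2 is the optional type digit, group 3 the value.
PASSWORD_RE = re.compile(
    r"^(\s*(?:enable\s+|username\s+\S+\s+)?(?:password|secret)\s+)(?:([057])\s+)?(\S+)(.*)$")
SNMP_RE = re.compile(r"^(\s*snmp-server\s+community\s+)(\S+)(.*)$")
# Keywords that open a new top-level stanza and therefore close a "line ..." stanza
# (needed because pasted configs often lose their indentation).
TOP_LEVEL = {"interface", "enable", "service", "snmp-server", "hostname",
             "ip", "username", "router", "end", "version"}


def audit_config(text: str) -> List[str]:
    """Return the weaknesses the chapter warns about, one finding per string."""
    lines = text.splitlines()
    findings: List[str] = []
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append("global: service password-encryption is off; line and enable "
                        "passwords are stored in plain text")
    if not any(l.strip().startswith("enable secret") for l in lines):
        findings.append("global: no enable secret; enable mode is guarded only by the "
                        "weakly protected enable password")
    stanza = None                       # current "line ..." stanza, if any
    state: Dict[str, Dict[str, bool]] = {}
    for raw in lines:
        s = raw.strip()
        if s.startswith("line "):
            stanza = s
            state[stanza] = {"password": False, "login": False}
            continue
        if stanza and (s == "!" or s.split(" ")[0] in TOP_LEVEL):
            stanza = None
        m = PASSWORD_RE.match(raw)
        if m:
            prefix, ptype, value = m.group(1).strip(), m.group(2), m.group(3)
            where = stanza or prefix
            if stanza:
                state[stanza]["password"] = True
            if prefix == "enable secret" or ptype == "5":
                continue                # MD5 hashed: the "hard encryption" of the text
            if ptype == "7":
                findings.append(f"{where}: type 7 password is reversible; treat it as "
                                "plain text once the file leaves your hands")
            else:
                findings.append(f"{where}: password '{value}' is stored in plain text")
            continue
        if stanza and s == "login":
            state[stanza]["login"] = True
        sm = SNMP_RE.match(raw)
        if sm:
            findings.append(f"snmp-server community '{sm.group(2)}' present; strip it "
                            "before sharing the file")
    for name, st in state.items():
        if st["password"] and not st["login"]:
            findings.append(f"{name}: password set but no 'login'; the router never asks for it")
        if st["login"] and not st["password"]:
            findings.append(f"{name}: 'login' without a password; nobody can authenticate here")
    return findings


def redact_config(text: str, mask: str = "XXXXXXXXXXXXX") -> str:
    """Produce the shareable copy of figure 6-28: every secret replaced by the mask."""
    out: List[str] = []
    for raw in text.splitlines():
        m = PASSWORD_RE.match(raw)
        if m:
            ptype = f"{m.group(2)} " if m.group(2) else ""
            out.append(f"{m.group(1)}{ptype}{mask}{m.group(4)}")
            continue
        sm = SNMP_RE.match(raw)
        if sm:
            out.append(f"{sm.group(1)}{mask}{sm.group(3)}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
    print(redact_config(SAMPLE_CONFIG))
```

Feed it the text you saved from "show running-config" (or the file written by "write network"); the redacted output is the version to print or e-mail.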
Encryption in 700 Series Routers
The 700 series router OS handles encryption in a very straightforward way. The system and PPP passwords can be set using the "encrypted" key word. The command line help shows the system and PPP passwords being set in the manner shown in figure 6-29.
SEt PAssword SYstem [ENcrypted] [<password>]
SEt PPp <PAssword | SEcret> <HOst | CLient> [ENcrypted] [<password>]
As noted before, if you try to set the system password without using the "encrypted" keyword (as in figure 6-30), the OS encrypts it anyway, resulting in the configuration entry shown in figure 6-31.
cisco766> set password system 12345
System Protection will be in place after the current session terminates
cisco766>
SET PASSWORD SYSTEM ENCRYPTED 12485744465e
Set the PPP host password with the command shown in figure 6-32. This also results in an encrypted password in the configuration file, without it being explicitly asked for. This can be seen in Figure 6-33.
cisco766> set ppp password host 67890
cisco766>
SET PPP PASSWORD HOST ENCRYPTED 0145515c025b
It is puzzling why Cisco includes the "encrypted" keyword as an option, when you always get an encrypted password (whether you use it or not.)
Interface Configuration in IOS
An interface statement in the configuration file controls each physical networking port on a Cisco IOS router. To make changes to an interface, you must enter the interface name first. When you do, you will notice the prompt change from "(config)" in global configuration mode to "(config-if)" in interface configuration mode. You can see this in figure 6-34.
cisco-2501(config)#interface ethernet 0
cisco-2501(config-if)#
Once you are in interface configuration mode, all interface related commands entered will affect that specific interface only. If you enter a command supported only in global configuration mode, you will revert to that mode. In figure 6-35 you can see that the administrator is in global configuration mode when the command "interface ethernet 0" is entered. After the command is processed, the prompt changes to "(config-if)" to indicate you are now configuring the interface. Enter the IP address for that interface. Note that you remain in interface configuration mode. However, once you enter the global configuration mode command to create a user, the system reverts to global configuration mode.
cisco-2501(config)#interface ethernet 0
cisco-2501(config-if)#ip address 10.0.0.1 255.255.255.0
cisco-2501(config-if)#user paul password test1
cisco-2501(config)#
There will be instances when the commands you are entering are ambiguous to the command line processor. In this case, the command may be valid, but you cannot enter it from the current mode. To solve this problem, simply "exit" back to the global configuration mode, as shown in figure 6-36:
cisco-2501(config)#interface ethernet 0
cisco-2501(config-if)#exit
cisco-2501(config)#
Profile Configuration in 700 Series Routers
The 700 series OS does not use the concept of interfaces, but rather one of profiles. Because it is a fixed configuration router with only one Ethernet port and one ISDN BRI port, it doesn't really need to generalize LAN and WAN connections as IOS routers do. Instead, the LAN port has a separate profile from the "user" profiles used to connect via ISDN to WAN sites. To make changes to the Ethernet configuration, you must first be in the LAN profile.
Configuring the Ethernet Port
Ethernet Interface Configuration in IOS
The most basic configuration necessary on the Ethernet port is to set the IP address and network mask. Once done, the Ethernet port is ready for use, unless the Ethernet port is shut down. In this case, invoke the "no shutdown" command to bring the interface into an active state. On some Cisco routers, you have a choice of connector for certain Ethernet ports. For example, a two-port Ethernet card for a series 4000 router (figure 6-37) has both AUI and 10-BaseT ports. If an Ethernet interface has multiple connectors, you must choose which one you are going to use in the configuration using the "media-type" command.
If your network is subnetted, there is a chance that the subnet you are using is illegal, as far as RFC 950 is concerned. Although these subnets may be illegal, some people still use them, and they can function without error. However, Cisco is bound to support the RFCs and enforce their proper use. This means that sometimes you will not be able to enter an IP address and netmask; instead, the router will kick out a "bad mask" error. If you feel that your subnet will work properly, and want to make the personal decision to override the RFC in your network, use the "ip subnet-zero" command.
An example of how to set up an Ethernet interface detailing all the above concerns can be seen in figure 6-38. The initial configuration for the interface is listed in figure 6-39. The new configuration, showing the changes entered in figure 6-38, can be seen in figure 6-40.
cisco-2501#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2501(config)#interface ethernet 0
cisco-2501(config-if)#ip address 10.0.0.1 255.255.255.0
Bad mask /24 for address 10.0.0.1
cisco-2501(config-if)#ip subnet-zero
cisco-2501(config)#interface ethernet 0
cisco-2501(config-if)#ip address 10.0.0.1 255.255.255.0
cisco-2501(config-if)#media-type aui
cisco-2501(config-if)#no shutdown
cisco-2501(config-if)#^Z
cisco-2501#
%SYS-5-CONFIG_I: Configured from console by console
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
cisco-2501#
interface Ethernet 0
no ip address
shutdown
ip subnet-zero
!
interface Ethernet 0
ip address 10.0.0.1 255.255.255.0
Notice that the "ip subnet-zero" command is not part of the interface configuration in figure 6-40, but rather part of the global configuration. In basic terms, either your router supports RFC illegal subnets or it does not. There is no way to set it on a per interface basis. Also, notice that the "media-type" command does not show up. Some Cisco routers can automatically sense which port is in use and override the command. On these routers the "media-type" command is not necessary and becomes a hidden command in the configuration file.
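As an added example, not from the chapter, the following Python function reproduces the subnet-zero check behind the "Bad mask" error: it finds the classful boundary of the address, extracts the subnet field below it, and rejects the address when that field is all zeros unless "ip subnet-zero" is in effect (the subnet_zero_enabled flag is this example's stand-in for that global command). It also flags a host part of all zeros or all ones, which the chapter's dialog does not show.

```python
import ipaddress
from typing import Dict, Optional


def classful_prefix(addr: ipaddress.IPv4Address) -> int:
    """Natural mask length of the address's class; RFC 950 subnets are carved below it."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8        # class A
    if first_octet < 192:
        return 16       # class B
    if first_octet < 224:
        return 24       # class C
    raise ValueError(f"{addr}: class D/E addresses cannot be assigned to an interface")


def check_subnet(ip: str, mask: str, subnet_zero_enabled: bool = False) -> Dict[str, object]:
    """Classify ip/mask the way the chapter's "Bad mask" check does.

    subnet_zero_enabled mirrors the global "ip subnet-zero" command (an assumption of
    this example): with it off, an address whose subnet field is all zeros is rejected.
    """
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    natural = classful_prefix(addr)
    subnet_bits = net.prefixlen - natural
    subnet_number: Optional[int] = None     # None: classful or supernet, no subnet field
    if subnet_bits > 0:
        host_bits = 32 - net.prefixlen
        subnet_number = (int(net.network_address) >> host_bits) & ((1 << subnet_bits) - 1)
    subnet_zero = subnet_number == 0
    # A host part of all zeros or all ones is never a usable interface address.
    host_invalid = net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address)
    accepted = (not subnet_zero or subnet_zero_enabled) and not host_invalid
    if subnet_zero and not subnet_zero_enabled:
        message = f"Bad mask /{net.prefixlen} for address {ip}"   # wording of figure 6-38
    elif host_invalid:
        message = f"{ip} is the network or broadcast address of {net}"
    else:
        message = "ok"
    return {
        "classful_prefix": natural,
        "subnet_bits": subnet_bits,
        "subnet_number": subnet_number,
        "subnet_zero": subnet_zero,
        "accepted": accepted,
        "message": message,
    }


if __name__ == "__main__":
    for args in (("10.0.0.1", "255.255.255.0"), ("10.1.0.1", "255.255.255.0"),
                 ("192.168.1.1", "255.255.255.192"), ("192.168.1.65", "255.255.255.192")):
        print(args, check_subnet(*args)["message"])
```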
Ethernet Interface Configuration in 700 Series Routers
Setting up the Ethernet port for TCP/IP is fairly trivial for Cisco 700 series routers. The only item that may cause you trouble is the Node/Hub switch next to the Ethernet port. This switch configures the Ethernet port to act as a node connected to a hub, or as a hub with a node connected to it. This is not immediately clear by looking at it, and you may think that it is for selecting what the router is plugged into (it is not, however.) If you are connecting the router to a hub so many devices can route through it, you need to set the switch to node. If you are connecting a single PC directly to the router, it will act as a hub for that PC and you must set the switch to hub.
Statistically speaking, you have a 50-50 chance of selecting the proper setting. If you do not get a link light, you need to change the switch position. You should first shut the router off, then change the switch setting and reboot. If you try changing the switch position while the router is on, you will only get confused. This is because the Ethernet port only seems to check the switch setting at boot and ignores it afterward. By making sure you change the switch position only when the power is off, you decrease your chance of confusion. A rear view of the Cisco 766 router can be seen in figure 6-41.
Figure 6-41. From left to right, the first three things are the Serial console port, the 10BaseT Ethernet port, and the Node/Hub switch. If the link light (shown here as the fifth item) is on, then you have properly connected the router to your other networking equipment.
To set the IP address and netmask on the Ethernet port, you must make configuration changes to the LAN profile. Enter the LAN profile using the "cd lan" command, and then set the IP address with the "set ip address" command. Similarly, the network mask is set with the "set ip netmask" command. This dialog is shown in figure 6-42.
cisco766> cd lan
cisco766:LAN> set ip address 10.0.0.1
cisco766:LAN> set ip netmask 255.255.255.0
cisco766:LAN>
High Capacity Serial Line Basic Configuration
Getting a High Capacity Serial Line Operational in IOS
The high capacity lines we will be discussing are the more ubiquitous 56/64 Kbps (DS0) and 1.544/2.048 Mbps T1/E1 (DS1) lines. These require more physical setup than they do router configuration. Once the line is installed from Site A to Site B, the first step is to install a CSU/DSU at each end, and make sure the telco can see both of them. Next, try a remote loopback to make sure they can see each other. Only then should you connect a router to the CSU/DSU and attempt to setup the serial interface.
For our example (shown in figure 6-43), we have two locations named Site A and Site B. Site A has a Cisco 4000 series router with four port serial card and a dual Ethernet card installed. Site B is using a Cisco 2501 router. The two sites use the same external CSU/DSU, and connect via a T1 line provided by the local telco.
Establishing the Basic Connection
Once the T1 line checks out, the router setup can proceed. This is extremely easy. First, the Ethernet port is set up (we will assume this has been done just as it was in the example above). Next, the serial line receives an IP address, the serial interface is turned on, and we make sure the router is routing.
For our example, we will use the IP network 208.213.188.0 to connect the two routers. Site A will receive the IP address of 208.213.188.1 and Site B will receive 208.213.188.2. Because an entire Class C IP network is used, the netmask is 255.255.255.0.
By default, the configuration of Site A's serial 0 interface is shown in figure 6-44. It is configured for the Site A configuration with the dialog shown in figure 6-45.
interface Serial0
no ip address
shutdown
no fair-queue
wan4500#conf t
Enter configuration commands, one per line. End with CNTL/Z.
wan4500(config)#interface serial 0
wan4500(config-if)#ip address 208.213.188.1 255.255.255.0
wan4500(config-if)#no shutdown
wan4500(config-if)#exit
wan4500(config)#ip routing
wan4500(config)#^Z
wan4500#
First, enter global configuration mode; next, select the interface. Add the IP address to the interface, and activate it with the "no shutdown" command. Finally, issue the "exit" to return to global configuration mode, and the "ip routing" command to turn on IP routing. (By default, IP routing is on; however, if the router was previously used in bridging mode, the command "no ip routing" would appear in the configuration. The "ip routing" command is a useful double-check that routing is turned on, although it is not necessary in most cases.)
Following the series of commands in figure 6-45, the interface configuration looks like figure 6-46. The setup for Site B is identical. The only difference is the IP address assigned to interface serial 0. In this case, it will be 208.213.188.2.
interface Serial0
ip address 208.213.188.1 255.255.255.0
no fair-queue
Readers should note that the use of an entire class C IP network for a point-to-point link wastes IP address space tremendously. It is shown here only as an example. To avoid this waste, set up a subnet with a netmask of 255.255.255.252. This will provide just two valid IP addresses, one for each side of the point-to-point WAN connection. An even better way of configuring this connection would be with an unnumbered IP address on the serial interfaces. However, since neither subnetting nor unnumbered IP addresses have been discussed, a whole class C is used for this example. If you wish, you can use a whole class C to test a WAN line, like we have done here, but you should never make a configuration like this permanent.
Testing the basic connection
Once the line is active, you should see the messages in figure 6-47 at the console. If you have connected through the network, use the command "terminal monitor" from the enable command prompt to have them pop up on your screen. This must be done each time you login to the router through the network.
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
The interface state changes to up if the router can see the CSU/DSU and the interface is not shut down. Once both routers have their interfaces up, they attempt to establish the line protocol. That done, the two routers should be talking to each other. You can verify the state of the line at any time using the "show interface" command. This is shown in figure 6-48.
wan4500#sho int s0
Serial0 is up, line protocol is up
Hardware is HD64570
Description: To Site B
Internet address is 208.213.188.1/24
MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, rely 255/255, load 5/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
Last input 00:00:05, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/64/0 (size/threshold/drops)
Conversations 0/8 (active/max active)
Reserved Conversations 0/0 (allocated/max allocated)
5 minute input rate 50000 bits/sec, 13 packets/sec
5 minute output rate 36000 bits/sec, 12 packets/sec
6677396 packets input, 2555807380 bytes, 0 no buffer
Received 56735 broadcasts, 0 runts, 0 giants
19 input errors, 19 CRC, 0 frame, 0 overrun, 0 ignored, 12 abort
7221491 packets output, 2985787597 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
wan4500#
The first thing to notice from the output of the "show interface serial 0" command is the state of the line. In this case, you see that the interface is up, and so is the line protocol. There is then a whole flurry of information about the state of the line and its configuration, followed by the serial line statistics since they were last reset. At the end, you can see the state of the control line signals.
The control line signals allow the CSU/DSU and the router to gain information about each other. In a working configuration, all the signals should be up. If one of these is down, you may have a problem with the CSU/DSU, the cable, or the T1 connection to the telco.
If all of this looks good, try sending data to the other end. The "ping" command sends a data packet from one router to the other and asks for a reply. On a T1 line you should get a reply every time. If you do not, there may be something wrong with the line or with some of the equipment between the routers (cable, CSU/DSU, telco equipment). The only exception may be the first time it is tried. You can issue "ping" from user EXEC mode or from privileged (enable) mode. This is shown in figure 6-49.
cisco-2501#ping 208.213.188.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.213.188.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 36/37/40 ms
cisco-2501#ping 208.213.188.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.213.188.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms
cisco-2501#
Extended Testing with Ping
One way to test a T1 line is to hammer it with "ping" packets and their replies. Using "ping" interactively from enable mode does this. (In fact, "ping" is interactive only in enable mode.) You simply enter "ping" on the command line, and the router prompts you for more information. By choosing a very high repeat count (and increasing the datagram size), you can load the line with data. If no failures occur, you can consider the line clean. In this example, 1,000 packets are sent, each 1024 bytes in length. An example of the extended "ping" dialog is shown in figure 6-50.
cisco-2501#ping
Protocol [ip]:
Target IP address: 208.213.188.1
Repeat count [5]: 1000
Datagram size [100]: 1024
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 1024-byte ICMP Echos to 208.213.188.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
…
Setting up IP Addresses on all Interfaces
Setting up IP addresses on other interfaces is just as easy. Simply select the interface to which you want to add an IP address using the "interface" command and add the IP address. Remember to make sure the interface is not shut down.
Static and Default Routing
If we take the above example for a T1 connection and look at it from the real world, we will notice something missing. There is nothing communicating over the T1 line except the two Cisco routers! If we add an Ethernet port to each router, the nodes on each of those Ethernet networks can communicate over the T1 line. A diagram of this sample network is shown in Figure 6-51.
Before the network on one Ethernet can see the other, you need to route the IP protocol properly. Do this each time from the point of view of the machine you are on. There are two basic points of view per site: the nodes attached to the network, and the router. The nodes attached to the network should all have the IP address of the router's Ethernet port as their default gateway. There are several ways to accomplish this, depending on the type of node; the most common case is a Windows 95 desktop. Begin by clicking Start, then Settings, then Control Panel, and double-click the Network icon. Select the TCP/IP entry for the Ethernet card, click "Properties", and then click the "Gateway" tab (shown in figure 6-52). Here, enter the IP address of the router's Ethernet port. If you enter an address that is not on your local network, the machine will not route properly.
By having interfaces on the local and the WAN networks, the router already knows how to route between those. What it does not know about is the Ethernet network on the router it talks to over the T1. In order to inform the router about the Ethernet network at the remote site, add a static route to that network. Use the "ip route" command in global configuration mode to do this.
Site A needs a route to the Site B Ethernet network, 208.213.190.0. Site B needs a route to the Site A network, 208.213.189.0. One option is to route the network to the remote WAN IP address as shown in figures 6-53 and 6-54.
Site-A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-A(config)#ip route 208.213.190.0 255.255.255.0 208.213.188.2
Site-A(config)#^Z
Site-A#
Site-B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-B(config)#ip route 208.213.189.0 255.255.255.0 208.213.188.1
Site-B(config)#^Z
Site-B#
Another option is not to use the IP address of the remote router's serial port, but rather to use the local router’s interface name. In this case, both routers use Serial0 as the destination for the remote route. This is shown in figure 6-55 and 6-56.
Site-A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-A(config)#ip route 208.213.190.0 255.255.255.0 Serial0
Site-A(config)#^Z
Site-A#
Site-B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-B(config)#ip route 208.213.189.0 255.255.255.0 Serial0
Site-B(config)#^Z
Site-B#
Another way to simplify the configuration is to use a default route. In this case, each router effectively says, "route everything I don't otherwise know how to route through this destination." You do this by removing the explicit routes to 208.213.189.0 and 208.213.190.0 and replacing them with routes to 0.0.0.0. The network 0.0.0.0 has a network mask of 0.0.0.0, which is what makes it a default route: every destination matches it, and since it is the least specific route possible, it is used only when nothing else matches.
Site-A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-A(config)#ip route 0.0.0.0 0.0.0.0 Serial0
Site-A(config)#^Z
Site-A#
Site-B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-B(config)#ip route 0.0.0.0 0.0.0.0 Serial0
Site-B(config)#^Z
Site-B#
While this is a little neater, it may cause you some problems later. For example, what if Site A gets an Internet connection and connects it to the Serial1 interface (as shown by figure 6-59)? In this case, you must set a default route to the Internet, so Site A can connect to all those sites you do not know about. This works fine for Site B. Its default route will get packets to the Site A network and the Internet. However, Site A must remove the default route to Site B and add one to the Internet. It must also add an explicit route to Site B, or else all packets destined for Site B will be sent out to the Internet.
The configuration at Site B stays the same (figure 6-61) while the configuration for Site A changes. Site A gets a default route to the Internet via Serial1, and a static route to Site B, as seen in figure 6-60.
Site-A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-A(config)#ip route 0.0.0.0 0.0.0.0 Serial1
Site-A(config)#ip route 208.213.190.0 255.255.255.0 Serial0
Site-A(config)#^Z
Site-A#
Site-B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site-B(config)#ip route 0.0.0.0 0.0.0.0 Serial0
Site-B(config)#^Z
Site-B#
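The following is an added example, not part of the book, that works through the routing decision described above for Site A. It models the router's longest-prefix-match lookup over Site A's connected networks and its "ip route" statements, so you can see why the explicit route to 208.213.190.0 is required once the default route points at the Internet on Serial1. The Ethernet0 interface name and the Internet address 198.51.100.7 are assumptions for the illustration; the 208.213.x.0 networks are the ones used in the figures.

```python
import ipaddress


def mask_to_prefixlen(mask):
    """Convert a dotted netmask as typed in 'ip route' (e.g. 255.255.255.0) to a prefix length."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def build_table(static_routes, connected):
    """Merge connected networks with 'ip route <prefix> <mask> <next hop>' entries and
    order them longest prefix first, the order in which the router resolves a lookup."""
    table = [(ipaddress.ip_network(net, strict=False), iface) for net, iface in connected]
    for prefix, mask, next_hop in static_routes:
        net = ipaddress.ip_network(f"{prefix}/{mask_to_prefixlen(mask)}", strict=False)
        table.append((net, next_hop))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Return the next hop / outgoing interface of the most specific matching route,
    or None when no route (not even a default) covers the destination."""
    addr = ipaddress.ip_address(destination)
    for net, next_hop in table:
        if addr in net:
            return next_hop
    return None


# Site A's connected networks (assumed: Ethernet0 carries the Site A LAN,
# Serial0 is the T1 to Site B configured earlier in this section).
SITE_A_CONNECTED = [("208.213.189.0/24", "Ethernet0"), ("208.213.188.0/24", "Serial0")]

# Figure 6-60 as typed: default route to the Internet plus the explicit Site B route.
SITE_A_ROUTES = [("0.0.0.0", "0.0.0.0", "Serial1"),
                 ("208.213.190.0", "255.255.255.0", "Serial0")]

# The same router with the explicit Site B route forgotten.
SITE_A_ROUTES_NO_EXPLICIT = [("0.0.0.0", "0.0.0.0", "Serial1")]


def next_hop_site_a(destination, explicit_route=True):
    """Where Site A sends a packet, with or without the explicit route to Site B."""
    routes = SITE_A_ROUTES if explicit_route else SITE_A_ROUTES_NO_EXPLICIT
    return lookup(build_table(routes, SITE_A_CONNECTED), destination)


if __name__ == "__main__":
    for dest in ("208.213.190.5", "198.51.100.7", "208.213.189.20"):
        print(dest, "->", next_hop_site_a(dest), "| without explicit route:",
              next_hop_site_a(dest, explicit_route=False))
```

With the explicit route, a packet for a Site B host (208.213.190.5) leaves on Serial0; without it, the same packet matches only 0.0.0.0/0 and is sent out Serial1 to the Internet, exactly the failure the text warns about. Internet destinations and the local LAN are unaffected either way.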
ISDN BRI Basic Configuration
U-loop vs. S/T-loop
ISDN has two electrical signaling standards. The first is U-loop, which is the signaling coming from the telco to your site. U-loop hauls ISDN signal long distances from the telco to your home or office. The second signaling standard is S/T-loop. U-loop converts to S/T-loop at your site. A device called an NT-1 does the conversion.
The S/T-loop signaling permits multiple ISDN devices to share a single ISDN line. If you have an ISDN fax machine (group 4 fax), you may be able to plug it in to the S/T-loop port on your NT-1, even an NT-1 built into a 700 series router. It will all depend on the compatibility of the devices you are using.
Many of the newer routers offer built-in NT-1s. However, older routers like the 2503, 2520, and 4000 series do not. If your router does not have a built-in NT-1, you must purchase an external one. If you are setting up a single BRI, a device such as the Adtran NT-1 ACE (http://www.adtran.com/cpe/isdn/netterm/index.html#nt1ace), seen in figure 6-62, will work for you, as will almost any external NT-1. For higher density BRI connections, you may want to invest in rack mounted NT-1s such as the Adtran T400 shelf shown in figure 6-63 (http://www.adtran.com/cpe/isdn/netterm/t400/t400.html). This works well when you have more BRI connections, such as those provided by the four and eight port BRI cards for the 4000 series routers. The key to determining whether your router has a built-in NT-1 is the presence of a U-loop port. If the router does not have a clearly marked U-loop port, it probably needs an external NT-1. The NT-1 takes U-loop in from the telco and converts it to S/T-loop signaling. Depending on the external NT-1, you may get more than one S/T-loop connection for other ISDN devices, such as ISDN fax machines, ISDN credit card verification systems, and ISDN phones.
Configuring the BRI in IOS
Setting up a BRI in IOS is a multistage process. First, you must connect the ISDN line to the telco and configure the line itself (as well as the ISDN switch type your telco is using.) Next, you have to configure the dial-out and dial-in information. Finally, you need to verify routing over the BRI.
Initially, no ISDN switch type is set and there is no really useful configuration information for your BRI interface. This is shown in figure 6-64.
interface BRI0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
The first thing to do is physically connect the ISDN line to the wall jack coming from your telco. This will go into a port on your router labeled "ISDN U-loop". If your router does not have this port, connect it to the U-loop port on an external NT-1. Next, connect the S/T-loop port on the external NT-1 to your router. Routers like the Cisco 766 have a built-in NT-1 and convert U-loop to S/T-loop internally. With these routers, the U-loop signal from the telco connects directly to the router. The direct U-loop to router connection is shown in figure 6-66. Figure 6-65 shows a router with an external NT-1 connected to the telco's U-loop. It provides S/T-loop for the router's BRI port.
Once the router is connected to the telco (whether through an external NT-1 or not), you can start configuring the BRI port in IOS. Set the ISDN switch type your telco uses in global configuration mode (in this example "isdn switch-type basic-ni1", the National ISDN-1 type reported in the status output below), then activate the BRI port with "no shutdown" so you can verify that it sees the telco. The command "show isdn status" displays the current state of the BRI line. At this point, all you care about is the layer 1 status. If it shows "DEACTIVATED", the router cannot see the telco. This may be a bad connection from the router to the S/T-loop port on an external NT-1, or a bad connection from the U-loop port to the telco. You will also see this if the BRI port is still shut down.
Once layer 1 is listed as "ACTIVE", look at the layer 2 status. You need to see "MULTIPLE_FRAME_ESTABLISHED" to know the line is working properly. If you see only "TEI_ASSIGNED", you still have a problem: layer 1 can be up when the S/T-loop connection is good (which it always is on routers with internal NT-1 devices) while the U-loop connection does not see the telco. Once you see "ACTIVE" for layer 1 and "MULTIPLE_FRAME_ESTABLISHED" for layer 2, you can move on to configuring the BRI port.
Setting the SPIDs and Directory Numbers
At this point, you can add the SPIDs (Service Profile Identifiers) and directory numbers to the BRI interface. The SPIDs are usually the ten digit phone numbers of the B channels with some digits prepended and/or appended to them. The directory number is always the seven-digit portion of the B channel phone number. For example, if one B channel phone number was (703) 555-4567, the SPID might have the digits 01 prepended to it and the digits 0001 appended to it. In this case the SPID would be 0170355545670001 and the directory number would be 5554567. The SPID and directory numbers must be numeric strings without spaces or punctuation in order for the router (and the telco switch) to handle them.
The SPID and directory number for each B channel are set on the same line using the "isdn spidX" command, where X is 1 for the first B channel and 2 for the second. Next, add the SPID string, and add the directory number last. This can be seen in figure 6-67.
cisco-2503#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2503(config)#interface bri0
cisco-2503(config-if)#isdn spid1 70328838120101 2883812
cisco-2503(config-if)#isdn spid2 70328838130101 2883813
cisco-2503(config-if)#^Z
cisco-2503#
%SYS-5-CONFIG_I: Configured from console by console
cisco-2503#
Once you have entered the SPIDs into the configuration, the output of the "show isdn status" command should change radically for layers 2 and 3. Layer 2 should show lines for "spid1 configured, spid1 sent, spid1 valid" and with similar lines for SPID 2. The output should also have "MULTIPLE_FRAME_ESTABLISHED" listed twice (one for each B channel). You should also notice changes in the number of "activated dsl 0 CCBs" in layer 3. It is possible you will not see that, but rather something like figure 6-68.
cisco-2503#sho isdn stat
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 64, ces = 1, state = 8(established)
spid1 configured, spid1 NOT sent, spid1 NOT valid
TEI Not Assigned, ces = 2, state = 1(terminal down)
spid2 configured, spid2 NOT sent, spid2 NOT valid
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 0
Total Allocated ISDN CCBs = 0
cisco-2503#
Note that the SPIDs show as both "NOT sent" and "NOT valid". The important point is that they have not been sent to the telco ISDN switch, so there is no way the router can know they are valid. They will eventually be sent to the telco and be verified, but there is no reason to wait. Use the command "clear interface bri0" to reset the port, and the router will immediately try to synchronize with the telco ISDN switch. When it does, you will see output from "show isdn status" like that in figure 6-69.
cisco-2503#sho isdn stat
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 89, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 64, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 0, tid = 1
TEI 89, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
CCB: callid=0x0, sapi=0, ces=1, B-chan=0
Total Allocated ISDN CCBs = 1
cisco-2503#
If one of your SPIDs is wrong, you will see a line saying "spid2 NOT valid" (or "spid1 NOT valid") even though the SPID has been sent. An example of this is shown in figure 6-70.
cisco-2503#sho isdn stat
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 89, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 64, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 0, tid = 1
TEI 89, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 NOT valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
CCB: callid=0x0, sapi=0, ces=1, B-chan=0
Total Allocated ISDN CCBs = 1
cisco-2503#
In this case, you should reconfigure the SPID to correct the problem. On some routers, the SPIDs may not be reset when you use the command "clear interface bri 0". In this case, you will need to place an ISDN call (which we are not ready to do), or reboot the router. After a reboot, it may still be necessary to clear the interface to synchronize the SPIDs with the telco. Another way to do SPID synchronization is to unplug the BRI line from the router, clear the interface, and then plug it back in. In this case, the output from "show isdn status" will look like figure 6-71.
cisco-2503#sho isdn stat
The current ISDN Switchtype = basic-ni1
ISDN BRI0 interface
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
TEI 64, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 0, tid = 1
TEI Not Assigned, ces = 2, state = 3(await establishment)
spid2 configured, spid2 NOT sent, spid2 NOT valid
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 0 CCBs = 1
CCB: callid=0x0, sapi=0, ces=1, B-chan=0
Total Allocated ISDN CCBs = 1
cisco-2503#
Correct the SPID and directory information and synchronize with the telco until you get both B channels working. (This assumes that you have ordered your ISDN line with two B channels. It is possible to order only one B channel, done usually when you want to limit costs and bandwidth.) In the case of only one B channel, the telco will only give you the SPID and directory numbers for one B channel at line installation. Otherwise, they give you two.
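As an added example (not from the book), the following script encodes the troubleshooting order used above, layer 1, then layer 2, then each SPID, as a check over "show isdn status" output. The sample outputs it runs on are abbreviated copies of figures 6-68 through 6-70 plus a constructed one for an unplugged line; the regular expressions are assumptions based on the output format shown in those figures.

```python
import re


def parse_isdn_status(text):
    """Extract from 'show isdn status' the items the troubleshooting steps look at:
    the layer 1 state, the layer 2 state of each TEI, and whether each SPID was
    sent to and accepted by the telco switch."""
    layer1 = re.search(r"Layer 1 Status:\s*(\S+)", text)
    teis = re.findall(r"TEI = (\d+), State = (\S+)", text)
    spid_re = r"spid(\d) configured, spid\1 (NOT sent|sent), spid\1 (NOT valid|valid)"
    spids = {int(n): (sent == "sent", valid == "valid")
             for n, sent, valid in re.findall(spid_re, text)}
    return {"layer1": layer1.group(1) if layer1 else None,
            "teis": {int(t): state for t, state in teis},
            "spids": spids}


def diagnose(text, expected_spids=(1, 2)):
    """Return the list of things to fix, in the order the book checks them.
    An empty list means the BRI is talking to the telco and both SPIDs are accepted."""
    status = parse_isdn_status(text)
    problems = []
    if status["layer1"] != "ACTIVE":
        problems.append(f"layer 1 is {status['layer1']}: BRI port shut down, or the cable "
                        "to the NT-1 S/T-loop port or the telco U-loop is bad")
        return problems  # nothing further up the stack is meaningful yet
    if "MULTIPLE_FRAME_ESTABLISHED" not in status["teis"].values():
        problems.append("no TEI reached MULTIPLE_FRAME_ESTABLISHED: U-loop does not "
                        "see the telco, or wrong isdn switch-type")
    for n in expected_spids:
        if n not in status["spids"]:
            problems.append(f"spid{n} not configured")
            continue
        sent, valid = status["spids"][n]
        if not sent:
            problems.append(f"spid{n} not sent yet: 'clear interface bri0' to resynchronize")
        elif not valid:
            problems.append(f"spid{n} rejected by the switch: re-enter 'isdn spid{n}'")
    return problems


# Abbreviated copies of the outputs shown above (figures 6-68 and 6-69), a variant
# with a bad second SPID (figure 6-70), and a constructed output for an unplugged line.
NOT_SENT = """\
Layer 1 Status:
    ACTIVE
Layer 2 Status:
    TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
    spid1 configured, spid1 NOT sent, spid1 NOT valid
    spid2 configured, spid2 NOT sent, spid2 NOT valid
"""
GOOD = """\
Layer 1 Status:
    ACTIVE
Layer 2 Status:
    TEI = 64, State = MULTIPLE_FRAME_ESTABLISHED
    TEI = 89, State = MULTIPLE_FRAME_ESTABLISHED
Spid Status:
    spid1 configured, spid1 sent, spid1 valid
    spid2 configured, spid2 sent, spid2 valid
"""
BAD_SPID2 = GOOD.replace("spid2 sent, spid2 valid", "spid2 sent, spid2 NOT valid")
NO_TELCO = """\
Layer 1 Status:
    DEACTIVATED
Layer 2 Status:
    TEI Not Assigned
"""

if __name__ == "__main__":
    for name, sample in (("6-68", NOT_SENT), ("6-69", GOOD), ("6-70", BAD_SPID2), ("unplugged", NO_TELCO)):
        print(name, diagnose(sample) or "OK")
```

The "not sent" case is the one where the fix is simply "clear interface bri0"; the "rejected" case means the SPID string itself is wrong and the interface must be reconfigured before resynchronizing.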
Fleshing Out the Configuration
The configuration now needs some expanding. We will be configuring the router for a very basic dial-out connection. First, we need to add an IP address for this router's BRI port. We will also set the line encapsulation to PPP and the authentication to CHAP (Challenge Handshake Authentication Protocol). We will disable CDP (Cisco Discovery Protocol) and enable compression (which may not be supported on all routers) using the STAC algorithm. Additionally, we will use a "dialer map" command to set the phone number and name of the remote router. Finally, we add a default route to the remote router.
We must also declare which packets the router will find interesting. Only interesting packets make the router place a call and bring up the connection. To define what is interesting, use the "dialer-group" command on the BRI interface. Its argument is the number of a "dialer-list", defined in global configuration mode, that names the protocols (here, all IP traffic) that count as interesting for that interface.
In this case, our local IP address is 204.176.118.226 with a netmask of 255.255.255.240. This shows that we have subnetted a class C for an ISDN WAN. This is done to prevent wasting IP address space. The "dialer map" command shows we are using the IP protocol and connecting to a router named wan4500, which has an IP address of 204.176.118.225. The phone number to reach this router is 3496400. The dialog for entering this information into the router configuration is shown in figure 6-72.
cisco-2503#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2503(config)#interface bri 0
cisco-2503(config-if)#ip address 204.176.118.226 255.255.255.240
cisco-2503(config-if)#encapsulation ppp
cisco-2503(config-if)#ppp authentication chap
cisco-2503(config-if)#no cdp enable
cisco-2503(config-if)#compress stac
cisco-2503(config-if)#dialer map ip 204.176.118.225 name wan4500 3496400
cisco-2503(config-if)#dialer-group 1
cisco-2503(config-if)#exit
cisco-2503(config)#ip route 0.0.0.0 0.0.0.0 204.176.118.225
cisco-2503(config)#dialer-list 1 protocol ip permit
cisco-2503(config)#^Z
cisco-2503#
Dial-up Access Authentication
The final piece of the configuration is the creation of a user account and password for the remote router. CHAP uses this so that each router can authenticate the other. In this case, we add the user name wan4500 (as shown in figure 6-73), since it is the name of the remote router. CHAP uses the name of the remote router as the user name, and the passwords on both routers must match. Hence, each router in a CHAP connection has the other router's name as a user name in its local configuration. Note that this shared secret is stored in the router configuration in clear text, because CHAP needs the plaintext secret to compute its MD5 response; any configuration backup you make, as described at the start of this chapter, therefore contains it and must be protected accordingly.
cisco-2503#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco-2503(config)#username wan4500 password secret1
cisco-2503(config)#^Z
cisco-2503#
You must also add the user name and CHAP password of the local router (cisco-2503) to the remote router (wan4500); add a static route to the local router's Ethernet network; and add a "dialer map" statement so that the remote router can route IP back to the local site. The configuration dialog for this is shown in figure 6-74. Remember that the passwords must be the same on both routers for CHAP to work properly. Readers will note there is no phone number in the remote router's "dialer map" statement. For the moment, we are only dialing from the local site (router name cisco-2503) to the central site (router name wan4500), never the other way. This assumes that the central router is already configured to accept dial-in ISDN calls. For this example, the Ethernet network attached to the local router is 208.213.189.0. Note how this network is routed to the IP address of the local router's BRI port.
wan4500#conf t
Enter configuration commands, one per line. End with CNTL/Z.
wan4500 (config)#username cisco-2503 password secret1
wan4500 (config)#ip route 208.213.189.0 255.255.255.0 204.176.118.226
wan4500 (config)#interface BRI0
wan4500 (config-if)#dialer map ip 204.176.118.226 name cisco-2503
wan4500 (config-if)#^Z
wan4500#
Testing the Connection
Testing the connection is actually quite easy. All you need to do is use the ping command to see if you get a response from the remote router (shown in figure 6-75). If you are on the console, you will see standard debugging information. This can be important in troubleshooting the connection for the first time. If you are not on the console, use the command "terminal monitor" from enable mode to see the same information.
cisco-2503#ping 204.176.118.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.176.118.225, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/25/28 ms
cisco-2503#
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 3496400 wan4500
cisco-2503#
If this command does not work, you will need to verify your connection and CHAP passwords. You can use debugging built into the router to help you. In order to see the output of the debugging statements, you must be on the console or enter the "terminal monitor" command in enable mode. From there, you can set different debugging options using the "debug" command (this also works from enable mode.)
You may be tempted to turn on all sorts of debugging information on your first try. Be aware that you may get more than you need, and debugging has a dramatic impact on router performance. You should try one or two debugging options to get a feel for the verbosity of their output first. When you are done use "no debug all" or "undebug all" to turn off all debugging.
You can debug the CHAP authentication session using "debug ppp authentication". If your CHAP passwords do not match, you will see output like that in figure 6-76 when trying to ping the remote side. Notice that CHAP returns a failure with the message "MD compare failed": the router recomputed the MD5 response with its own copy of the secret and got a different value, which is the clue that the passwords do not match.
cisco-2503#ping 204.176.118.225
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.176.118.225, timeout is 2 seconds:
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up.
BR0:1 PPP: Treating connection as a callout
BR0:1 PPP: Phase is AUTHENTICATING, by both
BR0:1 CHAP: O CHALLENGE id 27 len 31 from "cisco-2503"
BR0:1 CHAP: I CHALLENGE id 34 len 28 from "wan4500"
BR0:1 CHAP: O RESPONSE id 34 len 31 from "cisco-2503"
BR0:1 CHAP: I RESPONSE id 27 len 28 from "wan4500"
BR0:1 CHAP: O FAILURE id 27 len 21 msg is "MD compare failed"
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
cisco-2503#
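To show what the debug output above is recording, here is an added example (not from the book, and not Cisco code) that runs the two-way CHAP exchange of RFC 1994 between two simulated routers configured the way cisco-2503 and wan4500 are in figures 6-73 and 6-74. It reproduces the "MD compare failed" outcome when the secrets differ, and a last function shows why the secret must be strong: the secret never crosses the wire, but one captured challenge and response is enough to test guesses offline. The "Router" class, the identifier values and the small word list are constructed for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself is never sent, only this digest."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Router:
    """Just enough of a PPP peer to run CHAP in both directions. 'usernames' models
    the 'username <peer> password <secret>' lines: the key is the *peer's* hostname,
    exactly as the book configures it on each side."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = usernames
        self.pending = {}  # identifier -> challenge value we sent and still expect a response to

    def challenge(self, ident):
        """O CHALLENGE: a fresh random value, tagged with our own name."""
        value = os.urandom(16)
        self.pending[ident] = value
        return ident, value, self.hostname

    def respond(self, ident, value, challenger_name):
        """I CHALLENGE -> O RESPONSE: the secret comes from the username line that
        matches the *challenger's* name; the response carries our own name."""
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None  # no 'username <peer>' line for this challenger: cannot answer
        return ident, chap_response(ident, secret, value), self.hostname

    def verify(self, response):
        """I RESPONSE -> O SUCCESS/FAILURE: recompute with the secret stored for the
        name the peer claims, and compare in constant time."""
        if response is None:
            return "FAILURE: peer could not respond"
        ident, digest, claimed_name = response
        secret = self.usernames.get(claimed_name)
        value = self.pending.pop(ident, None)
        if secret is None or value is None:
            return "FAILURE: unknown name"
        if hmac.compare_digest(chap_response(ident, secret, value), digest):
            return "SUCCESS"
        return "FAILURE: MD compare failed"  # the message seen in 'debug ppp authentication'


def authenticate(caller, callee, caller_id=27, callee_id=34):
    """'Phase is AUTHENTICATING, by both': each side challenges the other, so a
    mismatched secret fails in both directions."""
    caller_verdict = caller.verify(callee.respond(*caller.challenge(caller_id)))
    callee_verdict = callee.verify(caller.respond(*callee.challenge(callee_id)))
    return caller_verdict, callee_verdict


def offline_guess(ident, challenge, digest, wordlist):
    """One captured challenge/response pair lets an eavesdropper test guesses offline,
    with no further contact with either router; a weak secret falls quickly."""
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == digest:
            return guess
    return None


if __name__ == "__main__":
    local = Router("cisco-2503", {"wan4500": "secret1"})
    remote = Router("wan4500", {"cisco-2503": "secret1"})
    print(authenticate(local, remote))  # ('SUCCESS', 'SUCCESS')
    remote_typo = Router("wan4500", {"cisco-2503": "secret2"})
    print(authenticate(local, remote_typo))  # both 'FAILURE: MD compare failed'
```

Two details worth noticing: the name each router sends is its own hostname, while the name it looks up is the peer's, which is why the "username" line on each box carries the other router's name; and a missing "username" line fails differently from a wrong secret, which helps when reading the debug output.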
Other useful debugging statements are:
Configuring the BRI in 700 Series Routers
Configuring the Cisco 700 series router for ISDN is much easier than using IOS in some ways. Because it is a small ISDN-to-Ethernet access router, its operating system and configuration information are already set up for this kind of connection. Assume the Ethernet port and system name have already been setup using the commands shown in figure 6-77.
> set user lan
:LAN> set ip routing on
:LAN> set ip address 204.176.117.10
:LAN> set ip netmask 255.255.255.0
:LAN> cd
> set systemname cisco766
cisco766>
Setting SPID and Directory Numbers
The first step is to make sure the Cisco 700 series can see the telco ISDN switch. Plug the telco ISDN line into the U-loop port on the back of the router. If your router only has an S/T-loop port, plug your external NT-1 into that, and plug the U-loop cable into the external NT-1. Next, configure the ISDN switch type and the SPID and directory number for both B channels into your router. The configuration dialog for this can be seen in figure 6-78.
cisco766> set switch ni-1
cisco766> set 1 spid 70328838120101
You may reboot system to register the new SPID at any time.
cisco766> set 1 directorynumber 2883812
cisco766> set 2 spid 70328838130101
You may reboot system to register the new SPID at any time.
cisco766> set 2 directorynumber 2883813
cisco766>
When you enter each SPID, the router will respond "You may reboot system to register the new SPID at any time." This is a polite way of telling you that you will need to reboot the router before the telco will register the SPIDs. You can reboot the router using the "reboot" command. When the router comes back up, you may see a message asking you to wait a bit before the SPIDs register with the telco. Once that time expires, you should see a few more messages telling you that the telco has accepted the SPIDs. An example of this is seen in figure 6-79.
Boot version 2.1(1) 11/04/96 17:33
Copyright (c) 1993-1996. All rights reserved.
POST ............ OK (1.5MB).
Validating FLASH ... OK.
Booting up ............................
01/01/1995 00:00:00 Connection 1 Opened
cisco766> 01/01/1995 00:00:00 L01 0 Started Operation
cisco766> 01/01/1995 00:00:01 L02 0 Line Activated
cisco766>
Please wait for TWAIT timer to expire in 25 seconds
Make a call to bypass this timer
01/01/1995 00:00:26 L18 1 Terminal Identifier Assigned
cisco766> 01/01/1995 00:00:26 L22 1 70328838120101 Sending SPID
cisco766> 01/01/1995 00:00:26 L18 2 Terminal Identifier Assigned
cisco766> 01/01/1995 00:00:26 L23 1 70328838120101 SPID Accepted
cisco766> 01/01/1995 00:00:26 L22 2 70328838130101 Sending SPID
cisco766> 01/01/1995 00:00:28 L19 2 Terminal Identifier Unassigned
cisco766> 01/01/1995 00:00:28 L18 2 Terminal Identifier Assigned
cisco766> 01/01/1995 00:00:28 L22 2 70328838130101 Sending SPID
cisco766> 01/01/1995 00:00:28 L23 2 70328838130101 SPID Accepted
cisco766>
You can check the status of the ISDN line at any time by using the "show status" command. If everything is setup correctly, you should see output like that in figure 6-80.
cisco766> show status
Status 01/01/1995 00:04:06
Line Status
Line Activated
Terminal Identifier Assigned SPID Accepted
Terminal Identifier Assigned SPID Accepted
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
cisco766>
Routing Not Bridging
Out of the box, there are some settings you may not want to use. The first is bridging. You can either bridge or route, but not both. Since we want to route, we must turn bridging off in the global configuration, as shown in figure 6-81.
cisco766> set bridging off
cisco766>
ISDN WAN User Profile
The next step is to create a user profile for the ISDN port. Since we are still using CHAP and validating passwords in both directions, the name of the user profile must be the name of the router we will be calling (in this case, "wan4500".) This is done using the "set user" command, as shown in figure 6-82.
cisco766> set user wan4500
New user wan4500 being created
cisco766:wan4500>
Now set the IP address, netmask, phone number to dial, and turn IP routing on. The phone numbers are added with the "set X number" command where X is the number of the B channel. If both B channels dial one number, set them to the same number. This will only work if the number you are calling automatically rolls over to the next line. If this is not the case, you will need to set them to the different numbers. If you only want to use one channel, do not set the second number. By default, multilink PPP is enabled. This is how the two B channels combine into one 128 Kbps WAN connection. Multilink PPP must also be enabled on the remote router if it is going to be used. The command dialog for this setup is shown in figure 6-83.
cisco766:wan4500> set ip address 204.176.118.234
cisco766:wan4500> set ip netmask 255.255.255.240
cisco766:wan4500> set 1 number 3496400
cisco766:wan4500> set 2 number 3496400
cisco766:wan4500> set ip routing on
cisco766:wan4500>
CHAP Authentication
Before you can successfully dial the remote router, you must add the password for the CHAP connection. Remember that the router system name for the local router is the user name, and the name of the remote router is the profile name. All that remains is to add the CHAP password to the configuration. In this case, we will use the "set ppp secret client" command as shown in figure 6-84. If we had been using the "set ppp password client" command, we would have been setting the PAP password, not the CHAP password. This password must match the one on the remote router.
cisco766:wan4500> set ppp secret client secret1
cisco766:wan4500>
You should now be able to connect to the remote router. An easy way to test this is to ping the IP address of its ISDN port. This should bring up the ISDN line, authenticate the call, and pass the ping packet. An example of this is shown in figure 6-85.
cisco766:wan4500> ping 204.176.118.225
Start sending: 01/01/1995 00:23:28 L05 0 3496400 Outgoing Call Initiated
cisco766:wan4500> 01/01/1995 00:23:29 L08 1 3496400 Call Connected
cisco766:wan4500> 01/01/1995 00:23:29 Connection 3 Add Link 1 Channel 1
cisco766:wan4500> round trip time is 2410 msec.
cisco766:wan4500>
The only thing you really care about is the round trip time. This shows that the packets made it to the other side and were answered. If you try this while the line is up, you will see much better response time, and no confusing status messages about the line coming up and channels being added to a connection. This is shown in figure 6-86.
cisco766:wan4500> ping 204.176.118.225
Start sending: round trip time is 40 msec.
cisco766:wan4500>
The Default Route
The final configuration item is to set the default route. The default route tells the router how to route packets for which it does not have an explicit route. The gateway will be the remote router, which could be a corporate ISDN hub or an ISP. This is shown in figure 6-87.
cisco766:wan4500> SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 204.176.118.225 PROPAGATE OFF COST 1
cisco766:wan4500>
Verifying ISDN Communications
If there is a problem with the ISDN line, you will notice that the light labeled NT-1 on the front of the router blinks periodically. This assumes your router has a built-in NT-1. Even if it does not blink, the light labeled Line illuminates only when the router can see the telco. These should be the first things you check to make sure the telco connection is operational.
The command "show status" will display the current state of the ISDN connection. If the line to the telco is not working properly, you will see output like that shown in figure 6-88. Notice that the line status is deactivated.
cisco766> show status
Status 01/01/1995 00:01:02
Line Status
Line DeActivated
Terminal Identifier Unassigned
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
cisco766>
If the line is connected but the wrong switch type or SPIDs are set, the line shows as activated while the terminal identifiers remain unassigned. By default, the switch type is set to 5ESS. If this is not the type of switch you have and you do not change the switch type, you will see output like figure 6-89.
cisco766> show status
Status 01/01/1995 00:01:57
Line Status
Line Activated
Terminal Identifier Unassigned
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
cisco766>
Proper configuration shows the SPIDs accepted by the telco ISDN switch, as seen in figure 6-90.
cisco766> show status
Status 01/01/1995 00:36:52
Line Status
Line Activated
Terminal Identifier Assigned SPID Accepted
Terminal Identifier Assigned SPID Accepted
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
cisco766:wan4500>
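To turn the three "show status" outputs above into an automatic health check, here is an added example (not code from the book or from Cisco) that classifies the output into the three cases just described and reports the per-channel state. The sample strings are transcribed from figures 6-88 to 6-90, not captured from a live router.

```python
import re

# Constructed samples transcribed from the three "show status" figures
# above (6-88, 6-89 and 6-90); not captured from a live router.
LINE_DOWN = """\
Status 01/01/1995 00:01:02
Line Status
Line DeActivated
Terminal Identifier Unassigned
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
"""
WRONG_SWITCH = LINE_DOWN.replace("Line DeActivated", "Line Activated")
READY = """\
Status 01/01/1995 00:36:52
Line Status
Line Activated
Terminal Identifier Assigned SPID Accepted
Terminal Identifier Assigned SPID Accepted
Port Status Interface Connection Link
Ch: 1 Waiting for Call
Ch: 2 Waiting for Call
"""

def isdn_status(show_status):
    """Classify Cisco 700-series 'show status' output.

    state is 'line-down' (BRI not activated: check the NT-1/telco side),
    'spids-not-accepted' (line up but no SPID accepted: check the switch
    type and SPIDs) or 'ready' (at least one SPID accepted).
    """
    text = show_status.lower()
    if re.search(r"^\s*line\s+deactivated\s*$", text, re.M):
        state, accepted = "line-down", 0
    elif re.search(r"^\s*line\s+activated\s*$", text, re.M):
        accepted = len(re.findall(r"spid accepted", text))
        state = "ready" if accepted else "spids-not-accepted"
    else:
        raise ValueError("no Line Activated/DeActivated line in output")
    # Per-B-channel state, e.g. {1: 'Waiting for Call', 2: 'Waiting for Call'}
    channels = {int(n): s.strip() for n, s in
                re.findall(r"^\s*ch:\s*(\d)\s+(.*)$", show_status, re.M | re.I)}
    return {"state": state, "accepted_spids": accepted, "channels": channels}
```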
Actual Configurations
Actual configurations are your best guide to seeing how fully integrated routers work in real networks. In this chapter, we prepared our routers for basic configurations, but we also connected to an existing router with a much more advanced setup. The actual setups of those routers are shown here.
As has already been stated, for security reasons you should remove any sensitive information when sending router configurations. Printing them in a book is no different. All passwords, phone numbers, and site names have been changed.
2503 IOS Router Setup for ISDN and T1 Connection
This router was set up for a basic IOS T1 and ISDN connection. You can see all the changes to the basic setup in the configurations above. The complete configuration file is shown in figure 6-91.
!
version 11.2
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname cisco-2503
!
enable secret 5 NOT_SHOWN
!
username wan4500 password 7 NOT_SHOWN
ip domain-name abc.com
ip name-server 199.29.53.67
ip name-server 199.29.53.118
isdn switch-type basic-ni1
!
interface Ethernet0
ip address 204.176.117.9 255.255.255.0
no ip route-cache
no ip mroute-cache
!
interface Serial0
ip address 204.176.118.22 255.255.255.252
no ip route-cache
no ip mroute-cache
!
interface Serial1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
ip address 204.176.118.230 255.255.255.240
encapsulation ppp
no ip route-cache
no ip mroute-cache
isdn spid1 70328838120101 2883812
isdn spid2 70328838130101 2883813
dialer map ip 204.176.118.225 name wan4500 3496400
dialer-group 1
compress stac
no cdp enable
ppp authentication chap
!
no ip classless
ip route 0.0.0.0 0.0.0.0 204.176.118.225
snmp-server community NOT_SHOWN RO
snmp-server community NOT_SHOWN RW
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line aux 0
transport input all
line vty 0 4
password 7 NOT_SHOWN
login
!
end
766 ISDN Dial-Up to IOS ISDN Router
This Cisco 766 router configuration was the actual configuration used to connect to the router named wan4500. Many of the items shown are system defaults. The complete configuration is listed in Figure 6-92.
CD
SET SCREENLENGTH 20
SET COUNTRYGROUP 1
SET LAN MODE ANY
SET WAN MODE ONLY
SET AGE OFF
SET MULTIDESTINATION OFF
SET SWITCH NI-1
SET 1 SPID 70328838120101
SET 1 DIRECTORYNUMBER 2883812
SET 2 SPID 70328838130101
SET 2 DIRECTORYNUMBER 2883813
SET AUTODETECTION OFF
SET CONFERENCE 60
SET TRANSFER 61
SET 1 DELAY 30
SET 2 DELAY 30
SET BRIDGING OFF
SET LEARN ON
SET PASSTHRU OFF
SET SPEED AUTO
SET PLAN NORMAL
SET 1 AUTO ON
SET 2 AUTO ON
SET 1 NUMBER
SET 2 NUMBER
SET 1 BACKUPNUMBER
SET 2 BACKUPNUMBER
SET 1 RINGBACK
SET 2 RINGBACK
SET 1 CLIVALIDATENUMBER
SET 2 CLIVALIDATENUMBER
SET CLICALLBACK OFF
SET CLIAUTHENTICATION OFF
SET SYSTEMNAME cisco766
LOG CALLS TIME VERBOSE
SET UNICASTFILTER OFF
DEMAND 1 THRESHOLD 0
DEMAND 2 THRESHOLD 48
DEMAND 1 DURATION 1
DEMAND 2 DURATION 1
DEMAND 1 SOURCE LAN
DEMAND 2 SOURCE BOTH
TIMEOUT 1 THRESHOLD 0
TIMEOUT 2 THRESHOLD 48
TIMEOUT 1 DURATION 0
TIMEOUT 2 DURATION 0
TIMEOUT 1 SOURCE LAN
TIMEOUT 2 SOURCE BOTH
SET REMOTEACCESS PROTECTED
SET LOCALACCESS ON
SET CLICKSTART ON
SET LOGOUT 5
SET CALLERID OFF
SET PPP AUTHENTICATION IN CHAP PAP
SET PPP CHAPREFUSE NONE
SET PPP AUTHENTICATION OUT NONE
SET PPP TAS CLIENT 0.0.0.0
SET PPP TAS CHAPSECRET LOCAL ON
SET PPP CALLBACK REQUEST OFF
SET PPP CALLBACK REPLY OFF
SET PPP NEGOTIATION INTEGRITY 10
SET PPP NEGOTIATION COUNT 10
SET PPP NEGOTIATION RETRY 3000
SET PPP TERMREQ COUNT 2
SET PPP MULTILINK ON
SET COMPRESSION STAC
SET PPP BACP ON
SET PPP ADDRESS NEGOTIATION LOCAL OFF
SET IP PAT UDPTIMEOUT 5
SET IP PAT TCPTIMEOUT 30
SET CALLDURATION 0
SET SNMP CONTACT ""
SET SNMP LOCATION ""
SET SNMP TRAP COLDSTART OFF
SET SNMP TRAP WARMSTART OFF
SET SNMP TRAP LINKDOWN OFF
SET SNMP TRAP LINKUP OFF
SET SNMP TRAP AUTHENTICATIONFAIL OFF
SET DHCP OFF
SET DHCP DOMAIN
SET DHCP NETBIOS_SCOPE
SET VOICEPRIORITY INCOMING INTERFACE PHONE1 ALWAYS
SET VOICEPRIORITY OUTGOING INTERFACE PHONE1 ALWAYS
SET CALLWAITING INTERFACE PHONE1 ON
SET VOICEPRIORITY INCOMING INTERFACE PHONE2 ALWAYS
SET VOICEPRIORITY OUTGOING INTERFACE PHONE2 ALWAYS
SET CALLWAITING INTERFACE PHONE2 ON
SET CALLTIME VOICE INCOMING OFF
SET CALLTIME VOICE OUTGOING OFF
SET CALLTIME DATA INCOMING OFF
SET CALLTIME DATA OUTGOING OFF
SET USER LAN
SET IP ROUTING ON
SET IP ADDRESS 204.176.117.10
SET IP NETMASK 255.255.255.0
SET IP FRAMING ETHERNET_II
SET IP PROPAGATE ON
SET IP COST 1
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET USER Internal
SET IP FRAMING ETHERNET_II
SET USER Standard
SET PROFILE ID 000000000000
SET PROFILE POWERUP ACTIVATE
SET PROFILE DISCONNECT KEEP
SET IP ROUTING ON
SET IP ADDRESS 0.0.0.0
SET IP NETMASK 0.0.0.0
SET IP FRAMING NONE
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET USER wan4500
SET PROFILE ID 000000000000
SET PROFILE POWERUP ACTIVATE
SET PROFILE DISCONNECT KEEP
SET 1 NUMBER 3496400
SET 2 NUMBER 3496400
SET PPP SECRET CLIENT ENCRYPTED 15010e0f162f3f75
SET IP ROUTING ON
SET IP ADDRESS 204.176.118.234
SET IP NETMASK 255.255.255.240
SET IP FRAMING NONE
SET IP PROPAGATE ON
SET IP COST 1
SET IP RIP RECEIVE V1
SET IP RIP UPDATE OFF
SET IP RIP VERSION 1
SET IP ROUTE DEST 0.0.0.0/0 GATEWAY 204.176.118.225 PROPAGATE OFF COST 1
CD
LOGOUT
IOS ISDN BRI Router
A medium-sized corporate core router might use this type of setup. In this case, the router is a Cisco 4500 with an 8-port BRI card, dual Ethernet, and four high-speed serial cards. The complete configuration is shown in figure 6-93.
!
version 11.2
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname wan4500
!
enable secret 5 NOT_SHOWN
enable password 7 NOT_SHOWN
!
username wan4500 password 7 NOT_SHOWN
username sitea password 7 NOT_SHOWN
username cisco-2503 password 7 NOT_SHOWN
username cisco766 password 7 NOT_SHOWN
no ip source-route
ip domain-name abc.com
ip name-server 199.29.53.67
ip name-server 199.29.53.118
isdn switch-type basic-ni1
!
interface Ethernet0
ip address 199.29.53.55 255.255.255.0
media-type 10BaseT
!
interface Serial0
description To Chantilly Warehouse
ip address 204.176.118.21 255.255.255.252
bandwidth 1536
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface BRI0
description Full time centrex connection to Site A
ip address 204.176.118.45 255.255.255.252
no ip mroute-cache
encapsulation ppp
isdn spid1 7186418419100 6418419
isdn spid2 7186418422100 6418422
peer default ip address 204.176.118.46
dialer idle-timeout 86400
dialer map ip 204.176.118.46 name sitea broadcast
dialer-group 2
no fair-queue
no cdp enable
ppp authentication chap
ppp multilink
!
interface BRI1
ip unnumbered Dialer1
no ip mroute-cache
encapsulation ppp
isdn spid1 71834964000101 3496400
isdn spid2 71834964010101 3496401
no peer default ip address
dialer rotary-group 1
dialer-group 1
no fair-queue
compress stac
no cdp enable
!
interface BRI2
ip unnumbered Dialer1
no ip mroute-cache
encapsulation ppp
isdn spid1 71834964020101 3496402
isdn spid2 71834964030101 3496403
no peer default ip address
dialer rotary-group 1
dialer-group 1
no fair-queue
compress stac
no cdp enable
!
interface BRI3
ip unnumbered Dialer1
no ip mroute-cache
encapsulation ppp
isdn spid1 71834264220101 3426422
isdn spid2 71834264350101 3426435
no peer default ip address
dialer rotary-group 1
dialer-group 1
no fair-queue
compress stac
no cdp enable
!
interface BRI4
ip unnumbered Dialer1
no ip mroute-cache
encapsulation ppp
isdn spid1 71834264690101 3426469
isdn spid2 71834264140101 3426414
no peer default ip address
dialer rotary-group 1
dialer-group 1
no fair-queue
compress stac
no cdp enable
!
interface BRI5
no ip address
shutdown
!
interface BRI6
no ip address
shutdown
!
interface BRI7
no ip address
shutdown
!
interface Dialer1
ip address 204.176.118.225 255.255.255.240
ip tcp header-compression passive
no ip mroute-cache
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer map ip 204.176.118.230 name cisco-2503
dialer map ip 204.176.118.231 name sitea
dialer map ip 204.176.118.234 name cisco766
dialer-group 1
no fair-queue
compress stac
no cdp enable
ppp authentication chap
ppp multilink
!
router rip
redistribute static
network 204.176.118.0
network 199.29.53.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 199.29.53.4
ip route 204.176.118.20 255.255.255.252 Serial0
ip route 204.176.118.200 255.255.255.248 204.176.118.231
!
snmp-server community NOT_SHOWN RO
snmp-server community NOT_SHOWN RW
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
line con 0
length 22
line aux 0
transport input all
line vty 0 4
password 7 NOT_SHOWN
login
transport preferred none
!
end
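As an added consistency check (example code, not from the book or from Cisco) tying the CHAP naming rule from figure 6-84 to these listings: every name in a hub "dialer map ... name" must have a matching "username" entry, every PPP dial interface (or, for a rotary-group member, the Dialer interface it takes its PPP settings from) must require CHAP, and the 766's SET SYSTEMNAME and SET USER profile must line up with the hub's username and hostname. The excerpts are constructed in the style of the listings above; the 766 sample carries only the remote profile, not the LAN and Standard profiles.

```python
import re
# Constructed excerpts in the style of the configurations above, not the book's listings.
HUB_CONF = """\
hostname wan4500
username cisco766 password 7 NOT_SHOWN
interface BRI1
 encapsulation ppp
 dialer rotary-group 1
interface Dialer1
 encapsulation ppp
 dialer map ip 204.176.118.234 name cisco766
 ppp authentication chap
"""
C766_CONF = "SET SYSTEMNAME cisco766\nSET USER wan4500\n"

def interfaces(text):
    """Map interface name -> its lines; a block ends at '!' or the next interface."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif line in ("!", ""):
            cur = None
        elif cur is not None:
            cur.append(line)
    return ifaces

def chap_findings(hub_text, c766_text):
    """List CHAP naming/authentication inconsistencies between the two configs."""
    ifaces = interfaces(hub_text)
    users = set(re.findall(r"^\s*username (\S+)", hub_text, re.M))
    hostname = re.search(r"^\s*hostname (\S+)", hub_text, re.M).group(1)
    out = []
    for name, lines in ifaces.items():
        if "encapsulation ppp" not in lines:
            continue
        # Rotary-group members take their PPP settings from the Dialer interface.
        rg = [l.split()[-1] for l in lines if l.startswith("dialer rotary-group ")]
        effective = lines + (ifaces.get("Dialer" + rg[0], []) if rg else [])
        if "ppp authentication chap" not in effective:
            out.append(f"{name}: PPP without CHAP authentication")
        for peer in re.findall(r"dialer map ip \S+ name (\S+)", "\n".join(lines)):
            if peer not in users:
                out.append(f"{name}: no username for CHAP peer {peer}")
    # 766 side: SET SYSTEMNAME is the user name it presents; SET USER is the hub's hostname.
    c766 = dict(re.findall(r"^SET (SYSTEMNAME|USER) (\S+)$", c766_text, re.M))
    if c766.get("SYSTEMNAME") not in users:
        out.append(f"766: system name {c766.get('SYSTEMNAME')} is not a hub username")
    if c766.get("USER") != hostname:
        out.append(f"766: profile {c766.get('USER')} does not match hub hostname")
    return out
```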