Cisco Router 800 Series Software Configuration Guide
Cisco 800 Series Software Configuration Guide, 78-5372-06
Chapter 7: Router Feature Configuration

Configuring IGMP Proxy and Sparse Mode

Step 7   Command: ip address {ip-address subnet-mask | negotiated}
         Task: Specify an IP address and subnet mask for the dialer interface, or indicate that the IP address is to be negotiated.

Step 8   Command: ip pim {sparse-mode | dense-mode}
         Task: Configure the dialer interface for PIM sparse mode or PIM dense mode.

Step 9   Command: ip igmp mroute-proxy loopback 0
         Task: When used with the ip igmp proxy-service command, this command enables all forwarding entries in the multicast forward table of IGMP to report to a proxy service interface.

Step 10  Command: end
         Task: Exit router configuration mode.

Step 11  Command: interface loopback 0
         Task: Enter loopback interface configuration mode.

Step 12  Command: ip address ip-address subnet-mask
         Task: Configure an IP address and subnet mask for the loopback 0 interface.

Step 13  Command: ip pim sparse-mode
         Task: Configure the loopback interface for PIM sparse mode or PIM dense mode.

Step 14  Command: ip igmp helper-address udl ethernet 0
         Task: Enter IGMP helper-address unidirectional link to Ethernet 0.

Step 15  Command: ip igmp proxy-service
         Task: Enable the multicast route proxy service. Based on the IGMP query interval, the router periodically checks the mroute table for forwarding entries that match interfaces configured with the ip igmp mroute-proxy command. Where there is a match, one IGMP report is created and received on this interface. This command is intended to be used with the ip igmp helper-address udl command, which forwards the IGMP report to an upstream router.

Configuration Example

The following example shows the relevant IGMP proxy and sparse mode commands. The Ethernet 0, Ethernet 1, and loopback 0 interfaces have been configured for PIM sparse mode; the PIM RP address has been defined as 10.5.1.1.

ip pim rp-address 10.5.1.1 5
access-list 5 permit 239.0.0.0 255.255.255.255
!
interface loopback 0
 ip address 10.7.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp helper-address udl ethernet 0
 ip igmp proxy-service
!
interface ethernet 0
 ip address 10.2.1.2 255.255.255.0
 ip pim sparse-mode
 ip igmp unidirectional-link
!
interface ethernet 1
 ip address 10.5.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp mroute-proxy loopback 0
!

Verifying Your Configuration

You can verify your configuration by using the show ip igmp interface ethernet 0 multicasting command. You should see a verification output similar to the following:

router#show ip igmp interface ethernet 0
Ethernet0 is up, line protocol is up
  Internet address is 10.2.1.2 255.255.255.0
  IGMP is enabled on interface
  Current IGMP host version is 2
  Current IGMP router version is 2
  IGMP query interval is 60 seconds
  IGMP querier timeout is 120 seconds
  IGMP max query response time is 10 seconds
  Last member query response interval is 1000 ms
  Inbound IGMP access group is not set
  IGMP activity: 1 joins, 0 leaves
  Multicast routing is enabled on interface
  Multicast designated router (DR) is 10.2.1.2 (this system)
  IGMP querying router is 10.2.1.2 (this system)
  Multicast groups joined (number of users):
      224.0.1.40 (1)

Configuring IP Security and GRE Tunneling

IP Security (IPSec) provides secure tunnels between two peers, such as two routers. You can define which packets are to be considered sensitive and sent through these secure tunnels. You can also define the parameters that should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

This section contains the following topics:

  Configuring Internet Protocol Parameters
  Configuring an Access List
  Configuring IPSec
  Configuring a GRE Tunnel Interface
  Configuring the Ethernet Interface
  Configuring Static Routes
  Configuring and Monitoring High-Speed Crypto
  Configuration Example

Configurations for both IPSec and Generic Routing Encapsulation (GRE) tunneling are presented in this section. Perform the following steps to configure IPSec using a GRE tunnel, beginning in global configuration mode.

For general IPSec configuration, go to: www.cisco.com/warp/public/707/index.shtml#ipsec

Configuring Internet Protocol Parameters

Complete the following steps to configure IP parameters, starting in global configuration mode.

Step 1   Command: ip subnet-zero
         Task: Configure the router to recognize the zero subnet range as the valid range of addresses.

Step 2   Command: no ip finger
         Task: Block incoming IP finger packets.

Step 3   Command: no ip domain-lookup
         Task: Prevent the router from interpreting unfamiliar words (typographical errors) entered during a console session as host names.

Step 4   Command: ip classless
         Task: Follow classless routing forwarding rules.

Configuring an Access List

Use the access-list command to create an access list that permits the GRE protocol and that specifies the starting and ending IP addresses of the GRE tunnel. Use the following syntax:

access-list 101 permit gre host ip-address host ip-address

In the preceding command line, the first host ip-address specifies the tunnel starting point, and the second host ip-address specifies the tunnel end point.

Configuring IPSec

Follow the steps below to configure IPSec, starting in global configuration mode.

Step 1   Command: crypto isakmp policy 10
         Task: Define an Internet Key Exchange (IKE) policy, and assign the policy a priority. This command places the router in IKE policy configuration mode.

Step 2   Command: hash md5
         Task: Specify the md5 hash algorithm for the policy.

Step 3   Command: authentication pre-share
         Task: Specify a pre-shared key as the authentication method.

Step 4   Command: exit
         Task: Exit IKE policy configuration mode.

Step 5   Command: crypto isakmp key name address ip-address
         Task: Configure a pre-shared key and static IP address for each VPN client.

Step 6   Command: crypto ipsec transform-set name esp-des esp-md5-hmac
         Task: Define a combination of security associations to occur during IPSec negotiations.

Step 7   Command: crypto map name local-address ethernet 1
         Task: Create a crypto map, and specify and name an identifying interface to be used by the crypto map for IPSec traffic.

Step 8   Command: crypto map name seq-num ipsec-isakmp
         Task: Enter crypto map configuration mode, and create a crypto map entry in IPSec ISAKMP mode.

Step 9   Command: set peer ip-address
         Task: Identify the remote IPSec peer.

Step 10  Command: set transform-set name
         Task: Specify the transform set to be used.

Step 11  Command: match address access-list-id
         Task: Specify an extended access list for the crypto map entry.

Step 12  Command: exit
         Task: Exit crypto map configuration mode.

Configuring a GRE Tunnel Interface

Follow the steps below to configure the generic routing encapsulation (GRE) tunnel interface, starting in global configuration mode.

Step 1   Command: interface tunnel 0
         Task: Configure the tunnel 0 interface.

Step 2   Command: ip address ip-address subnet-mask
         Task: Set the IP address and subnet mask for the tunnel 0 interface.

Step 3   Command: tunnel source ethernet 1
         Task: Specify the Ethernet 1 interface as the tunnel source.

Step 4   Command: tunnel destination default-gateway-ip-address
         Task: Specify the default gateway as the tunnel destination.

Step 5   Command: crypto map name
         Task: Associate a configured crypto map to the tunnel 0 interface.

Step 6   Command: exit
         Task: Exit the tunnel 0 interface configuration.

Configuring the Ethernet Interfaces

Perform the following tasks to configure the Ethernet 0 and Ethernet 1 interfaces, starting in global configuration mode.

Step 1   Command: interface ethernet 0
         Task: Configure the Ethernet 0 interface.

Step 2   Command: ip address ip-address subnet-mask
         Task: Set the IP address and subnet mask for the Ethernet 0 interface.

Step 3   Command: exit
         Task: Exit the Ethernet 0 interface configuration.

Step 4   Command: interface ethernet 1
         Task: Configure the Ethernet 1 interface.

Step 5   Command: ip address ip-address subnet-mask
         Task: Set the IP address and subnet mask for the Ethernet 1 interface.

Step 6   Command: crypto map name
         Task: Associate a crypto map with the Ethernet 1 interface.

Step 7   Command: end
         Task: Exit router configuration mode.

Configuring Static Routes

Complete the following steps to configure static routes, starting in global configuration mode.

Step 1   Command: ip route default-gateway-ip-address mask ethernet 1
         Task: Create a static route for the Ethernet 1 interface.

Step 2   Command: ip route default-gateway-ip-address mask tunnel 0
         Task: Create a static route for the tunnel 0 interface.

Step 3   Command: ip route default-gateway-ip-address mask gateway-of-last-resort
         Task: Create a static route to the gateway of last resort.

Step 4   Command: end
         Task: Exit router configuration mode.

Configuring and Monitoring High-Speed Crypto

Use the following command to enable high-speed crypto, starting with global configuration mode.

    crypto engine accelerator

To disable high-speed crypto, use the following command:

    no crypto engine accelerator

To monitor high-speed crypto, use the following command:

    show crypto engine accelerator statistic

For more information on configuring IPSec, refer to the Cisco IOS Security Configuration Guide.

Configuration Example

This configuration example for the Cisco 831 router shows IPSec being used over a GRE tunnel. The example also applies to a Cisco SOHO 91 router. You do not need to enter the commands marked “default.” These commands appear automatically in the configuration file that is generated when you use the show running-config command.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 831-uut1
!
memory-size iomem 10
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
! IKE policy and the pre-shared key for the remote peer
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key grel address 100.1.1.1
!
crypto ipsec security-association lifetime seconds 86400
!
! Transform set referenced by the crypto map entry below
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
! Crypto map entry: peer, transform set, and the access list selecting GRE traffic
crypto map mymap local-address Ethernet1
crypto map mymap 1 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set strong
 match address 151
!
!
!
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 tunnel source Ethernet1
 tunnel destination 100.1.1.1
 crypto map mymap
!
interface Ethernet0
 ip address 202.2.2.2 255.255.255.0
 hold-queue 100 out
!
interface Ethernet1
 ip address 100.1.1.1 255.255.255.0
 crypto map mymap
!
ip classless
ip route 200.1.1.0 255.255.255.0 Tunnel0
ip http server
!
!
access-list 151 permit gre host 100.1.1.2 host 100.1.1.1
!
line con 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
!
scheduler max-task-time 5000

The following example shows IPSec configuration on a Cisco 837 router.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 837-uutl
!
memory-size iomem 10
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key grel address 100.1.1.1
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map mymap local-address ATM0
crypto map mymap 1 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set strong
 match address 151
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 ip mtu 1440
 tunnel source ATM0
 tunnel destination 100.1.1.1
 crypto map mymap
!
interface Ethernet0
 ip address 202.2.2.2 255.255.255.0
 hold-queue 100 out
!
interface ATM0
 ip address 100.1.1.2 255.255.255.0
 no atm ilmi-keepalive
 pvc 1/40
  protocol ip 100.1.1.1 broadcast
  encapsulation aal5snap
 !
 dsl operating-mode auto
 crypto map mymap
!
ip classless
ip route 200.1.1.0 255.255.255.0 Tunnel0
ip http server
ip pim bidir-enable

Configuring Multilink PPP Fragmentation and Interleaving

You should configure multilink PPP fragmentation if you have a point-to-point connection using PPP encapsulation or if you have links slower than your network. PPP support for interleaving can be configured on a dialer interface.

Follow the steps below to configure multilink PPP and interleaving on a dialer interface, beginning in global configuration mode.

Step 1   Command: interface dialer
         Task: Enter configuration mode for the dialer interface.

Step 2   Command: ppp multilink
         Task: Enable multilink PPP for the dialer interface.
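
An added example, not part of the Cisco guide: a short Python audit of the crypto map wiring that the IPSec steps and the Cisco 831 and 837 configuration examples in this section set up. It checks that each crypto map entry's peer has a pre-shared key, that its transform set and access list are defined, and that a map applied to an interface has entries; the sample configuration, the function name audit_crypto_maps and the WEAK set are assumptions made for illustration.

```python
import re

# Constructed sample modelled on this page's Cisco 831 example, mis-wired on purpose.
SAMPLE_CONFIG = """\
crypto isakmp key grel address 100.1.1.1
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set legacy esp-des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 100.1.1.1
 set transform-set strong
 match address 151
crypto map mymap 2 ipsec-isakmp
 set peer 100.1.1.9
 set transform-set legacy
 match address 152
interface Ethernet1
 crypto map mymap
interface Tunnel0
 crypto map tunmap
access-list 151 permit gre host 100.1.1.2 host 100.1.1.1
"""
WEAK = {"esp-des", "esp-md5-hmac"}  # assumption: adjust to local policy

def audit_crypto_maps(config):
    """Return findings for the crypto map wiring in an IOS configuration."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    tsets = {n: t.split() for n, t in re.findall(
        r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)[ \t]*$", config, re.M))
    # An entry is its header line plus the indented sub-commands under it.
    entries = re.findall(
        r"^crypto map (\S+) (\d+) ipsec-isakmp[ \t]*\n((?: .*\n?)*)", config, re.M)
    findings = [f"{m}: applied to an interface but has no entries"
                for m in sorted(applied - {e[0] for e in entries})]
    for name, seq, body in entries:
        opt = dict(re.findall(
            r"^ (?:set |match )(peer|transform-set|address) (\S+)", body, re.M))
        peer, ts, acl = (opt.get(k) for k in ("peer", "transform-set", "address"))
        weak = sorted(WEAK.intersection(tsets.get(ts, [])))
        if peer not in keys:
            findings.append(f"{name} {seq}: no pre-shared key for peer {peer}")
        if ts not in tsets:
            findings.append(f"{name} {seq}: transform set {ts} is not defined")
        elif weak:
            findings.append(f"{name} {seq}: transform set {ts} uses {', '.join(weak)}")
        if acl not in acls:
            findings.append(f"{name} {seq}: access list {acl} is not defined")
    return findings
```

Calling audit_crypto_maps on the text of a saved show running-config returns a list of findings; an empty list means every crypto map entry resolves to a key, a transform set and an access list.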