    1-9
    Cisco 800 Series Software Configuration Guide
    78-5372-06
    Chapter 1      Concepts
    PPP Authentication Protocols
    RIP, refer to the Cisco IOS 12.0(1)T documentation set. For information on 
    accessing the documentation, see the “References to Cisco IOS Documentation 
    Set” on page xxi.
    EIGRP
    EIGRP is an advanced Cisco proprietary distance-vector and link state routing 
    protocol, which means it uses a metric more sophisticated than distance (hop 
    count) for route selection. Enhanced IGRP uses a metric based on a successor, 
    which is a neighboring router that has a least-cost path to a destination that is 
    guaranteed not to be part of a routing loop. If a successor for a particular 
    destination does not exist but neighbors advertise the destination, the router must 
    recompute a route.
    Each router running Enhanced IGRP sends hello packets every 5 seconds to 
    inform neighboring routers that it is functioning. If a particular router does not 
    send a hello packet within a prescribed period, Enhanced IGRP assumes that the 
    state of a destination has changed and sends an incremental update.
    Because Enhanced IGRP supports IP, you can use one routing protocol for 
    multi-protocol network environments, minimizing the size of the routing tables 
    and the amount of routing information.
    PPP Authentication Protocols
    The Point-to-Point Protocol (PPP) encapsulates network layer protocol 
    information over point-to-point links. 
    PPP originally emerged as an encapsulation protocol for transporting IP traffic 
    over point-to-point links. PPP also established a standard for the assignment and 
    management of IP addresses, asynchronous (start/stop) and bit-oriented 
    synchronous encapsulation, network protocol multiplexing, link configuration, 
    link quality testing, error detection, and option negotiation for such capabilities 
    as network-layer address negotiation and data-compression negotiation. 
    PPP supports these functions by providing an extensible Link Control Protocol 
    (LCP) and a family of Network Control Protocols (NCPs) to negotiate optional 
    configuration parameters and facilities. 
    						
    							 
    The current implementation of PPP supports two security authentication protocols 
    to authenticate a PPP session:
    • Password Authentication Protocol (PAP)
    • Challenge Handshake Authentication Protocol (CHAP)
    PPP with PAP or CHAP authentication is often used to inform the central site 
    which remote routers are connected to it. 
    PAP
    PAP uses a two-way handshake to verify the passwords between routers. To 
    illustrate how PAP works, imagine a network topology in which a remote office 
    Cisco 827 router is connected to a corporate office Cisco 3600 router. After the 
    PPP link is established, the remote office router repeatedly sends a configured 
    username and password until the corporate office router accepts the 
    authentication. 
    PAP has the following characteristics:
    • The password portion of the authentication is sent across the link in clear text 
      (not scrambled or encrypted). 
    • PAP provides no protection from playback or repeated trial-and-error attacks. 
    • The remote office router controls the frequency and timing of the 
      authentication attempts.
    CHAP
    CHAP uses a three-way handshake to verify passwords. To illustrate how CHAP 
    works, imagine a network topology in which a remote office Cisco 827 router is 
    connected to a corporate office Cisco 3600 router. 
    After the PPP link is established, the corporate office router sends a challenge 
    message to the remote office router. The remote office router responds with a 
    variable value. The corporate office router checks the response against its own 
    calculation of the value. If the values match, the corporate office router accepts 
    the authentication. The authentication process can be repeated any time after the 
    link is established. 
    						
    							 
    CHAP has the following characteristics:
    • The authentication process uses a variable challenge value rather than a 
      password.
    • CHAP protects against playback attack through the use of the variable 
      challenge value, which is unique and unpredictable. Repeated challenges 
      limit the time of exposure to any single attack.
    • The corporate office router controls the frequency and timing of the 
      authentication attempts.
    Note: Cisco recommends using CHAP because it is the more secure of the two 
    protocols. 
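    The PAP and CHAP exchanges described above, modelled in Python as an added example 
    that is not part of this guide or of Cisco IOS. The two routers are represented as 
    objects; CHAP uses the MD5 response defined in RFC 1994 (MD5 over the identifier, the 
    shared secret and the challenge) and PAP uses the Authenticate-Request layout of 
    RFC 1334. The shared secret, the usernames and the 16-byte challenge length are 
    constructed values for the example.

```python
import hashlib
import secrets
import struct

# Constructed secret for this example. Under CHAP it is configured on both routers
# and never crosses the link; under PAP the password travels in clear text.
SHARED_SECRET = b"example-chap-secret"


def pap_authenticate_request(identifier, peer_id, password):
    """Build a PAP Authenticate-Request (RFC 1334, Code 1).

    Layout: Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID
            Passwd-Length(1) Password. The password is readable by anyone
            who can observe the link, which is the weakness the guide notes.
    """
    peer_id = peer_id.encode()
    password = password.encode()
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response_value(identifier, secret, challenge):
    """CHAP MD5 response value: MD5(Identifier || secret || Challenge), RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Corporate office router: issues challenges and verifies responses."""

    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}   # identifier -> challenge value awaiting a response

    def challenge(self):
        """Send a CHAP Challenge with a fresh, unpredictable 16-byte value."""
        self.identifier = (self.identifier + 1) % 256
        value = secrets.token_bytes(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier, response):
        """Compare the peer's Response against the locally computed digest.

        The challenge is consumed on use, so a response captured from one
        handshake cannot be replayed against a later one.
        """
        value = self.outstanding.pop(identifier, None)
        if value is None:
            return False
        expected = chap_response_value(identifier, self.secret, value)
        return secrets.compare_digest(expected, response)


class Peer:
    """Remote office router: answers challenges with its configured secret."""

    def __init__(self, secret):
        self.secret = secret

    def respond(self, identifier, challenge):
        return chap_response_value(identifier, self.secret, challenge)


def run_handshake(authenticator, peer):
    """Three-way handshake: Challenge -> Response -> Success or Failure."""
    identifier, value = authenticator.challenge()
    response = peer.respond(identifier, value)
    return authenticator.verify(identifier, response)


def replay_is_rejected(authenticator, peer):
    """Capture one valid Response, then try to reuse it for a later challenge."""
    identifier, value = authenticator.challenge()
    captured = peer.respond(identifier, value)
    assert authenticator.verify(identifier, captured)      # the genuine exchange succeeds
    new_identifier, _ = authenticator.challenge()          # link re-authenticates later
    return not authenticator.verify(new_identifier, captured)


if __name__ == "__main__":
    print("CHAP handshake:", run_handshake(Authenticator(SHARED_SECRET), Peer(SHARED_SECRET)))
    print("replay rejected:", replay_is_rejected(Authenticator(SHARED_SECRET), Peer(SHARED_SECRET)))
    print("PAP request bytes:", pap_authenticate_request(1, "remote", "pass123"))
```

    The replay check is the point of the variable challenge: the captured Response is a 
    digest over one specific challenge value, so it is useless once a new challenge has 
    been issued, whereas the PAP request carries the reusable password itself.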
    TACACS+
    Cisco 800 series routers support the Terminal Access Controller Access Control 
    System Plus (TACACS+) protocol through Telnet. TACACS+ is a Cisco 
    proprietary authentication protocol that provides remote access authentication 
    and related network security services, such as event logging. User passwords are 
    administered in a central database rather than in individual routers. TACACS+ 
    also provides support for separate modular authentication, authorization, and 
    accounting (AAA) facilities that are configured at individual routers.
    Network Interfaces 
    This section describes the network interface protocols that Cisco 800 series 
    routers support. The following network interface protocols are supported:
    • Ethernet 
    • ATM
    • ISDN 
    						
    							 
    Ethernet 
    Ethernet is a baseband LAN protocol that transports data and voice packets to the 
    WAN interface using carrier sense multiple access collision detect (CSMA/CD). 
    The term Ethernet is now often used to refer to all CSMA/CD LANs. Ethernet was 
    designed to serve in networks with sporadic, occasionally heavy traffic 
    requirements, and the IEEE 802.3 specification was developed in 1980 based on 
    the original Ethernet technology. 
    Under the Ethernet CSMA/CD media-access process, any host on a CSMA/CD 
    LAN can access the network at any time. Before sending data, CSMA/CD hosts 
    listen for traffic on the network. A host wanting to send data waits until it detects 
    no traffic before it transmits. Ethernet allows any host on the network to transmit 
    whenever the network is quiet. A collision occurs when two hosts listen for 
    traffic, hear none, and then transmit simultaneously. In this situation, both 
    transmissions are damaged, and the hosts must retransmit at some later time. 
    Algorithms determine when the colliding hosts should retransmit.
    ATM
    Asynchronous Transfer Mode (ATM) is a high-speed, multiplexing and switching 
    protocol that supports multiple traffic types including voice, data, video, and 
    imaging.
    ATM is composed of fixed-length cells that switch and multiplex all information 
    for the network. An ATM connection is simply used to transfer bits of information 
    to a destination router or host. The ATM network is considered a LAN with high 
    bandwidth availability. Unlike a LAN, which is connectionless, ATM requires 
    certain features to provide a LAN environment to the users. 
    Each ATM node must establish a separate connection to every node in the ATM 
    network that it needs to communicate with. All such connections are established 
    through a permanent virtual circuit (PVC).
    PVC
    A PVC is a connection between remote hosts and routers. A PVC is established 
    for each ATM end node with which the router communicates. The characteristics 
    of the PVC that are established when it is created are set by the ATM adaptation  
    						
    							 
    layer (AAL) and the encapsulation type. An AAL defines the conversion of user 
    information into cells. An AAL segments upper-layer information into cells at the 
    transmitter and reassembles the cells at the receiver. 
    Cisco routers support the AAL5 format, which provides a streamlined data 
    transport service that functions with less overhead and affords better error 
    detection and correction capabilities than AAL3/4. AAL5 is typically associated 
    with variable bit rate (VBR) and unspecified bit rate (UBR) traffic. 
    Cisco 800 series routers also support AAL1 and 2 formats.
    ATM encapsulation is the wrapping of data in a particular protocol header. The 
    type of router you are connecting to determines the ATM PVC encapsulation 
    type. 
    The routers support the following encapsulation types for ATM PVCs:
    • LLC/SNAP (RFC 1483)
    • VC-MUX (RFC 1483)
    • PPP (RFC 2364)
    Each PVC is considered a complete and separate link to a destination node. Users 
    can encapsulate data as needed across the connection. The ATM network 
    disregards the contents of the data. The only requirement is that data be sent to 
    the router's ATM subsystem in a manner that follows the specific AAL format.
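    The AAL5 segmentation and reassembly described above, together with the LLC/SNAP 
    and VC-MUX encapsulation choices, as an added Python example that is not code from 
    this guide or from Cisco. It builds the AAL5 CPCS-PDU (payload, zero padding, and an 
    8-byte trailer of UU, CPI, Length and CRC-32), cuts it into 48-byte cell payloads, 
    and on receipt rejects a PDU whose CRC no longer matches, which is the error 
    detection the text attributes to AAL5. The LLC/SNAP header is the RFC 1483 value 
    for routed IPv4; the cell payloads and datagrams are constructed test data, and the 
    cell header (VPI/VCI, PTI end-of-PDU flag) is omitted.

```python
import struct
import zlib

CELL_PAYLOAD = 48      # payload bytes carried by one ATM cell
TRAILER_LEN = 8        # AAL5 CPCS trailer: UU(1) CPI(1) Length(2) CRC-32(4)

# RFC 1483 LLC/SNAP header for routed IPv4 datagrams. VC-MUX sends the datagram bare:
# the PVC itself identifies the protocol, so no header is added.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def encapsulate(datagram, encapsulation="llc/snap"):
    """Wrap a datagram according to the PVC encapsulation type."""
    if encapsulation == "llc/snap":
        return LLC_SNAP_IPV4 + datagram
    if encapsulation == "vc-mux":
        return datagram
    raise ValueError("unknown encapsulation: %s" % encapsulation)


def decapsulate(payload, encapsulation="llc/snap"):
    """Strip the encapsulation header; None if an LLC/SNAP payload lacks it."""
    if encapsulation == "llc/snap":
        if not payload.startswith(LLC_SNAP_IPV4):
            return None
        return payload[len(LLC_SNAP_IPV4):]
    return payload


def aal5_cpcs_pdu(payload, uu=0, cpi=0):
    """Build the AAL5 CPCS-PDU: payload + zero pad + trailer.

    Padding brings the total to a multiple of 48 so it splits evenly into cells.
    The CRC-32 (the same polynomial Ethernet uses, as provided by zlib.crc32)
    covers payload, padding and the first four trailer bytes.
    """
    pad = (-(len(payload) + TRAILER_LEN)) % CELL_PAYLOAD
    body = payload + b"\x00" * pad + struct.pack("!BBH", uu, cpi, len(payload))
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def segment(pdu):
    """Transmitter: cut the PDU into 48-byte cell payloads."""
    return [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]


def reassemble(cells):
    """Receiver: rejoin the cells, check trailer and CRC, return the payload.

    Returns None when a cell was corrupted or lost; AAL5 discards the whole
    PDU rather than delivering damaged upper-layer data.
    """
    pdu = b"".join(cells)
    if len(pdu) < CELL_PAYLOAD or len(pdu) % CELL_PAYLOAD:
        return None
    body, crc_field = pdu[:-4], pdu[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("!I", crc_field)[0]:
        return None
    _uu, _cpi, length = struct.unpack("!BBH", body[-4:])
    if length > len(body) - 4:
        return None
    return body[:length]


if __name__ == "__main__":
    datagram = bytes(range(100))                      # constructed sample datagram
    cells = segment(aal5_cpcs_pdu(encapsulate(datagram)))
    print("cells on the wire:", len(cells))
    print("round trip ok:", decapsulate(reassemble(cells)) == datagram)
    print("lost cell detected:", reassemble(cells[1:]) is None)
```

    The Length field and the CRC are what let the receiver tell a complete PDU from 
    one with a missing or damaged cell; a 100-byte datagram under LLC/SNAP becomes 
    three cells, and dropping or flipping a byte in any of them yields None.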
    Dialer Interface
    A dialer interface assigns PPP features (such as authentication and IP address 
    assignment method) to a PVC. Dialer interfaces are used when configuring PPP 
    over ATM.
    Dialer interfaces can be configured independently of any physical interface and 
    applied dynamically as needed.  
    						
    							 
    Dial Backup
    Dial backup provides protection against WAN downtime by allowing users to 
    configure a backup modem line connection. Any of the following can be used to 
    bring up the dial backup feature in the Cisco IOS software: 
    • Backup Interface
    • Floating Static Routes
    • Dialer Watch
    Backup Interface
    A backup interface is an interface that stays idle until certain circumstances occur, 
    such as WAN downtime, at which point it is activated. The backup interface can 
    be a physical interface such as Basic Rate Interface (BRI), or an assigned backup 
    dialer interface to be used in a dialer pool. While the primary line is up, the backup 
    interface is placed in standby mode. In standby mode, the backup interface is 
    effectively shut down until it is enabled. Any route associated with the backup 
    interface does not appear in the routing table.
    Because the backup interface command is dependent on the router’s identifying 
    that an interface is physically down, it is commonly used to back up ISDN BRI 
    connections and async lines and leased lines. The interfaces to such connections 
    go up when the primary line fails, and the backup interface quickly identifies such 
    failures.
    Floating Static Routes
    Floating static routes are static routes that have an administrative distance greater 
    than the administrative distance of dynamic routes. Administrative distances can 
    be configured on a static route so that the static route is less desirable than a 
    dynamic route. In this manner, the static route is not used when the dynamic route 
    is available. However, if the dynamic route is lost, the static route can take over, 
    and the traffic can be sent through this alternate route. If this alternate route uses 
    a Dial-on-Demand Routing (DDR) interface, then that interface can be used as a 
    backup feature. 
    						
    							 
    Dialer Watch
    Dialer watch is a backup feature that integrates dial backup with routing 
    capabilities. Dialer watch provides reliable connectivity without having to define 
    traffic of interest to trigger outgoing calls at the central router. Hence, dialer 
    watch can be considered regular DDR with no requirement for traffic of interest. 
    By configuring a set of watched routes that define the primary interface, you are 
    able to monitor and track the status of the primary interface as watched routes are 
    added and deleted.
    When a watched route is deleted, dialer watch checks for at least one valid route 
    for any of the IP addresses or networks being watched. If there is no valid route, 
    the primary line is considered down and unusable. If there is a valid route for at 
    least one of the watched IP networks defined and the route is pointing to an 
    interface other than the backup interface configured for dialer watch, the primary 
    link is considered up and dialer watch does not initiate the backup link.
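    The floating static route selection and the dialer watch decision described in the 
    two sections above, as an added Python model that is not part of this guide or of 
    Cisco IOS. Candidate routes to one destination are compared by administrative 
    distance; the floating static route is installed only after the dynamic route is 
    withdrawn, and dialer watch brings up the backup only when no watched network still 
    has a valid route pointing away from the backup interface. The administrative 
    distance of 90 is the Cisco IOS default for internal EIGRP routes; the value 200 for 
    the floating static route, the interface names and the 192.0.2.0/24 network are 
    constructed for the example.

```python
from ipaddress import ip_network


class Route:
    """One candidate route: destination, outgoing interface, administrative distance."""

    def __init__(self, network, interface, admin_distance, source):
        self.network = ip_network(network)
        self.interface = interface
        self.admin_distance = admin_distance
        self.source = source          # e.g. "eigrp" or "static"


class RoutingTable:
    def __init__(self):
        self.candidates = []

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, network, source):
        """Remove routes from one source, as happens when the dynamic route is lost."""
        net = ip_network(network)
        self.candidates = [r for r in self.candidates
                           if not (r.network == net and r.source == source)]

    def best(self, network):
        """Lowest administrative distance wins, so the floating static route
        (deliberately given a high distance) is used only when nothing else exists."""
        net = ip_network(network)
        matches = [r for r in self.candidates if r.network == net]
        return min(matches, key=lambda r: r.admin_distance) if matches else None

    def installed(self):
        """The routes that actually appear in the table, one per destination."""
        return {str(net): self.best(net) for net in {r.network for r in self.candidates}}


def dialer_watch_should_dial(table, watched_networks, backup_interface):
    """Dialer watch check run when a watched route is deleted.

    The primary is considered up if at least one watched network still has a
    valid route via an interface other than the backup; in that case the backup
    link is not initiated. Otherwise the primary is down and the backup dials.
    """
    for net in watched_networks:
        route = table.best(net)
        if route is not None and route.interface != backup_interface:
            return False
    return True


if __name__ == "__main__":
    table = RoutingTable()
    table.add(Route("192.0.2.0/24", "Ethernet0", 90, "eigrp"))    # primary, learned dynamically
    table.add(Route("192.0.2.0/24", "Dialer1", 200, "static"))    # floating static via DDR
    print("primary up, route via", table.best("192.0.2.0/24").interface,
          "dial backup:", dialer_watch_should_dial(table, ["192.0.2.0/24"], "Dialer1"))
    table.withdraw("192.0.2.0/24", "eigrp")                      # dynamic route lost
    print("primary lost, route via", table.best("192.0.2.0/24").interface,
          "dial backup:", dialer_watch_should_dial(table, ["192.0.2.0/24"], "Dialer1"))
```

    The difference between the two mechanisms is visible in the last lines: the 
    floating static route only makes the DDR interface the next hop, so traffic is still 
    needed to trigger the call, whereas dialer watch dials as soon as the watched route 
    disappears.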
    NAT
    Network address translation (NAT) provides a mechanism for a privately 
    addressed network to access registered networks, such as the Internet, without 
    requiring a registered subnet address. This mechanism eliminates the need for 
    host renumbering and allows the same IP address range to be used in multiple 
    intranets.
    NAT is configured on the router at the border of an inside network (a network that 
    uses nonregistered IP addresses) and an outside network (a network that uses a 
    globally unique IP address; in this case, the Internet). NAT translates the inside 
    local addresses (the nonregistered IP addresses assigned to hosts on the inside 
    network) into globally unique IP addresses before sending packets to the outside 
    network.
    With NAT, the inside network continues to use its existing private or obsolete 
    addresses. These addresses are converted into legal addresses before packets are 
    forwarded onto the outside network. The translation function is compatible with 
    standard routing; the feature is required only on the router connecting the inside 
    network to the outside domain. 
    						
    							 
    Translations can be static or dynamic. A static address translation establishes a 
    one-to-one mapping between the inside network and the outside domain. 
    Dynamic address translations are defined by describing the local addresses to be 
    translated and the pool of addresses from which to allocate outside addresses. 
    Allocation occurs in numeric order and multiple pools of contiguous address 
    blocks can be defined.
    NAT eliminates the need to readdress all hosts that require external access, saving 
    time and money. It also conserves addresses through application port-level 
    multiplexing. With NAT, internal hosts can share a single registered IP address 
    for all external communications. In this type of configuration, relatively few 
    external addresses are required to support many internal hosts, thus conserving IP 
    addresses.
    Because the addressing scheme on the inside network may conflict with registered 
    addresses already assigned within the Internet, NAT can support a separate 
    address pool for overlapping networks and translate as appropriate. 
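    The static, dynamic-pool and port-level multiplexed translations described in this 
    section (the same overloading that Easy IP (Phase 1) relies on), as an added Python 
    model that is not part of this guide or of Cisco IOS. Static entries are one-to-one, 
    dynamic entries take the lowest free pool address in numeric order, and once the pool 
    is exhausted hosts share a single global address distinguished by port. The inside 
    network, the 203.0.113.0/24 global addresses, the starting port 1024 and the packet 
    values are constructed for the example.

```python
from ipaddress import ip_address, ip_network


class NatTable:
    """Inside-to-outside translation with static, dynamic-pool and overload entries."""

    def __init__(self, inside_networks, pool, overload_address=None):
        self.inside = [ip_network(n) for n in inside_networks]
        self.free_pool = sorted(ip_address(a) for a in pool)   # allocated in numeric order
        self.static = {}          # inside local -> inside global, one-to-one
        self.dynamic = {}         # inside local -> inside global, allocated on demand
        self.overload = ip_address(overload_address) if overload_address else None
        self.next_port = 1024     # constructed first port for overload entries
        self.pat = {}             # (local ip, local port) -> (global ip, global port)
        self.pat_reverse = {}     # the inverse, for packets arriving from outside

    def add_static(self, local, global_addr):
        self.static[ip_address(local)] = ip_address(global_addr)

    def _is_inside_local(self, addr):
        return any(addr in net for net in self.inside)

    def translate_outbound(self, src_ip, src_port):
        """Return (global ip, global port) for a packet leaving the inside network,
        or None when no translation can be made."""
        src = ip_address(src_ip)
        if not self._is_inside_local(src):
            return (str(src), src_port)            # not an inside local address
        if src in self.static:
            return (str(self.static[src]), src_port)
        if src in self.dynamic:
            return (str(self.dynamic[src]), src_port)
        if self.free_pool:
            self.dynamic[src] = self.free_pool.pop(0)
            return (str(self.dynamic[src]), src_port)
        if self.overload is None:
            return None                            # pool exhausted, nothing to overload
        key = (src, src_port)
        if key not in self.pat:
            entry = (self.overload, self.next_port)
            self.next_port += 1
            self.pat[key] = entry
            self.pat_reverse[entry] = key
        gip, gport = self.pat[key]
        return (str(gip), gport)

    def translate_inbound(self, dst_ip, dst_port):
        """Reverse lookup for a packet arriving from outside; None means no entry,
        so unsolicited traffic to the shared address is not forwarded inside."""
        dst = ip_address(dst_ip)
        for local, global_addr in list(self.static.items()) + list(self.dynamic.items()):
            if global_addr == dst:
                return (str(local), dst_port)
        entry = self.pat_reverse.get((dst, dst_port))
        if entry is None:
            return None
        return (str(entry[0]), entry[1])


if __name__ == "__main__":
    nat = NatTable(["10.0.0.0/8"], ["203.0.113.10", "203.0.113.11"],
                   overload_address="203.0.113.1")
    nat.add_static("10.0.0.5", "203.0.113.50")
    for host, port in [("10.0.0.5", 40000), ("10.1.1.1", 5000), ("10.1.1.2", 5000),
                       ("10.1.1.3", 5000), ("10.1.1.4", 5000)]:
        print(host, port, "->", nat.translate_outbound(host, port))
    print("reply to 203.0.113.1:1024 ->", nat.translate_inbound("203.0.113.1", 1024))
    print("unsolicited to 203.0.113.1:9999 ->", nat.translate_inbound("203.0.113.1", 9999))
```

    With two pool addresses and one overload address the table serves any number of 
    inside hosts, which is the address conservation the text describes; the inbound 
    lookup also shows why a packet for which no translation exists never reaches the 
    inside network.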
    Easy IP (Phase 1)
    The Easy IP (Phase 1) feature combines Network Address Translation (NAT) and 
    PPP/Internet Protocol Control Protocol (IPCP). This feature enables a Cisco 
    router to automatically negotiate its own registered WAN interface IP address 
    from a central server and to enable all remote hosts to access the Internet using 
    this single registered IP address. Because Easy IP (Phase 1) uses existing 
    port-level multiplexed NAT functionality within the Cisco IOS software, IP 
    addresses on the remote LAN are invisible to the Internet.
    The Easy IP (Phase 1) feature combines NAT and PPP/IPCP. With NAT, the 
    router translates the nonregistered IP addresses used by the LAN devices into the 
    globally unique IP address used by the dialer interface. The ability of multiple 
    LAN devices to use the same globally unique IP address is known as overloading. 
    NAT is configured on the router at the border of an inside network (a network that 
    uses nonregistered IP addresses) and an outside network (a network that uses a 
    globally unique IP address; in this case, the Internet).
    With PPP/IPCP, the Cisco routers automatically negotiate a globally unique 
    (registered) IP address for the dialer interface from the ISP router.  
    						
    							 
    Easy IP (Phase 2)
    The Easy IP (Phase 2) feature combines Dynamic Host Configuration Protocol 
    (DHCP) server and relay. DHCP is a client-server protocol that enables devices 
    on an IP network (the DHCP clients) to request configuration information from a 
    DHCP server. DHCP allocates network addresses from a central pool on an 
    as-needed basis. DHCP is useful for assigning IP addresses to hosts connected to 
    the network temporarily or for sharing a limited pool of IP addresses among a 
    group of hosts that do not need permanent IP addresses.
    DHCP frees you from having to assign an IP address to each client manually, and 
    configures the router to forward UDP broadcasts, including IP address requests, 
    from DHCP clients. 
    DHCP allows for increased automation and fewer network administration 
    problems by
    • Eliminating the need for the manual configuration of individual computers, 
      printers, and shared file systems
    • Preventing the simultaneous use of the same IP address by two clients
    • Allowing configuration from a central site
    Note: When using NAT, DHCP relay cannot be used on the Cisco 800 series routers. 
    The built-in DHCP server should be used instead.
    Cisco Easy VPN Client
    Routers and other forms of broadband access provide high-performance 
    connections to the Internet. However, many applications also require the security 
    of Virtual Private Network (VPN) connections to perform a high level of 
    authentication and to encrypt the data between two particular endpoints. 
    Establishing a VPN connection between two routers can be complicated, and it 
    typically requires tedious coordination between network administrators to 
    configure the two routers’ VPN parameters. 
    The Cisco Easy VPN client feature eliminates much of this tedious work by 
    implementing Cisco’s Unity Client protocol, which allows most VPN parameters 
    to be defined at a VPN 3000 concentrator acting as an IPSec server.  
    						
    							 
    After the IPSec server has been configured, a VPN connection can be created with 
    minimal configuration on an IPSec client, such as a supported Cisco 800 series 
    router. When the IPSec client then initiates the VPN tunnel connection, the IPSec 
    server pushes the IPSec policies to the IPSec client and creates the corresponding 
    VPN tunnel connection.
    VoIP
    The Cisco 827-4V router is a voice-and-data-capable router that provides 
    Voice-over-IP (VoIP) functionality and can carry voice traffic (such as telephone 
    calls and faxes) over an IP network.
    Cisco voice support is implemented using voice packet technology. There are two 
    primary applications for VoIP: 
    • It provides a central-site telephony termination facility for VoIP traffic from 
      multiple voice-equipped remote office facilities. 
    • It provides a PSTN gateway for Internet telephone traffic. VoIP used as a 
      PSTN gateway leverages the standardized use of H.323-based Internet 
      telephone client applications. 
    In VoIP, the digital signal processor (DSP) segments the voice signal into frames 
    and stores them in voice packets. These voice packets are transported by using IP 
    in compliance with H.323 signaling standards.
    H.323
    H.323 is an International Telecommunication Union (ITU-T) standard that 
    describes packet-based video, audio, and data conferencing. H.323 is an umbrella 
    standard that describes the architecture of the conferencing system and refers to a 
    set of other standards (H.245, H.225.0, and Q.931) to describe its actual protocol. 
    Cisco H.323 Version 2 support upgrades Cisco IOS software to comply with the 
    mandatory requirements and several of the optional features of the version 2 
    specification. This upgrade enhances the existing VoIP gateway and the 
    Multimedia Conference Manager (gatekeeper and proxy). A gateway allows 
    H.323 terminals to communicate with non-H.323 terminals by converting 
    protocols, and it is an endpoint on the LAN that provides real-time, two-way 
    communications between H.323 terminals on the LAN and other ITU-T terminals 
    in the WAN or to another H.323 gateway. 
    						