Cisco Router 860, 880 Series User Manual
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide

Customer Order Number:
Text Part Number: 78-xxxxx-xx
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. 
Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide © 2008 Cisco Systems, Inc. All rights reserved. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0709R)
CONTENTS

Preface
  Objective
  Audience
  Organization
  Conventions
  Related Documentation
  Searching Cisco Documents
  Obtaining Documentation and Submitting a Service Request

Overview/Getting Started

CHAPTER 1 Product Overview
  General Description
  Cisco 860 Series ISRs
  4-port 10/100 FE LAN Switch
  Security Features
  802.11n Wireless LAN Option
  Cisco 880 Series ISRs
  Models of the Cisco 880 Series ISRs
  Common Features
  Voice Features
  Licensing
  Selecting Feature Sets

CHAPTER 2 Wireless Device Overview
  Management Options
  Network Configuration Examples
  Root Access Point
  Central Unit in an All-Wireless Network

CHAPTER 3 Basic Router Configuration
  Interface Ports
  Default Configuration
  Information Needed for Configuration
  Configuring Basic Parameters
  Configuring Global Parameters
  Configuring the Fast Ethernet LAN Interfaces
  Configuring WAN Interfaces
  Configuring a Wireless Interface
  Configuring a Loopback Interface
  Configuring Command-Line Access
  Configuring Static Routes
  Example
  Verifying Configuration
  Configuring Dynamic Routes
  Configuring Routing Information Protocol
  Configuring Enhanced Interior Gateway Routing Protocol
  Example
  Verifying Configuration

CHAPTER 4 Basic Wireless Device Configuration
  Establishing a Wireless Configuration Session
  Closing the Session
  Configuring Basic Settings
  Cisco Express Setup
  Cisco IOS Setup
  Configuring Wireless Security Settings
  Using VLANs
  Configuring Wireless Quality of Service

Configuring the Router

CHAPTER 5 Configuring Backup Data Lines and Remote Management
  Configuring Backup Interfaces
  Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
  Example
  Configuring Data Line Backup and Remote Management Through the ISDN S/T Port
  Configuring ISDN Settings
  Configuring Aggregator and ISDN Peer Router
  Configuring the Cellular Wireless Interface
  Restrictions for Configuring Cellular Wireless Interface
  Configuring Data Account Provisioning
  Configuring DDR
  Configuring DDR Backup
  Examples for Configuring Cellular Wireless Interfaces
  Basic Cellular Interface Configuration
  Tunnel over Cellular Interface Configuration
  Cellular Wireless Modem as Backup with NAT and IPsec Configuration
  Configuring Cellular Wireless Interface Data Line Backup

CHAPTER 6 Configuring Security Features
  Authentication, Authorization, and Accounting
  Configuring AutoSecure
  Configuring Access Lists
  Access Groups
  Configuring Cisco IOS Firewall
  Configuring Cisco IOS IPS
  URL Filtering
  Cisco Adaptive Control Technology
  Configuring VPN
  Configure a VPN over an IPSec Tunnel
  Create a Cisco Easy VPN Remote Configuration
  Configure a Site-to-Site GRE Tunnel

CHAPTER 7 Configuring the Ethernet Switches
  Switch Port Numbering and Naming
  Restrictions for the FE Switch
  Information About Ethernet Switches
  VLANs and VLAN Trunk Protocol
  Inline Power
  Layer 2 Ethernet Switching
  802.1x Authentication
  Spanning Tree Protocol
  Cisco Discovery Protocol
  Switched Port Analyzer
  IGMP Snooping
  Storm Control
  Fallback Bridging
  How to Configure Ethernet Switches
  Configuring VLANs
  Configuring Layer 2 Interfaces
  Configuring 802.1x Authentication
  Configuring Spanning Tree Protocol
  Configuring MAC Table Manipulation
  Configuring Cisco Discovery Protocol
  Configuring the Switched Port Analyzer
  Configuring Power Management on the Interface
  Configuring IP Multicast Layer 3 Switching
  Configuring IGMP Snooping
  Configuring Per-Port Storm Control
  Configuring Fallback Bridging
  Configuring Separate Voice and Data Subnets
  Managing the Switch

CHAPTER 8 Configuring Voice Functionality
  Voice Ports
  Analog and Digital Voice Port Assignments
  Voice Port Configuration
  Call Control Protocols
  Session Initiation Protocol (SIP)
  Media Gateway Control Protocol (MGCP)
  H.323
  Dial Peer Configuration
  Other Voice Features
  Real-Time Transport Protocols
  Dual Tone Multi Frequency Relay
  CODECs
  SCCP-Controlled Analog Ports with Supplementary Features
  Fax Services
  Fax Pass-Through
  Cisco Fax Relay
  T.37 Store-and-Forward Fax
  T.38 Fax Relay
  Unified Survival Remote Site Telephony
  Verification of Voice Configuration

Configuring and Administering the Wireless Device

CHAPTER 9 Service Set Identifier (SSID)
  Understanding SSIDs
  Multiple SSIDs on Wireless Devices in the Access Point Role
  SSIDs on Wireless Devices in Other Roles
  Configuring SSIDs
  SSID Parameters
  Using Spaces in SSIDs
  Creating a Global SSID
  Guest Mode SSID
  Including an SSID in an SSIDL IE
  Assigning IP Redirection for an SSID
  Guidelines for Using IP Redirection
  Configuring IP Redirection
  Multiple Basic SSIDs
  Configuring Multiple Basic SSIDs
  Using a RADIUS Server for SSID Authorization
  NAC Support for MBSSID
  Configuring NAC

CHAPTER 10 Configuring Radio Settings
  Enabling the Radio Interface
  Configuring the Role in the Radio Network
  Radio Tracking
  Fast Ethernet Tracking
  MAC-Address Tracking
  Configuring Radio Data Rates
  Configuring MCS Rates
  Configuring Radio Transmit Power
  Limiting the Power Level for Associated Client Devices
  Configuring Radio Channel Settings
  802.11n Channel Widths
  Enabling and Disabling World Mode
  Disabling and Enabling Short Radio Preambles
  Configuring Transmit and Receive Antennas
  Disabling and Enabling Aironet Extensions
  Configuring the Ethernet Encapsulation Transformation Method
  Enabling and Disabling Public Secure Packet Forwarding
  Configuring Protected Ports
  Configuring the Beacon Period and the DTIM
  Configure RTS Threshold and Retries
  Configuring the Maximum Data Retries
  Configuring the Fragmentation Threshold
  Enabling Short Slot Time for 802.11g Radios
  Performing a Carrier Busy Test
  Configuring VoIP Packet Handling

CHAPTER 11 Cipher Suites and WEP
  Understanding Cipher Suites and WEP
  Configuring Cipher Suites and WEP
  Creating WEP Keys
  Enabling Cipher Suites and WEP
  Enabling and Disabling Broadcast Key Rotation

CHAPTER 12 Authentication Types for Wireless Devices
  Understanding Authentication Types
  Open Authentication to the Access Point
  Shared Key Authentication to the Access Point
  EAP Authentication to the Network
  MAC Address Authentication to the Network
  Combining MAC-Based, EAP, and Open Authentication
  Using CCKM for Authenticated Clients
  Using WPA Key Management
  Configuring Authentication Types
  Assigning Authentication Types to an SSID
  Configuring Authentication Holdoffs, Timeouts, and Intervals
  Configuring the 802.1X Supplicant
  Creating a Credentials Profile
  Applying the Credentials to an Interface or SSID
  Creating and Applying EAP Method Profiles for the 802.1X Supplicant
  Matching Access Point and Client Device Authentication Types

CHAPTER 13 Configuring VLANs
  Understanding VLANs
  Related Documents
  Incorporating Wireless Devices into VLANs
  Configuring VLANs
  Configuring a VLAN
  Assigning Names to VLANs
  Using a RADIUS Server to Assign Users to VLANs
  Viewing VLANs Configured on the Access Point
  VLAN Configuration Example

CHAPTER 14 Using an Access Point as a Local Authenticator
  Understanding Local Authentication
  Configuring a Local Authenticator
  Guidelines for Local Authenticators
  Configuration Overview
  Configuring the Local Authenticator Access Point
  Configuring Other Access Points to Use the Local Authenticator
  Configuring EAP-FAST Authentication
  Limiting the Local Authenticator to One Authentication Type
  Unblocking Locked Usernames
  Viewing Local Authenticator Statistics
  Using Debug Messages

CHAPTER 15 Hot Standby Access Points
  Understanding Hot Standby
  Configuring a Hot Standby Access Point
  Verifying Standby Operation

CHAPTER 16 Workgroup Bridge Mode
  Understanding Workgroup Bridge Mode
  Treating Workgroup Bridges as Infrastructure Devices or as Client Devices
  Configuring a Workgroup Bridge for Roaming
  Configuring a Workgroup Bridge for Limited Channel Scanning
  Configuring a Client VLAN
  Configuring Workgroup Bridge Mode
  The Workgroup Bridge in a Lightweight Environment
  Guidelines for Using Workgroup Bridges in a Lightweight Environment

CHAPTER 17 Administering the Wireless Device
  Disabling the Mode Button Function
  Preventing Unauthorized Access to Your Access Point
  Protecting Access to Privileged EXEC Commands
  Default Password and Privilege Level Configuration
  Setting or Changing a Static Enable Password
  Protecting Enable and Enable Secret Passwords with Encryption
  Configuring Username and Password Pairs
  Configuring Multiple Privilege Levels
  Controlling Access Point Access with RADIUS
  Default RADIUS Configuration
  Configuring RADIUS Login Authentication
  Defining AAA Server Groups
  Configuring RADIUS Authorization for User Privileged Access and Network Services
  Displaying the RADIUS Configuration
  Controlling Access Point Access with TACACS+
  Default TACACS+ Configuration
  Configuring TACACS+ Login Authentication
  Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
  Displaying the TACACS+ Configuration
  Administering the Wireless Hardware and Software
  Resetting the Wireless Device to Factory Default Configuration
  Rebooting the Wireless Device
  Upgrading Software on the Access Point
  Downgrading Software on the Access Point
  Recovering Software on the Access Point
  Monitoring the Wireless Device
  Managing the System Time and Date
  Understanding Simple Network Time Protocol
  Configuring SNTP
  Configuring Time and Date Manually
  Configuring a System Name and Prompt
  Default System Name and Prompt Configuration
  Configuring a System Name
  Understanding DNS
  Creating a Banner
  Default Banner Configuration
  Configuring a Message-of-the-Day Login Banner
  Configuring a Login Banner
  Configuring Ethernet Speed and Duplex Settings
  Configuring the Access Point for Wireless Network Management
  Configuring the Access Point for Local Authentication and Authorization
  Configuring the Authentication Cache and Profile
  Configuring the Access Point to Provide DHCP Service