When traffic crosses a WAN link, the connection needs a layer 2 protocol to encapsulate traffic. The standard Frame Relay encapsulation protocol is a versatile and common encapsulation protocol used with Frame Relay. See Step 4 to set the encapsulation method. Selects the interface to configure and enters interface configuration mode. Router config-if ip address Router config-if clock rate Configures the clock rate for the hardware to an acceptable bit rate per second bps.
Range is from bits per second. Note The clock rate configuration is only applicable to the DCE interfaces. Note The following clock rate options are supported: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , Router config-if mtu Configures the MTU size for the interface. Default is bytes. This section provides you the information on configuring options features and the Cisco IOS XE commands required to configure these features:. Enhanced Object Tracking. The carrier-delay command in tracking configuration mode enables tracking to consider the carrier-delay timer configured on an interface.
You can specify a period of time in seconds to delay communicating status change of a tracked interface. You can set a specific amount of time for the router to wait before trying to bring up a NIM interface after the NIM goes down using the serial restart-delay command in the interface configuration mode. Router config-if serial restart-delay NRZI uses relational encoding to interpret signals rather than determining absolute values.
You can enable NRZI format using the nrzi-encoding command in the interface configuration mode. You can enable the data terminal ready (DTR) pulse signal intervals on the serial interfaces using the pulse-time command in interface configuration mode. When the serial line protocol goes down (for example, because of loss of synchronization), the interface hardware is reset and the DTR signal is held inactive for at least the specified interval.
Setting up the DTR pulse signal intervals is useful for handling encryption or other similar devices that use the toggling of the DTR signal to resynchronize. You can configure the ignore [cts dcd dsr dtr rts] command to ignore the incoming signals that may be flapping due to certain cabling issues. When the ignore [cts dcd dsr dtr rts] command is configured, a signal is automatically seen as asserted.
Router config-if ignore [cts dcd dsr dtr rts]. Note For the ignore command, the availability of the cts, dcd, dsr, dtr and rts keyword options depends on whether the interface is a DTE or DCE interface. Inverting the Clock Signal. Systems that use long cables or cables that are not transmitting the TxC clock signal might experience high error rates when operating at higher transmission speeds.
If a Serial NIM port is reporting a high number of error packets, a phase shift might be the problem; inverting the clock might correct this phase shift. You can use the no invert-txclock command to change the clock signal back to its original phase. Using the ping command, you can verify that an interface port is functioning properly.
The ping command sends echo request packets out to a remote device at an IP address that you specify. After sending an echo request, the system waits a specified time for the remote device to reply. Each echo reply is displayed as an exclamation point (!). A series of exclamation points (!!!!!). Following is an example of a successful ping command to a remote server with the address If the connection fails, verify that you have the correct IP address for the destination and that the device is active (powered on), and repeat the ping command.
On Cisco 1-, 2-, and 4-port Serial Network Interface Modules, the loopback feature works as intended only when a serial interface is connected to a DCE cable. The following example shows the loopback command configured under interface configuration mode: You can use the output from the following show commands to verify your configuration: Router show version.
Uptime for this control processor is 1 hour, 28 minutes. System image file is "bootflash:isruniversalk9. This example configures bit Diffie-Hellman, which is the default.
Specify the security association's lifetime—in seconds. This example configures seconds (one day). Each authentication method requires an additional companion configuration as follows: If you specify RSA signatures as the authentication method in a policy, you must configure the peers to obtain certificates from a certification authority (CA).
And, of course, the CA must be properly configured to issue the certificates. The certificates are used by each peer to securely exchange public keys. RSA signatures require that each peer has the remote peer's public signature key. When both peers have valid certificates, they will automatically exchange public keys with each other as part of any IKE negotiation in which RSA signatures are used. If you specify RSA encrypted nonces as the authentication method in a policy, you need to ensure that each peer has the other peers' public keys.
Instead, you ensure that each peer has the others' public keys by doing the following:. To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces, and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures will be used the first time because the peers do not yet have each others' public keys.
Then, future IKE negotiations will be able to use RSA-encrypted nonces because the public keys will have been exchanged. If you specify pre-shared keys as the authentication method in a policy, you must configure these pre-shared keys as described in the "Configuring Pre-shared Keys" section.
If you specify digital certificates as the authentication method in a policy, the CA must be properly configured to issue certificates. Digital certificates simplify authentication. You need only enroll each peer with the CA, rather than manually configuring each peer to exchange keys. Cisco recommends using digital certificates in a network of more than 50 peers.
If RSA encryption is configured and signature mode is negotiated, the peer will request both signature and encryption keys. Basically, the router will request as many keys as the configuration will support. If RSA encryption is not configured, it will just request a signature key. To configure pre-shared keys, perform these steps at each peer that uses pre-shared keys in an IKE policy:. Each peer identity should be set to either its host name or by its IP address.
By default, a peer identity is set to its IP address. Step 2 Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At a given peer, you could specify the same key to share with multiple remote peers; however, a more secure approach is to specify different keys to share between different pairs of peers. Note The following procedure is based on the "Site-to-Site Scenario" section. However, the same configuration commands can be used in an extranet scenario.
To specify pre-shared keys at a peer, complete the following steps in global configuration mode:. This example specifies the address keyword, which uses IP address At the local peer : Specify the shared key the headquarters router will use with the remote office router. This example configures the shared key test to be used with the remote peer Again, this example specifies the address keyword, which uses IP address At the remote peer : Specify the shared key to be used with the local peer.
This is the same key you just specified at the local peer. This example configures the shared key test to be used with the local peer The address keyword is typically used when there is only one interface and therefore only one IP address that will be used by the peer for IKE negotiations, and the IP address is known.
Use the hostname keyword if there is more than one interface on the peer that might be used for IKE negotiations, or if the interface IP address is unknown such as with dynamically-assigned IP addresses. To configure your Cisco series router to use digital certificates as the authentication method, use the following steps, beginning in global configuration mode.
Cisco recommends using 3DES. Note This example only configures the head-end Cisco series router. Additionally, each peer must be enrolled with a CA. This configuration example does not configure the CA. CA configuration instructions should be obtained from your CA vendor. Declares a CA. The name should be the domain name of the CA.
This command puts you into the ca-identity configuration mode. The URL should include any nonstandard cgi-bin script location. Optional Specifies that other peer certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router. Optional Specifies how many times the router will continue to send unsuccessful certificate requests before giving up. By default, the router will never give up trying. Optional Specifies that other peers certificates can still be accepted by your router even if the appropriate CRL is not accessible to your router.
Note Although the above output shows "no volume limit" for the lifetime, you can currently only configure a time lifetime such as seconds ; volume limit lifetimes are not configurable. Tip If you have trouble, use the show version command to ensure your Cisco series router is running a Cisco IOS software image that supports crypto. Because pre-shared keys were specified as the authentication method for policy 1 in the "Configuring IKE Policies" section , the policy that will also be used on the business partner router complete the following steps at the headquarters router as well as the business partner router:.
In this scenario, you only need to complete this task at the business partner router. Note The following procedure is based on the "Extranet Scenario" section. To configure a different pre-shared key for use between the headquarters router and the business partner router, complete the following steps in global configuration mode:. At the local peer : Specify the shared key the headquarters router will use with the business partner router. This task was already completed on the headquarters router when policy 1 was configured in the "Configuring IKE Policies" section.
This section contains basic steps to configure IPSec and includes the following tasks:. In some cases, you might need to add a statement to your access lists to explicitly permit this traffic. Crypto access lists use the same format as standard access lists. However, the permit command instructs the router to encrypt data, and the deny command instructs the router to allow unencrypted data.
Crypto access lists are used to define which IP traffic will be protected by crypto and which traffic will not be protected by crypto. These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface. For example, you can create access lists to protect all IP traffic between the headquarters router and business partner router.
The access lists themselves are not specific to IPSec. It is the crypto map entry referencing the specific access list that defines whether IPSec processing is applied to the traffic matching a permit in the access list. To create a crypto access list, enter the following command in global configuration mode:. Specify conditions to determine which IP packets are protected. This example configures access list to encrypt all IP traffic between the headquarters server translated inside global IP address We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword.
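One way to check the "mirror image" recommendation offline, as an added example that is not part of the Cisco guide: this Python script parses numbered extended `access-list ... ip` entries from two peers and reports any entry that has no mirror on the other side or that uses the any keyword. The ACL number 111 and the 192.0.2.x / 198.51.100.x addresses are constructed sample values, not taken from this page.

```python
import ipaddress
from collections import namedtuple

# One parsed crypto ACL entry; uses_any records whether 'any' appeared.
Entry = namedtuple("Entry", "action src dst uses_any")


def _take_spec(tokens):
    """Consume one address spec (any | host A | A wildcard) from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), True
    if head == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32"), False
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A contiguous wildcard mask has the form 2**k - 1 (e.g. 0.0.0.255).
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard mask not supported")
    prefix = 32 - wildcard.bit_length()
    return ipaddress.IPv4Network(f"{head}/{prefix}", strict=False), False


def parse_crypto_acl(config):
    """Parse 'access-list N permit|deny ip SRC DST' lines; ignore other lines."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        rest = tokens[4:]
        src, any_src = _take_spec(rest)
        dst, any_dst = _take_spec(rest)
        entries.append(Entry(action, src, dst, any_src or any_dst))
    return entries


def audit_mirror(local_cfg, remote_cfg):
    """Return findings for entries without a mirror image or that use 'any'."""
    local = parse_crypto_acl(local_cfg)
    remote = parse_crypto_acl(remote_cfg)
    findings = []
    for side, entries, other in (("local", local, remote),
                                 ("remote", remote, local)):
        # The mirror of an entry swaps its source and destination.
        mirrored = {(e.action, e.dst, e.src) for e in other}
        for e in entries:
            if e.uses_any:
                findings.append(
                    f"{side}: 'any' used in {e.action} {e.src} -> {e.dst}")
            if (e.action, e.src, e.dst) not in mirrored:
                findings.append(
                    f"{side}: no mirror image for {e.action} {e.src} -> {e.dst}")
    return findings


# Constructed sample configurations (documentation address ranges).
HQ_ACL = "access-list 111 permit ip host 192.0.2.10 198.51.100.0 0.0.0.255"
PARTNER_ACL_OK = "access-list 111 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.10"
PARTNER_ACL_BAD = "access-list 111 permit ip any host 192.0.2.10"

if __name__ == "__main__":
    print("mirrored pair:", audit_mirror(HQ_ACL, PARTNER_ACL_OK))
    for finding in audit_mirror(HQ_ACL, PARTNER_ACL_BAD):
        print(finding)
```

The parser covers only `ip` entries with contiguous wildcard masks; named access lists and port-level matches would need additional handling.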
The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list. Tip If you have trouble, make sure you are specifying the correct access list number. You must define transform sets regardless of the tunneling protocol you use.
To define a transform set and configure IPSec tunnel mode, complete the following steps starting in global configuration mode: Define a transform set and enter crypto-transform configuration mode. This example combines AH transform ah-sha-hmac, ESP encryption transform esp-des, and ESP authentication transform esp-sha-hmac in the transform set proposal4.
There are complex rules defining which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command. You can also use the crypto ipsec transform-set?
Change the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. All other traffic is in tunnel mode only. This example configures tunnel mode for the transform set proposal4, which creates an IPSec tunnel between the IPSec peer addresses. This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header.
It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures. This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header. Note AH and ESP can be used independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather, provides an open framework for implementing industry-standard algorithms.
Remote devices need to be managed through a VPN from the central site when operating on a centralized IT model. VPN devices support numerous configuration options to determine the tunnel endpoint and, depending on the method chosen, these options may impact the manageability of the network. Refer to the "Dynamic versus Static Crypto Maps" section on page for a discussion of when to use static or dynamic crypto maps.
To be the most effective in managing remote devices, you must use static cryptographic maps at the site where your management applications are located. Dynamic cryptographic maps can be used at the headend for ease of configuration. Dynamic maps, however, accept only incoming IKE requests, and because dynamic maps cannot initiate an IKE request, it is not always guaranteed that a tunnel exists between the remote device and the headend site.
Static cryptographic map configuration includes the static IP addresses of the remote peers. Thus, remote sites must use static IP addresses to support remote management. For IPSec to succeed between two IPSec peers, both peer crypto map entries must contain compatible configuration statements. When two peers try to establish a security association (SA), they must each have at least one crypto map entry that is compatible with one of the other peer crypto map entries.
For two crypto map entries to be compatible, they must meet the following minimum criteria:. In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be "permitted" by the peer crypto access list. This means that you can specify lists such as lists of acceptable transforms within the crypto map entry.
After you have completed configuring IPSec at each participating IPSec peer, configure crypto map entries and apply the crypto maps to interfaces. The task of configuring IPSec at each peer can be eased by utilizing dynamic crypto maps. By configuring the head-end Cisco series router with a dynamic map, and the peers with a static map, the peer will be permitted to establish an IPSec security association even though the router does not have a crypto map entry specifically configured to meet all of the remote peer requirements.
This section contains basic steps to configure crypto maps and includes the following tasks:. To create crypto map entries that will use IKE to establish the SAs, complete the following steps starting in global configuration mode:. Create the crypto map and specify a local address physical interface to be used for the IPSec traffic. This step is only required if you have previously used the loopback command or if you are using GRE tunnels.
Enter crypto map configuration mode, specify a sequence number for the crypto map you created in Step 1, and configure the crypto map to use IKE to establish SAs. This example configures sequence number 2 and IKE for crypto map s4second.
Specify an extended access list. This example configures access list , which was created in the "Creating Crypto Access Lists" section. This is the peer to which IPSec protected traffic can be forwarded. Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority highest priority first.
To create dynamic crypto map entries that will use IKE to establish the SAs, complete the following steps, starting in global configuration mode:. Specifies which transform sets are allowed for the crypto map entry. This is the only configuration statement required in dynamic crypto map entries.
Optional Accesses list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry. Note Although access-lists are optional for dynamic crypto maps, they are highly recommended. If the access list is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list.
If the access list is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets. This is similar to static crypto maps because they also require that an access list be specified. Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation. This is rarely configured in dynamic crypto map entries.
Dynamic crypto map entries are often used for unknown remote peers. Optional If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.
In the following example, peer Tip If you have trouble, make sure you are using the correct IP addresses. You need to apply a crypto map set to each interface through which IPSec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the interface traffic against the crypto map set, and to use the specified policy during connection or SA negotiation on behalf of traffic to be protected by crypto.
To apply a crypto map set to an interface, complete the following steps starting in global configuration mode:. Specify a physical interface on which to apply the crypto map and enter interface configuration mode. Apply the crypto map set to the physical interface. This example configures crypto map s4second, which was created in the "Creating Crypto Map Entries" section.
Manually established SAs are reestablished immediately. Note Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer , map , or entry keywords to clear out only a subset of the SA database. In particular, QoS features provide better and more predictable network service by:. You configure QoS features throughout a network to provide for end-to-end QoS delivery.
The following three components are necessary to deliver QoS across a heterogeneous network:. Not all QoS techniques are appropriate for all network routers. Because edge routers and backbone routers in a network do not necessarily perform the same operations, the QoS tasks they perform might differ as well.
This section contains basic steps to configure QoS weighted fair queuing (WFQ), which applies priority or weights to identified traffic on the GRE tunnel you configured in the "Step 1—Configuring the Tunnel" section. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. MQC provides a clean separation between the specification of a classification policy and the specification of other policies that act based on the results of the applied classification.
Configuring a QoS policy typically requires the configuration of traffic classes, the configuration of policies that will be applied to those traffic classes, and the attaching of policies to interfaces using the commands in the sections that follow. Use the class-map configuration command to define a traffic class and the match criteria that will be used to identify traffic as belonging to that class. Match statements can include criteria such as protocol, ACL, IP precedence value, or interface identifier.
The match criteria is defined with one or more of the match statements entered within the class-map configuration mode listed in the table below:. Specifies the user-defined name of the class map. The match-all option specifies that all match criteria in the class map must be matched. The match-any option specifies that one or more match criteria must match. Use the no class-map command to disable the class map. Use the no match-all and no match-any commands to disable these commands within the class map.
Use the match not command to configure a match that evaluates to true if the packet does not match the specified protocol. Enter the show class-map command to display all class map information. You can also enter the show class-map class-name command to display the class map information of a user-specified class map. Use the policy-map configuration command to specify the QoS policies to apply to traffic classes defined by a class map.
QoS policies that can be applied to traffic classification are listed in the table below. Enables weighted random early detection (WRED) drop policy for a traffic class which has a bandwidth guarantee. Specifies maximum number of packets queued for a traffic class in the absence of random-detect. Use the no policy-map command to deconfigure the policy map. Use the no bandwidth, no police, no set, and no random-detect commands to disable these commands within the policy map.
Use the service-policy interface configuration command to attach a policy map to an interface and to specify the direction in which the policy should be applied on either packets coming into the interface or packets leaving the interface. Specifies the name of the policy map to be attached to the output direction of the interface. Specifies the name of the policy map to be attached to the input direction of the interface.
Use the no service-policy [ input output ] policy-map-name command to detach a policy map from an interface. Use the show policy-map [ interface [ interface-spec [ input output [ class class-name ]]]] command to display the configuration of a policy map and its associated class maps. Forms of this command are listed in the following table: Displays statistics and configurations of all input and output policies, which are attached to an interface. Displays configuration and statistics of the input and output policies attached to a particular interface.
Displays configuration and statistics of the input policy attached to an interface. Displays configuration statistics of the output policy attached to an interface. Displays the configuration and statistics for the class name configured in the policy. Weighted Fair Queuing (WFQ) provides traffic priority management that automatically sorts among individual traffic streams without requiring that you first define access lists. WFQ can also manage duplex data streams such as those between pairs of applications, and simplex data streams such as voice or video.
There are two categories of WFQ sessions: high bandwidth and low bandwidth. Low-bandwidth traffic has effective priority over high-bandwidth traffic, and high-bandwidth traffic shares the transmission service proportionally according to assigned weights.
When WFQ is enabled for an interface, new messages for high-bandwidth traffic streams are discarded after the configured or default congestive messages threshold has been met. However, low-bandwidth conversations, which include control message conversations, continue to enqueue data. As a result, the fair queue may occasionally contain more messages than its configured threshold number specifies.
With standard WFQ, packets are classified by flow. WFQ allocates an equal share of the bandwidth to each flow. Flow-based WFQ is also called fair queuing because all flows are equally weighted. To configure fair queuing on an interface, complete the following steps starting in global configuration mode:.
Specify an interface and enter interface configuration mode. Packets satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for each class, and traffic belonging to a class is directed to that class queue.
Once a class has been defined according to its match criteria, you can assign it characteristics. To characterize a class, you assign it bandwidth, weight, and maximum packet limit. The bandwidth assigned to a class is the minimum bandwidth delivered to the class during congestion. To characterize a class, you also specify the queue limit for that class, which is the maximum number of packets allowed to accumulate in the class queue.
Packets belonging to a class are subject to the bandwidth and queue limits that characterize the class. After a queue has reached its configured queue limit, enqueuing of additional packets to the class causes tail drop or packet drop to take effect, depending on how class policy is configured.
Tail drop is used for CBWFQ classes unless you explicitly configure policy for a class to use weighted random early detection (WRED) to drop packets as a means of avoiding congestion. Note that if you use WRED packet drop instead of tail drop for one or more classes comprising a policy map, you must ensure that WRED is not configured for the interface to which you attach that service policy.
If a default class is configured, all unclassified traffic is treated as belonging to the default class. If no default class is configured, then by default the traffic that does not match any of the configured classes is flow classified and given best-effort treatment. Once a packet is classified, all of the standard mechanisms that can be used to differentiate service among the classes apply.
Flow classification is standard WFQ treatment. WFQ allocates an equal share of bandwidth to each flow. Flow-based WFQ is also called fair queueing because all flows are equally weighted. For CBWFQ, which extends the standard WFQ, the weight specified for the class becomes the weight of each packet that meets the match criteria of the class.
Packets that arrive at the output interface are classified according to the match criteria filters you define, then each one is assigned the appropriate weight. The weight for a packet belonging to a specific class is derived from the bandwidth you assigned to the class when you configured it; in this sense the weight for a class is user-configurable.
After a packet's weight is assigned, the packet is enqueued in the appropriate class queue. CBWFQ uses the weights assigned to the queued packets to ensure that the class queue is serviced fairly. For this reason, you should ensure that WFQ is not enabled on such an interface.
To create a class map containing match criteria against which a packet is checked to determine if it belongs to a class, and to effectively create the class whose policy can be specified in one or more policy maps, use the first command in global configuration mode to specify the class-map name. Then use one of the following commands in class-map configuration mode:.
Specifies the name of the numbered ACL against whose contents packets are checked to determine if they belong to the class. Specifies the name of the output interface used as a match criterion against which packets are checked to determine if they belong to the class. Specifies the name of the protocol used as a match criterion against which packets are checked to determine if they belong to the class.
To configure a policy map and create class policies including a default class comprising the service policy, use the first global configuration command to specify the policy-map name. Then use the following policy-map configuration commands to configure policy for a standard class and the default class.
For each class that you define, you can use one or more of the following policy-map configuration commands to configure class policy. For example, you might specify bandwidth for one class and both bandwidth and queue limit for another class. The policy-map default class is the class to which traffic is directed if that traffic does not satisfy the match criteria of other classes whose policy is defined in the policy map.
To configure policy for more than one class in the same policy map, repeat Steps 2 through 4. Note that because this set of commands uses queue-limit, the policy map uses tail drop for both class policies, not WRED packet drop. To attach a service policy to an interface and enable CBWFQ on the interface, you must create a policy map.
You can configure class policies for as many classes as are defined on the router up to the maximum of Specifies the name of a class to be created and included in the service policy. Specifies the amount of bandwidth in kilobits per second kbps to be assigned to the class. Specifies the amount of bandwidth in kilobits per second to be assigned to the default class.
Specifies the maximum number of packets that can be enqueued for the specified default class. To attach a service policy to the output interface and enable CBWFQ on the interface, use the interface configuration command in the following table:. Note When CBWFQ is enabled, all classes configured as part of the service policy map are installed in the fair queueing system. To display the contents of a specific policy map, a specific class from a specific policy map, or all policy maps configured on an interface, use one of the following global configuration commands:.
Displays the configuration of all classes comprising the specified policy map. Displays the configuration of the specified class of the specified policy map. Displays the configuration of all classes configured for all policy maps on the specified interface.
Cisco IOS software provides an extensive set of security features with which you can configure a simple or elaborate firewall, according to your particular requirements. When you configure Cisco IOS firewall features on your Cisco router, you turn your router into an effective, robust firewall. Cisco IOS firewall features are designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources.
Note Although Cisco series routers support intrusion detection features, intrusion detection configuration procedures are not explained in this guide. For detailed information on intrusion detection, refer to the Intrusion Detection Planning Guide. At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco series router to function as a firewall by using the following Cisco IOS security features:.
For information on how to access these documents, see "Related Documentation" section on page xi. This section explains how to configure an extended access list, which is a sequential collection of permit and deny conditions that apply to an IP address. Note The extended access list configuration explained in this section is different from the crypto access list configuration explained in the "Creating Crypto Access Lists" section.
Crypto access lists are used to define which IP traffic is or is not protected by crypto, while an extended access list is used to determine which IP traffic to forward or block at an interface. The simplest connectivity to the Internet is to use a single device to provide the connectivity and firewall function to the Internet. With everything being in a single device, it is easy to address translation and termination of the VPN tunnels.
Complexity arises when you need to add extra Cisco series routers to the network. This normally leads people into building a network where the corporate network touches the Internet through a network called the DMZ, or demilitarized zone.
To create an extended access list that denies and permits certain types of traffic, complete the following steps starting in global configuration mode:. Enter the show access-lists EXEC command to display the contents of the access list. After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. To apply an access list inbound and outbound on an interface, complete the following steps starting in global configuration mode:.
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an "ICMP Host Unreachable" message. For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the destination address of the packet against the access list.
If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an "ICMP Host Unreachable" message.
Indicates whether the software processes that handle the line protocol consider the line usable or whether the line has been taken down by an administrator. Indicates whether keepalives are set and the interval between keepalives if they have been set. Indicates either full-duplex or half-duplex mode and other link configuration details. Number of hours, minutes, and seconds since the last packet was successfully received by the interface and processed locally on the router.
This field is useful for detecting when a dead interface failed. Note This field is not updated by fast-switched traffic. Number of hours, minutes, and seconds since the last packet was successfully transmitted by the interface. Number of hours, minutes, and seconds (or never) since the interface was last reset because a transmission took too long.
When the number of hours in any of the "last" fields exceeds 24 hours, the number of days and hours is printed. If that field overflows, asterisks are printed. Elapsed time since the counters that measure cumulative statistics (such as number of bytes transmitted and received) shown in this report were last reset to zero. Variables that might affect routing (for example, load and reliability) are not cleared when the counters are cleared.
Number of packets in the input queue. A slash separates the following values that indicate the maximum size of the queue, the number of packets dropped because of a full queue, and the number of times that queued packets have been discarded. Number of packets in the output queue that have been dropped because of a full queue.
Queuing strategy applied to the interface, which is configurable under the interface. The default is FIFO. Number of packets in the output queue. A slash separates the following values that indicate the maximum size of the queue and the number of packets dropped because of a full queue.
Average number of bits and packets transmitted per second in the last 5 minutes. If the interface is not in promiscuous mode, it senses network traffic that it sends and receives rather than all network traffic. The 5-minute input and output rates should be used only as an approximation of traffic per second during a given 5-minute period. These rates are exponentially weighted averages with a time constant of 5 minutes.
A period of four time constants must pass before the average will be within 2 percent of the instantaneous rate of a uniform stream of traffic over that period. Note The 5-minute period referenced in this output is a load interval that is configurable under the interface. The default value is 5 minutes. Total number of bytes, including data and MAC encapsulation, in the error-free packets received by the system. Number of received packets discarded because there was no buffer space in the main system.
Ignored Broadcast storms on Ethernet and bursts of noise on serial lines are often responsible for no input buffer events. Number of packets that are discarded because they are smaller than the minimum packet size of the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Number of packets that are discarded because they exceed the maximum packet size of the medium. For example, any Ethernet packet that is greater than bytes is considered a giant. Number of times that the interface requested another interface within the router to slow down. Errors that include runts, giants, no buffer, cyclic redundancy check (CRC), frame, overrun, and ignored counts.
Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts. Errors created when the CRC generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. A high number of CRCs is usually the result of collisions or a station that is transmitting bad data.
Number of packets received incorrectly that have a CRC error and a non-integer number of octets. On a LAN, this error is usually the result of collisions or a malfunctioning Ethernet device. Number of times that the receiver hardware was unable to handle received data to a hardware buffer because the input rate exceeded the receiver's ability to handle the data.
Number of received packets that were ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from system buffer space. Broadcast storms and bursts of noise can cause the ignored count to increase.
Number of packets with a dribble condition. Dribble bit error indicates that a frame is slightly too long. This frame error counter is incremented only for informational purposes; the router accepts the frame. Total number of bytes, including data and MAC encapsulations, that have been transmitted by the system.
Number of times that the transmitter has run faster than the router could handle. This error may never be reported on some interfaces. Sum of all errors that prevented the final transmission of datagrams out of the integrated service engine that is being examined. This number may not balance with the sum of the enumerated output errors, because some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.
Number of messages that have been retransmitted because of an Ethernet collision. This error is usually the result of an overextended LAN such as an Ethernet or transceiver cable that is too long, there are more than two repeaters between stations, or there are too many cascaded multiport transceivers. A packet that collides is counted only once in output packets. Number of times that an interface has been completely reset.
This can occur if packets that were queued for transmission were not sent within several seconds. On a serial line, this error can be caused by a malfunctioning modem that is not supplying the transmit clock signal or caused by a cable problem.
If the system notices that the carrier detect line of a serial interface is up, but the line protocol is down, it periodically resets the interface in an effort to restart it. Interface resets can also occur when an interface is looped back or shut down. Count of frames that are greater than bytes and that have been transmitted. This error indicates that the transmitter has been on the interface longer than the time necessary to transmit the largest frame. Number of late collisions.
A collision becomes a late collision when it occurs after the preamble has been transmitted. Indicates that the chip, while ready to transmit a frame, had to defer because the carrier was asserted. Address Resolution Protocol. Alternate term for service module.
A small subset of the system software that runs on the module. It boots the module from the network and assists in software installation and upgrades, disaster recovery, and other operations when the module cannot access its software. A small set of system software that runs when the system first powers up.
It loads the operating system from the disk, network, or CompactFlash, which loads and runs the Cisco Wide Area Application Services application. The bootloader may optionally load and run the boothelper. File Transfer Protocol. Standalone content engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router. Network Time Protocol. Protocol built on top of TCP that ensures accurate local timekeeping with reference to radio and atomic clocks located on the Internet.
This protocol is capable of synchronizing distributed clocks within milliseconds over long time periods. Industry-standard protocol for capturing log information for devices on a network. Transmission Control Protocol. Connection-oriented transport-layer protocol that provides reliable full-duplex data transmission. Trivial File Transfer Protocol.
Simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password). User Datagram Protocol. Wide Area Application Engine hardware plus software that accelerates content delivery, while ensuring the maximum scalability and availability of the content.
Note See Internetworking Terms and Acronyms for terms not included in this glossary.
Revised: January 7, Table 1 Network Module Hardware Model. On This Hardware Interface Command or Action. From the Network-Module Interface. Caution Because you may lose data, use the service-module integrated-service-engine reset command only to recover from a shutdown or failed state. Use service module reset command to recover from shutdown. Register 0x D 02A8 45E1 Register 0x Table 4 show controllers integrated-service-engine Field Descriptions Field. Table 5 show diag subslot Field Descriptions Field.
Hardware is BCM, address is Last input , output , output hang never. Last clearing of "show interface" counters never. Received broadcasts, 0 runts, 0 giants, 0 throttles. Table 6 show interfaces integrated-service-engine Field Descriptions Field. WAE Wide Area Application Engine hardware plus software that accelerates content delivery, while ensuring the maximum scalability and availability of the content. Related Topic. CF card. Status of hard drive activity On—Active Off—Inactive.
Status of system shutdown Note Do not remove power without first shutting down the application. On—System is shut down and ready for host power down Off—Application is stable Flashing—System shutdown is in progress. Configure These Settings Using This Configuration Interface. Enters global configuration mode on the host router.
Returns to global configuration mode on the host router. Open or Router telnet Press Ctrl-Shift-6 x. Closes the service module session and returns to the router CLI. Caution Using this command does not provide an orderly software shutdown and may impact file operations that are in progress. Router config. Displays information about network module and host-router hardware.
Displays information about the module side of the router-module interface. Displays a list of the application processes that are running. Displays the configuration commands that are in effect. Pings the service module to check network connectivity.
Displays version information for installed hardware and software. Displays the startup configuration stored on the CompactFlash drive. Displays information about the network module interfaces. This command was introduced for ISE network modules. Number of the router chassis slot for the network module. This command was introduced for the ISE network module. Displays controller information for ISE network modules.
Displays basic interface configuration information for ISE network modules. Optional Clears the ISE configuration session. Configures an interface and enters interface configuration mode. Displays controller information for a network module.
Displays basic interface configuration information for network modules. Receive Rx and transmit Tx traffic statistics collected by the chip. This command was implemented on the Cisco AS This command was implemented on the Cisco router. Revision number signifying a minor revision of the NME hardware. Revision number of the circuit board in the module. Revision number signifying a minor revision of the NME. Maximum transmission unit MTU of the integrated-service-engine interface. Bandwidth of the interface, in kilobits per second.
Encapsulation method that is assigned to the interface, ARPA in this case. This method, called configuration mode , provides the greatest power and flexibility. Before you begin configuring the synchronous serial interface, make sure to do the following:.
Router config-if half-duplex timer dcd-drop-delay Specifies the time that the interface waits in controlled carrier mode. See Table for a list of half-duplex timer commands. See Table , Table , and Table for lists of clock rate settings for specific interfaces. Router config-if dce-terminal-timing-enable. Cisco IADs that use long cables might experience high error rates when operating at higher transmission speeds, because the clock and data signals can shift out of phase.
If a DCE port is reporting a high number of bad packets, inverting the clock by means of this command can often correct the shift. To enable NRZI encoding on an interface, enter this command. CTS delay 1. RTS 3 drop delay. If you need to change the default configuration for these voice ports, perform the following tasks. The first two tasks are required; the third task is optional.
Step 1 Identify the voice port and enter voice-port configuration mode. Step 2 Configure the following mandatory voice-port parameters:. Dial type. Signal type. Call progress tone. Step 3 Optional Configure a description.
Enters voice-port configuration mode. Configures the voice-port connection mode type and the destination telephone number. The plar value is used for private line automated ringdown PLAR connections. The tie-line value is used for a tie-line connection to a PBX.
The plar-opx value, for PLAR off-premises extension, allows the local voice port to provide a local response before the remote voice port receives an answer. Configures the voice-port dial-type. Configures the signaling type for analog FXO voice ports. The default is loop-start. Configures the companding standard used to convert between analog and digital signals in PCM systems. The default for this command is northamerica.
Optional Enters a string description for the voice port. The string describes the voice port in displays. You can use the description command to note the voice port location or use. In most situations, the default voice-port values are adequate for FXS voice ports.
If you need to change the default configuration for the FXS voice ports, perform the following tasks. Configures the signaling type for analog FXS voice ports. To configure the ATM interface parameters for your application, you need the following information:. The linecode is automatically set to binary 8-zero substitution B8ZS. Router config interface atm 0. If you enable ILMI keepalives without specifying the seconds, the default time interval is 3 seconds. Router config-if-vc encapsulation aal5autoppp virtual-template 1.
The following example shows typical output from the show interface atm 0 command:. The card provides asymmetric digital subscriber line ADSL or symmetric high bit-rate digital subscriber line SHDSL high-speed digital data transfer between a single customer premises equipment CPE subscriber and the central office. See the following sections for configuration tasks for this feature. Each task in the list is identified as either required or optional:. DMT Issue 1.
Make sure that active PVCs are up. This is the default. Optional only for NT-configured ports. Turns on the power supplied from the port to a TE device. Saves the configuration changes to NVRAM so that they are not lost during resets, power cycles, or power outages.
Configuring the Hostname and Password

One of the first configuration tasks is to configure the hostname and set an encrypted password. To configure the hostname and password, perform the following steps.

Step 2 configure terminal
Example: Router configure terminal
Enters global configuration mode.

Step 4 enable secret password
Example: Router config enable secret guessme
Enters an enable secret password.

Step 5 line console
Example: Router config line console 0
Enters line configuration mode to configure the console port.

Step 6 exec-timeout
Example: Router config-line exec-timeout 0 0
If no input is detected during the interval, the EXEC facility resumes the current connection. The example value 0 0 disables the timeout, so an idle console session is never closed.

Step 7 exit
Example: Router config-line exit
Exits to global configuration mode.

Verifying the Hostname and Password

To verify that you configured the correct hostname and password, follow these steps:

Step 1 Enter the show config command:
Router config show config
Using out of bytes!

Step 2 Exit global configuration mode and attempt to reenter it, using the new enable password:
Router exit.

To configure Fast Ethernet interfaces, perform the following steps.
Step 3 ip routing Example: Router config ip routing Enables routing protocols as required for your global configuration. Step 5 ip address ip address subnet mask Example: Router config-if ip address Step 6 exit Example: Router config-if exit Exits to global configuration mode. Step 7 Ctrl-z Example: Router Ctrl-z Returns to enable mode when you finish configuring the interfaces.
To configure the network clock, perform the following steps. Step 8 exit Example: Router config-if exit Exits to global configuration mode. Step 9 Ctrl-z Example: Router Returns to enable mode when you finish configuring interfaces. Step 5 clock source line Example: Router config-controller clock source line Specifies which end of the circuit provides clocking. Step 10 channel-group channel-group-number timeslots range Example: Router config-controller channel-group 0 timeslots 1,,7 Specifies the channel group and time slots to be mapped.
Step 12 ip address ip address subnet mask Example: Router config-if ip address Step 13 exit Example: Router config-if exit Exits to global configuration mode. Step 14 Ctrl-z Example: Router Returns to enable mode when you finish configuring interfaces. Step 7 channel-group channel-group-number timeslots range Example: Router config-controller channel-group 1 timeslots Specifies the channel group and time slots to be mapped. Step 9 ip address ip address subnet mask Example: Router config-if ip address Step 10 exit Example: Router config-if exit Exits to global configuration mode.
Step 11 Ctrl-z Example: Router Returns to enable mode when you finish configuring interfaces. Step 3 isdn switch-type primary Example: Router config isdn switch-type primary-net5 Optional; see note. Step 5 pri-group timeslots range Example: Router config-if pri-group timeslots Configures the PRI group for T1 to carry voice traffic.
Step 7 no line-power Example: Router config-if no line-power Turns on or turns off the power supplied from an NT-configured port to a TE device. Step 8 isdn incoming-voice voice Example: Router config-if isdn incoming-voice voice Routes incoming ISDN voice calls to the voice module. Step 9 exit Example: Router config-if exit Exits to global configuration mode.
Step 10 Ctrl-z Example: Router Returns to enable mode when you finish configuring interfaces. Step 6 Repeat Step 3 for each additional DS0 group. Step 10 no shutdown Example: Router config-voice-port no shutdown Activates the voice port. Step 11 Exit voice-port configuration mode and repeat Step 5 through Step 8 for the remaining digital voice ports. Configures any required digital voice ports.
Step 12 exit Example: Router config-if exit Exits to global configuration mode. Step 13 Ctrl-z Example: Router Returns to enable mode when you finish configuring interfaces. Step 5 exit Example: Router config-if exit Exits to global configuration mode. Step 4 exit Example: Router config-if exit Exits to global configuration mode. Step 3 tdm-group tdm-group-no timeslot timeslot-list Example: Router config-controller tdm-group 1 timeslot Configures a list of time slots for creating clear channel groups pass-through for time-division multiplexing TDM cross-connect.
Step 4 exit Example: Router config-controller exit Exits to global controller mode. Step 6 no keepalive Example: Router config-if no keepalive Sets the no keepalive function. Step 7 exit Example: Router config-if exit Exits serial interface mode. Step 8 connect id serial-1 controller-2 tdm-group-no-2 Example: Router config connect Configures cross-connect pass-through between physical serial interface and a controller. Step 6 half-duplex timer dcd-drop-delay value Example: Router config-if half-duplex timer dcd-drop-delay Specifies the time that the interface waits in controlled carrier mode.
Step 9 invert-txc Example: Router config-if invert-txc Cisco IADs that use long cables might experience high error rates when operating at higher transmission speeds, because the clock and data signals can shift out of phase. Step 11 exit Example: Router config-if exit Exits to global configuration mode. Step 12 Ctrl-z Example: Router Returns to enable mode when you finish configuring the interfaces. Step 2 Configure the following mandatory voice-port parameters: a.
Connection b. Dial type c. Signal type d. Call progress tone Step 3 Optional Configure a description. Perform the following steps to configure FXO voice ports. Step 8 cptone local Example: Router config-voice-port cptone ca Configures the appropriate call progress tone for the local region. Step 10 exit Example: Router config-voice-port exit Exits to voice-port mode. Step 11 Ctrl-z Example: Router Returns to enable mode when you finish configuring the interfaces.
Perform the following steps to configure FXS voice ports. Step 6 cptone local Example: Router config-voice-port cptone ca Configures the appropriate call progress tone for the local region. Step 8 exit Example: Router config-voice-port exit Exits to voice-port mode.
Step 9 Ctrl-z Example: Router Returns to enable mode when you finish configuring the interfaces. Step 5 exit Example: Router config-ctrl exit Exits to controller mode. Step 7 ip address ip address subnet mask Example: Router config-if ip address Step 8 atm uni-version version-number Example: Router config-if atm uni-version 3.
Step 18 exit Example: Router config exit Exits global configuration mode. Configuration Tasks See the following sections for configuration tasks for this feature. Step 4 ip address ip address subnet mask Example: Router config-if ip address Step 13 exit Example: Router config exit Exits from global configuration mode. Step 6 no ip address Example: Router config-if no ip address Specifies that there is no IP address for this interface.