170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Cisco Systems, Inc.
Corporate Headquarters
Tel: 800 553-NETS (6387)
Fax: 408 526-4000 408
Cisco 7100 Series VPN Configuration Guide
Documentation CD-ROM
Note: If you are a network administrator and need personal technical assistance with a C
Comprehensive Configuration Examples
 set peer 172.16.2.7
 set transform-set proposal4
 match address 111
!
in
Headquarters Router Configuration
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 4421
Business Partner Router Configuration
bus-ptnr# show running-config
Buil
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock s
CHAPTER 1
Using Cisco IOS Software
This chapter provides helpful tips for understanding and configuring Cisco IOS software usi
Getting Help
Entering a question mark (?) at the system prompt displays a list of commands avai
Finding Command Options
This section provides an example of how to display syntax for a command. Th
Router(config)# controller t1 ?
  <0-3> Controller unit number
Router(config)# controller t
Router(config-controller)# cas-group ?
  <0-23> Channel number
Router(config-controller)# cas-gr
Router(config-controller)# cas-group 1 timeslots ?
  <1-24> List of timeslots which compris
Router(config-controller)# cas-group 1 timeslots 1-24 type ?
  e&m-fgb E & M Type II FGB
  e&
Understanding Command Modes
The Cisco IOS user interface is divided into many di
Summary of Main Command Modes
The configuration modes allow you to make changes to the running configuration. If you later sa
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMME
For more information regarding command modes, refer to the “Using the Command
Using the no and default Forms of Commands
Almost every configuration command al
CHAPTER 2
Before You Begin
This chapter provides an overview of the business scenarios covered in this guide, items you should consid
Overview of Business Scenarios
In each scenario, a tunnel is constructed, encryption is applied on the tunn
Considerations
The following are considerations to observe when configuring a VPN on your Cisco 7100 series router:
• S
— Be careful not to violate access control lists. You can configure a tunnel with a source and
— Think about access control before you connect a console port to the network in any way, including attaching a mode
— Normally, you should disable directed broadcasts for all applicable protocols on your firewa
Assumptions
This guide assumes the following:
• You have successfully installed, powered on, and initially configured you
Preface
This preface describes the purpose, objectives, audience, organization, and conventions of the Cisco 7100 Series VPN Configuration Gu
On CCO, follow this path:
Service and Support: Technical Documents: Documentation Home Page: Cis
CHAPTER 3
Intranet VPN Business Scenario
This chapter explains the basic tasks for configuring an IP-based, intranet Vir
Scenario Description
Figure 3-1 shows a headquarters network providing a remote office a
Figure 3-2 Intranet VPN Scenario Physical Elements
The configuration steps in the following secti
Table 3-1 Physical Elements
Step 1—Configuring the Tunnel
Tunneling provides a w
Figure 3-3 IP Tunneling Terminology and Concepts
GRE is capable of handling the transpo
Configuring the Tunnel Interface, Source, and Destination
To configure a GRE tun
Verifying the Tunnel Interface, Source, and Destination
Note: When configuring GRE, you must have only Cisco routers o
 Queueing strategy: fifo
 Output queue 0/0, 0 drops; input queue 0/75
Step 2—Configuring Quality of Service
You configure QoS features throughout a network to provide for end-to-end QoS d
Audience
The intranet and extranet business scenarios introduced in this guide include specific tasks and co
Configuring Weighted Fair Queuing
WFQ provides traffic priority management
Verifying Weighted Fair Queuing
To verify the configuration:
• Enter the show interfac
Step 3—Configuring Encryption
IPSec is a framework of open standards, developed by the Internet Engineerin
Configuring IKE Policies
Note: This section only contains basic configuration information for enabling encryption serv
Creating Policies
To create an IKE policy, complete the following steps starti
Additional Configuration Required for IKE Policies
Depending on which authentication method
• Preshared keys authentication method: If you specify preshared keys as the
Note: Set an ISAKMP identity whenever you specify preshared keys. The address keyword is typ
Verifying IKE Policies
To verify the configuration:
• Enter the show crypto isak
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software copyright 1990 by Meridian Techn
Organization
The major sections of this guide are as follows:
Where to Get the Latest Version of This Guide
The hard copy of this
Setting Global Lifetimes for IPSec Security Associations
You can change the gl
Configuring IPSec
Creating Crypto Access Lists
Crypto access lists are used to define which IP traffic will be protected
Defining Transform Sets
A transform set represents a certain combination of se
Note: AH and ESP can be used independently or together, although for most applications just one of
Note: In IPSec transport mode, only the IP payload is encrypted, and the orig
Figure 3-4 IPSec in Tunnel and Transport Modes
Verifying Transform Sets
To verify the configuration:
Configuring Crypto Maps
Crypto map entries created for IPSec pull together the
When two peers try to establish a SA, they must each have at least one crypto map entry that
Creating Crypto Map Entries
To create a crypto map entry that will use IKE to
Verifying Crypto Map Entries
To verify the configuration:
• Enter the show crypto map EXEC com
Related Documentation
Your Cisco 7100 series router and the Cisco IOS software running o
Tips
If you have trouble, make sure you are using the correct IP addresses. Ap
For redundancy, you could apply the same crypto map set to more than one interface. The defa
Verifying Crypto Map Interface Associations
To verify the co
Step 4—Configuring Cisco IOS Firewall Features
You can use Cisco IOS Firewall features to configure your Cisco IOS r
Note: Refer to the “Traffic Filtering and Firewalls” part of
Creating Extended Access Lists Using Access List Numbers
To
Applying Access Lists to Interfaces
After you create an acce
Verifying Extended Access Lists Are Applied Correctly
To verif
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootfla
Headquarters Router Configuration
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
— For information on setting up quality of service (QoS), refer to the Quality of Service Solutions Configuration Guide
Remote Office Router Configuration
ro-rtp# show running-config
Building c
interface FastEthernet0/0
 ip address 10.1.4.2 255.255.255.0
 no ip directed-broad
CHAPTER 4
Extranet VPN Business Scenario
This chapter explains the basic tasks for configuring an IP-based, extranet Vir
Scenario Description
The extranet scenario introduced in Figure 4-1 builds on the intra
The IPSec tunnel between the two sites is configured on the second serial interface in chassis sl
Table 4-1 lists the scenario’s physical elements.
Table 4-1 P
Step 1—Configuring Network Address Translation
2 Verifying Static Inside Source Address Translation
Static translation
Figure 4-3 NAT Inside Source Translation
The following proces
Configuring Static Inside Source Address Translation
5 When the router receives the packet with the inside global IP a
Conventions
Command descriptions use the following conventions:
Convention Description
boldface fo
Verifying Static Inside Source Address Translation
To verify
Step 2—Configuring Encryption and an IPSec Tunnel
For the ISM in slo
Configuring a Different Shared Key
Because preshared keys
Note: Set an ISAKMP identity whenever you specify preshared keys. The addres
5 Defining Transform Sets and Configuring IPSec Tunnel Mod
Configuring IPSec and IPSec Tunnel Mode
Verifying Crypto Access Lists
To verify the configuration:
• Enter the show ac
Note: AH and ESP can be used independently or together, a
Note: In IPSec tunnel mode, the entire original IP datagram is encrypted, an
Figure 4-4 IPSec in Tunnel and Transport Modes
Verifying
Configuring Crypto Maps
For IPSec to succeed between two IPSec peers, both peers’ crypto map en
Cisco Connection Online
Cisco Connection Online (CCO) is Cisco Systems’ primary, real-time support channel. Maintena
Creating Crypto Map Entries
To create crypto map entries
Verifying Crypto Map Entries
To verify the configuration:
• Enter the show crypto map EXEC com
Tips
If you have trouble, make sure you are using the cor
For redundancy, you could apply the same crypto map set to more than one interface. The defa
Step 3—Configuring Quality of Service
Cisco IOS QoS service models, fe
Verifying Weighted Fair Queuing
To verify the configuration:
• Enter the show interfac
Note: Refer to the “Traffic Filtering and Firewalls” part of
Step 4—Configuring Cisco IOS Firewall Features
Verifying Extended Access Lists
To verify the configuration:
• Enter th
For inbound access lists, after receiving a packet, the Cis
Comprehensive Configuration Examples
Following are comprehensive sample configurati