Solved

Cisco 3660 Config Explanation

Posted on 2005-03-14
Last Modified: 2013-12-12
Can anyone please describe what I am looking at in the following config, line by line starting with the interfaces? I am a Cisco newbie. Thanks a million for your help.  

aaa authentication login default local-case
aaa session-id common
ip subnet-zero
ip cef
no ip domain lookup
ip name-server xxx.xx.xx.xx

interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address xx.xxx.xxx.xxx 255.255.255.224
 duplex auto
 speed auto
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial1/0.1 point-to-point
 ip unnumbered FastEthernet0/1
 frame-relay interface-dlci xxx IETF  
!
interface Serial1/1
 no ip address
 ip access-group 115 in
 encapsulation frame-relay IETF
 shutdown
 service-module t1 timeslots 1-2
!
interface Serial1/1.1 point-to-point
 bandwidth 128
 ip address 172.16.252.1 255.255.255.252
 ip nat inside
 shutdown
 frame-relay interface-dlci xxx CISCO  
!
ip nat pool Newark xx.xxx.xxx.xxx xx.xxx.xxx.xxx netmask 255.255.255.0
ip nat inside source list 110 pool overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0.1
ip route 172.16.1.0 255.255.255.0 xx.xxx.xxx.xxx
ip route 172.16.10.0 255.255.255.0 xx.xxx.xxx.xxx
!
!
logging xx.xxx.xxx.xxx
access-list 10 permit xx.x.xx.x 0.0.0.255
access-list 50 permit xx.xxx.xxx.xxx
access-list 50 deny   any log
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.251.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 any
access-list 115 permit tcp any any established
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community xxxxxxxxxxxxx
snmp-server community xxxxxxxxx  RW 50
snmp-server location Internet Router 3660
snmp-server enable traps tty
snmp-server host xx.xxx.xxx.xx xxxxxxxxxxx
radius-server authorization permit missing Service-Type
line con 0
 password 7 xxxxxxxxxxxxx
line aux 0
line vty 0 4
 access-class 10 in
 password 7 xxxxxxxxxxxxxxxx
ntp clock-period 17180442
ntp server xxx.x.xx.xx

end

Border#
Question by:ITHCI
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13541428
I'll do my best....

//-- enable aaa authentication. Choices are TACACS+, RADIUS and LOCAL. This is setup to use local username/password database
//--I would expect to see something like this to go with it:
  username <user1> password <encrypted password>
  username <user2> password <encrypted password>
//--and this command appears missing:
  aaa new-model

aaa authentication login default local-case
aaa session-id common

//-- enable the router to use subnet zero. Strict RFC standards restrict the use of subnet 0 and broadcast subnets.
//-- without this command, you could not use something like 192.168.0.0/24
ip subnet-zero

//-- "cef" stands for Cisco Express Forwarding, or Fastswitching. Lets the router "switch" traffic if it can rather than "route" all of it
ip cef

//-- From the router console, don't try to do a name lookup if I fat-finger in a command. If you don't enter this command, and you
//-- are at the router prompt and mis-type a command, you have to wait for the router trying to do a namelookup on the misspelling
no ip domain lookup

//-- this is the nameserver that the router will use to try to resolve names if you don't disable lookup above
ip name-server xxx.xx.xx.xx

//-- Interface FastEthernet 0/0 is not used. It does not have an ip address and is "administratively down"
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!

//-- Interface FastEthernet 0/1 appears to be your LAN interface, with a specified IP address
interface FastEthernet0/1
 ip address xx.xxx.xxx.xxx 255.255.255.224
 duplex auto
 speed auto

//-- This interface is also "administratively down", and not in use
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
//-- this appears to be the first of 2 T1 frame-relay interfaces. IP address is not assigned to the major interface, but
//-- to the sub-interface instead. Encapsulation choices are HDLC, PPP, or Frame-relay
interface Serial1/0
 no ip address
 encapsulation frame-relay IETF  <== 2 choices of encapsulation type - IETF and CISCO, dictated by what is at the other end
 frame-relay lmi-type ansi  <== lmi-type is dictated by the Telco
!
//-- this is the frame-relay sub-interface
interface Serial1/0.1 point-to-point

//-- don't need to assign a specific IP address to this interface, just use the same IP as the Fast 0/0
 ip unnumbered FastEthernet0/1
//-- tell the sub-interface what the telco-assigned DLCI is to use
 frame-relay interface-dlci xxx IETF  
!

interface Serial1/1
 no ip address
 ip access-group 115 in
 encapsulation frame-relay IETF
 shutdown                            <== this interface is not used
 service-module t1 timeslots 1-2
!
\\-- since this interface is also shutdown, the configuration is irrelevant, but does show an alternate configuration
\\-- with a specific IP address and "CISCO" frame encapsulation
interface Serial1/1.1 point-to-point
 bandwidth 128
 ip address 172.16.252.1 255.255.255.252
 ip nat inside
 shutdown
 frame-relay interface-dlci xxx CISCO  
!
\\-- This sets up a NAT pool, but since none of your interfaces have it applied
\\-- "nat inside" and "nat outside" - it is not being used
ip nat pool Newark xx.xxx.xxx.xxx xx.xxx.xxx.xxx netmask 255.255.255.0

\\-- more nat stuff. Use access-list 110 to define what traffic will use the nat pool
ip nat inside source list 110 pool overload

\\-- disable the internal web server. There is a web interface to the router, but it is essentially still command line, not a GUI
no ip http server

\\-- enable classless ip behavior. This is a difficult concept to explain, just suffice it to say that it is necessary
ip classless

\\-- set the default route to go out the frame-relay subinterface
ip route 0.0.0.0 0.0.0.0 Serial1/0.1

\\--set specific static routes for these two subnets
ip route 172.16.1.0 255.255.255.0 xx.xxx.xxx.xxx
ip route 172.16.10.0 255.255.255.0 xx.xxx.xxx.xxx

!
!
\\-- send all syslog to this host IP address
logging xx.xxx.xxx.xxx

\\-- This is an access-list applied to the telnet (vty) interfaces below with "access-class"
access-list 10 permit xx.x.xx.x 0.0.0.255

\\-- This access-list restricts access to the router via SNMP to those defined in the acl
access-list 50 permit xx.xxx.xxx.xxx
access-list 50 deny   any log  <== log any attempts to access snmp from non-authorized hosts

\\-- This acl defines the traffic to use the NAT pool above
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 deny   ip 172.16.100.0 0.0.0.255 172.16.251.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 any

\\-- This acl was applied to the now unused Serial 1/1  "ip access-group 115 in"
access-list 115 permit tcp any any established
access-list 115 permit ip 172.16.0.0 0.0.255.255 any

\\-- set the snmp community strings. There should be a Read Write (RW), and a Read Only (RO)
\\-- the "50" at the end applies access-list 50 restrictions
\\-- community strings are like passwords and should follow the same rules
snmp-server community xxxxxxxxxxxxx
snmp-server community xxxxxxxxx  RW 50
snmp-server location Internet Router 3660
snmp-server enable traps tty
\\-- this is the snmp-server that traps will be sent to, using the applied community string
snmp-server host xx.xxx.xxx.xx xxxxxxxxxxx

\\--not really doing anything without several other commands to define the ip address of the radius server
radius-server authorization permit missing Service-Type

\\-- This sets up a password to access the router via the console port
line con 0
 password 7 xxxxxxxxxxxxx

\\-- there are no specific configurations applied to the AUX port
line aux 0

\\-- these are for the telnet Vty sessions. Up to 5 simultaneous sessions are allowed (0 -4)
line vty 0 4
 access-class 10 in
 password 7 xxxxxxxxxxxxxxxx

\\--set by NTP service, this should not be configured by hand
ntp clock-period 17180442

\\-- set the system clock using NTP protocol, using this IP address as the master server
ntp server xxx.x.xx.xx

What else ya need to know?
0
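An added example, not part of lrmoore's answer or the poster's router configuration: a small Python check that flags the gaps the answer above points out (local AAA without `aaa new-model` or `username` lines, an SNMP community with no access-list, a NAT rule with no active inside/outside interfaces, an ACL bound only to a shutdown interface). The function names, the finding labels, the 192.0.2.1 address and the PLACEHOLDER_* community strings are assumptions made for illustration.

```python
import re

# Abridged from the question's config; address and PLACEHOLDER_* strings are constructed.
SAMPLE = """\
aaa authentication login default local-case
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.224
interface Serial1/1
 ip access-group 115 in
 shutdown
interface Serial1/1.1 point-to-point
 ip nat inside
 shutdown
ip nat inside source list 110 pool overload
snmp-server community PLACEHOLDER_RO
snmp-server community PLACEHOLDER_RW RW 50
"""

def parse_interfaces(cfg):
    """Map each interface name to the list of its indented sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def audit(cfg):
    """Return labels (hypothetical names) for the gaps noted in the answer."""
    lines = [l.strip() for l in cfg.splitlines()]
    ifaces = parse_interfaces(cfg)
    live = {n: c for n, c in ifaces.items() if "shutdown" not in c}
    out = []
    if any(l.startswith("aaa authentication") and "local" in l for l in lines):
        if "aaa new-model" not in lines:
            out.append("aaa-without-new-model")
        if not any(l.startswith("username ") for l in lines):
            out.append("local-auth-without-usernames")
    for l in lines:
        # Assumes numbered ACLs: a restricted community ends in the ACL number.
        if l.startswith("snmp-server community ") and not re.search(r"\s\d+$", l):
            out.append("snmp-community-without-acl")
    if any(l.startswith("ip nat inside source") for l in lines):
        cmds = {c for cs in live.values() for c in cs}
        if not {"ip nat inside", "ip nat outside"} <= cmds:
            out.append("nat-rule-not-applied")
    for name, cmds in ifaces.items():
        if name not in live and any(c.startswith("ip access-group") for c in cmds):
            out.append("acl-on-shutdown-interface:" + name)
    return out
```

Calling `audit(SAMPLE)` returns all five labels for the abridged config; a config that adds `aaa new-model`, a `username` line, an ACL number on every community line and active `ip nat inside`/`ip nat outside` interfaces returns an empty list.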
 
LVL 32

Expert Comment

by:harbor235
ID: 13543987
\\-- enable classless ip behavior. This is a difficult concept to explain, just suffice it to say that it is necessary
ip classless

IP addressing can adhere to the strict class boundaries such as:
Class A comprises networks 1.0.0.0 through 127.0.0.0.
Class B contains networks 128.0.0.0 through 191.255.0.0; the network number is in the first two octets.
Class C networks range from 192.0.0.0 through 223.255.255.0, with the network number contained in the first three octets.
Classes D, E, and F
Addresses falling into the range of 224.0.0.0 through 254.0.0.0 are either experimental or are reserved for special purpose use and don't specify any network.

IP classless allows the router to understand addressing outside the strict class boundaries detailed above. In other words,
it allows you to break up an address into any smaller size block you like; this is called variable length subnet masking.
If this feature is not enabled then this router will not understand VLSM.

harbor235
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13544061
Thanks, harbor235! I was working with limited time when I posted...
0

Author Comment

by:ITHCI
ID: 13544491
I guess my next question is which of the interfaces is connected to the T1 line coming in, and I am also adding another T1 line today and was wondering what I would need to do in order to do this. I am under the impression that the other T1 interface was configured for a previous configuration and is now administratively shutdown. I thus will have to change its configuration in order to add additional bandwidth to the current allocation. Is this possible?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13574229
>Serial1/0
Is connected to the existing T1

>adding another T1 line today and was wondering what I would need to do in order to do this.
Depends. What kind of T1? Another frame-relay port?

>I am under the impression that the other T1 interface was configured for a previous configuration and is now administratively shutdown. I thus will have to change its configuration in order to add additional bandwidth to the current allocation. Is this possible?
Correct, correct, and absolutely possible
Need to know details on this new T1 connection. Is it another frame-relay T1? Are you going to attempt to setup multi-link frame-relay, or two independent T1's? If it's another point-to-point frame-relay T1, we need to know the DLCI number and what IP address you want to assign. You might want to consider enabling a dynamic routing protocol like EIGRP....
0
 

Author Comment

by:ITHCI
ID: 13574375
The T1 connection will be another Frame Relay. Not sure what I need either multi-link or two independent, we are just getting another line to have more bandwidth, I imagine that I will be getting the DLCI number soon from the telcom company. Also do I need to use EIGRP? Also can I use the same IP address that is already in use as the external IP address?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13583850
If both T1's are going to the same place, no need to enable any dynamic routing, but it would be a good idea to set it with an IP address and add a static route. Keep it simple with dual connections.
Are these both Internet connections? Are they from the same ISP?

Example:
 
Interface Serial 1/1
 encapsulation frame-relay IETF
 no ip address

interface Serial1/1.1 point-to-point
 ip address xx.xx.xx.x 255.255.255.252
 frame-relay interface-dlci 500

interface Serial1/0.1 point-to-point
 ip unnumbered fast 0/0 <== change this to a /30 IP address if you can get from your telco
 ip address xx.xx.x.y 255.255.255.252
 frame-relay interface-dlci XXX

//-- it appears that your existing frame connection is an Internet connection?
ip route 0.0.0.0 0.0.0.0 Serial1/0.1
//-- add another default route out the new serial sub-interface
ip route 0.0.0.0 0.0.0.0 Serial1/1.1
0
 

Author Comment

by:ITHCI
ID: 13586737
Would this enable me to have about 3.0 mbs of bandwidth or will this just provide a failover configuration. In other words will traffic flow out both pipes for load balancing etc..?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13586774
Yes, it will load-balance *and* provide failover - but only if they are both from the same ISP.
0
 

Author Comment

by:ITHCI
ID: 13591372
1. What would I need the other Fast Ethernet connection for that seems to be installed on the WIC card?

2. Also what is the connection next to it used for? it looks like a serial, or monitor type connection?

3. By just adding what you specified including the default route how does the traffic know which interface to leave on? will the system provide load balancing? in other words will it use both T1 connections for the traffic flow, since there will be two default routes provided.

Thanks,

Bill

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13591614
1. If you have two FastEthernet interfaces, it is completely up to you what you use them for. Apparently one of them is just not being used, and that's OK.

2. I'm assuming you're talking about the Console port or the Aux port. The AUX port (black) is an async serial port, most often used to connect a modem for dial-up backup. It's been a long time since a 56k analog modem could possibly be good enough for a backup link, but some people use it as a single dial-in capability, especially for administrative access. The light blue Console port is to connect your light blue console cable to a laptop/terminal and use hyperterm to access the router. This is the primary means of connecting to and configuring a router. If you are telnetting to the router, you stand a chance to lose your telnet session depending on what type changes you make.

3. That depends. You have not yet answered the basic question - are both lines to the same ISP?
If the answer is yes, then having two equal-cost default routes will automatically load-balance packet-by-packet. You have the option to enable CEF and change that load-balancing to per-connection.

ip route 0.0.0.0 0.0.0.0 Serial1/0.1  <== 1st packet goes out this interface
ip route 0.0.0.0 0.0.0.0 Serial1/1.1  <== 2nd packet goes out this interface


0
 

Author Comment

by:ITHCI
ID: 13591707
2. I see the aux and console port but those are on the Cisco box itself the connection that I am talking about seems to be on the wic card and I guess is about 15 pin female connection. next to ethernet 0.

3. Also the lines are both from the same ISP.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13592752
2. OK. This is an AUI port. Seldom used any more, but I've seen something like a Fiber transceiver with AUI interface connected to this. Old 2500 series routers only had an AUI port for Ethernet and you had no choice but to plug in a transceiver. Haven't seen one in ages..
On the 3660, this may be some other type of proprietary interface, but I've never seen it used nor have I ever seen a cable for it. It's an either/or connection. Cat5 cable directly into the RJ45 port, or some other cable/transceiver to this interface

3. OK. You should be good to go then. I would ask the ISP for a "/30" IP address for each of your two serial interfaces, then you can use IP addresses in your route statements vs interface id's.

Example:
  interface serial 1/0.1
   ip address 12.34.5.6 255.255.255.252
  interface serial 1/1.1
   ip address 12.34.5.10 255.255.255.252

ip route 0.0.0.0 0.0.0.0 12.34.5.5
ip route 0.0.0.0 0.0.0.0 12.34.5.9

0
