Cisco 3845 Router, SSH, Secure HTTP & CS-MARS

Hello,
I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using Putty. It also fails to connect using ip http secure-server both from a browser & through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
Does IOS 12.3 have issues with SSH & secure http?
I get this error in MARS:
"Error in INIT GET. Check the username/password"

Hi -
I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
Here's the results of their case:
"we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
Can you review this and see if you need to tell SSH and HTTPs to use the local database?
Please let us know.
thxs
peter

Similar Messages

  • Configuring QoS on Cisco 3845 router for Polycom Video Conferencing

    Dear All,
    We have implemented a Polycom Video Conferencing solution at our Head Office. Using this we communicate with other branch offices through WAN (2mbps, MPLS).
    The problem is that this WAN link is also used for data. When the traffic is high on the link, the voice and the video quality goes down drastically and we experience connection drops.
    At the moment we have configured our Polycom box to communicate at 512kbps speed and we would like to reserve it in our WAN link. In case, video conferencing is not happening we would like it to be utilised by other traffic.
    Can we configure QoS on our Cisco 3845 router to do this? I'm not a Cisco expert and have pressures from Management to correct this before the next conference.
    I have already googled a fair bit but couldn't find something for me.
    Could someone please tell me the exact commands that need to be given on our router to achieve this.
    I'll be very thankful for this help.
    Best Regards.

    Hi,
    You can use something like the following to guarantee 5122k of bandwidth to your video-conferencing bandwidth but to allow that bandwidth to be used by other traffic when it is not being used for video-conferencing:
    class-map VDOConf
     match ip dscp af41
    policy-map WANPolicy
     class VDOConf
      bandwidth 512
    interface
     service-policy output WANPolicy
    Note that the above assumes that your video conferencing traffic is being marked to AF41. If that is not the case, you can always match on the IP address of your polycom device using an ACL:
    class-map VDOConf
     match access-group 101
    access-list 101 permit ip .....
    Hope that helps - pls rate the post if it does.
    Paresh

  • Cisco cme paging security 3845 router password for paging access voip

    Hi,
    We have a Cisco 3845 router running CME, ephones and ephone-dn are configured, there is ephone-dn is configured for paging. The system and paging work fine. We want to give password for those who make announcement. There are currently more than 30 extensions but we only want to give paging access to three users. How can we do this?
    Thank you

    Sure. Using the same (or similar) example:
    Extensions: 2XXX
    Primary Phone: 2025552000
    We can address the need with the following:
    voice translation-rule 10
    rule 1 /^2...$/ /2025552000/
    voice translation-profile cme-to-itsp
    translate calling 10
    dial-p v 100 voip
    description Example Egress Dial Peer to ITSP
    destination-patt
    translation-profile out cme-to-itsp
    HTH.
    -Bill (http://ucguerrila.com)

  • Setting up SSH on a 3845 router?

    Greetings everyone!
    Just curious, how does one set up SSH on a cisco 3845 router? Specifically, how does one generate the RSA keys?
    It seems to be missing the "generate" subcommand for crypto. When I type crypto key the only sub-commands are lock and unlock. I'm unfamiliar with this and don't want to mess around too much since it's a production box.
    I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the ability, yes? Any guidance would be appreciated. I really would prefer not to use telnet.

    you have k9 image , it should support crypto commands, are you sure you were at the configuration mode?
    try again.., here is a link for setting up ssh in IOS.
    http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
    way to do it is open two telnet sessions to the router, in one session be in the enable mode and leave the session opened. On the other telnet session work with the SSH configuration implementation. When finished do not save the config , exit the session and open a new session using ssh to ensure you can connect and login to the router via ssh... if for any reason fails you still have the other telnet session opened to undo the ssh changes or correct them.
    also for making sure your telnet sessions do not time out while working with configs permit yourself more time by entering exec-timeout 60 <-- one hour for your vty lines.
    line vty 0 4
     exec-timeout 60
    you can also do the complete ssh implementation via console port as well.
    Regards
    PLS rate any helpful posts if it helps
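
An added example (not code from any poster or from Cisco) that checks a running-config for the prerequisites these threads name: a k9 image, a hostname and domain name for RSA key generation, `ip http authentication local` for HTTPS (the fix quoted in the first thread), and SSH with `login local` on the vty lines. Both sample configs, the function names and the non-default hostname and domain are constructed for illustration; the check assumes the IOS default of `enable` for HTTP authentication.

```python
import re

# Constructed running-config in the state the first thread describes: local
# usernames exist and telnet logins work, but SSH and HTTPS logins fail.
BROKEN = """\
hostname Router
username admin privilege 15 secret 5 <hash-placeholder>
ip http server
ip http secure-server
line vty 0 4
 password 7 <placeholder>
 login
 transport input telnet
end
"""

# Constructed corrected config (hostname and domain are made-up values).
FIXED = """\
hostname edge-rtr1
ip domain name example.net
username admin privilege 15 secret 5 <hash-placeholder>
no ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 login local
 transport input ssh
end
"""


def parse_sections(config):
    """Return (global_lines, {section_header: [sub-commands]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(text)      # indented line: sub-command
        else:
            current = text                      # column-0 line: global command
            global_lines.append(text)
            sections[text] = []
    return global_lines, sections


def audit_mgmt_access(config, image_name=""):
    """List reasons SSH/HTTPS logins with local usernames would fail or be weak."""
    glob, sections = parse_sections(config)
    findings = []
    aaa = "aaa new-model" in glob

    # The SSH thread: crypto commands need a k9 (crypto) image.
    if image_name and "k9" not in image_name.lower():
        findings.append("image: no 'k9' in image name; crypto commands may be missing")

    # RSA key generation needs a non-default hostname and a domain name.
    hostname = next((l.split()[1] for l in glob if l.startswith("hostname ")), "Router")
    if hostname == "Router":
        findings.append("keys: hostname is still the default 'Router'")
    if not any(re.match(r"ip domain[ -]name \S+", l) for l in glob):
        findings.append("keys: no 'ip domain name' configured")

    # The first thread's fix: HTTPS must be told to use the local user database.
    method = next((l.split()[3] for l in glob
                   if l.startswith("ip http authentication ")), "enable")
    if "ip http secure-server" in glob and method == "enable":
        findings.append("https: 'ip http authentication' is 'enable', local usernames unused")
    if "ip http server" in glob:
        findings.append("http: cleartext 'ip http server' is enabled")

    for header, sub in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = next((s.split()[2:] for s in sub
                           if s.startswith("transport input ")), [])
        if not {"ssh", "all"} & set(transports):
            findings.append(f"{header}: 'transport input' does not name ssh")
        if {"telnet", "all"} & set(transports):
            findings.append(f"{header}: telnet is permitted")
        if "login local" not in sub and not aaa:
            findings.append(f"{header}: no 'login local' or AAA, SSH has no user database")
    return findings


if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name)
        for finding in audit_mgmt_access(cfg):
            print("  -", finding)
```

Banner text inside a config is treated as ordinary lines by this parser, so strip banners before auditing a real capture.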

  • SIP over UDP routing in Cisco 3845

    dear friends,
    How can we configure the SIP over UDP protocol by Cisco 3845 router?
    For more details please find the attachment.

    Yes I tried but that is not helpful for me
    How can I contact those people (engage a reputable consultant, or Cisco partner)?
    Also I tried this commands in below.
    voice class codec 1
    codec preference 1 g711alaw
    dial-peer voice 3250 voip
    destination-pattern 3250
    session protocol sipv2
    session target ipv4:10.156.67.6
    session transport udp
    codec g711ulaw
    sip-ua
    retry invite 2
    retry response 2
    retry bye 2
    retry cancel 2
    no inband-alerting
    sip-server ipv4:10.156.67.6
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.157.67.1
    ip route 10.157.67.0 255.255.255.0 10.167.67.225 
    access-list 101 permit ip host 10.156.67.1 host 10.156.67.100
    access-list 101 deny   udp any eq rip any
    access-list 101 deny   udp any any eq rip
    access-list 101 deny   udp any eq isakmp any
    access-list 101 deny   udp any any eq isakmp
    access-list 101 permit ip any any
    snmp-server engineID local 000000090200003094202740
    snmp-server community public RW

  • Does Cisco 3845 with NM-16A/S support OIR feature or Hot swap for this NM.

    Dear Sir
    My customer would like to implement Cisco 3845 with NM-16A/S x 4. I found that Cisco 3845 support OIR function but I am not sure OIR function that Cisco 3845 support, it support with which NM models. Can anyone tell me that NM-16A/S on Cisco 3845 support OIR function on this NM or not.
    Thank you very much
    Wisit

    Hi,
    From what I have read from the following document.
    http://www.cisco.com/en/US/products/ps5855/products_installation_guide_chapter09186a00802ccf1d.html
    Network Modules
    Network modules install directly into slots in the rear of the router. The Cisco 3845 router supports online insertion and removal (OIR, or hot swap) of network modules. The Cisco 3825 router does not support OIR.
    Caution The Cisco 3845 router supports OIR with similar modules only. If you remove a network module, along with any installed WAN or voice interface cards, install another module and card combination exactly like it.
    Interface Cards
    Cisco 3800 series routers do not support OIR (hot swap) of interface cards inserted directly into router slots. You must turn off the router before installing or removing an interface card.
    The Cisco 3825 router and the Cisco 3845 router each provide four interface card slots, labeled on the rear panel by HWIC and a number. Each slot can be occupied by one single-wide WIC, VIC, VWIC, or HWIC.
    Hope this helps
    Sarb

  • Will on-board Gigabit Ethernet ports on a Cisco 3845 support a 100 Mb SFP?

    Hi,
    This is a very specific question - hopefully someone has tested this or run into this scenario...
    I was trying to connect a Cisco 3845 router to a 100 Mbps circuit. Specifically, I was trying to connect this circuit to the on-board Gigabit Ethernet port (Gig 0/0). This is the port that can be used as either an RJ45 or SFP slot. The only SFP I had was a multi-mode 100 Mbps SFP. When I hooked it up to Gi0/0, I got a message saying the SFP type wasn't supported on the chassis.
    I was able to deploy the 3845 and since then I haven't had the correct hardware to recreate the exact scenario. Has anyone experienced this? Is it simply because Gigabit interface on a 3845 won't support a Fast Ethernet (100 Mbps) SFP?
    Thanks.

    Not all SFP's will just plug in and work. Here are the SFP's that are considered compatible with the 3800 series ISR's.
    GLC-LH-SM= Gigabit Ethernet SFP, LC connector, LX/LH transceiver
    GLC-SX-MM= Gigabit Ethernet SFP, LC connector, SX transceiver
    GLC-ZX-SM= 1000BASE-ZX SFP
    CWDM-SFP-1470= Coarse wavelength-division multiplexing (CWDM) 1470-nm SFP Gigabit Ethernet and 1G/2G Fibre Channel (FC)
    CWDM-SFP-1490= CWDM 1490-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1510= CWDM 1510-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1530= CWDM 1530-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1550= CWDM 1550-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1570= CWDM 1570-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1590= CWDM 1590-nm SFP Gigabit Ethernet and 1G/2G FC
    CWDM-SFP-1610= CWDM 1610-nm SFP Gigabit Ethernet and 1G/2G FC
    http://www2.bt.com/static/i/media/pdf/cisco_3800_routers_faq.pdf

  • 3845 router and ios 15.1(4)m9

    Who can tell me if it is needed to purchase a license for IOS 15.1(4)M9 which is going to be installed on cisco 3845 router?

    Dear Customer,
    Unfortunately your question was raised in the wrong supportforum.
    Cisco ServiceGrid is part of Software Enabled Services. We provide Integration Services.
    However, you can raise your question in the right forum: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    Our hardware professionals will be happy to provide you any answer you need.
    thanks
    Patrick

  • CISCO 3845 - WIC-1B-S/T NOT RECOGNIZED

    Dear Sir,
    We have Cisco 3845 Router. I inserted the WIC-1B-S/T - 1 port isdn bri card to the HWIC Slot, but it is not recognized.
    Kindly help me to find out the solution.
    Thanks in advance.
    regards
    nagarajan
    hyundai motor india

    Hello Nagarajan,
    looking at the data sheet (see link below) it appears that the WIC-1B-S/T is not supported on the 3845, you need the WIC-1B-S/T-V3, as well as IOS 12.3(11)T...
    Cisco 3800 Series Integrated Services Routers
    Data Sheet
    http://www.cisco.com/en/US/products/ps5855/products_data_sheet09186a0080091b87.html
    HTH,
    GP

  • Cisco 3845 Onboard VPN Module Capability

    I have a Cisco 3845 router with on-board VPN module. I wonder whether I can use it for IPsec encryption of my 50 Mbps ethernet line. What is the maximum capacity of the on-board VPN module? When I send "sh crypto eli" command, it says max IKE session is 700 and max IPSEC-Session is 1400. Any comment will be highly appreciated.

    Yes you can use the VPN module and its maximum throughput is 180Mbps. Here's a link for reference.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html
    Hope that helps.

  • 3845 router failing to look up routes from routing table correctly!

    Hi all,
    Got a really strange issue which I am wondering if someone can point me in the right direction for. Facts of the issue:
    - Some customers, all with a specific ISP, cannot access a hosted service we host internally
    - External user can reach service but never gets a response - hence focussing on reachability of their public IP
    - Cisco 3845 router used, peers with service provider over BGP - receives full internet routing tables
    - All affected customers receive dynamic IP addresses within the same /10 public IP range
    I received an example IP address and when doing "show ip route x.x.x.x" for this IP, the router responds "Subnet not in table". When trying to traceroute to the IP, the router doesn't even go to the next hop. However, the subnet is definitely in the routing table with the correct next hop (and, for complete information, is also within the BGP updates). Before anyone asks the question :) - yes I have definitely verified that the hosts are within this subnet.
    If I put a static /32 route in for this specific IP address, everything works fine - then fails again once it's taken out.
    I literally cannot understand why the router is not correctly performing the lookup for the hosts within this subnet. I can understand a lot of potential reasons why the BGP received route wouldn't be placed in the routing table, but that is not the case here.
    Some other factors (if applicable):
    - Nothing showing in the logs
    - Plenty memory available (despite the high number of routes)
    - Plenty CPU resource available
    - No default route is ran
    I am going to restart the router and really expect this to resolve the issue (would log a TAC but this one is a bit time precious) - but it is frankly doing my head in and I assume I am missing something!
    Any help or guidance would be appreciated!

  • Cisco router + SSH ?

    Does a Cisco router support SSH? How to configure?

    Cisco routers support SSH. However, you need to have an IPSEC encryption image running on the router. Configuring SSH on a router is a simple process.
    Use this link to configure SSH:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.html#wp1007881
    HTH
    Sundar

  • I am losing configuration when I power off my Cisco 857 router

    I bought new Cisco 857 router from the shop. Router must have been used before as I couldn't go in with default username/password cisco/cisco.
    Well I followed instruction and reset password to username and password. Now I finally connected to the Cisco CP express over my IE browser.
    I found out that somebody was using a router from the shop so this is why I couldn't log to it in the first place. Anyway problem is that when I changed configuration and applied settings it remembers it until I power it off. When I power it on again it remembers all settings from that shop.
    It reverts everything back: IP address, previous level 15 account and password - everything like after password reset.
    I tried it again and it again lost settings. So I found following instruction:
    http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800a65a5.shtml
    I followed it and changed again all settings on the router. My settings are again lost after power off/on. I noticed that when I do first bit it does show
    0x2102 not 0x2142 like they think that is password reset mode.
    Here is my output from Hyper Terminal:
    =============================
    Cisco#enable
    Cisco#show start
    Using 3359 out of 131072 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Cisco
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$hpKF$Rc1tl6r45J8iHG7EN5jSk.
    !
    no aaa new-model
    !
    crypto pki trustpoint TP-self-signed-3185909327
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3185909327
     revocation-check none
     rsakeypair TP-self-signed-3185909327
    !
    !
    crypto pki certificate chain TP-self-signed-3185909327
     certificate self-signed 01 nvram:IOS-Self-Sig#5.cer
    dot11 syslog
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool ccp-pool
       import all
       network 10.10.10.0 255.255.255.248
       default-router 10.10.10.1
       lease 0 2
    !
    !
    ip cef
    no ip domain lookup
    ip domain name molinary.com
    !
    !
    !
    username admin privilege 15 secret 5 $1$jD3j$r6ROikgGsIlcMTGjkxFQ6.
    username username privilege 15 password 0 password
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     description $ES_WAN$
     ip nat outside
     ip virtual-reassembly
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
     ip address 10.10.10.1 255.255.255.248
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
    !
    interface Dialer0
     ip address dhcp
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 0 netgear01
     ppp pap sent-username [email protected] password 0 netgear01
    !
    ip forward-protocol nd
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface ATM0.1 overload
    !
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.7
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    -----------------------------------------------------------------------
    ^C
    banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
     login local
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end
    Cisco#
    Cisco#
    Cisco#
    Cisco#
    Cisco#
    Cisco#
    Cisco#
    Cisco#
    Cisco#show version
    Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Fri 22-Jan-10 14:46 by prod_rel_team
    ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
    Cisco uptime is 20 minutes
    System returned to ROM by power-on
    System image file is "flash:c850-advsecurityk9-mz.124-15.T12.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.
    Processor board ID FCZ140792J5
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    20480K bytes of processor board System flash (Intel Strataflash)
    Configuration register is 0x2102
    Cisco#
    Cisco#
    Cisco#
    Cisco#end
    Translating "end"
    % Unknown command or computer name, or unable to find computer address
    Cisco#reload
    Proceed with reload? [confirm]
    *Mar  1 01:19:27.786: %SYS-5-RELOAD: Reload requested  by username on console. Reload Reason: Reload Command.
    System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2006 by cisco Systems, Inc.
    C850 series (Board ID: 2-149) platform with 65536 Kbytes of main memory
    Booting flash:/c850-advsecurityk9-mz.124-15.T12.bin
    Self decompressing the image : ############################################## [OK]
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Fri 22-Jan-10 14:46 by prod_rel_team
    Image text-base: 0x8002007C, data-base: 0x814E7240
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.
    Processor board ID FCZ140792J5
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    20480K bytes of processor board System flash (Intel Strataflash)
    no ip dhcp use vrf connected
                   ^
    % Invalid input detected at '^' marker.
    SETUP: new interface NVI0 placed in "shutdown" state
    Press RETURN to get started!
    *Mar  1 00:00:03.952: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
    *Mar  1 00:00:03.960: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
    *Mar  1 00:00:07.244: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:08.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:08.821: %SYS-5-CONFIG_I: Configured from memory by console
    *Mar  1 01:19:27.072: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
    *Mar  1 01:19:27.352: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Fri 22-Jan-10 14:46 by prod_rel_team
    *Mar  1 01:19:27.352: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoing a cold start
    *Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
    *Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
    *Mar  1 01:19:27.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down
    *Mar  1 01:19:28.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
    *Mar  1 01:19:28.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
    *Mar  1 01:19:28.484: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down
    *Mar  1 01:19:28.848: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down
    *Mar  1 01:19:28.932: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
    *Mar  1 01:19:28.936: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
    *Mar  1 01:19:28.940: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
    *Mar  1 01:19:29.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
    *Mar  1 01:19:29.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
    *Mar  1 01:19:29.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
    *Mar  1 01:19:29.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
    *Mar  1 01:19:29.948: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    Authorized access only!
    ===========================================
    Please help me as I am stuck and can't go any further....

    Hi David White,
    Alternatively, after password recovery you can modify the configuration to be what you want, and then issue:
       write memory
    to save the configuration.  You can then verify that your changes have been saved to the startup config by issuing:
       show startup-config"
    The only good thing is that when I switch off a router it erases configuration except my new password which I created after password reset. Everything else is getting vanished (ADSL settings, DHCP, routing ) everything. Even new admin accounts I created.
    Well have a question to your above comments. I am new in Cisco so please put as much detail as you can for me to understand. When you say modify configuration do you mean to go to Cisco CP Express graphical interface and then connect router to hyper terminal and execute above commands?
    Why router doesn't remember this anyway. There must be some option to change in configuration to make thing permanent when I hit apply changes in Cisco CP Express otherwise it is pointless to have it.
    Phillip
    write memory
    is
    copy running-config startup-config"
    Can't this be done via Cisco CP Express or set up router to copy this every time I change this in graphical interface rather going to command line to acknowledge it?
    I understand your concern about this router and somebody's configuration details as you want things to be un-used when you buy them - true. ADSL details belongs to the shop which sold me the router so that is why I don't make a big problem about this. We take most of hardware from this shop and have discount and many good deals with them so I think they have been just testing it and forgot to erase their config. It might be that someone has returned router to the shop and they have repaired it and tested it.
    I hope this is a normal behaviour of this router as I have option to replace it in case this is a fault.
    Could you please write me step by step guide how can I make changed options stay permanently on router?
    thank you
    Dragan

  • Cisco 877W router and external ADSL modem

    Cisco 877W router and external ADSL modem
    In order to support ADSL2+ on a pre ADSL2+ router and in preparation for a later migration to BT infinity I am trying to configure the Router using an external adsl2+ modem appropriately.
    The original configuration had 3 ports configured as one (internal lan) vlan and bridge group together with one wireless sub-interface, the remaining port configured a second vlan and bridge group with a second wireless sub-interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
    The configuration I am attempting is similar the lan ports remain the same, but port 0 as a member of the vlan and bridge group (now a pppoe client) associated with one of the wireless sub interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless subinterface on this bridge group is configured the dialer no longer dials giving a 'no dialer string' error. If I do not configure that wireless sub interface all works well.
    If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname xxxxxxxxxxxxxxxxxxxxx
    boot-start-marker
    boot-end-marker
    logging buffered 4096 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa group server radius sdm-vpn-server-group-2
    aaa group server radius rad_eap
     server 192.168.253.1 auth-port 1812 acct-port 1813
     server 192.168.253.1 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2834265337
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2834265337
     revocation-check none
     rsakeypair TP-self-signed-2834265337
    crypto pki certificate chain TP-self-signed-2834265337
     certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
    dot11 syslog
    dot11 ssid GuestAP
       vlan 101
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 113B162712001F4A2D2B25
    dot11 ssid LanAP
       vlan 100
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       mbssid guest-mode
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.252.1 192.168.252.8
    ip dhcp excluded-address 192.168.252.15 192.168.252.254
    ip dhcp pool sdm-pool1
       import all
       network 192.168.252.0 255.255.255.0
       domain-name XXX.Local
       dns-server xxx.xxx.xxx.xxx
       default-router 192.168.252.254
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip bootp server
    no ip domain lookup
    ip domain name XXX.Local
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip reflexive-list timeout 120
    vpdn enable
    vpdn-group 1
     request-dialin
      protocol pppoe
    username administrator privilege 15 secret 5 £££££££££££££££££££££
    class-map type inspect match-any IN_to_OUT_CLASS
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-any OUT_to_IN_CLASS
     match protocol https
     match protocol smtp extended
    class-map type inspect match-any DMZ_to_IN_CLASS
     match protocol http
     match protocol https
     match protocol smtp extended
    policy-map type inspect DMZ_to_IN_POL
     class type inspect DMZ_to_IN_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect IN_to_OUT_POL
     class type inspect IN_to_OUT_CLASS
      inspect
     class class-default
      drop log
    policy-map type inspect OUT_to_IN_POL
     class type inspect OUT_to_IN_CLASS
      inspect
     class class-default
      drop log
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
     service-policy type inspect OUT_to_IN_POL
    zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
     service-policy type inspect IN_to_OUT_POL
    zone-pair security DMZ_TO_IN source DMZ destination INSIDE
     service-policy type inspect DMZ_to_IN_POL
    bridge irb
    interface Loopback0
     no ip address
    interface Null0
     no ip unreachables
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
     dsl operating-mode auto
    interface FastEthernet0
     description Outside Interface (PPPoE)
    interface FastEthernet1
     description Inside Interface
     switchport access vlan 10
    interface FastEthernet2
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface FastEthernet3
     description Inside Interface
     switchport access vlan 10
     spanning-tree portfast
    interface Dot11Radio0
     no ip address
     no ip route-cache cef
     no ip route-cache
     encryption vlan 100 mode ciphers aes-ccm tkip
     encryption vlan 101 mode ciphers aes-ccm tkip
     ssid GuestAP
     ssid LanAP
     mbssid
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2437
     station-role root
    interface Dot11Radio0.100
     description LanAP
     encapsulation dot1Q 100
     no ip route-cache
     no cdp enable
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    !interface Dot11Radio0.101
    ! description GuestAP
    ! encapsulation dot1Q 101
    ! no ip route-cache
    ! no cdp enable
    ! bridge-group 1
    ! bridge-group 1 subscriber-loop-control
    ! bridge-group 1 spanning-disabled
    ! bridge-group 1 block-unknown-source
    ! no bridge-group 1 source-learning
    ! no bridge-group 1 unicast-flooding
    interface Vlan1
     description $ES_LAN$
     no ip address
     ip virtual-reassembly
     pppoe enable group global
     pppoe-client dial-pool-number 1
     bridge-group 1
    interface Vlan10
     no ip address
     ip virtual-reassembly
     bridge-group 10
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly
     zone-member security OUTSIDE
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname XXXXXXX
     ppp chap password 7 xxxxxxxxxxxxxxxxxxx
     ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
     ppp ipcp dns request
     ppp ipcp wins request
     hold-queue 224 in
    interface Dialer0
     no ip address
    interface BVI10
     description Inside Interface
     ip address 192.168.253.254 255.255.255.0
     ip access-group 101 in
     ip helper-address 192.168.253.1
     ip nat inside
     ip virtual-reassembly
     zone-member security INSIDE
    interface BVI1
     description DMZ Interface
     ip address 192.168.252.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security DMZ
    ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
    ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
    ip access-list extended DMZ_to_IN_POL
     remark SDM_ACL Category=128
     permit ip any any
    ip access-list extended Inside_Clients_NAT
     remark SDM_ACL Category=2
     permit ip 192.168.253.0 0.0.0.255 any
    logging 192.168.253.10
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 remark SDM_ACL Category=1
    access-list 1 permit 192.168.253.0 0.0.0.255
    access-list 100 remark VTY Access-class list
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip 192.168.253.0 0.0.0.255 any
    access-list 100 deny   ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
    access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
    access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
    access-list 101 deny   tcp any host 192.168.253.254 eq telnet
    access-list 101 deny   tcp any host 192.168.253.254 eq 22
    access-list 101 deny   tcp any host 192.168.253.254 eq www
    access-list 101 deny   tcp any host 192.168.253.254 eq 443
    access-list 101 deny   tcp any host 192.168.253.254 eq cmd
    access-list 101 deny   udp any host 192.168.253.254 eq snmp
    access-list 101 permit ip any any
    access-list 199 permit ip any host 10.1.1.1
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
    radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 10 protocol ieee
    bridge 10 route ip
    banner login C Border Router
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     access-class 100 in
     privilege level 15
     length 0
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler interval 500
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
    sntp server xxx.xxx.xxx.xxx
    end

    Hi Jody,
    Apologies for the delay in replying. I have done the following:
    Made two of the FE ports vlan1,BVI1 (for LAN traffic)
    Left one port as VLAN10 as the pppoe client connected to the external modem
    Made the last port VLAN10 as well and gave it an IP address as for a DMZ client.
    I have DHCP configured to serve the DMZ addresses.
    This all works for LAN clients and also works for a client attached to that physical DMZ port.
    When I added a dot11radio sub interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
    I had never thought about this before, but if a dot11radio interface is on the same vlan (but not being part of a bridge group) why are DHCP broadcasts not propagating to all the vlan members as I would have expected? I recognise that this is a limit in my understanding.
    If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per original posting.
    I cannot add another VLAN due to the 2 vlan limit in this image.
    Finally regarding your comment about giving it what it wants, what exactly did you have in mind? The dialer already has a dial string parameters configured.
    Think I am about to give up on this.
    Regards,
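A lint pass over the kind of settings visible in the sanitised config posted in this thread, as an added example that is not part of the original posts: it flags type 7 (reversible) secrets, TKIP in the radio cipher list, the plain `ip http server`, and Telnet plus `privilege level 15` on the vty lines. The sample text is a constructed excerpt with placeholder secrets, and the rule names are this example's own.

```python
import re
import textwrap

# Constructed excerpt modelled on the posted config; secrets are placeholders.
SAMPLE = """\
dot11 ssid GuestAP
 authentication key-management wpa
 wpa-psk ascii 7 0000000000
interface Dot11Radio0
 encryption vlan 100 mode ciphers aes-ccm tkip
interface Dialer1
 ppp chap password 7 0000000000
ip http server
ip http secure-server
line vty 0 4
 privilege level 15
 transport input telnet ssh
"""

def sections(text):
    """Yield (parent, line); IOS child lines carry leading whitespace."""
    parent = ""
    for raw in textwrap.dedent(text).splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank or commented-out line
        if not raw[0].isspace():
            parent = raw.strip()
        yield parent, raw.strip()

def audit(text):
    findings = []  # (rule, parent section, offending line)
    for parent, line in sections(text):
        words = line.split()
        # Type 7 is reversible obfuscation, unlike "secret 5" hashes.
        if re.search(r"\b(password|key|ascii) 7 \S+", line):
            findings.append(("type7-secret", parent, line))
        if line == "ip http server":  # management UI over plain HTTP
            findings.append(("cleartext-http", parent, line))
        if parent.startswith("line vty"):
            if words[:2] == ["transport", "input"] and {"telnet", "all"} & set(words[2:]):
                findings.append(("cleartext-vty", parent, line))
            if line == "privilege level 15":  # sessions start fully privileged
                findings.append(("vty-priv15", parent, line))
        if words[:1] == ["encryption"] and "tkip" in words:
            findings.append(("tkip-allowed", parent, line))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A config pasted with uniform leading indentation, as in the post above, is dedented before parsing, so the parent/child structure is still recognised.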

  • Issues with 3845 Router

    I have a 3845 Router that my company just purchased. Once I log in, it says the SDM is installed on it, but I can't enable SSH on it. (2) When I configured it via the console, it did prompt for enable password, but since I took it to a region, it does not prompt for enable password again, it simply takes me to the enable mode, with the username password. I configured the enable password as ********, but it does not prompt for it. Can anyone help me with these two issues? Thanks in advance.

    RICK,
    Thank you very much for your prompt response to my request. Please find below the reports of the various "shows" that I performed.
    Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 06-Nov-06 05:34 by alnguyen
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 22 hours, 33 minutes
    System returned to ROM by reload at 01:06:07 UTC Wed Mar 17 1993
    System restarted at 01:06:57 UTC Wed Mar 17 1993
    System image file is "flash:c3845-ipbase-mz.124-3g.bin"
    Cisco 3845 (revision 1.0) with 222208K/39936K bytes of memory.
    Processor board ID FCZ110471QE
    2 Gigabit Ethernet interfaces
    4 Serial interfaces
    4 Channelized E1/PRI ports
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto key mypubkey rsa ?
    % Unrecognized command
    #show crypto key mypubkey rsa
    ^
    % Invalid input detected at '^' marker.
    #sh line vty 0 15
    Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
    * 450 450 VTY - - - - 23 2 0 0/0 -
    451 451 VTY - - - - 23 0 0 0/0 -
    452 452 VTY - - - - 23 0 0 0/0 -
    453 453 VTY - - - - 23 0 0 0/0 -
    454 454 VTY - - - - 23 0 0 0/0 -
    455 455 VTY - - - - 23 0 0 0/0 -
    456 456 VTY - - - - 23 0 0 0/0 -
    457 457 VTY - - - - 23 0 0 0/0 -
    458 458 VTY - - - - 23 0 0 0/0 -
    459 459 VTY - - - - 23 0 0 0/0 -
    460 460 VTY - - - - 23 0 0 0/0 -
    461 461 VTY - - - - 23 0 0 0/0 -
    462 462 VTY - - - - 23 0 0 0/0 -
    463 463 VTY - - - - 23 0 0 0/0 -
    464 464 VTY - - - - 23 0 0 0/0 -
    465 465 VTY - - - - 23 0 0 0/0 -
