Tuesday, April 23, 2013

FAQs: Cisco 1800, 2800, and 3800 Integrated Services Routers EOL Announcement

Cisco announced the end-of-sale and end-of-life dates for the Cisco Integrated Services Router G1. Every Cisco lover and user knows what the Cisco ISR G1 really is. With its strong performance, reliability and good price, the Cisco Integrated Services Routers G1 won a lot of supporters. But now the Cisco 1800, Cisco 2800, Cisco 3800, and even the Cisco 800 series will exit the market, and the Cisco ISR G2 will be a good successor to help Cisco router users build a greater network world.

Here, we list some FAQs to let Cisco ISR G1 users know what they need to pay attention to while the Cisco ISR G1 is exiting the Cisco market.

Q. When are Cisco Integrated Services Router 1800, 2800, and 3800 Series going End of Sale, End of Life?
A. The public announcement date for the End of Sale (EoS) and End of Life (EoL) of the Cisco Integrated Services Routers (ISR) 1841, 2800, and 3800 Series is Nov. 1, 2010, with an effective End-of-Sale date of Nov. 1, 2011. Per Cisco policy, Cisco will provide an additional 5 years of support from the End-of-Sale date. The last day of support is Nov. 1, 2016.

Table 1. Integrated Services Routers G1 Key End-of-Sale and End-of-Support dates

| Key Dates | Milestone |
|---|---|
| Nov. 1st, 2010 | Public EoS Announcement for the Cisco 1841, 2800 and 3800 Series |
| March 2011 | Cisco IOS 15.1(4)M release. No new software features (bug-fixes only until End of Software Maintenance). |
| Oct. 31, 2011 | Cisco 1841, 2800 and 3800 Series End of Sale date |
| January 30, 2012 | Hardware last ship date |
| Oct. 31, 2014 | End of Software Maintenance |
| Oct. 31, 2015 | Last date for SMARTnet renewal |
| Oct. 31, 2016 | Last date of Hardware support |

Q. Will all the products within the 1841, 2800 and 3800 Series go End of Sale at the same time?
A. The following modular Integrated Services Routers and their associated bundles will go End of Sale on Nov. 1, 2011:
• Cisco 1841
• Cisco 2801
• Cisco 2811
• Cisco 2821
• Cisco 2851
• Cisco 3825
• Cisco 3845
*Note: For select countries in Asia and Latin America there will be other replacement products available. Please contact your local Cisco representative for further details.

Q. Is the 1861 going End of Sale at the same time as the 1841?
A. No, the 1861 and associated bundles are not going End of Sale at the same time as the 1841. The 1861 was introduced later than the 1841 and is still a key product in the 1800 portfolio, offering unique functionality at strategic price points.

Q. Are the 1800 Fixed routers going End of Sale at the same time as the 1841?
A. No, the 1800 fixed routers (1801, 1802, 1803, 1805) are not going End of Sale at this time. When End-of-Sale notifications for these products are announced, they will be sent out according to Cisco's end-of-life policy.
Future End-of-Sale announcements for these products will be posted at:
The End-of-Sale announcements for Cisco 1811 and 1812 routers have been announced and can be found at: http://www.cisco.com/en/US/products/ps5853/prod_eol_notices_list.html

Q. What is the reason for the End-of-Life announcement?
A. The Integrated Services Router 1841, 2800, and 3800 Series product families have led the access routing market for the past 6 years; however, with greater demands in the branch for higher performance for next-generation WAN connectivity, increased media collaboration, video and virtualization applications, Services on Demand, and greater improvements in energy savings, a new generation of Integrated Services Routers platforms is required.

Built on 25 years of innovation and product leadership along with broad market acceptance, the Integrated Service Routers Generation 2 continues to optimize service integration to transform the branch office experience with the speed, scale, and flexibility to deliver tomorrow's services transparently at a low cost of ownership.

Q. What are the recommended migration paths for Cisco 1800, 2800, and 3800 Series?
A. It is recommended that customers migrate to the Integrated Service Routers Generation 2 (ISR G2) 1900, 2900, and 3900 Series. The ISR G2s offer from 3x to 8x performance improvements over the current generation. The ISR G2 platforms are architected to enable the next phase of branch-office evolution, providing rich media collaboration and virtualization to the branch while maximizing operational cost savings. The new Integrated Services Routers Generation 2 are future-enabled with support for new high capacity DSPs (Digital Signal Processors) for future enhanced video capabilities, high powered service modules with improved availability, multi-core CPUs, Gigabit Ethernet switching with enhanced POE, and new energy visibility and control capabilities while enhancing overall system performance.

Additionally, a new Cisco IOS Software Universal image and Services Ready Engine module enable you to decouple the deployment of hardware and software, providing a flexible technology foundation which can quickly adapt to evolving network requirements. Overall, the Cisco 3900 Series offers unparalleled total cost of ownership savings and network agility through the intelligent integration of market leading security, unified communications, wireless, and application services.

The Cisco 2900 and 3900 Series Integrated Services Routers extend this leadership in total cost of ownership by offering Services on Demand, reducing initial capital outlays by decoupling the delivery of software from hardware on optional service modules. In addition, customers receive a Universal IOS image, capable of enabling all of Cisco's rich IOS features allowing you to quickly deploy new services without having to download a new IOS image.

The Cisco 1900, 2900 and 3900 architecture has been designed with higher efficiency power supplies that provide energy-saving features, including intelligent power management that allows customers to control power to a specific module based on time of day, with full Cisco EnergyWise feature support in the future. The 3945E, 3925E, 3945 and 3925 routers exclusively support dual power supplies with AC, DC or POE options. This enables power supply redundancy for branch or retail environments running mission critical applications.

Overall, the Cisco ISR G2 Series offers unparalleled operational savings and network agility through the continued intelligent integration of market leading security, unified communications, wireless, and application optimization services.

The recommended product migration path for base chassis and bundles is captured in the 1841, 2800 and 3800 End-of-Life and End of Sale Notices located at:
• 1800 Series EOL7249:
• 2800 Series EOL7237:
• 3800 Series EOL7247:

Q. What IOS releases will be supported on the Cisco Integrated Services Router 1800, 2800, and 3800 Series until End of Software maintenance period?
A. IOS release 15.1(4)M will be the long term IOS release supported on the 1800, 2800, and 3800 Series through the end of software maintenance. Software maintenance on 15.1(4)M will be offered until Nov. 1, 2014.

Q. What options do I have for software support if I cannot migrate to 15.1(4)M because of insufficient memory on my Cisco Integrated Services Router 1800, 2800 or 3800?
A. Software maintenance of IOS release 12.4(24)T will be extended through Oct 2012 for those customers who cannot migrate to 15.1(4)M. Customers desiring software support on 1800, 2800 or 3800 from Oct 2012 through the EoSM date (Oct 2014) must migrate to 15.1(4)M.

Q. What are the core value propositions offered on the Integrated Services Routers?
A. The key value propositions of the ISR G2 portfolio are:
• Industry leading end-to-end architectures and features
– Borderless Networks, EnergyWise, Medianet
– Routing, Voice/Video, Security, WAN optimization
• Integration reduces Total Cost of Ownership
– Interoperability, higher availability
– Lower energy use, fewer service contracts
• Evolving as business changes
– Services on-demand
– Continuous development of new software and hardware features
Table 2. Cisco ISR G2 key benefits over the ISR G1

| Key Benefits | Cisco ISR | Cisco ISR G2 |
|---|---|---|
| WAN Performance | Up to 45Mbps with Services | Up to 350Mbps with Services |
| Network Processor | Single Core | |
| Service Module Performance and Capacity | Up to 160GB storage | Up to 7X with dual core and 1TB of storage |
| On-board DSPs | | Voice + Video |
| Integrated Switching | Fast Ethernet with POE. Based on Catalyst 3560/3750 | FE/GE Ethernet with EPOE. Based on Catalyst 3560X/2960S |
| IOS Image | | Single Universal IOS image |
| Service Delivery | Hardware Coupled | Services On-Demand |
| | Single Motherboard | Field upgradeable Motherboards (3900 Series), Redundant power supplies |
| | | EnergyWise with slot based controls |

Q. What are some of the key reasons customers choose to migrate from the ISR G1 to ISR G2 platforms today?
A. Key elements driving the migration to the ISR G2s today are:
• Video in the Network: Designed to deliver video to remote locations - enable video streaming, conferencing, transcoding, trans-rating using PVDM3 DSPs
• Services On-Demand: Offers a flexible model to deploy applications in the branch without a separate truck-roll, decoupling purchase cycles for router and Services Ready Engine (SRE) module from the application
• Migration to Ethernet WAN: ISR G2s offer 3-8x higher performance than previous generation ISR platforms and the broadest range of WAN options
• Increasing scale of UC deployments: ISR G2s roughly double the scale of CME and SRST support, up to 450 and 1,500 phones, and up to 24 T1/E1s for voice gateway functions
• Optimizing WAN usage: With WAAS on SRE or Wide-Area Application Services (WAAS) Express, enhancing application performance and richer-media experience in remote locations with low-speed links
• SIP Trunking: ISR G2 routers with CUBE features act as Session Border Controllers to allow customers to migrate from TDM to SIP trunking environments, scaling up to 2,500 SIP sessions
• Securing the Branch: Delivers the most comprehensive architectures for VPN deployment between sites along with Stateful Firewall and UTM capabilities for remote locations

Q. What are some of the key business drivers for migration at the Branch office?
A. Some of the key business drivers are:
• Geographical expansion/consolidation including mergers or reorganization
• Regulatory compliance: PCI, HIPAA, SOX, physical security, etc.
• New business models-innovative service, production process, QA projects
• Increased employee productivity initiatives, cost savings
• Training, distance learning or e-learning projects
• Green initiatives to reduce energy use and promote sustainability

Q. What are some of the key technical drivers for migration at the Branch office?
A. Some of the key technical drivers are:
• Current and near future End of Software and hardware support for Cisco 1600, 1700, 2600, 3600, 3700 Series routers
• Planned deployment of video & rich-media collaboration in the Branch
• Data center consolidation (support remote office application performance)
• Pervasive wireless or new types of mobile devices requiring 802.11n coverage
• New security initiatives such as threat defense, video surveillance

Q. I would like to learn more about the difference between the Integrated Services Router 1900, 2900 and 3900 Series products, where can I find this information?
A. Detailed comparisons are located in the ISR G2 At-a-Glance document located at http://www.cisco.com/en/US/products/ps10537/product_at_a_glance_list.html
For more information on the ISR G2 products and the latest innovations please refer to the URL below: http://www.cisco.com/en/US/products/ps10906/Products_Sub_Category_Home.html

Q. Will the spare DRAM and Compact Flash memory, power supplies, rack mounts and cables go End of Sale at the same time?
A. No, spare DRAM and Compact Flash memory for field upgrades, AC, AC-IP, DC power supplies, rack mount kits, and specific cables will be orderable until Nov. 1, 2012.


Tuesday, April 16, 2013

How to Configure Static and Dynamic Port Security?

In this topic we will cover Switch Port Security, as a required topic for the Cisco CCNA exam. We will also give you hands-on examples on how to configure static and dynamic port security.

An unsecured switch port allows an attacker to attach a device to it and use it for attacks and information gathering. Leaving an unused port unsecured must be avoided in real life. You definitely don't want an unauthorized person to get sensitive information, such as usernames, passwords, credit cards or even the configuration of your devices, from your network. Therefore, before you deploy your switch in the production environment, make sure you have taken all the security measures.

Switch port security limits the number of valid MAC addresses allowed on a port. When a MAC address or a group of MAC addresses is configured for switch port security, the switch accepts frames on that port only from the devices using those MAC addresses. Any packet coming from another device is discarded by the switch as soon as it arrives on the switch port.

If you limit the number of MAC addresses allowed on a port to only one, only one device will be able to connect to that port and will get the full bandwidth of the port.

If the maximum number of secure MAC addresses has been reached, a security violation occurs when a device with a different MAC address tries to attach to that port. In most of today's scenarios, when the switch detects a security violation, it automatically shuts down that port. A switch can also be configured to only protect or restrict that port. We will discuss these security violation modes a little bit later.

Secure MAC addresses are of three types:
  • Static secure MAC addresses – configured manually with switchport port-security mac-address mac-address. These MAC addresses are stored in the address table and in the running configuration of the switch.
  • Dynamic secure MAC addresses – learned dynamically by the switch and stored only in its MAC address table. They are removed when the switch restarts.
  • Sticky secure MAC addresses – like dynamic secure MAC addresses, these are learned dynamically, but they are also saved in the running configuration.

Sticky secure MAC addresses have these characteristics:
  • Are learned dynamically then converted to sticky secure MAC addresses and stored in the running configuration.
  • When you disable the sticky learning, the learned addresses remain part of the MAC address table but are removed from the configuration.
  • When you disable port security, the sticky secure MAC addresses remain in the running configuration.
  • If you save the addresses in the configuration file, when the switch restarts or the interface shuts down, the switch does not need to relearn the addresses.

On a Cisco switch, you can configure three types of security violation modes. A security violation occurs when the maximum number of MAC addresses has been reached and a new device whose MAC address is not in the address table attempts to connect to the interface, or when a learned MAC address on an interface is seen on another secure interface in the same VLAN.

Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:
  • protect – when the maximum number of secure MAC addresses has been reached, packets from devices with unknown source addresses are dropped until you remove the necessary number of secure MAC addresses from the table. In this mode, you are not notified when a security violation occurs.
  • restrict – identical to protect mode, but notifies you when a security violation occurs. Specifically, an SNMP trap is sent, a syslog message is logged and the violation counter increments.
  • shutdown – this is the default behavior on a switch. In this mode, the switch port shuts down when the violation occurs. Also, an SNMP trap is sent and the message is logged. You can enable the port again with the no shutdown interface configuration command.
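The three modes are easiest to compare side by side. The following Python model is an added example, not code from the original article or from Cisco: the `SecurePort` class, the `run` helper and the sample MAC addresses are constructed for illustration, and the model is deliberately simplified (one port, no aging, no static entries).

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Simplified model of one access port with port security enabled."""
    maximum: int = 1              # default: one secure MAC address
    violation: str = "shutdown"   # default violation mode
    sticky: bool = False          # default: sticky learning disabled
    table: dict = field(default_factory=dict)          # MAC -> address type
    violation_count: int = 0
    notifications: list = field(default_factory=list)  # stands in for syslog/SNMP
    shut_down: bool = False

    def receive(self, src_mac: str) -> bool:
        """Process one frame; return True if it is forwarded."""
        if self.shut_down:
            return False
        if src_mac in self.table:
            return True
        if len(self.table) < self.maximum:
            # Room left: learn the address as dynamic or sticky.
            self.table[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True
        # Table is full and the source is unknown: security violation.
        if self.violation == "protect":
            return False              # dropped silently, nothing recorded
        # restrict and shutdown both notify; IOS counts the violation in both.
        self.violation_count += 1
        self.notifications.append(f"violation: {src_mac}")
        if self.violation == "shutdown":
            self.shut_down = True     # every later frame is dropped too
        return False

    def restart(self, config_saved: bool) -> None:
        """Model only the address table: dynamic entries are lost on restart,
        sticky entries survive if the configuration was saved."""
        self.table = {mac: kind for mac, kind in self.table.items()
                      if kind == "SecureSticky" and config_saved}


def run(mode: str, frames: list) -> tuple:
    """Feed frames to a port that allows two MACs; summarize what happened."""
    port = SecurePort(maximum=2, violation=mode)
    forwarded = [port.receive(mac) for mac in frames]
    return forwarded, port.violation_count, len(port.notifications), port.shut_down


# Constructed traffic: two known hosts, one extra device, then a known host again.
FRAMES = ["0050.baa6.0001", "0050.baa6.0002", "0050.baa6.0003", "0050.baa6.0001"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9}", run(mode, FRAMES))
```

The last frame is the one to watch: in protect and restrict mode the known host keeps working after the violation, while in shutdown mode it is cut off along with the offending device.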

The default configuration of a Cisco switch has port security disabled. If you enable switch port security, the default behavior is to allow only 1 MAC address and to shut down the port in case of a security violation, with sticky address learning disabled.
Next, we will enable dynamic port security on a switch.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

As you can see, we did not specify an action to be taken if a security violation occurs, nor how many MAC addresses are allowed on the port. Recalling from above, the default behavior is to shut down the port and allow only one MAC address.

Let's now configure sticky port security to allow 10 MAC addresses on the interface. If a violation occurs, we want the port to be in restrict mode.
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 10
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation restrict

Good. After you have configured port security in the desired mode on a switch, it's time to verify the configuration and the learned MAC addresses with the show port-security interface interface-id and show port-security address commands.
Switch#show port-security interface FastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Switch#show port-security address

          Secure Mac Address Table
Vlan    Mac Address       Type                Ports   Remaining Age
----    -----------       ----                -----   -------------
11    0050.BAA6.0001    SecureDynamic       Fa0/1      -
Total Addresses in System: 0
Max Addresses limit in System: 8320
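To check many ports without reading each screen by hand, the same output can be parsed and compared against the behavior described above. This is an added example, not part of the original article: `parse` and `audit` are hypothetical helper names, the first sample is the output shown above, and the second sample is constructed to show a port after a violation.

```python
import re

# Output copied from the article above.
PAGE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Constructed sample: a sticky port that was shut down by one violation.
TRIPPED_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0050.BAA6.0002:11
Security Violation Count   : 1
"""

# Split on the padded " : " separator so "Last Source Address:Vlan" stays one key.
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")


def parse(text: str) -> dict:
    """Turn 'show port-security interface' output into a field dictionary."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def audit(fields: dict) -> list:
    """Return findings a reviewer would want to follow up on."""
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled"]
    findings = []
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("protect mode: violations are dropped without notification")
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port was shut down by a security violation")
    count = int(fields.get("Security Violation Count", "0"))
    if count:
        last = fields.get("Last Source Address:Vlan", "unknown")
        findings.append(f"{count} violation(s) recorded, last source {last}")
    total = int(fields.get("Total MAC Addresses", "0"))
    pinned = (int(fields.get("Configured MAC Addresses", "0"))
              + int(fields.get("Sticky MAC Addresses", "0")))
    if total > pinned:
        findings.append("dynamic secure addresses in use: relearned after a restart")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_OUTPUT), ("tripped", TRIPPED_OUTPUT)):
        print(name, audit(parse(text)))
```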

Now, you may wonder what to do with an unused interface. Securing an unused interface is important too, and it's much simpler. The only thing you have to do is put all unused interfaces in the shutdown state with the shutdown interface configuration command.
Switch(config)#interface FastEthernet 0/2
Switch(config-if)#shutdown

In this CCNA certification topic we have covered Switch Port Security. Knowing what switch port security is and how to implement it is important. Not only may you encounter questions about this topic when you take the Cisco CCNA certification exam, but you will also see switches configured with port security in almost all real-life environments. Companies and service providers use port security to prevent attacks and unauthorized access to their networks. We hope you found this article helpful in your preparation for the CCNA exam, as well as for your day-to-day activities.

Friday, April 12, 2013

Example to Set up DynDNS on a Cisco IOS Router

How to set up no-ip.com DDNS on your Cisco IOS router that actually works!

Normally we try to set up static IP addresses for our managed routers. However, in this case the router was residential and in Singapore. Getting a static IP address was actually impossible.

I started the project by researching DDNS providers. Many of the DDNS providers that were free in the past are no longer free. However, no-ip.com still offers a free version of DDNS. The free version is under the section of their website for personal. At this time I could not find any statements on their site restricting the service to personal use. Here is a link to their site.

This procedure is easy to perform but due to lack of proper documentation and a lot of incorrect documentation, including that in the no-ip.com knowledgebase, it is more difficult than it should be.

This article assumes you have a basic knowledge of Cisco routers and know how to get into config mode and how to save your configuration.

There are three primary steps to setting up DDNS on a Cisco IOS router.
  1. Set up and confirm DNS resolution works.
  2. Set up a DDNS method to be called.
  3. Set up the external DHCP interface to call the DDNS update method.

Set up DNS resolution.
Confirm your router can ping something by name properly. A simple 'ping google.com' is an effective test. If it does not work, you can set up your router's DNS to use Google's public DNS servers with these two config lines:
  • ip dns server
  • ip name-server

Set up the DDNS method.
The method tells the router how to contact the DDNS provider, login and send the proper update command. It also controls the minimum and maximum time between DDNS updates. Do not set the maximum time too short. Many DDNS providers will lock you out if you update too frequently. I typically use one day but you need to check with your provider.

Create and name the DDNS update method.
  • ip ddns update method ddns-noip
Set the update mode to HTTP
  • HTTP

Create the ADD URL. The URL contains some special characters, mainly the '?', which is problematic to enter because the router interprets it as a call for help. Use CTRL-V just before typing the '?' and the router will place it properly. Replace [username] and [Password] with your no-ip credentials. You will need to enter your username as an email address including the '@'.
<h>&myip=<a> is a macro replaced by the router during the update with hostname and ip. i.e. hostname=myhostname.no-ip.org&myip='
  • add http://[username]:[Password]@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
Set the update interval: minimum every 5 minutes, maximum 1 day.
  • interval maximum 1 0 0 0
  • interval minimum 0 0 5 0

Apply the update to the external DHCP interface.
Select the external interface and apply the update command to call the method you just created. For the Cisco 871 router used in this configuration it is Fast Ethernet 4. Replace it with your proper interface. For PPPoE it is likely interface Dialer 0.

Substitute your own DDNS method name and the hostname to update at your DDNS provider.
  • interface FastEthernet4
  • ip ddns update hostname [DDNS hostname]
  • ip ddns update ddns-noip

Unfortunately I have not figured out a way to force a DDNS update NOW. What you can do is set your maximum update time short like 5 minutes. Turn on debugging with: debug ip ddns update.

You will get some very useful debug information. Make sure all the parameters are correct on the calls.

You may need to reload your router. I have found that changing the add command did not update properly after some changes until after a reload.

Sample Debugging Output for a working update.
*Aug 00 00:00:55.433 EDT: DYNDNSUPD: Adding DNS mapping for myhostname.no-ip.org <=>
*Aug 00 00:00:55.433 EDT: HTTPDNS: Update add called for myhostname.no-ip.org <=>
*Aug 00 00:00:55.433 EDT: HTTPDNSUPD: Session ID = 0x7
*Aug 00 00:00:55.433 EDT: HTTPDNSUPD: URL =
*Aug 00 00:00:55.433 EDT: HTTPDNSUPD: Sending request
*Aug 00 00:00:56.441 EDT: HTTPDNSUPD: Response for update myhostname.no-ip.org <=>
*Aug 00 00:00:56.441 EDT: HTTPDNSUPD: DATA START nochg
*Aug 00 00:00:56.445 EDT: HTTPDNSUPD: DATA END, Status is Response data recieved,
*Aug 00 00:00:56.445 EDT: HTTPDNSUPD: Call returned SUCCESS, update of
myhostname.no-ip.org <=> succeeded
*Aug 00 00:00:56.445 EDT: DYNDNSUPD: Another update completed (outstanding=0, total=0)
*Aug 00 00:00:56.445 EDT: HTTPDNSUPD: Clearing all session 7 info
