
Table Of Contents

Startup Configuration

Welcome

Cisco Network Services (CNS) Option

CNS Server Information

Basic Configuration

Username and Passwords

LAN Interface Configuration

DHCP Server Configuration

Domain Name Server

WAN Connection Configuration

WAN Wizard Summary

WAN Connection Configuration - No Supported Interface

Basic Firewall Configuration

Security Configuration

Startup Wizard Completed


Startup Configuration


The Startup Configuration windows guide you through the basic configuration of the router. After you complete the basic configuration, the router will be available on the LAN.


Note The Startup Configuration wizard does not support Cisco 7000 series routers.


Welcome

This wizard guides you through a basic configuration that will help you do the following:

If applicable, obtain a router configuration from a remote Cisco CNS server.

Name the router.

Specify a username and specify passwords.

Change the factory default LAN IP address.

Create a DHCP address pool for the LAN.

Identify DNS servers and your organization's domain name.

Create a WAN connection.

Create a Basic Firewall for the LAN and WAN connections.

Make settings that will enhance network security and performance.

Cisco Network Services (CNS) Option

The Cisco Network Services (CNS) Option screen gives you the option of obtaining a configuration from an external Cisco Networking Services (CNS) server. If your service provider has provided you with CNS server information, choose Use CNS. When you choose this option, the Startup Wizard collects information about your CNS server and then displays the WAN configuration windows so that you can configure the WAN connection that will connect to the CNS server and obtain the configuration. If your service provider has not provided CNS server information, or you want to configure the router using SDM, choose Do not use CNS.

Reasons why you may not be able to use CNS

You will not be able to use CNS in the following circumstances:

Your router has no installed WAN interfaces, or the router has a WAN interface that SDM does not support. SDM must be able to configure a WAN interface in order for the router to obtain the CNS configuration file. If SDM determines that it cannot configure a WAN interface, it will display an error message informing you that you cannot use CNS. If there are no WAN interfaces installed on the router, and you still want to use CNS, click Cancel to leave the Startup wizard, and close SDM. Then, install an SDM-supported WAN interface card, restart SDM, and select Use CNS in the Startup wizard. See for a list of SDM-supported interface cards.

You selected Do not use CNS, and configured a LAN and a WAN interface using the Startup wizard, and then returned to the Cisco Network Services (CNS) Options window and selected Use CNS. If you really want to use CNS, click Cancel to leave the Startup wizard, and close SDM. Then restart SDM and select Use CNS.

CNS Server Information

This window lets you enter the CNS server information provided by your service provider. Enter the IP address and login information of the CNS server so that SDM can retrieve configuration information for your router. After you enter this information and press Next, the Startup Wizard will help you configure a single WAN connection on the router so that you can connect to the CNS server and retrieve the router configuration.

Enter the CNS Server IP Address / Hostname

Enter either the IP address or host name of the CNS server on your network. If you enter a hostname, you will have to provide the IP address of a DNS server able to resolve the hostname to an IP address.

Enter the CNS ID String

Enter the device ID required to obtain the configuration file from the CNS server.

Enter the CNS Password

Enter the password used to log in to the CNS server with the user ID entered above.

Basic Configuration

The Basic Configuration screen lets you name the router that you are configuring, enter the domain name for your organization, and control access to Cisco Router and Security Device Manager (SDM) and the command-line interface (CLI).

Host Name

In this field, enter the name that you want to give the router.

Domain Name

Enter the domain name for your organization. An example of a domain name is cisco.com, but your domain name might end with a different suffix, such as .org or .net.

Date and Time Settings

Synchronize router with my local PC settings is checked by default. If you do not want to set the router's date and time using the current settings for the PC on which you are running SDM, you need to uncheck this box.

Username and Passwords

Set the username and password that SDM users and Telnet users must use to access the router.


Note You will use the username and password you set in this window the next time you use SDM, and thereafter, unless you change it. You should make it difficult to guess, and you should write it down when you enter it in case you forget it later.


User Name

Enter a username in this field.

Enter New Password

Enter the new password in this field. The password must be at least 6 characters long.

Reenter New Password

Reenter the new password for confirmation.

Enable Secret Password

The enable secret password controls access to the router's privileged mode interface by users who are accessing the router by means of Telnet or the console port. In privileged mode, users can make configuration changes and have access to other commands not available outside of this mode. Enter the enable secret password in the Enter Password field, and reenter it in the Re-Enter Password field for confirmation. The password must be at least 6 characters long.


Note Write down the enable secret password so that you do not forget it. You will not be able to read it by viewing the configuration file because it is stored in encrypted form.


LAN Interface Configuration

This window lets you configure the LAN Ethernet interface's IP address and subnet information.

If you need to change the LAN Ethernet interface's IP address and subnet information after completing the Startup wizard, you can do so in the Edit Interfaces and Connections window.

IP Address

Enter the IP address for the LAN interface in dotted-decimal format. This can be a private IP address if you intend to use Network Address Translation (NAT) or Port Address Translation (PAT). For more information about IP addresses, see IP Addresses and Subnet Masks.


Note Make a note of this address. When you complete the startup wizard and restart the router, this address is the one you will use to run SDM, not the address that was provided in the Quick Start Guide for the router.


Subnet Mask

Enter the subnet mask for the network. Obtain this value from your network administrator or service provider. The subnet mask enables the router to determine how much of the IP address is used to define the network and subnet portion of the address. See IP Addresses and Subnet Masks for more information. The value of the subnet mask also determines the number of hosts that can be on the LAN to which this router is connected.

Subnet bits

Alternatively, enter the number of bits used to define the network and subnet portion of the IP address. Your network administrator or service provider may provide the subnet mask information in this form.

DHCP Server Configuration

The Dynamic Host Configuration Protocol (DHCP) is a simple form of addressing that is used when static addressing is not necessary and when you don't need to use port numbers for specific services. DHCP dynamically allocates an IP address to a host when it logs on to the network, and reclaims the address when it logs off. In this way, addresses can be reused when hosts no longer need them. Use DHCP for assigning addresses to resources (such as PCs) on your internal network.

Enable DHCP server on LAN interface

Check this box to allow the router to assign private IP addresses to devices on the LAN. When enabled in this window, the DHCP server leases IP addresses to hosts for a period of one day. If you want to change the lease value after the startup configuration is delivered to the router, you can do so after completing the Startup Wizard in the Edit Interfaces and Connections window.

Start IP Address

SDM enters the lowest address in the IP address range in this field, based on the IP address and subnet mask that you gave the LAN interface. You can change this value to a higher address value if you want to make the DHCP address pool smaller, but you must enter an address in the same subnet as the address of the LAN interface, or SDM displays a message informing you that the address is invalid.


Note If you are configuring a Cisco 1711 or a Cisco 1712 router, you must use a Start address in the 10.10.10.0 subnet, such as 10.10.10.1 or higher. If you want to change the IP address of the VLAN 1 interface, you can do so after completing the Startup wizard. If you do change the VLAN 1 IP address to a different subnet, you must also change the DHCP pool Start address and End address to be in the same subnet.


End IP Address

SDM enters the highest valid address in the IP address range in this field, based on the IP address and subnet mask that you gave the LAN interface. You can change this value to a lower address value if you want to make the DHCP address pool smaller, but you must enter an address in the same subnet as the address of the LAN interface, or SDM displays a message informing you that the address is invalid.

Domain Name Server

The Domain Name System (DNS) maintains a list of hostnames on the Internet along with their IP addresses. DNS enables users to connect to hosts by entering their host names instead of entering their IP addresses, which are harder to remember.

Primary Domain Name Server

Enter the IP address of the primary DNS server that the router will use. Your network administrator or service provider will provide you with the IP address.

The primary DNS server is the server that the router contacts first when attempting to resolve a hostname to an IP address.


Note If you entered a host name to identify a CNS server, you must provide the IP address of at least one DNS server in this window. Your router relies on the DNS server to resolve hostnames to IP addresses, and DNS servers must be identified by IP address.


Secondary Domain Name Server

Enter the IP address of the secondary DNS server that the router will use, if one is available. Your network administrator or service provider will provide you with the IP address.

The secondary DNS server is the server that the router contacts if the primary server is not available.

Use these DNS values for DHCP clients

This box is available if a DHCP server has been enabled on the LAN interface. Check this box if you want the router's DHCP clients to be able to use the DNS servers whose IP addresses you enter in this window.

WAN Connection Configuration

The WAN Connection Configuration screen lets you select and configure one of the SDM-supported WAN interfaces on your router. Once configured, this interface will be available for connecting to the Internet or your corporate network, and can be used by the Startup Wizard to configure a basic firewall. Note that while the Startup wizard will configure only one of the WAN interfaces on your router, you can use the WAN Wizard to configure the rest of your WAN interfaces later.

Create New WAN Connection

Choose one of the WAN interfaces listed here to configure, or choose I don't want to configure a WAN connection to bypass WAN interface configuration. Choosing an interface will start the WAN Wizard to configure the interface. If you do not configure a WAN interface, the Startup Wizard will not be able to configure a basic firewall during a later stage in the Startup process.

WAN Wizard Summary

The Wizard Completed window enables you to review the basic configuration that you gave the router and to make any changes before leaving the wizard. It shows the name you gave the router, the LAN interface and its IP address and subnet mask, the starting and ending addresses of the DHCP address pool, and the WAN interface configuration, and it identifies which interfaces were configured as inside interfaces and outside interfaces on the basic firewall.

If you want to: Save the basic configuration to the router's configuration file and complete the wizard
Do this: Click Next.

If you want to: Edit part of the configuration you gave the router
Do this: Use the back buttons to return to the screen you want, and make the changes. Then return to the Wizard Complete window and save the configuration by clicking Finish.


WAN Connection Configuration - No Supported Interface

The Startup Wizard displays this screen if it cannot detect a supported WAN interface on your router. In this case, you must use the router CLI to configure an unsupported WAN interface for connection to the Internet or your corporate network. Click Next to continue the initial configuration.

Basic Firewall Configuration

The Basic Firewall Configuration screen gives you the option of letting the Startup Wizard configure a basic firewall on your WAN and LAN interfaces.


Note This feature is available if the Cisco IOS image running on your router supports the Firewall feature set.


The basic firewall will protect your network in the following ways:

Apply default access rules to inside and outside interfaces—SDM creates and applies a list of default access rules that, among other things, permit DNS and HTTP traffic and deny the private IP address space. You can display a list of the SDM default rules after completing the Startup Wizard by clicking Additional Tasks/ACL Editor.

Apply default inspection rules to outside interface—SDM creates and applies a list of default inspection rules. You can display a list of the SDM default inspection rules after completing the Startup Wizard by clicking Additional Tasks/Inspection Rule Editor.

Enable IP Unicast Reverse-Path Forwarding (RPF) on the outside interface—IP Unicast RPF is a feature that causes the router to check the source address of any packet against the interface through which the packet entered the router. If the input interface is not a feasible path to the source address according to the routing table, the packet will be dropped. This source address verification is used to defeat IP spoofing.
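The source-address check that Unicast RPF performs can be modelled in a few lines. The following is an added example, not Cisco or SDM code: the routes, interface names and packets are constructed, and it assumes a single best route per source address (no equal-cost paths).

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface). Names are hypothetical.
ROUTES = [
    ("0.0.0.0/0", "Serial0"),              # default route toward the WAN
    ("10.20.20.0/24", "FastEthernet0"),    # directly connected LAN
    ("192.168.50.0/24", "FastEthernet0"),  # static route to an inside network
]

def best_route(routes, address):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    candidates = [
        (ipaddress.ip_network(prefix), iface)
        for prefix, iface in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)

def urpf_check(routes, source, in_interface):
    """Accept only if the best route back to the source address points
    out the interface on which the packet arrived."""
    route = best_route(routes, source)
    if route is None:
        return False, "no route to source"
    network, iface = route
    if iface != in_interface:
        return False, f"route to {network} uses {iface}, not {in_interface}"
    return True, f"route to {network} uses {in_interface}"

# Constructed packets: (source address, arrival interface).
PACKETS = [
    ("198.51.100.7", "Serial0"),       # Internet host arriving on the WAN
    ("10.20.20.55", "Serial0"),        # LAN source arriving on the WAN
    ("192.168.50.9", "Serial0"),       # inside-network source on the WAN
    ("10.20.20.55", "FastEthernet0"),  # genuine LAN host
]

def run(routes=ROUTES, packets=PACKETS):
    """Return (source, interface, accepted, reason) for each packet."""
    return [(src, iface) + urpf_check(routes, src, iface) for src, iface in packets]

if __name__ == "__main__":
    for src, iface, ok, reason in run():
        print(f"{'accept' if ok else 'drop  '} {src:<15} in={iface:<14} {reason}")
```

Because the default route points out the WAN interface, the check on that interface only rejects sources that have a more specific route through another interface, which is why it catches packets claiming inside addresses.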

If you choose to let the Startup Wizard configure the basic firewall, you will be able to modify the firewall configuration later using the Firewall wizard and the SDM Advanced Firewall configuration. If you choose not to have a basic firewall configured, you can configure one later using the Firewall Wizard.

Security Configuration

This window lets you disable features that are on by default in the Cisco IOS software, but that can create security risks, or make the router send messages at such a high volume that it would use up its available memory. You should leave the boxes checked unless you know that your requirements are different.

If you allow SDM to make these settings and you later want to change any of them, you can do so. For example, if you want to allow more hosts on the network to be able to access SDM, you can create access rule entries to permit additional hosts to log on to SDM.

Disable SNMP Services on Your Router

Check this box to disable the SNMP service on your router. For an explanation of why SNMP should be disabled, see the help topic Disable SNMP.

Disable Services that Involve Security Risks

Check this box to disable the following services on the router. For an explanation of why these services should be disabled, click the links below:

Disable Finger Service

Disable PAD Service

Disable TCP Small Servers Service

Disable UDP Small Servers Service

Disable IP BOOTP Server Service

Disable IP Identification Service

Disable CDP

Disable IP Source Route

Disable IP Gratuitous ARPs

Disable IP Redirects

Disable IP Proxy ARP

Disable IP Directed Broadcast

Disable MOP Service

Disable IP Unreachables

Disable IP Unreachables on NULL Interface

Disable IP Mask Reply

Enable Services for Enhanced Security on the Router/Network

Check this box to enable the following security-enhancing features and services on your router. For an explanation of these services and features, click the links below:

Enable NetFlow Switching

Enable TCP Keepalives for Inbound Telnet Sessions

Enable TCP Keepalives for Outbound Telnet Sessions

Enable Sequence Numbers and Time Stamps on Debugs

Enable IP CEF

Set Scheduler Interval

Set Scheduler Allocate

Set TCP Synwait Time

Enable Logging

Enable Unicast RPF on Outside Interfaces

Enable Firewall on All of the Outside Interfaces

Enhance Security on Router Access

Check this box to implement the following security-enhancing configurations on your router. For an explanation of these services and features, click the links below:

Set Access Class on HTTP Server Service

Set Access Class on VTY Lines

Set Minimum Password Length to Less Than 6 Characters

Set Authentication Failure Rate to Less Than 3 Retries

Set Banner

Set Enable Secret Password

Enable Telnet Settings

Set Users

Enable SSH for Access to the Router


Note After completing the Startup wizard, you must enable an SSH key in the System Properties SSH window in Additional Tasks/Router Access/SSH in order to fully enable SSH access.


Encrypt Passwords

Check this box to enable password encryption. For more information, see the help topic Enable Password Encryption Service.
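After the wizard delivers the configuration, the settings can be checked against a saved copy of the router configuration. The following is an added example, not part of SDM: the command strings are standard Cisco IOS global commands, their pairing with the checkbox names is this example's assumption (the page does not list the commands), only a subset of items is covered, and the sample configuration is constructed.

```python
# Checkbox name from the Security Configuration window -> IOS global command
# expected in the configuration (pairing assumed by this example).
EXPECTED = {
    "Disable PAD Service": "no service pad",
    "Disable TCP Small Servers Service": "no service tcp-small-servers",
    "Disable UDP Small Servers Service": "no service udp-small-servers",
    "Disable IP BOOTP Server Service": "no ip bootp server",
    "Disable IP Identification Service": "no ip identd",
    "Disable CDP": "no cdp run",
    "Disable IP Source Route": "no ip source-route",
    "Enable TCP Keepalives for Inbound Telnet Sessions": "service tcp-keepalives-in",
    "Enable TCP Keepalives for Outbound Telnet Sessions": "service tcp-keepalives-out",
    "Enable IP CEF": "ip cef",
    "Encrypt Passwords": "service password-encryption",
}

# Constructed sample configuration text.
SAMPLE = """\
hostname branch-rtr
service password-encryption
service tcp-keepalives-in
no service pad
service udp-small-servers
no ip source-route
ip cef
no cdp run
interface FastEthernet0
 ip address 10.20.20.1 255.255.255.0
 no cdp enable
"""

def global_lines(config_text):
    """Top-level commands only: indented lines belong to a sub-mode such as
    an interface and must not satisfy a global check."""
    return {ln.rstrip() for ln in config_text.splitlines()
            if ln and not ln[0].isspace() and not ln.startswith("!")}

def opposite(command):
    """'no X' <-> 'X', to detect a setting explicitly configured the other way."""
    return command[3:] if command.startswith("no ") else "no " + command

def audit(config_text):
    """Map each checkbox to 'set', 'contradicted' or 'not shown'.
    'not shown' is not a failure: IOS omits commands that match the
    release default, so confirm those items on the device itself."""
    lines = global_lines(config_text)
    return {box: "set" if cmd in lines
            else "contradicted" if opposite(cmd) in lines
            else "not shown"
            for box, cmd in EXPECTED.items()}

if __name__ == "__main__":
    for box, status in audit(SAMPLE).items():
        print(f"{status:<13} {box}")
```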

Startup Wizard Completed

Click Finish to save the data you entered to the router's configuration file.


Note When you click Finish, you will lose the connection to SDM because you have given the LAN interface a new IP address. To be able to reconnect to SDM, you must ensure that the PC remains in the same subnet as the router. If you configured the router as a DHCP server, you must configure the PC to obtain an IP address automatically, and then open a command window and enter the ipconfig /release command followed by the ipconfig /renew command. If the router is not configured as a DHCP server, you must give the PC a static IP address in the same subnet as the router.

After preparing the PC, you must reconnect your browser to SDM by entering the new IP address that you gave the router's LAN interface in the browser (http://new IP address). For example, if you changed the LAN IP address to 10.20.20.1, you would enter http://10.20.20.1 in the web browser to start SDM again.




Posted: Fri Oct 7 13:48:01 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.