|
|
This chapter describes how to configure the Cisco uBR905 cable access router for data operation with features beyond those supported in the default operation mode of plug-and-play DOCSIS bridging. The following configurations are described:
Depending on the Cisco IOS software image being used and the feature sets it supports, these configurations could be combined.
 |
Tips Use the commands shown in this chapter to set up a typical Cisco uBR905 router for the desired feature. Then save the configuration into a configuration file that can be downloaded to the router during power-on or reset. |
 |
Caution Incorrectly configuring the Cisco uBR905 cable access router can cause loss of network connectivity. Before attempting to reconfigure the router, print the last working configuration, and ensure remote configuration is enabled for the site. If the router does not connect to the network after you have reconfigured it, enter the cable downstream saved frequency from the printout, and then clear the interface. Power off and then power on the router. If powering off the router does not correct the problem after a few minutes, give the write erase and copy startup-config running-config commands. If network connectivity is not restored, contact your network management, provisioning, or billing system administrator to reload the software applicable to your network. |
The Cisco uBR905 router must be configured for routing mode to use advanced features such as IPsec encryption and firewall protection. The routing mode is also required if the PCs attached to the Cisco uBR905 router are on a private network or on a different subnet than the subnet used by the CMTS.
To configure the routing mode on the Cisco uBR905 router, complete the following steps:
To configure the Cisco uBR905 router, log in to the router, enter global configuration mode, and enter the following commands:
| Command | Purpose | |
|---|---|---|
Step 1 | ubr905(config)# int c 0 | Enters interface configuration mode for the cable interface. |
Step 2 | ubr905(config-if)# no cable-modem compliant bridge | Disables DOCSIS-compliant bridging. |
Step 3 | ubr905(config-if)# no bridge group number | Removes the bridge group. |
Step 4 | ubr905(config-if)# ip address docsis | Configures the cable interface to receive an IP address from the DHCP server. |
Step 5 | ubr905(config-if)# exit | Returns to global configuration mode. |
Step 6 | ubr905(config)# int e 0 | Enters interface configuration mode for Ethernet 0. |
Step 7 | ubr905(config-if)# no bridge group number | Removes the bridge group. |
Step 8 | ubr905(config-if)# ip address ip-address subnet-mask | Enters the Ethernet interface's IP address and subnet mask. |
Step 9 | ubr905(config-if)# exit | Returns to global configuration mode. |
Step 10 | ubr905(config)# ip routing | Enables IP routing for the router. |
Step 11 | To use RIPv2: ubr905(config)# router rip ubr905(config-router)# version 2 ubr905(config-router)# network cable-network-number ubr905(config-router)# network Ethernet-network-number ubr905(config-router)# exit | Enters router configuration mode. Enables RIP v2 routing. Enables routing on the cable interface's IP network. Enables routing on the Ethernet interface's IP network. Returns to global configuration mode. |
Step 12 | ubr905(config)# n o cdp run | (Optional) Disables the Cisco Discovery Protocol (CDP) on the router. CDP is a proprietary protocol for the discovery of Cisco routers running protocols other than TCP/IP. Because DOCSIS cable data networks are primarily TCP/IP networks, CDP is not necessary on the Cisco uBR905 router. |
Step 13 | ubr905(config)# ip default-gateway ip-address | Sets the default gateway for routing (typically, this is the CMTS). |
Step 14 | ubr905(config)# ip classless | (Optional) Enables the forwarding of packets that are destined for unrecognized subnets to the best supernet route. |
Step 15 | ubr905(config)# ip route 0.0.0.0 0.0.0.0 ip-address | (Optional) Establishes a static route so that all packets without an established route are forwarded to the default gateway (typically the ip-address should be the IP address for the CMTS), regardless of any routing metrics. |
Step 16 | ubr905(config-if)# Ctrl-z | Returns to privileged EXEC mode. |
Step 17 | ubr905# copy running-config startup-config | Saves the configuration to nonvolatile memory so that it will not be lost in the event of a reset, power cycle, or power outage. |
Step 18 | ubr905# show startup-config | Displays the configuration file that was just created. |
To verify that routing is enabled, enter the show startup-config command. The following example shows a sample configuration file for basic data-only routing mode; the relevant commands are shown in bold.
version 12.1 service config no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! clock timezone - 4 ip subnet-zero ! voice-port 0 ! voice-port 1 ! interface Ethernet0 ip address 172.16.0.1 255.255.0.0 no ip directed-broadcast ip rip send version 2 ip rip receive version 2 ! interface cable-modem0 ip address docsis no ip directed-broadcast ip rip send version 2 ip rip receive version 2 no cable-modem compliant bridge ! router rip version 2 network 10.0.0.0 network 172.16.0.0 ! ip classless no ip http server no service finger ! ! line con 0 transport input none line vty 0 4 ! end
 |
Note The above configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class A private network (10.0.0.0). |
When in routing mode, the Cisco uBR905 router can act as a DHCP server for the CPE devices it is connecting to the cable network. A service provider then does not have to be concerned about providing IP addresses to all of the PCs at a subscriber's site; instead, the provider supplies a pool of IP addresses that the Cisco uBR905 router then allocates to the PCs as needed.
|
Note The Cisco uBR905 router must be configured for routing mode to act as a DHCP server. If in bridging mode, you can configure the router to proxy DHCP client requests to the DHCP server at the headend by giving the cable-modem helper-address dhcp-server-ip-address host interface configuration command. (The ip helper-address and ip forward-protocol interface configuration commands can also be used for this purpose.) |
To configure the Cisco uBR905 router to act as a DHCP server, log in to the router, enter global configuration mode, and enter the following commands:
| Command | Purpose | |
|---|---|---|
Step 1 | ubr905(config)# ip dhcp pool pool-name | Creates an address pool for the DHCP server named pool-name and enters DHCP configuration mode. |
Step 2 | ubr905(config-dhcp)# network IP-network-number subnet-mask | Specifies the network number and subnet mask for the IP address pool. These IP addresses should be part of the subnet provided by the CMTS cable interface. For example, network 10.17.91.0 255.255.255.0 reserves the IP addresses 10.17.91.1-10.17.91.254 for CPE devices. |
Step 3 | ubr905(config-dhcp)# domain-name domain-name | Specifies the domain name to be assigned to CPE devices (for example, cisco.com). |
Step 4 | ubr905(config-dhcp)# dns-server ip-address | Specifies the IP address for the DNS server provided by the service provider that services the DNS requests from the CPE devices. More than one DNS server can be specified. |
Step 5 | ubr905(config-dhcp)# default-router ip-address | Specifies the IP address for the default router for the CPE devices (typically, this is the CMTS). More than one default router can be specified. |
Step 6 | ubr905(config-dhcp)# exit | Returns to global configuration mode. |
Step 7 | ubr905# show startup-config | Displays the configuration file that was just created. |
To verify that the DHCP server is enabled, enter the show startup-config command. The following example shows a sample configuration file for a Cisco uBR905 router acting as a DHCP server. The relevant commands are shown in bold.
version 12.1 service config no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! clock timezone - 4 ip subnet-zero ! ip dhcp pool Clients network 192.168.100.0 255.255.255.0 domain-name cisco.com dns-server 192.168.100.17 default-router 192.168.101.1 ! voice-port 0 ! voice-port 1 ! interface Ethernet0 ip address 192.168.100.1 255.255.0.0 no ip directed-broadcast ip rip send version 2 ip rip receive version 2 ! interface cable-modem0 ip address docsis no ip directed-broadcast ip rip send version 2 ip rip receive version 2 no cable-modem compliant bridge ! router rip version 2 network 10.0.0.0 network 192.168.100.0 ! ip classless no ip http server no service finger ! ! line con 0 transport input none line vty 0 4 ! end
|
Note The above configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class A private network (10.0.0.0). |
When using a Cisco IOS image that supports the Easy IP feature, the Cisco uBR905 router supports Network Address Translation (NAT) and Port Address Translation (PAT). This allows a private network that is connected to the router to use the same IP address when communicating through the cable interface to the Internet or other public networks.
When NAT/PAT are enabled on the Cisco uBR905 router, the "inside" network is the private network connected to the router's Ethernet interface, and the "outside" network is the network accessed through the cable network (such as the Internet or a company's larger network). The inside addresses are translated to an external IP address that is valid in the outside network.
|
Note NAT/PAT can be used in either DOCSIS-bridging or routing mode. |
The following commands show a typical configuration:
| Command | Purpose | |
|---|---|---|
Step 1 | ubr905(config)# ip nat inside source list list-id interface cable-modem0 overload | Enables translation of the inside source addresses—the "inside" addresses are translated before being presented to the "outside" network. The list-id specifies an access-list that defines the IP addresses that will be used, and overload specifies that multiple inside IP addresses can use the same outside IP address (but using different port numbers to unique identify each inside host). |
Step 2 | ubr905(config)# interface Ethernet0 | Enters interface configuration mode for the router's Ethernet interface. |
Step 3 | ubr905(config-if)# ip nat inside | Specifies that the Ethernet is the "inside" of the NAT/PAT translation. |
Step 4 | ubr905(config-if)# exit | Exits interface configuration mode. |
Step 5 | ubr905(config)# interface cable-modem0 | Enters interface configuration mode for the router's cable interface. |
Step 6 | ubr905(config-if)# ip nat outside | Specifies that the cable interface is the "outside" of the NAT/PAT translation. |
Step 7 | ubr905(config-if)# exit | Exits interface configuration mode. |
Step 8 | ubr905(config)# access-list list-id permit any | Creates the access list specified by the list-id parameter in the ip nat inside source command. (This particular example specifies that all IP addresses should be accepted; the filter can be as complex as needed to include or exclude any combination of IP addresses.) |
Step 9 | ubr905# copy running-config startup-config | Saves the configuration to nonvolatile memory so that it will not be lost in the event of a reset, power cycle, or power outage. |
Step 10 | ubr905# show startup-config | Displays the configuration file that was just created. |
|
Note Additional options, such as static IP address translation, are possible when using NAT/PAT. For more information about the Easy IP and NAT/PAT feature set, see the Dial-Related Addressing Services documentation, available on CCO and the Documentation CD-ROM. |
The following configuration shows an example of a Cisco uBR905 router in DOCSIS-bridging mode that performs NAT/PAT translation on all IP addresses connected to the router's Ethernet interface. The external IP address is overloaded so that multiple IP addresses on the internal network can use the same external IP address over the cable interface. Different port numbers are used to uniquely identify each device on the Ethernet interface. The relevant commands are shown in bold.
version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname uBR905 ! ! ip nat inside source list 1 interface cable-modem0 overload clock timezone - -4 ! ! interface Ethernet0 ip address 10.1.1.1 255.255.255.0 ip nat inside ! interface cable-modem0 ip address docsis ip nat outside no keepalive no cable-modem compliant bridge ! ip default-gateway 192.168.100.2 ip classless no ip http server no service finger ip route 0.0.0.0 0.0.0.0 192.168.100.2 access-list 1 permit any ! ! line con 0 line vty 0 4 login ! end
|
Note The above configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class C private network (192.168.100.0). |
IPsec encryption provides end-to-end encryption of IP traffic across unprotected public networks such as the Internet. To use IPsec, the Cisco uBR905 cable access router must meet the following prerequisites:
|
Note Images that support encryption are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States may require an export license. Contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com. |
|
Note The Cisco uBR905 cable access router does not support GRE IP tunnels. |
The configuration of the Cisco uBR905 router for IPsec encryption depends on the application involved, such as whether the IPsec encryption is part of a virtual private network (VPN) and whether the Cisco uBR905 router should encrypt traffic to one or more than one peer end-point. A technique that works well for a small network might not scale well for a large network. For example, using pre-shared authentication keys works for networks of up to 10 or so nodes, but larger networks should use RSA public key signatures and digital certificates.
|
Note For more information about IPsec, as well as related topics such as Internet Key Exchange (IKE), Internet Security Association Key Management Protocol/Oakley variation (ISAKMP/Oakley), and digital certificates, see the "Additional Documentation" section. |
To configure the Cisco uBR905 router for IPsec encryption with one peer router and pre-shared keys, enter the following commands:
| Command | Purpose | |||
|---|---|---|---|---|
Step 1 | ubr905(config)# crypto isakmp enable | Enables the use of ISAKMP/IKE on the Cisco uBR905 router. | ||
Step 2 | ubr905(config)# crypto isakmp policy priority-number | Creates an IKE policy with the specified priority-number (1-10000, where 1 is the highest priority) and enters ISAKMP policy configuration command mode. | ||
Step 3 | ubr905(config-isakmp)# encryption des | Specifies that 56-bit DES encryption is used to encrypt the data. | ||
Step 4 | ubr905(config-isakmp)# hash md5 | Specifies the MD5 (HMAC variant) hash algorithm for packet authentication. | ||
Step 5 | ubr905(config-isakmp)# group 1 | Specifies the 768-bit Diffie-Hellman group for key negotiation. | ||
Step 6 | ubr905(config-isakmp)# authentication pre-share | Specifies that the authentication keys are pre-shared, as opposed to dynamically negotiated using RSA public key signatures. | ||
Step 7 | ubr905(config-isakmp)# lifetime seconds | Defines how long each security association should exist before expiring (60 to 86,400 seconds). | ||
Step 8 | ubr905(config-isakmp)# exit | Exits ISAKMP policy configuration command mode. | ||
Step 9 | ubr905(config)# crypto isakmp key shared-key address ip-address | Specifies the pre-shared key that should be used with the peer at the specific IP address. The key can be any arbitrary alphanumeric key up to 128 characters long—the key is case-sensitive and must be entered identically on both routers.
| ||
Step 10 | ubr905(config)# crypto isakmp identity hostname | Sets the ISAKMP identity of the router to its host name concatenated with the domain name (for example, ubr905.cisco.com). | ||
Step 11 | ubr905(config)# crypto ipsec transform-set transform-set-name transform1 transform2 transform3 | Establishes the transform set to be used for IPsec encryption. As many as three transformations can be specified for a set, such as ah-md5-hmac esp-des esp-md5-hmac. | ||
Step 12 | ubr905(config)# crypto map crypto-map-name local-address cable-modem0 | Creates the specified crypto map and applies it to the cable interface. | ||
Step 13 | ubr905(config)# crypto map crypto-map-name 10 ipsec-isakmp | Creates a crypto map numbered 10 and enters the crypto map configuration mode. | ||
Step 14 | ubr905(config-crypto)# set peer ip-address | Identifies the IP address for the destination peer router. | ||
Step 15 | ubr905(config-crypto)# set transform-set transform-set-name | Sets the crypto map to use the transform set created previously. | ||
Step 16 | ubr905(config-crypto)# match address access-list-number | Sets the crypto map to use the access list that will specify the type of traffic to be encrypted.
| ||
Step 17 | ubr905(config-crypto)# exit | Exits crypto map configuration mode. | ||
Step 18 | ubr905(config)# int c 0 | Enters interface configuration mode for the cable interface. | ||
Step 19 | uBR905 (config-if)# crypto map crypto-map-name | Applies the crypto map created above to the cable interface. | ||
Step 20 | uBR905 (config-if)# access-list access-list-number permit ip host uBR905-ip-address peer-ip-address filter-mask | Creates an access list to identify the traffic that will be encrypted. (This should match the access list created above.) | ||
Step 21 | ubr905(config-if)# Ctrl-z | Returns to privileged EXEC mode. | ||
Step 22 | ubr905# copy running-config startup-config | Saves the configuration to nonvolatile memory so that it will not be lost in the event of a reset, power cycle, or power outage. | ||
Step 23 | ubr905# show startup-config | Displays the configuration file that was just created. |
|
Note To use IPsec encryption, the peer router must also be configured for IPsec encryption, using the identical parameters used on the Cisco uBR905 router. |
The following configuration shows a typical IPsec configuration using these parameters:
|
Note IPsec encryption on the Cisco uBR905 cable access router automatically uses the router's advanced hardware accelerator. |
IPsec-related commands are shown in bold.
version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! clock timezone - 0 6 ip subnet-zero no ip domain-lookup ! crypto isakmp policy 1 hash md5 authentication pre-share lifetime 5000 crypto isakmp key 1234567890 address 30.1.1.1 crypto isakmp identity hostname ! crypto ipsec transform-set test-transform ah-md5-hmac esp-des esp-md5-hmac ! crypto map test-ipsec local-address cable-modem0 crypto map test-ipsec 10 ipsec-isakmp set peer 30.1.1.1 set transform-set test-transform match address 200 ! interface Ethernet0 ip address 192.168.100.1 255.255.255.0 no ip directed-broadcast ! interface cable-modem0 ip address docsis no ip directed-broadcast no keepalive no cable-modem compliant bridge crypto map test-ipsec router rip version 2 network 10.0.0.0
network 192.168.100.0 ! ip classless no ip http server no service finger ! access-list 200 permit ip host 10.1.0.25 30.1.1.0 0.0.0.255 ! line con 0 exec-timeout 0 0 transport input none line vty 0 4 login ! end
|
Note The above configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class A private network (10.0.0.0). |
Establishing IPsec encryption between two or more end-points requires a thorough understanding of the Internet Key Exchange (IKE) mechanism, which is a form of the ISAKMP/Oakley (Internet Security Association Key Management Protocol) that is used for IPsec encryption. Digital certificates must also be understood if this mechanism is going to be used for authentication. Finally, if IPsec is used as part of a virtual private network (VPN), those concepts must also be understood.
For general information on these subjects, see the following information in the product literature and IP technical tips sections on CCO :
The following technical documents, available on CCO and the Documentation CD-ROM, also provide more in-depth configuration information:
|
Note Additional documentation on IPsec becomes available on CCO and the Documentation CD-ROM as new features and platforms are added. Cisco Press also publishes several books on this subject— go to http://www.cisco.com/cpress/home/home.htm for more information. |
The IPsec 3DES encryption feature set is identical to the IPsec encryption feature set except that it supports the 168-bit Triple DES (3DES) standard in addition to the standard 56-bit IPsec encryption. The 168-bit encryption feature set requires a Cisco IOS image that supports the 3DES feature set; this level of encryption provides a level of security suitable for highly sensitive and confidential information such as financial transactions and medical records.
|
Note Cisco IOS images with strong encryption (including, but not limited to, 168-bit [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States may require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, the purchaser or user must obtain local import and use authorizations for all encryption strengths. Contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com. |
Configuration for 3DES encryption is identical to that for standard IPsec, except that the transformation set should specify esp-3des instead of esp-des. For example, the following configuration is identical to the configuration shown in "IPsec (56-bit) Example" section, except for the line in bold:
version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! clock timezone - 0 6 ip subnet-zero no ip domain-lookup ! crypto isakmp policy 1 hash md5 authentication pre-share lifetime 5000 crypto isakmp key 1234567890 address 30.1.1.1 crypto isakmp identity hostname ! crypto ipsec transform-set test-transform ah-md5-hmac esp-3des esp-md5-hmac ! crypto map test-ipsec local-address cable-modem0 crypto map test-ipsec 10 ipsec-isakmp set peer 30.1.1.1 set transform-set test-transform match address 200 ! interface Ethernet0 ip address 192.168.100.1 255.255.255.0 no ip directed-broadcast ! interface cable-modem0 ip address docsis no ip directed-broadcast no keepalive no cable-modem compliant bridge crypto map test-ipsec router rip version 2 network 10.0.0.0
network 192.168.100.0 ! ip classless no ip http server no service finger ! access-list 200 permit ip host 10.1.0.25 30.1.1.0 0.0.0.255 ! line con 0 exec-timeout 0 0 transport input none line vty 0 4 login ! end
|
Note The previous configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class A private network (10.0.0.0). |
When the Cisco uBR905 router is using a software image that supports the Layer 2 Tunnel Protocol (L2TP), the router can function as an L2TP network server (LNS), which is one part of a virtual private dialup network (VPDN). In this configuration, the router creates a secure connection with another router that is functioning as an L2TP access concentrator (LAC). Traffic that is sent between the two routers is protected from interception or modification, even when it travels across public networks such as the Internet.
|
Note The computer connected to the Cisco uBR905 router must be running software, such as Windows 98, that supports VPDN connections. |
Configuration of a VPDN can be very complex, depending on the networks being used and how many peer devices will be establishing VPDN connections. The following table shows the minimum configuration needed for a typical VPDN configuration on a Cisco uBR905 router using the L2TP protocol (the LAC must be similarly configured).
|
Note The Cisco uBR905 cable access router does not support GRE IP tunnels. |
| Command | Purpose | |
|---|---|---|
Step 1 | ubr905(config)# vpdn enable | Enables VPDN services so that the router will look for tunnel definitions. |
Step 2 | ubr905(config)# vpdn-group 1 | Creates a unique VPDN group (1-3000) to which VPDN attributes can be assigned, and enter VPDN configuration mode. |
Step 3 | ubr905(config-vpdn)# accept dialin l2tp virtual-template 1 remote L2TP_LAC | Configures the VPDN group to accept a incoming request using the L2TP protocol from the remote peer named L2TP_LAC. |
Step 4 | ubr905(config-vpdn)# l2tp ip tos reflect | (Optional) Preserves the type of service (TOS) bits in the original packets. |
Step 5 | ubr905(config-vpdn)# exit | Returns to global configuration mode. |
Step 6 | ubr905(config)# no l2tp tunnel authentication | Disables L2TP tunnel authentication. |
Step 7 | ubr905(config)# interface Virtual-Template1 | Creates a virtual access interface from the virtual template and enters interface configuration mode. |
Step 8 | ubr905(config-if)# ip unnumbered Ethernet0 | Enables IP traffic on the virtual access interface without requiring a specific IP address for the interface. |
Step 9 | ubr905(config-if)# no ip directed-broadcast | Disables the forwarding of directed broadcasts on this interface to prevent some common hacker attacks. |
Step 10 | ubr905(config-if)# peer default ip address pool dialup | Obtains an IP address from the default dialup IP address pool. |
Step 11 | ubr905(config-if)# ppp authentication chap | Enables the Challenge Handshake Authentication Protocol (CHAP) on the interface to allow verification of the remote end. |
Step 12 | ubr905(config-if)# Ctrl-z | Returns to privileged EXEC mode. |
Step 13 | ubr905# copy running-config startup-config | Saves the configuration to nonvolatile memory so that it is not lost in the event of a reset, power cycle, or power outage. |
Step 14 | ubr905# show startup-config | Displays the configuration file that was just created. |
|
Note For more details on the L2TP feature, see the Layer 2 Tunnel Protocol and L2TP Dialout feature modules, available on CCO and the Documentation CD-ROM. |
The following example shows a sample configuration for the Cisco uBR905 router acting as the LNS. The relevant commands are in bold.
version 12.1 no service pad service timestamps debug uptime service timestamps log uptime ! hostname Router ! class-map class-default match any ! ! clock timezone - 0 1 ip subnet-zero ip tftp source-interface cable-modem0 no ip domain-lookup ! vpdn enable ! vpdn-group 1 accept dialin l2tp virtual-template 1 remote L2TP_LAC no l2tp tunnel authentication ! ! interface Ethernet0 ip address 192.168.100.1 255.255.255.0 no ip directed-broadcast ! interface Virtual-Template1 ip unnumbered Ethernet0 no ip directed-broadcast peer default ip address pool dialup ppp authentication chap ! interface cable-modem0 ip address docsis no ip directed-broadcast no cable-modem compliant bridge ! router rip version 2 network 10.0.0.0 network 192.168.100.0 ! ip local pool dialup 192.168.100.100 ip classless no ip http server no service finger ! line con 0 transport input none line vty 0 4 login ! end
|
Note This configuration assumes that the DHCP server assigns an IP address to the cable interface that is in the class A private network (10.0.0.0). |
Posted: Fri Sep 15 15:12:49 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.