Cisco 870 DMZ

Mission: establish one of my Cisco 870 ports as a DMZ port.

The above is what I am trying to accomplish. This is a quote from Cisco's web site regarding the Cisco 870: "Allows multiple devices to be connected in a small office, with the ability to designate a port as network DMZ." How is this accomplished? I have been poring over documentation concerning VLANs, but this seems much more involved than what I had in mind. Can't I just configure one port of the Cisco router to act as a DMZ? This sounds like a trivial task, but I cannot find any documentation that would lead me to believe what Cisco claims can be done can actually be done. Thanks for your help.

-Vincent

Reply to
Vincent

Try using the Security Device Manager (SDM) to configure DMZ port

Reply to
Merv

There is an option to select a DMZ interface via the Advanced Firewall Wizard in the SDM. However, the option is greyed out and I cannot select it. Any ideas?

-V

> Try using the Security Device Manager (SDM) to configure DMZ port

Reply to
Vincent

This is a guess & I could be wrong, but you may only be able to configure a DMZ with the Advanced IP Services IOS image. If that version isn't loaded on your router that may explain why it is unavailable to you.

Reply to
gray.wizard

On the 830 series there is a weird so called DMZ facility that allows a perfectly normal second internal network.

Ethernet 0 --> Switch ports Fa 1 - 3
Ethernet 2 --> Switch port Fa 4

This works OK.

The 870 has been brought into the fold though and is quite like say the 4500 switch/routers.

You use VLANs.

By default VLAN 1 is defined and all 4 LAN ports are in it.

To create a second internal subnet you could perhaps:-

Router# vlan database
 vlan 2 name YourName
 exit

Router# conf t
 int vlan 2
  ip address .....
 int fa 3
  sw mode access
  switchport access vlan 2
 end

Warning - I made the above up and have not tested it; it is, I think, along the right lines though.

Reply to
anybody43
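An added example, not from any poster in this thread: the second-VLAN approach sketched above, extended with an inbound ACL so the new port behaves as a DMZ rather than just a second internal subnet. The addresses (inside LAN 192.168.1.0/24 on Vlan1, DMZ 192.168.2.0/24 on Vlan2), the ACL name DMZ-IN and the choice of FastEthernet3 are assumptions, and, as the replies here note, a second VLAN on the 870 needs the Advanced IP Services image.

```cisco
! Constructed addressing: inside LAN 192.168.1.0/24 (Vlan1),
! DMZ 192.168.2.0/24 (Vlan2), DMZ host cabled to FastEthernet3.
!
! 1. Create the VLAN (exec mode)
Router# vlan database
Router(vlan)# vlan 2 name DMZ
Router(vlan)# exit
!
! 2. Configuration mode
Router# configure terminal
!
! ACL applied to traffic arriving FROM the DMZ (name DMZ-IN is an assumption)
ip access-list extended DMZ-IN
 remark Replies to TCP sessions that inside hosts opened toward the DMZ
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 established
 remark DMZ hosts may not initiate anything toward the inside LAN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 remark Everything else sourced from the DMZ subnet (Internet-bound)
 permit ip 192.168.2.0 0.0.0.255 any
 remark Spoofed or unexpected sources on the DMZ port
 deny   ip any any log
!
! Layer-3 interface for the DMZ subnet
interface Vlan2
 description DMZ
 ip address 192.168.2.1 255.255.255.0
 ip access-group DMZ-IN in
 no shutdown
!
! Move one switch port out of VLAN 1 and into the DMZ VLAN
interface FastEthernet3
 description DMZ port
 switchport mode access
 switchport access vlan 2
 no shutdown
!
end
!
! 3. Check the result
Router# show ip interface Vlan2
Router# show access-lists DMZ-IN
```

The `established` entry is stateless and covers TCP only, so UDP replies from DMZ hosts to inside clients are dropped by the `deny` that follows it. NAT and the WAN interface are left as already configured.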

Yep, you're exactly right and that's what I was basing my reply on. Unless you use the more featureful Advanced IP Services IOS image you are limited to one VLAN on the 870 series.

Reply to
gray.wizard

You guys are exactly right. After doing some more searching, I found that you do indeed require the Advanced IP Services IOS. In addition, you require 24 MB of flash memory. This is 4 MB more than is provided by default. Something seems amiss about this, but oh well. Thanks.

-V

Reply to
Vincent

No...you've got your numbers twisted. The Advanced IP Services IOS requires 28 MB of flash which is 4 MB more than is provided by default. If you purchase your router with the Advanced IP Services IOS then the router will come with the extra flash memory.

However, the 870 series of routers are odd little birds. The flash memory is split between the mainboard and an Intel StrataFlash flash card. There is 20 MB on the mainboard & 4 MB on a card in the stock configuration. Therefore, if you wish to upgrade to 28 MB you will need to buy an 8 MB StrataFlash card as you will have to take out the 4 MB card and replace it with the new one.

My advice is if you are going to stick with this router for a long while don't upgrade your flash with anything less than a 16 MB StrataFlash card. It'd be silly to buy an 8 MB card now & then have to buy a larger card later when the IOS images grow larger than what can be contained in 28 MB.

Some people were having great luck running some of the earlier versions of the Advanced IP Services image on the stock 24 MB configuration, but I don't think that's possible with the latest images as the file size took a pretty big jump with the 12.4.6 and 12.4.9 releases.

While we're on the subject of 870 series memory I may as well warn you about the caveat when it comes to upgrading the RAM as well. If you upgrade the RAM on the unit make sure you buy a low-profile memory module or you won't be able to close the case back up.

Reply to
gray.wizard

Thanks, that is interesting.

Also, if you did not need/want the SDM thingy, 12.4.9T Advanced IP services is only about 16M.

Reply to
anybody43

With the newer versions of SDM one can run it completely on a Windows PC and not have anything SDM-related on the router at all.

Reply to
gray.wizard
