Cisco 870 Reference Configuration

The Cisco 870-Series Integrated Services Router is ancient by today’s standards. However, it is a good lab platform as it supports most routing functions in a small form factor.

It has a special place in my lab as one of my first Enterprise-grade routers/firewalls for my lab.

It should be noted that while the ISR platform is capable of doing nearly everything, nearly everything is also handled by the CPU. The CPU in the 870 is a Motorola MPC8272 running at 266 MHz, and with most features disabled it will top out around 35 Mb/s.

Below is a reference configuration for the Cisco 870 Integrated Services Router (ISR) that uses Context-Based Access Control (CBAC) through IP Inspect. Because the configuration relies on upstream DHCP, the Outside-In ACL permits the BOOTPC response from the DHCP server.

version 15.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Cisco-Example
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.151-4.M6.bin
boot-end-marker
!
logging buffered 16384
enable secret 0 super-secret-password
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local 
!
aaa session-id common
!
clock timezone PST -8 0
clock summer-time PDT recurring
clock save interval 8
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip cef
!
ip inspect name Outside-Out tcp router-traffic
ip inspect name Outside-Out udp router-traffic
ip inspect name Outside-Out icmp router-traffic
!
ip domain name davissystem.net
ip name-server 1.1.1.1
ip name-server 1.0.0.1
no ipv6 cef
!
multilink bundle-name authenticated
!
spanning-tree portfast bpduguard
spanning-tree vlan 1 priority 0
username admin privilege 15 secret 0 super-secret-password
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip access-group Outside-In in
 ip nat outside
 ip inspect Outside-Out out
 ip virtual-reassembly in
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no autostate
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list RFC1918 interface FastEthernet4 overload
!
ip access-list standard RFC1918
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list extended Outside-In
 permit udp any any eq bootpc
 deny   ip any any log
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
ntp server 1.us.pool.ntp.org
ntp server 0.us.pool.ntp.org
ntp server 2.us.pool.ntp.org
end
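
The NAT source list depends on IOS wildcard masks, which are easy to mistype and fail silently. The following check is an added example, not part of the original configuration: it parses a named standard ACL and flags permit entries that are not exactly one RFC 1918 block. The function names are hypothetical and the sample ACL text is constructed for illustration.

```python
from ipaddress import IPv4Address, ip_network

# RFC 1918 private blocks that the NAT source list is meant to cover.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the second entry carries a mistyped base and wildcard.
SAMPLE = """\
ip access-list standard RFC1918
 permit 10.0.0.0 0.255.255.255
 permit 172.0.0.0 0.240.255.255
 permit 192.168.0.0 0.0.255.255
!
"""

def to_int(dotted):
    return int(IPv4Address(dotted))

def parse_standard_acl(text, name):
    """Return [(base, wildcard)] for 'permit <address> <wildcard>' lines of one ACL."""
    entries, inside = [], False
    for line in text.splitlines():
        if not line.startswith(" "):          # any top-level line ends the ACL body
            inside = line.split() == ["ip", "access-list", "standard", name]
        elif inside:
            parts = line.split()
            if len(parts) == 3 and parts[0] == "permit":
                entries.append((to_int(parts[1]), to_int(parts[2])))
    return entries

def ace_matches(base, wildcard, addr):
    """IOS semantics: bits set in the wildcard are ignored, the rest must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def audit(entries):
    """List permit entries that are not exactly one RFC 1918 block."""
    findings = []
    for base, wc in entries:
        text = f"{IPv4Address(base)} {IPv4Address(wc)}"
        if wc & (wc + 1):                      # not of the form 0...01...1
            findings.append(f"{text}: non-contiguous wildcard")
            continue
        net = ip_network((base & ~wc & 0xFFFFFFFF, 32 - wc.bit_length()))
        if net not in RFC1918:
            findings.append(f"{text}: {net} is not an RFC 1918 block")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_standard_acl(SAMPLE, "RFC1918"))))
```

With the constructed entry, `ace_matches` shows the practical effect: 172.16.0.1 and the public address 172.32.0.1 both match, while the private address 172.17.0.1 does not and would leave the router untranslated.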

DavisSystem

Consolidated Notes From the Desk of Sean Davis.


Reference Configuration for the Cisco 870 ISR

By Sean, 2024-10-18