To show some different conditions, our connected Level3 router is also the BGP router, but Sprint BGP router has been located 3 hops away.

! We are starting with router command with our ASN like EIGRP/OSPF configuration
router bgp 6767
! We have one router in our case and we don’t need IGP / BGP synchronization it is default in newest IOSes
no synchronization
! To have some idea about our peering history we are recording events
bgp log-neighbor-changes
! We are announcing our network
network 193.93.93.0
! Our first neighbor is Sprint, we have to define neighbor ASN
neighbor 122.22.33.1 remote-as 1239
! Descriptions are always helpful
neighbor 122.22.33.1 description Sprint
! Our bgp neighbor in Sprint 3 hops away
neighbor 122.22.33.1 ebgp-multihop 3
! Sprint will use our Loopback IP (193.93.94.1) for us as the neighbor
neighbor 122.22.33.1 update-source Loopback 0
! If we have enough memory, we can prevent BGP session resets on inbound updates
neighbor 122.22.33.1 soft-reconfiguration inbound
! We won’t announce any network other than ourselves
neighbor 122.22.33.1 filter-list 1 out
! Now the Level 3
neighbor 111.11.11.1 remote-as 3356
neighbor 111.11.11.1 description LevelThree
neighbor 111.11.11.1 soft-reconfiguration inbound
neighbor 111.11.11.1 filter-list 1 out
no auto-summary
!
! Sprint BGP bridgehead is not directly connected to our router
! We must add necessary routing
ip route 122.22.33.1 255.255.255.255 122.22.22.1
!
! This filter means we are not announcing Sprint networks to Level3 or vice versa.
ip as-path access-list 1 permit ^$
!

In the end, if you are not on the middle of the Internet, BGP configuration is not a big issue.

The LAN connection is also redundant with two build-in Gigabit Ethernet interfaces. The good thing the GE 0/0 interface has SFP option. You can reach the far LAN Edge points on a Campus LAN. Another alternative is to use it for Metro Ethernet.

High capacity memory is another powerful feature of this router when compared with 2700 series routers. This router comes with 256 MB memory and you can upgrade it up to 1 GB. This really costs too much if you use original Cisco memory, but OEM alternatives exists in the market.

There is one integrated Virtual Private Network (VPN) Module. This module is added for the performance of encryption and not mandatory for VPN, but as Cisco says, it increases the speed 10 times. I did not use VPN on this router, but it looks capable of handling higher loads.

There are 4 HWIC slots and 4 NM slots. It has almost every kind of modules (Etherswitch, wireless controller, ATM, T1/E1, NAM !!! ,FXS,FXO etc.)

My Experience
I use one of these routers for the Internet access with Advanced Enterprise IOS. BGP running on it with full table, cef enabled, Reflexive IP access list exist on the router. I also use it as a router firewall (Security guys call it as choke point). The CPU utilization is just about %2 – 3. I have to accept that this router was a bit oversized for my needs. I could have saved $3,500 (from list prices) if I use Cisco 3825 router.

You have to ask below mentioned questions before decide to buy a Cisco 3845 Integrated Services Router.
- Do I need more than 256 MB memory?
- Do I have several voice clients?
- How much concurrent VPN connection is expected?
- Do I need speeds like E3/T3?
- Do I need different kind of functionalities on one router (e.g. Wireless, ATM, Etherswitch ports)?
It is waste to invest money unless your answers for more than two questions are in affirmative.

I had a chance to install a new Cisco 3845 with 1GB memory. Everything was fine except SSH access that I needed because of security policy. I searched the web and found “Configuring Secure Shell on Routers and Switches Running Cisco IOS” document on Cisco web site. It was a little bit different than current one. I made a configuration as explained, but it was not good enough and access to the router via SSH was not possible.

About one week later, I realized that

• SSH only supports authentication with username/password, but it does not support just access password like telnet
• So, I had to create a user and set a password with username command
• I had to enable aaa new-model OR issue login local command under line vty for username/password authentication.
• Also a hostname and a domain name were required to generate the keys, since router uses its FQDN as the label of the key pair.
• SSH is enabled by default and I do not need to enable it myself.

Necessary steps to enable SSH are mentioned below.

PRECONDITION: You need a K9 IOS (newer than 12.1) to enable SSH. Catalyst 2900 Series switches do not support SSH.

1) You MUST set a host name
hostname ciscolab

2) You MUST set a ip domain name
ip domain-name mydomain.com

3) You MUST enable aaa new-model OR set “login local” under vty configuration but not just “login”
aaa new-model

4) You MUST create a user
username sshtest password 0 sshpass

5) You MUST generate RSA keys
crypto key generate rsa

if you have RSA keys before you will receive a message, type yes
% You already have RSA keys defined named ciscolab.mydomain.com.
% Do you really want to replace them? [yes/no]: yes

it will ask for modulus size, 1024 is fine (it depends your security needs)
How many bits in the modulus [512]: 1024

6) You MUST set vty access method to all OR ssh (if you chose ssh telnet will be disabled)
line vty 0 4
  transport input ssh

7) By using SecureCRT (licensed) or Putty (free), chose SSH1 (SSH in Putty) for the protocol enter hostname or IP address and click connect (Open in Putty). It will ask for username and password. Do not touch the other settings, you do not need them.

If you are able to access your device with SSH and still have some other questions please have a look at Advanced SSH settings for Cisco IOS .