cisco router configuration AFNOG 2002 / track 2 # 1
Cisco Router Configuration Basics
router components
Like a computer, they are composed of:
Operating System - IOS
Micro Processor to run the IOS
RAM - main storage, dynamic configuration
NVRAM - to store instructions for performing the self test of the device, backup of config
Flash memory - erasable ROM, contains a copy of IOS
system startup
POST -> diagnostic on all ROM on all modules
configuration -> check and load IOS
load configuration files stored in NVRAM
overview
router configuration controls the operation of the router:
interface address and netmask
routing information (static or dynamic)
booting and startup information
security (passwords)
where is the configuration?
router always has two configurations:
running configuration - in RAM; determines how the router is currently operating; is changed by using the configuration command; to see it: show running
startup configuration - in NVRAM; determines how the router will operate after the next reload; is changed using the copy command; to see it: show startup
where is the configuration?
can also be stored in more permanent places:
external hosts, using TFTP to move it around
in flash memory in the router
copy command is used to move it around:
copy run start
copy run tftp
copy start tftp
copy tftp start
copy flash start
copy start flash
external Configuration Sources
Console/auxiliary port
virtual terminals - telnets
TFTP Server
Network Management Software
changing the configuration
configuration statements can be entered interactively - changes are made (almost) immediately, to the running configuration
can use direct serial connection to console port, or
telnet to vty’s (“virtual terminals”), or
modem connection to aux port
changing configuration
or, edited in a text file and uploaded to the router at a later time via tftp;
some configuration statements, especially access lists, are very difficult to work with interactively, so editing and uploading the file is the only practical way to work;
also allows version control and auditing changes
new router configuration process
load configuration parameters into RAM
personalize router identification
assign access passwords
configure interfaces
configure routing protocols
save configuration parameters to NVRAM
router modes
User EXEC mode - limited examination of router: Router>
Privileged EXEC mode - detailed examination of router, debugging, testing, file manipulation: Router#
ROM Monitor - useful for password recovery
Setup Mode
logging into the router
Connect to the router console port or telnet to the router:
router>          (USER MODE PROMPT)
router>enable
password
router#          (PRIVILEGED MODE PROMPT)
router#?
Configuring the router from the terminal (entering the commands directly):
router# configure terminal
router(config)#
configuring your router
Set the enable password:
router(config)# enable password t2@afnog
If you look at your config file, you will see that the enable password is displayed in clear text -- that is not safe, you have to encrypt it:
router(config)# service password-encryption
router(config)# enable secret "your pswd"    (MD5 encryption)
To configure an interface you should go to the interface config menu:
router(config)# interface ethernet0 (or 0/x)
router(config-if)#
Save your configuration:
router# copy running-config startup-config
configuring your router
configuration statements have different contexts:
global:
enable-password mysecret
interface:
interface ethernet0
ip address 169.222.1.45 255.255.255.0
router:
router ospf 1
network 169.222.31.0 0.0.0.255 area 0
line:
line vty 0 4
global configuration
global configuration statements are independent of any particular interface or routing protocol, e.g.:
hostname myrouter
enable-password mysecret
service password-encryption
logging facility local0
logging 169.222.31.42
global configuration
ip-specific global configuration statements:
ip classless
ip name-server 169.222.31.42
static route creation:
ip route 169.222.16.0 255.255.248.0 169.229.31.1
interface configuration
interfaces are named by type and position, e.g.:
ethernet0, ethernet1, ... ethernet5
serial0, serial1, ... serial3
and can be abbreviated:
ethernet0 or eth0 or e0
serial0 or ser0 or s0
interface configuration
ip address and netmask configuration, using interface commands (interactive configuration example, showing prompts):
router#configure terminal
router(config)#interface e0
router(config-if)#ip address 169.222.30.4 255.255.255.0
router(config-if)#no shutdown
router(config-if)#^Z
router#
interface configuration
administratively enable/disable the interface:
router(config-if)#no shutdown
router(config-if)#shutdown
description:
router(config-if)#description ethernet link to admin building router
Cisco global config should always include:
ip classless
ip subnet-zero
no ip domain-lookup
Cisco interface config should usually include:
no shutdown
no ip proxy-arp
no ip redirects
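The following Python script is an added example (not part of the AFNOG slides) that audits a running-config against the items on this slide: the three global statements that should always be present, the two per-interface `no ip ...` statements, and the password handling from the "configuring your router" slide. The sample config, the parser and the `audit_config` function are constructed for this demonstration; the sample deliberately follows the "new router configuration process" steps (hostname, passwords, interfaces, routing protocol) but leaves out several recommended lines. `no shutdown` is not checked because a running configuration shows only `shutdown` for administratively down interfaces, never `no shutdown`. `service password-encryption` produces the reversible type 7 encoding, which is why the audit still insists on an `enable secret` (MD5).

```python
"""Audit an IOS-style running-config for the baseline given on the slides.

Added example (not from the AFNOG slides): splits the config into global
statements and per-interface blocks, then reports missing hardening lines.
"""
import re

# Constructed sample running-config (not a real device).  It carries a
# clear-text 'enable password' and omits some of the recommended statements.
SAMPLE_RUNNING_CONFIG = """\
!
hostname hostel-rtr
!
enable password t2@afnog
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
 description ethernet link to admin building router
 ip address 169.222.30.4 255.255.255.0
 no ip redirects
!
interface Ethernet1
 ip address 169.222.31.33 255.255.255.224
 no ip redirects
 no ip proxy-arp
 shutdown
!
router ospf 1
 network 169.222.31.0 0.0.0.255 area 0
!
line vty 0 4
 password cisco
 login
!
end
"""

REQUIRED_GLOBAL = ("ip classless", "ip subnet-zero", "no ip domain-lookup")
REQUIRED_INTERFACE = ("no ip proxy-arp", "no ip redirects")


def parse_config(text):
    """Return (global statements, {interface name: [sub-mode statements]}).

    IOS indents sub-mode statements by one space; a non-indented line starts
    a new context.  Comment lines ('!') and 'end' are skipped.
    """
    globals_ = []
    interfaces = {}
    current = None                      # interface block being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or line == "end":
            continue
        if line.startswith(" "):
            if current is not None:     # sub-modes other than interface are not audited
                interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(line)
    return globals_, interfaces


def audit_config(text):
    """Return a list of findings (short strings) for the given config."""
    globals_, interfaces = parse_config(text)
    findings = []

    # 'enable secret' is MD5 (type 5); 'enable password' is clear text (type 0)
    # or, with 'service password-encryption', the reversible type 7 encoding.
    has_secret = any(g.startswith("enable secret") for g in globals_)
    has_password = any(g.startswith("enable password") for g in globals_)
    if has_password and not has_secret:
        findings.append("enable password set without enable secret: privilege password is recoverable")
    if not has_secret:
        findings.append("missing: enable secret")
    if "service password-encryption" not in globals_:
        findings.append("missing: service password-encryption (line passwords stored clear-text)")

    for stmt in REQUIRED_GLOBAL:
        if stmt not in globals_:
            findings.append(f"missing global: {stmt}")

    for name, stmts in interfaces.items():
        for stmt in REQUIRED_INTERFACE:
            if stmt not in stmts:
                findings.append(f"{name}: missing {stmt}")
        # 'no shutdown' is the default and is not displayed; only 'shutdown' is.
        if "shutdown" in stmts:
            findings.append(f"{name}: administratively shut down")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run against the sample it reports six findings; a config that carries all the listed statements and an `enable secret` produces none. The same parser can be pointed at the output of `copy run tftp` on the TFTP host to audit routers in bulk.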
looking at the configuration
use “show running-configuration” to see the current configuration
use “show startup-configuration” to see the configuration in NVRAM, that will be loaded the next time the router is rebooted or reloaded
interactive configuration
enter configuration mode, using “configure term”
prompt gives a hint about where you are:
router#configure term
router(config)#ip classless
router(config)#ip subnet-zero
router(config)#int e3
router(config-if)#ip addr 169.222.31.33 255.255.255.224
router(config-if)#no shut
router(config-if)#^Z
storing the configuration on a host
requires: ‘tftpd’ on a unix host; the destination file must exist before the file is written and must be world writable...
copy run tftp
router#copy run tftp
Remote host []? 169.222.31.42
Name of configuration file to write [hostel-rtr-confg]? /usr/local/tftpd/hostel-rtr-confg
Write file /usr/local/tftpd/hostel-rtr-confg on host 169.222.31.42? [confirm]
Building configuration...
Writing /usr/local/tftpd/hostel-rtr-confg !![OK]
restoring the configuration from a host
use ‘tftp’ to pull the file from the unix host, copying to the running config or startup:
router#copy tftp start
Address of remote host [255.255.255.255]? 169.222.31.42
Name of configuration file [hostel-rtr-confg]?
Configure using hostel-rtr-confg from 169.222.31.42? [confirm]
Loading hostel-rtr-confg from 169.222.31.42 (via Ethernet0): !
[OK - 1005/128975 bytes]
[OK]
hostel-rtr# reload
getting help
IOS has a built-in help facility; use “?” to get a list of possible configuration statements
“?” after the prompt lists all possible commands:
router#?
“<partial command> ?” lists all possible subcommands, e.g.:
router#show ?
router#show ip ?
getting help
“<partial command>?” shows all possible command completions:
router#con?
configure  connect
this is different:
hostel-rtr#conf ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>
getting help
this also works in configuration mode:
router(config)#ip a?
accounting-list  accounting-threshold  accounting-transits  address-pool  alias  as-path
router(config)#int e0
router(config-if)#ip a?
access-group  accounting  address
getting help
can “explore” a command to figure out the syntax:
router(config-if)#ip addr ?
  A.B.C.D  IP address
router(config-if)#ip addr 169.222.64.1 ?
  A.B.C.D  IP subnet mask
router(config-if)#ip addr 169.222.64.1 255.255.255.0 ?
  secondary  Make this IP address a secondary address
  <cr>
router(config-if)#ip addr 169.222.64.1 255.255.255.0
router(config-if)#
getting lazy help
TAB character will complete a partial word:
hostel-rtr(config)#int<TAB>
hostel-rtr(config)#interface et<TAB>
hostel-rtr(config)#interface ethernet 0
hostel-rtr(config-if)#ip add<TAB>
hostel-rtr(config-if)#ip address 169.222.64.1 255.255.255.0
not really necessary; partial commands can be used:
router#conf t
router(config)#int e0
router(config-if)#ip addr 169.222...
getting lazy
command history
IOS maintains short list of previously typed commands
up-arrow or ‘^p’ recalls previous command
down-arrow or ‘^n’ recalls next command
line editing
left-arrow, right-arrow moves cursor inside command
‘^d’ or backspace will delete character in front of cursor
Connecting your FreeBSD machine to the console
Connect your machine to the console port using the serial cable provided
look at /etc/remote to see the device configured to be used with "tip"; you will see at the end a line beginning with cuaa0c... (you can change it to cisco)
bash$ tip cuaa0c (or cisco)
router>
router>enable
router#
Exercise contd
look at your running configuration
Configure an IP address for e0/0 depending on your table - use 80.248.70.1 for table A etc
look at your running configuration and your startup configuration
what difference is there if any
using access lists
Access Control Lists are used to implement security in routers:
powerful tool for network control
filter packets flowing in or out of router interfaces
restrict network use by certain users or devices
deny or permit traffic
operate in sequential, logical order - top down
goes down the access list until a match is found
inherent deny at the bottom of every list
using access lists
Standard Access Lists (1 - 99):
simpler address specifications
generally permits or denies entire protocol suite
Extended Access Lists (100 - 199):
more complex address specification
generally permits or denies specific protocols
ACL format
Standard Access List Configuration format:
access-list access-list-number {permit | deny} source {source-mask}
ip access-group access-list-number {in | out}
Extended Access List Configuration format:
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask}
ip access-group access-list-number {in | out}
where to place IP access list
place standard access list close to destination
place extended access lists close to the source of the traffic you want to deny
using access lists
Router(config)#access-list access-list-number {permit|deny} {test conditions}
Router(config)#{protocol} access-group access-list-number
e.g. check for IP subnets 172.30.16.0 to 172.30.31.0:
172.30.16.0, third octet in binary: 0001 0000
wildcard mask for the third octet: 0000 1111 (0 = check, 1 = ignore): the first four bits are checked, the last four ignored
Address and Wildcard Mask: 172.30.16.0 0.0.15.255
wildcard bits indicate how to check the corresponding address bit: 0 = check, 1 = ignore
Matching Any IP Address: 0.0.0.0 255.255.255.255, or abbreviate the expression using the keyword any
Matching a specific host: 172.30.16.29 0.0.0.0, or abbreviate the wildcard using the IP address preceded by the keyword host
Permit telnet from my network only
access-list 1 permit 80.248.70.224 0.0.0.15
access-list 1 deny any
line vty 0 4
access-class 1 in
Standard Access Lists Example: Permit my network only
[network diagram: router with interfaces E0, E1 and S0; networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) and a non-172.16.0.0 network]
access-list 1 permit 172.16.0.0 0.0.255.255
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out
extended access lists example: Deny FTP for E0
[network diagram: router with interfaces E0, E1 and S0; networks 172.16.3.0 and 172.16.4.0 (host 172.16.4.13) and a non-172.16.0.0 network]
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
interface ethernet 0
ip access-group 101 out
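Worked example for the wildcard-mask and access-list material above (added here; not code from the AFNOG slides): a small Python evaluator that parses the slides' own `access-list` statements, matches addresses with wildcard masks, and walks each list top-down with the implicit deny at the end. The function names (`wildcard_match`, `wildcard_for_range`, `parse_acl`, `evaluate`) and the sample packets are constructed for this example; it covers only the ACL syntax the slides use (standard and extended numbered lists, `any`, `host`, `eq <port>`) and is meant for checking a list on paper before applying it with `ip access-group` or `access-class`.

```python
"""Evaluate Cisco IOS numbered access lists as the slides describe: top-down,
first match wins, implicit deny at the end.

Added example, not from the AFNOG slides.  Supports only the syntax used on
the slides: standard lists (1-99), extended lists (100-199), the protocols
'ip'/'tcp'/'udp', and the keywords any, host and 'eq <port>'.
"""
import ipaddress

# Constructed sample: the access lists from the slides in one config fragment.
SAMPLE_ACLS = """\
access-list 1 permit 80.248.70.224 0.0.0.15
access-list 1 deny any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
"""

ANY = ("0.0.0.0", "255.255.255.255")     # what the keyword 'any' expands to


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = the address bit must equal base, 1 = ignore that bit."""
    ignore = ip_to_int(wildcard)
    return (ip_to_int(addr) | ignore) == (ip_to_int(base) | ignore)


def wildcard_for_range(first, last):
    """Wildcard mask for an aligned block, e.g. 172.30.16.0 - 172.30.31.255
    gives 0.0.15.255 (the slides' worked example): the bits that differ
    between the two ends are exactly the bits to ignore."""
    return str(ipaddress.IPv4Address(ip_to_int(first) ^ ip_to_int(last)))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | 'A.B.C.D' at tokens[i].
    Returns ((base, wildcard), index of the next unread token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1           # bare address = single host


def parse_acl(config_text):
    """Return {list_number: [rule, ...]}, preserving the order of the lines."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0].lower() != "access-list":
            continue
        number = int(t[1])
        rule = {"action": t[2].lower(), "dst": ANY, "dport": None}
        if number <= 99:                            # standard list: source only
            rule["protocol"] = "ip"
            rule["src"], _ = _parse_addr(t, 3)
        else:                                       # extended list
            rule["protocol"] = t[3].lower()
            rule["src"], i = _parse_addr(t, 4)
            rule["dst"], i = _parse_addr(t, i)
            if i + 1 < len(t) and t[i] == "eq":
                rule["dport"] = int(t[i + 1])
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules, src, dst="0.0.0.0", protocol="ip", dport=None):
    """Walk the list top-down; the first matching rule decides.
    Returns (action, index of the matching rule), or ('deny', None) when the
    packet falls through to the implicit deny at the bottom of the list."""
    for idx, r in enumerate(rules):
        if r["protocol"] != "ip" and r["protocol"] != protocol:
            continue
        if not wildcard_match(src, *r["src"]):
            continue
        if not wildcard_match(dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], idx
    return "deny", None


if __name__ == "__main__":
    acls = parse_acl(SAMPLE_ACLS)
    print("wildcard for 172.30.16.0-172.30.31.255:", wildcard_for_range("172.30.16.0", "172.30.31.255"))
    print("vty from 80.248.70.230:", evaluate(acls[1], "80.248.70.230"))
    print("vty from 80.248.70.1:  ", evaluate(acls[1], "80.248.70.1"))
    print("FTP 172.16.4.13 -> 172.16.3.5:", evaluate(acls[101], "172.16.4.13", "172.16.3.5", "tcp", 21))
    print("telnet, same hosts:  ", evaluate(acls[101], "172.16.4.13", "172.16.3.5", "tcp", 23))
    print("from 172.16.3.9:     ", evaluate(acls[101], "172.16.3.9", "172.16.4.13", "tcp", 21))
```

The last probe shows why the implicit deny matters: list 101 never mentions 172.16.3.0 as a source, so anything from that network that is sent out E0 is dropped even though the list reads as "deny FTP, permit the rest".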