Thread: How to Configure Cisco 2500 Series routers

  1. #1
    Join Date
    Sep 2005
    Posts
    193

    How to Configure Cisco 2500 Series routers

    Cisco routers are highly reliable equipment and very easy to configure; in the author's opinion they are superior to their competitors, although they cost about 20% more than counterparts from other manufacturers in the class of switches and routers for medium-level managers.

    This article covers the logical division of the address block allocated by the ISP into subnets following the structure of the company's divisions, the configuration of a Cisco 2500 series router so that a small company can access the Internet over a synchronous channel of approx. 256K from the ISP, and IP packet filtering. Our router will use one serial port to connect to the ISP (Serial 0) and one Ethernet port (Ethernet 0) facing the company network, for which the ISP has allocated a network of 254 hosts.

    1. Initial configuration of a router.

    Cisco routers run a high-performance operating system called IOS, written from scratch, which is stored in non-volatile memory (flash). A typical 2500 series model has 1 Ethernet port, connected to a hub or switch on the network through an AUI->UTP transceiver, and two serial ports for connecting to wide-area channels (Serial 0, Serial 1). Interface names can be given as Ethernet0 or e 0. On a modular Catalyst switch the interface name gives the type of interface first, then the slot, and then the port.
    For example, the 2nd Ethernet port on the 3rd card is referred to as "e 3/2". In addition, there is a console port for configuring the router (connected to the serial port of your computer) and an additional AUX port for connecting a modem. A router can be configured through the console port, through the AUX port, or in a telnet session.
    Newer versions of IOS allow you to work with the router over an SSH session, but the first time the router is loaded it has to be configured via the console port. To do this, set the serial port speed to 9600 in the terminal program. Attach the console cable (supplied) to the router's CON port and the other end, through the adapter, to the PC, and you are at the Cisco router console. Then turn on the router and watch the bootstrap loader start first:

    System Bootstrap, Version 5.2 (8a), RELEASE SOFTWARE
    Copyright (c) 1986-1995 by cisco Systems
    2500 processor with 16384 Kbytes of main memory
    F3: 3268680 +81304 +204996 at 0x3000060
    Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
    cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706
    Then the boot loader loads the IOS operating system from flash:
    Cisco Internetwork Operating System Software
    IOS (tm) 3000 Software (IGS-IL), Version 11.0 (4), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1995 by cisco Systems, Inc.
    Compiled Mon 18-Dec-95 17:49 by alanyu
    Image text-base: 0x0301C8DC, data-base: 0x00001000
    cisco in 2500 (68030) processor (revision D) with 16380K/2048K bytes of memory.
    Processor board ID 02413443, with hardware revision 00000000
    Bridging software.
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    1 Ethernet / IEEE 802.3 interface.
    2 Serial network interfaces.
    32K bytes of non-volatile configuration memory.
    4096K bytes of processor board System flash (Read ONLY)
    Press RETURN to get started!
    Cisco Internetwork Operating System Software
    IOS (tm) 3000 Software (IGS-IL), Version 11.0 (4), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1995 by cisco Systems, Inc.
    Compiled Mon 18-Dec-95 17:49 by alanyu

    I must say that IOS can be loaded not only from flash, but also from the router's memory and from a TFTP server. Since this is the first boot of the router, we propose to go through the stages of configuring the router in the setup program (which runs automatically). As you can see below, the configuration process is sufficiently transparent and simple. Once you answer the questions, the program builds the config, writes it into NVRAM and then restarts. So, we begin configuring the interfaces in the setup program:

    --- System Configuration Dialog ---
    At any point you may enter a question mark '?' for help.
    Refer to the 'Getting Started' Guide for additional help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets'[]'.
    Would you like to enter the initial configuration dialog? [yes]: yes
    Review the list of interfaces on our router:
    First, would you like to see the current interface summary? [yes]:
    Any interface listed with OK? value "NO" does not have a valid configuration
    Interface IP-Address OK? Method Status Protocol
    Ethernet0 unassigned NO not set up up
    Serial0 unassigned NO not set down down
    Serial1 unassigned NO not set down down
    Configuring global parameters:
    The name of the router:
    Enter host name [Router]:
    Enter the so-called enable secret, the access password for configuring the router:
    The enable secret is a one-way cryptographic secret used
    instead of the enable password when it exists.
    Enter enable secret: s1
    Then enter the enable password (kept for compatibility with older versions of IOS):
    The enable password is used when there is no enable secret
    and when using older software and some boot images.
    Enter enable password: s2
    Enter a password for the virtual terminal:
    Enter virtual terminal password: s2
    Allow SNMP so that we can collect statistics:
    Configure SNMP Network Management? [yes]: yes
    Community string [public]: public1
    Our router supports only IP (not IPX), which we configure:
    Configure IP? [yes]: yes
    Since we use static routing with the ISP, we do not enable routing protocols:
    Configure IGRP routing? [yes]: no
    Configure RIP routing? [no]:
    Specify the IP address on the Ethernet interface, leaving the Serial 0 interface as unnumbered (we will deal with what this means later):
    Configuring interface parameters:
    Configuring interface Ethernet0:
    Is this interface in use? [yes]:
    Configure IP on this interface? [yes]:
    IP address for this interface: 172.18.5.254 255.255.0.0
    This is a figment of your imagination.

  2. #2
    Join Date
    Sep 2005
    Posts
    193

    Re: How to Configure Cisco 2500 Series routers

    2. IP addressing and subnetting

    The system administrator must navigate freely in IP addressing and know how to apply subnets in practice. A large ISP, in addition to securing the addressing resources of its network and customer base, controls the direction of traffic by dividing the network into subnets, and I must say that worldwide 80% of the installed routers are based on Cisco equipment. Let's get started. As you already know, the address of any computer connected to the Internet consists of two parts, the network address and the host address; for example, a full class C address of a host looks like this: 233.233.233.113, where 233.233.233 is the network address and 113 is the host address. Of course, the router works with addresses in binary representation (hence the number "2"), as discussed below. A full IP address occupies 32 bytes, or 4 octets of 8 bits each. For example, the commonly used netmask 255.255.255.0 in binary looks as follows:

    11111111 11111111 11111111 00000000

    Converting addresses from binary to decimal is done by counting the significant (set to one) bits in each octet and adding the corresponding powers of two. For example, the number 255 is 2 to the eighth power, or an octet completely filled with ones (see above). The reverse process, converting addresses from decimal to binary, just requires remembering the significance of each bit in the decimal system; through a logical AND of the address and our template we obtain the binary representation.

    bit     7   6   5   4   3   2   1   0   (power of two)
    -----------------------------------------
    value 128  64  32  16   8   4   2   1   (2 to that power)

    The top line shows the numbering of bits in the octet, i.e. the power of two at each position, and the bottom line the value of two to that power. For example, take the address 233.233.233.111 and translate it into binary. 233 in the decimal system: the first byte, 233, is obtained as the sum of the following terms, which we pick from the bottom line:

    233 = 128+ 64 + 32 + 8 + 1

    where at the positions whose terms were used we write ones and at the remaining positions zeros, and get "11101001". The host address (last octet), decimal 113, expands as follows:

    64 + 32 + 16 + 1

    As a result, the full address will look like this:

    11101001 11101001 11101001 01110001

    The network address, depending on its first three bits, is divided into classes A, B and C, and the router uses the first bits to determine the class of the network, which speeds up routing. Below is a table of networks, where AAA is the network part of the address and HHH the host part.

    Network class A (the first bit "0"):

    AAA.HHH.HHH.HHH (AAA range from 1 to 127), for example: 63.12.122.12

    Network Class B (the first two bits 10):

    AAA.AAA.HHH.HHH (AAA range from 128 to 191), eg 160.12.234.12

    Network class C (the first three bits 110):

    AAA.AAA.AAA.HHH (AAA range from 192 to 223), for example 200.200.200.1

    Accordingly, the number of nodes in a class A network (16 777 214) is larger than in a class B network (65534), and a class C network can hold very few stations, 254 in total. Why not 256, you ask? Because the two addresses consisting of only zeros and only ones are reserved, so we subtract 2 from the number of addresses: 256-2 = 254. The same is true of network addresses: in class A you can create 128-1=127 networks, since the zero network address is used to specify a default route with static routing; class B networks can number 2 to the 14th power = 16384 (2 octets of 8 bits = 16 bits - 2 reserved leading bits = 14); and class C networks number 2 to the 21st power (3 octets of 8 bits = 24 bits - the first 3 reserved bits = 21).
    Another example. There is a netmask 255.255.224.0 and it should be represented in binary form. Remembering that 255 in binary notation is 8 ones, we write:

    11111111 11111111 ???????? 00000000

    The number 224 is expanded according to the template into the following terms:

    128 + 64 + 32 = 224; filling the positions whose terms we used with ones and the unused positions with zeros, we obtain the full mask in binary: 11111111 11111111 11100000 00000000

    Now let's return to understanding how subnets are formed, using a class C network as an example. The concept of a subnet is needed to save and clearly order the address space in the company: there is no need to give each department its own network of 256 hosts, and obtaining such networks from the ISP would be expensive. In addition, network traffic is reduced, because the router can now send packets directly to the correct subnet (a division of the company) rather than to the entire network.
    To divide a network into subnets, some bits of the address space that describe the host address are used with a subnet mask. For example, in a class C network we can use the last octet (8 bits), or rather part of it. Now let's take the logical structure of the company. The company has 10 divisions with no more than 12 computers in each department. For such a structure the subnet mask 255.255.255.240 is suitable. Why, you ask? If you write the mask in binary:

    11111111 11111111 11111111 11110000

    We see that the last octet consists of 4 ones and 4 zeros. Since 4 bits are taken from the network address for the subnet mask, we are left with 2 to the 4th power addresses (2^4 addresses). But since the RFC does not recommend using the all-zero address and the all-ones address, from the 16 addresses we subtract 2 addresses = 14 addresses in each subnet. Similarly, we can calculate the number of subnets:
    2 to the 4th power = 16 - 2 reserved addresses = 14 subnets in total.
    Using this technique, we can lay out the address space according to the company structure; in our case each department will have up to 14 addresses with a mask of 255.255.255.240, with up to 14 divisions. But the system administrator must also know the range of addresses assigned to each department. This is found by subtracting the first subnet (16) from the subnet number 256, i.e. 256-16=240, 240-16=224, ... and so on until you have a number less than 16. The valid host addresses lie in the ranges between subnets, as in the table below:

    Subnet 16 (17-30)
    Subnet 32 (33-46)
    Subnet 48 (49-62)
    Subnet 64 (65 -..)
    ...
    ...
    Subnet 224 (225-238)

    In the first subnet, 16, you can see that the range of addresses lies within the boundaries 17 to 30. The address "31" (more exactly, the part of the address excluding the subnet bits) consists of ones (using the last 4 bits for the host address we get the broadcast address) and we cannot use it; the number 31 in binary = 00011111. Always convert numbers between number systems carefully, or using the tables, because a router that receives the wrong mask or host address will not be able to deliver packets back to the host. So in the first subnet we can place the secretariat division, where each host must have a subnet mask of 255.255.255.240. When working with routers, you should note that using the zero subnet with mask 255.255.255.128 is not recommended by the RFC, but you can solve this problem by entering ip classless in the global configuration of the router.
    This is a figment of your imagination.
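The binary conversion and the subnet table from this post, worked in code. This is an added example and not part of the post; it uses Python's standard ipaddress module on the post's own network (200.200.200.0 with mask 255.255.255.240) and drops the all-zero and all-ones subnets exactly as the post's "16 - 2 = 14" rule does.

```python
from ipaddress import IPv4Address, IPv4Network


def to_binary(dotted):
    """Dotted quad as four 8-bit groups, the notation the post uses."""
    return " ".join(f"{int(octet):08b}" for octet in dotted.split("."))


def from_terms(*powers):
    """Sum of powers of two, e.g. from_terms(7, 6, 5, 3, 0) == 233, together
    with the 8-bit string that has ones at exactly those positions."""
    value = sum(1 << p for p in powers)
    return value, f"{value:08b}"


def wildcard(mask):
    """Cisco wildcard mask (used in access lists): bitwise inverse of the mask."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def subnet_of(host, mask):
    """Subnet a host belongs to: host AND mask, the check a router performs."""
    return str(IPv4Address(int(IPv4Address(host)) & int(IPv4Address(mask))))


def subnet_table(network, mask, skip_zero_and_ones=True):
    """Enumerate the subnets of `network` under `mask` with the usable host
    range and broadcast of each. With skip_zero_and_ones=True the all-zero and
    all-ones subnets are left out, as in the post's '16 - 2 = 14 subnets'."""
    prefix = IPv4Network(f"0.0.0.0/{mask}").prefixlen
    subnets = list(IPv4Network(network).subnets(new_prefix=prefix))
    if skip_zero_and_ones:
        subnets = subnets[1:-1]
    rows = []
    for sub in subnets:
        hosts = list(sub.hosts())  # excludes network and broadcast addresses
        rows.append({"subnet": str(sub.network_address),
                     "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
                     "broadcast": str(sub.broadcast_address), "usable": len(hosts)})
    return rows


if __name__ == "__main__":
    print(to_binary("255.255.255.240"))
    print(from_terms(7, 6, 5, 3, 0))  # the post's 233 = 128+64+32+8+1
    for row in subnet_table("200.200.200.0/24", "255.255.255.240"):
        print(f"Subnet {row['subnet']} ({row['first_host']}-{row['last_host']}), "
              f"broadcast {row['broadcast']}")
    print(subnet_of("200.200.200.50", "255.255.255.240"), wildcard("255.255.255.240"))
```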

  3. #3
    Join Date
    Sep 2005
    Posts
    193

    Re: How to Configure Cisco 2500 Series routers

    3. Create access lists (ACL)

    Access lists on a Cisco router work and are built like the filtering rules in the popular IPFW or IPF on FreeBSD. The rules are read in sequence, and as soon as a packet matches a rule its fate is determined by that rule. You can create access lists in the global config (command access-list) and then bind a list to any interface. You can create the following access lists:

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# access-list ?
    <1-99> IP standard access list
    <100-199> IP extended access list
    <1100-1199> Extended 48-bit MAC address access list
    <200-299> Protocol type-code access list
    <700-799> 48-bit MAC address access list


    Let us consider, line by line, the example of a list that permits the SMTP protocol to all employees of the company:

    We take an arbitrary extended list number, 110:
    Router(config)# access-list 110 ?
    deny Specify packets to reject
    permit Specify packets to forward

    Permit the passage of packets:
    Router(config)# access-list 110 permit ?
    <0-255> An IP protocol number
    eigrp Cisco's EIGRP routing protocol
    gre Cisco's GRE tunneling
    icmp Internet Control Message Protocol
    igmp Internet Gateway Message Protocol
    igrp Cisco's IGRP routing protocol
    ip Any Internet Protocol
    ipinip IP in IP tunneling
    nos KA9Q NOS compatible IP over IP tunneling
    ospf OSPF routing protocol
    tcp Transmission Control Protocol
    udp User Datagram Protocol

    Enter the protocol:
    Router(config)# access-list 110 permit tcp ?
    A.B.C.D Source address
    any Any source host
    host A single source host

    Enter the source address (in our example "any" means any host or network):
    Router(config)# access-list 110 permit tcp any ?
    A.B.C.D Destination address
    any Any destination host
    eq Match only packets on a given port number
    gt Match only packets with a greater port number
    host A single destination host
    lt Match only packets with a lower port number
    neq Match only packets not on a given port number
    range Match only packets in the range of port numbers

    Enter the destination address:
    Router(config)# access-list 110 permit tcp any any ?
    eq Match only packets on a given port number
    established Match established connections
    gt Match only packets with a greater port number
    log Log matches against this entry
    lt Match only packets with a lower port number
    neq Match only packets not on a given port number
    precedence Match packets with given precedence value
    range Match only packets in the range of port numbers
    tos Match packets with given TOS value


    Indicate that we want only one criterion, a port number equal to smtp (eq):
    Router(config)# access-list 110 permit tcp any any eq ?
    <0-65535> Port number
    bgp Border Gateway Protocol (179)
    chargen Character generator (19)
    cmd Remote commands (rcmd, 514)
    daytime Daytime (13)
    discard Discard (9)
    domain Domain Name Service (53)
    echo Echo (7)
    exec Exec (rsh, 512)
    finger Finger (79)
    ftp File Transfer Protocol (21)
    ftp-data FTP data connections (used infrequently, 20)
    gopher Gopher (70)
    hostname NIC hostname server (101)
    irc Internet Relay Chat (194)
    klogin Kerberos login (543)
    kshell Kerberos shell (544)
    login Login (rlogin, 513)
    lpd Printer service (515)
    nntp Network News Transport Protocol (119)
    pop2 Post Office Protocol v2 (109)
    pop3 Post Office Protocol v3 (110)
    smtp Simple Mail Transport Protocol (25)
    sunrpc Sun Remote Procedure Call (111)
    syslog Syslog (514)
    tacacs TAC Access Control System (49)
    talk Talk (517)
    telnet Telnet (23)
    time Time (37)
    uucp Unix-to-Unix Copy Program (540)
    whois Nicname (43)
    www World Wide Web (HTTP, 80)

    And enter the port smtp (you can also enter 25):
    Router(config)# access-list 110 permit tcp any any eq smtp
    Now enter the remaining lines of the access list for our tasks.
    Allow the company's employees to work with POP3 servers:
    access-list 110 permit tcp any any eq pop3
    Allow access to our proxy server (200.200.200.2) on port 8080:
    access-list 120 permit tcp 200.200.200.0 0.0.0.255 host 200.200.200.2 eq 8080
    access-list 110 permit tcp host 200.200.200.2 any


    On our proxy server we configure Squid to cache staff requests for the FTP and HTTP protocols, but we do not give employees direct access to WWW servers. Allow all traffic on the local network (a standard access list, which takes only a source):

    access-list 10 permit 200.200.200.0 0.0.0.255


    If you need to separate access between departments of the company, you can use a subnet mask to handle traffic on the local network; for example, access to the accounting server 200.200.200.50 should be restricted to the accounting department (200.200.200.48 255.255.255.240) and the company management (200.200.200.224 255.255.255.240). The wildcard mask is the inverse of the subnet mask, so 255.255.255.240 becomes 0.0.0.15:

    access-list 110 permit ip 200.200.200.48 0.0.0.15 200.200.200.224 0.0.0.15

    If you plan to limit traffic by means of the servers themselves, you have to allow all IP traffic on the local network (using a standard access list):

    access-list 10 permit 200.200.200.0 0.0.0.255

    Once you have mastered access lists and completed the access-list entries, you should bind them to the interface, in our case Ethernet 0:

    Router# configure terminal
    Router(config)# int e0
    ! Allow incoming traffic to the proxy server
    Router(config-if)# ip access-group 120 in
    ! Allow outgoing traffic from the proxy server
    Router(config-if)# ip access-group 110 in
    ! Allow all local traffic
    Router(config-if)# ip access-group 10 in
    ! Note: IOS binds a single access-group per direction on an interface, so each
    ! command above replaces the previous one; only the last list (10) stays bound.
    Router(config-if)# end
    Router# wr mem


    As you noticed, the filtering rules we specified are applied on the e0 interface to all incoming packets.
    This is a figment of your imagination.
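A small evaluator for the numbered IP access lists built in this post, with Cisco semantics: entries tested in order, first match wins, implicit deny at the end, and a 1 bit in the wildcard meaning "don't care". This is an added example, not code from the post; it re-reads the post's list 110 and checks what the accounting rule actually permits with the wildcard 0.0.0.15 (the inverse of 255.255.255.240) versus the easy slip 0.0.0.240.

```python
from ipaddress import IPv4Address

# Port and protocol keywords used in the post's entries (a subset of IOS's table).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23, "domain": 53}
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}  # None = any IP protocol


def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'.
    Returns ((base, wildcard), remaining tokens); 'any' is 0.0.0.0 255.255.255.255."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (extended list)."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("only extended IP lists (100-199) are handled: " + line)
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"list": int(t[1]), "permit": t[2] == "permit",
            "proto": PROTO_NAMES[t[3]], "src": src, "dst": dst, "dport": dport}


def addr_matches(spec, addr):
    """Cisco wildcard test: bits set in the wildcard are ignored in the compare."""
    base, wild = spec
    return (int(IPv4Address(addr)) & ~wild) == (base & ~wild)


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the list in order; the first match decides. Returns (verdict, index),
    index None meaning the implicit 'deny any any' at the end of every ACL."""
    for i, e in enumerate(acl):
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if not (addr_matches(e["src"], src) and addr_matches(e["dst"], dst)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return ("permit" if e["permit"] else "deny"), i
    return "deny", None


# The three entries of list 110 as the post gives them.
ACL_110 = [parse_entry(ln) for ln in """
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp host 200.200.200.2 any
""".splitlines() if ln.strip()]


def hosts_permitted_by_accounting_rule(wildcard_mask):
    """Which hosts of 200.200.200.0/24 a single entry
    'permit ip 200.200.200.48 <wildcard_mask> 200.200.200.224 0.0.0.15'
    lets through to 200.200.200.230. With 0.0.0.15 that is .48-.63; with
    0.0.0.240 the low nibble is compared instead and .50 is not among them."""
    entry = parse_entry("access-list 110 permit ip 200.200.200.48 "
                        f"{wildcard_mask} 200.200.200.224 0.0.0.15")
    return [h for h in range(256)
            if evaluate([entry], 6, f"200.200.200.{h}", "200.200.200.230")[0] == "permit"]
```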

  4. #4
    Join Date
    Sep 2005
    Posts
    193

    Re: How to Configure Cisco 2500 Series routers

    4. Protecting access to the router

    Now we will deal with password-protecting access to the three external paths for configuring a router:

    - console router
    - additional ports for connecting a modem (AUX)
    - access to telnet session

    To protect access to the console, enter the router configuration mode:
    Router# config terminal
    and enter the commands that set the password:
    Router(config)# line console 0
    Router(config-line)# password your_password
    Router(config-line)# login
    Router(config-line)# end
    Router# wr mem

    Setting a password on the AUX port is done the same way:
    Router(config)# line aux 0
    Router(config-line)# password your_password
    Router(config-line)# login
    Router(config-line)# end
    Router# wr mem

    And finally the password for telnet sessions:
    Router(config)# line vty 0 4
    Router(config-line)# password your_password
    Router(config-line)# login
    Router(config-line)# end
    Router# wr mem


    Note that when you set the password for telnet sessions, you also specify the number of allowed sessions, 4. When attempting to gain access to the router by any of the above methods you will receive a prompt of this kind: "Enter password:". With a large number of routers, use AAA accounting to set up a single sign-on mechanism for all devices; create a user with the command:

    Router(config)# username vasya password pipkin_password
    Router(config)# exit
    Router# wr term

    As the show config command shows, our password is encrypted and difficult to decode:
    username alfred password 7 737192826282927612
    Then enable AAA accounting in the global config:
    aaa new-model
    aaa authentication login default local
    aaa authentication login CONSOLE none
    aaa authorization exec local if-authenticated

    Then configure the AUX, console and telnet lines to get the following result in the config file:
    line con 0
    login authentication CONSOLE
    line aux 0
    transport input none
    line vty 0 4

    ! Now when you try to log in we get the following prompt (the password is not displayed):
    User Access Verification
    Username: alfred
    Password:
    Router>


    5. Collecting statistics from the router

    To do this you need any UNIX host with the MRTG package installed; create the MRTG configuration file using cfgmaker:

    cfgmaker community_name@name_your_router,
    where the SNMP community_name (read-only mode) is the one you set on the router with the command:
    Router(config)# snmp-server community community_name RO
    and on the UNIX host you write the configuration file that the Perl script processes:
    Workdir: /usr/local/www/docs
    Interval: 5
    Refresh: 60
    WriteExpires: Yes
    Background[router.victim.com.1]: #CFCFCF
    Options[router.victim.com.1]: bits, growright
    Target[router.victim.com.1]: 1:community_name@victim.com
    MaxBytes[router.victim.com.1]: 1250000
    Title[router.victim.com.1]: router.victim.com: Ethernet0
    PageTop[router.victim.com.1]: <H1>Traffic Analysis for Ethernet0
    </H1>
    <TABLE>
    <TR><TD>System:</TD><TD>router.victim.com</TD></TR>
    <TR><TD>Maintainer:</TD><TD></TD></TR>
    <TR><TD>Interface:</TD><TD>Ethernet0 (1)</TD></TR>
    <TR><TD>IP:</TD><TD>router.victim.com (200.200.200.1)</TD></TR>
    <TR><TD>Max Speed:</TD>
    <TD>1250.0 kBytes/s (ethernetCsmacd)</TD></TR>
    </TABLE>
    ### Serial 0 ###
    Background[router.victim.com.2]: #CFCFCF
    Options[router.victim.com.2]: bits, growright
    Target[router.victim.com.2]: 2:community_name@victim.com
    MaxBytes[router.victim.com.2]: 8000
    Title[router.victim.com.2]: MTO 64K: Serial0
    PageTop[router.victim.com.2]: <H1>Traffic Analysis for Serial0
    </H1>
    <TABLE>
    <TR><TD>System:</TD><TD>router.victim.com</TD></TR>
    <TR><TD>Maintainer:</TD><TD></TD></TR>
    <TR><TD>Interface:</TD><TD>Serial0 (2)</TD></TR>
    <TR><TD>IP:</TD><TD>()</TD></TR>
    <TR><TD>Max Speed:</TD>
    <TD>8000.0 Bytes/s (propPointToPointSerial)</TD></TR>
    </TABLE>

    Every five minutes (from crond) it generates traffic reports in the directory /usr/local/www/data as HTML pages with graphs. You need to run an Apache WWW server on this host to publish the statistics on internal traffic on the Ethernet interface (router.victim.com.html) and traffic on the Serial 0 interface (router.victim.com.2.html).

    Conclusion

    Despite the seeming simplicity of the commands in EXEC mode, Cisco routers are a powerful tool for diagnosing faults in wide-area and local networks. Using debug (help is available with the command "debug ?") you can listen to traffic on the local network for any protocol supported by your version of IOS (IPX, IP, AppleTalk), or use cdp to obtain information about neighboring Cisco routers.
    This is a figment of your imagination.
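A check of the three access paths this post protects (console, AUX, vty), plus the enable secret, AAA method lists and SNMP community it configures, run over an IOS-style config. This is an added example, not code from the post; the sample config is constructed from the post's own snippets, with the enable-secret hash replaced by a placeholder.

```python
import re

# Constructed sample, assembled from the snippets in the post (not a real device).
SAMPLE_CONFIG = """\
hostname Router
enable secret 5 <hash-placeholder>
username alfred password 7 737192826282927612
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec local if-authenticated
snmp-server community public1 RO
line con 0
 login authentication CONSOLE
line aux 0
 transport input none
line vty 0 4
"""

LINES = ("line con 0", "line aux 0", "line vty 0 4")  # the three paths in the post


def parse_config(text):
    """Split an IOS config into global commands and 'line ...' sections
    (indented commands belong to the section opened just above them)."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text):
    """Return a list of findings (empty when every check passes)."""
    g, sections = parse_config(text)
    findings = []
    aaa = "aaa new-model" in g
    # AAA login method lists whose only method is 'none' ask for no credentials.
    none_lists = {m.group(1) for cmd in g
                  for m in [re.match(r"aaa authentication login (\S+) none$", cmd)] if m}
    if not any(cmd.startswith("enable secret") for cmd in g):
        findings.append("no 'enable secret' configured")
    for cmd in g:
        if re.match(r"username \S+ password ", cmd):
            findings.append(f"user '{cmd.split()[1]}': 'password' (type 7 or plain) is "
                            "reversible, use 'username ... secret'")
        m = re.match(r"snmp-server community (\S+)\s*(RW)?", cmd)
        if m and (m.group(2) == "RW" or m.group(1) == "public"):
            findings.append(f"SNMP community '{m.group(1)}': default name or read-write")
    for name in LINES:
        cmds = sections.get(name)
        if cmds is None:
            findings.append(f"{name}: not configured")
        elif "transport input none" in cmds:
            continue  # port closed entirely, nothing to authenticate
        elif aaa:
            m = next((re.match(r"login authentication (\S+)", c) for c in cmds
                      if c.startswith("login authentication ")), None)
            method = m.group(1) if m else "default"
            if method in none_lists:
                findings.append(f"{name}: AAA method list '{method}' is 'none' (no password)")
        elif "login" not in cmds or not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: needs both 'password' and 'login'")
    return findings
```

Run against the post's own configuration it reports the console method list `CONSOLE none` and the type 7 user password; the AUX line passes because `transport input none` closes it.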
