How to Configure Cisco 2500 Series routers
Cisco routers are highly reliable equipment and, in the author's opinion, very easy to configure and superior to their competitors, though they cost about 20% more than comparable switches and routers from other manufacturers in the mid-level class.
This article covers a logical division of the block of addresses allocated by the ISP into subnets following the structure of the company's divisions, the configuration of a Cisco 2500 series router to give a small company Internet access over a synchronous channel of approximately 256K from the ISP, and IP packet filtering. Our router will use one serial port to connect to the ISP (Serial 0) and one Ethernet port (Ethernet 0) facing the company network, for which the ISP has allocated a network of 254 hosts.
1. Initial configuration of a router.
Cisco routers run a high-performance operating system written from scratch, called IOS, which is stored in non-volatile memory (flash). A typical 2500 series model has one Ethernet port, connected to the hub or switch of the network through an AUI -> UTP transceiver, and two serial ports for connecting to WAN channels (Serial 0, Serial 1). Interface names can be given as Ethernet0 or e 0. A modular Catalyst switch names an interface by its type first, then the slot, then the port.
For example, the 2nd Ethernet port on the 3rd card is referred to as "e 3/2". In addition, there is a console port for configuring the router (connected to the serial port of your computer) and an additional AUX port for connecting a modem. The router can be configured through the console port, the AUX port, or a telnet session.
Newer versions of IOS also allow working with the router over an SSH session. But on the very first boot, you have to configure the router via the console port. To do this, set the serial port speed to 9600 in your terminal program. Attach the supplied console cable to the router's CON port and the other end, through the adapter, to the PC, and open the Cisco router console. Then power on the router and watch the bootstrap loader start:
System Bootstrap, Version 5.2 (8a), RELEASE SOFTWARE
Copyright (c) 1986-1995 by cisco Systems
2500 processor with 16384 Kbytes of main memory
F3: 3268680 +81304 +204996 at 0x3000060
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Then the boot loader loads the IOS operating system from flash:
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-IL), Version 11.0 (4), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Mon 18-Dec-95 17:49 by alanyu
Image text-base: 0x0301C8DC, data-base: 0x00001000
cisco in 2500 (68030) processor (revision D) with 16380K/2048K bytes of memory.
Processor board ID 02413443, with hardware revision 00000000
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
1 Ethernet / IEEE 802.3 interface.
2 Serial network interfaces.
32K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read ONLY)
Press RETURN to get started!
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-IL), Version 11.0 (4), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Mon 18-Dec-95 17:49 by alanyu
Note that IOS can be loaded not only from flash, but also from the router's memory or from a TFTP server. Since this is the first boot of the router, we go through the stages of the setup program, which runs automatically. As you can see below, the configuration process is quite transparent and simple. Once you have answered the questions, the program builds the config, writes it to NVRAM and then restarts the router. So we begin configuring the interfaces in the setup program:
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Refer to the 'Getting Started' Guide for additional help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets'[]'.
Would you like to enter the initial configuration dialog? [yes]: yes
Review the list of interfaces on our router:
First, would you like to see the current interface summary? [yes]:
Any interface listed with OK? value "NO" does not have a valid configuration
Interface    IP-Address   OK?  Method   Status  Protocol
Ethernet0    unassigned   NO   not set  up      up
Serial0      unassigned   NO   not set  down    down
Serial1      unassigned   NO   not set  down    down
Configuring global parameters:
The router's host name:
Enter host name [Router]:
Enter the enable secret, the password that protects the router's privileged (configuration) mode:
The enable secret is a one-way cryptographic secret used
instead of the enable password when it exists.
Enter enable secret: s1
Then enter the enable password (kept for compatibility with older versions of IOS):
The enable password is used when there is no enable secret
and when using older software and some boot images.
Enter enable password: s2
Enter a password for the virtual terminals:
Enter virtual terminal password: s2
Enable SNMP so that we can collect statistics:
Configure SNMP Network Management? [yes]: yes
Community string [public]: public1
Our router needs support only for IP (not IPX), which we configure:
Configure IP? [yes]: yes
Since we use static routing with the ISP, we do not enable routing protocols:
Configure IGRP routing? [yes]: no
Configure RIP routing? [no]:
Specify the IP address on the Ethernet interface, leaving the Serial 0 interface unnumbered (what that means we will deal with later):
Configuring interface parameters:
Configuring interface Ethernet0:
Is this interface in use? [yes]:
Configure IP on this interface? [yes]:
IP address for this interface: 172.18.5.254 255.255.0.0
2. IP addressing and subnetting
The system administrator must be fluent in IP addressing and know how to apply subnetting in practice. A large ISP, besides securing the addressing of its own network and customer base, also keeps control over the direction of traffic by dividing its network into subnets, and worldwide about 80% of the installed router base is Cisco equipment. Let's get started. As you already know, the address of any computer connected to the Internet consists of two parts: the network address and the host address; for example, a full class C address of a host looks like 233.233.233.113, where 233.233.233 is the network address and 113 the host address. Of course, the router works with addresses in binary representation (hence base 2 everywhere below). A full IP address occupies 32 bits, or 4 octets of 8 bits each. For example, the commonly used netmask 255.255.255.0 looks like this in binary:
11111111 11111111 11111111 00000000
An address is converted from binary to decimal by taking the significant (set) bits in each octet and adding up the corresponding powers of two. For example, 255 is an octet with all eight bits set to one (see above), one less than 2 to the eighth power. The reverse process, converting from decimal to binary, only requires remembering the decimal value of each bit position; the router then obtains the network part with a logical AND of the address and the mask.
bit:    7    6    5    4    3    2    1    0    (power of 2)
      ----------------------------------------
value: 128   64   32   16   8    4    2    1    (2 to that power)
The top line shows the numbering of the bits in the octet, i.e. the power of two at each position, and the bottom line the value of two to that power. For example, take the address 233.233.233.113 and convert it to binary. The first octet, 233 in decimal, is the sum of the following terms taken from the bottom line:
233 = 128 + 64 + 32 + 8 + 1
We write ones in the positions whose terms were used and zeros in the rest, and get "11101001". The host address (last octet), decimal 113, expands as follows:
113 = 64 + 32 + 16 + 1
As a result, the full address will look like this:
11101001 11101001 11101001 01110001
Depending on the first bits of the address, networks are divided into classes A, B and C; the router looks at the leading bits to determine the class of the network, which speeds up routing. Below is the table of network classes, where AAA is the network part of the address and HHH the host part.
Class A network (first bit 0):
AAA.HHH.HHH.HHH (AAA in the range 1 to 127), for example 63.12.122.12
Class B network (first two bits 10):
AAA.AAA.HHH.HHH (AAA in the range 128 to 191), for example 160.12.234.12
Class C network (first three bits 110):
AAA.AAA.AAA.HHH (AAA in the range 192 to 223), for example 200.200.200.1
Accordingly, the number of hosts in a class A network (16 777 214) is greater than in a class B network (65534), while a class C network holds very few stations: only 254. Why not 256, you ask? Because the two addresses consisting of all zeros and all ones are reserved, so we subtract 2 from the number of addresses: 256 - 2 = 254. The same holds for network addresses: in class A you can create 128 - 1 = 127 networks, since the zero network address is used to specify the default route in static routing; class B networks number 2 to the 14th power = 16384 (2 octets of 8 bits = 16 bits, minus the first 2 reserved bits = 14); class C networks number 2 to the 21st power (3 octets of 8 bits = 24 bits, minus the first 3 reserved bits = 21).
Another example. Take the netmask 255.255.224.0 and represent it in binary. Remembering that 255 in binary is eight ones, we write:
11111111 11111111 ???????? 00000000
The number 224 expands according to the table into the following terms:
128 + 64 + 32 = 224. Filling with ones the positions whose terms we used and the unused positions with zeros, we obtain the full mask in binary: 11111111 11111111 11100000 00000000
Now let us return to how subnets are formed, using a class C network as the example. Subnets are needed for economy and a clear ordering of the address space within the company: there is no need to give each department its own address space of 256 hosts, and doing so would be as expensive as it is for an ISP. In addition, network traffic is reduced because the router can now send packets directly to the correct subnet (i.e. the right company division) rather than to the entire network.
To divide a network into subnets, some bits of the host part of the address are used for the subnet, as described by the subnet mask. For a class C network we can use the last octet (8 bits), or rather part of it. Now let us take the logical structure of the company. The company has 10 divisions with no more than 12 computers in each. For such a structure the subnet mask 255.255.255.240 is suitable. Why? If you write the mask in binary:
11111111 11111111 11111111 11110000
we see that the last octet consists of four ones and four zeros. Since 4 bits are taken from the host part for the subnet, 4 bits remain for hosts, giving 2 to the 4th power = 16 addresses. But the RFC does not recommend using the all-zeros and all-ones addresses, so from the 16 addresses we subtract 2, leaving 14 addresses in each subnet. Similarly, we can calculate the number of subnets:
2 to the 4th power = 16, minus 2 reserved subnets, total 14 subnets.
Using this technique, we can lay out the address space according to the company structure: in our case each department gets up to 14 addresses with mask 255.255.255.240, for up to 14 divisions. But the system administrator must also know the range of addresses assigned to each department. The subnet size is obtained by subtracting the last octet of the mask from 256: 256 - 240 = 16, so the subnets begin at 16, 32, 48 and so on in steps of 16, until the next step would no longer fit below 256. The valid host addresses lie between the subnet boundaries, as in the table below:
Subnet 16 (hosts 17-30)
Subnet 32 (hosts 33-46)
Subnet 48 (hosts 49-62)
Subnet 64 (hosts 65-...)
...
...
Subnet 224 (hosts 225-238)
In the first subnet, 16, you can see that the range of usable addresses lies within 17 to 30. Address 31 (more exactly, the host part of the address excluding the subnet bits) consists of all ones: 31 in binary is 00011111, and with the last 4 bits all set we get the subnet's broadcast address, which cannot be assigned to a host. Always convert numbers to binary, by hand or using tables, because a router given the wrong mask or host address will not be able to deliver packets back to the host. So the first subnet can be allocated to, for example, the secretariat, where each host must have the subnet mask 255.255.255.240. When working with routers, note that using the zero subnet (mask 255.255.255.128) is not recommended by the RFC, but you can solve this problem by entering ip classless in the router's global configuration.
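The arithmetic of this whole section (octet to binary, class lookup, the router's AND test, and the 255.255.255.240 split into department subnets with their host ranges and broadcast addresses), as an added Python example that is not part of the original article. The network 200.200.200.0, the mask and the department names are constructed sample values chosen to match the text; the all-zeros and all-ones subnets are skipped as the text recommends.

```python
# Added example, not code from the original article: the subnetting arithmetic
# of this section in Python. Network, mask and department names are
# constructed sample values.

POWERS = [128, 64, 32, 16, 8, 4, 2, 1]  # value of each bit position, as in the table above


def octet_to_binary(value: int) -> str:
    """Expand one octet (0-255) into its 8-bit string by walking the
    128/64/32/.../1 table and writing a 1 where a term is used."""
    if not 0 <= value <= 255:
        raise ValueError(f"not an octet: {value}")
    bits = []
    for power in POWERS:
        if value >= power:
            bits.append("1")
            value -= power
        else:
            bits.append("0")
    return "".join(bits)


def dotted_to_binary(address: str) -> str:
    """Full 32-bit address as four space-separated octets."""
    return " ".join(octet_to_binary(int(o)) for o in address.split("."))


def to_int(address: str) -> int:
    return int.from_bytes(bytes(int(o) for o in address.split(".")), "big")


def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def address_class(address: str) -> str:
    """Classful lookup from the leading bits of the first octet."""
    first = to_int(address) >> 24
    if first & 0b10000000 == 0:
        return "A"
    if first & 0b11000000 == 0b10000000:
        return "B"
    if first & 0b11100000 == 0b11000000:
        return "C"
    return "D/E"  # multicast and reserved space, not covered by the text


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """The router's test: logical AND of each address with the mask."""
    m = to_int(mask)
    return to_int(addr_a) & m == to_int(addr_b) & m


def subnet_plan(network: str, mask: str, departments):
    """Split the classful network with `mask` and hand one subnet to each
    department. The all-zeros and all-ones subnets are skipped, and each
    subnet loses its network and broadcast address."""
    mask_i = to_int(mask)
    host_bits = 32 - bin(mask_i).count("1")
    block = 1 << host_bits  # addresses per subnet: 16 for a .240 mask
    parent_bits = {"A": 24, "B": 16, "C": 8}[address_class(network)]
    parent_base = to_int(network) & ~((1 << parent_bits) - 1) & 0xFFFFFFFF
    total = (1 << parent_bits) // block  # 16 subnets for a class C split on 4 bits
    usable = [parent_base + i * block for i in range(1, total - 1)]
    if len(departments) > len(usable):
        raise ValueError(f"only {len(usable)} usable subnets for {len(departments)} departments")
    plan = []
    for dept, net in zip(departments, usable):
        plan.append({
            "department": dept,
            "subnet": to_dotted(net),
            "first_host": to_dotted(net + 1),
            "last_host": to_dotted(net + block - 2),
            "broadcast": to_dotted(net + block - 1),
            "hosts": block - 2,
        })
    return plan


if __name__ == "__main__":
    print(dotted_to_binary("233.233.233.113"))
    for row in subnet_plan("200.200.200.0", "255.255.255.240",
                           [f"department-{i:02d}" for i in range(1, 11)]):
        print(row)
```

Asking for more departments than the mask allows raises an error instead of silently handing out overlapping ranges, which is the mistake the text warns about when it says a router with a wrong mask cannot deliver packets back to the host.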
3. Creating access lists (ACL)
Access lists on a Cisco router work and are built much like the filtering rules of the popular IPFW or IPF on FreeBSD. The rules are read in sequence, and as soon as a packet matches a rule, its fate is decided by that rule. You create access lists in global config (the access-list command) and then bind a list to an interface. The following types of access list can be created:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<200-299> Protocol type-code access list
<700-799> 48-bit MAC address access list
We will consider, as an example, a list line that allows the SMTP protocol for all company employees:
We take an arbitrary extended list number, 110:
Router(config)# access-list 110 ?
deny Specify packets to reject
permit Specify packets to forward
Allow the packets through (permit):
Router(config)# access-list 110 permit ?
<0-255> An IP protocol number
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Enter the protocol:
Router(config)# access-list 110 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Enter the source address (in our example, "any" means any host or network):
Router(config)# access-list 110 permit tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Enter destination address:
Router(config)# access-list 110 permit tcp any any ?
eq Match only packets on a given port number
established Match established connections
gt Match only packets with a greater port number
log Log matches against this entry
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
We want only one criterion: the port number equal to smtp (eq):
Router(config)# access-list 110 permit tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (used infrequently, 20)
gopher Gopher (70)
hostname NIC hostname server (101)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
And enter the port smtp (you can also enter 25):
Router(config)# access-list 110 permit tcp any any eq smtp
Now enter the remaining lines of the access list for our tasks.
Allow the company's employees to work with POP3 servers:
access-list 110 permit tcp any any eq pop3
Allow access to our proxy server (200.200.200.2) on port 8080, and let the proxy itself reach any host:
access-list 120 permit tcp 200.200.200.0 0.0.0.255 host 200.200.200.2 eq 8080
access-list 110 permit tcp host 200.200.200.2 any
On our proxy server we configure Squid to cache employees' FTP and HTTP requests, but we do not give employees direct access to WWW servers. Allow all traffic on the local network (a standard access list, which matches on the source address only):
access-list 10 permit 200.200.200.0 0.0.0.255
If you need to separate access between the company's departments, you can use subnet masks to handle traffic on the local network; for example, access to the accounting server 200.200.200.50 should be restricted to the accounting department (200.200.200.48 255.255.255.240) and company management (200.200.200.224 255.255.255.240). The wildcard mask in an access list is the inverse of the subnet mask, so a 255.255.255.240 subnet is written with 0.0.0.15:
access-list 110 permit ip 200.200.200.48 0.0.0.15 host 200.200.200.50
access-list 110 permit ip 200.200.200.224 0.0.0.15 host 200.200.200.50
If you plan to limit traffic by means of the servers themselves, you have to allow all IP traffic on the local network (using a standard access list):
access-list 10 permit 200.200.200.0 0.0.0.255
Once you have completed the access lists, you bind them to the interface, in our case Ethernet 0. The command is ip access-group, entered in interface configuration mode:
Router# configure terminal
Router(config)# int e0
! Allow incoming traffic to the proxy server
Router(config-if)# ip access-group 120 in
! Allow outgoing traffic from the proxy server and mail
Router(config-if)# ip access-group 110 in
! Allow all local traffic
Router(config-if)# ip access-group 10 in
Router(config-if)# exit
Router(config)# exit
Router# wr mem
As you noticed, we apply the filtering rules on the e0 interface to all incoming packets. Note that an interface accepts only one access list per direction: each ip access-group command replaces the one before it, so in the sequence above only list 10 would remain in effect. For all the rules to work together, put the entries into a single list (for example 110) and apply that one list inbound.
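A small model of how an IOS extended access list is evaluated, as an added Python example that is not code from the original article or from Cisco: first match wins, a list ends with an implicit deny, and "any", "host" and wildcard masks are resolved the way the router does it. The entries are those built in this section, combined into one list 110 because an interface takes only one list per direction; the packets and hosts it is run over are constructed sample values.

```python
# Added example, not code from the original article or from Cisco: a minimal
# evaluator for IOS extended access-list entries, run over constructed packets.
from dataclasses import dataclass

SERVICES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23, "domain": 53}

# The section's rules, merged into one list (constructed to match the text).
ACL_TEXT = """
access-list 110 permit tcp 200.200.200.0 0.0.0.255 host 200.200.200.2 eq 8080
access-list 110 permit tcp host 200.200.200.2 any
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
"""


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0


def to_int(address: str) -> int:
    return int.from_bytes(bytes(int(o) for o in address.split(".")), "big")


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    w = to_int(wildcard)
    return (to_int(address) | w) == (to_int(base) | w)


def take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse lines of the form: access-list N permit|deny PROTO SRC DST [eq PORT]."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = take_address(tokens[4:])
        dst, rest = take_address(rest)
        port = None
        if rest and rest[0] == "eq":
            port = SERVICES[rest[1]] if rest[1] in SERVICES else int(rest[1])
        entries.append({"number": number, "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": port})
    return entries


def evaluate(entries, packet: Packet):
    """Return (action, index of the matching entry); the first match wins.
    Falling off the end is the implicit deny, reported with index None."""
    for index, e in enumerate(entries):
        if e["proto"] not in ("ip", packet.proto):
            continue
        if not wildcard_match(packet.src, *e["src"]):
            continue
        if not wildcard_match(packet.dst, *e["dst"]):
            continue
        if e["port"] is not None and e["port"] != packet.dport:
            continue
        return e["action"], index
    return "deny", None


ACL_110 = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for pkt in (Packet("tcp", "200.200.200.17", "200.200.200.2", 8080),
                Packet("tcp", "200.200.200.17", "10.1.2.3", 80),
                Packet("udp", "200.200.200.17", "10.1.2.3", 53)):
        print(pkt, "->", evaluate(ACL_110, pkt))
```

Running it shows the two things that are easy to get wrong on a real router: a workstation's direct HTTP request is dropped by the implicit deny (only the proxy may go out), and so is its DNS query over UDP, because nothing in the list permits it; a list of this shape needs a matching entry for every service the LAN really uses, and the order of entries decides the outcome when a deny and a permit overlap.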
4. Protecting access to the router
Now let us deal with password protection for the three external ways of configuring the router:
- console router
- additional ports for connecting a modem (AUX)
- access to telnet session
To protect console access, enter the router's configuration mode:
Router# config terminal
and enter the commands that set the password:
Router(config)# line console 0
Router(config-line)# password your_password
Router(config-line)# login
Router(config-line)# exit
Router(config)# exit
Router# wr mem
A password on the AUX port is set the same way:
Router(config)# line aux 0
Router(config-line)# password your_password
Router(config-line)# login
Router(config-line)# exit
Router(config)# exit
Router# wr mem
And finally the password for telnet sessions:
Router(config)# line vty 0 4
Router(config-line)# password your_password
Router(config-line)# login
Router(config-line)# exit
Router(config)# exit
Router# wr mem
Note that when you set the password for telnet sessions, you specify the range of virtual terminal lines, 0 to 4, and with it the number of sessions allowed. Attempting to access the router by any of these methods, you will receive a prompt of this kind: "Enter password:". When you have a large number of routers, use AAA (authentication, authorization and accounting) to provide a single login mechanism on all devices; to create a user, enter the command:
Router(config)# username vasya password pipkin_password
Router(config)# exit
Router# wr term
As the output of show config (wr term) shows, the password is stored in encrypted form and is hard to read:
username alfred password 7 737192826282927612
Keep in mind that type 7 encryption is a reversible obfuscation rather than a hash, so the configuration file itself must be protected; later IOS versions accept username ... secret, which stores an MD5 hash instead.
Then enable AAA in the global config:
aaa new-model
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authorization exec local if-authenticated
Then configure the AUX, console and telnet lines so that the config file contains the following:
line con 0
login authentication CONSOLE
line aux 0
transport input none
line vty 0 4
! Now when we try to log in we get the following prompt (the password is not displayed):
User Access Verification
Username: alfred
Password:
Router>
5. Collecting statistics from the router
For this you need any UNIX host with the MRTG package installed; create the MRTG configuration file with cfgmaker:
cfgmaker community_name@name_your_router
where community_name is the SNMP community (read-only mode) that you set on the router with the command:
Router(config)# snmp-server community community_name RO
and on the UNIX host the resulting configuration file is processed by the mrtg script:
WorkDir: /usr/local/www/docs
Interval: 5
Refresh: 60
WriteExpires: Yes
Background[router.victim.com.1]: #CFCFCF
Options[router.victim.com.1]: bits, growright
Target[router.victim.com.1]: 1:community_name@victim.com
MaxBytes[router.victim.com.1]: 1250000
Title[router.victim.com.1]: router.victim.com: Ethernet0
PageTop[router.victim.com.1]: <H1>Traffic Analysis for Ethernet0</H1>
 <TABLE>
 <TR><TD>System:</TD><TD>router.victim.com</TD></TR>
 <TR><TD>Maintainer:</TD><TD></TD></TR>
 <TR><TD>Interface:</TD><TD>Ethernet0 (1)</TD></TR>
 <TR><TD>IP:</TD><TD>router.victim.com (200.200.200.1)</TD></TR>
 <TR><TD>Max Speed:</TD>
 <TD>1250.0 kBytes/s (ethernetCsmacd)</TD></TR>
 </TABLE>
### Serial 0 ###
Background[router.victim.com.2]: #CFCFCF
Options[router.victim.com.2]: bits, growright
Target[router.victim.com.2]: 2:community_name@victim.com
MaxBytes[router.victim.com.2]: 8000
Title[router.victim.com.2]: MTO 64K: Serial0
PageTop[router.victim.com.2]: <H1>Traffic Analysis for Serial0</H1>
 <TABLE>
 <TR><TD>System:</TD><TD>router.victim.com</TD></TR>
 <TR><TD>Maintainer:</TD><TD></TD></TR>
 <TR><TD>Interface:</TD><TD>Serial0 (2)</TD></TR>
 <TR><TD>IP:</TD><TD>()</TD></TR>
 <TR><TD>Max Speed:</TD>
 <TD>8000.0 Bytes/s (propPointToPointSerial)</TD></TR>
 </TABLE>
mrtg is run every five minutes (from crond) and generates the traffic reports in the directory /usr/local/www/data as HTML pages with graphs. You need to run the Apache WWW server on this host to publish the statistics for internal traffic on the Ethernet interface (router.victim.com.html) and for traffic on the Serial 0 interface (router.victim.com.2.html).
Conclusion
Despite the apparent simplicity of the EXEC mode commands, Cisco routers are a powerful tool for diagnosing faults in WANs and LANs. With debug (help is available with the command "debug ?"), you can listen to the traffic on the local network for any protocol supported by your version of IOS (IPX, IP, AppleTalk), or use cdp to obtain information about neighboring Cisco routers.