Cisco Router Configuration Basics
AFNOG 2002 / track 2

router components

Like a computer, a router is composed of:

- Operating system: IOS
- Microprocessor to run the IOS
- RAM: main storage; holds the running (dynamic) configuration
- ROM: bootstrap code and the power-on self test
- NVRAM: holds the startup configuration, i.e. the saved backup of the running config
- Flash memory: erasable, rewritable storage that holds a copy of the IOS image

system startup

- POST: the power-on self test, run from ROM, diagnoses the hardware on all modules
- bootstrap: locates and loads the IOS image (normally from flash)
- IOS loads the startup configuration from NVRAM into RAM, where it becomes the running configuration

overview

router configuration controls the operation of the router:

interface address and netmask

routing information (static or dynamic)

booting and startup information

security (passwords)

where is the configuration?

router always has two configurations:

running configuration
- in RAM, determines how the router is currently operating
- is changed by using the configuration commands
- to see it: show running-config

startup configuration
- in NVRAM, determines how the router will operate after the next reload
- is changed using the copy command
- to see it: show startup-config

where is the configuration?

can also be stored in more permanent places:

- on external hosts, using TFTP to move it around
- in flash memory in the router

the copy command is used to move it around:

copy run start
copy run tftp
copy start tftp
copy tftp start
copy flash start
copy start flash

TFTP has no authentication and carries the file in clear text, and the configuration contains the router's passwords, so keep the TFTP host on a management network and protect the saved file like a secret.

external configuration sources

- console / auxiliary port
- virtual terminals (vty) - telnet
- TFTP server
- network management software

changing the configuration

configuration statements can be entered interactively - changes are made (almost) immediately, to the running configuration

can use direct serial connection to console port, or

telnet to vty’s (“virtual terminals”), or

modem connection to aux port

changing configuration

or, edited in a text file and uploaded to the router at a later time via tftp;

some configuration statements, especially access lists, are very difficult to work with interactively, so editing and uploading the file is the only practical way to work;

also allows version control and auditing changes

new router configuration process

load configuration parameters into RAM

personalize router identification

assign access passwords

configure interfaces

configure routing protocols

save configuration parameters to NVRAM

router modes

- User EXEC mode - limited examination of the router; prompt: Router>
- Privileged EXEC mode - detailed examination of the router, debugging, testing, file manipulation; prompt: Router#
- ROM Monitor - useful for password recovery (which also means that anyone with physical access to the console port can reset the passwords)
- Setup mode

logging into the router

Connect to the router's console port, or telnet to the router:

router>                 (user EXEC mode prompt)
router>enable
Password:
router#                 (privileged EXEC mode prompt)
router#?

Configuring the router from the terminal (entering the commands directly):

router# configure terminal
router(config)#

configuring your router

Set the enable password:

router(config)# enable password t2@afnog

If you look at your config file, you will see that the enable password is displayed in clear text. That is not safe; hide it and set an enable secret:

router(config)# service password-encryption
router(config)# enable secret <your password>

service password-encryption only obscures the passwords in the config with a reversible "type 7" encoding; it stops shoulder-surfing, not someone who has a copy of the file. enable secret stores an MD5 hash ("type 5") and, when both are set, is the one the router checks.

To configure an interface you have to enter interface configuration mode:

router(config)# interface ethernet0 (or 0/x)
router(config-if)#

Save your configuration:

router# copy running-config startup-config
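What "service password-encryption" actually buys you, as an added example that is not part of the AFNOG slides: IOS type 7 is a fixed-key XOR encoding that anyone holding the config can reverse, while the type 5 value written by enable secret is a salted MD5 hash that cannot be decoded this way. The sample config below is constructed (the type 5 hash is a placeholder), and the function names are mine.

```python
# Added example, not from the AFNOG slides: what "service password-encryption"
# really does. IOS "type 7" is a fixed-key XOR (Vigenere-style) encoding that
# anyone who can read the config can reverse; "enable secret" (type 5) is a
# salted MD5 hash and cannot be decoded this way.
from __future__ import annotations

import re

# The fixed key IOS uses for type-7 encoding; it is public and identical on every router.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Decode a type-7 string: two decimal digits of seed, then hex byte pairs."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Encode the way IOS does; the seed (0..15) picks where in the key to start."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ch ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, ch in enumerate(plaintext.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Matches "enable secret", "enable password" and line-mode "password" statements,
# with or without the optional type digit (0, 5, 7) in front of the value.
_PW_LINE = re.compile(r"^\s*((?:enable\s+)?(?:secret|password))\s+(?:(\d)\s+)?(\S+)\s*$")


def audit_passwords(config: str) -> list[tuple[str, str]]:
    """Classify every password statement in a config dump.

    Returns (statement, verdict) pairs: 'cleartext', 'reversible:<plaintext>'
    for type 7, or 'hashed' for type 5."""
    findings = []
    for line in config.splitlines():
        m = _PW_LINE.match(line)
        if not m:
            continue
        _keyword, ptype, value = m.groups()
        if ptype == "7":
            verdict = "reversible:" + type7_decode(value)
        elif ptype == "5":
            verdict = "hashed"
        else:
            verdict = "cleartext"
        findings.append((line.strip(), verdict))
    return findings


# Constructed sample config (not a real device); the type-5 hash is a placeholder.
SAMPLE_CONFIG = """\
hostname hostel-rtr
enable password t2@afnog
enable secret 5 $1$abcd$0123456789abcdefghijkl
line con 0
 password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for stmt, verdict in audit_passwords(SAMPLE_CONFIG):
        print(f"{verdict:20} {stmt}")
```

The widely published string 0822455D0A16 decodes to "cisco", and the same plaintext encodes back to it with seed 8; run the module to see every password statement in the sample labelled. The practical rule that follows: never paste a config containing type 7 values into a ticket or a mailing list, and use enable secret (and, on newer IOS, the stronger secret types) rather than enable password.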

configuring your router

configuration statements have different contexts:

global:
  enable password mysecret

interface:
  interface ethernet0
   ip address 169.222.1.45 255.255.255.0

router:
  router ospf 1
   network 169.222.31.0 0.0.0.255 area 0

line:
  line vty 0 4

global configuration

global configuration statements are independent of any particular interface or routing protocol, e.g.:

hostname myrouter
enable password mysecret
service password-encryption
logging facility local0
logging 169.222.31.42

global configuration

ip-specific global configuration statements:

ip classless
ip name-server 169.222.31.42

static route creation:

ip route 169.222.16.0 255.255.248.0 169.229.31.1

interface configuration

interfaces are named by type and position; e.g.:

ethernet0, ethernet1, ... ethernet5
serial0, serial1, ... serial3

and can be abbreviated:

ethernet0 or eth0 or e0
serial0 or ser0 or s0

interface configuration

ip address and netmask configuration, using interface commands (interactive configuration example, showing prompts):

router#configure terminal
router(config)#interface e0
router(config-if)#ip address 169.222.30.4 255.255.255.0
router(config-if)#no shutdown
router(config-if)#^Z
router#

interface configuration

administratively enable/disable the interface:

router(config-if)#no shutdown
router(config-if)#shutdown

description:

router(config-if)#description ethernet link to admin building router

Cisco global config should always include:

ip classless
ip subnet-zero
no ip domain-lookup

(on recent IOS releases ip classless and ip subnet-zero are the defaults and do not appear in the running config; no ip domain-lookup stops the router from trying to resolve every mistyped command as a hostname)

Cisco interface config should usually include:

no shutdown
no ip proxy-arp
no ip redirects

(proxy ARP lets the router answer ARP requests on behalf of other hosts, and ICMP redirects let it steer hosts to another gateway; both leak topology and are better left off unless you need them)
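A checker for the statements listed above, added here as an example and not taken from the slides. It parses the indentation structure of IOS output (a top-level line such as "interface Ethernet0" opens a section whose statements are indented one space; "!" lines separate sections), then reports which global and per-interface hardening statements are missing and which vty lines have no inbound access-class. The running-config dump it runs on is constructed, and the function names are mine.

```python
# Added example, not from the AFNOG slides: check a running-config dump for the
# hardening statements the slide says should always / usually be present.
from __future__ import annotations

REQUIRED_GLOBAL = ("ip classless", "ip subnet-zero", "no ip domain-lookup")
REQUIRED_INTERFACE = ("no ip proxy-arp", "no ip redirects")


def parse_sections(config: str) -> dict[str, list[str]]:
    """Map every top-level statement to its indented child statements
    (an empty list for plain global statements). '!' and blank lines end a section."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def check_config(config: str) -> list[str]:
    """Return one finding per missing hardening statement, in config order."""
    sections = parse_sections(config)
    findings = []
    for stmt in REQUIRED_GLOBAL:
        if stmt not in sections:
            findings.append(f"global: missing '{stmt}'")
    for header, body in sections.items():
        if header.startswith("interface "):
            if "shutdown" in body:
                continue            # administratively down: nothing exposed yet
            for stmt in REQUIRED_INTERFACE:
                if stmt not in body:
                    findings.append(f"{header}: missing '{stmt}'")
        elif header.startswith("line vty"):
            if not any(s.startswith("access-class ") and s.endswith(" in") for s in body):
                findings.append(f"{header}: no inbound access-class (telnet reachable from any source)")
    return findings


# Constructed sample (not from a real router); addresses are the ones used on the slides.
SAMPLE_CONFIG = """\
hostname hostel-rtr
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
 description ethernet link to admin building router
 ip address 169.222.30.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Ethernet1
 ip address 169.222.31.33 255.255.255.224
!
interface Serial0
 no ip address
 shutdown
!
line vty 0 4
 password 7 0822455D0A16
 login
!
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports the missing ip classless, the two missing interface statements on Ethernet1 and the unprotected vty lines. Because newer IOS hides default statements, a checker for real devices has to know the IOS version (or compare against "show running-config all") before calling ip classless or ip subnet-zero missing.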

looking at the configuration

use "show running-config" (or "show run") to see the current configuration

use "show startup-config" (or "show start") to see the configuration in NVRAM, which will be loaded the next time the router is rebooted or reloaded; any difference between the two is a change that has not been saved

interactive configuration

enter configuration mode, using "configure term"

prompt gives a hint about where you are:

router#configure term
router(config)#ip classless
router(config)#ip subnet-zero
router(config)#int e3
router(config-if)#ip addr 169.222.31.33 255.255.255.224
router(config-if)#no shut
router(config-if)#^Z

storing the configuration on a host

requires 'tftpd' on a unix host; the destination file must exist before the file is written and must be world writable...

router#copy run tftp
Remote host []? 169.222.31.42
Name of configuration file to write [hostel-rtr-confg]? /usr/local/tftpd/hostel-rtr-confg
Write file /usr/local/tftpd/hostel-rtr-confg on host 169.222.31.42? [confirm]
Building configuration...
Writing /usr/local/tftpd/hostel-rtr-confg !![OK]

a world-writable file on a service with no authentication means anyone who can reach the host can read the saved config, passwords included, or replace it with one that gets loaded at the next restore; restrict who can reach the TFTP server and check what you restore.

restoring the configuration from a host

use 'tftp' to pull the file from the unix host, copying it to the running config or the startup config

router#copy tftp start
Address of remote host [255.255.255.255]? 169.222.31.42
Name of configuration file [hostel-rtr-confg]?
Configure using hostel-rtr-confg from 169.222.31.42? [confirm]
Loading hostel-rtr-confg from 169.222.31.42 (via Ethernet0): !
[OK - 1005/128975 bytes]
[OK]
hostel-rtr# reload

copying to startup-config replaces the saved configuration, so the reload brings up exactly the file; copying to running-config instead merges the file's statements into the current configuration line by line and removes nothing.

getting help

IOS has a built-in help facility; use "?" to get a list of possible configuration statements

"?" after the prompt lists all possible commands:

router#?

"<partial command> ?" lists all possible subcommands, e.g.:

router#show ?
router#show ip ?

getting help

"<partial command>?" shows all possible command completions:

router#con?
configure  connect

this is different:

hostel-rtr#conf ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>

getting help

this also works in configuration mode:

router(config)#ip a?
accounting-list  accounting-threshold  accounting-transits  address-pool  alias  as-path

router(config)#int e0
router(config-if)#ip a?
access-group  accounting  address

getting help

can "explore" a command to figure out the syntax:

router(config-if)#ip addr ?
  A.B.C.D  IP address

router(config-if)#ip addr 169.222.64.1 ?
  A.B.C.D  IP subnet mask

router(config-if)#ip addr 169.222.64.1 255.255.255.0 ?
  secondary  Make this IP address a secondary address
  <cr>

router(config-if)#ip addr 169.222.64.1 255.255.255.0
router(config-if)#

getting lazy help

the TAB character will complete a partial word:

hostel-rtr(config)#int<TAB>
hostel-rtr(config)#interface et<TAB>
hostel-rtr(config)#interface ethernet 0
hostel-rtr(config-if)#ip add<TAB>
hostel-rtr(config-if)#ip address 169.222.64.1 255.255.255.0

not really necessary; partial commands can be used:

router#conf t
router(config)#int e0
router(config-if)#ip addr 169.222...

getting lazy

command history

- IOS maintains a short list of previously typed commands
- up-arrow or '^p' recalls the previous command
- down-arrow or '^n' recalls the next command

line editing

- left-arrow, right-arrow move the cursor inside the command
- backspace deletes the character before the cursor; '^d' deletes the character under the cursor

connecting your FreeBSD machine to the console

Connect your machine to the console port using the serial cable provided.

Look in /etc/remote to see the device configured to be used with "tip". At the end you will see a line beginning with cuaa0c... (you can rename it to cisco):

bash$ tip cuaa0c (or cisco)
router>
router>enable
router#

Exercise (continued)

- look at your running configuration
- configure an IP address for e0/0 depending on your table - use 80.248.70.1 for table A etc.
- look at your running configuration and your startup configuration
- what difference is there, if any?

using access lists

Access Control Lists are used to implement security in routers:

- a powerful tool for network control
- filter packets flowing in or out of router interfaces
- restrict network use by certain users or devices
- deny or permit traffic
- operate in sequential, logical order - top down
- go down the access list until a match is found
- implicit deny at the bottom of every list

using access lists

Standard Access Lists (1 - 99)
- simpler address specifications (source address only)
- generally permit or deny the entire protocol suite

Extended Access Lists (100 - 199)
- more complex address specification (source and destination)
- generally permit or deny specific protocols and ports

ACL format

Standard Access List configuration format:
- access-list access-list-number {permit | deny} source {source-mask}
- ip access-group access-list-number {in | out}

Extended Access List configuration format:
- access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [operator port]
- ip access-group access-list-number {in | out}

(the access-list statements are global; ip access-group is entered on the interface the list is applied to)

where to place IP access list

place standard access list close to destination

place extended access lists close to the source of the traffic you want to deny

using access lists

Router(config)#access-list access-list-number {permit|deny} {test conditions}
Router(config-if)#{protocol} access-group access-list-number {in|out}

e.g. check for IP subnets 172.30.16.0 to 172.30.31.0 (third octet 16 through 31):

172.30.16.0   third octet = 0001 0000
                            0000      check  (the high four bits are the same for 16..31)
                                 1111 ignore (the low four bits vary)

Address and wildcard mask: 172.30.16.0 0.0.15.255

wildcard bits indicate how to check the corresponding address bit:
- 0 = check
- 1 = ignore

Matching any IP address: 0.0.0.0 255.255.255.255, or abbreviate the expression using the keyword any

Matching a specific host: 172.30.16.29 0.0.0.0, or abbreviate the wildcard using the IP address preceded by the keyword host
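The wildcard derivation from the two slides above, done in Python as an added example that is not part of the slides. It computes the wildcard for a prefix length, finds the single address/wildcard pair for a range of addresses (and reports when no single entry can express the range), and maps a wildcard back to prefix notation, returning None for the non-contiguous wildcards IOS also accepts. Standard library only; the addresses are the slides' own and the function names are mine.

```python
# Added example, not from the AFNOG slides: deriving wildcard masks
# (0 = check the bit, 1 = ignore it) and mapping them back to prefixes.
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard for a /prefixlen network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefixlen)) & ALL_ONES
    return _dotted(netmask ^ ALL_ONES)


def wildcard_for_range(first: str, last: str) -> tuple[str, str] | None:
    """One (address, wildcard) pair covering first..last inclusive.

    Only an aligned power-of-two block fits a single entry (e.g. the slide's
    172.30.16.0 - 172.30.31.255); anything else returns None and has to be
    written as several access-list lines."""
    lo, hi = _ip(first), _ip(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return _dotted(lo), _dotted(size - 1)


def to_cidr(address: str, wildcard: str) -> str | None:
    """Prefix notation for a contiguous wildcard; None for a non-contiguous one
    (IOS accepts e.g. 0.0.254.255, which matches only odd third octets)."""
    base, w = _ip(address), _ip(wildcard)
    if w & (w + 1):                     # set bits are not one solid low-order run
        return None
    prefixlen = 32 - w.bit_length()
    return f"{_dotted(base & ~w & ALL_ONES)}/{prefixlen}"


if __name__ == "__main__":
    print(wildcard_for_prefix(24))                             # 0.0.0.255
    print(wildcard_for_range("172.30.16.0", "172.30.31.255"))  # slide example
    print(wildcard_for_range("172.30.16.0", "172.30.32.255"))  # not one block
    print(to_cidr("80.248.70.224", "0.0.0.15"))                # the vty ACL below
    print(to_cidr("172.30.1.0", "0.0.254.255"))                # non-contiguous
```

The check in wildcard_for_range is the one worth remembering when writing lists by hand: a range that is not a power of two in size, or whose first address is not a multiple of that size, cannot be matched by one entry, and guessing a wildcard for it will either let extra addresses through or leave some out.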

Permit telnet from my network only

access-list 1 permit 80.248.70.224 0.0.0.15
access-list 1 deny any

line vty 0 4
 access-class 1 in

(the explicit deny any is redundant because of the implicit deny, but it is the place to add the log keyword to see who is being refused; access-class only protects logins to the router's own vty lines, telnet passing through the router is unaffected)

Standard Access Lists example: permit my network only

(diagram: E0 on the 172.16.3.0 LAN, E1 on the 172.16.4.0 LAN with host 172.16.4.13, S0 toward non-172.16.0.0 networks)

access-list 1 permit 172.16.0.0 0.0.255.255

interface ethernet 0
 ip access-group 1 out
interface ethernet 1
 ip access-group 1 out

extended access lists example: deny FTP for E0

(diagram: E0 on the 172.16.3.0 LAN, E1 on the 172.16.4.0 LAN with host 172.16.4.13, S0 toward non-172.16.0.0 networks)

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255

interface ethernet 0
 ip access-group 101 out

(the final permit only covers sources in 172.16.4.0/24, so the implicit deny also drops everything else leaving E0, for example replies arriving via S0 for 172.16.3.0; following the placement rule above, applying the list inbound on E1, where the traffic enters, avoids that side effect)
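A small evaluator for the numbered standard and extended lists used on the last three slides, added here as an example that is not part of the slides. It implements the rules stated earlier (entries tested top down, first match wins, implicit deny at the end), parses the any/host/wildcard forms, and runs the slides' own lists against constructed packets, including ones that show the ordering dependence and the implicit-deny side effect noted above. Standard library only; the Packet and Rule types and the function names are mine.

```python
# Added example, not from the AFNOG slides: evaluate numbered standard (1-99)
# and extended (100-199) IP access lists the way the slides describe them:
# top-down, first match wins, implicit deny at the end of every list.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
ANY = (0, 0xFFFFFFFF)


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int | None = None


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: tuple[int, int]       # (address, wildcard) as integers
    dst: tuple[int, int]
    dport: int | None
    text: str                  # the original statement, for reporting


def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))


def _parse_addr(t: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Consume 'any', 'host A' or 'A W' at t[i]; W defaults to 0.0.0.0 (exact host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    base = _ip(t[i])
    try:
        return (base, _ip(t[i + 1])), i + 2
    except (IndexError, ValueError):
        return (base, 0), i + 1


def parse_acls(text: str) -> dict[int, list[Rule]]:
    """Group 'access-list N ...' statements by list number, keeping their order."""
    acls: dict[int, list[Rule]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99:                        # standard: source only, whole IP suite
            src, _ = _parse_addr(t, 3)
            rule = Rule(action, "ip", src, ANY, None, line.strip())
        else:                                   # extended: protocol, source, destination, [eq port]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = None
            if i + 1 < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            rule = Rule(action, t[3], src, dst, dport, line.strip())
        acls.setdefault(number, []).append(rule)
    return acls


def _match(addr: int, spec: tuple[int, int]) -> bool:
    base, wild = spec
    return (addr & ~wild) == (base & ~wild)     # wildcard 1-bits are ignored


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Rule | None]:
    """Return (action, matching rule); ('deny', None) means the implicit deny fired."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_match(_ip(pkt.src), r.src) and _match(_ip(pkt.dst), r.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r
    return "deny", None


# The two lists from the slides, as constructed input.
ACL_TEXT = """\
access-list 1 permit 80.248.70.224 0.0.0.15
access-list 1 deny any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255
"""
ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for number, pkt in ((1, Packet("tcp", "80.248.70.230", "80.248.70.1", 23)),
                        (1, Packet("tcp", "10.1.2.3", "80.248.70.1", 23)),
                        (101, Packet("tcp", "172.16.4.13", "172.16.3.9", 21)),
                        (101, Packet("tcp", "172.16.4.13", "172.16.3.9", 80)),
                        (101, Packet("tcp", "10.1.2.3", "172.16.3.9", 80))):
        action, rule = evaluate(ACLS[number], pkt)
        print(f"acl {number}: {action:6} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}"
              f"  [{rule.text if rule else 'implicit deny'}]")
```

Two things the evaluator makes visible that reading the list does not: the FTP deny lines match TCP only, so the same ports over UDP fall through to the permit, and reversing the order of list 101 (permit first) lets FTP through, which is why a list is always read top down before it is applied.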