Cisco Router Configuration Basics
Presented by Mark Tinka (Uganda)
AfNOG 2003 / Track 2
Router Components
- Bootstrap – stored in ROM microcode; brings the router up during initialisation, boots the router and loads the IOS
- POST (Power On Self Test) – stored in ROM microcode; checks the basic functionality of the router hardware and determines which interfaces are present
- ROM Monitor – stored in ROM microcode; used for manufacturing, testing and troubleshooting
- Mini-IOS (a.k.a. RXBOOT / boot loader by Cisco) – a small IOS in ROM used to bring up an interface and load a Cisco IOS into flash memory from a TFTP server; can also do a few other maintenance operations
Router Components
- RAM – holds packet buffers, the ARP cache, the routing table, software and the data structures that allow the router to function; running-config is stored in RAM, as is the decompressed IOS in later router models
- ROM – starts and maintains the router
- Flash memory – holds the IOS; is not erased when the router is reloaded; is an EEPROM (Electrically Erasable Programmable Read-Only Memory) created by Intel, which can be erased and reprogrammed repeatedly by applying a higher than normal voltage
- NVRAM (Non-Volatile RAM) – holds the router configuration; is not erased when the router is reloaded
Router Components
- Config-Register – controls how the router boots; its value can be seen with the "show version" command; is typically 0x2102, which tells the router to load the IOS from flash memory and the startup-config file from NVRAM
Why Modify The Config-Register
Reasons why you would want to modify the config-register:
- Force the router into ROM Monitor mode
- Select a boot source and default boot filename
- Enable/disable the Break function
- Control broadcast addresses
- Set the console terminal baud rate
- Load operating software from ROM
- Enable booting from a TFTP server
System Startup
- POST – loaded from ROM; runs diagnostics on all router hardware
- Bootstrap – locates and loads the IOS image; the default setting is to load the IOS from flash memory
- IOS – locates and loads a valid configuration from NVRAM; the file is called startup-config and only exists if you have copied running-config to NVRAM
- Startup-config – if found, the router loads it and runs the embedded configuration; if not found, the router enters setup mode
Overview
Router configuration controls the operation of the router's:
- Interface IP address and netmask
- Routing information (static, dynamic or default)
- Boot and startup information
- Security (passwords)
Where Is The Configuration?
The router always has two configurations:
- Running configuration
  - In RAM; determines how the router is currently operating
  - Is modified using the configure command
  - To see it: show running-config
- Startup configuration
  - In NVRAM; determines how the router will operate after the next reload
  - Is modified using the copy command
  - To see it: show startup-config
Where Is The Configuration?
- Can also be stored in more permanent places:
  - On external hosts, using TFTP (Trivial File Transfer Protocol)
  - In flash memory in the router
- The copy command is used to move it around:
    copy run start
    copy run tftp
    copy start flash
    copy flash start
Router Access Modes
- User EXEC mode – limited examination of the router – Router>
- Privileged EXEC mode – detailed examination of the router, debugging, testing, file manipulation – Router#
- ROM Monitor – useful for password recovery and for uploading a new IOS
- Setup mode – entered when the router has no startup-config file
External Configuration Sources
- Console – direct PC serial access
- Auxiliary port – modem access
- Virtual terminals – Telnet access
- TFTP server – copy a configuration file into router RAM
- Network management software – CiscoWorks
Changing The Configuration
- Configuration statements can be entered interactively; changes are made (almost) immediately, to the running configuration. You can use:
  - a direct serial connection to the console port, or
  - Telnet to the vtys ("virtual terminals"), or
  - a modem connection to the aux port
- Or, the configuration can be edited in a text file and uploaded to the router later via TFTP: copy tftp start or config net
Logging Into The Router
- Connect to the router's console port, or telnet to the router:
    router>enable          (USER MODE PROMPT)
    password
    router#?               (PRIVILEGED MODE PROMPT)
- Configuring the router from the terminal (entering the commands directly):
    router# configure terminal
    router(config)#
Connecting Your FreeBSD Machine To The Router's Console Port
- Connect your machine to the console port using the rollover serial cable provided
- Look in /etc/remote to see the device configured for use with "tip"; at the end you will see a line beginning with com1
    bash$ tip com1 <enter>
    router>enable
    router#
Address Allocation
[Diagram: routers A to J hang off a common SWITCH on 81.199.108.0/28, numbered .1 to .10; each router is assigned its own /28, as listed below]
    A  (.1)   81.199.108.80/28
    B  (.2)   81.199.108.96/28
    C  (.3)   81.199.108.112/28
    D  (.4)   81.199.108.128/28
    E  (.5)   81.199.108.144/28
    F  (.6)   81.199.108.160/28
    G  (.7)   81.199.108.176/28
    H  (.8)   81.199.108.192/28
    I  (.9)   81.199.108.208/28
    J  (.10)  81.199.108.224/28
New Router Configuration Process
- Load configuration parameters into RAM
    Router#configure terminal
- Personalize the router identification
    Router(config)#hostname RouterA
- Assign access passwords
    RouterA(config)#line console 0
    RouterA(config-line)#password cisco
    RouterA(config-line)#login
New Router Configuration Process
- Configure interfaces
    RouterA(config)#interface ethernet 0/0
    RouterA(config-if)#ip address n.n m.m
    RouterA(config-if)#no shutdown
- Configure routing/routed protocols
- Save configuration parameters to NVRAM
    RouterA#copy running-config startup-config   (or write memory)
Router Prompts – How To Tell Where You Are On The Router
You can tell which area of the router's configuration you are in by looking at the router prompt:
    Router>                   – USER prompt mode
    Router#                   – PRIVILEGED EXEC prompt mode
    Router(config)#           – terminal configuration prompt
    Router(config-if)#        – interface configuration prompt
    Router(config-subif)#     – sub-interface configuration prompt
    Router(config-route-map)# – route-map configuration prompt
    Router(config-router)#    – router configuration prompt
    Router(config-line)#      – line configuration prompt
    rommon 1>                 – ROM Monitor mode
Configuring Your Router
- Set the enable password:
    router(config)# enable password t2@afnog
- If you look at your config file using "show running-config", you will see the enable password displayed in clear text; that is not safe, so you have to encrypt it:
    router(config)# service password-encryption
    router(config)# enable secret "your pswd"   (MD5 encryption)
- To configure an interface, go to the interface configuration prompt:
    router(config)# interface ethernet 0   (or 0/x)
    router(config-if)#
- Save your configuration:
    router#copy running-config startup-config   (or write memory)
Configuring Your Router
Configuration statements have different contexts:
- Global:
    enable password t2@afnog
- Interface:
    interface ethernet 0/0
     ip address n.n m.m
- Router:
    router ospf 1
     network n.n w.w area 0
- Line:
    line vty 0 4
Global Configuration
Global configuration statements are independent of any particular interface or routing protocol, e.g.:
    hostname track2-afnog
    enable password track2
    service password-encryption
    logging facility local0
    logging n.n
Global Configuration
- IP-specific global configuration statements:
    ip classless
    ip name-server n.n
- Static route creation:
    ip route n.n m.m g.g
  where n.n = network block, m.m = network mask denoting the block size, g.g = next-hop gateway that packets for the destination are sent to
The NO Command
Used to reverse or disable commands, e.g.:
    ip domain-lookup        /  no ip domain-lookup
    router ospf 1           /  no router ospf 1
    ip address 1.1 255.0    /  no ip address
Interface Configuration
- Interfaces are named by slot/type, e.g.:
    ethernet 0, ethernet 1, ... Ethernet 5/1
    Serial 0/0, serial 1 ... serial 3
- And can be abbreviated:
    ethernet 0  or  eth 0  or  e 0
    Serial 0/0  or  ser 0/0  or  s 0/0
Interface Configuration
- IP address and netmask configuration, using interface commands (interactive configuration example, showing prompts):
    router#configure terminal
    router(config)#interface e 0/0
    router(config-if)#ip address n.n m.m
    router(config-if)#no shutdown
    router(config-if)#^Z
    router#
Interface Configuration
- Administratively enable/disable the interface:
    router(config-if)#no shutdown
    router(config-if)#shutdown
- Description:
    router(config-if)#description ethernet link to admin building router
Global Configuration Commands
- Cisco global config should always include:
    ip classless
    ip subnet-zero
    no ip domain-lookup
- Cisco interface config should usually include:
    no shutdown
    no ip proxy-arp
    no ip redirects
Looking At The Configuration
- Use "show running-config" to see the current configuration
- Use "show startup-config" to see the configuration in NVRAM, which will be loaded the next time the router is rebooted or reloaded
Interactive Configuration
- Enter configuration mode using "configure term"
- The prompt gives a hint about where you are:
    router#configure term
    router(config)#ip classless
    router(config)#ip subnet-zero
    router(config)#int e 0/1
    router(config-if)#ip addr n.n m.m
    router(config-if)#no shut
    router(config-if)#^Z
Storing The Configuration On A Host
- Requires `tftpd' on a Unix host; the destination file must exist before the file is written, and must be world writable
- copy run tftp:
    router#copy run tftp
    Remote host []? n.n
    Name of configuration file to write [hostel-rtr-confg]? /usr/local/tftpd/hostel-rtr-confg
    Write file /usr/local/tftpd/hostel-rtr-confg on host n.n? [confirm]
    Building configuration...
    Writing /usr/local/tftpd/hostel-rtr-confg !![OK]
Restoring The Configuration From A Host
- Use 'tftp' to pull the file from the UNIX host, copying it to the running config or the startup config:
    router#copy tftp start
    Address of remote host [255.255.255.255]? n.n
    Name of configuration file [hostel-rtr-confg]?
    Configure using hostel-rtr-confg from n.n? [confirm]
    Loading hostel-rtr-confg from n.n (via Ethernet0/0): !
    [OK - 1005/128975 bytes]
    [OK]
    hostel-rtr# reload
Getting Online Help
- IOS has a built-in help facility; use "?" to get a list of possible configuration statements
- "?" after the prompt lists all possible commands:
    router#?
- "<partial command> ?" lists all possible subcommands, e.g.:
    router#show ?
    router#show ip ?
Getting Online Help
- "<partial command>?" shows all possible command completions:
    router#con?
    configure  connect
- This is different:
    hostel-rtr#conf ?
      memory             Configure from NVRAM
      network            Configure from a TFTP network host
      overwrite-network  Overwrite NV memory from TFTP network host
      terminal           Configure from the terminal
      <cr>
Getting Online Help
- This also works in configuration mode:
    router(config)#ip a?
    accounting-list  accounting-threshold  accounting-transits
    address-pool     alias                 as-path
    router(config)#int e 0/0
    router(config-if)#ip a?
    access-group  accounting  address
Getting Online Help
- You can "explore" a command to figure out the syntax:
    router(config-if)#ip addr ?
      A.B.C.D  IP address
    router(config-if)#ip addr n.n ?
      A.B.C.D  IP subnet mask
    router(config-if)#ip addr n.n m.m ?
      secondary  Make this IP address a secondary address
      <cr>
    router(config-if)#ip addr n.n m.m
    router(config-if)#
Getting Lazy Help
- The TAB character will complete a partial word:
    hostel-rtr(config)#int<TAB>
    hostel-rtr(config)#interface ethernet 0
    hostel-rtr(config-if)#ip add<TAB>
    hostel-rtr(config-if)#ip address ... n.n m.m
- Not really necessary; partial commands can be used:
    router#conf t
    router(config)#int e 0/0
    router(config-if)#ip addr n.n
Getting Lazy Online Help
- Command history
  - IOS maintains a short list of previously typed commands
  - up-arrow or '^p' recalls the previous command
  - down-arrow or '^n' recalls the next command
- Line editing
  - left-arrow, right-arrow move the cursor inside the command
  - '^d' or backspace deletes the character in front of the cursor
  - Ctrl-a takes you to the start of the line
  - Ctrl-e takes you to the end of the line
Connecting Your FreeBSD Machine To The Router's Console Port
- Look at your running configuration
- Configure an IP address for e 0/0 depending on your table; use n.n for table A, etc.
- Look at your running configuration and your startup configuration
- What difference is there, if any?
Deleting Your Router's Configuration
- To delete your router's configuration:
    Router#erase startup-config   (or Router#write erase)
    Router#reload
- The router will start up again, but in setup mode, since the startup-config file no longer exists
Using Access Control Lists
- Access Control Lists are used to implement security in routers:
  - a powerful tool for network control
  - filter packets flowing in or out of router interfaces
  - restrict network use by certain users or devices
  - deny or permit traffic
Rules Followed When Traffic Is Compared To An Access Control List
- Comparison is done in sequential order: line 1, line 2, line 3, etc.
- The packet is compared with the access list until a match is made; then NO further comparisons are made
- There is an implicit "deny" at the end of each access list; if a packet matches nothing in the access list, it is discarded
Using Access Control Lists
- Standard IP Access Lists (1 - 99)
  - simpler address specifications
  - generally permit or deny the entire protocol suite
- Extended IP Access Lists (100 - 199)
  - more complex address specification
  - generally permit or deny specific protocols
Access Control List Syntax
- Standard IP Access List configuration syntax:
    access-list access-list-number {permit | deny} source {source-mask}
    ip access-group access-list-number {in | out}
- Extended IP Access List configuration syntax:
    access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask}
    ip access-group access-list-number {in | out}
Where To Place Access Control Lists
- Place Standard IP access lists close to the destination
- Place Extended IP access lists close to the source of the traffic you want to manage
What Are Wild Card Masks
- Are used with access lists to specify a host, a network or part of a network
- To specify an address range, choose the next largest block size, e.g.:
  - to specify 34 hosts, you need a block size of 64
  - to specify 18 hosts, you need a block size of 32
  - to specify 2 hosts, you need a block size of 4
What Are Wild Card Masks
- Are used with the host/network address to tell the router the range of addresses to filter
- Examples:
  - to specify a host: 81.199.108.1 0.0.0.0
  - to specify a small subnet: 81.199.108.8 – 81.199.108.15 (would be a /29)
    - the block size is 8, and the wildcard is always one less than the block size
    - the Cisco access-list entry then becomes: 81.199.108.8 0.0.0.7
What Are Wild Card Masks
- Examples cont'd:
  - to specify all hosts on a Class C network: 81.199.108.0 0.0.0.255
What Are Wild Card Masks
- Shortcut method for a quick calculation of a network subnet to wildcard: 255 – {subnet-mask octet}
  - to create the wildcard mask for 81.199.108.160 255.255.255.240:
      81.199.108.160 0.0.0.15   {255 – 240}
  - to create the wildcard mask for 81.199.108.0 255.255.252.0:
      81.199.108.0 0.0.3.255
Access Control List Example
- Router(config)#access-list access-list-number {permit|deny} {test conditions}
- Router(config)#{protocol} access-group access-list-number
- e.g. check for the IP subnet 81.199.108.80 to 81.199.108.95:
    Address and wildcard mask: 81.199.108.80 0.0.0.15
    last octet of the address:  0101 0000   (80)
    last octet of the wildcard: 0000 1111   (15)
                                check ignore
Access Control List Example
- Wildcard bits indicate how to check the corresponding address bit:
  - 0 = check or match
  - 1 = ignore
- Matching any IP address: 0.0.0.0 255.255.255.255, or abbreviate the expression using the keyword any
- Matching a specific host: 81.199.108.8 0.0.0.0, or abbreviate the wildcard by writing the IP address preceded by the keyword host
Permit Telnet Access For My Network Only
    access-list 1 permit 81.199.108.192 0.0.0.15
    access-list 1 deny any
    line vty 0 4
     access-class 1 in
Standard IP Access Control Lists Example
Permit Only My Network
[Diagram: a router with interfaces E0, S0 and E1; hosts 81.199.108.1, 81.199.108.81 and 81.199.108.82 on the Ethernet sides; a non-81.199.108.0 network beyond S0]
    access-list 1 permit 81.199.108.80 0.0.0.15
    interface ethernet 0
     ip access-group 1 out
    interface ethernet 1
     ip access-group 1 out
Extended IP Access Control Lists Example
Deny FTP Access Through Interface E0
[Diagram: a router with interfaces E0, S0 and E1; hosts 81.199.108.10, 81.199.108.225 and 81.199.108.226 on the Ethernet sides; a non-81.199.108.0 network beyond S0]
    access-list 101 deny tcp 81.199.108.0 0.0.0.15 81.199.108.225 0.0.0.15 eq 21
    access-list 101 deny tcp 81.199.108.0 0.0.0.15 81.199.108.225 0.0.0.15 eq 20
    access-list 101 permit ip 81.199.108.225 0.0.0.15 0.0.0.0 255.255.255.255
    interface ethernet 0
     ip access-group 101 out
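The wildcard arithmetic on the preceding slides and the three matching rules (sequential comparison, first match wins, implicit deny) can be checked offline before a list goes on an interface. The following Python is an added example, not code from the slides or from Cisco: it implements the "255 minus the mask octet" shortcut, the block-size rule, bitwise wildcard matching, and a first-match evaluator loaded with access-list 1 and access-list 101 from the two example slides. The packet headers it tests are constructed, and only carry the fields an ACL looks at.

```python
"""Wildcard masks and first-match access-list evaluation (added example).

Models how IOS compares a packet against an access list: entries are tried in
order, the first match decides, and a packet matching nothing hits the
implicit deny. Not code from the slides or from Cisco.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_from_netmask(netmask: str) -> str:
    """Slide shortcut: each wildcard octet is 255 minus the subnet-mask octet."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def wildcard_for_hosts(n_hosts: int) -> int:
    """Last wildcard octet for n_hosts: the next power-of-two block strictly
    larger than n_hosts (room for network and broadcast addresses), minus one."""
    block = 1
    while block <= n_hosts:
        block *= 2
    return block - 1


def matches(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit'; a 1 bit means 'ignore'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(wildcard))
    return (a & ~ignore) == (b & ~ignore)


@dataclass
class Entry:
    """One access-list line. A standard list only sets action, src and src_wc."""
    action: str                       # "permit" or "deny"
    protocol: str = "ip"              # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # 0.0.0.0 255.255.255.255 == keyword any
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # "eq <port>" on the destination, if any


def evaluate(acl, pkt):
    """Return (action, index of the matching line), or ("deny", None) when the
    packet falls through to the implicit deny at the end of the list."""
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt["proto"]:
            continue
        if not matches(pkt["src"], e.src, e.src_wc):
            continue
        if not matches(pkt["dst"], e.dst, e.dst_wc):
            continue
        if e.dport is not None and pkt.get("dport") != e.dport:
            continue
        return e.action, i
    return "deny", None


# access-list 1 permit 81.199.108.80 0.0.0.15   (standard example slide)
ACL_1 = [Entry("permit", src="81.199.108.80", src_wc="0.0.0.15")]

# access-list 101 from the extended example slide
ACL_101 = [
    Entry("deny", "tcp", "81.199.108.0", "0.0.0.15", "81.199.108.225", "0.0.0.15", 21),
    Entry("deny", "tcp", "81.199.108.0", "0.0.0.15", "81.199.108.225", "0.0.0.15", 20),
    Entry("permit", "ip", "81.199.108.225", "0.0.0.15"),
]


def packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> dict:
    """Constructed packet header with just the fields an ACL inspects."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.240"))                       # 0.0.0.15
    print(evaluate(ACL_1, packet("ip", "81.199.108.81", "10.0.0.1")))    # ('permit', 0)
    print(evaluate(ACL_1, packet("ip", "81.199.108.1", "10.0.0.1")))     # ('deny', None)
    # The only permit line in 101 covers sources in 81.199.108.224/28, so web
    # traffic from 81.199.108.10 is dropped by the implicit deny as well.
    print(evaluate(ACL_101, packet("tcp", "81.199.108.10", "81.199.108.226", 80)))
```

The last call is the kind of check worth running before applying a list outbound on an interface: access-list 101 only permits sources in the 81.199.108.224/28 block, so a packet from 81.199.108.10 to port 80 matches neither deny line and is still discarded by the implicit deny.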
Prefix Lists
- Cisco first introduced prefix lists in IOS 12.0+
- Generally used to filter routes, and can be combined with route maps for route filtering and manipulation
- Are more scalable and flexible than access control lists and distribute lists
- Unlike access control lists, you don't have to delete the entire list when adding or deleting entries
- Prefix lists use sequence numbers to make this possible
- Prefix lists scale as the network grows
Prefix Lists
- Prefix lists have an implicit "deny" at the end of them, like access control lists
- Are quicker to process than regular access control lists
- If you do have IOS 12.0+, it is a better idea to use prefix lists rather than distribute or access lists for route filtering and manipulation
Prefix List Configuration Syntax
- Prefix list configuration syntax:
    config t
    ip prefix-list list-name {seq seq-value} {permit|deny} network/len {ge ge-value} {le le-value}
  - list-name – name to use for the prefix list
  - seq-value – numeric value of the sequence; optional
  - network/len – network address in CIDR notation
Prefix List Configuration Syntax
- Prefix list configuration syntax (cont'd):
  - ge-value – "from" value of the range; matches equal or longer prefixes (more bits in the prefix, smaller blocks of address space)
  - le-value – "to" value of the range; matches equal or shorter prefixes (fewer bits in the prefix, bigger blocks of address space)
Prefix List Configuration Example
- Prefix list configuration example:
    ip prefix-list t2afnog seq 10 deny 81.199.108.192/28
- To accept prefixes with a prefix length of /8 up to /24:
    ip prefix-list test1 seq 5 permit 81.0.0.0/0 ge 8 le 24
- To deny prefixes with a mask of /25 or longer in 81.199.108.0/24:
    ip prefix-list test2 seq 10 deny 81.199.108.0/24 ge 25
Prefix List Configuration Example
- To allow all routes:
    ip prefix-list test3 seq 15 permit 0.0.0.0/0 le 32
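The ge/le semantics on the syntax slides are easy to get backwards, and a wrong window silently turns a filter into the implicit deny. The following Python is an added example, not code from the slides or from Cisco: it parses lines in the slide's "ip prefix-list NAME seq N permit|deny net/len [ge X] [le Y]" form and evaluates a route the way the slides describe (lowest sequence number first, first match wins, implicit deny otherwise). The prefix-list lines it loads are the ones on the slides, plus one constructed catch-all entry for test2; the length-window rule without ge/le (exact length), with ge only (ge..32) and with le only (len..le) is the standard IOS interpretation.

```python
"""Prefix-list matching with seq / ge / le (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str            # "permit" or "deny"
    network: str           # CIDR notation, e.g. "81.199.108.0/24"
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_prefix_list_line(line: str) -> Tuple[str, PrefixEntry]:
    """'ip prefix-list test1 seq 5 permit 81.0.0.0/0 ge 8 le 24' -> (name, entry)."""
    tokens = line.split()
    if tokens[:2] != ["ip", "prefix-list"]:
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, pos, seq = tokens[2], 3, 0
    if tokens[pos] == "seq":          # seq is optional on the slide's syntax
        seq = int(tokens[pos + 1])
        pos += 2
    action, network = tokens[pos], tokens[pos + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    ge = le = None
    rest = tokens[pos + 2:]
    for i in range(0, len(rest), 2):
        if rest[i] == "ge":
            ge = int(rest[i + 1])
        elif rest[i] == "le":
            le = int(rest[i + 1])
        else:
            raise ValueError(f"unexpected token {rest[i]!r}")
    return name, PrefixEntry(seq, action, network, ge, le)


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    """The route must lie inside the entry's network and its length must fall
    in the ge/le window."""
    # strict=False masks host bits, so the slide's 81.0.0.0/0 behaves as 0.0.0.0/0
    net = ipaddress.ip_network(entry.network, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    if not r.subnet_of(net):
        return False
    low = entry.ge if entry.ge is not None else net.prefixlen
    if entry.le is not None:
        high = entry.le
    elif entry.ge is not None:
        high = net.max_prefixlen      # ge alone: ge .. 32
    else:
        high = net.prefixlen          # neither: exact length only
    return low <= r.prefixlen <= high


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching entry), or ("deny", None) for the implicit deny."""
    for e in sorted(entries, key=lambda e: e.seq):
        if entry_matches(e, route):
            return e.action, e.seq
    return "deny", None


def build(lines: List[str]) -> Dict[str, List[PrefixEntry]]:
    """Group parsed configuration lines by prefix-list name."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in lines:
        name, entry = parse_prefix_list_line(line)
        lists.setdefault(name, []).append(entry)
    return lists


# The slides' own lines; the test2 seq 20 catch-all is constructed for the demo.
CONFIG = [
    "ip prefix-list t2afnog seq 10 deny 81.199.108.192/28",
    "ip prefix-list test1 seq 5 permit 81.0.0.0/0 ge 8 le 24",
    "ip prefix-list test2 seq 10 deny 81.199.108.0/24 ge 25",
    "ip prefix-list test2 seq 20 permit 0.0.0.0/0 le 32",
    "ip prefix-list test3 seq 15 permit 0.0.0.0/0 le 32",
]
LISTS = build(CONFIG)

if __name__ == "__main__":
    for name, entries in LISTS.items():
        for route in ("81.199.108.192/28", "81.199.108.0/24", "10.0.0.0/8", "0.0.0.0/0"):
            print(f"{name:8} {route:18} -> {evaluate_prefix_list(entries, route)}")
```

Note what t2afnog does on its own: it rejects exactly 81.199.108.192/28 and nothing else, but because a prefix list ends in an implicit deny, every other route is rejected too until a permit entry is added; that is what the test2 seq 20 line is for.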
Disaster Recovery – ROM Monitor
- ROM Monitor is very helpful in recovering from emergency failures such as:
  - Password recovery
  - Uploading a new IOS into a router with NO IOS installed
  - Selecting a boot source and default boot filename
  - Setting the console terminal baud rate to upload a new IOS more quickly
  - Loading operating software from ROM
  - Enabling booting from a TFTP server
Disaster Recovery – ROM Monitor
- How to get the router into ROM Monitor mode:
  - Windows, using HyperTerminal for the console session: Ctrl-Break
  - FreeBSD/UNIX, using tip for the console session: <Enter>, then ~#  OR  Ctrl-], then Break or Ctrl-C
  - Linux, using Minicom for the console session: Ctrl-A F
Disaster Recovery – How To Recover A Lost Password
- Connect your PC's serial port to the router's console port
- Configure your PC's serial port:
    9600 baud rate
    No parity
    8 data bits
    1 stop bit
    No flow control
Disaster Recovery – How To Recover A Lost Password
- Your configuration register should be 0x2102; use the "show version" command to check
- Reboot the router and apply the Break sequence within 60 seconds of powering on the router, to put it into ROMMON mode:
    rommon 1>confreg 0x2142
    rommon 2>reset
- The router reboots, bypassing the startup-config file
Disaster Recovery – How To Recover A Lost Password
- Type Ctrl-C to exit Setup mode
    Router>enable
    Router#conf m                      (or copy start run; this direction only!!!)
    Router#show running                (or write terminal)
    Router#conf t
    Router(config)#enable secret forgotten
    Router(config)#int e 0/0…
    Router(config-if)#no shut
    Router(config)#config-register 0x2102
    Router(config)#Ctrl-Z              (or end)
    Router#copy run start              (or write memory)
    Router#reload
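The recovery procedure above hinges on the two register values 0x2102 and 0x2142 differing in a single bit. The following Python is an added example, not code from the slides or from Cisco: it decodes the fields of the 16-bit configuration register that the slides rely on (the boot field in bits 0-3, "ignore NVRAM contents" in bit 6, "Break disabled" in bit 8, the console speed in bits 11-12, and bit 13 for falling back to ROM software when a network boot fails) using the bit assignments Cisco documents for the register, and shows which bits a given change touches. Bits the slides do not mention are left undecoded.

```python
"""Decoding the Cisco configuration register (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List

BOOT_FIELD_MASK = 0x000F        # bits 0-3: boot field
IGNORE_NVRAM = 0x0040           # bit 6: ignore NVRAM contents (skip startup-config)
BREAK_DISABLED = 0x0100         # bit 8: Break ignored once IOS is up
CONSOLE_BAUD_MASK = 0x1800      # bits 11-12: console line speed
ROM_ON_NETBOOT_FAIL = 0x2000    # bit 13: boot default ROM software if netboot fails

# (bit 12, bit 11) -> console speed; 00 is the 9600 baud the recovery slide assumes
BAUD = {0b00: 9600, 0b01: 4800, 0b10: 1200, 0b11: 2400}

FLAG_NAMES = [
    (IGNORE_NVRAM, "ignore NVRAM contents"),
    (BREAK_DISABLED, "Break disabled"),
    (ROM_ON_NETBOOT_FAIL, "boot ROM software if network boot fails"),
]


@dataclass(frozen=True)
class ConfigRegister:
    value: int

    @property
    def boot_field(self) -> int:
        return self.value & BOOT_FIELD_MASK

    @property
    def boot_source(self) -> str:
        f = self.boot_field
        if f == 0x0:
            return "stay in ROM Monitor (rommon)"
        if f == 0x1:
            return "boot the helper image (Mini-IOS/RXBOOT on older routers, first flash image on newer ones)"
        return "process boot system commands in startup-config, else first image in flash"

    @property
    def ignore_nvram(self) -> bool:
        return bool(self.value & IGNORE_NVRAM)

    @property
    def break_disabled(self) -> bool:
        return bool(self.value & BREAK_DISABLED)

    @property
    def console_baud(self) -> int:
        return BAUD[(self.value & CONSOLE_BAUD_MASK) >> 11]

    def with_ignore_nvram(self, ignore: bool) -> "ConfigRegister":
        """The value written by 'confreg 0x2142' (ignore=True) and by
        'config-register 0x2102' afterwards (ignore=False)."""
        if ignore:
            return ConfigRegister(self.value | IGNORE_NVRAM)
        return ConfigRegister(self.value & ~IGNORE_NVRAM & 0xFFFF)

    def describe(self) -> List[str]:
        lines = [f"config-register 0x{self.value:04X}",
                 f"  boot field 0x{self.boot_field:X}: {self.boot_source}",
                 f"  console speed: {self.console_baud} baud"]
        for mask, name in FLAG_NAMES:
            lines.append(f"  {name}: {'yes' if self.value & mask else 'no'}")
        return lines


def changed_flags(old: int, new: int) -> List[str]:
    """Names of the decoded flag bits that differ between two register values."""
    diff = old ^ new
    return [name for mask, name in FLAG_NAMES if diff & mask]


if __name__ == "__main__":
    normal = ConfigRegister(0x2102)
    recovery = normal.with_ignore_nvram(True)
    print("\n".join(normal.describe()))
    print("\n".join(recovery.describe()))
    # Only bit 6 changes, which is why startup-config is skipped on the next boot.
    print(changed_flags(normal.value, recovery.value))    # ['ignore NVRAM contents']
```

Two practical points follow from the decoding: with 0x2102 the Break flag is set, so the console Break is honoured only during the first 60 seconds after power-on, which is why the slide says to send it within 60 seconds; and the final "config-register 0x2102" step must not be skipped, since a router left at 0x2142 will ignore its saved configuration on every reload.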
Using TFTP To Manage Your Router's Software
- Enable TFTP on your FreeBSD machine:
    # vi /etc/inetd.conf                 (uncomment the #tftp line)
    # killall -HUP inetd                 (restart inetd and load tftpd)
    # netstat -an                        (check that the TFTP port is bound)
    # touch /tftpboot/cisco-router       (create the router data file for TFTP)
    # chmod 666 /tftpboot/cisco-router   (make the data file world writable)
Using TFTP To Manage Your Router's Software
- Your router's configuration:
    Router#copy start tftp
    Router#copy tftp start
    Router#copy flash tftp
    Router#copy tftp flash
    Router#copy run tftp
END