Week 14-15 - Initial Routing Configuration PDF

Summary

This document provides notes on initial router configuration, covering topics such as router components, system startup, configuration, access modes, and more, in a lecture format.

Full Transcript

WEEK 14
(INITIAL ROUTING CONFIGURATION)

NET 102 -NETWORKING 2
 Explain how to configure router in a network
Understand how to configure and set routing in
a network.
Should be able to familiarized the command
used for routing

2
NETWORKING102 -
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Components
Bootstrap – stored in ROM microcode – brings router up during initialisation,
boots router and loads the IOS.
POST – Power On Self Test - stored in ROM microcode – checks for basic
functionality of router hardware and determines which interfaces are present
ROM Monitor – stored in ROM microcode – used for manufacturing, testing
and troubleshooting
Mini-IOS – a.k.a RXBOOT/boot loader by Cisco – small IOS ROM used to bring
up an interface and load a Cisco IOS into flash memory from a TFTP server; can
also perform a few other operations
3
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Components
Bootstrap – stored in ROM microcode – brings router up during initialisation,
boots router and loads the IOS.
POST – Power On Self Test - stored in ROM microcode – checks for basic
functionality of router hardware and determines which interfaces are present
ROM Monitor – stored in ROM microcode – used for manufacturing, testing
and troubleshooting
Mini-IOS – a.k.a RXBOOT/boot loader by Cisco – small IOS ROM used to bring
up an interface and load a Cisco IOS into flash memory from a TFTP server; can
also perform a few other operations
4
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Components
Config-Register
controls how router boots;
value can be seen with “show version” command;
is typically 0x2102, which tells the router to load the IOS from flash memory
and the startup-config file from NVRAM

5
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Purpose of the Config Register
Reasons why you would want to modify the config-register:
Force the router into ROM Monitor Mode
Select a boot source and default boot filename
Enable/Disable the Break function
Control broadcast addresses
Set console terminal baud rate
Load operating software from ROM
Enable booting from a TFTP server

6
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

System Startup
POST – loaded from ROM and runs diagnostics on all router hardware
Bootstrap – locates and loads the IOS image; default setting is to load
the IOS from flash memory
IOS – locates and loads a valid configuration from NVRAM; file is
called startup-config; only exists if you copy the
running-config to NVRAM
startup-config – if found, router loads it and runs embedded
configuration; if not found, router enters setup mode

7
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Overview
Router configuration controls the operation of the router’s:
Interface IP address and netmask
Routing information (static, dynamic or default)
Boot and startup information
Security (passwords and authentication)

8
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Where is the Configuration?
Router always has two configurations:
Running configuration
In RAM, determines how the router is currently operating
Is modified using the configure command
To see it: show running-config
Startup confguration
In NVRAM, determines how the router will operate after next reload
Is modified using the copy command
To see it: show startup-config

9
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Where is the Configuration?
Can also be stored in more permanent places:
External hosts, using TFTP (Trivial File Transfer Protocol)
In flash memory in the router
Copy command is used to move it around
copy run start copy run tftp
copy start tftp copy tftp start
copy flash start copy start flash
10
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Access Modes
User EXEC mode – limited examination of router
Router>
Privileged EXEC mode – detailed examination of router, debugging,
testing, file manipulation (router prompt changes to an octothorp)
Router#
ROM Monitor – useful for password recovery & new IOS upload
session
Setup Mode – available when router has no startup-config file

11
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

External Configuration Sources
Console
Direct PC serial access
Auxiliary port
Modem access
Virtual terminals
Telnet/SSH access
TFTP Server
Copy configuration file into router RAM
Network Management Software
e.g. CiscoWorks
12
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Changing the Configuration
Configuration statements can be entered interactively
changes are made (almost) immediately, to the running
configuration
Can use direct serial connection to console port, or
Telnet/SSH to vty’s (“virtual terminals”), or
Modem connection to aux port, or
Edited in a text file and uploaded to the router at a later time via tftp;
copy tftp start or config net

13
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Logging into the Router
Connect router to console port or telnet to router
router>
router>enable
password
router#
router#?
Configuring the router
Terminal (entering the commands directly)
router# configure terminal
router(config)#
14
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Connecting your FreeBSD Machine to the
Router’s Console Port
Connect your machine to the console port using the rollover serial
cable provide
Go to /etc/remote to see the device configured to be used with "tip”.
you will see at the end, a line begin with com1

bash$ tip com1
router>
router>enable
router#

15
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Address Assignments SWITCH.1.2
A B
196.200.220.16/2 196.200.220.32/2
8 8

196.200.220.0/2.3.4
C D
196.200.220.48/2 196.200.220.64/2
8 8.5.6
E F
196.200.220.80/2 196.200.220.96/2
8 8.7.8
G H

8
196.200.220.112/ 196.200.220.128/
28 28.9.10
I J
196.200.220.144/ 196.200.220.160/
28 28

16
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

New Router Configuration Process
Load configuration parameters into RAM
Router#configure terminal
Personalize router identification
Router#(config)hostname RouterA
Assign access passwords
RouterA#(config)line console 0
RouterA#(config-line)password cisco
RouterA#(config-line)login

17
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

New Router Configuration Process
Configure interfaces
RouterA#(config)interface ethernet 0/0
RouterA#(config-if)ip address n.n.n.n m.m.m.m
RouterA#(config-if)no shutdown
Configure routing/routed protocols
Save configuration parameters to NVRAM
RouterA#copy running-config startup-config
(or write memory)

18
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Prompts – How to tell where you are on
the router
You can tell in which area of the router’s configuration you are by
looking at the router prompts:
Router> – USER prompt mode
Router# – PRIVILEGED EXEC prompt mode
Router(config) – terminal configuration prompt
Router(config-if) – interface configuration prompt
Router(config-subif) – sub-interface configuration
prompt

19
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Router Prompts – How to tell where you are on
the router
You can tell in which area of the router’s configuration you are by
looking at the router prompts:
Router(config-route-map)# – route-map configuration
prompt
Router(config-router)# – router configuration prompt
Router(config-line)# – line configuration prompt
rommon 1> - ROM Monitor mode

20
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Configuring your Router
Set the enable (secret) password:
router(config)# enable secret “your pswd”
This MD5 encrypts the password
The old method was to use the enable password command.
But this is not secure (weak encryption) and is ABSOLUTELY NOT
RECOMMENDED. DO NOT USE!
Ensure that all passwords stored on router are (weakly) encrypted
rather than clear text:
router(config)# service password-encryption
21
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Configuring your Router
To configure interface you should go to interface configuration
prompt
router(config)# interface ethernet0 (or 0/x)
router(config-if)#
Save your configuration
router#copy running-config startup-config
(or write memory)

22
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Configuring your Router
Global:
enable secret e2@fnog
Interface:
interface ethernet 0/0
ip address n.n.n.n m.m.m.m
Router:
router ospf 1
network n.n.n.n w.w.w.w area 0
Line:
line vty 0 4
23
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Global Configuration
Global configuration statements are independent of any particular
interface or routing protocol, e.g.:

hostname e2-@fnog
enable secret tracke2
service password-encryption
logging facility local0
logging n.n.n.n

24
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Global Configuration
IP specific global configuration statements:
ip classless
ip name-server n.n.n.n
Static Route Creation
ip route n.n.n.n m.m.m.m g.g.g.g
n.n.n.n = network block
m.m.m.m = network mask denoting block size
g.g.g.g = next hop gateway destination packets are sent to

25
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

The NO Command
Used to reverse or disable commands e.g
ip domain-lookup
no ip domain-lookup

router ospf 1
no router ospf 1

ip address 1.1.1.1 255.255.255.0
no ip address

26
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Interface Configuration
Interfaces are named by slot/type; e.g.:
ethernet0, ethernet1,... Ethernet5/1
Serial0/0, serial1... serial3
And can be abbreviated:
ethernet0 or eth0 or e0
Serial0/0 or ser0/0 or s0/0

27
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Interface Configuration
Administratively enable/disable the interface
router(config-if)#no shutdown
router(config-if)#shutdown

Description
router(config-if)#description ethernet link to
admin building router

28
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Global Configuration Commands
Cisco global config should always include:
ip classless
ip subnet-zero
no ip domain-lookup
Cisco interface config should usually include:
no shutdown
no ip proxy-arp
no ip redirects

29
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Looking at the Configuration
Use “show running-configuration” to see the current
configuration

Use “show startup-configuration” to see the
configuration in NVRAM, that will be loaded the next time the router
is rebooted or reloaded

30
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Interactive Configuration
Enter configuration mode, using “configure terminal”
Often abbreviated to “conf t”
Prompt gives a hint about where you are:
router#configure terminal
router(config)#ip classless
router(config)#ip subnet-zero
router(config)#int e0/1
router(config-if)#ip addr n.n.n.n m.m.m.m
router(config-if)#no shut
router(config-if)#^Z
31
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Storing the Configuration on a Remote System
Requires: ‘tftpd’ on a unix host; destination file must exist before the file is
written and must be world writable...

router#copy run tftp
Remote host []? n.n.n.n
Name of configuration file to write
[hoste2-rtr-confg]? hoste2-rtr-confg
Write file hoste2-rtr-confg on Host n.n.n.n? [confirm]
Building configuration...

Writing hoste2-rtr-confg !![OK]
router#
32
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Restoring the Configuration from a Remote
System
Use ‘tftp’ to pull file from UNIX host, copying to running config or startup
router#copy tftp start
Address of remote host [255.255.255.255]? n.n.n.n
Name of configuration file [hoste2-rtr-confg]?
Configure using hostel-rtr-confg from n.n.n.n?
[confirm]
Loading hoste2-rtr-confg from n.n.n.n (via
Ethernet0/0): !
[OK - 1005/128975 bytes]
[OK]
hoste2-rtr# reload
33
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Online Help
IOS has a built-in help facility;
use “?” to get a list of possible configuration statements
“?” after the prompt lists all possible commands:
router#?
“ ?” lists all possible subcommands, e.g.:
router#show ?
router#show ip ?

34
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Online Help
“?” shows all possible command completions
router#con?
configure connect
This is different:
hostel-rtr#conf ?
memory Configure from NVRAM
network Configure from a TFTP network host
overwrite-network Overwrite NV memory from TFTP...
network host
terminal Configure from the terminal

35
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Online Help
This also works in configuration mode:
router(config)#ip a?
accounting-list accounting-threshold
accounting-transits address-pool
alias as-path

router(config)#int e0/0
router(config-if)#ip a?
access-group accounting address

36
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Online Help
Can “explore” a command to figure out the syntax:
router(config-if)#ip addr ?
A.B.C.D IP address
router(config-if)#ip addr n.n.n.n ?
A.B.C.D IP subnet mask
router(config-if)#ip addr n.n.n.n m.m.m.m ?
secondary Make this IP address a secondary address

router(config-if)#ip addr n.n.n.n m.m.m.m
router(config-if)#
37
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Lazy Online Help
TAB character will complete a partial word
hostel-rtr(config)#int
hostel-rtr(config)#interface et
hostel-rtr(config)#interface ethernet 0
hostel-rtr(config-if)#ip add
hostel-rtr(config-if)#ip address n.n.n.n m.m.m.m

Not really necessary; partial commands can be used:
router#conf t
router(config)#int e0/0
router(config-if)#ip addr n.n.n.n
38
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Getting Lazy Online Help
Command history
IOS maintains short list of previously typed commands
up-arrow or ‘^p’ recalls previous command
down-arrow or ‘^n’ recalls next command
Line editing
left-arrow, right-arrow moves cursor inside command
‘^d’ or backspace will delete character in front of cursor
Ctrl-a takes you to start of line
Ctrl-e takes you to end of line
39
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Connecting your FreeBSD machine to the
Router’s Console port
Look at your running configuration
Configure an IP address for e0/0 depending on your table
use n.n.n.n for table A etc
Look at your running configuration and your startup configuration
Check what difference there is, if any

40
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Deleting your Router’s Configuration
To delete your router’s configuration

Router#erase startup-config
OR
Router#write erase
Router#reload

Router will start up again, but in setup mode, since startup-config
file does not exists

41
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Using Access Control Lists (ACLs)
Access Control Lists used to implement security in routers
powerful tool for network control
filter packets flow in or out of router interfaces
restrict network use by certain users or devices
deny or permit traffic

42
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Rules followed when comparing traffic with an
ACL
Is done in sequential order; line 1, line 2, line 3 etc
Is done in the direction indicated by the keyword in or out
Is compared with the access list until a match is made; then NO
further comparisons are made
There is an implicit “deny” at the end of each access list; if a packet
does not match in the access list, it will be discarded

43
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Using ACLs
Standard IP Access Lists
ranges (1 - 99) & (1300-1999)
simpler address specifications
generally permits or denies entire protocol suite
Extended IP Access Lists
ranges (100 - 199) & (2000-2699)
more complex address specification
generally permits or denies specific protocols
There are also named access-lists
Standard
Extended
44
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

ACL Syntax
Standard IP Access List Configuration Syntax
access-list access-list-number {permit | deny}
source {source-mask}
ip access-group access-list-number {in | out}
Extended IP Access List Configuration Syntax
access-list access-list-number {permit | deny}
protocol source {source-mask} destination
{destination-mask}
ip access-group access-list-number {in | out}
Named IP Access List Configuration Syntax
ip access-list {standard | extended} {name | number}
45
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Where to place ACLs
Place Standard IP access list close to destination
Place Extended IP access lists close to the source of the traffic you
want to manage

46
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

What are Wild Card Masks?
Are used with access lists to specify a host, network or part of a
network
To specify an address range, choose the next largest block size e.g.

to specify 34 hosts, you need a 64 block size
to specify 18 hosts, you need a 32 block size
to specify 2 hosts, you need a 4 block size

47
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

What are Wild Card Masks?
Are used with the host/network address to tell the router a range of addresses to
filter
Examples:
To specify a host:
196.200.220.1 0.0.0.0
To specify a small subnet:
196.200.220.8 – 196.200.220.15 (would be a /29)
Block size is 8, and wildcard is always one number less than the block size
Cisco access list then becomes 196.200.220.8 0.0.0.7
To specify all hosts on a /24 network:
196.200.220.0 0.0.0.255
48
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

What are Wild Card Masks?
Short cut method to a quick calculation of a network subnet to
wildcard:
255 – {netmask bits on subnet mask}
Examples:
to create wild card mask for 196.200.220.160 255.255.255.240
196.200.220.160 0.0.0.15 {255 – 240}
to create wild card mask for 196.200.220.0 255.255.252.0
196.200.220.0 0.0.3.255

49
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

ACL Example
Router(config)#access-list
{permit|deny} {test conditions}
Router(config)#int eth0/0
Router(config-if)#{protocol} access-group

e.g check for IP subnets 196.200.220.80 to 196.200.220.95
196.200.220.80 0.0.0.15

50
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

ACL Example
Wildcard bits indicate how to check corresponding address bit
0=check or match
1=ignore
Matching Any IP Address
0.0.0.0 255.255.255.255
or abbreviate the expression using the keyword any
Matching a specific host
196.200.220.8 0.0.0.0
or abbreviate the wildcard using the IP address preceded by the
keyword host
51
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Permit telnet access only for my network
access-list 1 permit 196.200.220.192 0.0.0.15
access-list 1 deny any
line vty 0 4
access-class 1 in

52
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Standard IP ACLs
Permit only my network

53
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION

Extended IP ACLs:
Deny FTP access through Interface E1

54
NET102 -NETWORKING 2
 Cisco
WEEK first
14-15 - INITIAL ROUTING CONFIGURATION
introduced prefix
Prefix
lists in Lists
IOS 12.0
Used to filter
routes, and can
be combined
with route maps
for route filtering
and manipulation
Provide much
higher
performance
than access
control lists and
distribute lists 55
NET102
Are -NETWORKING
much easier 2
 Prefix
WEEKlists have
14-15 - INITIAL ROUTING CONFIGURATION
an implicit “deny”
at the Prefix
end ofLists
them, like access
control lists
Are quicker to
process than
regular access
control lists
If you do have
IOS 12.0 or later,
it is STRONGLY
RECOMMENDED
to use prefix lists
rather than
access lists for 56
route filtering 2
NET102 -NETWORKING
 Prefix
WEEK list14-15 - INITIAL ROUTING CONFIGURATION
configuration
syntax
Prefix List Configuration Syntax

config t
ip
prefix-lis
t
list-name
{seq
seq-value}
{permit|de
ny}
network/le
n {ge
ge-value}
{le
le-value} 57
NET102 -NETWORKING 2
 Prefix
WEEKlist14-15 - INITIAL ROUTING CONFIGURATION
configuration
Prefix List Configuration Syntax
Syntax

ge-value –
“from” value
of range;
matches equal
or longer
prefixes (more
bits in the
prefix, smaller
blocks of
address space)

le-value – 58
“to”
NET102 value of 2
-NETWORKING
 To deny a single /28
WEEK 14-15 - INITIAL ROUTING CONFIGURATION
prefix:
ip Prefix List Configuration Example
prefix-list
t2afnog seq
5 deny
196.200.220.192/28
To accept prefixes
with a prefix length
of /8 up to /24:
ip
prefix-list
test1 seq 5
permit
196.0.0.0/8
le 24
To deny prefixes
59
with a mask
NET102 greater 2
-NETWORKING
 ROM
WEEK Monitor
14-15 -isINITIAL ROUTING CONFIGURATION
very helpful in
Disaster
recovering fromRecovery – ROM Monitor
emergency
failures such as:
Password
recovery
Upload new
IOS into router
with NO IOS
installed
Selecting a
boot source
and default
boot filename
Set console 60
terminal
NET102 baud2
-NETWORKING
 Windows
WEEK 14-15using- INITIAL ROUTING CONFIGURATION
HyperTerminal
Getting
for the consoleto the ROM Monitor
session
Ctrl-Break

FreeBSD/UNIX
using Tip for the
console session
, then
~# OR
Ctrl-], then
Break or Ctrl-C

Linux using 61
Minicom for the 2
NET102 -NETWORKING
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION
Disaster Recovery:
How to Recover a Lost Password

Connect your PC’s serial port to the router’s console port
Configure your PC’s serial port:

9600 baud rate
No parity
8 data bits
1 stop bit
No flow control

62
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION
Disaster Recovery:
How to Recover a Lost Password

Your configuration register should be 0x2102; use “show
version” command to check
Reboot the router and apply the Break-sequence within 60 seconds
of powering the router, to put it into ROMMON mode

Rommon 1>confreg 0x2142
Rommon 2>reset

Router reboots, bypassing startup-config file
63
NET102 -NETWORKING 2
 WEEK 14-15 - INITIAL ROUTING CONFIGURATION
Disaster Recovery:
How to Recover a Lost Password

Type Ctrl-C to exit Setup mode
Router>enable
Router#conf m OR copy start run (only!!!)
Router#show running OR write terminal
Router#conf t
Router(config)enable secret forgotten
Router(config)int e0/0…
Router(config-if)no shut
Router(config)config-register 0x2102
Router(config)Ctrl-Z or end
Router#copy run start OR write memory
Router#reload
64
NET102 -NETWORKING 2
65