Configuring IPX/SPX

Much like my prior article on Configuring TCP/IP, the process for configuring IPX/SPX on a cisco router is pretty much the same thing.

The first big ‘gottcha’ in the world of IPX is that it supports multiple frame types.  This winds up leading to all kinds of troubles when various people setup various servers.  It is inevitable that people pick their own and incompatible frame type.  The only to ‘fix’ this is for everyone to be on the same type.  I have heard of people using different frame types for different environments, much like using 802.1q (trunking) to separate various peoples traffic who do not want to see each-others resources.  But back when IPX was prevalent, people were still using HUBS which mirror all traffic, and primitive layer two switching at best.  Not to mention with the advent of Netware 4, you could have virtual NIC’s in the server and workstations, and bind to all possible frame types.

Things got messy, and quick.

But I digress, for this example I’m going to use the ‘default’ frame type of ETHERNET_802.2 or SAP is cisco speak.  Mostly because I don’t feel like fully configuring the MS-DOS client I managed to dig up, and mostly because at this point (2013) I really don’t care what frame type I use.

I’m going to setup the following IPX networks:

WAN C0000001
SERVER C0010001
USER C0010002

The first step is to enable the ipx protocol on the router.  This is done with the ‘ipx routing’ command.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#ipx routing
corertr1(config)#exit
corertr1#

Now the IPX protocol is enabled.  The next step is to configure the ethernet interfaces.  This is pretty straightfoward, we put in the network numbers, and assign the correct frame types.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#int eth1/0
corertr1(config-if)#ipx encapsulation SAP
corertr1(config-if)#ipx network c0010001
corertr1(config-if)#exit
corertr1(config)#int eth1/1
corertr1(config-if)#ipx encapsulation SAP
corertr1(config-if)#ipx network c0010002
corertr1(config-if)#exit
corertr1(config)#int fa0/0
corertr1(config-if)#ipx network c0000001
corertr1(config-if)#ipx encapsulation SAP
corertr1(config-if)#exit
corertr1(config)#exit
corertr1#

Now we can quickly check the interfaces that IPX is running on with the ‘show ipx interface brief’ command.  You should get something like this:

corertr1#show ipx interface brief
Interface IPX Network Encapsulation Status IPX State
FastEthernet0/0 C0000001 SAP up [up]
FastEthernet0/1 unassigned not config’d admin down n/a
Ethernet1/0 C0010001 SAP up [up]
Ethernet1/1 C0010002 SAP up [up]
Ethernet1/2 unassigned not config’d admin down n/a
Ethernet1/3 unassigned not config’d admin down n/a
Ethernet1/4 unassigned not config’d admin down n/a
Ethernet1/5 unassigned not config’d admin down n/a
Ethernet1/6 unassigned not config’d admin down n/a
Ethernet1/7 unassigned not config’d admin down n/a

So far, so good.  Now the next question is, does the router see the server?  And what kind of services are available on the network?  This can be found with the ‘sho ipx servers’ command.

corertr1#sho ipx servers
Codes: S – Static, P – Periodic, E – EIGRP, N – NLSP, H – Holddown, + = detail
U – Per-user static
3 Total IPX Servers

Table ordering is based on routing and server info

Type Name Net Address Port Route Hops Itf
P 4 FPNWDC_NW DEAD0001.0000.0000.0001:0451 2/01 1 Et1/0
P 444 VIRTUALLYFUN!FPNWDC DEAD0001.0000.0000.0001:84C8 2/01 1 Et1/0
P 640 FPNWDC DEAD0001.0000.0000.0001:E885 2/01 1 Et1/0

Everything is looking good!  As you can see my virtual Netware server (FPNW on NT 4.0) is type 4, and called FPNWDC_NW.  SAP types 444 and 640 are for Windows NT, with 444 being the NetBIOS Browser/Domain control service.

IPX is a rather chatty protocol, and it is easy for things to go wrong.  Another fun command is ‘show ipx traffic’ which will let you get some idea of what kind of chat is going on.

corertr1#show ipx traffic
System Traffic for 0.0000.0000.0001 System-Name: corertr1
Time since last clear: never
Rcvd: 149 total, 34 format errors, 0 checksum errors, 0 bad hop count,
100 packets pitched, 29 local destination, 0 multicast
Bcast: 126 received, 64 sent
Sent: 79 generated, 18 forwarded
0 encapsulation failed, 2 no route
SAP: 0 Total SAP requests, 0 Total SAP replies, 3 servers
0 SAP general requests received, 4 sent, 0 ignored, 0 replies
0 SAP Get Nearest Server requests, 0 replies
0 SAP Nearest Name requests, 0 replies
0 SAP General Name requests, 0 replies
18 SAP advertisements received, 15 sent, 0 Throttled
4 SAP flash updates sent, 0 SAP format errors
RIP: 2 RIP requests, 0 ignored, 2 RIP replies, 4 routes
9 RIP advertisements received, 30 sent 0 Throttled
7 RIP flash updates sent, 0 atlr sent
4 RIP general requests sent
0 RIP format errors
Echo: Rcvd 0 requests, 0 replies
Sent 10 requests, 0 replies
0 unknown: 0 no socket, 0 filtered, 0 no helper
0 SAPs throttled, freed NDB len 0
Watchdog:
0 packets received, 0 replies spoofed
Queue lengths:
IPX input: 0, SAP 0, RIP 0, GNS 0
SAP throttling length: 0/(no limit), 0 nets pending lost route reply
Delayed process creation: 0
EIGRP: Total received 0, sent 0
Updates received 0, sent 0
Queries received 0, sent 0
Replies received 0, sent 0
SAPs received 0, sent 0
Trace: Rcvd 0 requests, 0 replies
Sent 0 requests, 0 replies

In this brief guide, I’m not going to even get into all of this, however it is important to know that the router has sent things, and received things back.

Another thing that is different about IPX vs TCP/IP is that each server has it’s own internal network, where the services originate from.  You can see this with the show ipx route command

corertr1#show ipx route
Codes: C – Connected primary network, c – Connected secondary network
S – Static, F – Floating static, L – Local (internal), W – IPXWAN
R – RIP, E – EIGRP, N – NLSP, X – External, A – Aggregate
s – seconds, u – uses, U – Per-user static/Unknown, H – Hold-down

4 Total IPX routes. Up to 1 parallel paths and 16 hops allowed.

No default route known.

C C0000001 (SAP), Fa0/0
C C0010001 (SAP), Et1/0
C C0010002 (SAP), Et1/1
R DEAD0001 [02/01] via C0010001.5254.0012.3456, 10s, Et1/0

As you can see from the SAP advertisements above, and the route here, the server is configured for it’s internal network to be DEAD0001.  The router picked up the advertisement from C0010001.5254.0012.3456, which breaks down as c0010001 being the network the server is on (the server network), and 5254.0012.3456 being the MAC address of the server.

The real test comes from trying to use a client.

Screen Shot 2013-10-22 at 1.26.35 PM

Netware 3.12 client

As you can see, this MS-DOS client attached to the client vlan, can see and interoperate with the virtual NetWare server.

This pretty much covers the basics of getting IPX/SPX working.  Logically the next thing to do would be to configure routing and get IPX working throughout the WAN.  But I’m going to save that for a later time.

The more ‘advanced’ topics of IPX involve filtering, as it was a common problem in large networks where you could simply have too many servers, and they would be constantly talking among themselves.  Another problem is licensing, where some products are licensed in certain areas, and you want those licenses to stay in a geographic area.  Latency was another issue too, it was insane to say use a SNA server in Japan, to talk to a mainframe in Arizona when you were in Arizona.  Or if you had a 3rd party, and you only wanted them to connect to a print server, and a single file server, you would setup access-lists on your peer router, much in the same way that we setup firewalls in this fine modern age 😉

Adding some substance to my example network

So thanks to fakenamegenerator.com I thought I should add some people and setup various workstations around my fake network. With that said, here is my list:

name user id country PC
Hazel B. Forrest hforrest USA MS-DOS
James M. White jwhite USA Windows 3.1
Russell I. Ward rward USA
Valerie H. Shimp vshimp USA
Vera H. Williams vwilliams USA
Marie J. Brown mbrown UK Windows 95
Jason S. Seymore jseymore UK
Mingmei Hao mhao HK OS/2 1.21
Guang Huang ghuang HK
Wit Pawlak wpawlak PL WindowsNT 4.0
Fabio Napolitani fnapolitani IT

Which is enough to get me started in creating some users.

For starters I thought it would be fun to make up some applications the users can ‘use’ on this fine network.  A mainframe is a must, however Hercules doesn’t emulate SNA networks.  Which is kind of sad.  I did find an evaluation copy of Microsoft SNA Server 2.11 which runs great on NT 3.5 and higher.  However it is limited to two sessions, but to be honest back when I used a mainframe for work, Microsoft SNA server was honestly the best thing out there.  I had a NT 4.0 / SNA 2.11 install that had uptime in YEARS, while the later SNA 3.0, 4.0 and HIS stuff constantly had issues.

For email, I thought I’d go with something positively ancient, Microsoft Mail 2.1c.

Microsoft Mail

Microsoft Mail

Back then, email programs were just flat databases that allowed multiple people to read/write/lock files over a network. It is very reminisce of how BBS multiuser doors & databases work. MS Mail 2.1 includes clients for MS-DOS, Windows 3.X while the later 3.5 version included an OS/2 client that used the WLO libraries, which was a port of Windows 3.0 to run on top of OS/2.  I kind of covered this thing back here, although it was mostly geared to version 3.5, it basically is the same thing.

I’ve been using a Windows NT 4.0 server loaded up with the FPNW, so it looks like a NetWare server.  Although Netware 3.12 runs on Qemu 0.90, it is lacking UDP bridge support to communicate with dynagen/dynamips.  I did find out that VirtualBOX does support the UDP bridge, and will even run Netware 3.12, HOWEVER, after transferring a few megabytes, the server will stop responding, and dynamips will crash.  Not a very satisfactory solution.  So until I get around to backporting the UDP code, this NT server will serve as my virtual ‘Netware’ server for the time being.

I was also going to run SQL Server 4.21a on WindowsNT, however I did come across SQL Server for OS/2, so I will be installing an OS/2 machine complete with Lan Manager, and SQL Server.  The only downside is that LanManager relies on the non-routable NetBEUI protocol.  However it is just as awkward as bridging mainframe traffic, so I guess that is a hidden plus. While a program to talk to the database outside of the old isql stuff would be nice, I suspect that doing anything beyond Visual Basic + ODBC would take too much time, and honestly not really be all that worth it.

Also looking at this fine program, Stomper, which lets your share a modem over a network, I thought it would be fun to try in combination with rlfossil for some BBSing adventures.  Back before the internet was open to commercial ISPs it wasn’t uncommon for corporations to pool modems over a LAN.  Remote access was typically handled with specialized hardware appliances like the Shiva LanRover. As far as I know, the only real dialup server that Microsoft had was incorporated with Windows NT 3.5.

Once I get this networking operating correctly, then I’ll start to add things like redundancy via HSRP in my core site, backup network connections, an internet connection, upgrade to an exchange server, some BGP peering, and a VPN server.

Just like the real world!

Configuring TCP/IP

Cisco routers are born to do TCP/IP.  And looking at the networking world today, it is pretty safe to say that you will be on a TCP/IP network.  Luckily configuring TCP/IP on the router is pretty easy.  IP addresses are assigned per interface, as a typical router will have many ip addresses.

As always it does help to have a ‘plan’ for what ip addresses will go where in your network.

I’m using the network that I described earlier, here.

From my corertr1 router I’m going to setup 3 networks, a server network, a user network, and finally a network to connect to my WAN router.  The IP networks that I’m going to use are the following:

WAN 138.1.0.0/24
SERVER 138.1.1.0/24
USER 138.1.10.0/24

The first thing I want to do is examine the existing configuration of the FastEthernet 0/0 port which will be my ‘wan’ network port.

corertr1#sho run int fa0/0
Building configuration…

Current configuration : 83 bytes
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
end

As you can see it is shut down, and has no ip address assigned.  We can also check the ethernet’s status with a show interface fa0/0

corertr1#sho interfaces fastEthernet 0/0
FastEthernet0/0 is administratively down, line protocol is down
Hardware is i82543 (Livengood), address is ca00.383b.0008 (bia ca00.383b.0008)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:30, output 00:01:40, output hang never
Last clearing of “show interface” counters 00:00:01
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

The important part here is this line:

FastEthernet0/0 is administratively down, line protocol is down

First the interface is ‘administratively down’ meaning that it is configured this way. In cisco speak this interface is ‘down, down’. This is different from a ‘up/down’ interface that is configured to be ‘up’ or operational, but is not working.  That will appear like this:

FastEthernet0/0 is administratively up, line protocol is down

Which indicates that there is a hardware problem.

The first thing we are going to do is turn the interface ‘on’.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#interface fastEthernet 0/0
corertr1(config-if)#no shut
corertr1(config-if)#exit
corertr1(config)#exit
corertr1#
16:41:01: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
16:41:01: %SYS-5-CONFIG_I: Configured from console by console
16:41:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
corertr1#

Notice that when we type in “interface fastEthernet 0/0” the prompt changes to (config-if) meaning that we are now configuring an interface.  Type in the question mark, and you can see all the possible options you have on this interface.  The physical interface is where you select things like speed, duplex, line encapsulation.  If the interface doesn’t have any ‘virtual’ members like 802.1Q, or frame relay as a few examples, you can put an ip address on the interface.  Also take note that when I typed in the first ‘exit’ the prompt changed back to (config) meaning we are no longer configuring the fastEthernet 0/0 interface.  The next exit then takes us out of the config mode all together.

The next thing that happens is that the router turns the interface on, and then generates a syslog event which is followed by a console message letting us know that that fastEthernet interface is now operational as its state is now up.

Now I’m going to go back into the configuration mode, and setup the IP address

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#interface fastEthernet 0/0
corertr1(config-if)# description WAN network
corertr1(config-if)# ip address 138.1.0.5 255.255.255.0
corertr1(config-if)#exit
corertr1(config)#exit
corertr1#

Notice that I also set a description on the interface.  This makes it easier to remember what goes where.  Always if possible put in descriptions! Now if we check the interface configuration we will now see:

corertr1#sho run interface fastEthernet 0/0
Building configuration…

Current configuration : 119 bytes
!
interface FastEthernet0/0
description WAN network
ip address 138.1.0.5 255.255.255.0
duplex auto
speed auto
end

Which looks fine.

Another GREAT feature of the cisco routers is the CDP protocol, or cisco discovery protocol.  CDP will broadcast on every interface a special packet that other cisco devices will pick up on, to let you know that who/what you are plugged into.  To take a look simply run the command show cdp neigh

corertr1#sho cdp neigh
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID
corewan1 Fas 0/0 134 R 7206VXR Fas 0/0

This tells us that our Fast ethernet 0/0 is connected to a 7206VXR called corewan1 on it’s Fast ethernet 0/0.  You can get even more information with the command ‘show cdp neighbors detail’

corertr1#show cdp neighbors detail
————————-
Device ID: corewan1
Entry address(es):
Platform: cisco 7206VXR, Capabilities: Router
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0
Holdtime : 129 sec

Version :
Cisco Internetwork Operating System Software
IOS ™ 7200 Software (C7200-JS-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 15:57 by tinhuang

advertisement version: 2
Duplex: full

As you can see this even tells us what version of software our neighbour is running. Sometimes you don’t want to tell people (like 3rd parties) what you are running so you can turn off CDP on the router, or just the interface that is connected to the 3rd party.

So with our first interface configured, I’m going to go and setup the rest of my interfaces, then I’m going to show an overview with the ‘sho ip interface brief’ command like this:

corertr1#sho ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 138.1.0.5 YES manual up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Ethernet1/0 138.1.1.1 YES NVRAM up up
Ethernet1/1 138.1.10.1 YES NVRAM up up
Ethernet1/2 unassigned YES NVRAM administratively down down
Ethernet1/3 unassigned YES NVRAM administratively down down
Ethernet1/4 unassigned YES NVRAM administratively down down
Ethernet1/5 unassigned YES NVRAM administratively down down
Ethernet1/6 unassigned YES NVRAM administratively down down
Ethernet1/7 unassigned YES NVRAM administratively down down

As you see this shows the interfaces that are capable of having an ip address, and which ones do have an ip address.  Now let’s configure the ‘WAN’ router with an IP address so we can do a ping. From dynagen bring up the corewan1 console:

=> console corewan1

You will probably want to setup the router much like how we did in the prior page.

corewan1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corewan1(config)#int fa0/0
corewan1(config-if)#desc WAN network
corewan1(config-if)#ip address 138.1.0.6 255.255.255.0
corewan1(config-if)#exit
corewan1(config)#exit

Notice that I gave it .6 not .5 as that would be a duplicate ip address!  CDP updates every 60 seconds by default, so after a minute this is what we now see from corertr1:

corertr1#show cdp neighbors detail
————————-
Device ID: corewan1
Entry address(es):
IP address: 138.1.0.6
Platform: cisco 7206VXR, Capabilities: Router
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0
Holdtime : 124 sec

Version :
Cisco Internetwork Operating System Software
IOS ™ 7200 Software (C7200-JS-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 15:57 by tinhuang

advertisement version: 2
Duplex: full

Notice we now see the peer ip addres!  Now we can ping.

corertr1#ping 138.1.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 138.1.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Although it may not be important now, but ping has an incredible featureset on cisco routers.  Simply type in ping this time, and be amazed.  Google will lead you to what all these options mean for now, but just be aware this is one of the reason people buy cisco routers.

corertr1#ping
Protocol [ip]:
Target IP address: 138.1.0.6
Repeat count [5]:
Datagram size [100]: 1000
Timeout in seconds [2]: 3
Extended commands [n]: y
Source address or interface: 138.1.0.5
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 500
Sweep max size [18024]: 600
Sweep interval [1]:
Type escape sequence to abort.
Sending 505, [500..600]-byte ICMP Echos to 138.1.0.6, timeout is 3 seconds:
Packet sent with a source address of 138.1.0.5
Packet sent with the DF bit set
Reply data will be validated
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!
Success rate is 100 percent (505/505), round-trip min/avg/max = 16/21/44 ms
corertr1#

Now that we can ping, we can even telnet to the wan router from the core router.

corertr1#138.1.0.6
Trying 138.1.0.6 … Open

|\ _,,,—,,_
/,`.-‘`’ -. ;-;;,_
|,4- ) )-,_..;\ ( `’-‘
‘—”(_/–‘ `-‘\_) Welcome to the corewan1

Authorized users ONLY!!!!

User Access Verification

Password:

We can even check to see who is ‘on’ the router with the who command.

corewan1>who
Line User Host(s) Idle Location
0 con 0 idle 00:00:17
* 2 vty 0 idle 00:00:00 138.1.0.5

Interface User Mode Idle Peer Address

corewan1>q

Wasn’t that simple?

Physical network topologies

This is part of my on going thing about cisco networking.

I guess I can go on about various serial port standards from the good old fashioned RS-232, and V.35.  Not to mention things like T1/E1/J1’s with HDLC, Frame relay, Ethernet, TokenRing, ATM….

 

And of course various virtual technologies like VPN’s, and tunnelling.

 

So for now, my placeholder will just contain one little gem of wisdom about V35 cables.

A bunch of V35 cables

A bunch of V35 cables

When you are connecting V35’s remember to slowly screw them in, and try to screw both screws in at the same time, or a little bit on each side.  If you try to screw one side in all at once, you could break the screw, or worse it’ll help you strip the other screw trying to go in as it’ll be all lopsided.

 

Frame Relay

Frame relay is a great ‘slow’ networking cloud solution from back in the day.  For people who were going to deploy global WAN solutions that were going to be sub T1/E1 speeds, frame relay was the way to go.  You would simply get a T1 port installed in each of the sites, then the provider will then create PVC’s from each of the sites.  What is great is you can (theoretically) quickly provision new sites, and change service classes as needed.  Sadly for frame relay it is hampered by the port speed being only a T1/E1, limiting it to 1.5MB/2MB.  But heck it is from the mid 1980’s, so what do you expect?

Configuration

On the Dynamips / Dynagen simulation configuring frame relay is pretty simple.  The Frame Relay switch is already configured in my example here:

[FRSW F1]]
1:102 = 2:201
1:103 = 3:301

Which just specifies that on my WAN router pvc 102 goes to pvc 201 in New York, and pvc 103 goes to pvc 301 in Hong Kong. For simplicity sakes, all the physical serial ports are S1/0. With this in mind, let us first configure the physical interfaces in all the routers.

So the first step is to set the encapsulation on the serial interface to frame-relay.  Then turn the interface on.

nycrtr1#config t

Enter configuration commands, one per line. End with CNTL/Z.
nycrtr1(config)#int s1/0
nycrtr1(config-if)#encapsulation frame-relay
nycrtr1(config-if)#no shut
nycrtr1(config-if)#^Z
nycrtr1#

Now we wait for the interface to transition.

nycrtr1#
00:18:43: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
00:18:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
nycrtr1#

Now we can check to see if the router see’s the PVC going to the core wan router.

nycrtr1#sho frame-relay pvc

PVC Statistics for interface Serial1/0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 0 0 0 0
Switched 0 0 0 0
Unused 1 0 0 0

DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
switched pkts 0
Detailed packet drop counters:
no out intf 0 out intf down 0 no out PVC 0
in PVC down 0 out PVC down 0 pkt too big 0
shaping Q full 0 pkt above DE 0 policing drop 0
pvc create time 00:02:12, last time pvc status changed 00:02:02

Looks good!

Now lets configure the DLC on the frame relay sub interface

nycrtr1#config t
Enter configuration commands, one per line. End with CNTL/Z.

nycrtr1(config)#int s1/0.201 point-to-point
nycrtr1(config-subif)#frame-relay interface-dlci 201
nycrtr1(config-subif)#ip address 135.0.0.6 255.255.255.252
nycrtr1(config-subif)#^Z

nycrtr1#

Now for the ultimate test once the other side is configured.

corewan1#sho run int s1/0.102
Building configuration…

Current configuration : 140 bytes
!
interface Serial1/0.102 point-to-point
description NewYork
ip address 135.0.0.5 255.255.255.252
frame-relay interface-dlci 102
end

corewan1#ping 135.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
corewan1#

And there we go, our Frame relay is up!

Getting started with a cisco router

To get started with a cisco router, you’ll first need a console cable.  The newer equipment uses USB, but needs a special driver for use under Microsoft Windows.  The older stuff uses the venerable RS232 protocol, however depending on the age of the equipment it could be a DB25 or a DB9, or perhaps even a RJ45 port in which you’ll need to plug into for the first time to configure the router.  They all start up a 9600 baud, no parity, eight databits, one stop bit (N81).  With newer computers getting a working RS232 port can be a challenge, so don’t throw away any computer that has a working RS232 port.  It may save your life one day.

Since I am using dynagen/dynamips for my example I open up my configuration with dynagen, then start all my routers like this

=> start /all
100-VM ‘nycrtr1’ started
100-VM ‘corewan1’ started
100-VM ‘corertr1’ started
100-VM ‘hkgrtr1’ started
=>

Then I can console to my selected router by typing in console (router)

=> console corertr1
=>

From there it will act like a real console port, just as if I had plugged in a serial console cable. With the console connected, and the router powered up you’ll eventually find the following question being asked:

% Please answer ‘yes’ or ‘no’.
Would you like to enter the initial configuration dialog? [yes/no]:

This is the first thing you’ll be greeted with on the console port of a virgin cisco router.  Honestly I don’t like the intial configuration, and prefer to do this all by myself.

From there the router will prompt you with the cheery:

Press RETURN to get started!

And once you press enter, a status of all the interfaces will be displayed, and you’ll be dumped at the router prompt.

Router>

From here we are in an unprivileged mode, only able to enter in some basic commands, but unable to change the configuration, or do anything really meaningful. You can view what commands are available by typing in a question mark (hit enter!), and the list will scroll by. To change to the enabled (supervisor) mode, we simply type in enable.

Router>enable
Router#

Notice how the prompt changed from > to #.  Now try the ‘?’ command again, and notice that we can do far more commands.

Some useful commands include

  • show version
  • show running-config
  • show log
  • who
  • dir

Take note that the ‘show’ command has many, many possible options to give it.  This will be the command you will use the most to figure out what is going on, inside of your network.

The ‘show running-config’ command will show us the current configuration that the router has.  Take note that it will ask you to hit ‘more’ as you go through the configuration as this has more than 24 lines to display.  This is because your ‘console’ is configured by default for 24 lines (show line 0).  Like everything else it too can be changed, but for now we’ll leave the paging function in.

This is what a ‘blank’ or empty configuration looks like:

Router#sho run
Building configuration…

Current configuration : 974 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
ip cef
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
interface Ethernet1/4
no ip address
shutdown
duplex half
!
interface Ethernet1/5
no ip address
shutdown
duplex half
!
interface Ethernet1/6
no ip address
shutdown
duplex half
!
interface Ethernet1/7
no ip address
shutdown
duplex half
!
ip classless
no ip http server
!
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
!
end

You may be thinking that for a ‘blank’ router there is a lot of things in here.  The important thing to notice right now is all the interfaces, and that they are currently in shutdown mode.  By default a router will have all of its interfaces turned OFF.  This is to prevent things from automatically “working” or screwing things up in spectacular ways. Also notice with ethernet interfaces they are typically configured at half duplex.  You very well may want to change this on a real router, emulated ones don’t matter, but if you connect a cisco router to a cisco switch, and the duplex is mismatched they will both let you know.  Quite a bit.  So do pay attention to things like that.  In between each bang (!) is a section of the configuration that can be altered by the user as you see fit.  But right now it just allows a console to plug in, and have full access.

So what are some basic things I like to setup on my routers?  Well to start a name is nice.  We enter the configuration mode from within the enable mode by typing in ‘configure terminal’.  From there we change the hostname by simply typing in hostname along with the name that we want to give the router.  Notice that the name of the router now appears on the prompt.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname corewan1
corewan1(config)#

We can now exit the configure mode by hitting CONTROL+Z.

corewan1(config)#^Z
corewan1#
02:26:53: %SYS-5-CONFIG_I: Configured from console by console

Notice that the router will trigger a syslog event, and display it on the console.  All of this is configurable but right now this is the factory default behaviour.

It is important to take note that cisco routers have two configurations, the running configuration, and the startup configuration. When you make changes to a live system, you alter the running configuration, not the startup configuration.  This is done this way that in the event that you lock yourself out of the router (removing ip routing, changing the WAN ip address, typoing the passwords.. mistakes happen) a simple power cycle will restore the router to the prior configuration.  It is imperative to test what you can when you make major changes from a second telnet console before saving the configuration.  It can take valuable time to track people down in remote countries, and walking them through a power cycle of the routers can be daunting as they usually don’t ever touch the routers.

To make this change now ‘permanent’ by committing it to the NVRAM, we can issue the command ‘copy running-config startup-config’

corewan1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
corewan1#

Take note that we *MUST* be out of the configuration mode to issue this command.

The ultimate test is to reboot the router, and verify that it does come up with the new configuration.  To reboot a router the command is simply reload. However with dynamips reloading the router will cause it to crash.

corertr1#reload
Proceed with reload? [confirm]y
00:20:13: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

ROM: reload requested…

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

But switching to dynagen we can quickly restart the router process.

=> stop corertr1
100-VM ‘corertr1’ stopped
=> start corertr1
100-VM ‘corertr1’ started
=> console corertr1
=>

And now we are booted into the router.

00:00:05: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
corertr1>

I should also point out that from dynagen I also save the router configuration, which will attach it to the network config file.

=> save corertr1
saved configuration from: corertr1
=>

It should be as easy as that.

Now let’s get to some nice things to add.

I always like banners to at least let you know where you are.  Some people like to have legal disclaimers warning against unauthorized access, or even ascii art.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#banner motd Z
Enter TEXT message. End with the character ‘Z’.
|\ _,,,—,,_
/,`.-‘`’ -. ;-;;,_
|,4- ) )-,_..;\ ( `’-‘
‘—”(_/–‘ `-‘\_) Welcome to the corertr1

Authorized users ONLY!!!!

Z
corertr1(config)#^Z
corertr1#
00:07:23: %SYS-5-CONFIG_I: Configured from console by console

Notice the ‘Z’ which is how I let it know that I’m done with my banner.

Passwords are also a good thing, for now I’m not going to put one on the console, but instead on the ‘vty’ ports which we will configure later for telnet access into the router.  Why not the console?  Well right now I’m operating under the idea that if you have physical access to the router, you are into the network anyways.  Obviously this may not meet your needs, but it is fine for my simple introduction.

I’m going to use a simple password of ‘cisco’.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#line vty 0 4
corertr1(config-line)#password 0 cisco
corertr1(config-line)#exit
corertr1(config)#enable password 0 cisco
corertr1(config)#^Z
corertr1#

First the vty part has the parameter 0 4 which gives the router the ability to handle five connected telnet sessions.  Maybe you want more, maybe you want less.  The next part is that after the password keyword, I’m using the number 0 which means the password is unencrypted.  It has been my experience that you ALWAYS ALWAYS ALWAYS configure the passwords using a 0, as some versions change things, and your encrypted strings may not work how you expected them to.

Another fun feature in IOS 12 is the pipe (|) which you can use to filter output from the show command.  Right now our passwords are in clear text, so we are going to encrypt them.  First to verify that they are clear:

corertr1#sho run | include password
no service password-encryption
enable password cisco
password cisco

Now we enable encryption, and re-run the command:

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#service password-encryption
corertr1(config)#^Z
corertr1#sho run | include password
00:11:36: %SYS-5-CONFIG_I: Configured from console by console
service password-encryption
enable password 7 060506324F41
password 7 121A0C041104
corertr1#

Now our passwords are not so obvious!  But be aware that there are ways to crack these simple passwords.

Screen Shot 2013-09-19 at 9.11.21 AM

My password was cracked!

You can check the site for more information on a more ‘secure’ approach to passwords, but for now it doesn’t matter.

With all of this done, we should save our configuration, and proceed to the next step.

Another popular thing to do is turn off DNS queries.  If you make a typo at the command line, the router will assume that you are trying to telnet to a host.  By default with no DNS servers specified, it will then do a broadcast twice trying to find a DNS server.  This can delay you for 30 seconds to a minute which when you are in a network downtime scenario is very annoying.  To disable this ‘feature’ simply add this to your configuration

no ip-domain lookup

And you’ll never have to worry about this!

cisco router guide

So from the last article I thought I’d go over some basic stuff about cisco routers…

And expect more to change as I go through this some more.

So I thought I’d go through something incredibly elaborate

and for the fun of it.

I’ve been playing with the latest release of dynamips (0.2.10), and very excitingly it can build for x86_64 OS X!  So I thought I’d build up a good sized network, much like what I first was exposed to when I started doing cisco networking back in the 1990’s.

Sadly I didn’t hold onto any IOS from back then, so I’m using something much newer, 12.2.  Back then I actually had some IGS stuff with version 9, and bunch of stuff on version 10 & 11.  For the most part I was lucky to use a 7513 as my wan core router, a 7200 for an access router, and 5500’s as my core route/switch fabric with ATM.  It was … very complicated for the day.

To get the ball rolling, I thought I would build out a core site, with a user & server VLAN (voip was a dream back then), and two sites connected via frame relay.  The protocols I most care about will be IPX/SPX and TCP/IP.  I was thinking of porting back the UDP patches for Qemu to version 0.90 so I could run Netware 3.12 in the mix, but honestly it is just easier to use the Netware file & print services for NT 4.0.

So along with the dynamips program, I’m using the obsolete (and easier to configure IMHO) dynagen program.

I’ve fed it a configuration like this:

autostart = False

[localhost]

[[7200]]
image = C7200-JS.BIN
npe = npe-400
ram = 160
idlepc = 0x60529c84
disk0 = 0
mmap = False
ghostios = True

[[ROUTER corertr1]]
model = 7200
slot1 = PA-8E
F0/0 = coresw1 1
E1/0 = coresw1 3
E1/1 = coresw1 8

[[ROUTER corewan1]]
model = 7200
slot1 = PA-8T
F0/0 = coresw1 2
s1/0 = F1 1
configuration = ”

[[ROUTER nycrtr1]]
model = 7200
slot1 = PA-4T+
f0/0 = nycsw1 1
s1/0 = F1 2
configuration = ”

[[ROUTER hkgrtr1]]
model = 7200
slot1 = PA-4T+
f0/0 = hkgsw1 1
s1/0 = F1 3
configuration = ”

#Frame relay switch
[[FRSW F1]]
1:102 = 2:201
1:103 = 3:301

#Core ethernet
#vlan 5 WAN
#vlan 6 server
# 4 FPNW-DC 138.1.1.10
#vlan 7 workstation
[[ethsw coresw1]]
1 = access 5
2 = access 5
3 = access 6
4 = access 6 NIO_udp:41300:127.0.0.1:51300
5 = access 6 NIO_udp:41301:127.0.0.1:51301
6 = access 6 NIO_udp:41302:127.0.0.1:51302
7 = access 6 NIO_udp:41303:127.0.0.1:51303
8 = access 7
9 = access 7 NIO_udp:41304:127.0.0.1:51304

[[ethsw nycsw1]]
1 = access 1
2 = access 1 NIO_udp:41305:127.0.0.1:51305

[[ethsw hkgsw1]]
1 = access 1
2 = access 1 NIO_udp:41306:127.0.0.1:51306

Screen Shot 2013-09-18 at 10.21.03 PM

Or something like this

Ok, now this may look complicated, but in all reality it really isn’t.  It is always a good thing to keep track of what network addresses you are going to use, so here is my chart:

 

Description IPX IP Mask
CORE
FA0/0 Wan Interconnect C0000001 138.1.0.5 255.255.255.0
Eth1/0 Server C0010001 138.1.1.1 255.255.255.0
Eth1/1 User C0010002 138.1.10.1 255.255.255.0
WAN
Fa0/0 Wan Interconnect C0000001 138.1.0.6 255.255.255.0
S1/0.102 New York PVC A0000001 135.0.0.5 255.255.255.252
S1/0.103 Hong Kong PVC A0000002 135.0.0.1 255.255.255.252
New York
Fa0/0 User C10000001 136.2.0.1 255.255.255.0
S1/0.201 Core PVC 201 A0000001 135.0.0.6 255.255.255.252
Hong Kong
Fa0/0 User C20000001 136.1.0.1 255.255.255.0
S1/0.301 Core PVC 301 A0000002 135.0.0.2 255.255.255.252

For simplicities sake for the routers & IOS I’m using 7200’s everywhere.  The 7200 is a good router with plenty of slots, so it fits my needs just fine.  I suppose I could track down a 2600 or 1700 IOS image, and use them for the access sites, but for now it doesn’t matter.  Mostly because of the ghostios image option where the same memory map can be shared between routers, and of course my Mac Pro has 16GB of RAM.

Now the exciting part of this configuration is that I can easily connect in Qemu 1.6.0 processes to this configuration, allowing me to test the network out in its entirety.  Even better thanks to it being UDP, I can reboot and restart the Qemu or router processes at will.

Naturally like any test scenario, I should spell out some goals, along with some applications that I hope to be able to run.  So to start, a simple setup with an NT 4.0 server with the FPNW services setup.  To run Qemu to attach to the first port on the server VLAN in the core switch I start Qemu like this:

./qemu/qemu-system-i386 -cpu pentium -L ./qemu/pc-bios/ -m 64 -hda FPNW-DC.vmdk -net nic,model=pcnet -net nic,model=ne2k_isa -net socket,udp=localhost:41300,localaddr=0.0.0.0:51300

And from there by changing the UDP numbers I can easily jump VLANs.  Fun.  The major thing is that each additional instance of Qemu will need a unique MAC address, so additional instances should be run like this…

./qemu/qemu-system-i386 -L ./qemu/pc-bios/ -m 16 -net nic,model=pcnet,macaddr=00:11:22:33:44:55 -net socket,udp=localhost:41304,localaddr=0.0.0.0:51304  -fda nwclient-pcnet.vfd

So maybe I should launch into some big diatribe on cisco routers, networking and the rest of the fun stuff.  And maybe I will.

I think the next article will be an anchor page for various topics of what I’m going to get into, and from there evolve my network from the mid 90’s before the internet craze into something far more modern.  And of course a page going over the scope of what I hope to create.