Configuring TCP/IP

Cisco routers are born to do TCP/IP.  And looking at the networking world today, it is pretty safe to say that you will be on a TCP/IP network.  Luckily configuring TCP/IP on the router is pretty easy.  IP addresses are assigned per interface, as a typical router will have many ip addresses.

As always it does help to have a ‘plan’ for what ip addresses will go where in your network.

I’m using the network that I described earlier, here.

From my corertr1 router I’m going to setup 3 networks, a server network, a user network, and finally a network to connect to my WAN router.  The IP networks that I’m going to use are the following:

WAN 138.1.0.0/24
SERVER 138.1.1.0/24
USER 138.1.10.0/24

The first thing I want to do is examine the existing configuration of the FastEthernet 0/0 port which will be my ‘wan’ network port.

corertr1#sho run int fa0/0
Building configuration…

Current configuration : 83 bytes
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
end

As you can see it is shut down, and has no ip address assigned.  We can also check the ethernet’s status with a show interface fa0/0

corertr1#sho interfaces fastEthernet 0/0
FastEthernet0/0 is administratively down, line protocol is down
Hardware is i82543 (Livengood), address is ca00.383b.0008 (bia ca00.383b.0008)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:30, output 00:01:40, output hang never
Last clearing of “show interface” counters 00:00:01
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

The important part here is this line:

FastEthernet0/0 is administratively down, line protocol is down

First the interface is ‘administratively down’ meaning that it is configured this way. In cisco speak this interface is ‘down, down’. This is different from a ‘up/down’ interface that is configured to be ‘up’ or operational, but is not working.  That will appear like this:

FastEthernet0/0 is administratively up, line protocol is down

Which indicates that there is a hardware problem.

The first thing we are going to do is turn the interface ‘on’.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#interface fastEthernet 0/0
corertr1(config-if)#no shut
corertr1(config-if)#exit
corertr1(config)#exit
corertr1#
16:41:01: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
16:41:01: %SYS-5-CONFIG_I: Configured from console by console
16:41:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
corertr1#

Notice that when we type in “interface fastEthernet 0/0” the prompt changes to (config-if) meaning that we are now configuring an interface.  Type in the question mark, and you can see all the possible options you have on this interface.  The physical interface is where you select things like speed, duplex, line encapsulation.  If the interface doesn’t have any ‘virtual’ members like 802.1Q, or frame relay as a few examples, you can put an ip address on the interface.  Also take note that when I typed in the first ‘exit’ the prompt changed back to (config) meaning we are no longer configuring the fastEthernet 0/0 interface.  The next exit then takes us out of the config mode all together.

The next thing that happens is that the router turns the interface on, and then generates a syslog event which is followed by a console message letting us know that that fastEthernet interface is now operational as its state is now up.

Now I’m going to go back into the configuration mode, and setup the IP address

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#interface fastEthernet 0/0
corertr1(config-if)# description WAN network
corertr1(config-if)# ip address 138.1.0.5 255.255.255.0
corertr1(config-if)#exit
corertr1(config)#exit
corertr1#

Notice that I also set a description on the interface.  This makes it easier to remember what goes where.  Always if possible put in descriptions! Now if we check the interface configuration we will now see:

corertr1#sho run interface fastEthernet 0/0
Building configuration…

Current configuration : 119 bytes
!
interface FastEthernet0/0
description WAN network
ip address 138.1.0.5 255.255.255.0
duplex auto
speed auto
end

Which looks fine.

Another GREAT feature of the cisco routers is the CDP protocol, or cisco discovery protocol.  CDP will broadcast on every interface a special packet that other cisco devices will pick up on, to let you know that who/what you are plugged into.  To take a look simply run the command show cdp neigh

corertr1#sho cdp neigh
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID
corewan1 Fas 0/0 134 R 7206VXR Fas 0/0

This tells us that our Fast ethernet 0/0 is connected to a 7206VXR called corewan1 on it’s Fast ethernet 0/0.  You can get even more information with the command ‘show cdp neighbors detail’

corertr1#show cdp neighbors detail
————————-
Device ID: corewan1
Entry address(es):
Platform: cisco 7206VXR, Capabilities: Router
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0
Holdtime : 129 sec

Version :
Cisco Internetwork Operating System Software
IOS ™ 7200 Software (C7200-JS-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 15:57 by tinhuang

advertisement version: 2
Duplex: full

As you can see this even tells us what version of software our neighbour is running. Sometimes you don’t want to tell people (like 3rd parties) what you are running so you can turn off CDP on the router, or just the interface that is connected to the 3rd party.

So with our first interface configured, I’m going to go and setup the rest of my interfaces, then I’m going to show an overview with the ‘sho ip interface brief’ command like this:

corertr1#sho ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 138.1.0.5 YES manual up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Ethernet1/0 138.1.1.1 YES NVRAM up up
Ethernet1/1 138.1.10.1 YES NVRAM up up
Ethernet1/2 unassigned YES NVRAM administratively down down
Ethernet1/3 unassigned YES NVRAM administratively down down
Ethernet1/4 unassigned YES NVRAM administratively down down
Ethernet1/5 unassigned YES NVRAM administratively down down
Ethernet1/6 unassigned YES NVRAM administratively down down
Ethernet1/7 unassigned YES NVRAM administratively down down

As you see this shows the interfaces that are capable of having an ip address, and which ones do have an ip address.  Now let’s configure the ‘WAN’ router with an IP address so we can do a ping. From dynagen bring up the corewan1 console:

=> console corewan1

You will probably want to setup the router much like how we did in the prior page.

corewan1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corewan1(config)#int fa0/0
corewan1(config-if)#desc WAN network
corewan1(config-if)#ip address 138.1.0.6 255.255.255.0
corewan1(config-if)#exit
corewan1(config)#exit

Notice that I gave it .6 not .5 as that would be a duplicate ip address!  CDP updates every 60 seconds by default, so after a minute this is what we now see from corertr1:

corertr1#show cdp neighbors detail
————————-
Device ID: corewan1
Entry address(es):
IP address: 138.1.0.6
Platform: cisco 7206VXR, Capabilities: Router
Interface: FastEthernet0/0, Port ID (outgoing port): FastEthernet0/0
Holdtime : 124 sec

Version :
Cisco Internetwork Operating System Software
IOS ™ 7200 Software (C7200-JS-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 15:57 by tinhuang

advertisement version: 2
Duplex: full

Notice we now see the peer ip addres!  Now we can ping.

corertr1#ping 138.1.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 138.1.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

Although it may not be important now, but ping has an incredible featureset on cisco routers.  Simply type in ping this time, and be amazed.  Google will lead you to what all these options mean for now, but just be aware this is one of the reason people buy cisco routers.

corertr1#ping
Protocol [ip]:
Target IP address: 138.1.0.6
Repeat count [5]:
Datagram size [100]: 1000
Timeout in seconds [2]: 3
Extended commands [n]: y
Source address or interface: 138.1.0.5
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]: y
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 500
Sweep max size [18024]: 600
Sweep interval [1]:
Type escape sequence to abort.
Sending 505, [500..600]-byte ICMP Echos to 138.1.0.6, timeout is 3 seconds:
Packet sent with a source address of 138.1.0.5
Packet sent with the DF bit set
Reply data will be validated
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!
Success rate is 100 percent (505/505), round-trip min/avg/max = 16/21/44 ms
corertr1#

Now that we can ping, we can even telnet to the wan router from the core router.

corertr1#138.1.0.6
Trying 138.1.0.6 … Open

|\ _,,,—,,_
/,`.-‘`’ -. ;-;;,_
|,4- ) )-,_..;\ ( `’-‘
‘—”(_/–‘ `-‘\_) Welcome to the corewan1

Authorized users ONLY!!!!

User Access Verification

Password:

We can even check to see who is ‘on’ the router with the who command.

corewan1>who
Line User Host(s) Idle Location
0 con 0 idle 00:00:17
* 2 vty 0 idle 00:00:00 138.1.0.5

Interface User Mode Idle Peer Address

corewan1>q

Wasn’t that simple?

Physical network topologies

This is part of my on going thing about cisco networking.

I guess I can go on about various serial port standards from the good old fashioned RS-232, and V.35.  Not to mention things like T1/E1/J1’s with HDLC, Frame relay, Ethernet, TokenRing, ATM….

 

And of course various virtual technologies like VPN’s, and tunnelling.

 

So for now, my placeholder will just contain one little gem of wisdom about V35 cables.

A bunch of V35 cables

A bunch of V35 cables

When you are connecting V35’s remember to slowly screw them in, and try to screw both screws in at the same time, or a little bit on each side.  If you try to screw one side in all at once, you could break the screw, or worse it’ll help you strip the other screw trying to go in as it’ll be all lopsided.

 

Frame Relay

Frame relay is a great ‘slow’ networking cloud solution from back in the day.  For people who were going to deploy global WAN solutions that were going to be sub T1/E1 speeds, frame relay was the way to go.  You would simply get a T1 port installed in each of the sites, then the provider will then create PVC’s from each of the sites.  What is great is you can (theoretically) quickly provision new sites, and change service classes as needed.  Sadly for frame relay it is hampered by the port speed being only a T1/E1, limiting it to 1.5MB/2MB.  But heck it is from the mid 1980’s, so what do you expect?

Configuration

On the Dynamips / Dynagen simulation configuring frame relay is pretty simple.  The Frame Relay switch is already configured in my example here:

[FRSW F1]]
1:102 = 2:201
1:103 = 3:301

Which just specifies that on my WAN router pvc 102 goes to pvc 201 in New York, and pvc 103 goes to pvc 301 in Hong Kong. For simplicity sakes, all the physical serial ports are S1/0. With this in mind, let us first configure the physical interfaces in all the routers.

So the first step is to set the encapsulation on the serial interface to frame-relay.  Then turn the interface on.

nycrtr1#config t

Enter configuration commands, one per line. End with CNTL/Z.
nycrtr1(config)#int s1/0
nycrtr1(config-if)#encapsulation frame-relay
nycrtr1(config-if)#no shut
nycrtr1(config-if)#^Z
nycrtr1#

Now we wait for the interface to transition.

nycrtr1#
00:18:43: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
00:18:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
nycrtr1#

Now we can check to see if the router see’s the PVC going to the core wan router.

nycrtr1#sho frame-relay pvc

PVC Statistics for interface Serial1/0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 0 0 0 0
Switched 0 0 0 0
Unused 1 0 0 0

DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial1/0

input pkts 0 output pkts 0 in bytes 0
out bytes 0 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 0 out bcast bytes 0
switched pkts 0
Detailed packet drop counters:
no out intf 0 out intf down 0 no out PVC 0
in PVC down 0 out PVC down 0 pkt too big 0
shaping Q full 0 pkt above DE 0 policing drop 0
pvc create time 00:02:12, last time pvc status changed 00:02:02

Looks good!

Now lets configure the DLC on the frame relay sub interface

nycrtr1#config t
Enter configuration commands, one per line. End with CNTL/Z.

nycrtr1(config)#int s1/0.201 point-to-point
nycrtr1(config-subif)#frame-relay interface-dlci 201
nycrtr1(config-subif)#ip address 135.0.0.6 255.255.255.252
nycrtr1(config-subif)#^Z

nycrtr1#

Now for the ultimate test once the other side is configured.

corewan1#sho run int s1/0.102
Building configuration…

Current configuration : 140 bytes
!
interface Serial1/0.102 point-to-point
description NewYork
ip address 135.0.0.5 255.255.255.252
frame-relay interface-dlci 102
end

corewan1#ping 135.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms
corewan1#

And there we go, our Frame relay is up!

Getting started with a cisco router

To get started with a cisco router, you’ll first need a console cable.  The newer equipment uses USB, but needs a special driver for use under Microsoft Windows.  The older stuff uses the venerable RS232 protocol, however depending on the age of the equipment it could be a DB25 or a DB9, or perhaps even a RJ45 port in which you’ll need to plug into for the first time to configure the router.  They all start up a 9600 baud, no parity, eight databits, one stop bit (N81).  With newer computers getting a working RS232 port can be a challenge, so don’t throw away any computer that has a working RS232 port.  It may save your life one day.

Since I am using dynagen/dynamips for my example I open up my configuration with dynagen, then start all my routers like this

=> start /all
100-VM ‘nycrtr1’ started
100-VM ‘corewan1’ started
100-VM ‘corertr1’ started
100-VM ‘hkgrtr1’ started
=>

Then I can console to my selected router by typing in console (router)

=> console corertr1
=>

From there it will act like a real console port, just as if I had plugged in a serial console cable. With the console connected, and the router powered up you’ll eventually find the following question being asked:

% Please answer ‘yes’ or ‘no’.
Would you like to enter the initial configuration dialog? [yes/no]:

This is the first thing you’ll be greeted with on the console port of a virgin cisco router.  Honestly I don’t like the intial configuration, and prefer to do this all by myself.

From there the router will prompt you with the cheery:

Press RETURN to get started!

And once you press enter, a status of all the interfaces will be displayed, and you’ll be dumped at the router prompt.

Router>

From here we are in an unprivileged mode, only able to enter in some basic commands, but unable to change the configuration, or do anything really meaningful. You can view what commands are available by typing in a question mark (hit enter!), and the list will scroll by. To change to the enabled (supervisor) mode, we simply type in enable.

Router>enable
Router#

Notice how the prompt changed from > to #.  Now try the ‘?’ command again, and notice that we can do far more commands.

Some useful commands include

  • show version
  • show running-config
  • show log
  • who
  • dir

Take note that the ‘show’ command has many, many possible options to give it.  This will be the command you will use the most to figure out what is going on, inside of your network.

The ‘show running-config’ command will show us the current configuration that the router has.  Take note that it will ask you to hit ‘more’ as you go through the configuration as this has more than 24 lines to display.  This is because your ‘console’ is configured by default for 24 lines (show line 0).  Like everything else it too can be changed, but for now we’ll leave the paging function in.

This is what a ‘blank’ or empty configuration looks like:

Router#sho run
Building configuration…

Current configuration : 974 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
ip cef
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
interface Ethernet1/4
no ip address
shutdown
duplex half
!
interface Ethernet1/5
no ip address
shutdown
duplex half
!
interface Ethernet1/6
no ip address
shutdown
duplex half
!
interface Ethernet1/7
no ip address
shutdown
duplex half
!
ip classless
no ip http server
!
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
!
end

You may be thinking that for a ‘blank’ router there is a lot of things in here.  The important thing to notice right now is all the interfaces, and that they are currently in shutdown mode.  By default a router will have all of its interfaces turned OFF.  This is to prevent things from automatically “working” or screwing things up in spectacular ways. Also notice with ethernet interfaces they are typically configured at half duplex.  You very well may want to change this on a real router, emulated ones don’t matter, but if you connect a cisco router to a cisco switch, and the duplex is mismatched they will both let you know.  Quite a bit.  So do pay attention to things like that.  In between each bang (!) is a section of the configuration that can be altered by the user as you see fit.  But right now it just allows a console to plug in, and have full access.

So what are some basic things I like to setup on my routers?  Well to start a name is nice.  We enter the configuration mode from within the enable mode by typing in ‘configure terminal’.  From there we change the hostname by simply typing in hostname along with the name that we want to give the router.  Notice that the name of the router now appears on the prompt.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname corewan1
corewan1(config)#

We can now exit the configure mode by hitting CONTROL+Z.

corewan1(config)#^Z
corewan1#
02:26:53: %SYS-5-CONFIG_I: Configured from console by console

Notice that the router will trigger a syslog event, and display it on the console.  All of this is configurable but right now this is the factory default behaviour.

It is important to take note that cisco routers have two configurations, the running configuration, and the startup configuration. When you make changes to a live system, you alter the running configuration, not the startup configuration.  This is done this way that in the event that you lock yourself out of the router (removing ip routing, changing the WAN ip address, typoing the passwords.. mistakes happen) a simple power cycle will restore the router to the prior configuration.  It is imperative to test what you can when you make major changes from a second telnet console before saving the configuration.  It can take valuable time to track people down in remote countries, and walking them through a power cycle of the routers can be daunting as they usually don’t ever touch the routers.

To make this change now ‘permanent’ by committing it to the NVRAM, we can issue the command ‘copy running-config startup-config’

corewan1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK]
corewan1#

Take note that we *MUST* be out of the configuration mode to issue this command.

The ultimate test is to reboot the router, and verify that it does come up with the new configuration.  To reboot a router the command is simply reload. However with dynamips reloading the router will cause it to crash.

corertr1#reload
Proceed with reload? [confirm]y
00:20:13: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

ROM: reload requested…

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

But switching to dynagen we can quickly restart the router process.

=> stop corertr1
100-VM ‘corertr1’ stopped
=> start corertr1
100-VM ‘corertr1’ started
=> console corertr1
=>

And now we are booted into the router.

00:00:05: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
corertr1>

I should also point out that from dynagen I also save the router configuration, which will attach it to the network config file.

=> save corertr1
saved configuration from: corertr1
=>

It should be as easy as that.

Now let’s get to some nice things to add.

I always like banners to at least let you know where you are.  Some people like to have legal disclaimers warning against unauthorized access, or even ascii art.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#banner motd Z
Enter TEXT message. End with the character ‘Z’.
|\ _,,,—,,_
/,`.-‘`’ -. ;-;;,_
|,4- ) )-,_..;\ ( `’-‘
‘—”(_/–‘ `-‘\_) Welcome to the corertr1

Authorized users ONLY!!!!

Z
corertr1(config)#^Z
corertr1#
00:07:23: %SYS-5-CONFIG_I: Configured from console by console

Notice the ‘Z’ which is how I let it know that I’m done with my banner.

Passwords are also a good thing, for now I’m not going to put one on the console, but instead on the ‘vty’ ports which we will configure later for telnet access into the router.  Why not the console?  Well right now I’m operating under the idea that if you have physical access to the router, you are into the network anyways.  Obviously this may not meet your needs, but it is fine for my simple introduction.

I’m going to use a simple password of ‘cisco’.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#line vty 0 4
corertr1(config-line)#password 0 cisco
corertr1(config-line)#exit
corertr1(config)#enable password 0 cisco
corertr1(config)#^Z
corertr1#

First the vty part has the parameter 0 4 which gives the router the ability to handle five connected telnet sessions.  Maybe you want more, maybe you want less.  The next part is that after the password keyword, I’m using the number 0 which means the password is unencrypted.  It has been my experience that you ALWAYS ALWAYS ALWAYS configure the passwords using a 0, as some versions change things, and your encrypted strings may not work how you expected them to.

Another fun feature in IOS 12 is the pipe (|) which you can use to filter output from the show command.  Right now our passwords are in clear text, so we are going to encrypt them.  First to verify that they are clear:

corertr1#sho run | include password
no service password-encryption
enable password cisco
password cisco

Now we enable encryption, and re-run the command:

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#service password-encryption
corertr1(config)#^Z
corertr1#sho run | include password
00:11:36: %SYS-5-CONFIG_I: Configured from console by console
service password-encryption
enable password 7 060506324F41
password 7 121A0C041104
corertr1#

Now our passwords are not so obvious!  But be aware that there are ways to crack these simple passwords.

Screen Shot 2013-09-19 at 9.11.21 AM

My password was cracked!

You can check the site for more information on a more ‘secure’ approach to passwords, but for now it doesn’t matter.

With all of this done, we should save our configuration, and proceed to the next step.

Another popular thing to do is turn off DNS queries.  If you make a typo at the command line, the router will assume that you are trying to telnet to a host.  By default with no DNS servers specified, it will then do a broadcast twice trying to find a DNS server.  This can delay you for 30 seconds to a minute which when you are in a network downtime scenario is very annoying.  To disable this ‘feature’ simply add this to your configuration

no ip-domain lookup

And you’ll never have to worry about this!

cisco router guide

So from the last article I thought I’d go over some basic stuff about cisco routers…

And expect more to change as I go through this some more.

So I thought I’d go through something incredibly elaborate

and for the fun of it.

I’ve been playing with the latest release of dynamips (0.2.10), and very excitingly it can build for x86_64 OS X!  So I thought I’d build up a good sized network, much like what I first was exposed to when I started doing cisco networking back in the 1990’s.

Sadly I didn’t hold onto any IOS from back then, so I’m using something much newer, 12.2.  Back then I actually had some IGS stuff with version 9, and bunch of stuff on version 10 & 11.  For the most part I was lucky to use a 7513 as my wan core router, a 7200 for an access router, and 5500’s as my core route/switch fabric with ATM.  It was … very complicated for the day.

To get the ball rolling, I thought I would build out a core site, with a user & server VLAN (voip was a dream back then), and two sites connected via frame relay.  The protocols I most care about will be IPX/SPX and TCP/IP.  I was thinking of porting back the UDP patches for Qemu to version 0.90 so I could run Netware 3.12 in the mix, but honestly it is just easier to use the Netware file & print services for NT 4.0.

So along with the dynamips program, I’m using the obsolete (and easier to configure IMHO) dynagen program.

I’ve fed it a configuration like this:

autostart = False

[localhost]

[[7200]]
image = C7200-JS.BIN
npe = npe-400
ram = 160
idlepc = 0x60529c84
disk0 = 0
mmap = False
ghostios = True

[[ROUTER corertr1]]
model = 7200
slot1 = PA-8E
F0/0 = coresw1 1
E1/0 = coresw1 3
E1/1 = coresw1 8

[[ROUTER corewan1]]
model = 7200
slot1 = PA-8T
F0/0 = coresw1 2
s1/0 = F1 1
configuration = ”

[[ROUTER nycrtr1]]
model = 7200
slot1 = PA-4T+
f0/0 = nycsw1 1
s1/0 = F1 2
configuration = ”

[[ROUTER hkgrtr1]]
model = 7200
slot1 = PA-4T+
f0/0 = hkgsw1 1
s1/0 = F1 3
configuration = ”

#Frame relay switch
[[FRSW F1]]
1:102 = 2:201
1:103 = 3:301

#Core ethernet
#vlan 5 WAN
#vlan 6 server
# 4 FPNW-DC 138.1.1.10
#vlan 7 workstation
[[ethsw coresw1]]
1 = access 5
2 = access 5
3 = access 6
4 = access 6 NIO_udp:41300:127.0.0.1:51300
5 = access 6 NIO_udp:41301:127.0.0.1:51301
6 = access 6 NIO_udp:41302:127.0.0.1:51302
7 = access 6 NIO_udp:41303:127.0.0.1:51303
8 = access 7
9 = access 7 NIO_udp:41304:127.0.0.1:51304

[[ethsw nycsw1]]
1 = access 1
2 = access 1 NIO_udp:41305:127.0.0.1:51305

[[ethsw hkgsw1]]
1 = access 1
2 = access 1 NIO_udp:41306:127.0.0.1:51306

Screen Shot 2013-09-18 at 10.21.03 PM

Or something like this

Ok, now this may look complicated, but in all reality it really isn’t.  It is always a good thing to keep track of what network addresses you are going to use, so here is my chart:

 

Description IPX IP Mask
CORE
FA0/0 Wan Interconnect C0000001 138.1.0.5 255.255.255.0
Eth1/0 Server C0010001 138.1.1.1 255.255.255.0
Eth1/1 User C0010002 138.1.10.1 255.255.255.0
WAN
Fa0/0 Wan Interconnect C0000001 138.1.0.6 255.255.255.0
S1/0.102 New York PVC A0000001 135.0.0.5 255.255.255.252
S1/0.103 Hong Kong PVC A0000002 135.0.0.1 255.255.255.252
New York
Fa0/0 User C10000001 136.2.0.1 255.255.255.0
S1/0.201 Core PVC 201 A0000001 135.0.0.6 255.255.255.252
Hong Kong
Fa0/0 User C20000001 136.1.0.1 255.255.255.0
S1/0.301 Core PVC 301 A0000002 135.0.0.2 255.255.255.252

For simplicities sake for the routers & IOS I’m using 7200’s everywhere.  The 7200 is a good router with plenty of slots, so it fits my needs just fine.  I suppose I could track down a 2600 or 1700 IOS image, and use them for the access sites, but for now it doesn’t matter.  Mostly because of the ghostios image option where the same memory map can be shared between routers, and of course my Mac Pro has 16GB of RAM.

Now the exciting part of this configuration is that I can easily connect in Qemu 1.6.0 processes to this configuration, allowing me to test the network out in its entirety.  Even better thanks to it being UDP, I can reboot and restart the Qemu or router processes at will.

Naturally like any test scenario, I should spell out some goals, along with some applications that I hope to be able to run.  So to start, a simple setup with an NT 4.0 server with the FPNW services setup.  To run Qemu to attach to the first port on the server VLAN in the core switch I start Qemu like this:

./qemu/qemu-system-i386 -cpu pentium -L ./qemu/pc-bios/ -m 64 -hda FPNW-DC.vmdk -net nic,model=pcnet -net nic,model=ne2k_isa -net socket,udp=localhost:41300,localaddr=0.0.0.0:51300

And from there by changing the UDP numbers I can easily jump VLANs.  Fun.  The major thing is that each additional instance of Qemu will need a unique MAC address, so additional instances should be run like this…

./qemu/qemu-system-i386 -L ./qemu/pc-bios/ -m 16 -net nic,model=pcnet,macaddr=00:11:22:33:44:55 -net socket,udp=localhost:41304,localaddr=0.0.0.0:51304  -fda nwclient-pcnet.vfd

So maybe I should launch into some big diatribe on cisco routers, networking and the rest of the fun stuff.  And maybe I will.

I think the next article will be an anchor page for various topics of what I’m going to get into, and from there evolve my network from the mid 90’s before the internet craze into something far more modern.  And of course a page going over the scope of what I hope to create.