[Notes] Network Planning and Administration: Configuring Routers
Configuration and administration of routers.
The basic router commands are listed here.
Basic Setup Wizard
The setup command starts a basic router configuration wizard (device name, passwords, configuration of one network adapter):
Router# setup
To erase the saved configuration (startup-config):
Router# erase startup-config
Rename
Router(config)# hostname Name
Set passwords
For administrator access to the router (assigns a password to the enable command):
Router(config)# enable secret Whatever
To remove it:
Router(config)# no enable secret
For access via Telnet:
Router(config)# line vty 0 4
Router(config-line)# password WhateverOtherOther
Router(config-line)# login
For access via console port:
Router(config)# line console 0
Router(config-line)# password WhateverOtherOther
Router(config-line)# login
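Encrypt passwords
Router(config)# service password-encryption
(this encodes the clear-text passwords stored in the configuration, such as the line passwords above, with Cisco type 7, which is a reversible encoding and not a hash; enable secret is already stored as a hash)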
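An added example, not part of the original notes: a Python check over a saved running-config that reports how the passwords set above are stored (enable password instead of enable secret, clear text, or type 7). The function name audit_passwords and the sample configuration are constructed for illustration.

```python
import re

PW_RE = re.compile(r"^\s*(enable password|enable secret|password)\s+(?:(\d)\s+)?\S+")

def audit_passwords(config_text):
    """Return (line_no, context, message) findings on how passwords are stored."""
    findings, lines = [], config_text.splitlines()
    if not any(l.startswith("enable secret") for l in lines):
        findings.append((0, "global", "no 'enable secret' configured"))
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append((0, "global", "'service password-encryption' not enabled"))
    context = "global"
    for no, raw in enumerate(lines, 1):
        if raw.startswith("line "):
            context = raw.strip()       # entering a 'line console/vty' block
        elif raw and not raw.startswith(" "):
            context = "global"          # any other top-level command ends it
        m = PW_RE.match(raw)
        if not m or m.group(1) == "enable secret":
            continue                    # enable secret is stored as a hash
        kind, ptype = m.group(1), m.group(2)
        if kind == "enable password":
            findings.append((no, context, "'enable password' used instead of 'enable secret'"))
        if ptype in (None, "0"):
            findings.append((no, context, "password stored in clear text"))
        elif ptype == "7":
            findings.append((no, context, "type 7 password: reversible encoding, not a hash"))
    return findings

# Constructed running-config excerpt (values are placeholders, not real encodings)
SAMPLE_CONFIG = """\
hostname R1
no service password-encryption
enable password 7 PLACEHOLDER-TYPE7
!
line con 0
 password WhateverOtherOther
 login
line vty 0 4
 password 7 PLACEHOLDER-TYPE7
 login
"""

if __name__ == "__main__":
    for no, context, message in audit_passwords(SAMPLE_CONFIG):
        print(f"line {no:>2} [{context}] {message}")
```

Findings with line number 0 apply to the configuration as a whole rather than to one line.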
Save configuration to NVRAM
Router# copy running-config startup-config
The same, abbreviated, from configuration mode (do runs a privileged EXEC command):
Router(config)# do wr
View configuration
Router# show running-config
Router# show startup-config
Copy configuration via FTP
Router# copy startup-config tftp
Router# copy running-config tftp
Router# copy tftp startup-config
Router# copy tftp running-config
(It will ask for the IP of the FTP server, which is created on a generic server under Config > Services, and for the user and password)
Static routing
Add a static route to the router table:
Router(config)# ip route destinationIP mask ipOfNearAdapterOfOtherRouter
Router(config)# ipv6 route destinationPrefix/prefixLength ipOfNearAdapterOfOtherRouter
Examples
On router 172.16.1.1:
Router(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2
On router 172.16.1.2:
Router(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1
To specify the default route:
Router(config)# ip route 0.0.0.0 0.0.0.0 195.34.12.8
(this makes 195.34.12.8 the router’s gateway)
Show route table:
Router# show ip route
ACL
After carrying out the planning, create each ACL in the router's global configuration mode (config), identify it by a number in the corresponding range, and then assign it to the appropriate adapter:
Create standard ACL:
Router(config)# access-list number(1-99) {deny|permit} sourceIP sourceWildcard
And assign it to the adapter closest to where the filter will be applied:
Router(config)# int Fa0/1
Router(config-if)# ip access-group number {in|out}
(in for traffic coming into the router, out for traffic going out of the router)
Create extended ACL:
Router(config)# access-list number(100-199) {deny|permit} protocol sourceIP sourceWildcard destinationIP destinationWildcard
And assign it to the adapter closest to where the filter will be applied:
Router(config)# int Fa0/1
Router(config-if)# ip access-group number {in|out}
(in for traffic coming into the router, out for traffic going out of the router)
Examples
Drop all packets whose source address is 10.0.0.1:
Router(config)# access-list 1 deny 10.0.0.1 0.0.0.0
(‘10.0.0.1 0.0.0.0’ is the same as ‘host 10.0.0.1’)
Allow messages whose source address is in the 192.168.32.0/20 subnet:
Router(config)# access-list 2 permit 192.168.32.0 0.0.15.255
Prohibit messages whose source address is in the 172.16.4.0/24 subnet:
Router(config)# access-list 3 deny 172.16.4.0 0.0.0.255
Allow hosts at 192.168.1.0/24 to send SSH packets (tcp port 22):
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
Deny all tcp traffic from 10.0.0.0/8 to well-known ports (<1024) of the 172.16.5.0/16 network:
Router(config)# access-list 101 deny tcp 10.0.0.0 0.255.255.255 172.16.5.0 0.0.255.255 lt 1024
Allow only computers on the 195.45.2.0/24 network to connect via Telnet to configure the router:
Router(config)# access-list 4 permit 195.45.2.0 0.0.0.255
Router(config)# access-list 4 deny any
Router(config)# line vty 0 4
Router(config-line)# access-class 4 in
Deny ping (ICMP traffic):
Router(config)# access-list 102 deny icmp any any
Deny packets originating from the 192.168.1.0/24 network, then allow any other source. Apply the ACL to inbound traffic on the router's serial interface 2/0:
Router(config)# access-list 5 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 5 permit any
Router(config)# interface Se2/0
Router(config-if)# ip access-group 5 in
Deny host 175.253.10.1 (“PC1”) access to port 80 of any destination network, then allow all other IP traffic. Apply the ACL to serial interface 0/1 as inbound:
Router(config)# access-list 103 deny tcp host 175.253.10.1 any eq 80
Router(config)# access-list 103 permit ip any any
Router(config)# interface Se0/1
Router(config-if)# ip access-group 103 in
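An added example, not part of the original notes: a Python model of how the router evaluates the standard ACLs above (entries checked top-down, wildcard bits set to 1 ignored, implicit deny when nothing matches). The function names are constructed for illustration; only standard ACLs (1-99) are handled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard bit is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def parse_standard_acls(lines):
    """Parse 'access-list N {permit|deny} {any | host IP | IP [WILDCARD]}'."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, src = int(tok[1]), tok[2], tok[3:]
        if src[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wc = src[1], "0.0.0.0"
        else:
            base, wc = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        acls.setdefault(number, []).append((action, base, wc))
    return acls

def evaluate(entries, source_ip):
    """Entries are checked top-down; the first match decides."""
    for action, base, wc in entries:
        if wildcard_match(source_ip, base, wc):
            return action
    return "deny"  # implicit 'deny any' that ends every ACL

# Standard ACLs copied from the examples in these notes
ACLS = parse_standard_acls("""\
access-list 1 deny 10.0.0.1 0.0.0.0
access-list 2 permit 192.168.32.0 0.0.15.255
access-list 4 permit 195.45.2.0 0.0.0.255
access-list 4 deny any
access-list 5 deny 192.168.1.0 0.0.0.255
access-list 5 permit any
""".splitlines())

if __name__ == "__main__":
    tests = [(1, "10.0.0.2"), (2, "192.168.47.255"), (2, "192.168.48.1"),
             (4, "195.45.3.9"), (5, "192.168.1.77"), (5, "8.8.8.8")]
    for number, ip in tests:
        print(f"ACL {number}, source {ip}: {evaluate(ACLS[number], ip)}")
```

ACL 1 applied on its own denies every source, not only 10.0.0.1, because no permit entry precedes the implicit deny; ACL 5 shows the usual pattern of a specific deny followed by permit any.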
Two-VLAN routing with router
Add a new normal router and connect (with the solid black straight-through cable) the router's two FastEthernet ports to two FastEthernet ports of the normal switch.
On the router, for the 192.168.10.0/24 network:
Router(config)# interface Fa0/0
Router(config-if)# ip address 192.168.10.254 255.255.255.0
Router(config-if)# no shutdown
And for the 192.168.20.0/24 network:
Router(config)# interface Fa1/0
Router(config-if)# ip address 192.168.20.254 255.255.255.0
Router(config-if)# no shutdown
Two-VLAN routing with layer 3 switch
On the layer 3 switch called 3560-24PS (Multilayer) I create VLAN 10 for the 192.168.10.0/24 network:
Switch(config)# interface vlan10
Switch(config-if)# ip address 192.168.10.254 255.255.255.0
I create VLAN 20 for the 192.168.20.0/24 network:
Switch(config)# interface vlan20
Switch(config-if)# ip address 192.168.20.254 255.255.255.0
And, very important, enable routing on the switch:
Switch(config)# ip routing
Two VLAN routing with two virtual interfaces (router on a stick)
We need to create two virtual interfaces because there is only one free port left on the router. So first, on the normal switch, I put the FastEthernet port that I will connect to the router (2/1) in trunk mode:
Switch(config)# interface Fa2/1
Switch(config-if)# switchport mode trunk
I add the normal router and connect (with the solid black straight-through cable) its only FastEthernet port (0/0) to the switch's FastEthernet port in trunk mode (2/1).
On the router, for the 192.168.10.0/24 network:
Router(config)# interface Fa0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.10.254 255.255.255.0
And for the 192.168.20.0/24 network:
Router(config)# interface Fa0/0.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.254 255.255.255.0
And I start the physical interface (0/0, not 0/0.10 or 0/0.20):
Router(config)# interface Fa0/0
Router(config-if)# no shutdown