[Notes] Network Planning and Administration: Configuring Routers

Miguel Menéndez

Configuration and administration of routers.

There are basic router commands here.

Basic Setup Wizard

The setup command starts a basic router configuration wizard (device name, passwords, configuration of one network adapter):

Router# setup

To clear that setting:

Router# erase startup-config

Rename

Router(config)# hostname Name

Set passwords

For administrator access to the router (assign password to the enable command):

Router(config)# enable secret Whatever

Router(config)# no enable secret

For access via Telnet:

Router(config)# line vty 0 4
Router(config-line)# password WhateverOtherOther
Router(config-line)# login

For access via console port:

Router(config)# line console 0
Router(config-line)# password WhateverOtherOther
Router(config-line)# login

Encrypt passwords

Router(config)# service password-encryption
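A check for the credential settings above, as an added example (not part of the original notes). service password-encryption stores line passwords as type 7, which is a reversible encoding, while enable secret is stored as a hash; the script reports how each password in a saved configuration is stored and whether vty lines carry an access-class. The configuration text and its password values are constructed.

```python
import re

# Constructed running-config excerpt for the audit below (not from a real device).
SAMPLE = """\
no service password-encryption
enable secret 5 $1$constructed$placeholderhashvalue000
line con 0
 password 7 00112233445566
 login
line vty 0 4
 password WhateverOther
 login
"""

def audit(config):
    """Return (section, finding) pairs for the credential settings in these notes."""
    findings, section, vty_acl = [], "global", {}
    if not re.search(r"^service password-encryption\s*$", config, re.M):
        findings.append(("global", "service password-encryption is off"))
    if not re.search(r"^enable secret\b", config, re.M):
        findings.append(("global", "no enable secret configured"))
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # top-level command or start of a line section
            section = line.strip() if words[0] == "line" else "global"
            if section.startswith("line vty"):
                vty_acl[section] = False
        elif section != "global" and words[0] == "password" and len(words) > 1:
            if words[1] == "7":
                findings.append((section, "type 7 password (reversible encoding)"))
            elif len(words) == 2 or words[1] == "0":
                findings.append((section, "cleartext password"))
        elif section in vty_acl and words[0] == "access-class":
            vty_acl[section] = True
    findings += [(s, "no access-class restricting source addresses")
                 for s, ok in vty_acl.items() if not ok]
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```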

Save configuration to NVRAM

Router# copy running-config startup-config

The same, from configuration mode:

Router(config)# do w

View configuration

Router# show running-config
Router# show startup-config

Copy configuration via FTP

Router# copy startup-config tftp
Router# copy running-config tftp
Router# copy tftp startup-config
Router# copy tftp running-config

(It will ask for the IP of the FTP server, which is created on a generic server under Config > Services, and for the user and password.)

Static routing

Add a static route to the router table:

Router(config)# ip route destinationIP mask nextHopRouterAdapterIP
Router(config)# ipv6 route destinationPrefix/prefixLength nextHopRouterAdapterIP

Examples

On router 172.16.1.1:

Router(config)# ip route 192.168.2.0 255.255.255.0 172.16.1.2

On router 172.16.1.2:

Router(config)# ip route 192.168.1.0 255.255.255.0 172.16.1.1

To specify the default route:

Router(config)# ip route 0.0.0.0 0.0.0.0 195.34.12.8

(this makes 195.34.12.8 the router’s gateway)

Show route table:

Router# show ip route

ACL

After carrying out the previous planning, create each ACL in the router's global configuration mode (config), identify it by a number in the corresponding range, and then assign it to the appropriate adapter:

Create standard ACL:

Router(config)# access-list number(1-99) {deny|permit} sourceIP sourceWildcard

And assign it to the adapter closest to where the filter will be applied:

Router(config)# int Fa0/1
Router(config-if)# ip access-group number {in|out}

(in for traffic coming into the router, out for traffic going out of the router)

Create extended ACL:

Router(config)# access-list number(100-199) {deny|permit} protocol sourceIP sourceWildcard destinationIP destinationWildcard

And assign it to the adapter closest to where the filter will be applied:

Router(config)# int Fa0/1
Router(config-if)# ip access-group number {in|out}

(in for traffic coming into the router, out for traffic going out of the router)

Examples

Drop all packets whose source address is 10.0.0.1:

Router(config)# access-list 1 deny 10.0.0.1 0.0.0.0

(‘10.0.0.1 0.0.0.0’ is the same as ‘host 10.0.0.1’)

Allow messages whose source address is in the 192.168.32.0/20 subnet:

Router(config)# access-list 2 permit 192.168.32.0 0.0.15.255

Prohibit messages whose source address is in the 172.16.4.0/24 subnet:

Router(config)# access-list 3 deny 172.16.4.0 0.0.0.255

Allow hosts on 192.168.1.0/24 to send SSH packets (TCP port 22):

Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22

Deny all TCP traffic from 10.0.0.0/8 to well-known ports (<1024) of the 172.16.5.0/16 network:

Router(config)# access-list 101 deny tcp 10.0.0.0 0.255.255.255 172.16.5.0 0.0.255.255 lt 1024

Allow only computers on the 195.45.2.0/24 network to connect via Telnet to configure the router:

Router(config)# access-list 4 permit 195.45.2.0 0.0.0.255
Router(config)# access-list 4 deny any
Router(config)# line vty 0 4
Router(config-line)# access-class 4 in

Deny ping (ICMP traffic):

Router(config)# access-list 102 deny icmp any any

Deny packets originating from the 192.168.1.0/24 network, then allow any origin. Apply the ACL to inbound traffic on serial interface 2/0 of the router:

Router(config)# access-list 5 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 5 permit any
Router(config)# interface Se2/0
Router(config-if)# ip access-group 5 in

Deny host 175.253.10.1 (“PC1”) access to port 80 of any destination network. Subsequently, all IP traffic is allowed. Associate the ACL to serial interface 0/1 as inbound:

Router(config)# access-list 103 deny tcp host 175.253.10.1 any eq 80
Router(config)# access-list 103 permit ip any any
Router(config)# interface Se0/1
Router(config-if)# ip access-group 103 in
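How the router evaluates the standard ACLs above, as an added example (not part of the original notes): entries are checked in order, the wildcard mask marks the bits to ignore, and a packet that matches no entry is dropped by the implicit deny that ends every ACL. It covers standard (source-only) ACLs, using entries from the examples in these notes; the test addresses are constructed.

```python
import ipaddress

# Standard ACL entries taken from the examples in these notes.
CONFIG = """\
access-list 1 deny 10.0.0.1 0.0.0.0
access-list 2 permit 192.168.32.0 0.0.15.255
access-list 3 deny 172.16.4.0 0.0.0.255
access-list 5 deny 192.168.1.0 0.0.0.255
access-list 5 permit any
"""

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def parse_standard_acl(text):
    """Return {number: [(action, base, wildcard), ...]} in configured order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        number, action, src = int(tok[1]), tok[2], tok[3:]
        if not 1 <= number <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        if src[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wildcard = src[1], "0.0.0.0"
        else:
            base, wildcard = src[0], src[1] if len(src) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls

def evaluate(entries, source_ip):
    """First matching entry decides; no match falls to the implicit deny."""
    for position, (action, base, wildcard) in enumerate(entries, start=1):
        if wildcard_match(source_ip, base, wildcard):
            return action, position
    return "deny", None  # None marks the implicit 'deny any'

if __name__ == "__main__":
    acls = parse_standard_acl(CONFIG)
    for number, src in [(2, "192.168.47.255"), (2, "192.168.48.1"),
                        (3, "8.8.8.8"), (5, "192.168.1.7"), (5, "10.1.1.1")]:
        print(number, src, evaluate(acls[number], src))
```

ACL 3 contains only a deny entry, so every source is dropped once it is applied to an interface; ACL 5 avoids that with its closing permit any.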

Two-VLAN routing with router

Add a new normal router and connect (with the straight-through cable, the solid black line) the two FastEthernet ports of the router to the two FastEthernet ports of the normal switch.

On the router, for the 192.168.10.0/24 network:

Router(config)# interface Fa0/0
Router(config-if)# ip address 192.168.10.254 255.255.255.0
Router(config-if)# no shutdown

And for the 192.168.20.0/24 network:

Router(config)# interface Fa1/0
Router(config-if)# ip address 192.168.20.254 255.255.255.0
Router(config-if)# no shutdown

Two-VLAN routing with layer 3 switch

In the layer 3 switch called 3560-24PS (Multilayer) I create VLAN 10 for the 192.168.10.0/24 network:

Switch(config)# interface vlan10
Switch(config-if)# ip address 192.168.10.254 255.255.255.0

I create VLAN 20 for the 192.168.20.0/24 network:

Switch(config)# interface vlan20
Switch(config-if)# ip address 192.168.20.254 255.255.255.0

And, very important:

Switch(config)# ip routing

Two VLAN routing with two virtual interfaces (router on a stick)

Suppose we have to create two virtual interfaces because there is only one free port left on the router. So, beforehand, on the normal switch, I put the FastEthernet port that I will connect to the router (2/1) in trunk mode:

Switch(config)# interface Fa2/1
Switch(config-if)# switchport mode trunk

I add the normal router and connect (with the straight-through cable, the solid black line) its single FastEthernet port (0/0) to the switch's FastEthernet port in trunk mode (2/1).

On the router, for the 192.168.10.0/24 network:

Router(config)# interface Fa0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.10.254 255.255.255.0

And for the 192.168.20.0/24 network:

Router(config)# interface Fa0/0.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.254 255.255.255.0

And I start the physical interface (0/0, not 0/0.10 or 0/0.20):

Router(config)# interface Fa0/0
Router(config-if)# no shutdown
