Thursday 13 May 2010

Home Router Setup - Part 2: Interfaces & Services

In this post I'll set up the network interfaces and two network services, DNS and DHCP.

Below is a diagram of the lab I'll be using.




Part 2 - Interfaces and Services


Here I set up the two network interfaces and disable CDP on the Test Network interface, so the router does not advertise its platform, IOS version and addresses to hosts on that segment.

Router1(config)#interface ethernet 0
Router1(config-if)#ip address 10.0.2.254 255.255.255.0
Router1(config-if)#no cdp enable
Router1(config-if)#exit

Router1(config)#interface ethernet 1
Router1(config-if)#ip address 10.0.1.254 255.255.255.0
Router1(config-if)#no shut
Router1(config-if)#exit



I configure the router to use the Extreme router (10.0.1.1) as its default gateway. I also point it at the OpenDNS name servers and enable the DNS server function, so it answers DNS queries from other network hosts and forwards them upstream.

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.0.1.1
Router1(config)#ip domain-lookup
Router1(config)#ip name-server 208.67.222.222
Router1(config)#ip name-server 208.67.220.220
Router1(config)#ip dns server
Router1(config)#exit



Next I configure DHCP for the Test Network.

Router1(config)#service dhcp
Router1(config)#ip dhcp pool TEST_NETWORK_DHCP_POOL
Router1(dhcp-config)#network 10.0.2.0 /24
Router1(dhcp-config)#domain-name walliford.local
Router1(dhcp-config)#dns-server 10.0.2.254
Router1(dhcp-config)#default-router 10.0.2.254
Router1(dhcp-config)#lease 7
Router1(dhcp-config)#exit



I exclude addresses so that only 10.0.2.10 - 10.0.2.20 are handed out to DHCP clients; the router's own address, 10.0.2.254, falls inside the excluded range.

Router1(config)#ip dhcp excluded-address 10.0.2.1 10.0.2.9
Router1(config)#ip dhcp excluded-address 10.0.2.21 10.0.2.255
Router1(config)#end

Wednesday 12 May 2010

Home Router Setup - Part 1: Ports

The next few posts will be a series about the setup of a Cisco 800 Series router as a home router. I will detail everything from setting up the interfaces, users, DNS, DHCP, SSH, NAT and more.

Below is a diagram that illustrates the network layout for this series of posts.





  • Lab Network - 10.0.1.0/24
  • Test Network - 10.0.2.0/24


Part 1 - Initial Configuration

In this part I will configure my ports and apply some security to the router.


I name the router, set an enable secret (which IOS stores as a hash, unlike enable password) and create a login banner. cisco123 is a lab placeholder; use a strong, unique secret on a real router.

Router#configure terminal
Router(config)#hostname Router1
Router1(config)#enable secret cisco123
Router1(config)#banner motd % No Unauthorised Access %



I create a local user and enable AAA with a named login method list, local_auth, that authenticates against the local user database.

Router1(config)#username bob secret cisco123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local



I set the domain name (the RSA key pair is named after hostname.domain), generate the keys and apply some SSH settings. A 1024-bit modulus was typical in 2010; current guidance is at least 2048 bits.

Router1(config)#ip domain-name walliford.local
Router1(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: Router1.walliford.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh version 2
Router1(config)#ip ssh authentication-retries 2



I create a standard ACL, which I will apply to the vty lines, that permits only the Lab Network and logs everything else.

Router1(config)#ip access-list standard ADMIN_ACCESS
Router1(config-std-nacl)#permit 10.0.1.0 0.0.0.255 log
Router1(config-std-nacl)#deny any log
Router1(config-std-nacl)#exit



I configure the console port to authenticate with the local_auth method list and set a 30-minute idle timeout.

Router1(config)#line console 0
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#exit



I apply several settings to the Aux port so it cannot be used.

Router1(config)#line aux 0
Router1(config-line)#no password
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#transport input none
Router1(config-line)#exit



I configure the vty lines to accept SSH and telnet only, authenticate with the local_auth method list, set a 30-minute idle timeout and apply the ACL so only hosts on the Lab Network can reach the router. Telnet sends credentials in cleartext; with SSH working, transport input ssh on its own is the safer choice.

Router1(config)#line vty 0 4
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#transport input ssh telnet
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#access-class ADMIN_ACCESS in
Router1(config-line)#end


I disable vty lines 2 to 4, leaving only vty 0 and 1 able to accept sessions.

Router1(config)#line vty 2 4
Router1(config-line)#transport input none
Router1(config-line)#exit



I set the timezone, the daylight saving rule and then the clock. IOS takes the start time of the rule in standard time and the end time in summer time, so for the UK the clocks go forward at 1:00 GMT on the last Sunday in March and back at 2:00 BST on the last Sunday in October.

Router1(config)#clock timezone GMT 0
Router1(config)#clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
Router1(config)#end
Router1#clock set 21:24:00 12 May 2010



I configure login throttling to slow brute-force attacks: after 3 failed attempts within 20 seconds the router enters a 20-second quiet period in which further login attempts on the vty lines are refused, and a 2-second delay is enforced between successive attempts. A login quiet-mode access-class can exempt trusted admin hosts from the quiet period; none is set here, so a burst of bad logins from the Lab Network also locks out a legitimate admin for those 20 seconds.

Router1(config)#login block-for 20 attempts 3 within 20
Router1(config)#login delay 2
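As an added example (not code from these posts), here is a small Python lint that checks an IOS running-config for the hardening items applied in Parts 1 and 2: an enable secret rather than an enable password, SSH pinned to version 2, login throttling, a disabled aux port, vty lines with an access-class and an idle timeout and without telnet, and CDP disabled per interface. The sample configuration is constructed to show how the commands above would appear in show running-config; the password hashes are placeholders. Run against that sample it reports the two things a reviewer would flag in this series: telnet still accepted on vty 0 1, and CDP still running on ethernet 1.

```python
"""Lint a Cisco IOS running-config for the hardening items in this series.

Added example for these posts, not the author's tooling. SAMPLE_CONFIG is a
constructed rendering of the Part 1 and Part 2 commands; hashes are fake.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname Router1
enable secret 5 $1$PLACEHOLDER$not.a.real.hash
aaa new-model
aaa authentication login local_auth local
username bob secret 5 $1$PLACEHOLDER$not.a.real.hash
ip ssh time-out 120
ip ssh authentication-retries 2
ip ssh version 2
login block-for 20 attempts 3 within 20
login delay 2
ip access-list standard ADMIN_ACCESS
 permit 10.0.1.0 0.0.0.255 log
 deny   any log
interface Ethernet0
 ip address 10.0.2.254 255.255.255.0
 no cdp enable
interface Ethernet1
 ip address 10.0.1.254 255.255.255.0
line con 0
 exec-timeout 30 0
 login authentication local_auth
line aux 0
 no exec
 transport input none
line vty 0 1
 access-class ADMIN_ACCESS in
 exec-timeout 30 0
 login authentication local_auth
 transport input ssh telnet
line vty 2 4
 transport input none
"""

SECTION_HEADER = re.compile(r"^(interface|line|ip access-list)\b")


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and the indented children of
    interface/line/ACL sections, keyed by their header line."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # child command of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if SECTION_HEADER.match(line) else None
        if current is not None:
            sections[current] = []
    return top, sections


def audit(config: str) -> List[str]:
    """Return findings for the checks this series cares about; [] means clean."""
    top, sections = parse_ios(config)
    findings: List[str] = []
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no 'enable secret' (enable password is reversible)")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("global: no 'login block-for' brute-force throttle")
    for header, body in sections.items():
        if header.startswith("interface") and "no cdp enable" not in body:
            findings.append(f"{header}: CDP still enabled (advertises platform and IOS version)")
        if header.startswith("line aux") and ("no exec" not in body or "transport input none" not in body):
            findings.append(f"{header}: not disabled (want 'no exec' and 'transport input none')")
        if header.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), None)
            if transport == "transport input none":
                continue                   # line is closed; nothing else to check
            if transport is None:
                findings.append(f"{header}: no explicit 'transport input' (platform default applies)")
            elif "telnet" in transport.split():
                findings.append(f"{header}: telnet accepted (cleartext); use 'transport input ssh'")
            if not any(c.startswith("access-class") for c in body):
                findings.append(f"{header}: no access-class restricting source hosts")
            # IOS defaults to a 10 minute idle timeout; 0 0 switches it off.
            timeout = next((c for c in body if c.startswith("exec-timeout")), "exec-timeout 10 0")
            if timeout == "exec-timeout 0 0":
                findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The parser only understands the two-level layout of a running-config (header lines with one-space-indented children), which is enough for line, interface and named-ACL sections; anything fancier, such as nested class-map or policy-map blocks, would need a stack.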

Sunday 9 May 2010

Frame Relay - Point to Point

In this post I will configure my lab to use frame relay in a point to point configuration. Below is a diagram of the lab I will be using.







R0

R0#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#interface serial 0/0
R0(config-if)#encapsulation frame-relay
R0(config-if)#exit

R0(config)#interface serial 0/0.100 point-to-point
R0(config-subif)#ip address 192.168.1.1 255.255.255.0
R0(config-subif)#frame-relay interface-dlci 100
R0(config-fr-dlci)#exit
R0(config-subif)#exit

R0(config)#interface serial 0/0.101 point-to-point
R0(config-subif)#ip address 192.168.2.1 255.255.255.0
R0(config-subif)#frame-relay interface-dlci 101
R0(config-fr-dlci)#exit
R0(config-subif)#exit

R0(config)#interface serial 0/0
R0(config-if)#no shut



R1

R1(config)#interface serial 0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#exit

R1(config)#interface serial 0/0.200 point-to-point
R1(config-subif)#ip address 192.168.1.2 255.255.255.0
R1(config-subif)#frame-relay interface-dlci 200
R1(config-fr-dlci)#exit
R1(config-subif)#exit

R1(config)#interface serial 0/0
R1(config-if)#no shutdown



R2

R2(config)#interface serial 0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#exit

R2(config)# interface serial 0/0.300 point-to-point
R2(config-subif)#ip address 192.168.2.2 255.255.255.0
R2(config-subif)#frame-relay interface-dlci 300
R2(config-fr-dlci)#exit
R2(config-subif)#exit

R2(config)#interface serial 0/0
R2(config-if)#no shutdown



Show Commands


R2#show frame-relay pvc
PVC Statistics for interface Serial0/0 (Frame Relay DTE)

Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 0 0 0 0

DLCI = 300, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.300

input pkts 349 output pkts 358 in bytes 31010
out bytes 30951 dropped pkts 0 in pkts dropped 0
out pkts dropped 0 out bytes dropped 0
in FECN pkts 0 in BECN pkts 0 out FECN pkts 0
out BECN pkts 0 in DE pkts 0 out DE pkts 0
out bcast pkts 344 out bcast bytes 29735
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
pvc create time 00:32:46, last time pvc status changed 00:31:55




R2#show frame-relay lmi
LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 25 Num Status msgs Rcvd 26
Num Update Status Rcvd 0 Num Status Timeouts 0
Last Full Status Req 00:00:56 Last Full Status Rcvd 00:00:56



R2#sh frame-relay map
Serial0/0.300 (up): point-to-point dlci, dlci 300(0x12C,0x48C0), broadcast
status defined, active



After configuring frame relay I am able to ping routers on the same network but not the other networks, so currently R2 cannot talk to R1.


R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


I have no route to the 192.168.1.0 network in my routing table.


R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.2.0/24 is directly connected, Serial0/0.300


To fix this I enable EIGRP on all three routers using the config below (shown on R2; the same two commands go on R0 and R1). The wildcard mask 0.0.255.255 covers both 192.168.1.0/24 and 192.168.2.0/24.


R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 10
R2(config-router)#network 192.168.0.0 0.0.255.255
R2(config-router)#end


Now I try again.


R2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms


And my routing table shows the routes created by EIGRP.


R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
D 192.168.1.0/24 [90/2681856] via 192.168.2.1, 00:01:20, Serial0/0.300
C 192.168.2.0/24 is directly connected, Serial0/0.300

Friday 7 May 2010

Frame-Relay - Multipoint

In this post I'll detail the configuration used to set up frame-relay in a multipoint configuration for the lab shown in the diagram below.






R0

R0(config)#interface serial 0/0
R0(config-if)#ip address 192.168.1.1 255.255.255.0
R0(config-if)#encapsulation frame-relay
R0(config-if)#no shut

R0(config-if)#frame-relay map ip 192.168.1.2 100 broadcast
R0(config-if)#frame-relay map ip 192.168.1.3 101 broadcast
R0(config-if)#end


R1

R1(config)#interface serial 0/0
R1(config-if)#ip address 192.168.1.2 255.255.255.0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shut

R1(config-if)#frame-relay map ip 192.168.1.1 200 broadcast
R1(config-if)#frame-relay map ip 192.168.1.3 200 broadcast
R1(config-if)#end


R2

R2(config)#interface serial 0/0
R2(config-if)#ip address 192.168.1.3 255.255.255.0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shut
R2(config-if)#exit

R2(config)#interface serial 0/0
R2(config-if)#frame-relay map ip 192.168.1.1 300 broadcast
R2(config-if)#frame-relay map ip 192.168.1.2 300 broadcast
R2(config-if)#end



Show Commands

R2#show frame-relay lmi

LMI Statistics for interface Serial0/0 (Frame Relay DTE) LMI TYPE = ANSI
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 168 Num Status msgs Rcvd 80
Num Update Status Rcvd 0 Num Status Timeouts 89
Last Full Status Req 00:00:04 Last Full Status Rcvd 00:00:04


R2#show frame-relay map
Serial0/0 (up): ip 192.168.1.1 dlci 300(0x12C,0x48C0), static,
broadcast,
CISCO, status defined, active
Serial0/0 (up): ip 192.168.1.2 dlci 300(0x12C,0x48C0), static,
broadcast,
CISCO, status defined, active



Debug Commands

R2#debug frame-relay lmi interface serial 0/0
Frame Relay LMI debugging is on
Displaying lmi data from interface Serial0/0 only
*Mar 1 00:58:02.583: Serial0/0(out): StEnq, myseq 100, yourseen 97, DTE up
*Mar 1 00:58:02.587: datagramstart = 0x7A019D4, datagramsize = 14
*Mar 1 00:58:02.587: FR encap = 0x00010308
*Mar 1 00:58:02.587: 00 75 95 01 01 01 03 02 64 61
*Mar 1 00:58:02.595:
*Mar 1 00:58:02.607: Serial0/0(in): Status, myseq 100, pak size 14
*Mar 1 00:58:02.607: RT IE 1, length 1, type 1
*Mar 1 00:58:02.607: KA IE 3, length 2, yourseq 98, myseq 100
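The debug output above shows the raw LMI bytes, and both Frame Relay posts print DLCIs in the form dlci 300(0x12C,0x48C0). As an added example (not code from these posts), the Python below decodes both: the Q.922 address field that IOS prints beside each DLCI, and the ANSI-style LMI status enquiry taken byte for byte from the debug line (FR encap 0x00010308 followed by 00 75 95 01 01 01 03 02 64 61). It also builds the matching STATUS reply from the sequence numbers the debug reports (yourseq 98, myseq 100) and performs the link-integrity check that, when it fails, increments the Num Status Timeouts counter in show frame-relay lmi. The reply bytes are constructed, not captured.

```python
"""Decode Frame Relay DLCI address fields and LMI keepalive messages.

Added example for the two Frame Relay posts, not the author's tooling.
STATUS_ENQUIRY is copied from the page's debug output; STATUS_REPLY is
constructed from the sequence numbers the debug line reports.
"""
from typing import Any, Dict

LMI_MSG_TYPES = {0x75: "STATUS ENQUIRY", 0x7D: "STATUS"}
REPORT_TYPES = {0: "full status", 1: "link integrity verification only",
                2: "single PVC async status"}


def dlci_to_address(dlci: int) -> int:
    """Two-octet Q.922 address with C/R, FECN, BECN, DE and EA bits clear,
    the form IOS prints in 'show frame-relay map': 300 -> 0x48C0."""
    if not 0 <= dlci <= 1023:
        raise ValueError("10-bit DLCI expected")
    return ((dlci & 0x3F0) << 6) | ((dlci & 0x00F) << 4)


def address_to_dlci(address: int) -> int:
    """Inverse of dlci_to_address; ignores the control bits, so it also
    decodes on-the-wire headers where EA is set (0x0001 -> DLCI 0)."""
    return ((address >> 6) & 0x3F0) | ((address >> 4) & 0x00F)


def parse_lmi(frame: bytes) -> Dict[str, Any]:
    """Parse an LMI frame as shown by 'debug frame-relay lmi': 2-octet
    address, UI control 0x03, protocol discriminator (0x08 for ANSI/Q.933,
    0x09 for Cisco LMI), dummy call reference, message type, then IEs."""
    if len(frame) < 6:
        raise ValueError("truncated LMI frame")
    if frame[2] != 0x03 or frame[3] not in (0x08, 0x09):
        raise ValueError("not an LMI frame")
    out: Dict[str, Any] = {
        "dlci": address_to_dlci(int.from_bytes(frame[:2], "big")),
        "call_ref": frame[4],
        "msg_type": LMI_MSG_TYPES.get(frame[5], f"unknown 0x{frame[5]:02x}"),
        "codeset": 0,
    }
    i = 6
    while i < len(frame):
        ie = frame[i]
        if (ie & 0xF0) == 0x90:          # single-octet shift IE; ANSI sends 0x95 (codeset 5)
            out["codeset"] = ie & 0x07
            i += 1
            continue
        if i + 1 >= len(frame):
            raise ValueError("truncated IE header")
        length = frame[i + 1]
        body = frame[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated IE body")
        if ie == 0x01 and length == 1:   # report type
            out["report_type"] = REPORT_TYPES.get(body[0], f"unknown {body[0]}")
        elif ie == 0x03 and length == 2:  # link integrity verification (keepalive)
            out["send_seq"], out["recv_seq"] = body[0], body[1]
        elif ie == 0x07:                 # PVC status; layout varies by LMI type, keep raw
            out.setdefault("pvc_status", []).append(body.hex())
        i += 2 + length
    return out


def build_lmi(msg_type: int, send_seq: int, recv_seq: int,
              report_type: int = 1, codeset: int = 5, dlci: int = 0) -> bytes:
    """Build a keepalive-only ANSI/Q.933 LMI message (EA set on the second
    address octet, locking shift emitted when codeset is non-zero)."""
    address = (dlci_to_address(dlci) | 0x0001).to_bytes(2, "big")
    shift = bytes([0x90 | codeset]) if codeset else b""
    ies = bytes([0x01, 1, report_type, 0x03, 2, send_seq, recv_seq])
    return address + bytes([0x03, 0x08, 0x00, msg_type]) + shift + ies


def link_integrity_ok(enquiry: bytes, status: bytes) -> bool:
    """A STATUS counts as a valid keepalive only if it echoes the send
    sequence of the DTE's own enquiry; otherwise it is a status timeout."""
    return parse_lmi(status)["recv_seq"] == parse_lmi(enquiry)["send_seq"]


# From the debug output: "FR encap = 0x00010308" then
# "00 75 95 01 01 01 03 02 64 61" (datagramsize = 14).
STATUS_ENQUIRY = bytes.fromhex("00010308" "00759501010103026461")
# Constructed reply matching the logged "KA IE 3, length 2, yourseq 98, myseq 100".
STATUS_REPLY = build_lmi(0x7D, send_seq=98, recv_seq=100)

if __name__ == "__main__":
    print(parse_lmi(STATUS_ENQUIRY))
    print(parse_lmi(STATUS_REPLY))
    print("keepalive ok:", link_integrity_ok(STATUS_ENQUIRY, STATUS_REPLY))
    print(f"DLCI 300 -> 0x{dlci_to_address(300):04X}")
```

Decoding the enquiry gives DLCI 0, message type STATUS ENQUIRY, codeset 5, report type 1 (sequence numbers only, the normal periodic keepalive rather than a full status request) and send/receive sequence numbers 100 and 97, which is exactly what the debug line summarises as StEnq, myseq 100, yourseen 97.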