Wednesday, 12 May 2010

Home Router Setup - Part 1: Ports

The next few posts will be a series about the setup of a Cisco 800 Series router as a home router. I will detail everything from setting up the interfaces, users, DNS, DHCP, SSH, NAT and more.

Below is a diagram that illustrates the network layout for this series of posts.

  • Lab Network - 10.0.1.0/24
  • Test Network - 10.0.2.0/24


Part 1 - Initial Configuration

In this part I will configure my ports and apply some security to the router.


I name the router, apply an enable password and create a banner.

Router#configure terminal
Router(config)#hostname Router1
Router1(config)#enable secret cisco123
Router1(config)#banner motd % No Unauthorised Access %



I create a local user.

Router1(config)#username bob secret cisco123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local



I set the domain, create SSH keys and apply some SSH settings.

Router1(config)#ip domain-name walliford.local
Router1(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: Router1.walliford.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh version 2
Router1(config)#ip ssh authentication-retries 2



I create a standard ACL that I will later apply to the VTY (telnet/SSH) lines so only the Lab network can reach them. Matches are logged.

Router1(config)#ip access-list standard ADMIN_ACCESS
Router1(config-std-nacl)#permit 10.0.1.0 0.0.0.255 log
Router1(config-std-nacl)#deny any log
Router1(config-std-nacl)#exit



I configure the console port to use the local user account and apply some timeout values.

Router1(config)#line console 0
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#exit



I apply several settings to the Aux port so it cannot be used.

Router1(config)#line aux 0
Router1(config-line)#no password
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#transport input none
Router1(config-line)#exit



I configure the VTY (telnet) lines to accept SSH and telnet only and to use the local user account. I apply a timeout value and apply the ACL so that only hosts on the Lab network can reach the router.

Router1(config)#line vty 0 4
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#transport input ssh telnet
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#access-class ADMIN_ACCESS in
Router1(config-line)#exit


I prevent 3 of the 5 telnet ports from being used.

Router1(config)#line vty 2 4
Router1(config-line)#transport input none
Router1(config-line)#exit



I set the clock, timezone and daylight saving settings.

Router1(config)#clock timezone GMT 0
Router1(config)#clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
Router1(config)#end
Router1#clock set 21:24:00 12 May 2010



I apply login blocking and a delay between attempts to slow brute-force attacks: after 3 failed logins within 20 seconds the router refuses further logins for 20 seconds, and every login attempt is delayed by 2 seconds.

Router1#configure terminal
Router1(config)#login block-for 20 attempts 3 within 20
Router1(config)#login delay 2
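To check that a saved running-config actually carries the hardening applied in this part (SSH v2, no telnet on the VTYs, aux port disabled, access-class and exec-timeout on each live line, login block-for), here is a small audit script. It is an added example, not part of the original post; SAMPLE_CONFIG is a constructed config that still permits telnet on vty 0 1, and the check names are my own.

```python
# Added example, not from the original post; SAMPLE_CONFIG is constructed.
import re

SAMPLE_CONFIG = """\
ip ssh version 2
line aux 0
 transport input none
line vty 0 1
 exec-timeout 30 0
 access-class ADMIN_ACCESS in
 transport input ssh telnet
line vty 2 4
 transport input none
"""

def line_sections(config):
    """Map each 'line X' block to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other global command ends the block
    return sections

def audit(config):
    """Return findings as strings; an empty list means all checks passed."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("global: SSH version 2 not enforced")
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+$", config, re.M):
        findings.append("global: no 'login block-for' brute-force protection")
    for name, cmds in line_sections(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        disabled = transport == "transport input none"
        if name.startswith("aux") and not disabled:
            findings.append(f"line {name}: aux port not disabled")
        if name.startswith("vty") and not disabled:
            # No transport line means the IOS default, which allows telnet.
            if not transport or "telnet" in transport or "all" in transport:
                findings.append(f"line {name}: cleartext telnet permitted")
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"line {name}: no access-class on VTY")
        if not disabled and not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: no exec-timeout")
    return findings
```

Run `audit(open("running-config.txt").read())` against a `show running-config` capture; on the sample it flags the missing login block-for and the telnet transport on vty 0 1.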