
Basic Equipment Setup

Accessing the Routers & Switches

The overall architecture and the full address plan can be found in the IP Address Plan

Lab access instructions

There are eight Cisco devices on the table in front of you. They will be used in the following ways:

Device   Usage
2901     Border router
3750     Core router
3560     Layer 2 switches

The bottom two 3560 switches in each stack will be used as the Edge switches and the top 3560 as the Aggregation switch for the two buildings shown in the diagram above.

We will use the console cables to connect to the devices until we have configured them more fully.

You can download and install the drivers for the USB cable from:

http://www.ftdichip.com/Drivers/VCP.htm

Choose the correct drivers for your operating system and install them.

Connecting from Windows

You can use Putty which we installed earlier to connect to the serial port created when the USB adapter is plugged in.

On the Putty window choose the Serial option and then change the Serial line to COM6. Leave the Speed set to 9600.

Select Open

You can disconnect from the switch by closing the window.

Connecting from Linux or Mac

You can use the command line application cu to connect to the serial port created when the USB adapter is plugged in. You can identify the name of the device using:

$ ls /dev/cu.usbserial*
/dev/cu.usbserial-FTDX4U8N

Then you can run:

$ sudo cu -9600 -l /dev/cu.usbserial-FTDX4U8N
Password:
Connected.

You can disconnect from the device by typing ~.

Once you are connected

You may need to hit Enter a few times to get a prompt from the Ethernet switch, which should look like:

Switch>

If you are connected to a router, the initial prompt you will get should look like:

Router>

If you are asked:

Would you like to enter the initial configuration dialog? [yes/no]:

the only correct answer is no!

Basic Device Configuration

Our campus network consists of two routers (r1-bdr-campusX and r1-core-campusX) as well as six switches (se1-b1-campusX, se2-b1-campusX, sd1-b1-campusX, se1-b2-campusX, se2-b2-campusX, and sd1-b2-campusX).

Hostname

The routers and switches in your group should be given a basic configuration, as the following examples show:

Router> enable
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router (config)# hostname r1-bdr-campusX
r1-bdr-campusX(config)#

Routers Only: Turn on IP routing

Real routers have IP routing turned on by default. But we are using a Cisco Catalyst 3750 as our core router (it is called a Layer 3 switch), and these do not have IP routing turned on by default:

r1-core-campusX(config)# ip routing

Do not turn on IP routing on your access and distribution switches! Those are Layer 2 devices only (and may not even support routing).

Turn Off Domain Name Lookups

Cisco devices will always try to look up in DNS any name or address specified on the command line. You can see this when doing a traceroute on a router with no DNS server, or with a DNS server that has no in-addr.arpa entries for the IP addresses. We will turn this lookup off for the labs for the time being to speed up traceroutes.

Router (config)# no ip domain-lookup

Set Workshop Domain Name

We need to set the domain name for each device in our campus network, using the following command:

Router (config)# ip domain-name campusX.ws.nsrc.org

Configure console and other ports

Router (config)# line con 0
Router (config-line)# transport preferred none
Router (config-line)# line vty 0 4
Router (config-line)# transport preferred none

Disable Source Routing

Unless you really believe there is a need for it, source routing should be disabled. This option, enabled by default, allows the router to process packets carrying source routing header options. The feature is a well-known security risk, as it allows remote sites to send packets with a different source address through the network (this was useful for troubleshooting networks from different locations on the Internet, but in recent years it has been widely abused for miscreant activities on the Internet).

Router (config)# no ip source-route

Usernames and Passwords

All router usernames should be cndlab and all passwords should be lab-PW. Please do not change the username or password to anything else, or leave the password unconfigured (access to vty ports is not possible if no password is set). It is essential for a smooth operating lab that all participants have access to all routers.

Router (config)# username cndlab secret lab-PW
Router (config)# enable secret lab-PW
Router (config)# service password-encryption

The service password-encryption directive tells the router to encrypt all passwords stored in the router’s configuration (apart from enable secret which is already encrypted).

Note A: There is the temptation to simply have a username of cisco and password of cisco as a lazy solution to the username/password problem. Under no circumstances must any service provider operator ever use easily guessable passwords such as these on their live operational network.

IMPORTANT: This sentence cannot be emphasized enough. It is quite common for attackers to gain access to networks simply because operators have used familiar or easily guessed passwords.

Note B: For IOS releases prior to 12.3, the username/secret pair is not available, and operators will have to configure username/password instead. The latter format uses type-7 encryption (a reversible obfuscation, not a real protection), whereas the former uses the more secure MD5-based hashing.

Enabling login access for other machines

In order to let you telnet into your router in future modules of this workshop, you need to configure a password for all virtual terminal lines.

Router1 (config)# aaa new-model
Router1 (config)# aaa authentication login default local
Router1 (config)# aaa authentication enable default enable

This series of commands tells the router to look locally for the standard user login (the username/secret pair set earlier), and to use the locally configured enable secret for the enable login. By default, login will be enabled on all vtys so that other teams can gain access.

Configure system logging

A vital part of any Internet operational system is to record logs. The router by default will display system logs on the router console. However, this is undesirable for Internet operational routers, as the console is a 9600 baud connection and can place a high processor interrupt load on the router at times of busy traffic on the network. Instead, the router logs can be recorded into a buffer on the router; this takes no interrupt load and it also enables the operator to check the history of what events happened on the router. In a future module, the lab will configure the router to send the log messages to a SYSLOG server.

Router1 (config)# no logging console
Router1 (config)# logging buffered 8192 debug

which disables console logs and instead records all logs in an 8192-byte buffer set aside on the router. To see the contents of this internal logging buffer at any time, use the command “show log” at the command prompt.

Using SSH for device access

The software images for the routers and switches you are using in this workshop have Secure Shell support available in them. This step will enable SSH support for access to and from the devices. You can recognise an image which has SSH in it as it will have either “k4” or “k9” in the name, signifying 3DES crypto support; for example, c2600-advipservicesk9-mz.124-25a is a crypto service provider image for the 2600XM series routers. If you do a show version at the command prompt, you will see what IOS release the router is running.

To enable support for SSH on the router, first the key needs to be set. To do this enter the following IOS command in configuration mode:

crypto key generate rsa

which will generate an RSA crypto key for the router. The prompt asks what key modulus should be chosen, in a range from 360 (more or less useless) to 2048 (the best). This key will be automatically stored in a file in NVRAM; this file is not readable by any user on the router.

Next we permit only SSH version 2; SSH version 1 has long been obsolete because of its security weaknesses.

ip ssh version 2

And finally we restrict the VTY access (the VTYs are the virtual terminal lines used when you SSH or telnet from device to device). Notice below that we only permit SSH to be used for connections between devices; we turn off telnet as it is a huge security risk (passwords and all activity are sent in the clear).

line con 0
 transport output ssh
 transport preferred none
line aux 0
 transport output ssh
 transport input none
 transport preferred none
line vty 0 4
 transport input ssh
 transport output ssh
 transport preferred none

Login Banner

Cisco IOS by default has a simple welcome message when a new administrative connection to the router is opened. Most network operators tend to customise this banner to be appropriate to their business. We will now set up a login banner for the routers and switches in the workshop lab. Use an appropriate greeting; if you use an inappropriate greeting, expect the lab instructors to ask you to change it. Use the following example:

banner login ^
        Network Startup Resource Center
       Campus Network Design Workshop Lab

            Authorised Access Only
 Unauthorised users MUST disconnect IMMEDIATELY
^

Disable built-in http server

Cisco IOS comes with a built-in HTTP server which is enabled by default (it assists with simple installation for non-technical users). This server is not necessary for competent network operators, and having it active by default is actually a serious security risk. Disable it before the router or switch receives any IP address configuration:

no ip http server
no ip http secure-server

Save the Configuration

With the basic configuration in place, save the configuration. To do this, exit from configuration mode by typing “end” or “<ctrl> Z”, and at the enable prompt enter “write memory”.

Router1(config)#^Z
Router1# write memory
Building configuration...
[OK]
Router1#

It is highly recommended that the configuration is saved to NVRAM quite frequently. If the configuration is not saved to NVRAM, any changes made to the running configuration will be lost after a power cycle or virtual machine failure.

Log off the router by typing exit, and then log back in again. Notice how the login sequence has changed, prompting the user for a “username” and “password”. Note that at each checkpoint in the workshop, you should save the configuration to memory; remember that powering the router off will result in it reverting to the last saved configuration in NVRAM.
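Once a device has been configured, it is worth checking the saved configuration against the hardening steps above rather than trusting memory. The following script is an added example (not part of the workshop material or of any NSRC tool): it parses a constructed IOS running-config into top-level commands and indented line sections, then reports which of this page's settings (domain lookup, source routing, password encryption, AAA, buffered logging, SSH version 2, HTTP server, SSH-only vty lines) are missing. It assumes the device shows each setting in the exact form used on this page, and treats an absent "no ..." command as a finding.

```python
# Constructed sample running-config (not from a real device). Two deliberate gaps:
# the vty lines still accept telnet, and the HTTP server was never disabled.
SAMPLE_CONFIG = """\
no ip domain-lookup
service password-encryption
no ip source-route
enable secret 5 $1$placeholder
aaa new-model
aaa authentication login default local
no logging console
logging buffered 8192 debugging
ip ssh version 2
line con 0
 transport preferred none
line vty 0 4
 transport output ssh
 transport preferred none
"""

# Top-level commands this page's procedure leaves in the config; absence is a finding.
REQUIRED_GLOBAL = [
    "no ip domain-lookup", "service password-encryption", "no ip source-route",
    "aaa new-model", "aaa authentication login default local", "no logging console",
    "ip ssh version 2", "no ip http server", "no ip http secure-server",
]

def parse_config(text):
    """Split an IOS config into top-level commands and indented 'line ...' sections."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):              # indented: child of the current line section
            if current:
                sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            cmd = raw.strip()
            top.append(cmd)
            current = cmd if cmd.startswith("line ") else None
            if current:
                sections[current] = []
    return top, sections

def audit(text):
    """Return sorted findings against this page's hardening steps; [] means it passes."""
    top, sections = parse_config(text)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in top]
    if not any(c.startswith("logging buffered") for c in top):
        findings.append("missing: logging buffered")
    for name, kids in sections.items():      # every vty range must be SSH-only
        if name.startswith("line vty") and "transport input ssh" not in kids:
            findings.append(f"{name}: telnet still allowed, need 'transport input ssh'")
    return sorted(findings)
```

Feed it the output of "show running-config" captured from the console session to get the same report for a real lab device.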

master/cnd/basic-setup.txt · Last modified: 2016/02/03 05:04 (external edit)