The overall architecture and the full address plan can be found in the IP Address Plan.
There are eight Cisco devices on the table in front of you. They will be used in the following ways:
3560: Layer 2 switches
The bottom two 3560 switches in each stack will be used as the Edge switches and the top 3560 as the Aggregation switch for the two buildings shown in the diagram above.
We will use the console cables to connect to the devices until we have configured them more fully.
You can download and install the drivers for the USB cable from:
Choose the correct drivers for your operating system and install them.
You can use PuTTY, which we installed earlier, to connect to the serial port created when the USB adapter is plugged in.
In the PuTTY window choose the Serial option and then change the Serial line to COM6. Leave the Speed set to 9600.
You can disconnect from the switch by closing the window.
You can use the command line application cu to connect to the serial port created when the USB adapter is plugged in. You can identify the name of the device using:
$ ls /dev/cu.usbserial*
/dev/cu.usbserial-FTDX4U8N
Then you can run:
$ sudo cu -9600 -l /dev/cu.usbserial-FTDX4U8N
Password:
Connected.
You can disconnect from the device by typing ~.
You may need to hit Enter a few times to get a prompt from the Ethernet switch, which should look like:
If you are connected to a router, the initial prompt you will get should look like:
If you are asked:
Would you like to enter the initial configuration dialog? [yes/no]:
the only correct answer is no!
Our campus network consists of two routers (r1-bdr-campusX and r1-core-campusX) as well as six switches (se1-b1-campusX, se2-b1-campusX, sd1-b1-campusX, se1-b2-campusX, se2-b2-campusX, and sd1-b2-campusX).
The routers and switches in your group should be given a basic configuration, as the following examples show:
Router> enable
Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname r1-bdr-campusX
r1-bdr-campusX(config)#
Real routers have IP routing turned on by default. But we are using a Cisco Catalyst 3750 (a Layer 3 switch) as our core router, and these do not have IP routing turned on by default:
r1-core-campusX(config)# ip routing
Do not turn on IP Routing on your access and distribution switches! Those are Layer 2 devices only (and may not even have support for Routing).
Cisco devices will always try to look up in DNS any name or address specified on the command line. You can see this when doing a traceroute on a router with no DNS server, or with a DNS server that has no in-addr.arpa entries for the IP addresses. We will turn this lookup off for the labs for the time being, to speed up traceroutes.
Router(config)# no ip domain-lookup
Set the domain name for each device in the campus network with the following command:
Router(config)# ip domain-name campusX.ws.nsrc.org
Router(config)# line con 0
Router(config-line)# transport preferred none
Router(config-line)# line vty 0 4
Router(config-line)# transport preferred none
Unless you really believe there is a need for it, source routing should be disabled. This option, enabled by default, allows the router to process packets with source routing header options. This feature is a well-known security risk, as it allows remote sites to send packets with a different source address through the network (this was useful for troubleshooting networks from different locations on the Internet, but in recent years has been widely abused for miscreant activities on the Internet).
Router(config)# no ip source-route
All router usernames should be cndlab and all passwords should be lab-PW. Please do not change the username or password to anything else, or leave the password unconfigured (access to vty ports is not possible if no password is set). It is essential for a smooth operating lab that all participants have access to all routers.
Router(config)# username cndlab secret lab-PW
Router(config)# enable secret lab-PW
Router(config)# service password-encryption
The service password-encryption directive tells the router to encrypt all passwords stored in the router’s configuration (apart from enable secret which is already encrypted).
Note A: There is the temptation to simply have a username of cisco and password of cisco as a lazy solution to the username/password problem. Under no circumstances must any service provider operator ever use easily guessable passwords as these on their live operational network.
IMPORTANT: This sentence cannot be emphasized enough. It is quite common for attackers to gain access to networks simply because operators have used familiar or easily guessed passwords.
Note B: for IOS releases prior to 12.3, the username/secret pair is not available, and operators will have to configure username/password instead. The latter format uses type-7 encryption, whereas the former uses the more secure MD5-based hash.
In order to let you telnet into your router in future modules of this workshop, you need to configure a password for all virtual terminal lines.
Router1(config)# aaa new-model
Router1(config)# aaa authentication login default local
Router1(config)# aaa authentication enable default enable
This series of commands tells the router to look locally for standard user login (the username password pair set earlier), and to the locally configured enable secret for the enable login. By default, login will be enabled on all vtys for other teams to gain access.
A vital part of any Internet operational system is to record logs. The router by default will display system logs on the router console. However, this is undesirable for Internet operational routers, as the console is a 9600 baud connection, and can place a high processor interrupt load at times of busy traffic on the network. The router logs can instead be recorded into a buffer on the router: this takes no interrupt load and also enables the operator to check the history of what events happened on the router. In a future module, the lab will configure the router to send the log messages to a SYSLOG server.
Router1(config)# no logging console
Router1(config)# logging buffered 8192 debug
which disables console logging and instead records all logs in an 8192-byte buffer set aside on the router. To see the contents of this internal logging buffer at any time, use the command “show log” at the command prompt.
The software images for the routers and switches you are using in this workshop have Secure Shell (SSH) support available in them. This step will enable SSH support for access to and from the devices. You can recognise an image which has SSH in it as it will have either “k4” or “k9” in the name, signifying 3DES crypto support; for example, c2600-advipservicesk9-mz.124-25a is a crypto service provider image for the 2600XM series routers. If you do a show version at the command prompt, you’ll see what IOS release the router is running.
To enable support for SSH on the router, first the key needs to be set. To do this enter the following IOS command in configuration mode:
crypto key generate rsa
which will generate an RSA crypto key for the router. The prompt asks what key modulus should be chosen, in a range from 360 (more or less useless) to 2048 (the best). This key will be automatically stored in a file in NVRAM – this file is not readable by any user on the router.
Next, we permit only SSH version 2: SSH version 1 has long been obsolete because of its security issues.
ip ssh version 2
And finally we restrict VTY access (VTYs are used when you use SSH or TELNET to connect from device to device). Notice below that we only permit SSH to be used for connections between devices; we turn off TELNET as it is a huge security risk (passwords and all activity are sent in the clear).
line con 0
 transport output ssh
 transport preferred none
line aux 0
 transport output ssh
 transport input none
 transport preferred none
line vty 0 4
 transport input ssh
 transport output ssh
 transport preferred none
Cisco IOS by default has a simple welcome message when a new administrative connection to the router is opened. Most network operators tend to customise this banner to be appropriate to their business. We will now set up a login banner for the routers and switches in the workshop lab. Use an appropriate greeting. If you use an inappropriate greeting, expect the lab instructors to ask you to change it. Use the following example:
banner login ^
Network Startup Resource Center
Campus Network Design Workshop Lab
Authorised Access Only
Unauthorised users MUST disconnect IMMEDIATELY
^
Cisco IOS comes with a built-in http server which is enabled by default (assists with simple installation for non-technical users). This server is not necessary for competent network operators, and being activated by default is actually a serious security risk. Disable it before the router or switch receives any IP address configuration:
no ip http server
no ip http secure-server
With the basic configuration in place, save the configuration. To do this, exit from enable mode by typing “end” or “<ctrl> Z”, and at the command prompt enter “write memory”.
Router1(config)#^Z
Router1# write memory
Building configuration...
[OK]
Router1#
It is highly recommended that the configuration is saved quite frequently to NVRAM. If the configuration is not saved to NVRAM, any changes made to the running configuration will be lost after a power cycle or virtual machine failure.
Log off the router by typing exit, and then log back in again. Notice how the login sequence has changed, prompting for a “username” and “password” from the user. Note that at each checkpoint in the workshop, you should save the configuration to memory – remember that powering the router off will result in it reverting to the last saved configuration in NVRAM.
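As an added check that is not part of the lab material, the following Python script parses a constructed "show running-config" excerpt (an assumption; the real output of your device should be pasted in its place) and reports which of the hardening steps above are still missing: source routing, AAA local login, enable secret, no type-7 user passwords, password encryption, logging, SSHv2, the HTTP server and SSH-only VTYs.

```python
import re
# Constructed "show running-config" excerpt (an assumption, not lab output): most steps done, some hardening left out.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
username cndlab secret 5 $1$PLACEHOLDER$hashplaceholder
enable secret 5 $1$PLACEHOLDER$hashplaceholder
service password-encryption
no logging console
logging buffered 8192 debugging
ip ssh version 2
ip http server
line vty 0 4
 transport input telnet ssh
 transport preferred none
"""

def parse_config(text):
    """Split a config into global lines and the indented sub-lines of each 'line ...' section."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # belongs to the open line section
        elif raw.startswith("line "):
            current = raw.strip()                    # open a new line section
            sections[current] = []
        else:
            current = None                           # back to global configuration
            global_lines.append(raw.strip())
    return global_lines, sections

def audit(text):
    """Return the names of the hardening steps from the lab that the config does NOT satisfy."""
    g, sections = parse_config(text)
    gset = set(g)
    vtys = [s for name, s in sections.items() if name.startswith("line vty")]
    checks = [
        ("source routing disabled", "no ip source-route" in gset),
        ("AAA local login", {"aaa new-model", "aaa authentication login default local"} <= gset),
        ("enable secret set", any(l.startswith("enable secret") for l in g)),
        ("no type-7 user passwords", not any(re.match(r"username \S+ password", l) for l in g)),
        ("password encryption", "service password-encryption" in gset),
        ("console logging off", "no logging console" in gset),
        ("buffered logging", any(l.startswith("logging buffered") for l in g)),
        ("SSHv2 only", "ip ssh version 2" in gset),
        ("HTTP server off", {"no ip http server", "no ip http secure-server"} <= gset),
        ("vty SSH only", bool(vtys) and all("transport input ssh" in s for s in vtys)),
    ]
    return [name for name, ok in checks if not ok]
```

Running `audit(SAMPLE_CONFIG)` on the constructed excerpt reports the three items it leaves out: source routing, the HTTP server and the telnet-capable VTYs.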