====== Basic Equipment Setup ======

===== Accessing the Routers & Switches =====

The overall architecture and the full address plan can be found in the [[master:cnd:addressplan|IP Address Plan]].

==== Lab access instructions ====

There are eight Cisco devices on the table in front of you. They will be used in the following ways:

<csv>
Device, Usage
2901, Border router
3750, Core router
3560, Layer 2 switches
</csv>

The bottom two 3560 switches in each stack will be used as the **Edge** switches and the top 3560 as the **Aggregation** switch for the two buildings shown in the campus diagram in the next section.

We will use the console cables to connect to the devices until we have configured them more fully.

You can download and install the drivers for the USB console cable from:

http://www.ftdichip.com/Drivers/VCP.htm

Choose the correct drivers for your operating system and install them.
 +
=== Connecting from Windows ===

You can use **Putty**, which we installed earlier, to connect to the serial port created when the USB adapter is plugged in.

In the Putty window choose the **Serial** option and then change the **Serial line** to **COM6** (the COM number may differ on your machine). Leave the **Speed** set to **9600**.

Select **Open**.

You can disconnect from the switch by closing the window.
 +
=== Connecting from Linux or Mac ===

You can use the command line application **cu** to connect to the serial port created when the USB adapter is plugged in. You can identify the name of the device using:

  $ ls /dev/cu.usbserial*
  /dev/cu.usbserial-FTDX4U8N

Then you can run:

  $ sudo cu -9600 -l /dev/cu.usbserial-FTDX4U8N
  Password:
  Connected.

You can disconnect from the device by typing **~.** at the start of a line.
 +
=== Once you are connected ===

You may need to hit **Enter** a few times to get a prompt from the ethernet switch, which should look like:

  Switch>

If you are connected to a router, the initial prompt you get should look like:

  Router>

If you are asked:

  Would you like to enter the initial configuration dialog? [yes/no]:

the only correct answer is **no**!
 +
===== Basic Device Configuration =====

{{:master:cnd:cnd_campus.png?600|}}

Our campus network consists of two routers (r1-bdr-campusX and r1-core-campusX) as well as six switches (se1-b1-campusX, se2-b1-campusX, sd1-b1-campusX, se1-b2-campusX, se2-b2-campusX, and sd1-b2-campusX).

=== Hostname ===

The routers and switches in your group should be given a basic configuration, as the following examples show:

  Router> enable
  Router# config terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)# hostname r1-bdr-campusX
  r1-bdr-campusX(config)#
 +  ​
=== Routers Only: Turn on IP routing ===

Real routers have IP routing turned on by default. But we are using a Cisco Catalyst 3750 device as our core router (it is called a Layer 3 switch), and these do not have IP routing turned on by default:

  r1-core-campusX(config)# ip routing

Do not turn on IP routing on your access and distribution switches! Those are Layer 2 devices only (and may not even have support for routing).
 +
=== Turn Off Domain Name Lookups ===

Cisco devices will always try to look up in DNS any name or address specified on the command line. You can see this when doing a trace on a router with no DNS server, or with a DNS server that has no in-addr.arpa entries for the IP addresses. We will turn this lookup off for the labs for the time being to speed up traceroutes.

  Router(config)# no ip domain-lookup

=== Set Workshop Domain Name ===

We need to set the domain name for each device in our campus network, using the following command:

  Router(config)# ip domain-name campusX.ws.nsrc.org
 +
=== Configure console and other ports ===

  Router(config)# line con 0
  Router(config-line)# transport preferred none
  Router(config-line)# line vty 0 4
  Router(config-line)# transport preferred none

=== Disable Source Routing ===

Unless you really believe there is a need for it, source routing should be disabled. This option, enabled by default, allows the router to process packets carrying source routing header options. This feature is a well-known security risk, as it allows remote sites to send packets with a different source address through the network (this was useful for troubleshooting networks from different locations on the Internet, but in recent years has been widely abused for miscreant activities on the Internet).

  Router(config)# no ip source-route
 +
=== Usernames and Passwords ===

All router usernames should be **cndlab** and all passwords should be
**lab-PW**. Please do not change the username or password to anything else, or leave the password
unconfigured (access to vty ports is not possible if no password is set). It is essential for a smooth
operating lab that all participants have access to all routers.

  Router(config)# username cndlab secret lab-PW
  Router(config)# enable secret lab-PW
  Router(config)# service password-encryption

The service password-encryption directive tells the router to encrypt all passwords stored in the
router's configuration (apart from enable secret, which is already hashed).

**Note A:** There is the temptation to simply have a username of cisco and password of cisco as a
lazy solution to the username/password problem. Under no circumstances must any service
provider operator ever use easily guessable passwords such as these on their live operational network.

**IMPORTANT: This sentence cannot be emphasized enough. It is quite common for attackers to gain access to networks simply because operators have used familiar or easily guessed passwords.**

**Note B:** For IOS releases prior to 12.3, the username/secret pair is not available, and operators will
have to configure username/password instead. The latter format uses type-7 encryption (which is reversible), whereas
the former is the more secure MD5-based hash.
 +
=== Enabling login access for other machines ===

In order to let you telnet into your router in future
modules of this workshop, you need to configure a password for all virtual terminal lines.

  Router1(config)# aaa new-model
  Router1(config)# aaa authentication login default local
  Router1(config)# aaa authentication enable default enable

This series of commands tells the router to look locally for standard user login (the username/password
pair set earlier), and to the locally configured enable secret for the enable login. By
default, login will be enabled on all vtys for other teams to gain access.
 +
=== Configure system logging ===

A vital part of any Internet operational system is to record logs. The
router by default will display system logs on the router console. However, this is undesirable for
Internet operational routers, as the console is a 9600 baud connection, and can place a high
processor interrupt load at the time of busy traffic on the network. However, the router logs can
also be recorded into a buffer on the router. This takes no interrupt load and it also enables the
operator to check the history of what events happened on the router. In a future module, the lab
will configure the router to send the log messages to a SYSLOG server.

  Router1(config)# no logging console
  Router1(config)# logging buffered 8192 debug

which disables console logs and instead records all logs in an 8192-byte buffer set aside on the
router. To see the contents of this internal logging buffer at any time, the command "show log"
should be used at the command prompt.
 +
=== Using SSH for device access ===

The software images for the routers and switches you are using in this workshop have SecureShell support available in them. This step will enable SSH support for access to and from the devices. You can recognise an image which has SSH in it as it will have either "k4" or "k9" in the name, signifying 3DES crypto support; for example, c2600-advipservicesk9-mz.124-25a is a crypto service provider image for the 2600XM series routers. If you do a **show version** at the command prompt, you will see what IOS release the router is running.

To enable support for SSH on the router, first the key needs to be set. To do this enter the following IOS command in configuration mode:

  crypto key generate rsa

which will generate an RSA crypto key for the router. IOS refuses to generate the key until a hostname other than the default and an ip domain-name have been set, as these form the key's label; both were configured above. The prompt asks what key modulus should be chosen, in a range from 360 (more or less useless) to 2048 (the best). This key will be automatically stored in a file in NVRAM; this file is not readable by any user on the router.

Next we only permit SSH version 2, as SSH version 1 has long been obsoleted due to security issues with it.

  ip ssh version 2

And finally we restrict the VTY access (VTYs are used when you use SSH or TELNET to connect from device to device). Notice below that we only permit SSH to be used for connections between devices; we turn off TELNET as it is a huge security risk (passwords and all activity are sent in the clear).

  line con 0
   transport output ssh
   transport preferred none
  line aux 0
   transport output ssh
   transport input none
   transport preferred none
  line vty 0 4
   transport input ssh
   transport output ssh
   transport preferred none
 +
=== Login Banner ===

Cisco IOS by default has a simple welcome message when a new administrative connection to the router is opened. Most network operators tend to customise this banner to be appropriate to their business. We will now set up a login banner for the routers and switches in the workshop lab. Use an appropriate greeting. If you use an inappropriate greeting, expect the lab instructors to ask you to change it. Use the following example (the **^** character is the delimiter that marks the start and end of the banner text):

  banner login ^
          Network Startup Resource Center
         Campus Network Design Workshop Lab

              Authorised Access Only
   Unauthorised users MUST disconnect IMMEDIATELY
  ^
 +
=== Disable built-in http server ===

Cisco IOS comes with a built-in http server which is enabled by default (it assists with simple installation for non-technical users). This server is not necessary for competent network operators, and being activated by default is actually a serious security risk. Disable it before the router or switch receives any IP address configuration:

  no ip http server
  no ip http secure-server
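The steps from "Hostname" down to this point form a checklist that is easy to get partly wrong (a leftover ''transport input telnet ssh'', a ''username ... password'' line instead of ''secret'', an ''ip http server'' that was never disabled). The following Python script is an added example, not part of the original lab page or any NSRC tooling: it parses the text of a ''show running-config'' and reports which of this section's hardening steps are missing. The two configs embedded in it are constructed for the example, with placeholder hashes and a placeholder type-7 string rather than real credentials; the checks reflect only the commands shown in this section.

```python
"""Audit a Cisco IOS running-config for the hardening steps in this lab.
Added example with constructed configs; no lines were captured from a lab device."""

# Constructed: a device where several lab steps were skipped.  The hash and
# type-7 string are placeholders, not real credentials.
WEAK_CONFIG = """\
hostname r1-bdr-campus1
no ip domain-lookup
ip domain-name campus1.ws.nsrc.org
ip ssh version 2
username cndlab password 7 PLACEHOLDER7STRING
enable secret 5 $1$xxxx$PLACEHOLDERHASH
no logging console
logging buffered 8192 debugging
ip http server
line vty 0 4
 transport input telnet ssh
 transport preferred none
"""

# Constructed: the same checklist fully applied.
HARDENED_CONFIG = """\
hostname r1-core-campus1
no ip domain-lookup
ip domain-name campus1.ws.nsrc.org
no ip source-route
ip ssh version 2
service password-encryption
username cndlab secret 5 $1$xxxx$PLACEHOLDERHASH
enable secret 5 $1$xxxx$PLACEHOLDERHASH
no logging console
logging buffered 8192 debugging
no ip http server
no ip http secure-server
banner login ^C
Authorised Access Only
^C
line vty 0 4
 transport input ssh
 transport preferred none
"""


def parse_config(text):
    """Split config into global commands and indented sections keyed by header."""
    global_cmds, sections, current, banner_delim = [], {}, None, None
    for raw in text.splitlines():
        if banner_delim is not None:            # inside a banner body: skip it
            if banner_delim in raw:
                banner_delim = None             # closing delimiter reached
            continue
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():                    # indented: part of current section
            if current is not None:
                sections.setdefault(current, []).append(raw.strip())
            continue
        current = raw.rstrip()
        global_cmds.append(current)
        if current.startswith("banner "):
            parts = current.split()
            delim = parts[2][0] if len(parts) > 2 else None   # "^C" -> "^"
            if delim and current.count(delim) < 2:           # body on next lines
                banner_delim = delim
    return global_cmds, sections


def audit(text):
    """Return {check name: passed} for each hardening step of this section."""
    global_cmds, sections = parse_config(text)
    present = set(global_cmds)

    def has_prefix(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    hostname = next((c.split(None, 1)[1] for c in global_cmds
                     if c.startswith("hostname ")), None)
    users = [c for c in global_cmds if c.startswith("username ")]
    vtys = [cmds for hdr, cmds in sections.items() if hdr.startswith("line vty")]
    return {
        "hostname set": hostname not in (None, "Router", "Switch"),
        "domain lookup disabled": "no ip domain-lookup" in present,
        "source routing disabled": "no ip source-route" in present,
        "http server disabled": "no ip http server" in present,
        "ssh version 2 only": "ip ssh version 2" in present,
        "console logging disabled": "no logging console" in present,
        "buffered logging enabled": has_prefix("logging buffered"),
        "password encryption": "service password-encryption" in present,
        "enable secret set": has_prefix("enable secret "),
        # "username X password ..." stores reversible type 7; "secret" is hashed
        "users use secret not password": bool(users) and all(" secret " in u for u in users),
        # exact match: "transport input telnet ssh" still accepts cleartext telnet
        "vty accepts ssh only": bool(vtys) and all("transport input ssh" in v for v in vtys),
        "login banner present": has_prefix("banner login"),
    }


def failed_checks(text):
    """Names of the checks a config fails, in checklist order."""
    return [name for name, ok in audit(text).items() if not ok]
```

Run ''failed_checks()'' over the text of each device's ''show running-config''; an empty list means every step in this section is present. The vty check deliberately requires an exact ''transport input ssh'' line, because ''transport input telnet ssh'' or ''transport input all'' would leave TELNET reachable even though "ssh" appears in the line.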
 +
=== Save the Configuration ===

With the basic configuration in place, save the configuration. To do this,
exit from configuration mode by typing "end" or "<ctrl> Z", and at the command prompt enter "write
memory".

  Router1(config)#^Z
  Router1# write memory
  Building configuration...
  [OK]
  Router1#

It is highly recommended that the configuration is saved quite frequently to NVRAM. If the
configuration is not saved to NVRAM, any changes made to the running configuration will be lost
after a power cycle or virtual machine failure.

Log off the router by typing exit, and then log back in again. Notice how the login sequence has
changed, prompting for a "username" and "password" from the user. Note that at each checkpoint
in the workshop, you should save the configuration to memory; remember that powering the
router off will result in it reverting to the last saved configuration in NVRAM.
  
master/cnd/basic-setup.txt · Last modified: 2016/02/03 05:04 (external edit)