
Cisco Routers (2600/11)

1. Overview
1.1 High-End Routers

There are basically four series of routers in the Cisco high-end product line: the 7000 series, 7200 series, 7500 series and the recently released 12000 series. These are more complex, multiple-interface routers that include a large variety of features and activities, providing high flexibility and powerful decisions. They are out of the scope of this document, so they will not be discussed here.

1.2 Remote Access Routers

There are many series of routers in the Cisco access product line: the AS5800/300/200 series, 6000, 4000, 3800, 3600, 2600, 2500 and 1000 series. Cisco access servers are popular because they support multiple services on one box. They also support multilink PPP, the ability to bond two dial-in calls between the same two devices into one pipe. Another nice feature of the Cisco access servers is their ability to support multilink PPP across devices. This means that even if the same access server does not answer two calls from the same remote user, the two calls can still be bonded.

1.3 Internetworking Operating System (IOS)

Most Cisco routers (including the 2600/11) run a version of the Cisco Internetworking Operating System. The current mainstream version of the IOS is release 11. Each release of the Cisco IOS is classified by its intended audience. There are currently three active sub-versions of the 11.0 IOS strain: 11.1, 11.2 and 11.3. These three sub-versions are used on different Cisco products and offer different feature sets. Cisco has combined the features and hardware support of all three IOS sub-versions into release 12.0 of the IOS. The Cisco IOS also includes all the specific hardware drivers that may be needed for certain interface line cards. You should review the documentation included with the 2600/11 router to be sure that the IOS you plan to run on it is sufficient to support the hardware you plan to install in it.

The Cisco IOS is also offered with different feature support. Several versions of the IOS, supporting different features or hardware, are available for download.

2. Router Configuration

Cisco routers come with no default configuration. Before using a Cisco router on a network, you must program it with the configuration to accomplish your predefined tasks. The following section will show you how to do this.

2.1 Initial Router Setup

2.1.1 Startup script

When a Cisco router is first powered on and the bootstrap ROM has loaded the basic IOS image into RAM, the nonvolatile RAM (NVRAM) is checked for a preexisting configuration. If no configuration file is found, the bootstrap program executes the setup script from ROM. This setup script asks a series of questions that are used to generate an initial router configuration. Each question asked has a default answer associated with it. The default choice is displayed in brackets at the end of the prompt. After you've answered all the questions, the setup program generates the configuration file that matches the answers you provided. You are then asked whether this configuration should be used to program the router. An answer is required (no default). Once the configuration has been loaded, the router displays the user EXEC mode prompt test-r1>. Some of the features of the IOS have to be configured either through the privileged EXEC mode command-line interface or from a prebuilt configuration file on a TFTP server or flash card (not available in 2600/11).

2.1.2 Manual configuration

Manual configuration of a Cisco router encompasses building the router configuration piece by piece. This means that all options you want to enable need to be programmed manually and without the use of an interactive setup program.

This section outlines the Cisco IOS command modes. The following is a complete list of the command modes available in the Cisco IOS:

    User EXEC mode
    User privileged EXEC mode (enable mode)
    Global configuration mode
    Interface configuration mode
    Controller configuration mode
    Hub configuration mode
    Map-list configuration mode
    Map-class configuration mode
    Line configuration mode
    Router configuration mode
    IPX-router configuration mode
    Route-map configuration mode
    Key chain configuration mode
    ROM monitor mode
    Key chain key configuration mode
    APPN command mode
    LANE database configuration mode
    IBM channel attach command mode

Access to the interactive command mode on a Cisco router can be achieved via a number of different means. The most often used method is via the console port. The console port is a serial connection on the chassis of the router. Any VT100 or PC with a serial port and communications software can be used to connect to the console port. Another way to reach a Cisco router is via telnet from a remote host once the router is placed into a network and the appropriate configuration for the network interfaces and VTY lines is made on the router (for VTxxx terminal).

The basic prompt given when you first connect to a Cisco router is the user EXEC prompt. It consists of the router name followed by a greater-than symbol (>). If the router name hasn't been configured, the prompt is router>. In basic user EXEC mode, a set of the Cisco IOS commands is available for execution. To gain access to the full set of IOS commands, you must enter user privileged EXEC mode. The enable command is used to change from user to privileged EXEC mode.

If there is an enable or secret password configured on the router, the user is prompted for the password before the privileged EXEC prompt is returned. The commands available in basic user EXEC mode don't let you alter the system parameters. They are accessed via privileged EXEC mode.

The router prompt changes once you have entered privileged EXEC mode. The prompt becomes the router's hostname followed by the pound symbol (#), or router# if no hostname is configured. To return to user EXEC mode, use the disable or exit command. Access to other configuration modes is possible from privileged EXEC mode.

Local Area Networking

A local area network is any combination of networking segments that doesn't require the use of connections provided by a telecommunications company. A number of different types of protocols can be used to connect multiple computers; we are interested in Ethernet. The Ethernet protocol was developed at the Xerox PARC laboratory in 1972. The Ethernet specification, as adopted by the IEEE, covers only the first one-and-a-half layers of the OSI model (the physical layer and the MAC portion of the data link layer). Although the Ethernet specification defines only the lowest portion of the model, it can have multiple protocol modules riding above it.

Cisco offers a number of Ethernet-based interfaces. Some of the different flavors of Ethernet that Cisco offers are half-duplex Ethernet, full-duplex Ethernet, and half- and full-duplex FastEthernet. As a general rule, if your network interface cards support full-duplex operation, use it. Basic end-user stations should use regular Ethernet interfaces, while servers should use FastEthernet. Most mid- to high-end servers come standard with auto-sensing 10/100Mbps Ethernet interfaces.

The first task in configuring an Ethernet interface is to specify which encapsulation type is required. The following command is used to configure the encapsulation type on an Ethernet interface:

    encapsulation type

The type can be ARPA, SAP or SNAP. Specifying ARPA (the default) signifies that you want to use the standard Ethernet version 2.0 encapsulation; SAP selects IEEE 802.3 encapsulation; SNAP selects IEEE 802.2 encapsulation. Mostly you will use ARPA encapsulation. SAP or SNAP would be used in a native Novell NetWare IPX network.

An interface is half-duplex by default, so nothing needs to be done for half-duplex operation. To switch to full-duplex, issue the following command in interface configuration mode:

    full-duplex

To change back to half-duplex use:

    no full-duplex

The next step is to enable the network layer protocols that you want to run on the Ethernet segment that this particular interface is attached to. You might also want to run IP on the same interface. To do that, assign an IP address to the interface. The following interface configuration command is used to specify an IP address:

    ip address <address> <subnet mask>

The following example assigns the IP address 192.168.200.1 with a subnet mask of eight bits to interface Ethernet 1/0:

    test-r1#conf t
    test-r1(config)#interface ethernet1/0
    test-r1(config-if)#ip address 192.168.200.1 255.255.255.0
    test-r1(config-if)#exit
    test-r1(config)#exit
    test-r1#

(test-r1 is the working router's hostname)

Finally, to put the interface into an operational mode, execute the following command in interface configuration mode:

    no shutdown

Putting an interface into an operational mode without a network layer protocol defined is not useful except in a testing environment. No routable network traffic will be passed on the interface.

2.2 Configuring Dynamic Routing Protocols

2.3.1 Distance Vector: RIP

The Routing Information Protocol (RIP) is an old distance vector routing protocol. It uses broadcast UDP packets to pass routing information. The command to enable the RIP routing process on a Cisco router is:

    router rip

Next, enter network statements for each interface that will be included in the RIP routing system:

    network <network address>

network address is the network number for the IP address of the interface to be included in the RIP routing system. Because RIP relies on UDP broadcasts to exchange routing updates, specific neighbor addresses must be defined when RIP is run on a nonbroadcast multi-access (NBMA) network:

    neighbor <ip address>

2.2.2 Link State: OSPF

The Open Shortest Path First (OSPF) routing protocol was developed specifically with IP networks in mind. Because OSPF is based on link states (the availability of the links connecting routers) rather than hop count, there is no count-to-infinity problem. OSPF transmits no packets unless a link state change has occurred or 30 minutes have gone by since the last link state advertisement (LSA). OSPF supports CIDR, route summarization, and redistribution from and to other routing processes. It also provides the ability to segregate portions of the network into areas. The Cisco IOS supports multiple OSPF processes on a single router. The command to enable an OSPF routing process on a Cisco router is:

    router ospf <process id>

OSPF supports the segmenting of networks into areas. Each area can act as an autonomous system within the larger OSPF network. The following example places the interface Serial0/0 into the backbone area, interface Ethernet0/0 into area 10, and interface Ethernet0/1 into area 20:

    interface Serial0/0
     description WAN link to Corporate
     ip address 192.168.10.1 255.255.255.252
    !
    interface Ethernet0/0
     description Marketing LAN Segment
     ip address 192.168.20.1 255.255.255.0
    !
    interface Ethernet0/1
     description *+, LAN Segment
     ip address 192.168.21.1 255.255.255.252
    !
    router ospf 1000
     network 192.168.10.0 0.0.0.3 area 0
     network 192.168.20.0 0.0.0.255 area 10
     network 192.168.21.0 0.0.0.255 area 20

A group of routers can be defined as an area without a physical connection to the backbone area. In this case, a virtual link must be created from an Area Border Router (ABR) in the area to an ABR in the backbone area, as follows:

    area area-id virtual-link router-id

area-id is the area number that will be used for transit between the two ABRs. router-id is the ID of the ABR that the virtual link terminates on.

An area that has only one ABR can be defined as a stub area. In other words, any area that has only one link to the backbone area can be configured as a stub area, as follows:

    area <area id> stub

OSPF allows the summarization of network advertisements between areas. If there are a number of contiguous networks within an area, the following command can be used in the OSPF process configuration on the ABRs for that area to enable the advertisement of only one network rather than all of its smaller components:

    area area-id range address mask

area-id is the area number that contains the networks to be summarized, address is the IP network of the summarized route, and mask is the IP netmask of the summary advertisement.

External routes being distributed into OSPF can also be summarized, as follows:

    summary-address address mask

2.2.3 Hybrid: EIGRP

The Enhanced Interior Gateway Routing Protocol (EIGRP) was developed by Cisco. It is called a hybrid protocol because it uses metrics from both distance vector protocols and link state protocols. The command to define an EIGRP routing process on a Cisco router is:

    router eigrp <autonomous system number>

Once the process has been defined, network statements need to be added for the ports on the router that will send and receive EIGRP updates, using the following command:

    network <IP network number>

EIGRP allows the use of multiple unequal cost paths to reach a destination network. This type of load balancing makes for better use of available bandwidth. An alternative route to a destination network will be used only if its metrics are within a predefined variance. Variance is used as a multiplier to the best local route. If the metric of the alternative route to a destination network is equal to or lower than the metric of the local best path times the variance, it is a viable path to the network. To configure the variance multiplier, use the following command in EIGRP process configuration:

    variance <multiplier>

2.2.5 External Routing: BGP

The Border Gateway Protocol (BGP) was developed to provide a way to exchange network reachability information between autonomous systems (AS). BGP offers many different features; the most important among them is route summarization, or aggregation.

To add a Cisco router to a BGP autonomous system, you must enable the BGP routing protocol on the router by defining a process ID for BGP on the router. The process ID is the ASN for your particular company. The Internet Assigned Numbers Authority (IANA) assigns ASNs. The following command enables the BGP routing protocol for AS 65400:

    router bgp 65400

The main purpose of using BGP is to exchange network reachability information with other ASs. In order for your AS to announce the reachability of your networks to your peer ASs, the networks must be configured in your BGP process. The following command defines a network for announcement via BGP:

    network 192.168.0.0 mask 255.255.0.0

In order for this network to be announced via BGP, there must be an underlying path for it in the routing table. Your IGP (Interior Gateway Protocol) or a static route can provide this underlying path. Usually, a static route to the Cisco Null0 interface is used as an anchor route through the following command:

    ip route 192.168.0.0 255.255.0.0 Null0

This is done to reduce the occurrence of route flapping due to IGP instability. BGP has a dampening feature that ignores a network if it is flapped (announced and then withdrawn) a predetermined number of times.

To define another router as a BGP peer, you must specify the directly connected interface IP address as a neighbor using the following command:

    neighbor 192.168.100.5 remote-as 65500

If the IP address of the neighbor is not on a directly connected network, Cisco provides a feature called ebgp-multihop that allows the neighbor address to be any IP address as long as there is a path to it in the routing table. Here is the format of this command:

    neighbor 192.168.100.5 ebgp-multihop 255

The last number is the maximum hop count to reach the specified neighbor. It can be between 1 and 255.

2.3 Router as a Firewall

By using a combination of extended access list filtering options, a Cisco router can be configured to act as a firewall to a secure network. In the following configuration example, the access list assigned to the Ethernet port that connects the internal LAN segments allows TCP sessions that were established by hosts on the internal LAN. Internet mail protocol (SMTP) is allowed from any host but only to a single host, 192.168.10.10, the company's mail server. All other traffic trying to go out the Ethernet interface is dropped.

    interface Ethernet0
     description Internal LAN segment
     ip address 192.168.10.1 255.255.255.0
     ip access-group 100 out
    !
    access-list 100 permit tcp any any established
    access-list 100 permit tcp any host 192.168.10.10 eq smtp
    access-list 100 deny ip any any

3. SNMP

Collecting data from your routers is the key to understanding the growth patterns of your network. The most common method used to collect data from a router is to use Simple Network Management Protocol (SNMP). A number of applications use SNMP to access the Management Information Base (MIB) of an SNMP-enabled device. The MIB contains a great deal of information about the device itself and each of the individual interfaces on the device.

Each router in your network will need to be configured to allow SNMP before it will respond to SNMP queries. The Cisco IOS supports SNMP versions 1 and 2. The version you need to enable depends on the management software that you will be using. All management software available supports SNMP 1, but not all software supports SNMP 2. For the purpose of collecting data, SNMP is sufficient. The command syntax to enable SNMPv1 access for a Cisco router is:

    snmp-server community <community string> {RO|RW} [access-list]

community string is an ASCII string that will be used as a sort of password for clients trying to retrieve SNMP data from the router. The community string is case-sensitive. The RO and RW options specify whether the community string entered allows read-only or read-write access to the MIB table. The optional argument access-list is a basic IP address list that can be used to restrict the IP hosts that can retrieve SNMP data. The following example is a sample configuration that defines a read-only community string, defines a read-write community string, and limits access to one trusted host:

    snmp-server community public RO 5
    snmp-server community private RW 5
    !
    access-list 5 permit 192.168.10.10

It is possible to configure multiple community strings for the same variable type. This is useful when you're changing community strings. To configure multiple community strings on the same router, simply enter multiple snmp-server community commands into the router in global configuration mode. Here are the commands to have three read-only community strings on the same router:

    snmp-server community public RO
    snmp-server community PuBlIc RO
    snmp-server community pUbliC RO
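A configuration check for the SNMP statements in section 3, as an added example that is not part of the original document: it flags well-known community strings, read-write communities, and communities with no access list or with one that is never defined. The sample configuration, the n0c-poll community and the function names are constructed for the illustration.

```python
import re

# Constructed sample: SNMP lines in the style of section 3, plus one
# community (n0c-poll) that points at an access list that is never defined.
SAMPLE_CONFIG = """\
snmp-server community public RO 5
snmp-server community private RW 5
snmp-server community PuBlIc RO
snmp-server community n0c-poll RO 7
!
access-list 5 permit 192.168.10.10
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (?:permit|deny) ")
WELL_KNOWN = {"public", "private"}


def audit_snmp(config):
    """Return a sorted list of (community, finding) for risky statements."""
    lines = [ln.strip() for ln in config.splitlines()]
    defined_acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        # IOS treats a community with neither RO nor RW as read-only.
        name, access, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        # Community strings are case-sensitive on the router, but a string
        # that differs from a default only by case is just as guessable.
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community string"))
        if access == "RW":
            findings.append((name, "read-write access to the MIB"))
        if acl is None:
            findings.append((name, "no access list: any host may query"))
        elif acl not in defined_acls:
            findings.append((name, f"access list {acl} is not defined"))
    return sorted(findings)


if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```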
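How access list 100 from section 2.3 treats traffic, as an added example that is not part of the original document: a first-match evaluator run over constructed sample packets. The tuple layout, the packet dictionaries and the function names are assumptions made for the illustration; the established keyword is modeled by TCP flags (ACK or RST set), since it does not track sessions.

```python
import ipaddress

# Access list 100 from section 2.3 as (action, protocol, destination host,
# destination port, established). None means "any"; sources are all "any".
ACL_100 = [
    ("permit", "tcp", None, None, True),            # tcp any any established
    ("permit", "tcp", "192.168.10.10", 25, False),  # tcp any host ... eq smtp
    ("deny", "ip", None, None, False),              # everything else
]

# Constructed sample packets heading out of the Ethernet interface.
PACKETS = {
    "smtp_to_mail_server": {"proto": "tcp", "dst": "192.168.10.10", "dport": 25, "flags": "S"},
    "smtp_to_workstation": {"proto": "tcp", "dst": "192.168.10.20", "dport": 25, "flags": "S"},
    "web_reply_to_client": {"proto": "tcp", "dst": "192.168.10.20", "dport": 1025, "flags": "SA"},
    "dns_query_to_server": {"proto": "udp", "dst": "192.168.10.10", "dport": 53},
}


def evaluate(acl, pkt):
    """Return (action, entry index) for the first entry that matches pkt."""
    for idx, (action, proto, dst, dport, established) in enumerate(acl):
        if proto not in ("ip", pkt["proto"]):
            continue
        if dst and ipaddress.ip_address(dst) != ipaddress.ip_address(pkt["dst"]):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        # "established" keeps no session table: it matches any TCP segment
        # that has the ACK or RST bit set.
        if established and not set(pkt.get("flags", "")) & {"A", "R"}:
            continue
        return action, idx
    return "deny", None  # implicit deny that ends every access list


def verdicts(acl=ACL_100, packets=PACKETS):
    """Map each sample packet name to the action the access list takes."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, action in verdicts().items():
        print(f"{name:22} {action}")
```

Dropping the last entry from the list leaves every verdict unchanged, because the implicit deny catches whatever the permit entries do not match.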
