
Router...The Most Important Networking Device.

Contents

Pages

Chapter One
Introduction to Router---------------------------------------------------------------------2
1.1-What is a router? ---------------------------------------------------------------------------2
1.2-Router internal components. -----------------------------------------------------------4
1.3-Cisco router interfaces. -------------------------------------------------------------------6
1.4-Cisco 1760 router overview. -----------------------------------------------------------10
Chapter Two
Cisco Inter-network Operating System---------------------------------------------------13
2.1-Router boot sequence. --------------------------------------------------------------------13
2.2-Overview of router modes. --------------------------------------------------------------14
2.3-The Cisco file system. ---------------------------------------------------------------------17
Chapter Three
Router Configuration Language
(Router Instruction Set) -----------------------------------------------------------------------20
3.1- Basic Router Operations. ----------------------------------------------------------------20
3.2- Viewing Router Information. -----------------------------------------------------------21
3.3- Cisco Discovery Protocol. -----------------------------------------------------------------21
3.4- Managing Configuration Files. ---------------------------------------------------------22
3.5- Password. -------------------------------------------------------------------------------------22
3.6- Router Identification. ---------------------------------------------------------------------22
3.7- Auto-Install. ----------------------------------------------------------------------------------23
3.8- Configuring a Serial Interface. ---------------------------------------------------------23
3.9- TCP/IP. ----------------------------------------------------------------------------------------23
3.10- IPX/SPX. -------------------------------------------------------------------------------------24

3.11- Config-Reg. ----------------------------------------------------------------------------------24
3.12- Access-Lists. --------------------------------------------------------------------------------25
3.13- IP Standard Access-Lists [1-99] filter on Source Address Template. ---------------25
3.14- IP Extended Access-Lists [100-199] filter on Srce+Dest Address Template, Port, Protocol. -----25
3.15- IPX Standard Access-Lists [800-899] filter on Srce+Dest Address Template. -----------26
3.16- IPX Extended Access-Lists [900-999] filter on Srce+Dest Address Template, Socket, Protocol. ----26
3.17- IPX SAP Access-Lists [1000-1999] filter on Source, Port, Service Name. --26
3.18- Frame-Relay. ----------------------------------------------------------------------------26
3.19- PPP. ------------------------------------------------------------------------------------------27

Chapter Four
Configuring a Router --------------------------------------------------------------------------29
4.1-Configuring a router name. ------------------------------------------------------------29
4.2-Setting passwords. ------------------------------------------------------------------------29
4.3-Configuring a serial interface. --------------------------------------------------------30
4.4-Configuring an Ethernet interface. --------------------------------------------------31
4.5-Changing configuration. ----------------------------------------------------------------32
4.6-Host tables. ---------------------------------------------------------------------------------33
Chapter Five
Network Remote Access ----------------------------------------------------------------------35
5.1-PING. -----------------------------------------------------------------------------------------35
5.2-Traceroute. ----------------------------------------------------------------------------------38
5.3-Telnet. ----------------------------------------------------------------------------------------41
5.4-CDP. ------------------------------------------------------------------------------------------43
Chapter Six
Access Control Lists(ACLs) ------------------------------------------------------------------46
6.1-Introduction to ACLs. --------------------------------------------------------------------46
6.2-ACLs types. ---------------------------------------------------------------------------------48
6.3-Illustrative examples. --------------------------------------------------------------------51
6.4-Restricting virtual terminal access. -------------------------------------------------54


Chapter One: Introduction to Router
Chapter One
Introduction to Router.
1.1-What is a router?
1.2-Router internal components.
1.3-Cisco router interfaces.
1.4-Cisco 1760 router overview.

1.1-What is a router?
A router is a special type of computer. It has the same basic components as a standard
desktop PC. It has a CPU, memory, a system bus, and various input/output interfaces.
However, routers are designed to perform some very specific functions that are not typically
performed by desktop computers. For example, routers connect and allow communication
between two networks and determine the best path for data to travel through the connected
networks.
Just as computers need operating systems to run software applications, routers need the
Internetwork Operating System (IOS) software to run configuration files. These
configuration files contain the instructions and parameters that control the flow of traffic in
and out of the routers. Routers use routing protocols to determine the best path for packets.
The configuration file specifies all the information for the correct setup and use of the
selected, or enabled, routing and routed protocols on a router.

Figure 1.1.1

Routers can be used to segment LANs, but they are mainly used as WAN devices. Routers
have both LAN and WAN interfaces. WAN technologies are frequently used to connect
routers. Routers use WAN connections to communicate with each other. Routers are the
backbone devices of large intranets and of the Internet. They operate at Layer 3 of the OSI
model, making decisions based on network addresses. The two main functions of a router are
the selection of best path and the switching of packets to the proper interface. To accomplish
this, routers build routing tables and exchange network information with other routers.
An administrator can configure static routes to maintain routing tables. However, most
routing tables are maintained dynamically through the use of a routing protocol that
exchanges network topology information with other routers.

Figure 1.1.2
LAN segmentation.

Figure 1.1.3
Routers connected by WAN technologies.

1.2-Router internal components.
While the exact architecture of the router varies between router models, we will introduce
the major internal components as in Figure (1.2.1) that shows the internal components of
some of the Cisco router models.
The common components are covered below:
CPU – The Central Processing Unit (CPU) executes instructions in the operating system.
Among these functions are system initialization, routing functions, and network interface
control. The CPU is a microprocessor. Large routers may have multiple CPUs.
RAM – RAM is used for routing table information, fast switching caches, running
configurations, and packet queues. In most routers the RAM provides run time space for
executable Cisco IOS software and its subsystems. RAM is usually logically divided into
main processor memory and shared input/output (I/O) memory. Shared I/O memory is
shared among interfaces for temporary storage of packets. The contents of RAM are lost
when power is removed. RAM is generally dynamic random-access memory (DRAM) and
can be upgraded with the addition of dual in-line memory modules (DIMMs).
Flash – Flash memory is used for storage of a full Cisco IOS software image. The router
normally acquires the default IOS from flash. These images can be upgraded by loading a
new image into flash. The IOS may be in uncompressed or compressed form. In most routers
an executable copy of the IOS is transferred to RAM during the boot process. In other
routers the IOS may be run directly from flash. The flash single in-line memory modules
(SIMMs) or PCMCIA cards can be added or replaced to upgrade the amount of flash.
NVRAM – NVRAM is used to store the startup configuration. In some devices, EEPROMs
can be used to implement NVRAM. In other devices it is implemented in the same flash
device from which the boot code is loaded. In either case these devices retain contents when
power is removed.
Buses – Most routers contain a system bus and a CPU bus. The system bus is used to
communicate between the CPU and the interfaces or expansion slots. This bus transfers the
packets to and from the interfaces.
The CPU bus is used by the CPU for accessing components from router storage. This bus
transfers instructions and data to or from specified memory addresses.
ROM – ROM is used to permanently store the startup diagnostic code, which is called the
ROM monitor. The main tasks for ROM are hardware diagnostics during router bootup and
loading the Cisco IOS software from flash to RAM. Some routers also have a scaled down
version of the IOS that can be used as an alternative boot source. ROMs are not erasable.
They can only be upgraded by replacing the ROM chips in the sockets.
Interfaces – The interfaces are the router connections to the outside. The three types of
interfaces are LANs, WANs, and console or auxiliary (AUX). The LAN interfaces are
usually one of several different varieties of Ethernet or Token Ring. These interfaces have
controller chips that provide the logic for connecting the system to the media. The LAN
interfaces may be a fixed configuration or modular.
The WAN interfaces include serial, ISDN, and integrated CSUs. As with LAN interfaces,
WAN interfaces also have special controller chips for the interfaces. The WAN interfaces
may be a fixed configuration or modular.

The console and AUX ports are serial ports that are used primarily for the initial configuration of a router. They are used for terminal sessions from the communication ports on the computer or through a modem.
Power Supply – The power supply provides the necessary power to operate the internal components. Larger routers may use multiple or modular power supplies. In some of the smaller routers the power supply may be external to the router.
It is not critical to know the location of the physical components inside the router to understand how to use the router. However in some situations, such as adding memory, it can be very helpful. The exact components used and their location varies between router models. Figure (1.2.2) identifies the internal components of a 2600 router.

Figure 1.2.1

Figure 1.2.2

1.3-Cisco router interfaces.
1.3.1-Overview.
The three basic types of connections on a router are LAN interfaces, WAN interfaces, and management ports. LAN interfaces allow routers to connect to the LAN media. This is usually some form of Ethernet. However, it could be some other LAN technology such as Token Ring or FDDI.
WANs provide connections through a service provider to a distant site or to the Internet. These may be serial connections or any number of other WAN interfaces. With some types of WAN interfaces, an external device such as a CSU is required to connect the router to the local connection of the service provider. With other types of WAN connections, the router may be directly connected to the service provider.
The function of management ports is different from the other connections. The LAN and WAN connections provide network connections through which packets are forwarded. The management port provides a text-based connection for the configuration and troubleshooting of the router. The common management interfaces are the console and auxiliary ports. These are EIA-232 asynchronous serial ports. They are connected to a communications port on a computer. The computer must run a terminal emulation program to provide a text-based session with the router. Through this session the network administrator can manage the device.

1.3.2-Management connections:
There are two management port connections: console and auxiliary (AUX) ports. Not all routers have an auxiliary port. These asynchronous serial ports are not designed as networking ports. When the router is first put into service, there are no networking parameters configured. Therefore the router cannot communicate with any network. To prepare for initial startup and configuration, attach an RS-232 ASCII terminal, or attach the rollover cable to a personal computer running terminal emulating software such as HyperTerminal, to the system console port. Then configuration commands can be entered to set up the router.
After the initial configuration is entered into the router through the console or auxiliary port, the router can be connected to the network to troubleshoot or monitor it. The router can also be remotely configured through the configuration port across an IP network using Telnet or by dialing to a modem connected to the console or auxiliary port on the router.
The console port is required for the configuration of the router. The console port is also preferred over the auxiliary port for troubleshooting. This is because it displays router startup, debugging, and error messages by default. The console port can also be used when the networking services have not been started or have failed. Therefore, the console port can be used for disaster and password recovery procedures.
Figures below show management port connections. Figure (1.3.1) shows the console port (which is the most important), connected to the serial port at a computer, while Figure (1.3.2) shows the auxiliary port connected to a modem.

Figure 1.3.1

Figure 1.3.2

More about console port:
The console port is a management port that is used to provide out-of-band access to a router. It is used to set up the initial configuration of a router and to monitor it. The console port is also used for disaster recovery procedures. A rollover cable and an RJ-45 to DB-9 adapter are used to connect a PC to the console port. Cisco supplies the necessary adapter to connect to the console port, regardless of the router type. The PC or terminal must support VT100 terminal emulation. Terminal emulation software such as HyperTerminal is usually used.
The following are steps to connect a PC to a router:
1-Configure terminal emulation software on the PC for the following:
The appropriate COM port
9600 baud
8 data bits
No parity
1 stop bit
No flow control
2-Connect the RJ-45 connector of the rollover cable to the router console port.
3-Connect the other end of the rollover cable to the RJ-45 to DB-9 adapter.
4-Attach the female DB-9 adapter to a PC.

1.3.3-Connecting LAN interfaces.
A router is usually connected to a LAN through an Ethernet or Fast Ethernet interface. The router is a host that communicates with the LAN through a hub or a switch. A straight-through cable is used to make this connection. A 10BASE-TX or 100BASE-TX router interface requires Category 5, or better, unshielded twisted-pair (UTP) cable. In some cases the Ethernet connection of the router is connected directly to the computer or to another router. For this type of connection, a crossover cable is required.
The correct interface must be used. If the wrong interface is connected, it can damage the router or other networking devices. Many different types of connections use the same style of connector. For example Ethernet, ISDN BRI, console, AUX, integrated CSU/DSU, and Token Ring interfaces use the same eight-pin connector, which is RJ-45, RJ-48, or RJ-49.

1.3.4-Connecting WAN interfaces.
A WAN uses many different technologies to make data connections across a broad geographic area. WAN communication services are usually leased from service providers. WAN connection types include leased line, circuit-switched, and packet-switched. Perhaps the most commonly used router interfaces for WAN services are serial interfaces.

1.4-Cisco 1760 router overview.
1.4.1-Key features.

Figure 1.4.1

Feature: One Fast Ethernet (10/100BASE-TX) port
Description:
• Operates in full- or half-duplex mode (with software override support).
• Supports autosensing for 10- or 100-Mbps operation (with software override support).

Feature: Cisco interface cards
Description:
• Supports two slots (slots 0 and 1) for either WICs or voice interface cards (VICs).
• Supports two slots (slots 2 and 3) for VICs only.
• Supports the following WICs: 1T, 2T, 2A/S, 1B-S/T, 1B-U, 1DSU-T1, 1DSU-56K4, 1ADSL, and 1ENET.
• Supports the following VICs: 2FXS, 2FXO, 2FXO-M1, 2FXO-M2, 2FXO-M3, 2FXOEU, 2E&M, 2DID, and 2BRI-NT/TE.
• Changes in WAN interface configuration can be made as your network requirements change, and the cards can be configured and managed from a remote location.

Feature: Console port
Description: Supports router configuration and management from a connected terminal or PC. Supports up to 115.2 kbps.

Feature: Auxiliary port
Description: Supports modem connection to the router. Supports up to 115.2 kbps.

Feature: SNMP support
Description: Supports Simple Network Management Protocol (SNMP) to manage the router over a network.

1.4.2-Ports and LEDs.

Figure 1.4.2
1 Interface Card Slot 0 (WIC/VIC)
2 Interface Card Slot 1 (WIC/VIC)
3 Console Port
4 Interface Card Slot 2 (VIC only)
5 Interface Card Slot 3 (VIC only)
6 Interface Card Slot 3 LEDs
7 Interface Card Slot 2 LEDs
8 Auxiliary Port
9 Ethernet Port
10 Ethernet LEDs
11 Interface Card Slot 1 LEDs
12 Interface Card Slot 0 LEDs
13 MOD OK LED
14 PVDM 0/1 OK LEDs
15 Router OK LED
16 Power LED

Chapter Two: Cisco Inter-network Operating System
Chapter Two
Cisco Inter-network Operating System.
2.1-Router boot sequence.
2.2-Overview of router modes.
2.3-The Cisco file system.

2.1-Router boot sequence:
Routers and switches depend on software for their operation. The two types of software required are operating systems and configuration. The operating system used in almost all Cisco devices is the Cisco IOS. The Cisco IOS is the software that allows the hardware to function as a router or switch. The IOS is stored in a memory area called flash. Flash memory provides non-volatile storage of an IOS that can be used as an operating system at startup. The flash allows the IOS to be upgraded or stores multiple IOS files. In many router architectures, the IOS is copied into and run from RAM.

Figure 2.1.1

2.1.1-Boot process:
This process can be totalized in six main steps as the following:
-First step: the step of turning the router on and the POST (Power On Self Test) process, in which the router tests the power, its memory state and other h/w to ensure that all is ok.
-Second step: here, the router loads and runs bootstrap code from ROM.
-Third step: the router searches for an IOS image that works properly, which is a small file (7 or 12 mega bytes at most, or may differ in some types of routers). The router decides where to go through many choices introduced by it (it depends on whether the user interposed in the boot process).
-Fourth step: the router loads the IOS image that it finds from flash memory to RAM.
-Fifth step: the router searches the NVRAM for a proper startup configuration file.
-Sixth step: if the startup configuration file is found (that is, it is prepared to work on this router), then it is run; else the router will enter the setup mode to be configured (this case occurs if the router is to be configured for the first time or the old configuration file has been removed by the user).

Figure 2.1.2

2.2-Overview of router modes.
2.2.1-General description.
The Cisco IOS devices have three distinct operating environments or modes:
1-ROM monitor
2-Boot ROM
3-Cisco IOS
At startup, a Cisco router normally loads into RAM and executes one of these operating environments. A system administrator can use the configuration register setting to control the default startup mode for a router.
1-The ROM monitor performs the bootstrap process and provides low-level functionality and diagnostics. It is used to recover from system failures and to recover a lost password. The ROM monitor cannot be accessed through any of the network interfaces. It can only be accessed by way of a direct, physical connection through the console port.
2-When the router is running in boot ROM mode, only a limited subset of the Cisco IOS feature set is available. Boot ROM allows write operations to flash memory and is used primarily to replace the Cisco IOS image that is stored in flash. The Cisco IOS image can be modified in boot ROM with the copy tftp flash command. This command copies an IOS image that is stored on a TFTP server into the flash memory of a router.
3-The normal operation of a router requires use of the full Cisco IOS image as stored in flash. In some devices, the IOS is executed directly from flash. However, most Cisco routers require a copy of the IOS to be loaded into RAM and also executed from RAM. Some IOS images are stored in flash in a compressed format and have to be expanded when copied to RAM.
*To see the IOS image and version that is running, use the show version command, which also indicates the configuration register setting. The show flash command is used to verify that the system has sufficient memory to load a new Cisco IOS image.

Table 2.2.1
Operating Environment (Mode)   Prompt           Usage
ROM Monitor                    > or ROMMON>     Failure or password recovery.
Boot ROM                       Router(boot)>    Flash image upgrade.
Cisco IOS                      Router>          Normal operation.

2.2.2-How a Cisco device locates and loads IOS:
The default source for Cisco IOS software depends on the hardware platform. Most routers use the boot system commands saved in NVRAM. Cisco IOS software allows several alternatives to be used. Other sources can be specified for the software, or the router can use its own fallback sequence to load the software. The settings in the configuration register enable the following alternatives (Figure 2.1.2):
*Global configuration mode boot system commands can be specified to enter fallback sources for a router to use in sequence. The router will use these commands as needed when it restarts.
*If NVRAM lacks boot system commands that a router can use, the system will use the Cisco IOS software in flash memory by default.
*If flash memory is empty, a router will try to use a TFTP server to load an IOS image from the network. The router will use the configuration register value to form a filename from which to boot a default system image that is stored on a network server.
*If a TFTP server is unavailable, the router will load the limited version Cisco IOS software image stored in ROM.

2.2.3-Cisco IOS mode of operation.
To enter commands and configure a Cisco router, a user must log into the router to access the user interface. For security purposes, a Cisco router has two levels of access to commands:
User EXEC mode – Typical tasks include commands that check the status of a router.
Privileged EXEC mode – Typical tasks include commands that change the router configuration.
The user EXEC mode prompt is displayed upon login to a router. To enter privileged EXEC mode, type enable at the > prompt. If a password has been set, enter it at the password: prompt. Two commands can be used to set a password used to access privileged EXEC mode: enable password and enable secret (we'll show how to set passwords to a router in chapter four). If both commands are used, the enable secret command takes precedence. After the login steps have been completed, the prompt changes to a #. This indicates that the privileged EXEC mode has been entered. The global configuration mode can only be accessed from the privileged EXEC mode. The following are specific modes that can also be accessed from the global configuration mode:
-Interface
-Subinterface
-Line
-Router
-Route-map
To return to the user EXEC mode from the privileged EXEC mode, the disable command may be entered. Type exit or end or press Ctrl-Z to return to privileged EXEC mode from global configuration mode. Ctrl-Z may also be used to return directly to the privileged EXEC mode from any sub-mode of global configuration.

Figure 2.2.1

2.3-The Cisco file system.
2.3.1-Overview:
Each of the software components is stored in memory as a separate file. These files are also stored in different types of memory. The IOS is stored in a memory area called flash. Flash memory provides non-volatile storage of an IOS that can be used as an operating system at startup. The flash allows the IOS to be upgraded or stores multiple IOS files. In many router architectures, the IOS is copied into and run from RAM.
A copy of the configuration file is stored in NVRAM to be used during startup. This is referred to as the startup configuration or startup config. The configuration in RAM is used to operate a router. It is referred to as the running configuration or running config.
Version 12 and later releases of the IOS provide a single interface to all the file systems that a router uses. This is referred to as the Cisco IOS File System (IFS). The IFS provides a single method to perform all the file system management for a router. This includes the flash memory file systems, the network file systems, such as TFTP and FTP, and read or write data, such as NVRAM, the running configuration, and ROM. The IFS uses a common set of prefixes to specify file system devices.

2.3.2-The IOS naming convention:
To identify the different versions, there is a naming convention for IOS files. This IOS naming convention uses different fields in the name. The fields include the hardware platform identification, the feature set identification, and the numerical release (Figure 2.3.1).

Figure 2.3.1

(1) The first part of the Cisco IOS file name identifies the hardware platform for which an image is designed.
(2) The second part of the IOS file name identifies the various features that a file contains. There are many different features to choose from. These features are packaged in software images. Each feature set contains a specific subset of Cisco IOS features. Here are some examples of feature-set categories:
Basic - A basic feature set for a hardware platform such as IP and IP/FW.
Plus - A basic feature set plus additional features such as IP Plus, IP/FW Plus, and Enterprise Plus.
Encryption - A 56-bit data encryption feature set, such as Plus 56, that is combined with a basic or plus feature set. Examples include IP/ATM PLUS IPSEC 56 or Enterprise Plus 56. The encryption designators for Cisco IOS Release 12.2 or later are k8 and k9:
—k8 - Less than or equal to 64-bit encryption in IOS version 12.2 and later
—k9 - Greater than 64-bit encryption in IOS version 12.2 and later
(3) The third part of the file name indicates the file format. It specifies if the IOS is stored in flash in a compressed format and whether the IOS is relocatable. If the flash image is compressed, the IOS must be expanded during boot as it is copied to RAM. A relocatable image is copied from flash into RAM to run. A non-relocatable image is run directly from flash.
(4) The fourth part of the file name identifies the release of the IOS. The numerical version number increases for newer versions of the IOS.
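The four-part naming convention above can be applied mechanically. The following parser is an added example (not code from this document) that splits an image name into platform, feature set, format and release; the image names are constructed, and the letter meanings for the third field (where the image executes, how it is compressed) are assumed from Cisco's published convention rather than taken from this page.

```python
"""Parse a Cisco IOS image file name into the four parts described in 2.3.2.

Added example, not from the page. The image names used below are constructed.
The letter meanings for the third field are assumed from Cisco's published
naming convention; the page only says that field records compression and
relocatability.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Third field, first letter: execution location / relocatability (assumed).
MEMORY_LOCATION = {
    "f": "runs from flash",
    "m": "runs from RAM",
    "r": "runs from ROM",
    "l": "relocatable",
}
# Third field, following letter: compression scheme (assumed).
COMPRESSION = {
    "z": "zip compressed",
    "x": "mzip compressed",
    "w": "stac compressed",
}

# platform-features-format.release[.bin], e.g. c2600-ik9s-mz.122-15.T.bin
_NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<release>\d{3}-\d+(?:\.\w+)?)(?:\.bin)?$"
)


@dataclass
class IosImageName:
    platform: str              # (1) hardware platform the image is built for
    feature_set: str           # (2) feature-set letters, e.g. "ik9s"
    encryption: Optional[str]  # k8 / k9 designator found in the feature set
    memory_location: str       # (3) where the image executes
    compression: str           # (3) how the image is compressed
    release: str               # (4) release, e.g. "12.2(15)T"


def _encryption_designator(features: str) -> Optional[str]:
    # Page: k8 = at most 64-bit encryption, k9 = greater than 64-bit (12.2+).
    m = re.search(r"k[89]", features)
    return m.group(0) if m else None


def _format_release(raw: str) -> str:
    # "122-15.T" -> "12.2(15)T": two-digit major, one-digit minor,
    # maintenance number in parentheses, optional release-train suffix.
    m = re.fullmatch(r"(\d{2})(\d)-(\d+)(?:\.(\w+))?", raw)
    if m is None:
        raise ValueError(f"unrecognised release field: {raw!r}")
    major, minor, maint, train = m.groups()
    return f"{major}.{minor}({maint}){train or ''}"


def parse_ios_image_name(name: str) -> IosImageName:
    """Split an IOS image file name into platform, feature set, format and release."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a Cisco IOS image name: {name!r}")
    location, compression = "unknown", "uncompressed"
    for ch in m.group("fmt"):
        if ch in MEMORY_LOCATION and location == "unknown":
            location = MEMORY_LOCATION[ch]
        elif ch in COMPRESSION:
            compression = COMPRESSION[ch]
        else:
            raise ValueError(f"unknown format letter {ch!r} in {name!r}")
    return IosImageName(
        platform=m.group("platform"),
        feature_set=m.group("features"),
        encryption=_encryption_designator(m.group("features")),
        memory_location=location,
        compression=compression,
        release=_format_release(m.group("release")),
    )


if __name__ == "__main__":
    for img in ("c2600-ik9s-mz.122-15.T.bin", "c2600-i-mz.123-26"):
        print(parse_ios_image_name(img))
```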

Chapter Three: Router Configuration Language (Router Instruction Set)
Chapter Three
Router Configuration Language (Router Instruction Set).
3.1-Basic Router Operations.
3.2-Viewing Router Information.
3.3-Cisco Discovery Protocol.
3.4-Managing Configuration Files.
3.5-Password.
3.6-Router Identification.
3.7-Auto-Install.
3.8-Configuring a Serial Interface.
3.9-TCP/IP.
3.10-IPX/SPX.
3.11-Config-Reg.
3.12-Access-Lists.
3.13-IP Standard Access-Lists [1-99] filter on Source Address Template.
3.14-IP Extended Access-Lists [100-199] filter on Srce+Dest Address Template, Port, Protocol.
3.15-IPX Standard Access-Lists [800-899] filter on Srce+Dest Address Template.
3.16-IPX Extended Access-Lists [900-999] filter on Srce+Dest Address Template, Socket, Protocol.
3.17-IPX SAP Access-Lists [1000-1999] filter on Source, Port, Service Name.
3.18-Frame-Relay.
3.19-PPP.

3.1-Basic Router Operations.
3.2-Viewing Router Information.

3.3-Cisco Discovery Protocol.
3.4-Managing Configuration Files.
3.5-Password.

3.6-Router Identification.
3.7-Auto-Install.
3.8-Configuring a Serial Interface.
3.9-TCP/IP.

3.10-IPX/SPX.

3.11-Config-Reg.
3.12-Access-Lists.

3.13-IP Standard Access-Lists [1-99] filter on Source Address Template.
3.14-IP Extended Access-Lists [100-199] filter on Srce+Dest Address Template, Port, Protocol.
3.15-IPX Standard Access-Lists [800-899] filter on Srce+Dest Address Template.
3.16-IPX Extended Access-Lists [900-999] filter on Srce+Dest Address Template, Socket, Protocol.
3.17-IPX SAP Access-Lists [1000-1999] filter on Source, Port, Service Name.

3.18-Frame-Relay.
3.19-PPP.

6-Host tables. which is Basrah. Most Cisco routers support five vty lines numbered 0 through 4. a unique password can be set for one line to provide a fall-back entry to the router if the other four connections are in use. 4.1-Configuring a router name. Other hardware platforms support different numbers of vty connections. Passwords are also used to control access to privileged EXEC mode so that only authorized users may make changes to the configuration file. This task is accomplished in global configuration mode with the following command: Router(config)# hostname Basrah Basrah (config)# When the Enter key is pressed.26 - . The following commands are used to set a password on vty lines: Router(config)#line vty 0 4 Router(config-line)#login Router(config-line)#password <password > The enable password and enable secret commands are used to restrict access to the privileged EXEC mode. 4. The following commands are used to set an optional but recommended password on the console line: Router(config)#line console 0 Router(config-line)#login Router(config-line)#password <password > A password must be set on one or more of the vty lines for users to gain remote access to a router through Telnet.2-Setting passwords. Passwords restrict access to routers.2-Setting passwords. 4. which is Router.5-Changing configuration. However. The same password is generally used for all vty lines. 4. 4. 4. 4. Passwords should always be configured for virtual terminal (vty) lines and the console line. the prompt will change from the default host name. A router should be given a unique name as one of the first configuration tasks.4-Configuring an Ethernet interface.Chapter Four: Configuring a Router Chapter Four Configuring a Router. to the newly configured host name. The enable password is only used if the enable secret has not been .3-Configuring a serial interface. 4.1-Configuring a router name.

To configure a serial interface follow these steps: 1-Enter global configuration mode. Skip this step if a DTE cable is connected. Figure 4. 3-Specify the interface address and subnet mask.3-Configuring a serial interface. This command is used to encrypt passwords in configuration output: Router(config)#service password-encryption The service password-encryption command applies a weak encryption to all unencrypted passwords.set. The enable secret command should be used because the enable secret command is encrypted. Configure the IP address with the following commands: Router(config)#interface serial 0/0 Router(config-if)#ip address <ip address > <netmask > . 5-Turn on the interface. 4-Set clock rate if a DCE cable is connected.1 4. The following commands are used to set the passwords: Router(config)#enable password <password > Router(config)#enable secret <password > Sometimes it is undesirable for passwords to be shown in clear text in the output from the show running-config or show startup-config commands.27 - . Each connected serial interface must have an IP address and subnet mask to route IP packets. The enable secret <password > command uses a strong MD5 algorithm for encryption.2. 2-Enter interface mode. The enable password command is not encrypted.

Serial interfaces require a clock signal to control the timing of the communications. In most environments, a DCE device such as a CSU/DSU will provide the clock. By default, Cisco routers are DTE devices, but they can be configured as DCE devices. On serial links that are directly interconnected, as in a lab environment, one side must be considered a DCE and provide a clocking signal. The clock is enabled and the speed is specified with the clock rate command. The available clock rates in bits per second are 1200, 2400, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 148000, 500000, 800000, 1000000, 1300000, 2000000, or 4000000. Some bit rates might not be available on certain serial interfaces; this depends on the capacity of each interface. In the lab environment, the clock rate setting that will be used is 56000.
By default, interfaces are turned off, or disabled. To turn on or enable an interface, the command no shutdown is entered. If an interface needs to be administratively disabled for maintenance or troubleshooting, use the shutdown command to turn off the interface. The commands that are used to set a clock rate and enable a serial interface are as follows:
Router(config)#interface serial 0/0
Router(config-if)#clock rate 56000
Router(config-if)#no shutdown

4.4-Configuring an Ethernet interface.
To configure an Ethernet interface follow these steps:
1-Enter global configuration mode.
2-Enter interface configuration mode.
3-Specify the interface address and subnet mask.
4-Enable the interface.
Each Ethernet interface must have an IP address and subnet mask to route IP packets. By default, interfaces are turned off, or disabled. To turn on or enable an interface, the command no shutdown is entered. If an interface needs to be disabled for maintenance or troubleshooting, the shutdown command is used to turn off the interface.

4.5-Changing configuration.
If a configuration requires modification, go to the appropriate mode and enter the proper command. For example, if an interface must be enabled, enter global configuration mode, enter interface mode, and issue the command no shutdown. To verify changes, use the show running-config command. This command will display the current configuration. If the variables displayed are not correct, the environment can be changed in the following ways:
*Issue the no form of a configuration command.

*Reload the system to return to the original configuration file from NVRAM.
*Copy an archived configuration file from a TFTP server.
*Remove the startup configuration file with the erase startup-config command, then restart the router and enter setup mode.
To save the configuration variables to the startup configuration file in NVRAM, enter the following command at the privileged EXEC prompt:
Router#copy running-config startup-config
Figure 4.5.1

4.6-Host tables.
Host name resolution is the process that a computer system uses to associate a host name with an IP address. In order to use host names to communicate with other IP devices, network devices such as routers must be able to associate the host names with IP addresses. A list of host names and their associated IP addresses is called a host table. A host table might include all devices in a network organization. Each unique IP address can have a host name associated with it. The Cisco IOS software maintains a cache of host name-to-address mappings for use by EXEC commands. This cache speeds up the process of converting names to addresses. Host names, unlike DNS names, are significant only on the router on which they are configured. The host table will allow the network administrator to type either the host name, such as Basrah, or the IP address to Telnet to a remote host. The following is an example of the configuration of the host table on a router:
Router(config)#ip host Dubai 172.16.32.1
Router(config)#ip host Cairo 192.168.53.1
Router(config)#ip host Tehran 10.202.8.1

Chapter Five: Network Remote Access

Contents:
5.1-PING.
5.2-Traceroute.
5.3-Telnet.
5.4-CDP.

5.1-PING.
The ping command (which stands for "Packet Internetwork Groper") is a very common method for troubleshooting the accessibility of devices. The name "ping" is taken from the sonar operation used to locate objects. The Ping program was written by Mike Muuss and it tests whether another host is reachable. It uses a series of Internet Control Message Protocol (ICMP) echo messages to determine:
*whether a remote host is active or inactive;
*the round-trip delay in communicating with the host, giving us some indication of how "far away" that host is;
*packet loss.
The ping command first sends an echo request packet to an address, then waits for a reply. The ping is successful only if:
*the echo request gets to the destination, and
*the destination is able to get an echo reply back to the source within a predetermined time called a timeout. The default value of this timeout is two seconds on Cisco routers.
Normally, if you can't ping a host, you won't be able to Telnet or FTP to that host. Conversely, if you can't Telnet to a host, ping is often the starting point to determine what the problem is.
Figure 5.1.1
The echo reply includes a time-to-live (TTL) value. TTL is a field in the IP packet header used by IP to provide a limitation on packet forwarding. As each router processes the packet, it decreases the TTL value by one. When a router receives a packet with a TTL value of 1, it will decrement the TTL value to 0 and the packet cannot be forwarded: the undeliverable packet is dropped, and an ICMP message may be generated and sent back to the source machine.
We call the ping program that sends the echo requests the client, and the host being pinged the server. Most TCP/IP implementations support the ping server directly in the kernel; the server is not a user process.
Figure 5.1.2 Format of ICMP message for echo request and echo reply.
The table below lists the possible output characters from the ping facility:
Table 5.1.1
Table 5.1.2 This table lists possible ICMP type values.
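The exchange described above, as an added example that is not part of the original document: the client builds an ICMP echo request (type 8), the kernel-resident server answers with an echo reply (type 0) that carries back the same identifier, sequence number and payload, and the client turns each answer into one of the result characters that IOS prints ("!" for a reply, "." for a timeout, "U" for destination unreachable, "&" for TTL exceeded, "Q" for source quench, "?" for anything else). No packets touch the network: the send callable passed to ping() stands in for the path to the destination, and the two senders used here (one that always answers, one that loses every second probe) are constructed for the example.

```python
"""Added example: ICMP echo request/reply construction, checksum and the
IOS-style result line, in pure Python and offline.  Not Cisco code."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, identifier, sequence) plus payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message; reject short packets and bad checksums first."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def echo_server(request: bytes):
    """What the ping server in the kernel does: echo the request back as a reply."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        return None
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def result_char(reply, ident: int, seq: int) -> str:
    """Map one answer (None on timeout) to the character IOS prints for it."""
    if reply is None:
        return "."
    try:
        msg = parse_icmp(reply)
    except ValueError:
        return "?"
    if msg["type"] == ICMP_ECHO_REPLY:
        # A reply that belongs to another probe (or another process) is not ours.
        return "!" if (msg["id"], msg["seq"]) == (ident, seq) else "?"
    return {ICMP_DEST_UNREACHABLE: "U", ICMP_TIME_EXCEEDED: "&",
            ICMP_SOURCE_QUENCH: "Q"}.get(msg["type"], "?")


def ping(send, count: int = 5, ident: int = 0x4242) -> tuple:
    """Send 'count' 100-byte echos (8-byte header + 92-byte payload, the IOS
    default size) through 'send' and return (result string, success rate %)."""
    payload = b"\xab\xcd" * 46
    chars = []
    for seq in range(1, count + 1):
        reply = send(build_echo(ICMP_ECHO_REQUEST, ident, seq, payload))
        chars.append(result_char(reply, ident, seq))
    return "".join(chars), 100 * chars.count("!") // count


def lossy_server(request: bytes):
    """Constructed sender that loses every second probe, to show the '.' output."""
    return None if parse_icmp(request)["seq"] % 2 == 0 else echo_server(request)


if __name__ == "__main__":
    print(ping(echo_server))   # ('!!!!!', 100)
    print(ping(lossy_server))  # ('!.!.!', 60)
```

The identifier/sequence check in result_char matters in practice: the ICMP socket delivers every echo reply on the host, so a client that does not match the identifier and sequence number against what it sent will count replies meant for someone else.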

Illustrative example: Consider the following network diagram:
Router1#ping 12.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
Router1#
Jan 20 15:54:47.487: IP: s=12.0.0.1 (local), d=12.0.0.2 (Serial0), len 100, sending
Jan 20 15:54:47.491: ICMP type=8, code=0
!--- This is the ICMP packet 12.0.0.1 sent to 12.0.0.2.
!--- ICMP type=8 corresponds to the echo message.
Jan 20 15:54:47.523: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 100, rcvd 3
Jan 20 15:54:47.527: ICMP type=0, code=0
!--- This is the answer we get from 12.0.0.2.
!--- ICMP type=0 corresponds to the echo reply message.
!--- By default, the repeat count is five times, so there will be five
!--- echo requests and five echo replies.

5.2-Traceroute.
The traceroute command (the traceroute program was written by Van Jacobson) is used to discover the routes that packets actually take when traveling to their destination. The device (for example, a router or a PC) sends out a sequence of User Datagram Protocol (UDP) datagrams to an invalid port address at the remote host. Three datagrams are sent, each with a Time-To-Live (TTL) field value set to one. The TTL value of 1 causes the datagram to "time out" as soon as it hits the first router in the path; this router then responds with an ICMP Time Exceeded Message (TEM) indicating that the datagram has expired. Another three UDP messages are now sent, each with the TTL value set to 2, which causes the second router to return ICMP TEMs. This process continues until the packets actually reach the destination. Since these datagrams are trying to access an invalid port at the destination host, ICMP Port Unreachable Messages are returned, indicating an unreachable port; this event signals the traceroute program that it is finished. The purpose behind this is to record the source of each ICMP Time Exceeded Message to provide a trace of the path the packet took to reach the destination.
Table 5.2.1 IP Traceroute Text Characters.
Illustrative example: Consider the following network structure:
Router1#traceroute 34.0.0.4
Type escape sequence to abort.
Tracing the route to 34.0.0.4
  1 12.0.0.2 4 msec 4 msec 4 msec
  2 23.0.0.3 20 msec 16 msec 16 msec
  3 34.0.0.4 16 msec * 16 msec

Jan 20 16:42:48.611: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.615: UDP src=39911, dst=33434
Jan 20 16:42:48.635: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.639: ICMP type=11, code=0
!--- ICMP Time Exceeded Message from Router2.
Jan 20 16:42:48.643: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.647: UDP src=34237, dst=33435
Jan 20 16:42:48.667: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.671: ICMP type=11, code=0
Jan 20 16:42:48.675: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.679: UDP src=33420, dst=33436
Jan 20 16:42:48.699: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.703: ICMP type=11, code=0
!--- This is the first sequence of packets we send with a TTL=1.
!--- The first router, in this case Router2 (12.0.0.2), drops the packet
!--- and sends back to the source (12.0.0.1) a type=11 ICMP message.
!--- This corresponds to the Time Exceeded Message.
Jan 20 16:42:48.707: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.711: UDP src=35734, dst=33437
Jan 20 16:42:48.743: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.747: ICMP type=11, code=0
!--- ICMP Time Exceeded Message from Router3.
Jan 20 16:42:48.751: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.755: UDP src=36753, dst=33438
Jan 20 16:42:48.787: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.791: ICMP type=11, code=0
Jan 20 16:42:48.795: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.799: UDP src=36561, dst=33439
Jan 20 16:42:48.827: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.831: ICMP type=11, code=0
!--- The same process occurs for Router3 (23.0.0.3) with a TTL=2.
Jan 20 16:42:48.839: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.843: UDP src=34327, dst=33440
Jan 20 16:42:48.887: IP: s=34.0.0.4 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.891: ICMP type=3, code=3
!--- Port Unreachable message from Router4.
Jan 20 16:42:48.895: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.899: UDP src=37181, dst=33441
Jan 20 16:42:48.943: IP: s=34.0.0.4 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.947: ICMP type=3, code=3
Jan 20 16:42:51.895: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:51.899: UDP src=37534, dst=33442
!--- With a TTL=3, we finally reach Router4. This time, since the port is not
!--- valid, Router4 sends back to Router1 an ICMP message with type=3, a
!--- Destination Unreachable Message, and code=3, meaning port unreachable.

5.3-Telnet.
Telnet is a virtual terminal protocol that is part of the TCP/IP protocol suite. It allows connections to be made to remote hosts. Telnet provides a network terminal or remote login capability. Telnet functions at the application layer of the OSI model, and depends on TCP to guarantee the correct and orderly delivery of data between the client and server. Telnet is an IOS EXEC command used to verify the application layer software between source and destination. This is the most complete test mechanism available. A router can have simultaneous incoming Telnet sessions; the numbers zero through four are used to specify the five vty, or Telnet, lines. Note that Telnet carries the login and enable passwords in clear text, so anyone able to capture the traffic between client and router can read them. To initiate a Telnet session any of the following alternatives can be used:
Basrah>connect Dubai
Basrah>Dubai
Basrah>131.108.100.152
Basrah>telnet Dubai
Figure 5.3.1
Figure 5.3.2

A host name table or access to DNS must be present for Telnet with a name to work. Otherwise, the IP address of the remote router must be entered. Telnet can be used to determine if a remote router can be accessed. As shown in Figure 5.3.3, if Telnet is used successfully to connect the York router to the Paris router, then a basic test of the network connection is successful. This operation can be performed at either the user or privileged EXEC level. A successful Telnet connection indicates that the upper-layer application functions properly. If Telnet to one router is successful, failure to another router is likely caused by addressing, naming, or access permission problems. The problem may exist on the original router or on the router that failed as a Telnet target. The next step is to use the ping command, covered in section 5.1, which can be used to test end-to-end connections at the network layer. If remote access can be obtained through another router, then at least one TCP/IP application can reach the remote router. Once the Telnet session is completed, log off the host. The Telnet connection will terminate after ten minutes of inactivity by default, or when the exit command is entered at the EXEC prompt.
Figure 5.3.3

5.4-CDP (Cisco Discovery Protocol).
CDP is used to obtain information about neighboring Cisco devices. CDP is a Layer 2 protocol that connects the lower physical media and the upper network layer protocols. CDP operates at the data link layer and allows two systems to learn about each other, even if they use different network layer protocols. CDP is media and protocol independent, and runs on all Cisco equipment over the Subnetwork Access Protocol (SNAP). The primary use of CDP is to discover all Cisco devices that are directly connected to a local device. When a Cisco device boots up, CDP starts automatically and allows the device to detect neighbor devices that use CDP. Each device that is configured for CDP sends periodic messages, known as advertisements, to directly connected Cisco devices. Each device advertises at least one address at which it can receive Simple Network Management Protocol (SNMP) messages. The advertisements also contain time-to-live, or holdtime, information, which indicates the length of time that receiving devices should hold CDP information before they discard it. Each device also listens to the periodic CDP messages sent by others to learn about neighbor devices. Each router that uses CDP exchanges protocol information with its neighbors. The network administrator can display the results of this CDP information exchange on a console that is connected to a local router. Figure 5.4.1 displays an example of how CDP delivers its collection of information to a network administrator. An administrator can use the show cdp neighbors command to display information about the networks that are directly connected to a router, as shown in Figure 5.4.1: the types of devices connected, the router interfaces they are connected to, the interfaces used to make the connections, and the model numbers of the devices. The show cdp neighbors command displays CDP updates on the local device. CDP transmits type length values (TLVs) to provide information about each CDP neighbor device.
Figure 5.4.1

TLVs are blocks of information embedded in CDP advertisements. Device TLVs displayed by the show cdp neighbors command include the following:
-Device ID
-Local Interface
-Holdtime
-Capability
-Platform
-Port ID
Notice that the router at the bottom of Figure 5.4.1 is not directly connected to the console router that is used by the administrator. To obtain CDP information about this device, the administrator would need to Telnet to a router that is directly connected to it. The cdp run command is used to enable CDP globally on a router; by default, CDP is globally enabled. The cdp enable command is used to enable CDP on a particular interface. On Cisco IOS Release 10.3 or higher, CDP is enabled by default on all supported interfaces to send and receive CDP information, and it can be enabled on all device interfaces with the cdp enable command. Because these advertisements hand the platform, software version and management addresses to whatever is plugged into the interface, CDP should be turned off on interfaces that face untrusted networks with the no cdp enable command (or globally with no cdp run). (For more CDP commands, see chapter three.)
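The TLV structure described above, as an added example that is not part of the original document: building the body of a CDP advertisement and parsing it back, so the exact information a device hands to every neighbour is visible. The TLV type numbers, the capability bits and the IPv4 address encoding are the ones CDP uses; the device ("Basrah", a cisco 1760 on Serial0/0 with address 172.16.32.1), its software version string and the frame itself are constructed for this example. Ethernet/SNAP encapsulation is not shown and the CDP checksum field is left at zero and not verified.

```python
"""Added example: build and parse the TLVs of a CDP advertisement.  Not Cisco
code; the frame is constructed for the example."""
import ipaddress
import struct

TLV_DEVICE_ID = 0x0001
TLV_ADDRESSES = 0x0002
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_SOFTWARE_VERSION = 0x0005
TLV_PLATFORM = 0x0006
TLV_NAMES = {TLV_DEVICE_ID: "Device ID", TLV_ADDRESSES: "Addresses", TLV_PORT_ID: "Port ID",
             TLV_CAPABILITIES: "Capabilities", TLV_SOFTWARE_VERSION: "Software Version",
             TLV_PLATFORM: "Platform"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans-Bridge"), (0x04, "Source-Route-Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]
NLPID_IP = 0xCC          # protocol byte that tags an IPv4 address entry


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (2 bytes), length (2 bytes, counting this 4-byte header), value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def addresses_value(ips) -> bytes:
    """Addresses body: count, then per entry (protocol type, protocol length,
    protocol, address length, address)."""
    body = struct.pack("!I", len(ips))
    for ip in ips:
        packed = ipaddress.IPv4Address(ip).packed
        body += bytes([1, 1, NLPID_IP]) + struct.pack("!H", len(packed)) + packed
    return body


def build_cdp(device_id, port_id, capabilities, platform, version, ips, holdtime=180) -> bytes:
    """CDP header (version 2, holdtime, checksum left zero) followed by the TLVs."""
    header = struct.pack("!BBH", 2, holdtime, 0)
    return (header
            + tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_ADDRESSES, addresses_value(ips))
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + tlv(TLV_SOFTWARE_VERSION, version.encode())
            + tlv(TLV_PLATFORM, platform.encode()))


def parse_addresses(value: bytes):
    """Decode the Addresses body, keeping IPv4 entries and refusing truncated ones."""
    if len(value) < 4:
        raise ValueError("Addresses TLV too short")
    count, = struct.unpack("!I", value[:4])
    pos, found = 4, []
    for _ in range(count):
        if pos + 2 > len(value):
            raise ValueError("truncated address entry")
        ptype, plen = value[pos], value[pos + 1]
        if pos + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[pos + 2:pos + 2 + plen]
        alen, = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address")
        pos += 4 + plen + alen
        if ptype == 1 and proto == bytes([NLPID_IP]) and alen == 4:
            found.append(str(ipaddress.IPv4Address(addr)))
    return found


def parse_cdp(frame: bytes) -> dict:
    """Walk the TLVs.  A length below 4 or running past the frame is treated as
    malformed instead of being looped on or read out of bounds."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the CDP header")
    version, holdtime, _checksum = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "holdtime": holdtime}
    pos = 4
    while pos < len(frame):
        if pos + 4 > len(frame):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", frame[pos:pos + 4])
        if length < 4 or pos + length > len(frame):
            raise ValueError("malformed TLV length %d at offset %d" % (length, pos))
        value = frame[pos + 4:pos + length]
        name = TLV_NAMES.get(tlv_type, "TLV 0x%04x" % tlv_type)
        if tlv_type == TLV_CAPABILITIES and len(value) == 4:
            bits, = struct.unpack("!I", value)
            info[name] = [label for bit, label in CAPABILITY_BITS if bits & bit]
        elif tlv_type == TLV_ADDRESSES:
            info[name] = parse_addresses(value)
        else:
            info[name] = value.decode("ascii", errors="replace")
        pos += length
    return info


if __name__ == "__main__":
    frame = build_cdp("Basrah", "Serial0/0", 0x01, "cisco 1760", "IOS 12.3", ["172.16.32.1"])
    for key, val in parse_cdp(frame).items():
        print("%-16s %s" % (key, val))
```

The length checks in parse_cdp are not decoration: a TLV whose length field is 0 would otherwise never advance the parser, and one whose length exceeds the frame would read past the buffer in a less forgiving language. Anyone on the same segment can send such frames, so a CDP listener must treat them as untrusted input.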

Chapter Six: Access Control Lists (ACLs)

Contents:
6.1-Introduction to ACLs.
6.2-ACLs types.
6.3-Illustrative examples.
6.4-Restricting virtual terminal access.

6.1-Introduction to ACLs.
6.1.1-What are ACLs?
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network. ACLs can be configured at the router to control access to a network or subnet. To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces. The router examines each packet and will forward or discard it based on the conditions specified in the ACL. An ACL makes its filtering decisions based on source address, destination address, protocols, and upper-layer port numbers.
Figure 6.1.1

Figure 6.1.2
ACLs must be defined on a per protocol, per direction, or per port basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. ACLs control traffic in one direction at a time on an interface; two separate ACLs must be created to control inbound and outbound traffic. Every interface can have multiple protocols and directions defined. If the router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each protocol, times two for each direction, times two for the number of ports.

6.1.2-Wildcard mask.
A wildcard mask (also known as an inverse mask) is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits. The term wildcard mask represents the ACL mask-bit matching process and comes from an analogy of a wildcard that matches any other card in the game of poker. This mask is known as inverse because it works completely opposite to a standard subnet mask: where a standard subnet mask would have a "0" bit, the inverse mask has a "1" bit, and vice versa. A zero indicates a value that will be checked; the Xs, or ones, are used to ignore values. Wildcard masks have no functional relationship with subnet masks. Subnet masks use binary ones and zeros to identify the network, subnet, and host portions of an IP address. Wildcard masks use binary ones and zeros to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address. The subnet mask and the wildcard mask represent two different things when they are compared to an IP address; they are used for different purposes and follow different rules. The mask in Figure 6.1.3 would be written as 0.0.255.255. In the wildcard mask process, the IP address in the access-list statement has the wildcard mask applied to it. This creates the match value, which is used to compare and see if a packet should be processed by this ACL statement. The second part of the ACL process is that any IP address that is checked by a particular ACL statement will have the wildcard mask of that statement applied to it. The result of the IP address and the wildcard mask must equal the match value of the ACL; otherwise the packet is sent to the next statement to be checked.

There are two special keywords that are used in ACLs, the any and host options. The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask; this option will match any address that it is compared against. The host option substitutes 0.0.0.0 for the mask; this mask requires that all bits of the ACL address and the packet address match, so the option will match just one address (Figure 6.1.4).
Figure 6.1.3
Figure 6.1.4

6.2-ACLs types.
6.2.1-Standard access lists.
Standard ACLs check the source address of IP packets that are routed. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. For example, packets that come in Fa0/0 are checked for their source addresses and protocols. If they are permitted, the packets are routed through the router to an output interface. If they are not permitted, they are dropped at the incoming interface (Figure 6.2.1). The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). In Cisco IOS Software Release 12.0.1, standard ACLs began using additional numbers (1300 to 1999) to provide a maximum of 798 possible standard ACLs. These additional numbers are referred to as expanded IP ACLs. In the first ACL statement, notice that there is no wildcard mask. Since no mask is shown, the default mask of 0.0.0.0 is used: the entire address must match, or the router must check for a match in the next line of the ACL. The full syntax of the standard ACL command is as follows:
Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
The remark keyword makes the access list easier to understand. Each remark is limited to 100 characters. For example, it is not immediately clear what the purpose of the following entry is:
Router(config)#access-list 1 permit 171.69.2.88
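The wildcard-mask comparison of section 6.1.2 and the top-down, first-match evaluation of a standard ACL described in 6.2.1, as one added example that is not part of the original document. It also makes two things explicit that the prose only implies: every ACL ends in an implicit "deny any", and a statement placed after a wider one that already covers its addresses can never take effect. The ACL lines in SAMPLE_ACL are constructed for this example (the first two reuse the remark example from the text).

```python
"""Added example: wildcard-mask matching and standard ACL evaluation, including
the implicit deny and detection of shadowed statements.  Not Cisco code."""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'.
    Mask both addresses with the inverted wildcard and compare the results."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))


def parse_standard_acl(config_lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [W]}' lines into
    (number, action, address, wildcard) tuples; remark lines are skipped."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action, src = int(tok[1]), tok[2], tok[3:]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action in: " + line)
        if src[0] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            addr, wc = src[1], "0.0.0.0"
        else:
            addr, wc = src[0], (src[1] if len(src) > 1 else "0.0.0.0")  # default mask 0.0.0.0
        entries.append((number, action, addr, wc))
    return entries


def evaluate(entries, acl_number: int, source_addr: str) -> str:
    """Statements are tested in order and the first match decides.  A packet that
    matches no statement hits the implicit 'deny any' that ends every ACL."""
    for number, action, addr, wc in entries:
        if number == acl_number and wildcard_match(source_addr, addr, wc):
            return action
    return "deny"


def covers(outer, inner) -> bool:
    """True when every address matched by 'inner' (addr, wildcard) is also matched
    by 'outer': outer's checked bits are a subset of inner's and agree in value."""
    o_addr, o_wc = to_int(outer[0]), to_int(outer[1])
    i_addr, i_wc = to_int(inner[0]), to_int(inner[1])
    care = ~o_wc & 0xFFFFFFFF
    return (i_wc & care) == 0 and (i_addr & care) == (o_addr & care)


def shadowed_entries(entries, acl_number: int):
    """Indexes (within this ACL) of statements fully covered by an earlier
    statement, which therefore never take effect regardless of their action."""
    own = [e for e in entries if e[0] == acl_number]
    return [j for j in range(len(own))
            if any(covers((own[i][2], own[i][3]), (own[j][2], own[j][3])) for i in range(j))]


# Constructed configuration excerpt for this example.
SAMPLE_ACL = """
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 2 deny host 172.16.5.5
access-list 2 permit any
""".strip().splitlines()

if __name__ == "__main__":
    entries = parse_standard_acl(SAMPLE_ACL)
    for acl, src in ((1, "171.69.2.88"), (1, "171.69.2.89"), (2, "172.16.5.5")):
        print("ACL %d, source %s: %s" % (acl, src, evaluate(entries, acl, src)))
    print("shadowed statements in ACL 2:", shadowed_entries(entries, 2))
```

In the sample, the "deny host 172.16.5.5" line is reported as shadowed and 172.16.5.5 is permitted: the wider permit above it matches first. Ordering the most specific statements first, and running a check like shadowed_entries before applying a list, catches this class of mistake before it reaches an interface.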

It is much easier to read a remark about the entry to understand its effect, as follows:
Router(config)#access-list 1 remark Permit only Jones workstation through
Router(config)#access-list 1 permit 171.69.2.88
The no form of this command is used to remove a standard ACL. The syntax is as follows:
Router(config)#no access-list access-list-number
The ip access-group command links an existing standard ACL to an interface:
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}
Figure 6.2.1

6.2.2-Extended access lists.
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. This gives greater flexibility to describe what the ACL will check. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses. An extended ACL can simultaneously allow e-mail traffic from Fa0/0 to specific S0/0 destinations and deny file transfers and Web browsing. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable. For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL. The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command. At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number. Logical operations may be specified, such as equal (eq), not equal (neq), greater than (gt), and less than (lt). The well-known port numbers for TCP/IP are shown in Figure 6.2.3. The extended ACL will perform these operations on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). In Cisco IOS Software Release 12.0.1, extended ACLs began using additional numbers (2000 to 2699) to provide a maximum of 799 possible extended ACLs. These additional numbers are referred to as expanded IP ACLs. The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per protocol, per direction is allowed. The format of the command is as follows:
Router(config-if)#ip access-group access-list-number {in | out}

Figure 6.2.2
Figure 6.2.3

6.2.3-Named access lists.
IP named ACLs were introduced in Cisco IOS Software Release 11.2. Named ACLs allow standard and extended ACLs to be given names instead of numbers. The following are advantages provided by a named access list:
*Alphanumeric names can be used to identify ACLs.
*The IOS does not limit the number of named ACLs that can be configured.
*Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. However, a named access list will only allow statements to be inserted at the end of the list. It is a good idea to use a text editor to create named ACLs.
Some notes:
1-Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
2-The same name may not be used for multiple ACLs. For example, it is not permissible to specify both a standard and an extended ACL named "Ali".
A named ACL is created with the ip access-list command. The syntax is as follows:
Router(config)#ip access-list {standard | extended} name
This places the user in ACL configuration mode. In ACL configuration mode, specify one or more conditions to be permitted or denied. This determines whether the packet is passed or dropped when the ACL statement matches.
Example:

The configuration below creates a standard ACL named Internetfilter and an extended ACL named Basrah_University. It also shows how the named access lists are applied to an interface:
interface ethernet0/5
 ip address 192.168.1.1 255.255.255.0
 ip access-group Internetfilter out
 ip access-group Basrah_University in
!
ip access-list standard Internetfilter
 permit 10.5.5.1
 deny any
!
ip access-list extended Basrah_University
 permit tcp any 172.30.10.0 0.0.0.255 eq telnet
 deny udp any any
 deny udp any 171.30.10.0 0.0.0.255 lt 1024
 deny ip any any log

6.3-Illustrative examples.
6.3.1-Creating a standard access list.
Description: Create access lists and configure them according to a given set of rules.
Instructions:
1. Create an IP access-list to permit traffic from address 192.168.10.5. Use 1 as the IP access-list number.
2. Create an access-list 2 that blocks only the single IP address 196.145.25.5.
3. Type the command used for permitting packets from any IP address. Use 2 as the access-list number.
R1>enable
R1#configure terminal
R1(config)#access-list 1 permit 192.168.10.5
R1(config)#access-list 2 deny 196.145.25.5
R1(config)#access-list 2 permit any

6.3.2-Applying an access list to an interface.
Description: Apply access-list 1 to interface Ethernet 0 on R1.
Instructions:
1. Enter global configuration mode.
2. Enter interface configuration mode; use the interface Ethernet 0.
3. Use the no shutdown command on the Ethernet 0 interface.
4. Assuming that access-list 1 is created, apply it to the interface Ethernet 0 as an inbound access-list.

5. Apply access-list 1 to interface Ethernet 0 as an outbound access-list.
R1>enable
R1#configure terminal
R1(config)#interface ethernet 0
R1(config-if)#no shutdown
R1(config-if)#ip access-group 1 in
R1(config-if)#ip access-group 1 out

6.3.3-View access list entries.
Description: Configure standard access-list 1 to permit IP address 192.168.10.5 and view the access-list entries by using the appropriate show command.
Instructions:
1. Enter global configuration mode.
2. Create an access-list that permits traffic from address 192.168.10.5. Use access-list number 1.
3. Exit from global configuration mode.
4. Use the show command to see the access-list.
R1>enable
R1#configure terminal
R1(config)#access-list 1 permit 192.168.10.5
R1(config)#exit
R1#show access-lists

6.3.4-Applying a standard access list to a network diagram.
Description: Configure standard access-lists according to a given set of conditions.
Instructions:
1. Hosts on R1 can communicate with hosts on R2 e0.
2. Hosts on R1 should not be able to communicate with hosts on R3 e0.
3. Hosts on R3 should not be able to communicate with hosts on R1 e0.
4. Host W32 on R3 can communicate only with other hosts on R3 e0.

R1>enable
R1#configure terminal
R1(config)#access-list 10 permit 10.1.1.0 0.0.0.255
R1(config)#access-list 10 deny any
R2>enable
R2#configure terminal
R2(config)#access-list 20 permit 10.1.1.0 0.0.0.255
R2(config)#access-list 20 deny any
R3>enable
R3#configure terminal
R3(config)#access-list 30 deny 10.1.1.0 0.0.0.255
R3(config)#access-list 30 deny host 10.1.1.3
R3(config)#access-list 30 deny any
(The interfaces and directions in which these lists are applied depend on the network diagram of the exercise, which is not reproduced here.)

6.4-Restricting virtual terminal access.
Standard and extended access lists apply to packets that travel through a router. They are not designed to block packets that originate within the router: by default, an outbound Telnet extended access list does not prevent router-initiated Telnet sessions. Just as there are physical ports or interfaces, such as Fa0/0 and S0/0 on the router, there are also virtual ports. These virtual ports are called vty lines. There are five vty lines, numbered 0 through 4, as shown in Figure 6.4.1. The Telnet protocol can be used to create a nonphysical vty connection to the router. For security purposes, users can be denied or permitted virtual terminal access to the router, or permitted access to the router but denied access to destinations beyond it. The purpose of restricted vty access is increased network security. There is only one type of vty access list.

16.0.48 - . *Identical restrictions should be set on all the virtual terminal lines.1.0. Figure 6. because a user can attempt to connect to any of them.1 Creating the standard list: Rt1(config)# access-list 2 permit 172.4. Identical restrictions should be placed on all vty lines since it is not possible to control the line on which a user will connect.0.255 Rt1(config)# access-list 2 deny any Applying the access list: Rt1(config)# line vty 0 4 Rt1(config-line)# login Rt1(config-line)# password secret Rt1(config-line)# access-class 2 in .255 Rt1(config)# access-list 2 permit 172. applying the ACL to a terminal line requires the access-class command instead of the access-group command. *Only numbered access lists can be applied to virtual lines.vty access list.16.0.0 0.The process to create the vty access list is the same as described for an interface. However.0 0. The following should be considered when configuring access lists on vty lines: *A name or number can be used to control access to an interface.2.


Appendix C: Hacking

The more important methods used to attack remote devices:
1-Telnet.
2-Cookies.
3-Trojan.

1-Telnet: It is an application layer protocol, one of the DoD model protocols. How to execute it? We can execute it in the same way as any DOS instruction: first open the command prompt, then type "telnet" followed by the destination IP, followed by the port number, e.g.
c:\> telnet 88.88.88.89 23
c:\>_
Once you have logged in to the Telnet service listening on that port, you are on the remote host and can operate it with DOS instructions.

2-Cookies: They are files sent by the visited site to your browser. They cannot be read by other sites, and they raise a privacy concern because they can be used to track you. Their intended duty is not tracking but helping sites present a nicer style without additional downloads and uploads; nevertheless, they also let the site's operators learn how many pages you visited and how long you spent on each. You may ask where and how these files work. When you visit a site, Basrah.com for example, the site checks whether your hard disk already contains Basrah's cookie files; if not, it sends a file to your hard disk. These files are used every time you visit Basrah.com. It is important to note that a stored cookie behaves in one of three ways, depending on its expiry date:
a-Current date 26/6/2007 and the file is stored with expiry 28/6/2007: the cookie will be deleted after two days.
b-Current date 26/6/2007 with expiry 20/6/2007: the file will not be stored on the hard disk at all.
c-Current date, and no expiry date is stored: the file is kept only in the browser's memory and is lost as soon as the browser is closed.
Notice that these dates are evaluated on the client side.
Example:
<?php
// setcookie() sends an HTTP header, so it must run before any output is written.
setcookie('site', 'http://www.Basrah.com/', time() + 3600);
?>
<html>
<head>
<title> ALI&AMMAR </title>
</head>
<body>
The cookie was set in the response headers, before this body was sent.
</body>
</html>
The position of this code must be before the <html> tag, not inside the body: once output has started the headers are already sent and the cookie cannot be set.

3-Trojan:
Some basics: Networking is not intended for just a physical connection; it exists so that applications can communicate with each other. But you must assume a high number of applications waiting to communicate with another high number of applications, and in this crowd each piece of data needs to be directed to the right one. Here the importance of opening channels appears; these channels are called "ports". Now, if computers A and B are connected and A sends data to B, which application on B will receive the data? The data will carry a unique port number, and the one application bound to that port will deal with it. If A sends data to B (0xffabac, for example), B will receive it and interpret this code according to a protocol to know what it must do. After all that, we know that there is no obstacle to computers communicating. Now tell me what will happen if computer B (the server) contains dangerous code and the program on computer A is handled by a bad person.