Guide to Cisco Router Configuration


Preface and Scope

This document is intended to instruct in the basics of Cisco router configuration and maintenance. It is by no means complete or authoritative. This document purposely omits many topics and assumes a foreknowledge of others. It is assumed that the reader has a preexisting knowledge of Internet protocols and an understanding of TCP/IP networking. Prior experience with Cisco router products will make this document easier to understand but is not required.

The commands and procedures detailed in this writing are consistent with Cisco's Internetwork Operating System (IOS) versions 11.0, 11.1, and 11.2. Cisco endeavors to maintain backwards compatibility in its software; however, there is no guarantee of such. Hence, the commands and procedures outlined herein should only be used as a guide when working with later releases of IOS. References within this writing to IOS documentation refer to the manual set for IOS version 11.0.


Description of Cisco Router Products

There are several varieties of cisco routers. The relevant router models are the 2500, 4000, 7000, and 7500 series. Physically, each is as follows:

The 2501 (which is about the only router out of the 2500 series we use) has a console port and an aux port in the form of rj45 type connectors. There is one 10 megabit ethernet AUI type connector, and two high density 60 pin serial connectors. The serial connectors are used for the WAN connections.

The 4000 is the next step up in Cisco's product line. It has a console port and an aux port in the form of two db25 connectors. There are slots for various interfaces; however, they are not presented in a card/slot format. Rather, each card adds interfaces to those already in existence, so it becomes possible to have, for example, interfaces Serial0 through Serial11 by using three cards.

One of the more recent generations of backbone routers is Cisco's 7000 series router. This router is quite large. It has room for a primary and a redundant power supply. In the backplane, there are 7 slots, used as follows. All the way on the right-hand side is a slot labeled for the Route Processor (which holds two db25 connectors for console and aux). It uses a Motorola 68040 processor and has internal slots for two flash modules and four 30-pin SIMMs. There is also a bank of pins for various jumpers. These control certain default settings that are read when the router is powered up. The factory default is almost ALWAYS correct and these jumpers should NOT be moved. To the left of this card is the Switch Processor. This card handles "fast switching" in this model of router; "fast switching" will be explained later in this document. Finally, there are slots labeled 0 through 4. These are for interface cards.

There is also an upgraded processor card for the 7000. The primary difference is that the processor is MIPS-based and the flash slots have been made external to accommodate a single removable PCMCIA flash module.

Finally, there is the 7500 series, Cisco's latest router model. The processor is MIPS-based and the backplane has been greatly enhanced. The 7505, which is our most common router, has a single power supply, a slot for the route/switch processor with two PCMCIA slots for flash cards (route and switch processors are one card here instead of two because of changes made in the way that fast switching is done), and interface slots labeled 0 through 3. The on-board memory is four 72-pin SIMM slots using parity RAM. The 7507 adds a redundant power supply, an additional interface slot, and room for a redundant processor card. The 7513 adds a blower for additional cooling, contains a route processor and a switch processor, and can hold up to 11 interface cards in addition to the processors.


Cisco Interface Cards

There are several cards for use with the cisco 4000, 7000, 7200, and 7500 series routers. The 2500 series are fixed configurations. This section only describes the cards used with 7000 and 7500 series routers.

The first is the Fast Serial Interface Processor (FSIP) card. The FSIP is available with 4 or 8 serial ports. These are used for synchronous data connections such as T1s which are used in Wide Area Networks (WANs).

Ethernet Interface Processor (EIP) cards contain 2, 4 or 6 AUI type connectors for 10 megabit ethernet and are used for connecting the router to the low speed Local Area Network (LAN).

Fast Ethernet Interface processor (FEIP) cards contain two rj45 type modular connectors used for 100baseT connections.

ATM Interface Processor (AIP) cards are used for Asynchronous Transfer Mode (ATM) connections. There are a couple of varieties of ATM cards. Most commonly used is a DS3 interface which has two BNC type coaxial connectors (one for transmit and one for receive). This interface operates at 45 Mbps. In our Phoenix POP, we have installed a SONET interface card which makes use of a fiber optic connection to a lightstream 100 (which is an ATM switch essentially). This connection operates at OC3c speeds (155 Mbps).

Fiber Distributed Data Interface (FDDI) Processors (FIP) are used for FDDI connections. These cards have two fiber optic connectors; one or the other may be connected, or both connectors may be used to create a fiber ring for redundancy. This interface operates at 90 Mbps.

High Speed Serial Interface (HSSI) Processors (HIP) are used for DS3 level connections. These cards have a single connector for one T3.

Channelized T3 Interface Processors (CIP) are used to connect a muxed T3 into a router. This card has two BNC connectors for the transmit and receive of the T3. It also has 3 db9 connectors for T1 output and one db9 for output to a test set. Using this card, it is possible to configure 28 full or fractional T1 circuits in one slot within the router. This is a significant advantage over the use of external CSUs and multiple FSIP cards, which occupy valuable rack and bus space, respectively. Built using the second generation Versatile Interface Processor design (VIP2), this card also supports distributed switching and can handle the same conventional load while using less of the router's primary processor. The outputs can be used to feed T1s to external devices or for connecting to a MIP card for channelized T1 processing.

Packet Over SONET Interface Processors (POSIP) are used to provide point-to-point connectivity between locations at the OC3 level. This interface operates at 155 Mbps, full duplex. It has one optical connection to receive an OC3 circuit.


Preparing for Configuration

There are several steps involved in commissioning a new router. The first is to determine the physical configuration. Although any interface card may be placed in any slot, thought should go into how cards are arranged. For example, if you intend to have a large group of routers with more or less identical types and quantities of cards, it is easier to place the cards in a "standard" order. This way, there is no searching to find which card is in which slot; it is simply assumed that a given card will be in a given slot. This leaves less to remember and can cut critical time off diagnosing network problems.

Initial configuration is done from the console. There are a few caveats which will be explained later. The console should be connected via a straight-through RS-232 interface using either a standard RS-232 cable or one of the appropriate adaptors provided with the 2501. (Note: the adaptors for the 2500 series routers are proprietary to Cisco and do NOT use standard pin-outs.) The connection operates at 9600 baud, 8 data bits, 1 stop bit and no parity. Boot the router and wait for the "press return to get started" prompt. When the router boots for the first time after being shipped from the manufacturer, you may enter the "setup" dialogue. In general, you don't want to use setup to initialize your router. You may exit out of it when prompted, or you can type C-^ (caret), which is the Cisco interrupt character, to break out of it.

You should end up at a "Router>" prompt. This is an unprivileged access mode known as "User EXEC Mode". There are several levels of access that can be configured within the router. This mode is privilege level 1. (You may use the "show privilege" command to find out what your current privilege level is.)

To enter a higher privilege mode, use "enable". The default privilege level is 15. If a password has been set, you will be prompted to enter it at this time. If no password has yet been set, you will not be prompted for a password, and instead immediately gain privileged access. Your prompt will now become "Router#".

At that point, you may prepare to enter configuration commands by typing "configure terminal". Your prompt will change to "Router(config)#". To exit configuration mode, type "exit" or C-z. Once you are done, you need to store your configuration changes in non-volatile memory. Type "write" from the privileged EXEC prompt (Router#). It will take a few moments to build the configuration file and store it in memory.

As mentioned above, there are a few things to watch for when configuring Cisco routers. Once logged into a router over a network connection, you cannot "enable" from that connection if no enable password has been set. One of the most important things to remember is that ALL changes are IMMEDIATE. If you attempt to restart an interface by shutting it down and then bringing it back up, and it is the interface you are connected through, you will never be able to bring that interface back up unless you come in via an alternate path (such as logging in on the console or dialing up to a POP) or power-cycle the router. Likewise, when configuring a packet filter, it is a good idea to remove the filter from the associated interface while updating it, if at all feasible. This saves you from filtering yourself out of the router and possibly causing a significant interruption of service for others. Also, for any given command, with only a few exceptions, placing "no" in front of the command has the effect of undoing that operation.


Configuring the Router

The Cisco Internetwork Operating System (IOS) is extremely flexible and powerful. Hence, there are many subtleties to configuring certain services and many things that the router can do that you will never use. For the full description of the options that can be used with each of these commands, refer to the router configuration guide and command reference. These documents are available in printed form and via the World Wide Web as http://www.cisco.com/univercd/data/doc/software.htm. (hint: This is a good bookmark to place in Netscape.) From there, you may select the appropriate version of IOS to find the section you are looking for.

Cisco interfaces are named according to interface type and interface number. The 7000, 7200, and 7500 series routers also add a slot number. All interfaces and slots are indexed at zero. The first ethernet port on a model 2501 router would be identified as Ethernet0. The fourth serial port on a 7000 with a serial card in slot 2 would be Serial2/3.

* For the remainder of this section, it is assumed that the reader has entered the terminal configuration mode within the router via "configure terminal" from the privileged EXEC prompt.


Configuring Access Lists and Network Security

Once the router's interfaces are configured, a moment should be taken to determine if any of these interfaces connect to "secure" networks. These networks can be those that connect corporate workstations with the rest of your network or perhaps the rest of the Internet. They could also be networks which house servers that provide specific services to the Internet community but which you would like to protect as much as possible. A good example of such a server is a WWW server or SMTP gateway. The general public needs to be able to view your web page and send you mail, but they do not need to be able to connect interactively to those servers. Other uses for access control could be in protecting parts of your corporate intranet from other parts of your company. For example, if you have a Research and Development department, it is unlikely that you'll be giving your sales staff access to details on top secret projects. Likewise, you don't want your Research and Development department making some clever modifications to your accounting servers.

The traditional way of protecting such servers is with access lists. Access lists filter Internet traffic and determine whether a packet is permitted to pass into or out of the network. Ideas about how access lists should be designed, where they should be placed, and how physical networks should be structured to allow proper filtering without overloading network links and the routers they connect vary considerably. Some corporations choose to invest in commercial "firewall" products while others implement minimal access controls, if any. Still others invest in the hardware necessary to service access lists at two levels: one router that blocks access to itself and to the interior router, and a second, the interior router, that blocks access to itself, is only accessible from inside or even only from its console, and provides the primary access list control. This interior router generally does nothing else besides filtering packets and sending them to its default router or a local host.

Which method you choose depends on your needed level of security, your budget, and the particular application for which the protection is needed. The decisions that lead to the various scenarios are beyond the scope of this document, however. This section intends to focus solely on access list design and implementation for the general case.

Cisco has created two different classes of access lists within its routers. The first, the standard access list, filters only on source address. If numbered access lists are being used (IOS 11.1 and earlier did not support named access lists), then these lists are numbered from 1 to 99. The second type, the extended access list, is numbered from 100 to 199 and is capable of filtering based on source address, destination address, protocol, protocol port number, and a myriad of other features not necessarily applicable to general IP traffic.

Once an access list is created, it must be tied to an interface in order to be used. The interface configuration considers a filter list to be an "access group". The access group can be applied either inbound or outbound with respect to the interface. For example:

 interface Serial0
  ip access-group 101 in
  ip access-group 10 out

This group of commands specifies that traffic coming into Serial0 must be processed through extended access list number 101 and that outbound traffic must pass through standard access list 10 before leaving the interface.

Standard access lists are configured by specifying a list number, whether a match on this entry will result in traffic being permitted or denied, the host or network being filtered and, if it is a network or subnet, the wildcard mask associated with it.

 access-list 10 permit 234.5.6.12
 access-list 10 deny 5.10.10.32 0.0.0.31
 access-list 10 permit 5.10.0.0 0.0.255.255
 access-list 10 permit 123.234.0.0 0.0.0.255

The above example creates access list 10 and configures four entries. The first line permits all traffic with a source IP address of 234.5.6.12. Note that when a single host IP address is listed, no mask needs to be associated with it. The second line denies all traffic from the subnet 5.10.10.32/27. One thing to observe about access lists is that instead of netmasks, they use what Cisco calls "wildcard masks." These masks function very similarly to netmasks with one important difference: a wildcard mask is the bit-wise inverse of a netmask. A 0 bit in the wildcard mask means the corresponding address bit must match the listed address, and a 1 bit means that address bit is ignored, so where a netmask's ones run from the left, a wildcard mask's ones run from the right. Therefore, when looking at the above configuration line, what the wildcard mask 0.0.0.31 matches is the 32 addresses that begin at 5.10.10.32. (Those 32 addresses are offsets 0 through 31 from 5.10.10.32, which is why the mask's last octet is 31 rather than 32.)

The remaining two lines permit traffic from 5.10.0.0/16 and 123.234.0.0/24 respectively. At first glance, a newcomer to access lists might think that the only thing being denied by this list is the second line and that the permit lines are unnecessary. Access lists, though, are designed to be selectively permissive, not to selectively deny traffic. As a result, an implicit deny exists at the end of every access list. (More properly, anything that does not explicitly match an entry in the access list is dropped.)

There are a couple of other important things to consider when creating access lists. First, order is extremely important. Since access lists function through "short circuit" processing (they bail out when a match is found), those entries that are most likely to match traffic should be listed first. IP access list processing is very processor intensive, and by listing frequent matches first, processor utilization is kept to a minimum. Note also lines 2 and 3 of the above example. They state, collectively, that all traffic from 5.10.0.0/16 is to be permitted EXCEPT for those hosts in 5.10.10.32/27. If line 2 (the deny statement) were listed AFTER line 3, then the denial would have no effect. The traffic would be permitted as a result of line 3 and those hosts you intended to block would be allowed access. When you create access lists, you should review them very carefully to be certain that no mis-ordering has occurred.

The second thing to watch for when creating access lists is the fact that changes to a Cisco router take effect immediately upon entry. It is a fact that most access lists are not the stagnant, unchanging creatures we would like them to be. From time to time, they will require modification. Modifying an access list means deleting the existing list and recreating it with the appropriate changes. When an interface is configured to reference an access list that does not exist, the traffic will, by default, be permitted through. However, when you create that access list, the implicit deny at the end can result in your configuration session being filtered out. As a matter of policy, it is good practice to remove the reference to the access list from the interface before modifying the access list (via "no ip access-group 123" or whatever access list you intend to reference).

Building extended access lists is somewhat more complicated and requires a few more steps. Since extended access lists filter based on both the source and destination IP address, two parts to each entry are needed. The following is a brief example of an extended access list for IP.

 access-list 101 permit tcp any any established
 access-list 101 permit tcp any host 204.34.5.25 eq 80
 access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
 access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
 access-list 101 permit tcp any host 204.34.5.10 eq smtp

This access list allows all TCP packets that match "established", allows any host to reach 204.34.5.25 on TCP port 80 (the http port), allows all IP protocols from 203.45.34.0/24 to reach any host within the 204.34.5.0 class C, allows all hosts within 203.44.32.0/27 to telnet into any host on 204.34.5.0, and allows all hosts to connect to the smtp port on host 204.34.5.10.

A few notes about this access list. The first line is important. It permits all TCP segments that match "established", that is, segments with the ACK or RST bit set, which is every segment of a TCP connection except the initial SYN. This means two things. First, the return traffic of all outbound connections will be able to pass back through the access list. This is important: since outbound TCP connections come from random ports above 1024, it is not possible to filter explicitly for that return traffic, and the established keyword takes care of it. Second, an inbound TCP connection only needs its first packet (the SYN) to pass beyond this point in the access list. Once the connection has been opened, the remaining traffic will match established and will not have to pass through the rest of the access list. Note that established is a check on the header bits of each packet, not a record of open connections; the router keeps no connection state.

The second line also demonstrates that when a single source or destination host is used, the keyword "host" placed before the address replaces the address/wildcard-mask pair. It also gives an example of filtering based on a destination port. The third line matches all IP protocols (TCP, UDP, ICMP, etc.: everything that gets encapsulated in an IP packet). The source and destination network number and wildcard mask pairs function the same as in standard access lists. The fourth line shows that, for well known services, the port number can be replaced with the name of the service.

There is one last important thing to consider when creating access lists. Many services depend on other services in order to function. For example, you can't just permit telnet connections without permitting DNS packets through as well. You often won't be able to telnet out unless the telnet server's ident requests can come back into your network. If you wish to synchronize the clocks on your computer systems to other systems, you likely need to permit NTP packets (both TCP and UDP) to pass through. For this reason, careful consideration is needed when creating access lists. It is all too easy to overlook one or two key services when creating lists. As network administrators gain experience with access controls, these omissions become rarer, but they still occur with annoying frequency. Access lists should be tested thoroughly once they are in place, both to be certain that necessary traffic is permitted through the list and to be certain that unwanted traffic is not.
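As an added worked example (not code from this guide or from Cisco), the following Python models the access list semantics described above for both the standard list 10 and the extended list 101: wildcard mask matching, first-match processing ending in the implicit deny, the "host" and "any" shorthands, "eq" port matching by number or well-known name, and the "established" keyword. It parses the guide's own access-list lines (with the syntax corrected) and evaluates constructed sample packets against them. The Packet and Entry classes, the PORT_NAMES table and the probe addresses are this example's own assumptions, not IOS data structures.

```python
"""Evaluate Cisco-style numbered IP access lists as the guide describes them.

Added worked example, not code from the guide or from Cisco. Models wildcard
masks (0 bit = must match, 1 bit = ignored), first-match processing, the
implicit deny, the "host"/"any" shorthands, "eq" port matching and the
"established" keyword (TCP segments carrying the ACK or RST bit).
"""
from dataclasses import dataclass, field
import ipaddress

PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # assumed subset

def wildcard_match(addr, base, wildcard):
    """True when addr equals base in every bit where the wildcard mask has a 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: int = None
    flags: set = field(default_factory=set)  # TCP flag names, e.g. {"SYN"}

@dataclass
class Entry:
    action: str
    proto: str = None  # None for a standard list (source address only)
    src: tuple = ("0.0.0.0", "255.255.255.255")
    dst: tuple = ("0.0.0.0", "255.255.255.255")
    dport: int = None
    established: bool = False

    def matches(self, pkt):
        if not wildcard_match(pkt.src, *self.src):
            return False
        if self.proto is None:  # standard list: nothing else to check
            return True
        # "established" is a stateless header-bit check, not connection tracking
        est_ok = not self.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"}))
        return (self.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.dst, *self.dst)
                and (self.dport is None or pkt.dport == self.dport)
                and est_ok)

def _parse_addr(t, i):
    """Parse 'any', 'host A', 'A WILDCARD' or a bare 'A' (single host) at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():  # a wildcard mask follows
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line (standard 1-99, extended 100-199)."""
    t = line.split()
    assert t[0] == "access-list" and t[2] in ("permit", "deny"), line
    e = Entry(action=t[2])
    if int(t[1]) <= 99:  # standard: SRC [WILDCARD]
        e.src, _ = _parse_addr(t, 3)
        return e
    e.proto = t[3]  # extended: PROTO SRC DST [eq PORT] [established]
    e.src, i = _parse_addr(t, 4)
    e.dst, i = _parse_addr(t, i)
    while i < len(t):
        if t[i] == "eq":
            e.dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "established":
            e.established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return e

def evaluate(entries, pkt):
    """First match wins; a packet matching no entry hits the implicit deny (index None)."""
    for idx, e in enumerate(entries):
        if e.matches(pkt):
            return e.action, idx
    return "deny", None

# The guide's two lists (syntax corrected); probe packets in the tests are constructed.
STANDARD_10 = [parse_entry(l) for l in """
access-list 10 permit 234.5.6.12
access-list 10 deny 5.10.10.32 0.0.0.31
access-list 10 permit 5.10.0.0 0.0.255.255
access-list 10 permit 123.234.0.0 0.0.0.255
""".strip().splitlines()]

EXTENDED_101 = [parse_entry(l) for l in """
access-list 101 permit tcp any any established
access-list 101 permit tcp any host 204.34.5.25 eq 80
access-list 101 permit ip 203.45.34.0 0.0.0.255 204.34.5.0 0.0.0.255
access-list 101 permit tcp 203.44.32.0 0.0.0.31 204.34.5.0 0.0.0.255 eq telnet
access-list 101 permit tcp any host 204.34.5.10 eq smtp
""".strip().splitlines()]
```

Calling evaluate(STANDARD_10, Packet("5.10.10.40", "1.1.1.1")) returns ("deny", 1), while evaluating the same packet against a copy of the list with lines 2 and 3 swapped returns a permit from the /16 entry, which is the mis-ordering pitfall described above; a source that matches nothing, such as 9.9.9.9, returns ("deny", None) for the implicit deny. Against list 101, a SYN from an outside host to 204.34.5.25 port 22 falls through to the implicit deny, but a packet to the same port with the ACK bit set matches line 1, which shows concretely why established is a per-packet header check rather than connection tracking.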


Configuring Routing Protocols

Routing protocols serve one function: To let nearby routers know how to get to them and the networks they serve. There are two basic types of routing protocols: distance vector protocols and link state protocols.

The simplest protocols are perhaps those that classify as Distance Vector protocols. They base their routing decisions on the number of intermediate routers along a given path. This has the advantage of taking very few resources but has the disadvantages of not considering bandwidth or the load of the available link. They also suffer limitations when long distances are present. The path may be valid but because of the high metric, the routers decide that the remote host or network is unreachable. In addition, these types of protocols usually broadcast their entire routing tables at preset intervals. This can take quite a bit of time and consume considerable bandwidth. Protocols that fall under this classification are RIP, IGRP, and BGP.

Link State protocols function by maintaining a database of advertisements they have received from other routers called the link state database. This means that each router is wholly responsible for determining the best path to a given location from its point of view and already has an idea of an alternate path, if any, should the first path become unavailable.