Configuring The Router From The Console Port
Once you have the correct cable connected from your PC to the Cisco router or switch, you can
start HyperTerminal to create a console connection and configure the device. Set the
configuration as follows:
1. Open HyperTerminal and enter a name for the connection. It is irrelevant what you name it,
but I always use ttc. Then click OK.
2. Choose the communications port—either COM1 or COM2, whichever is open on your PC.
3. Now set the port settings. The default values (2400 bps and hardware flow control) will not
work; you must change the port settings so that the bit rate is 9600 and the flow control is None. At
this point, you can click OK and press the Enter key, and you should be connected to your Cisco device
console port.
When the router is powered on, it goes through the following boot sequence:
1. The router performs a POST. The POST tests the hardware to verify that all components of
the device are present and operational. For example, the POST checks for the different
interfaces on the router. The POST is stored in and run from ROM (read-only memory).
2. The bootstrap then looks for and loads the Cisco IOS software. The bootstrap is a program in
ROM that is used to execute programs. The bootstrap program is responsible for finding where
each IOS program is located and then loading the file. By default, the IOS software is loaded
from flash memory in all Cisco routers.
3. The IOS software looks for a valid configuration file stored in NVRAM. This file is called
startup-config and is only there if an administrator copies the running-config file into NVRAM.
(Cisco’s new Integrated Services Router (ISR) has a small startup-config file preloaded.)
4. If a startup-config file is in NVRAM, the router will copy this file and place it in RAM and call
the file running-config. The router will use this file to run the router. The router should now be
operational. If a startup-config file is not in NVRAM, the router will broadcast out any interface
that detects carrier detect (CD) for a TFTP host looking for a configuration, and when that fails
(typically it will fail—most people won’t even realize the router has attempted this process), it
will start the setup mode configuration process.
The Command Line Interface (CLI)
To use the CLI, press ENTER after the router finishes booting up. It displays a prompt:
Router> (This is called User mode. It is mostly used to view statistics, but it is also a stepping
stone to logging in to privileged mode. Just type enable and it takes you to
privileged mode.)
Router> enable
Router# (This is called Privileged mode. You can view or troubleshoot configurations done on
the router from this mode, and from here we can move on to global configuration
mode, where any configuration on the router can be done. Just type configure terminal
(or config t for short) and it takes you to global configuration mode.)
Router# config t
Router(config)# (This is called Global Configuration mode. Any configuration can be carried out
from this mode.)
Router(config)#banner motd $[enter a message]$ - Used to create a banner that is displayed before you
log in to user mode. Just type anything that you
want to display in between the $ signs.
Configuring Interfaces
There are two major types of interfaces seen on a router, which are the Serial interfaces and the
Ethernet interfaces (sometimes it can be Fast Ethernet interfaces).
The serial interface is used for connecting a router to another router. Most Cisco routers come with two
serial interfaces. The names of the serial ports may be serial 0/0 (s0/0) and serial 0/1 (s0/1) or
just serial 0 (s0) and serial 1 (s1), depending on the names printed on the router itself.
The Ethernet interface is used in connecting a router to a switch or even a host. Sometimes it
may be just an Ethernet interface called Ethernet 0 (e0) or Ethernet 0/0 (e0/0) or a Fast
Ethernet interface called Fast Ethernet 0 (f0) or Fast Ethernet 0/0 (f0/0).
Each of these interfaces acts as the gateway to a particular network, so it has to be configured
with an IP address that belongs to the network connected to it. By default, every interface on the
router is shut down (i.e. no traffic is allowed through it), so we have to issue the command
“no shutdown” to bring the interface up.
- Configuring an Interface
Router(config)#interface [interface name] - Used to configure the interface chosen
Router(config-if)#ip address [ip address and subnet] - Assigning an IP address to the interface
Router(config-if)#clock rate [enter rate] - Used only with Serial interfaces (DCE)
Router(config-if)#no shutdown - Used to bring up the interface
Router(config-if)#exit - Used to exit the interface configuration mode
E.g.
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.30.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Now physically, when connecting a Cisco router to another Cisco router, we will be using a
particular cable. One end of this cable is labelled DCE (Data Communication Equipment) and the
other end is labelled DTE (Data Terminal Equipment). When connecting the serial interfaces of the
two routers with this cable, note which interface the DCE end of the cable is plugged into. You
will have to set the clock rate on that interface of that router so that it provides clocking to the
other router. An example is -
Router(config)#interface s0/0
Router(config-if)#ip address 192.168.50.1 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
Router(config-if)#exit
We are building a beauty but this is just the beginning (ha ha). Notice how great this looks, but a
router on its own can only let the networks directly connected to it communicate with each other.
So how do we make the networks on this router communicate with networks that are not directly
connected to it? That’s a big question, which leads us to the next topic.
IP Routing
IP routing is simply sending a packet along a particular route to a remote network. There
are two kinds of protocol involved:
Routing Protocol: This is what routers use to learn about routes to a remote network.
Routed Protocol: This is what routers use to send packets along a route already learnt by
a router.
Since we are after learning the routes to a remote network so that we can communicate with the
remote network, we have to know more about Routing Protocols.
E.g. if a router wants to learn about a network 192.168.30.0 connected to another router, it can
be configured like this:
(RIP)
Router(config)#router rip
Router(config-router)#network [network address]
Router(config-router)#version 2 - Used for VLSM/CIDR (optional)
(IGRP)
Router(config)#router igrp [AS no.]
Router(config-router)#network [network address]
(EIGRP)
Router(config)#router eigrp [AS no.]
Router(config-router)#network [network address]
(OSPF)
Router(config)#router ospf [PROCESS ID]
Router(config-router)#network [network address] [wildcard mask] area [no.]
--------------------
So with any of these routing commands, we can learn about any remote network and at the end,
all the networks can communicate with each other.
Finally, we can move on, at least everything is in order now, whew! What else?
E.g.
So let us choose the interface that will be the default gateway to our network and assign it the
same IP address that we used as the default-router IP address.
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.30.1 255.255.255.0
Router(config-if)#no shutdown
Explanation:
The first line creates a DHCP pool called wuse.
The second line assigns a network address to the pool you created.
The third line chooses an IP address to become the default gateway to the network.
The fourth line exits the DHCP configuration mode.
--------------------
By now all networks should be able to communicate with each other no matter how many
networks we have in the internetwork.
OK, let’s give this configuration a break, at least we can now configure the router to an extent.
Let’s look at something very important, Password Recovery.
Recovering Password
If you are locked out of a router because you forgot the password, you can change the
configuration register to help you get back on your feet.
Now before we jump into that, we need to understand something called configuration register.
Configuration registers are used to tell the router what to do when booting. By default, the
configuration register of a Cisco device is 0x2102 which tells the router to load the Cisco IOS
from flash memory, look for and load the valid configuration file (startup-config) from NVRAM.
Since all the configurations (even the passwords) we’ve made are saved in the startup-config file,
all we need to do is make the router ignore the NVRAM contents when it boots so that it will not
load the startup-config file. To do this, we have to change the configuration register setting.
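As an added example (not part of the original notes), here is a Python helper a network administrator could use to decode a configuration register value and to check, after a password recovery, that the register has been put back to 0x2102. The "show version" line format it parses is an assumption, and the sample line is constructed.

```python
import re
from typing import Dict, List, Optional

DEFAULT_CONFREG = 0x2102  # the default the notes describe
IGNORE_NVRAM = 0x0040     # bit 6: boot without loading startup-config from NVRAM
BREAK_DISABLED = 0x0100   # bit 8: console Break is ignored once IOS is running

def decode_confreg(value: int) -> Dict[str, object]:
    """Split a register value into the fields relevant to the boot sequence."""
    boot_field = value & 0x000F           # bits 0-3
    if boot_field == 0x0:
        boot = "stay in ROM monitor"
    elif boot_field == 0x1:
        boot = "boot the helper image from ROM"
    else:
        boot = "boot IOS from flash"
    return {"boot": boot,
            "ignore_nvram": bool(value & IGNORE_NVRAM),
            "break_disabled": bool(value & BREAK_DISABLED)}

def parse_show_version(output: str) -> Optional[int]:
    """Find the register in 'show version' text. Assumed format:
    'Configuration register is 0x2102', optionally followed by
    '(will be 0x2142 at next reload)'; a pending value takes precedence."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", output)
    if not m:
        return None
    return int(m.group(2) or m.group(1), 16)

def audit(output: str) -> List[str]:
    """Report anything that still differs from 0x2102, in particular a
    lingering 0x2142 that would make the next reload skip startup-config."""
    value = parse_show_version(output)
    if value is None:
        return ["no configuration register found in output"]
    fields = decode_confreg(value)
    findings = []
    if fields["ignore_nvram"]:
        findings.append("startup-config in NVRAM will be ignored at next boot")
    if fields["boot"] != "boot IOS from flash":
        findings.append(f"router will not boot IOS from flash: {fields['boot']}")
    if value != DEFAULT_CONFREG:
        findings.append(f"register 0x{value:04x} differs from default 0x{DEFAULT_CONFREG:04x}")
    return findings

# Constructed sample line, not a capture from a real device.
SAMPLE = "Configuration register is 0x2102 (will be 0x2142 at next reload)"
```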
Well, that’s it, here are the main steps to password recovery:
1. Boot the router and interrupt the boot sequence by performing a break (simply press
“Ctrl + Break” on your keyboard), which will take the router into ROM monitor mode.
2. Change the configuration register (type “confreg 0x2142” then hit enter).
4. After the router finishes booting, enter privileged mode. Notice that you are not
asked for any passwords.
5. Copy the startup-config file to running-config (type “copy start run”). This restores all
the settings that you had previously made on the router, but by now you have already
bypassed all the passwords.
7. Reset the configuration register to the default setting. In global configuration
mode, simply type “config-register 0x2102” then hit enter.
8. Save the router configuration. In privileged mode, type “copy run start”. This now
saves all the changes you have made on the router.
One of the most common and easiest to understand uses of access lists is filtering unwanted
packets when implementing security policies. For example, you can set them up to make very
specific decisions about regulating traffic patterns so that they’ll allow only certain hosts to
access web resources on the Internet while restricting others. With the right combination of
access lists, network managers arm themselves with the power to enforce nearly any security
policy they can invent.
Standard access lists: These use only the source IP address in an IP packet as the condition test.
All decisions are made based on the source IP address. This means that standard access lists
basically permit or deny an entire suite of protocols. They don’t distinguish among any of the
many types of IP traffic such as web, Telnet, UDP, and so on. Standard access lists use
numbers from 1 – 99.
Extended access lists: Extended access lists can evaluate many of the other fields in the layer
3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses,
the protocol field in the Network layer header, and the port number in the Transport layer
header. This gives extended access lists the ability to make much more granular decisions when
controlling traffic. Extended access lists use numbers from 100 – 199.
Wildcard Mask
Wildcards are used with access lists to specify an individual host, a network, or a certain range
of a network or networks.
Wildcards are used with the host or network address to tell the router a range of available
addresses to filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, it means that
octet in the address must match exactly. To specify that an octet can be any value, the value of
255 is used. As an example, here’s how a /24 subnet is specified with a wildcard:
172.16.30.0 0.0.0.255
This tells the router to match up the first three octets exactly, but the fourth octet can be any
value.
Applying Access List
What we have done so far is only to create the access list. To make it filter packets, it has to be
applied to an interface. Before we apply it, there are some things we need to know:
Inbound Access List: When an access list is applied to inbound packets on an interface, those
packets are processed through the access list before being routed to the outbound interface. Any
packets that are denied won’t be routed because they’re discarded before the routing process is
invoked.
Outbound Access List: When an access list is applied to outbound packets on an interface,
those packets are routed to the outbound interface and then processed through the access list
before being queued.
That’s all there is to configuring an access list. We can view all the access lists that we have
created by typing
Router#show access-list
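As an added example (not from the original notes), here is a small Python model of how a router evaluates these lists: wildcard matching, the standard versus extended distinction, the implicit deny at the end of every list, and the inbound-before-routing versus outbound-after-routing order described above. The sample lists, interface names and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly, a 1 bit is 'don't care':
    0.0.0.0 names one host, 0.0.0.255 a /24, as in the examples above."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:                          # one line of an access list
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                 # extended lists only: ip, tcp, udp, icmp
    dst: str = "0.0.0.0"              # dst/dst_wc default means "any"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # extended lists only: "eq <port>"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def evaluate(number: int, entries: List[Entry], pkt: Packet) -> str:
    standard = 1 <= number <= 99      # 1-99 standard, 100-199 extended
    for e in entries:                 # first matching line wins
        ok = wildcard_match(pkt.src, e.src, e.src_wc)
        if ok and not standard:       # extended: also test protocol, destination, port
            ok = (e.proto in ("ip", pkt.proto)
                  and wildcard_match(pkt.dst, e.dst, e.dst_wc)
                  and e.dport in (None, pkt.dport))
        if ok:
            return e.action
    return "deny"                     # implicit deny at the end of every list

def forward(pkt: Packet, in_if: str, out_if: str,
            applied: Dict[Tuple[str, str], Tuple[int, List[Entry]]]) -> str:
    """applied maps (interface, "in"|"out") to (list number, entries).
    An inbound list is checked before routing, an outbound list after it."""
    for stage, key in (("before routing", (in_if, "in")), ("after routing", (out_if, "out"))):
        if key in applied and evaluate(*applied[key], pkt) == "deny":
            return "dropped " + stage
    return "forwarded"

# Constructed sample: list 10 is the /24 wildcard example above; list 110 lets
# the 192.168.5.0 LAN reach only web servers (tcp port 80), everything else is denied.
ACL_10 = [Entry("permit", "172.16.30.0", "0.0.0.255")]
ACL_110 = [Entry("permit", "192.168.5.0", "0.0.0.255", proto="tcp", dport=80)]
APPLIED = {("f0/0", "in"): (110, ACL_110), ("s0/0", "out"): (10, ACL_10)}
```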
Static NAT: This type of NAT is designed to allow one-to-one mapping between local and global
addresses. Keep in mind that the static version requires you to have one real Internet IP address
for every host on your network.
Dynamic NAT: This version gives you the ability to map an unregistered IP address to a
registered IP address from out of a pool of registered IP addresses. You don’t have to statically
configure your router to map an inside to an outside address as you would using static NAT, but
you do have to have enough real, bona fide IP addresses for everyone who’s going to be sending
packets to and receiving them from the Internet.
Overloading: This is the most popular type of NAT configuration. Understand that overloading
really is a form of dynamic NAT that maps multiple unregistered IP addresses to a single
registered IP address—many-to-one—by using different ports. By using PAT (NAT Overload), you
get to have thousands of users connect to the Internet using only one real global IP address.
Configuring NAT
- Static NAT
Router(config)#ip nat inside source static [host address] [internet address]
E.g.
This is just saying that host 192.168.5.2 should connect to the internet with the IP address
217.10.10.2
- Dynamic NAT
Router(config)#ip nat pool [name for the pool] [first internet address] [last internet address]
netmask [subnet mask]
Router(config)#access-list [SAL no.] permit [source network address] [wildcard mask]
Router(config)#ip nat inside source list [same SAL no.] pool [same pool name created]
E.g.
1st Line - We created a pool of IP addresses 217.10.10.2 to 217.10.10.254 and we named it ttc
2nd Line - We created a standard access list, permitting hosts in the 192.168.5.0 network
3rd Line - We applied the standard access list to the pool of IP addresses we created
- Overloading NAT
Router(config)#ip nat pool [name for the pool] [internet address] [same internet address]
netmask [subnet mask]
Router(config)#access-list [SAL no.] permit [source network address] [wildcard mask]
Router(config)#ip nat inside source list [same SAL no.] pool [same pool name created] overload
E.g.
1st Line - We created a pool of IP addresses 217.10.10.1 to 217.10.10.1 and we named it ttc,
but in this pool we are using just one IP address since it is overloading
2nd Line - We created a standard access list, permitting hosts in the 192.168.10.0 network
3rd Line - We applied the standard access list to the pool we created, specifying
that it is an overloading NAT
- Configuring Interfaces for NAT
After creating the NAT, we have to apply it to the interfaces. The commands are as follows:
E.g.
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.5.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#interface s0/0
Router(config-if)#ip address 217.10.10.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Mostly, the gateway to your LAN is the inside interface (in this case, we are talking about interface
f0/0) while the gateway to your WAN is the outside interface (which is s0/0 here).
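As an added example (not from the original notes), here is a Python model of the three NAT forms configured above, using the addresses from the notes: a static one-to-one mapping, a dynamic pool that can run out, and overloading that shares one address by rewriting ports. The class, the port counter and the simplified access-list check are constructed; a real PAT table keys on the full connection tuple.

```python
import ipaddress
from typing import Dict, Optional, Tuple

class InsideSourceNat:
    """Models 'ip nat inside source' in the three forms described above. The
    standard access list is reduced to a membership test on the inside network."""

    def __init__(self, inside_net: str, pool_first: str, pool_last: str,
                 overload: bool = False):
        self.inside_net = ipaddress.ip_network(inside_net)
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (pool_first, pool_last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.overload = overload
        self.static: Dict[str, str] = {}                        # inside -> global
        self.dynamic: Dict[str, str] = {}                       # inside -> global (from pool)
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (inside, port) -> (global, port)
        self.next_port = 1024                                   # constructed PAT port counter

    def add_static(self, inside: str, global_addr: str) -> None:
        """'ip nat inside source static <inside> <global>'."""
        self.static[inside] = global_addr

    def translate(self, src: str, sport: int) -> Optional[Tuple[str, int]]:
        """Return the (global address, port) a packet leaves with, or None when
        no translation exists (not permitted by the list, or pool exhausted)."""
        if src in self.static:                     # one-to-one, fixed
            return (self.static[src], sport)
        if ipaddress.ip_address(src) not in self.inside_net:
            return None                            # access list does not permit it
        if self.overload:                          # many-to-one: one address, many ports
            key = (src, sport)                     # real PAT keys on the full 5-tuple
            if key not in self.pat:
                self.pat[key] = (self.free[0], self.next_port)
                self.next_port += 1
            return self.pat[key]
        if src not in self.dynamic:                # one-to-one from the pool, first come first served
            if not self.free:
                return None                        # pool exhausted: nothing left to hand out
            self.dynamic[src] = self.free.pop(0)
        return (self.dynamic[src], sport)

# Constructed samples using the addresses from the notes.
STATIC = InsideSourceNat("192.168.5.0/24", "217.10.10.3", "217.10.10.254")
STATIC.add_static("192.168.5.2", "217.10.10.2")
OVERLOAD = InsideSourceNat("192.168.10.0/24", "217.10.10.1", "217.10.10.1", overload=True)
```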
So, does this mean we no longer need routers? It really depends on what you want or what your
needs are. By default, hosts in a specific VLAN cannot communicate with hosts that are
members of another VLAN, so if you want inter-VLAN communication, the answer is that you still
need a router.
E.g.
Switch(config)#vlan 2
Switch(config-vlan)#name customer
Switchport Links
There are two different types of links in a switched environment.
Access Ports: An access port belongs to and carries the traffic of only one VLAN. It is also the
port type used when assigning a VLAN to a port.
Trunk Ports: A trunk port carries the information of multiple VLANs. It is mostly used on a port
that connects a switch to other switches or a switch to a router.
- Assigning VLAN to an Interface
Switch(config)#interface [interface name]
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan [vlan no.]
That’s where VTP comes in. VTP is used to manage all configured VLANs across a switched
internetwork and to maintain consistency throughout that network. VTP sends VLAN
information to all switches by means of a VTP mode and a VTP domain.
First of all, the switch that you want to send out the VLAN information must be in VTP server
mode, and you create a domain for it. The server can create, add or delete VLANs. Then the
other switches should be in client mode and in the same domain as the server so that
they can pick up the VLAN information from the server. A client cannot create, add or delete
VLANs. There is also transparent mode, which does not take part in VTP synchronization; it only
forwards the VLAN information to other switches.
To support 802.1Q routing on a Fast Ethernet interface, the router’s interface is divided into
logical interfaces—one for each VLAN. These are called subinterfaces. On a Fast Ethernet interface, you
set the subinterface to trunk with the encapsulation command (the encapsulation must be set
before the subinterface will accept an IP address):
Router(config)#interface f0/0
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q [vlan no.]
Router(config-subif)#ip address [ip address] [subnet mask]
First of all, we select the interface on the router that the switch is plugged into and issue the
no shutdown command to bring it up. Then we create a subinterface on that interface, set its
encapsulation to a particular VLAN and give it an IP address, so that it becomes that VLAN’s gateway.