
Chapter 3 - Configuring Cisco Routers

Cisco TCP/IP Routing Professional Reference
Chris Lewis
  Copyright © 1999 The McGraw-Hill Companies, Inc.

Sources for Configuring a Router
A router can be configured from three sources:
  Manually, using a terminal connected to the console port (or logged in over a network via a Telnet session).
  Through commands stored in nonvolatile memory.
  Through commands stored in a file residing on a TFTP server somewhere on the network.
A summary of these commands is given in Table 3.1.
Configuring a Router Manually
When a router is configured manually, we can use the Cisco Setup utility, provided that the router does not have a configuration file already in existence. Alternatively, we can change an existing configuration using the configure terminal command.
Configuring a Router Using Setup.     This first example of configuring a router assumes that you are attaching a terminal to your router and configuring it for the first time.
Table 3.1: Configure Commands

configure terminal
    Executes configuration commands from the terminal. Use this command to make changes to the configuration file from the console port or a Telnet session. Once changes are entered, press <Ctrl-Z> to end the update mode session. Note that the shortest unique command identifier may be used; in this case, configuration mode can be invoked by entering conf t.
configure memory
    Executes configuration commands stored in NVRAM.
configure network
    Retrieves configuration commands stored on a network server and loads that configuration into memory. You will be prompted for the IP address of the TFTP server to connect to, as well as the configuration filename.
When you connect a router to a terminal and power it up for the first time, the text displayed will be similar to that shown in Fig. 3-1. If this is a new router that has not been configured, there will be no configuration in memory and the router will go into the initial configuration dialog. If you wish to return a configured router to this state, type in write erase when in privileged user mode to erase the configuration in memory. In Fig. 3-1, the text in bold is that which was entered.
We will now explain all the entries and modify this to be a working configuration.
Deciphering the Initial Configuration File.     A router configuration file is plain ASCII text. This text file is read at boot time and put into effect as a working configuration by the router operating system, the IOS. By entering router configuration mode, commands can be entered that will add, modify, or delete configuration options while the router is running. Router configuration files can be saved as plain text on a TFTP server, modified by a full-screen text editor, and reloaded via TFTP.
Having completed the exercise for giving our new router a random configuration, let's take a more detailed look at what this configuration file means.
The first entry, hostname Router1, defines the text the router will use as a prompt; this router will generate a prompt Router1>.
The enable secret entry indicates that a secret password has been supplied to get into Enable mode. The password is stored as a one-way hash rather than in clear text (the 5 after enable secret denotes the hash format), so it cannot be read from the configuration file.
The enable password enter tells us that the password "enter" can be used to get into Enable mode. On later versions of Cisco IOS, configuring both an enable secret and an enable password means that only the enable secret will allow you into Enable mode. Earlier versions of IOS did not recognize an enable secret and would allow entry to Enable mode with the enable password only.
Notice: NVRAM invalid, possibly due to write erase.
--- System Configuration Dialog ---
At any point you may enter a question mark ? for help.
Refer to the Getting Started Guide for additional help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets [ ].
Would you like to enter the initial configuration dialog? [yes]:y
First, would you like to see the current interface summary? [yes]:y
Any interface listed with OK? value "NO" does not have a valid configuration
IP-Address   OK?   Method    Status   Protocol
unassigned   NO    not set   up       down
unassigned   NO    not set   down     down
unassigned   NO    not set   down     down
Configuring global parameters
Enter host name [Router]: router1
The enable secret is a one-way cryptographic secret used instead of the enable password when it exists.
Enter enable secret: test
The enable password is used when there is no enable secret and when using older software and some boot images.
Enter enable password: enter
Enter virtual terminal password: access
Configure SNMP Network Management? [yes]: n
Configure IP? [yes]: n
Configure IGRP routing? [yes]: n
Configure RIP routing? [no]: n
Configuring interface parameters:
Configuring interface Ethernet0:
Is this interface in use? [yes]: y
Configure IP for this interface? [yes]: y
Configure IP Unnumbered on this interface? [no]: n
IP address for this interface: 123.45.45.45
Number of bits in subnet field [0]: 0
Class A network is 123.0.0.0, 0 subnet bits; mask is 255.0.0.0
Configuring interface Serial0:
Is this interface in use? [yes]: y
Configure IP on this interface? [yes]: y
IP address for this interface: 122.22.22.22
Number of bits in subnet field [0]: 0
Class A network is 122.0.0.0, 0 subnet bits; mask is 255.0.0.0
Configuring interface Serial1:
Is this interface in use? [yes]: n
The following configuration command script was created:
hostname router1
enable secret 5 $1$UtL7$KqpczYUWglg4pnWYbNYD0.
enable password enter
line vty 0 4
password access
no snmp-server
!
ip routing
!
interface Ethernet0
ip address 123.45.45.45 255.0.0.0
!
interface Serial0
ip address 122.22.22.22 255.0.0.0
!
interface Serial1
shutdown
no ip address
!
end
Building configuration…yes/no]: y
Use the enabled mode "configure" command to modify this configuration.
Figure 3-1: The Cisco setup utility
The next entries that require explanation are those that refer to router access via virtual terminals (Telnet access). These entries are shown as follows:
line vty 0 4
password access
The first line defines five allowable Telnet accesses (numbered 0 through 4), and the next line states that a password "access" will be required before a command prompt is presented to any Telnet session requesting access to the system.
The next configuration command, no snmp-server, disables the Simple Network Management Protocol process on the router. SNMP is an application-level protocol that runs atop UDP, and will be covered in more detail in Chap. 7. Unless you are implementing a secure SNMP system, it is recommended that you disable SNMP on the router. If you enable the default SNMP process on a Cisco router, any intruder who knows SNMP will be able to retrieve the router configuration and enable password. The intruder then could cause serious disruption to your network, from which you might not be able to recover without physically replacing all the routers in the network.
The ip routing entry simply enables IP routing on the router. The next set of entries shown configures the Ethernet 0 port.
interface ethernet0
ip address 123.45.45.45 255.0.0.0
This configuration defines an IP address of 123.45.45.45 for the Ethernet 0 port, with a netmask of 255.0.0.0. This is the default mask for a class A network number and was selected by the router because we stated that 0 bits should be contained in the subnet field when the router was configured.
The next two lines define the basic configuration of the Serial 0 port to have an IP address of 122.22.22.22, again with a default class A netmask.
interface serial0
ip address 122.22.22.22 255.0.0.0
The next section defines the configuration for the Serial 1 port, which is not in use on this router. The shutdown entry defines this port as being closed and not in operation. The no ip address entry indicates that an IP address has not yet been assigned to this port.
interface serial1
shutdown
no ip address
The exclamation points shown in the configuration file are merely separators used to display router component configurations in sections.
Configuring Routers from the Command Prompt.     Now that we know how to give a router a basic configuration file and understand the contents of this configuration file, we can modify the file so that it becomes useful.
When configuring Cisco routers, you need to be aware that there are three classes of commands:
  Global  A single-line command that affects the function of the whole unit.
  Major  A command that indicates a particular interface or process that is being configured. Each major command must have at least one subcommand.
  Subcommand  Subcommands are used after a major command to configure a process or interface.
To display router configurations, the commands shown in Table 3.2 can be used.
Global commands.     The first class of command we will examine are global commands. Global commands normally appear at the top of the router configuration file, and are used to address configuration details that affect the operation of the router as a whole. The global commands defined in the configuration file above are as follows:
hostname router1
enable secret 5 $1$UtL7$KqpczYUWgIg4pnWYbNYD0
enable password enter
no snmp-server
ip routing
To modify a global parameter, type the following at the enable prompt:
Router1#conf t
The router will reply with the following:
Enter configuration commands, one per line. End with Ctrl/Z.
Router1(config)#
Table 3.2: Configuration Display Commands

sh conf (show configuration)
    Displays the contents of NVRAM. The configuration file loaded at boot time is stored here. Upon boot, the router copies the configuration file from NVRAM into RAM. This is the configuration that the router was started with, or the configuration as of the last time the write mem command was executed, which writes the running configuration to NVRAM.
wri term (write terminal)
    Displays on the terminal the current configuration that is running in memory.
You now can type configuration commands that affect global parameters on the router. When you press the Enter key at the end of a line, the command takes effect and is entered into the configuration file.
The following are examples of global commands you might wish to enter in the router configuration.
Router(config)#hostname Newname
Newname(config)#
The hostname command changes the hostname of the router and immediately is reflected in the prompt when the command is entered, as shown above.
The router can be told to configure at boot time from system ROM, flash memory, or a configuration file held on a TFTP server on the network. A router configuration file can list all three options and the router will try to boot from the source listed first. If that fails, it will try the second source, and so forth. The commands to boot from these sources are as follows:
  Boot System ROM  This indicates that the router will be booted from ROM chips on the Route Processor. These chips are read-only and cannot be written to. You can update these chips by requesting new ones from Cisco.
  Boot System Flash  The router will be booted from flash. Flash memory can contain more than one version of the IOS. Routers can be ordered with additional flash memory.
  Boot System Filename IP-Address  Boot from the network. The most typical option is to configure a 2500-series router to boot from flash, if available, or from ROM.
At the configuration prompts, type the following:
Newname(config)#boot system flash
Newname(config)#boot system rom
Press <Ctrl-Z> to exit configuration mode. This will enter the above commands in the sequence shown in the configuration file. The new configuration can be viewed with the write terminal command.
Another global command you will most likely want to enter is shown as follows:
Newname(config)#no ip domain-lookup
This command is useful, particularly if, like me, you are not the world's greatest typist. If you make a spelling mistake when trying to enter a command (when you are in View rather than Configuration mode), the router does not recognize the command. It will assume that this strange word is the name of a host on the network and that you wish to establish a Telnet session with it. The router will not find the strange hostname in its own host table and will try to find a Domain Name Server on the network in the hope that the DNS machine will know the IP address of the strange host. Either you do not have an available DNS machine or, if one is available, it will not have details of this strangely named host. The router, therefore, fails to establish a Telnet session. This takes some time. To stop an unnecessary search, enter the no ip domain-lookup command in Configuration mode. It just makes life easier.
Major Commands and Subcommands.     The thing that differentiates a global command from a major command on a router configuration file is that the global command is on one line. A major command is followed by, at the least, a one-line subcommand that relates to the major command.
The major commands in the initial configuration file are listed next, with the associated subcommands indented:
line vty 0 4
password access
interface Ethernet0
ip address 123.45.45.45 255.0.0.0
interface Serial0
ip address 122.22.22.22 255.0.0.0
interface Serial1
shutdown
no ip address
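As an added example (not code from the book), the following Python script splits a configuration file into the three classes of command just described, global commands and major commands with their subcommands, and then checks it for the points raised earlier in this chapter: a clear-text enable password kept beside an enable secret, an SNMP process left enabled, and a vty line without a password. It assumes subcommands are indented by one space, as IOS writes them in a saved configuration; the sample configuration is the Fig. 3-1 script, indented that way.

```python
import ipaddress  # not needed for parsing; kept out of the way below

# Keywords that open a major command block in a Cisco IOS configuration.
MAJOR_KEYWORDS = ("interface", "line", "router")

# Constructed sample: the script generated by the setup utility in Fig. 3-1,
# with subcommands indented by one space as IOS does in a saved configuration.
SAMPLE_CONFIG = """\
hostname router1
enable secret 5 $1$UtL7$KqpczYUWglg4pnWYbNYD0.
enable password enter
line vty 0 4
 password access
no snmp-server
!
ip routing
!
interface Ethernet0
 ip address 123.45.45.45 255.0.0.0
!
interface Serial0
 ip address 122.22.22.22 255.0.0.0
!
interface Serial1
 shutdown
 no ip address
!
end
"""


def parse_config(text):
    """Split a configuration into (global_cmds, blocks), where blocks is a
    list of (major_command, [subcommands]); "!" lines are mere separators."""
    global_cmds, blocks = [], []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                     # separator ends any block
            continue
        if raw[0].isspace():                   # indented line: subcommand
            if current is None:
                raise ValueError(f"subcommand outside a major command: {raw.strip()!r}")
            current[1].append(raw.strip())
            continue
        line = raw.strip()
        if line == "end":
            break                              # terminator, not a command
        if line.split()[0].lower() in MAJOR_KEYWORDS:
            current = (line, [])
            blocks.append(current)
        else:
            current = None                     # a global command closes a block
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return a list of findings for the weaknesses this chapter points out."""
    global_cmds, blocks = parse_config(text)
    findings = []
    has_secret = any(g.startswith("enable secret") for g in global_cmds)
    has_password = any(g.startswith("enable password") for g in global_cmds)
    if has_password and not has_secret:
        findings.append("Enable mode protected only by enable password, "
                        "which is stored in clear text")
    elif has_password:
        findings.append("enable password is still present in clear text "
                        "although enable secret takes precedence")
    if any(g.startswith("snmp-server") for g in global_cmds):
        findings.append("SNMP process is enabled (snmp-server); the chapter "
                        "recommends no snmp-server unless SNMP is secured")
    for major, subs in blocks:
        if not subs:
            findings.append(f"major command without any subcommand: {major}")
        if major.startswith("line vty") and not any(
                s.startswith("password") for s in subs):
            findings.append(f"{major}: Telnet access has no password")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the Fig. 3-1 script it reports a single finding, the clear-text enable password that the enable secret has made redundant.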
To experiment with configuring major commands, and their associated subcommands, we will look at configuring the following:
  Give the Ethernet port an IP address of 192.1.1.1, with a subnet mask of 255.255.255.192.
  Configure Serial 0 to have an unnumbered IP address.
  Configure Serial 1 with an IP address of 193.1.1.1 and a subnet mask of 255.255.255.0.
  Configure Serial 1 to have a secondary IP address of 194.1.1.1, with a netmask of 255.255.255.0.
At the Enable prompt, type the following:
Newname#conf t
Newname(config)#int e0
Newname(config-if)#ip address 192.1.1.1 255.255.255.192
Newname(config-if)#<Ctrl-Z>
This completes the configuration for the Ethernet 0 port. Note that the prompt changes when you have entered a major command and are about to enter subcommands.
The IP unnumbered feature, which we are about to configure for the Serial 0 interface, is discussed in more detail in Chap. 7; however, a basic introduction is useful here. IP unnumbered is used on point-to-point links to reduce the number of subnets that need to be allocated on an internetwork. This is illustrated in Fig. 3-2.
Figure 3-2: Example of a point-to-point link used with IP unnumbered
Assuming that IGRP is the routing protocol used on this network, subnet mask information is not transmitted in routing updates; therefore all interfaces that have IP addresses assigned to them must use the same netmask in order for the routing tables to be updated properly. Let's say that at both site 1 and site 2 we want to apply a netmask that will allow 62 usable IP addresses in the subnet (remember the first and last address in a subnet cannot be assigned to a host or router interface). The netmask in this case will be 255.255.255.192.
If limited address space is available (meaning that the network has to use Internet-compatible addresses, which were assigned to a corporation by an Internet service provider), applying a netmask of 255.255.255.192 to both serial ports will waste 60 addresses on the internetwork. This is because a separate subnet is assigned to the link between router 1 and router 2, but only the serial ports on these routers need an IP address.
IP unnumbered gets around this problem by letting the router know that the serial port is on a point-to-point link, and allows each serial port to use the address of its respective router's Ethernet port for communications across the link. Using IP unnumbered in this fashion prevents us from having to allocate a whole subnet to a point-to-point link.
Newname#conf t
Newname(config)#int S0
Newname(config-if)#ip unnumbered E0
The Serial 1 line will be configured by entering the following:
Newname(config)#int S1
Newname(config-if)#ip address 193.1.1.1 255.255.255.0
Newname(config-if)#ip address 194.1.1.1 255.255.255.0 sec
A secondary IP address may be assigned to a router port if the number of host machines on that segment is about to exceed the number allowable by the current IP address and subnet scheme. By assigning a secondary IP address, new hosts may be added to that segment without the need to reconfigure all the host's IP addresses already on the segment.
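The mask arithmetic behind the setup utility's "Class A network is 123.0.0.0, 0 subnet bits; mask is 255.0.0.0" lines and the address-waste argument for IP unnumbered above, as an added Python example that is not from the book. It reproduces the classful defaults the setup utility uses: the subnet-bit count is taken relative to the class's default mask, and the waste figure assumes a whole subnet is spent on a serial link that needs only two addresses.

```python
import ipaddress

# Default prefix length of each address class, keyed on the first-octet range.
CLASS_PREFIXES = ((128, "A", 8), (192, "B", 16), (224, "C", 24))


def classful_default(ip):
    """Return (class letter, default prefix length) for a unicast address."""
    first = int(str(ipaddress.ip_address(ip)).split(".")[0])
    for upper, letter, prefix in CLASS_PREFIXES:
        if first < upper:
            return letter, prefix
    raise ValueError(f"{ip}: class D/E addresses cannot be assigned to an interface")


def setup_mask(ip, subnet_bits):
    """What the setup utility derives from an address and a subnet-bit count:
    (class letter, classful network address, netmask)."""
    letter, base = classful_default(ip)
    prefix = base + subnet_bits
    if subnet_bits < 0 or prefix > 30:
        raise ValueError("subnet field must leave at least two host bits")
    network = ipaddress.ip_network(f"{ip}/{base}", strict=False)
    subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return letter, str(network.network_address), str(subnet.netmask)


def setup_message(ip, subnet_bits):
    """The line the setup utility prints for this address and subnet field."""
    letter, network, mask = setup_mask(ip, subnet_bits)
    return f"Class {letter} network is {network}, {subnet_bits} subnet bits; mask is {mask}"


def point_to_point_waste(netmask):
    """Size of a subnet with this mask, its usable host addresses, and how many
    of those are wasted if the subnet is assigned to a two-router serial link
    (the case IP unnumbered avoids)."""
    subnet = ipaddress.ip_network(f"0.0.0.0/{netmask}")
    total = subnet.num_addresses
    usable = total - 2                 # network and broadcast addresses are unusable
    return total, usable, usable - 2   # the two serial ports use one address each


if __name__ == "__main__":
    print(setup_message("123.45.45.45", 0))
    print(setup_message("192.1.1.1", 2))
    print(point_to_point_waste("255.255.255.192"))
```

For the 255.255.255.192 mask of the example above the last call gives 64 addresses, 62 usable and 60 wasted, the figure quoted in the text.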
Configuring a Router from a Network Server
What typically happens when a Cisco router network is being rolled out is that a base configuration for all routers is defined, and has the modified IP addresses for each location. It makes life easier if this base configuration can be loaded into each router from a network server each time a new router is installed. It is more time-efficient to modify an existing configuration than to create one from scratch.
There is a simple way to achieve this, using any machine that can act as a TFTP (Trivial File Transfer Protocol) server. Many of the more full-featured TCP/IP stacks available commercially provide TFTP server functionality. Any Unix machine also can act as a TFTP server.
TFTP is a simple file transfer protocol that is not as complex or as fully functional as FTP. TFTP has little in the way of security, user authentication, or end-to-end reliability, because it uses UDP rather than TCP as the layer 4 protocol.
Let's look at setting up a Unix machine as a TFTP server, saving the configuration file of a router to this TFTP server, and then reloading the configuration.
TFTP is called into action by the INETD daemon process whenever the server machine receives a request on UDP port 69, which is the port number permanently assigned to TFTP.
To have TFTP started in the "secure" mode, the appropriate line in the inetd.conf must be uncommented. In a standard inetd.conf file in a Unix machine, there are two TFTP entries, as shown below:
#tftp dgram udp wait nouser /etc/tftpd tftpd
tftp dgram udp wait root /etc/tftpd tftpd -s /cisco
The line containing tftpd -s is the one in which we are interested. The only modification you need to make to this line is to specify which directory you want to become the TFTP secure directory; in this case, it is the /cisco directory. The only thing that makes this "secure" is that the specified directory is the only one that can be written to or read from; it does not offer user-level security in terms of usernames and passwords. These entries correctly show the insecure option for starting TFTP commented out, by starting that line with the # character.
Once we have secure TFTP available, and a configuration similar to that shown in Fig. 3-3, we can store and retrieve configurations as plain ASCII text. In the last section we used the conf t command to configure from the terminal and the wri t command to display the running configuration on the terminal. Now we will look at the wri net command to write the configuration to a network server and the conf net command to configure the router from a network server.
Figure 3-3: Network configuration for storing and retrieving router configuration files
To successfully write a router configuration to a TFTP server, the file name used to store the file must already exist in the secure directory and have read, write, and execute privileges. In the following example, the file router.conf must exist in the /cisco directory of the TFTP Unix server (which has address 209.1.1.1), with rwxrwxrwx rights. The following is taken from a Cisco router screen being told to save its configuration to a network server. Note the !!!! characters indicate a file transfer is occurring. Once the file router.conf is stored on the TFTP server, it can be edited and stored as any other file name, and is ready to be loaded into another computer.
Router1#wri net
Remote host[ ]? 209.1.1.1
Name of configuration file to write [router-confg]?router.conf
Write file router.conf on host 209.1.1.1 [confirm]? (press enter to confirm)
Writing router.conf: !!!!! [OK]
To configure a router from a network server, the following commands have to be input to the router:
Router1#conf net
Host or network configuration file[host]? (press enter to accept default)
Address of remote host [255.255.255.255]?209.1.1.1
Name of configuration file [router-confg]?router.conf
Configure using router.conf from 209.1.1.1 [confirm]? (press enter to confirm)
Loading router.conf from 209.1.1.1 (via ethernet 0) !!!!!!!!!
Router#
The preceding discussion assumed that the router being configured from the network server had a largely blank configuration. This is not always the case. There are times when you will need to work on a new configuration for a router that is already in service, maybe test the configuration out in a lab, then load the new configuration onto the router in the field. Using the conf net command in this situation will not provide the results you want. If you do try to use conf net here, the new and existing router configurations are in fact merged.
In this situation the best thing to do is copy the new configuration from the network server to the router using the copy tftp startup-config command, then perform a reload on the router once the transfer has taken place. This process will completely replace the existing configuration with the one you loaded from the network server.
Configuring a Router Using Auto-Install
Auto-install is a feature of Cisco routers that was designed to enable a new router to come out of its box, get connected to a leased line at a site, download the correct configuration from a network TFTP server, and be up and running without any intervention from the remote site staff. This idea is useful for initial installation or maintenance replacement of faulty router hardware.
This is a very attractive idea for a typical organization that has centrally located network engineering staff responsible for connecting remote offices to the corporate network. In practice, it is not always a good idea to depend on this to work in a first-time installation. The reason has nothing to do with the Cisco implementation, but relates to the fact that telephone company leased lines tend to have problems when they are first installed.
If anything disrupts the process of configuration file download, such as a spike or some other interruption to service on the line, the configuration file will be corrupted (remember that TFTP uses UDP and therefore does not have error recovery or retransmissions). When a configuration file is corrupted, the newly installed router will not be reachable over the leased line network connection, and will not use the auto-configuration procedure at boot time once it has a configuration file.
Auto-configuration is useful for getting the correct configuration file to a replacement router. When a router is replaced in the field, it is assumed that the initial line problems have been solved and the configuration file will be safely transmitted over the line.
Let's discuss how auto-configuration works. It is assumed that a network configuration similar to that defined in Fig. 3-4 is available for this process. Step 1 is that the new router to receive the configuration is connected via a DTE/DCE cable to what we will call the staging router. In this configuration, the staging router Serial 0 port must be connected to the DCE end of the cable and be configured to supply a clock signal. (The details of this configuration are given later in this chapter when we build the lab environment.) When the new router is powered on, it will issue what is known as a broadcast SLARP request out of its serial port.
Figure 3-4: Using auto-install to configure a router
SLARP stands for Serial Line Address Resolution Protocol. When the staging router serial port receives the SLARP request, it replies by giving the new router its IP address. Once the new router receives this IP address, it will add 1 to it and take that IP address as its own. A word of caution: This works only for the first two addresses in a network or subnetwork. An example will clarify this.
Suppose the Serial 0 port on the staging router has address 1.1.1.1; through the SLARP process, the serial port on the new router will then configure itself to have address 1.1.1.2.
Once the new router has an IP address, the auto-configuration process built into the IOS operating system will seek out a file named network-confg (located on the Cisco Works Unix machine), and reference a hostname associated with the 1.1.1.2 address. The new router does this by issuing a broadcast on UDP port 69. The staging router must have a global command to forward UDP broadcasts, and its Serial 0 port must have an ip helper-address entry directing this broadcast to the IP address of the Cisco Works management station. The forward-protocol command and the Serial 0 helper-address command appear in the configuration of the staging router as follows (assume the management machine has an IP address of 151.3.5.5):
!
interface serial 0
ip address 1.1.1.1 255.0.0.0
ip helper-address 151.3.5.5
!
ip forward-protocol udp
!
The effect of these two commands is to take a broadcast sent on the 1.0.0.0 network and direct it to the IP address 151.3.5.5.
The network-confg file lists entries similar to the following:
newrouter 1.1.1.2
Once the new router has found its hostname ("newrouter", for argument's sake), it will issue a TFTP request for a configuration file named newrouter-config. The configuration file must be located in the TFTP directory on the Unix machine, as must the network-confg file. Assuming the appropriately named configuration file is there, the router will start downloading its configuration from the TFTP directory of the Cisco Works machine.
Books24x7.com, Inc © 2000