9 Steps to Setting Up a Cisco Router
Practical Networking and IOS
Michael Dragone | Windows IT Pro May 26, 2008
Downloads
98740.zip
Executive Summary:
Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a great way to experiment with networking concepts and gear and could be good for your career development. You can get some hands-on IOS experience by setting up a Cisco router at the Internet edge in your test lab at work or in your home office. A Cisco router allows you greater flexibility (with more granular controls than the Linksys or NETGEAR hardware commonly used in home offices) if you later want to expand your setup to include, say, a Microsoft ISA Server firewall on the back end.
Let’s go through the basic steps of setting up a Cisco router to provide Internet access to a small network. I’ll assume you have some basic IOS knowledge, including how to log on and how to save and clear configurations. I’ll also assume that you have a solid understanding of networking, including what Network Address Translation (NAT) is. I won’t cover items such as setting up Secure Shell (SSH) access and hardening access lists. You can expand into those areas as you feel comfortable and want to experiment more.
What You’ll Need
You need a Cisco router with at least two Ethernet interfaces. An 806, 836, 851, or 871 is ideal for a home or small office setup—in fact, that’s what those models are geared towards. You can buy an 851 for a few hundred dollars from various online retailers. However, a 2610 works just as well, and you might have one sitting in the equipment bin at your office that you can ask to borrow.
Your router should have IOS 12.2 or later. This article is based on a Cisco 851W with IOS 12.4, including the IOS firewall feature set.
You also need a Cisco console cable (sometimes called a rollover cable). One end has an eight-position, eight-conductor modular jack to connect to the router; the other end has a DB-9 serial connector. In recent years, the console cables that Cisco has shipped with its equipment have been light blue.
You need a computer with a DB-9 serial port. In my experience, USB-to-serial converters work just fine for this application. You also need a computer with a terminal emulation program. Hilgraeve’s HyperTerminal is available with Windows XP, but it was removed from Windows Vista. Vista users can download HyperTerminal Private Edition 6.3 at www.hilgraeve.com/htpe/download.html. Mac OS X users can Google for ZTerm, and Linux users, for minicom.
1. Connect the router to the PC, and start a terminal emulation program
Connect your router to your PC with the console cable, and fire up your terminal emulation program. The port settings are 9600,8,N,1. If you’ve never before accessed a device directly via an asynchronous serial connection, you might want to ask a Cisco veteran for some assistance.
Start with the command enable to get into privileged EXEC mode. Then type the command erase startup-config to get a blank configuration. Next, restart the router with the reload command. Make sure to say no to an IOS prompt that asks if you’d like to enter the initial configuration dialog.
These steps might sound confusing if you’ve worked only with Cisco devices that are up and running in production. In that case, you’re probably more accustomed to using Telnet, or preferably SSH, to configure the equipment. That isn’t an option when you want to start with a blank configuration, which will prevent any Telnet or SSH access to the equipment for the time being.
Take a look at the back of your router and identify which Ethernet ports you’ll be using for what. One will connect to your WAN device, such as a cable modem; another will connect to your LAN. If you’re using an 851W, like me, you’ll notice that the ports are labeled for you—FastEthernet4 is the WAN interface and FastEthernet0 through FastEthernet3 are the LAN interfaces. The 851 includes a built-in four-port switch, hence the four LAN interfaces.
If your router’s interfaces aren’t labeled, you can type the command
3. Configure IP addresses
Now you can begin the actual setup. You should still be in privileged EXEC mode (if not, enter the enable command), and start terminal configuration mode by entering
configure terminal
Then enter
no ip domain lookup
to prevent IOS from attempting to convert any spelling mistakes you make into domain names. You can skip this step if you’re a perfect typist, I suppose. Next, enter
no logging console
to prevent IOS from outputting syslog messages to the console as you’re working. These can interfere greatly with your typing.
Now you’re ready to set up an IP address for the LAN interface. In the case of the 851W that this article is based on, you do this on a virtual interface called BVI1 that relates to the physical LAN interfaces. On other routers, you might do this on the actual physical interface. Type
interface <interface_name>
to enter the configuration mode for that interface. For the 851W, the command was
interface BVI1
I’m using 192.168.100.1 with a Class C mask, so my command looked like this:
ip address 192.168.100.1 255.255.255.0
(Be sure to enter the command all on one line.) You can also use Classless Inter-Domain Routing (CIDR) notation if you prefer, which would look like this:
ip address 192.168.100.1/24
You’ll also need to set the WAN interface to use DHCP to obtain its IP address. To do this, type
interface FastEthernet4
ip address dhcp
Next, you need to configure two access lists, both of which will be applied in the inbound direction. Note that in the remainder of this article, I use the terms inbound and outbound frequently. As Figure 1 shows, inbound refers to traffic entering the interface; outbound refers to traffic leaving the interface.
Listing 1 shows the two access lists: The first will be applied to the LAN interface (in my case, BVI1), and the second will be applied to the WAN interface (in my case, FastEthernet4).
Access list 100 will be applied to the LAN interface. The first line sets up the access list and places the router in access list configuration mode. The next line allows any IP traffic matching the network (192.168.100.0/24) to pass into the interface. If the subnet mask looks odd to you, that’s not a typo. IOS uses inverse subnet masks in its access lists. You can compute these manually quite easily by subtracting each octet of your standard mask from 255. So mask 255.255.252.0 becomes 0.0.3.255, 255.252.0.0 becomes 0.3.255.255, and so on.
The third line denies any other traffic from entering the LAN interface. Although all access lists have an implicit deny all at the end, including an explicit deny line is a good practice so that you know where your access list ends and to aid the readability of your configuration. The final line takes the router out of access list configuration mode.
Access list 101 will be applied to the WAN interface. The first line sets up the access list and places the router in access list configuration mode. I use a cable modem, so the next line allows DHCP (bootps and bootpc) traffic to enter the WAN interface. Without this entry, my WAN interface would never receive a public IP address, and I’d never get on the Internet. You can use the same configuration in a test lab as long as you have a DHCP server set up and your networking team is OK with what you’re doing. The third and fourth lines allow any TCP and UDP traffic from any source destined for anywhere to enter the WAN interface.
The fifth, sixth, and seventh lines allow any Internet Control Message Protocol (ICMP) traffic that’s from any source; is headed for any destination; and is an echo-reply, time-exceeded, or unreachable message to enter the WAN interface. You should be cautious about which types of ICMP traffic you allow on your network because ICMP can be used for various exploits, especially Denial of Service (DoS) attacks. However, you need these three lines to use ping and traceroute for troubleshooting. The last two lines are the same as in the LAN access list.
My IOS version includes the IOS firewall feature set. If yours does as well, you’ll definitely want to use it. Although the IOS firewall doesn’t offer the deep application-layer inspection that, say, an ISA Server firewall does, enabling it is a good idea for two reasons. The first is to ensure that traffic which is claiming to be TCP, UDP, or ICMP is in fact TCP, UDP, or ICMP. The second is that enabling this inspection also enables Context-Based Access Control. CBAC allows IOS to create dynamic access list entries that allow return traffic to flow through the router. Although our access lists above are very generic (e.g., all TCP is allowed), once your setup is working, you’ll certainly want to harden them, set up internal servers reachable from the Internet, and so on. After you’ve done that, CBAC will allow return traffic to pass through the router. For example, if you browse to Amazon.com, CBAC will dynamically place entries in the inbound access list applied to your external (WAN) interface to allow return traffic from Amazon.com to enter the router. When the connection is closed, these entries are dynamically removed.
First, set up a TCP SYN timeout threshold to help mitigate SYN flood DoS attacks:
ip tcp synwait-time 30
This command tells IOS to drop any TCP session that’s not established within 30 seconds.
Next, set up an inspection rule each for ICMP, TCP, and UDP:
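The inspection rule definitions themselves are missing from this copy of the article, so the following is an added example rather than the author's own listing. It defines one inspection rule per protocol under the name InspectRule, which is the name the article uses when it applies the rule to the interfaces; the `do show` check at the end is my addition.

```cisco
! Added example, not copied from the article: one CBAC inspection rule per protocol.
! The rule name InspectRule matches the "ip inspect InspectRule in" apply step below.
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
ip inspect name InspectRule icmp
!
! Confirm IOS accepted the rule set (an exec command run from configuration mode):
do show ip inspect config
```

All three lines share one name, so a single ip inspect statement on an interface enables inspection for all three protocols; a rule name that is applied but never defined is the usual cause of "inspection configured but no sessions" when troubleshooting.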
Now, apply both the access lists and the inspection rules to the appropriate interfaces in the inbound direction. For the WAN interface—in my case, FastEthernet4— first enter the interface configuration mode:
interface FastEthernet4
ip access-group 101 in
(Note that you use access-group, not access-list here.) Then apply the inspection rule:
ip inspect InspectRule in
exit
interface BVI1
ip access-group 100 in
ip inspect InspectRule in
exit
Some of you sharpies might be wondering if you could apply the IP inspection rule in the outbound direction as well as or in place of the inbound direction. The answer is yes, you can.
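The article notes that once CBAC is in place the blanket TCP and UDP permits in access list 101 are candidates for hardening. As an added example (not the author's configuration), here is a tighter version of that list that keeps only the DHCP and ICMP entries the text says are needed and relies on the dynamic entries CBAC creates for LAN-initiated sessions. It assumes InspectRule is applied inbound on BVI1 exactly as shown above, and the `log` keyword and the `show` checks are my additions.

```cisco
! Added example, not from the article: access list 101 hardened to rely on CBAC.
! Assumes "ip inspect InspectRule in" is applied on BVI1, so every session a LAN host
! opens gets a temporary permit inserted here for its return traffic.
! Re-creating a numbered list appends to it, so remove the old one first.
no ip access-list extended 101
ip access-list extended 101
 remark DHCP lease replies for the WAN interface (cable modem); assumed server->client ports
 permit udp any eq bootps any eq bootpc
 remark ping and traceroute replies (echo-reply, TTL expiry, unreachables)
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark everything else enters only through a CBAC dynamic entry; log the rest
 deny ip any any log
 exit
!
! Checks from privileged EXEC mode after browsing from a LAN host:
end
show ip inspect sessions
show access-lists 101
```

Make this change from the console rather than over Telnet, since the moment the old list is removed the new list is empty and only the implicit deny applies. In show access-lists 101 you should see hit counters climbing on the ICMP lines during a traceroute, and show ip inspect sessions lists the LAN-initiated TCP and UDP sessions for which CBAC has opened temporary entries; the logged denies are a useful first look at what unsolicited traffic arrives at your WAN interface.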
7. Set up NAT
You now need to set up NAT to translate addresses between the internal 192.168.100.0/24 network and the public Internet. First, set up an access list to be used only for NAT:
ip access-list standard 10
permit 192.168.100.0 0.0.0.255
deny any
exit
As before, the first line places the router in access list configuration mode. Note that the access list here is standard and not extended. Standard access lists allow only traffic from specific IP addresses or networks to be permitted or denied. They don’t let you specify the destination or type of traffic as extended access lists do. The second line identifies the traffic that you want to translate. The above code allows any traffic on the internal LAN to be translated for the Internet. The third line prevents any other traffic from being translated, and the fourth line takes the router out of access list configuration mode.
interface BVI1
ip nat inside
exit
interface FastEthernet4
ip nat outside
exit
These lines tell IOS that the LAN interface, BVI1, will contain the addresses that need to be translated, while the WAN interface, FastEthernet4, contains the external addresses to which the internal addresses will be translated.
Finally, you enter the actual NAT statement (all on one line):
This command tells IOS to translate any address identified in access list 10 to the address assigned to FastEthernet4. The overload keyword allows one public address to be shared among several internal private addresses.
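The NAT statement itself is missing from this copy of the article. The following added example (not the author's listing) shows the standard IOS command that does what the paragraph describes, assuming access list 10 and the inside/outside interface roles set up above; the two `show` commands for checking the result are my addition.

```cisco
! Added example, not copied from the article: the overload (PAT) NAT statement.
! Assumes access list 10 selects 192.168.100.0/24 and FastEthernet4 is "ip nat outside".
ip nat inside source list 10 interface FastEthernet4 overload
!
! Checks from privileged EXEC mode once a LAN host has opened a connection:
end
show ip nat translations
show ip nat statistics
```

show ip nat translations lists each active inside-local to inside-global mapping, including the port numbers that overload uses to tell sessions apart; show ip nat statistics reports the inside and outside interfaces IOS has registered and the hit and miss counters. A translation that never appears usually means the access list did not match or one of the interfaces lacks its ip nat inside or ip nat outside role.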
You’re almost ready to test your configuration. First, though, you need to ensure that each interface is not in a shutdown state. To do so for FastEthernet4, type:
interface FastEthernet4
no shutdown
exit
At this point, you can disconnect the console cable and connect the PC to a LAN port on the router with an Ethernet cable. You can then access the router by opening a Telnet connection (preferably secured with SSH) to the router’s LAN IP address. Keep the console cable handy, though, in case you make a configuration change that prohibits Telnet access. A Telnet client is included with most OSs.
You also might want to disable Spanning Tree Protocol (STP) on your internal LAN interface(s) if your router allows that. If you plan on setting up a complex network of switches on your network, then don’t disable STP; but for a small network, disabling STP lets your internal LAN devices connect to your router up to 30 seconds faster. For each LAN interface (in my case, FastEthernet0 through FastEthernet3), enter
interface FastEthernet0
spanning-tree portfast
exit
to save your work to nonvolatile memory and ensure that your configuration is retained across router restarts, power outages, and so on.
show running-config
to output a copy of the configuration you just created to your screen. You can copy and paste this configuration to a text editor for later reference. You can also edit the configuration in a text editor and paste it into a terminal session to make changes to the router. Your configuration should look similar to Listing 2 at this point. Note that Listing 2 omits many configuration lines that are automatically inserted or included by default. Listing 2 focuses on the commands that you entered above.
You can now connect an Ethernet cable to the router’s WAN port, and try to get on the Internet. Note that your internal LAN hosts will need to use static IP addressing if you don’t have a DHCP server present.
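Neither Listing 1 (the two access lists) nor Listing 2 (the assembled configuration) survives in this copy of the article, so here is the configuration assembled from the commands and descriptions in the steps above. This is an added reconstruction, not the author's listing: the access list lines are derived from the prose descriptions (the exact DHCP entry is an assumption), the inspection rule definitions and the NAT statement are the standard IOS commands the text describes, the save command at the end is my addition, and the 851W's default bridging lines are omitted, as the author says Listing 2 omits them.

```cisco
! Added reconstruction of the article's Listing 1 and Listing 2; not the author's own text.
! Assumes the author's 851W layout: BVI1 = LAN (192.168.100.0/24), FastEthernet4 = WAN.
! Lines the 851W inserts by default (bridge irb, bridge-group 1 on Fa0-3, etc.) are omitted.
configure terminal
no ip domain lookup
no logging console
!
! Step 3: addresses
interface BVI1
 ip address 192.168.100.1 255.255.255.0
 exit
interface FastEthernet4
 ip address dhcp
 exit
!
! Listing 1: access lists, line order as described in the text
ip access-list extended 100
 permit ip 192.168.100.0 0.0.0.255 any
 deny ip any any
 exit
ip access-list extended 101
 permit udp any eq bootps any eq bootpc
 permit tcp any any
 permit udp any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
 exit
!
! IOS firewall: SYN wait threshold and one inspection rule per protocol
ip tcp synwait-time 30
ip inspect name InspectRule tcp
ip inspect name InspectRule udp
ip inspect name InspectRule icmp
!
! Apply access lists and inspection inbound on both interfaces
interface FastEthernet4
 ip access-group 101 in
 ip inspect InspectRule in
 exit
interface BVI1
 ip access-group 100 in
 ip inspect InspectRule in
 exit
!
! Step 7: NAT with overload (PAT) onto the WAN address
ip access-list standard 10
 permit 192.168.100.0 0.0.0.255
 deny any
 exit
interface BVI1
 ip nat inside
 exit
interface FastEthernet4
 ip nat outside
 exit
ip nat inside source list 10 interface FastEthernet4 overload
!
! Bring the WAN port up; portfast on each switch port (repeat for FastEthernet1 to 3)
interface FastEthernet4
 no shutdown
 exit
interface FastEthernet0
 spanning-tree portfast
 exit
end
! Save to NVRAM so the configuration survives a reload (added; the text says to save)
copy running-config startup-config
```

Paste it into a console session in privileged EXEC mode. Afterwards, show access-lists confirms both lists loaded with the expected line order, show ip inspect sessions should fill with entries as soon as a LAN host browses somewhere, and show ip nat translations shows the overload mappings. The permit tcp any any and permit udp any any lines in access list 101 are the ones the author flags for hardening once everything works.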
What’s Next?
The possibilities from here are endless. You will most certainly want to set up usernames and passwords for access to your router, set up Telnet and/or SSH access (if you haven’t already), and limit that access to various IP addresses. You should also consider modifying your access lists to deny private, non-routable (aka bogon) IP ranges from being able to reach your network.
You can also make your router a DHCP server, set up VPN access with the router as an endpoint, add NAT statements and access list entries to access a Web server on your internal network from the Internet, or put an ISA Server firewall between your router and your LAN clients. Over time, I’ve tweaked my setup to become much more complex than the one presented in this article. Don’t be afraid to read some additional documentation (I highly suggest the Cisco Field Manual series published by Cisco Press), ask questions of your resident Cisco gurus, and experiment!
Thanks
on Jun 2, 2008
Prince (not verified)
Good Article..... it helps.... also one should refer to Cisco's ICND Books (2 Books) if this article doesn't help
on Oct 7, 2008
tmagner
How do I get the remaining text of the article? There's no Next button or link and the article ends with ...