3.1. Example 2:
The switch is again a Catalyst 5500 with a WS-X5530-E3 supervisor engine and multiple WS-X5225R modules. Three virtual networks are defined on the switch: default, qbw, and rgw. Routing between the virtual networks is handled by a Cisco 3640 router. The switch settings are similar to Example 1.
The router Cisco3640 is equipped with an NM-1FE-TX module, which has a fast Ethernet interface that can support ISL. The Cisco3640 fast Ethernet interface is connected to a port that supports ISL on the switch, such as the first interface (port 3/1) in the third slot of the switch.
Router#wri t
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$w1kK$AJK69fGOD7BqKhKcSNBf6.
!
ip subnet-zero
!
interface FastEthernet1/0
!
interface FastEthernet1/0.1
encapsulation isl 1
ip address 10.230.2.56 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation isl 777
ip address 10.230.3.56 255.255.255.0
!
interface FastEthernet1/0.3
encapsulation isl 888
ip address 10.230.4.56 255.255.255.0
!
no ip classless
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
Router#
Reference:
1. Cisco router password recovery
If the password of a Cisco router has been changed or forgotten, recover it with the following steps:
1. Press <Ctrl+Break> while the router is powering on to enter ROM monitor mode
2. Enter the o command to read the original value of the configuration register
> o                          The usual value is 0x2102
3. Set the register as follows so that the configuration in NVRAM is ignored at boot
> o/r 0x**4*                 Cisco 2500 series command
rommon 1 > confreg 0x**4*    Cisco 2600, 1600 series command
The normal value is 0x2102
4. Restart the router
>I
rommon 2 >reset
5. In "Setup" mode, answer No
6. Enter privileged mode
Router>enable
7. Load the configuration from NVRAM
Router#configure memory
8. Restore the original configuration register value and activate all ports
“hostname”#configure terminal
“hostname”(config)#config-register 0x“value”
“hostname”(config)#interface xx
“hostname”(config)#no shutdown
9. Query and record the lost password
“hostname”#show configuration (show startup-config)
10. Modify the password
“hostname”#configure terminal
“hostname”(config)#line console 0
“hostname”(config-line)#login
“hostname”(config-line)#password xxxxxxxxx
“hostname”(config-line)#<ctrl+z>
“hostname”#write memory (copy running-config startup-config)
2. IP address allocation
Address class   Network address range   Standard binary mask
A               1-126                   1111 1111 0000 0000 0000 0000 0000 0000
B               128-191                 1111 1111 1111 1111 0000 0000 0000 0000
C               192-223                 1111 1111 1111 1111 1111 1111 0000 0000

Number of subnet bits   Subnet mask        Number of subnets   Number of hosts
Class B address
2                       255.255.192.0      2                   16382
3                       255.255.224.0      6                   8190
4                       255.255.240.0      14                  4094
5                       255.255.248.0      30                  2046
6                       255.255.252.0      62                  1022
7                       255.255.254.0      126                 510
8                       255.255.255.0      254                 254
9                       255.255.255.128    510                 126
10                      255.255.255.192    1022                62
11                      255.255.255.224    2046                30
12                      255.255.255.240    4094                14
13                      255.255.255.248    8190                6
14                      255.255.255.252    16382               2
Class C address
2                       255.255.255.192    2                   62
3                       255.255.255.224    6                   30
4                       255.255.255.240    14                  14
5                       255.255.255.248    30                  6
6                       255.255.255.252    62                  2
APTECH-BENET
Cisco routing configuration statement summary
Start the interface and assign IP address:
router>
router> enable
router#
router# configure terminal
router(config)#
router(config)# interface Type Port
router(config-if)# no shutdown
router(config-if)# ip address IP-Address Subnet-Mask
router(config-if)# ^z
Configure RIP routing protocol: updates are sent every 30 seconds
router(config)# router rip
router(config-router)# network Number <--Advertise a standard class A, B, or C network-->
router(config-router)# ^z
Configure IGRP routing protocol: updates are sent every 90 seconds
router(config)# router igrp AS-Number <--AS-Number range 1~65535-->
router(config-router)# network Number <--Advertise a standard class A, B, or C network-->
router(config-router)# ^z
Configure Novell IPX routing protocol: Novell RIP is updated once every 60 seconds
router(config)# ipx routing [node address]
router(config)# ipx maximum-paths Paths <--Set load balancing, range 1~512-->
router(config)# interface Type Port
router(config-if)# ipx network Number [encapsulation encapsulation-type] [secondary] <--Announcement Standards A, B, C-type network-->
router(config-if)# ^z
Configure DDR:
router(config)# dialer-list Group-Number protocol Protocol-Type permit [list ACL-Number]
router(config)# interface bri 0
router(config-if)# dialer-group Group-Number
router(config-if)# dialer map Protocol-Type Next-Hop-Address name Hostname Telephone-Number
router(config-if)# ^z
Configuring ISDN:
router(config)# isdn switch-type Switch-Type <--Configure the ISDN switch type; China uses basic-net3-->
router(config)# ^z
Configure Frame Relay:
router(config-if)# encapsulation frame-relay [cisco | ietf ]
router(config-if)# frame-relay lmi-type [ansi | cisco | q933a ]
router(config-if)# bandwidth kilobits
router(config-if)# frame-relay inverse-arp [ Protocol ] [ dlci ]
<--Configure a static Inverse ARP table:
router(config-if)# frame-relay map Protocol Protocol-Address DLCI [ Broadcast ] [ ietf | cisco ] [ payload-compress | packet-by-packet ]
-->
<--Set Keepalive interval:
router(config-if)# keepalive Number
-->
<--Specify DLCI for the local interface:
router(config-if)# frame-relay local-dlci Number
-->
<--Subinterface configuration:
router(config-if)# interface Type -Number [ multipoint | point-to-point ]
router(config-subif)# ip unnumbered Interface
router(config-subif)# frame-relay local-dlci Number
-->
router(config-if)# ^z
Configure standard ACL:
router(config)# access-list Access-List-Number [ permit | deny ] source [ source-mask ] <--Access-List-Number ranges: 1-99 standard ACL; 100-199 extended ACL; 800-899 standard IPX ACL; 900-999 extended IPX ACL; 1000-1099 IPX SAP ACL; 600-699 AppleTalk ACL-->
router(config)# interface Type Port
router(config-if)# ip access-group Access-List-Number [ in | out ]
router(config-if)# ^z
Configure Extended ACL:
router(config)# access-list Access-List-Number [ permit | deny ] [ Protocol | Protocol-Number ] source source-wildcard [ Source-Port ] destination destination-wildcard [ Destination-Port ] [ established ]
router(config)# interface Type Port
router(config-if)# ip access-group Access-List-Number [ in | out ]
router(config-if)# ^z
Configure named ACL:
router(config)# ip access-list [ standard | extended ] ACL-Name
router(config-[ std | ext ]-nacl)# [ permit | deny ] [ IP-Access-List-Test-Conditions ]
router(config-[ std | ext ]-nacl)# no [ permit | deny ] [ IP-Access-List-Test-Conditions ]
router(config-[ std | ext ]-nacl)# ^z
router(config)# interface Type Port
router(config-if)# ip access-group [ACL-Name | 1~199 ] [ in | out ]
router(config-if)# ^z
Configure DCE clock:
router# show controllers Type Port <--Determine the DCE interface-->
router(config-if)# clock rate 64000 <--Enter the DCE interface and set the clock rate-->
router(config-if)# ^z
Configuring the PPP protocol:
router(config)# username Name password Set-Password-Here <--The authenticating side builds its user database-->
router(config)# interface Type Port
router(config-if)# encapsulation ppp <--Enable PPP encapsulation-->
router(config-if)# ppp authentication [ chap | chap pap | pap chap | pap ] <--Select the PPP authentication method-->
router(config-if)# ppp pap sent-username Name password Password <--Send authentication credentials-->
router(config-if)# ^z
PAP one-way authentication configuration example:
Authenticating side:
router-server(config)# username Client password 12345 <--The authenticating side builds its user database-->
router-server(config)# interface serial 0
router-server(config-if)# encapsulation ppp
router-server(config-if)# ppp authentication pap <--Use PAP for PPP authentication-->
router-server(config-if)# ^z
Authenticated side:
router-client(config-if)# encapsulation ppp
router-client(config-if)# ppp pap sent-username Client password 12345 <--Send authentication credentials-->
router-client(config-if)# ^z
PAP two-way authentication configuration example:
Router A:
routerA(config)# username B password 12345
routerA(config)# interface serial 0
routerA(config-if)# encapsulation ppp
routerA(config-if)# ppp authentication pap
routerA(config-if)# ppp pap sent-username A password 54321
routerA(config-if)# ^z
Router B:
routerB(config)# username A password 54321
routerB(config)# interface serial 1
routerB(config-if)# encapsulation ppp
routerB(config-if)# ppp authentication pap
routerB(config-if)# ppp pap sent-username B password 12345
routerB(config-if)# ^z
CHAP one-way authentication configuration example:
Authenticating side:
router-server(config)# username router-client password 12345
router-server(config)# interface serial 0
router-server(config-if)# encapsulation ppp
router-server(config-if)# ppp authentication chap
router-server(config-if)# ^z
Authenticated side:
router-client(config-if)# encapsulation ppp
router-client(config-if)# ppp authentication chap
router-client(config-if)# ppp chap hostname router-client
router-client(config-if)# ppp chap password 12345
router-client(config-if)# ^z
CHAP two-way authentication configuration example:
Router A:
routerA(config)# username routerB password 12345
routerA(config)# interface serial 0
routerA(config-if)# encapsulation ppp
routerA(config-if)# ppp authentication chap
routerA(config-if)# ppp chap hostname routerA
routerA(config-if)# ppp chap password 54321
routerA(config-if)# ^z
Router B:
routerB(config)# username routerA password 54321
routerB(config)# interface serial 1
routerB(config-if)# encapsulation ppp
routerB(config-if)# ppp authentication chap
routerB(config-if)# ppp chap hostname routerB
routerB(config-if)# ppp chap password 12345
routerB(config-if)# ^z
Telnet use:
routerA# terminal monitor <--Display the output of debug commands run on the remote host-->
routerA# telnet IP-Address [ Router-Name ] <--Telnet to the host with the specified address or name-->
routerB# [ exit | logout ] <--Exit Telnet-->
routerB# <Ctrl>+<Shift>+<6>, then press <x> <--Suspend Telnet-->
routerA# show sessions <--Show all current Telnet sessions, including Connect-Number-->
routerA# Connect-Number <--Return to the specified Telnet connection-->
routerA# disconnect IP-Address [ Router-Name ] <--Disconnect from the host with the specified address or name-->
routerA# show user <--Show Telnet connections made to the local machine-->
routerA# clear line [ 0 | 1 | 2 | 3 | 4 ] <--Disconnect the specified Telnet session to the local machine-->
Disable any Telnet to the local machine:
router(config)# line vty 0 4
router(config-line)# access-class ACL-Number in
router(config-line)# ^z
Set host name:
router(config)# hostname Set-Hostname
router(config)# ^z
Set user mode password:
router(config)# line console 0
router(config-line)# login
router(config-line)# password Set-Password
router(config-line)# ^z
Set Telnet password:
router(config)# line vty 0 4
router(config-line)# login
router(config-line)# password Set-Password
router(config-line)# ^z
Set the privileged mode password:
router(config)# enable password Set-Password <--Unencrypted password, stored in clear text-->
router(config)# enable secret Set-Password <--Encrypted password-->
router(config)# ^z
Encrypt all passwords:
router(config)# service password-encryption
router(config)# no service password-encryption <--Cancel encryption-->
router(config)# ^z
Set up login Banner:
router(config)# banner motd delimiter Set-Banner-Information-Here delimiter <--The front and back separators must be consistent-->
Setting interface description information:
router(config-if)# description Set-Port-Information-Here
router(config-if)# ^z
Control of CDP:
router(config-if)# cdp enable <--Enable CDP on the specified port (default)-->
router(config-if)# no cdp enable <--Disable CDP on the specified port-->
router(config)# cdp run <--Enable CDP on all ports-->
router(config)# no cdp run <--Disable CDP on all ports-->
Using ping:
router# ping IP-Address
router# ping <--Extended ping command-->
Protocol [ip]: [ Protocol-Type ] <--Select protocol type-->
Target IP address: IP-Address <--Enter the address to test-->
Repeat count [5]: <--Number of ICMP packets to send-->
Datagram size [100]: <--Size of each packet-->
Timeout in seconds [2]: <--Timeout for each packet-->
Extended commands [n]: y <--Use the extended ping options-->
Sweep range of sizes [n]:
Trace usage:
router# trace IP-Address [ Host-Name ]
Specify media type for Cisco 4000 router:
router(config-if)# media-type 10baset <--Disable AUI (the default) and use RJ-45-->
router(config-if)# ^z
Change the router startup order:
router(config)# boot system flash IOS-FileName
router(config)# boot system tftp IOS-FileName TFTP-IP-Address
router(config)# boot system rom
router(config)# ^z
Modify the register value:
router(config)# config-register value <--Cisco factory default value is 0x2102. Value range: 0x2100 (enter the ROM monitor), 0x2101 (boot the system from ROM), 0x2102~0x210F (boot the system from NVRAM). 0x1=0x2101; values are counted from the lowest bit-->
Change the register value in the ROM monitor:
> o/r value
Recovery of router password:
Power the router off, then power it on again and press <Ctrl>+<Break> within 60 seconds to enter ROM monitor mode.
> o/r 0x2142 <--25xx-type router--> or > confreg 0x2142 <--16xx-type router-->
router> I
router> n
router> enable
router# copy startup-config running-config
router# configure terminal
router(config)# enable secret New-Password
router(config)# config-register 0x2102
router(config)# ^z
router# copy running-config startup-config
router# reload
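A router that is left at 0x2142 after this procedure keeps booting without its startup-config, so the register value is worth checking across devices. The following is an added example, not part of the original page: it decodes the register line of `show version` and reports devices still in the recovery state. The host names and output lines are constructed samples.

```python
import re

# Configuration-register bits relevant to the procedure above.
BOOT_FIELD = 0x000F    # bits 0-3: 0 = ROM monitor, 1 = boot from ROM, 2-F = normal boot
IGNORE_NVRAM = 0x0040  # bit 6: startup-config is skipped at boot (as in 0x2142)

# Register line of `show version`, with the optional pending value.
REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")


def describe(value):
    """Return the problems with one register value (empty list if normal)."""
    problems = []
    if value & IGNORE_NVRAM:
        problems.append("startup-config ignored at boot")
    boot = value & BOOT_FIELD
    if boot == 0:
        problems.append("boots to ROM monitor")
    elif boot == 1:
        problems.append("boots from ROM image")
    return problems


def audit_registers(show_version_by_host):
    """Map host -> findings for the value in effect now and after the next reload."""
    report = {}
    for host, text in show_version_by_host.items():
        m = REG_LINE.search(text)
        if not m:
            report[host] = ["no configuration register line found"]
            continue
        current, pending = m.group(1), m.group(2) or m.group(1)
        findings = [f"this boot ({current}): {p}"
                    for p in describe(int(current, 16))]
        findings += [f"next reload ({pending}): {p}"
                     for p in describe(int(pending, 16))]
        if findings:
            report[host] = findings
    return report


# Constructed `show version` register lines for three routers.
SAMPLE = {
    "r1": "Configuration register is 0x2102",
    "r2": "Configuration register is 0x2142",
    "r3": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
}

if __name__ == "__main__":
    for host, findings in audit_registers(SAMPLE).items():
        for finding in findings:
            print(f"{host}: {finding}")
```
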
Configure name-to-host entries:
router(config)# ip host Set-Name [ TCP-Port-Number ] IP-Address [ IP-Address 2 ]...
router(config)# ^z
Define DNS host:
router(config)# ip name-server Server-Address [ Server-Address 2 ]...
router(config)# ^z
Disable DNS:
router(config)# no ip domain-lookup
router(config)# ^z
Configure split horizon:
router(config-if)# ip split-horizon
router(config-if)# no ip split-horizon
router(config-if)# ^z
Configure static routing:
router(config)# ip route IP-Address Subnet-Mask [ Next-Hop-Address | Local-Out-Port ] [ Distance ]
<--Distance range: 1~255, equivalent to priority, the smaller the better. RIP=120; OSPF=110; IGRP=100; EIGRP=90-->
router(config)# ^z
Configure the default route:
router(config)# ip default-network IP-Address <--Dynamic default route-->
router(config)# ip route 0.0.0.0 0.0.0.0 [ Next-Hop-Address | Local-Out-Port ] [ Distance ] <--Static default route-->
router(config)# ^z
Other commands:
router# show version
router# show running-config
router# show startup-config
router# show flash
router# show interface [ Type Port ]
router# show buffers
router# show protocol
router# show mem
router# show stacks
router# show processes
router# show cdp entry [ Device-Name ] <--Show the Layer 3 information of the specified neighbor-->
router# show cdp neighbors
router# show cdp neighbors detail <--Show the Layer 3 information of all neighbors-->
router# show ip route
router# show ipx route
router# show host
router# show ip protocol
router# show ip interface Type Port
router# show ipx interface Type Port
router# show ipx servers
router# show ipx traffic
router# show access-lists [ ACL-Number ]
router# show isdn status
router# show dialer <--View ISDN dialing information-->
router# show isdn active
router# show frame-relay pvc
router# show frame-relay map
router# show frame-relay lmi
router# erase startup-config
router# reload
router# setup
router# copy running-config startup-config
router# copy startup-config running-config
router# copy tftp running-config
router# copy running-config tftp
router# debug ipx routing activity
router# debug ipx sap
router# debug isdn q921
router# debug isdn q931
router# debug dialer
router# debug ip rip
router# clear interface bri [ 0 | 1 | 2 ]
Cisco VPN connection configuration example
Establish a VPN connection between the company's Nanjing office and the Shanghai office.
Nanjing office network settings:
Intranet IP 10.1.1.0/24
External network IP 202.102.1.5/24
Shanghai office network settings:
Intranet IP 10.1.2.0/24
External network IP 202.102.1.6/24
Nanjing router configuration
!
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname nanjing
!
enable password cisco
!
!
!------ ISAKMP policy ------
! Create ISAKMP policy number 1
crypto isakmp policy 1
! Use DES encryption; 3des can be specified instead for triple DES
encryption des
! Hash algorithm to use; md5 is also possible (both ends must match)
hash sha
authentication pre-share
! Diffie-Hellman group: 1 means 768 bits, 2 means 1024 bits
group 1
! Lifetime of the security association; the default value applies if not set
lifetime 14400
!------ Pre-shared key configuration ------
! Use the address as the ISAKMP identity when communicating with the remote router
crypto isakmp identity address
! Use key 654321 for the remote router port 202.102.1.6
crypto isakmp key 654321 address 202.102.1.6
! Use key 654321 for the remote router tunnel port 192.168.1.2
crypto isakmp key 654321 address 192.168.1.2
!
!------ Transform set (one or more sets can be defined) ------
crypto ipsec transform-set tset1 ah-md5-hmac esp-des esp-md5-hmac
!
!
!------ Crypto map ------
! Define the crypto map cmap1 and specify s0 as the local address
crypto map cmap1 local-address serial 0
! Create crypto map entry with sequence number 1
crypto map cmap1 1 ipsec-isakmp
! Set the peer addresses
set peer 202.102.1.6
set peer 192.168.1.2
! Specify the transform set
set transform-set tset1
! Traffic to encrypt is selected by access list 111
match address 111
!
!
process-max-time 200
!
!------ Tunnel port ------
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel source 202.102.1.5
tunnel destination 202.102.1.6
crypto map cmap1
!
!------ Internal network port ------
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
!
!------ External network port ------
interface serial0
ip address 202.102.1.5 255.255.255.0
no ip mroute-cache
no fair-queue
crypto map cmap1
!
ip classless
!
!------ Access list 111 ------
access-list 111 permit ip host 202.102.1.5 host 202.102.1.6
access-list 111 permit ip host 202.102.1.6 host 202.102.1.5
access-list 111 permit ip 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
access-list 111 permit ip 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
!
Shanghai router configuration
!
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname shanghai
!
enable password cisco
!
!
!------ ISAKMP policy ------
! Create ISAKMP policy number 1
crypto isakmp policy 1
! Use DES encryption; 3des can be specified instead for triple DES
encryption des
! Hash algorithm to use; md5 is also possible (both ends must match)
hash sha
authentication pre-share
! Diffie-Hellman group: 1 means 768 bits, 2 means 1024 bits
group 1
! Lifetime of the security association; the default value applies if not set
lifetime 14400
!------ Pre-shared key configuration ------
! Use the address as the ISAKMP identity when communicating with the remote router
crypto isakmp identity address
! Use key 654321 for the remote router port 202.102.1.5
crypto isakmp key 654321 address 202.102.1.5
! Use key 654321 for address 202.102.1.6
crypto isakmp key 654321 address 202.102.1.6
! Use key 654321 for the remote router tunnel port 192.168.1.1
crypto isakmp key 654321 address 192.168.1.1
!
!------ Transform set (one or more sets can be defined) ------
crypto ipsec transform-set tset1 ah-md5-hmac esp-des esp-md5-hmac
!
!
!------ Crypto map ------
! Define the crypto map cmap1 and specify s0 as the local address
crypto map cmap1 local-address serial 0
! Create crypto map entry with sequence number 1
crypto map cmap1 1 ipsec-isakmp
! Set the peer addresses
set peer 202.102.1.5
set peer 202.102.1.6
set peer 192.168.1.1
! Specify the transform set
set transform-set tset1
! Traffic to encrypt is selected by access list 111
match address 111
!
!
process-max-time 200
!
!------ Tunnel port ------
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
tunnel source 202.102.1.6
tunnel destination 202.102.1.5
crypto map cmap1
!
!------ Internal network port ------
interface Ethernet0
ip address 10.1.2.1 255.255.255.0
!
!------ External network port ------
interface serial0
ip address 202.102.1.6 255.255.255.0
no ip mroute-cache
no fair-queue
crypto map cmap1
!
ip classless
!
!------ Access list 111 ------
access-list 111 permit ip host 202.102.1.5 host 202.102.1.6
access-list 111 permit ip host 202.102.1.6 host 202.102.1.5
access-list 111 permit ip 10.1.1.0 0.0.0.255 202.102.1.0 0.0.0.255
access-list 111 permit ip 10.1.2.0 0.0.0.255 202.102.1.0 0.0.0.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
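The two VPN configurations use single DES, Diffie-Hellman group 1, HMAC-MD5, a six-digit pre-shared key and clear-text passwords, and a crypto map only takes effect when the names it references are actually defined. The following is an added example, not part of the original page: a small auditor that flags those settings and any transform-set or crypto map name that is referenced but never defined. The sample is a constructed excerpt modelled on the Nanjing configuration, with two deliberately misspelled references.

```python
import re

# Constructed excerpt modelled on the Nanjing configuration above; the
# misspelled transform-set and crypto map references are deliberate.
SAMPLE = """\
no service password-encryption
enable password cisco
crypto isakmp policy 1
 encryption des
 hash sha
 authentication pre-share
 group 1
crypto isakmp key 654321 address 202.102.1.6
crypto ipsec transform-set tset1 ah-md5-hmac esp-des esp-md5-hmac
crypto map cmap1 1 ipsec-isakmp
 set peer 202.102.1.6
 set transform-set test1
 match address 111
interface serial0
 crypto map cmap
line vty 0 4
 password cisco
 login
"""

# (pattern, finding) pairs for settings that weaken the tunnel or the device.
WEAK = [
    (r"^no service password-encryption$", "passwords stored in clear text"),
    (r"^enable password \S+", "enable password instead of enable secret"),
    (r"^encryption des$", "ISAKMP policy uses single DES"),
    (r"^group 1$", "ISAKMP policy uses 768-bit Diffie-Hellman group 1"),
    (r"^hash md5$", "ISAKMP policy uses MD5"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "transform set uses single DES"),
    (r"^crypto ipsec transform-set \S+ .*md5-hmac", "transform set uses HMAC-MD5"),
    (r"^crypto isakmp key \d{1,8} address", "short numeric pre-shared key"),
    (r"^password (?![57] )\S+", "line password in clear text"),
]


def audit_config(config):
    """Return (line_number, finding) tuples for weak settings and dangling names."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    # Names that are actually defined in global configuration mode.
    tsets = {m.group(1) for line in lines
             if (m := re.match(r"crypto ipsec transform-set (\S+)", line))}
    cmaps = {m.group(1) for line in lines
             if (m := re.match(r"crypto map (\S+) \d+ ", line))}
    for n, line in enumerate(lines, 1):
        for pattern, text in WEAK:
            if re.search(pattern, line):
                findings.append((n, text))
        m = re.match(r"set transform-set (\S+)", line)
        if m and m.group(1) not in tsets:
            findings.append((n, f"transform set '{m.group(1)}' is not defined"))
        # 'crypto map NAME' with nothing after the name binds it to an interface.
        m = re.match(r"crypto map (\S+)$", line)
        if m and m.group(1) not in cmaps:
            findings.append((n, f"crypto map '{m.group(1)}' is not defined"))
    return findings


if __name__ == "__main__":
    for n, text in audit_config(SAMPLE):
        print(f"line {n}: {text}")
```
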