Cisco router debugging
1. Basic settings
Generally speaking, there are five ways to configure a router:
1. A microcomputer attached to the console port as a terminal, or running terminal emulation software;
2. A modem attached to the port, reached over a telephone line from a remote terminal or from a microcomputer running terminal emulation software;
3. Through a TFTP server on the Ethernet;
4. Through a TELNET program on the Ethernet;
5. Through an SNMP network management workstation on the Ethernet.
However, the first configuration of a router must be done the first way; it is generally driven from HyperTerminal through the COM port. The terminal's hardware settings are as follows:
Baud rate: 9600
Data bits: 8
Stop bit: 1
Parity: None
2. Command operation
The operating system used by Cisco routers is IOS. It has several states:
1. router>
At the router> prompt the router is in user command state. The user can view the router's connection status and reach other networks and hosts, but cannot view or change the router's configuration. Typing ? and pressing Enter at this point lists the commands available in this state (IOS lets you list the commands available in any state this way). After typing enable and pressing Enter, enter the password when the system prompts for it (a new router being configured for the first time has no password yet; just press Enter). At the # prompt you can perform all operations on the router.
2. router#
Once the router is in the privileged command state router#, it can execute all user commands and can also view and change the router's configuration. Here you can set the router's name, passwords and so on.
3. router(config)#
Typing configure terminal at the router# prompt brings up the router(config)# prompt. The router is now in global configuration state, in which its global parameters are set.
4. router(config-if)#; router(config-line)#; router(config-router)#; …
The router is in a local configuration state, in which one local part of the router's configuration (an interface, a line, a routing process) is set.
5. >
The router is in RXBOOT state. Press Ctrl-Break within 60 seconds of booting to enter it. In this state the router cannot perform its normal functions; it can only perform software upgrades and manual boots. Password recovery is carried out from this state.
3. Commonly used commands
1. Help
In IOS you can type ? in any state, at any position in a command, to get help from the system; it displays the commands available at that point.
2. Change the command status
Task | Command
Enter privileged command state | enable
Exit privileged command state | disable
Enter the setup dialog | setup
Enter global configuration state | config terminal
Exit global configuration state | end
Enter interface configuration state | interface type slot/number
Enter subinterface configuration state | interface type slot/number.subinterface [point-to-point | multipoint]
Enter line configuration state | line type slot/number
Enter routing configuration state | router protocol
Exit a local configuration state | exit
3. Display commands
Task | Command
View version and boot information | show version
View the running configuration | show running-config
View the startup configuration | show startup-config
Show interface information | show interface type slot/number
Show routing information | show ip route
4. Copy command
The copy command is used to back up and upgrade the IOS image and the configuration (for example, copy running-config startup-config saves the running configuration to NVRAM).
5. Network commands
Task | Command
Log in to a remote host | telnet hostname|IP-address
Network probe | ping hostname|IP-address
Route trace | trace hostname|IP-address
6. Basic Setting Commands
Task | Command
Enter global configuration | config terminal
Set an access user and password | username username password password
Set the privileged password | enable secret password
Set the router name | hostname name
Set a static route | ip route destination subnet-mask next-hop
Enable IP routing | ip routing
Enable IPX routing | ipx routing
Enter interface configuration | interface type slot/number
Set the IP address | ip address address subnet-mask
Set the IPX network | ipx network network
Activate the interface | no shutdown
Enter physical line configuration | line type number
Enable the login process | login [local|tacacs server]
Set the login password | password password
4. Overall settings
In the router# privileged command state you can use setup to configure the router as a whole. This dialog spares you the tedium of manual configuration, but it cannot replace it entirely: some special settings must still be entered by hand.
After the setup dialog starts, the router first displays some prompt information:
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
This says that you can type ? anywhere in the setup dialog to get help from the system, that you can press Ctrl-C to abort the setup process, and that default values are shown in '[]'. Then the router asks whether to enter the configuration dialog:
Would you like to enter the initial configuration dialog? [yes]:
If you press y or Enter, the router enters the setup dialog. First you can see the current status of each interface:
First, would you like to see the current interface summary? [yes]:
Any interface listed with OK? value "NO" does not have a valid configuration

Interface   IP-Address   OK?  Method  Status  Protocol
Ethernet0   unassigned   NO   unset   up      up
Serial0     unassigned   NO   unset   up      up
…
Then, the router starts setting global parameters:
Configuring global parameters:
1. Set the router name:
Enter host name [Router]:
2. Set the enable secret for entering privileged state. Once set, this secret is never displayed in plain text:
The enable secret is a one-way cryptographic secret used
instead of the enable password when it exists.
Enter enable secret: cisco
3. Set the enable password for entering privileged state. This password only takes effect when no enable secret exists, and it is displayed in plain text once set:
The enable password is used when there is no enable secret
and when using older software and some boot images.
Enter enable password: pass
4. Set the password for accessing the virtual terminal:
Enter virtual terminal password: cisco
5. Ask if you want to set up various network protocols supported by your router:
Configure SNMP Network Management? [yes]:
Configure DECnet? [no]:
Configure AppleTalk? [no]:
Configure IPX? [no]:
Configure IP? [yes]:
Configure IGRP routing? [yes]:
Configure RIP routing? [no]:
…
6. If the router has dial-up access (asynchronous) lines, the system also sets the parameters of the asynchronous ports:
Configure Async lines? [yes]:
1) Set the maximum speed of the line:
Async line speed [9600]:
2) Whether to use hardware flow control:
Configure for HW flow control? [yes]:
3) Whether to set modem:
Configure for modems? [yes/no]: yes
4) Whether to use the default modem command:
Configure for default chat script? [yes]:
5) Whether to set the PPP parameters of the asynchronous port:
Configure for Dial-in IP SLIP/PPP access? [no]: yes
6) Whether to use dynamic IP addresses:
Configure for Dynamic IP addresses? [yes]:
7) Whether to use the default IP address:
Configure Default IP addresses? [no]: yes
8) Whether to use TCP header compression:
Configure for TCP Header Compression? [yes]:
9) Whether to send routing updates over the asynchronous links:
Configure for routing updates on async links? [no]: y
10) Whether to configure other protocols on the asynchronous ports.
Next, the system will set parameters for each interface.
1. Configuring interface Ethernet0:
1) Whether to use this interface:
Is this interface in use? [yes]:
2) Whether to set the IP parameters of this interface:
Configure IP on this interface? [yes]:
3) Set the IP address of the interface:
IP address for this interface: 192.168.162.2
4) Set the IP subnet mask of the interface:
Number of bits in subnet field [0]:
Class C network is 192.168.162.0, 0 subnet bits; mask is /24
After setting all interface parameters, the system will display the results of the entire setup dialogue process:
The following configuration command script was created:
hostname Router
enable secret 5 $1$W5Oh$p6J7tIgRMBOIKVXVG53Uh1
enable password pass
…
Note that a hash is displayed after enable secret, whereas the value you typed is displayed after enable password. The secret has the higher priority: when both are set, the secret is the one that takes effect.
After the display is finished, the system will ask whether to use this setting:
Use this configuration? [yes/no]: yes
If you answer yes, the system will store the settings result into the router's NVRAM, and then end the settings dialogue process to make the router start working normally.
WAN protocol settings
PPP (Point-to-Point Protocol) is the successor of SLIP (Serial Line IP); it provides router-to-router and host-to-network connections over synchronous and asynchronous circuits.
CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are usually used to provide authentication on serial lines with PPP encapsulation. With CHAP or PAP authentication each router is identified by name, which prevents unauthorized access.
Task | Command
Set PPP encapsulation | encapsulation ppp
Set the authentication method | ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
Specify the peer's name and password | username name password secret
Set the DCE line speed | clockrate speed
Example
The S0 ports of routers Router1 and Router2 both use PPP encapsulation with CHAP authentication. A user must be created on Router1 whose user name is the host name of the peer router, that is, router2; likewise a user must be created on Router2 whose user name is the peer's host name, router1. The passwords of the two users must be the same.
Settings are as follows:
Router1:
hostname router1
username router2 password xxx
interface Serial0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
clockrate 1000000
ppp authentication chap
!
Router2:
hostname router2
username router1 password xxx
interface Serial0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
ppp authentication chap
!
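To show why the two username entries must hold the same password, here is the CHAP exchange (RFC 1994) the two routers above perform, as an added example written for this page, not Cisco code. The Router class, chap_authenticate and the simulated packets are assumptions of the example; the names router1/router2 and password xxx come from the configuration above.

```python
"""CHAP between two routers whose configs each hold a 'username' entry for
the other.  Added example based on the Router1/Router2 configuration above;
it is not Cisco code.  Packet fields follow RFC 1994 (identifier, value,
name); the transport is simulated with function calls."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Router:
    hostname: str
    # 'username <name> password <pw>' entries: peer hostname -> shared password
    users: dict = field(default_factory=dict)

    def make_challenge(self, ident: int) -> tuple:
        """Authenticator side: Challenge = (id, random value, our hostname)."""
        return ident, os.urandom(16), self.hostname

    def make_response(self, ident: int, value: bytes, challenger: str):
        """Peer side: look the challenger's name up in our username table and
        answer with MD5(id || secret || value) plus our own hostname."""
        secret = self.users.get(challenger)
        if secret is None:
            return None  # no username entry for that peer: cannot answer
        digest = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return ident, digest, self.hostname

    def check_response(self, ident: int, value: bytes, response: tuple) -> bool:
        """Authenticator side: recompute the digest with the secret stored under
        the responder's name.  Both routers must therefore hold the same password."""
        resp_id, digest, responder = response
        secret = self.users.get(responder)
        if resp_id != ident or secret is None:
            return False
        expected = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return hmac.compare_digest(expected, digest)


def chap_authenticate(authenticator: Router, peer: Router, ident: int = 1) -> bool:
    """One Challenge / Response / Success-or-Failure exchange; True on Success."""
    ident, value, name = authenticator.make_challenge(ident)
    response = peer.make_response(ident, value, name)
    if response is None:
        return False
    return authenticator.check_response(ident, value, response)


# Constructed from the example: each router lists the other's hostname with
# the same password xxx.
router1 = Router("router1", {"router2": "xxx"})
router2 = Router("router2", {"router1": "xxx"})

if __name__ == "__main__":
    # With 'ppp authentication chap' on both ends, each side challenges the other.
    print("router1 -> router2:", chap_authenticate(router1, router2))
    print("router2 -> router1:", chap_authenticate(router2, router1))
```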
ISDN
1. Integrated Services Digital Network (ISDN)
The Integrated Services Digital Network (ISDN) consists of two parts, digital telephone and data transmission services, generally provided by the telephone bureau. ISDN's Basic Rate Interface (BRI) provides 2 B channels and 1 D channel (2B+D). The BRI B channel runs at 64 Kbps and carries user data; the D channel runs at 16 Kbps and mainly carries control signalling. In North America and Japan, ISDN's Primary Rate Interface (PRI) provides 23 B channels and 1 D channel, the D channel at 64 Kbps, for a total rate of up to 1.544 Mbps. In Europe, Australia and other countries, ISDN PRI provides 30 B channels and one 64 Kbps D channel, for a total rate of up to 2.048 Mbps. The ISDN PRI provided by China's telecommunications bureau is 30B+D.
2. Basic commands
Task | Command
Set the ISDN switch type | isdn switch-type switch-type
Enter the BRI interface | interface bri 0
Set PPP encapsulation | encapsulation ppp
Map a protocol address to a phone number | dialer map protocol next-hop-address [name hostname] [broadcast] [dial-string]
Enable PPP multilink | ppp multilink
Set the load threshold for bringing up another B channel | dialer load-threshold load
Show ISDN information | show isdn {active | history | memory | services | status [dsl | interface-type number] | times}
Note 1. The switch types are as follows; switches in China are generally basic-net3.
Region | Keyword | Switch type
Australia | basic-ts013 | Australian TS013 switches
Europe | basic-1tr6 | German 1TR6 ISDN switches
Europe | basic-nwnet3 | Norway NET3 switches (phase 1)
Europe | basic-net3 | NET3 ISDN switches (UK, Denmark and other nations); covers the Euro-ISDN E-DSS1 signalling system
Europe | primary-net5 | NET5 switches (UK and Europe)
Europe | vn2 | French VN2 ISDN switches
Europe | vn3 | French VN3 ISDN switches
Japan | ntt | Japanese NTT ISDN switches
Japan | primary-ntt | Japanese ISDN PRI switches
North America | basic-5ess | AT&T basic rate switches
North America | basic-dms100 | NT DMS-100 basic rate switches
North America | basic-ni1 | National ISDN-1 switches
North America | primary-4ess | AT&T 4ESS switch type (ISDN PRI only)
North America | primary-5ess | AT&T 5ESS switch type (ISDN PRI only)
North America | primary-dms100 | NT DMS-100 switch type (ISDN PRI only)
New Zealand | basic-nznet3 | New Zealand Net3 switches
DDR (dial-on-demand routing) example:
Settings are as follows:
Router1:
hostname router1
username router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 572
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
username router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Cisco routers also support the callback function. Here router Router1 is the callback server and Router2 the callback client.
Callback related commands:
Task | Command
Map a protocol address to a phone number and apply, on the interface, the PPP callback map class defined in global mode | dialer map protocol address name hostname class classname dial-string
Set the interface to accept PPP callback | ppp callback accept
Define the PPP callback map class in global mode | map-class dialer classname
Decide whether to call back by looking up the host name registered in the dialer map | dialer callback-server [username]
Set the interface to request PPP callback | ppp callback request
Settings are as follows:
Router1:
hostname router1
username router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 class s3 572
dialer load-threshold 80
ppp callback accept
ppp multilink
dialer-group 1
ppp authentication chap
!
map-class dialer s3
dialer callback-server username
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
username router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp callback request
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Related debugging commands:
debug dialer
debug isdn event
debug isdn q921
debug isdn q931
debug ppp authentication
debug ppp error
debug ppp negotiation
debug ppp packet
show dialer
show isdn status
For example, run debug dialer to observe router2 calling router1 and router1 calling router2 back:
router1#debug dialer
router2#ping 192.200.10.1
router1#
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:03:50: BRI0:1:PPP callback Callback server starting to router2 572
00:03:50: BRI0:1: disconnecting call
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:03:50: BRI0:1: disconnecting call
00:03:50: BRI0:1: disconnecting call
00:03:51: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
00:03:52: callback to router2 already started
00:03:52: BRI0:2: disconnecting call
00:03:52: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:03:52: BRI0:2: disconnecting call
00:03:52: BRI0:2: disconnecting call
00:04:05: : Callback timer expired
00:04:05: BRI0:beginning callback to router2 572
00:04:05: BRI0: Attempting to dial 572
00:04:05: Freeing callback to router2 572
00:04:05: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:04:05: BRI0:1: No callback negotiated
00:04:05: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:04:05: dialer Protocol up for Vi1
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to up
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, chang
ed state to up
00:04:11: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 572
router1#
Example: dialing in to Capital Online (263):
The local area network uses the private address range 10.0.0.0/24. Through the NAT address translation function, LAN users access the Internet over ISDN through the 263 network. The ISDN phone number of 263 is 2633, the user name is 263 and the password is 263. The commands involved are:
Task | Command
Obtain the interface's IP address through PPP/IPCP address negotiation | ip address negotiated
Mark the inside and outside interfaces | ip nat {inside | outside}
Use PPP/PAP authentication for incoming calls | ppp authentication pap callin
Assign the interface to dialer group 1 | dialer-group 1
Define the dialer list | dialer-list 1 protocol ip permit
Set the dial string to number 2633 | dialer string 2633
Set the user name and password used to log in to 263 | ppp pap sent-username 263 password 263
Set the default route | ip route 0.0.0.0 0.0.0.0 bri 0
Translate all source addresses matching access list 2 to the address of bri 0 | ip nat inside source list 2 interface bri 0 overload
Set access list 2 to permit all sources | access-list 2 permit any
The specific configuration is as follows:
hostname Cisco2503
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0
ip address 10.0.0.1 255.255.255.0
ip nat inside
no shutdown
!
interface Serial 0
shutdown
no description
no ip address
!
interface Serial 1
shutdown
no description
no ip address
!
interface bri 0
ip address negotiated
ip nat outside
encapsulation ppp
ppp authentication pap callin
ppp multilink
dialer-group 1
dialer hold-queue 10
dialer string 2633
dialer idle-timeout 120
ppp pap sent-username 263 password 263
no cdp enable
no ip split-horizon
no shutdown
!
ip classless
!
! Static Routes
!
ip route 0.0.0.0 0.0.0.0 bri 0
!
! Access Control List 2
!
access-list 2 permit any
!
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat inside source list 2 interface bri 0 overload
snmp-server community public ro
!
line console 0
exec-timeout 0 0
!
line vty 0 4
!
end
Routing protocol configuration
RIP protocol
RIP (Routing Information Protocol) is an early and still common interior gateway protocol (IGP), suited to small, homogeneous networks, and is a typical distance-vector protocol. For documentation see RFC 1058 and RFC 1723.
RIP exchanges routing information by broadcasting UDP packets and sends routing updates every 30 seconds. RIP uses hop count as its measure of routing distance; the hop count is the number of routers a packet must pass through to reach the destination. If two routes to the same destination have the same hop count but differ in speed or bandwidth, RIP regards them as equally distant. The maximum hop count RIP supports is 15, that is, at most 15 routers between the source and destination networks; a hop count of 16 means unreachable.
1. Related Commands
Task | Command
Enable the RIP protocol | router rip
Specify the RIP version | version {1|2}
Specify a network connected to this router | network network
Note: RIP version 2 supports authentication, key management, route summarization, classless inter-domain routing (CIDR) and variable-length subnet masks (VLSMs).
2. Example
Router1:
router rip
version 2
network 192.200.10.0
network 192.20.10.0
!
Related debugging commands:
show ip protocol
show ip route
IGRP protocol
IGRP (Interior Gateway Routing Protocol) is a dynamic distance-vector routing protocol designed by Cisco in the mid-1980s. It uses a composite metric that combines delay, bandwidth, reliability and load with user-configurable weights.
By default IGRP broadcasts a routing update every 90 seconds. If no update is received from the first router on a route for 3 update periods (270 seconds), the route is declared inaccessible; after 7 update periods (630 seconds) the Cisco IOS software removes the route from the routing table.
1. Related Commands
Task | Command
Enable the IGRP protocol | router igrp autonomous-system
Specify a network connected to this router | network network
Specify the address of a neighbouring router | neighbor ip-address
Note 1. The autonomous-system number can be chosen freely and need not be a real autonomous system number, but routers running IGRP must use the same number if they are to exchange routing updates.
2. Example
Router1:
router igrp 200
network 192.200.10.0
network 192.20.10.0
!
Virtual LAN (VLAN)
The backbone technologies we currently use when building enterprise networks are generally based on switching and virtual networks. Switching replaces shared media with dedicated media, greatly improving network speed. Virtual network technology removes the constraints of physical location: without changing the physical wiring, a workstation can be moved between workgroups or subnets at will, and workstations form logical workgroups or virtual subnets, which improves the performance of the information system, balances network traffic and makes sensible use of hardware and information resources. At the same time, virtual networks greatly reduce the burden and cost of network management and maintenance. Once virtual networks are deployed, the question of how the virtual networks communicate with each other inevitably arises.
Inter-switch link (ISL) protocol
The ISL (Inter-Switch Link) protocol is used to carry VLANs between switches (VLAN trunking). It is a frame-tagging protocol: frames sent on an ISL-enabled interface consist of a standard Ethernet frame plus the associated VLAN information. As the figure below shows, data from different VLANs can be carried on one ISL-enabled interface.
Virtual Local Area Network (VLAN) routing example
3.1. Example 1:
The switch is a Catalyst 5500 fitted with a WS-X5530-E3 supervisor engine, several WS-X5225R modules and a WS-X5302 route switch module. The WS-X5302 plugs directly into the switch and connects to the VLANs over the system backplane through two channels; from the user's point of view it is a one-interface module, and that interface supports ISL. The switch has 3 virtual networks, named default, qbw and rgw, and routing between them is done by the WS-X5302.
In the original listing the commands entered by hand for this setup, such as set system name 5500C, were underlined.
Settings are as follows:
Catalyst 5500 configuration:
begin
set password $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name 5500C
set system location
set system contact
!
#ip
set interface sc0 1 10.230.4.240 255.255.255.0 10.230.4.255
set interface sc0 up
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 up
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip route 0.0.0.0 10.230.4.15 1
set ip alias default 0.0.0.0
!
#Command alias
!
#vtp
set vtp domain hne
set vtp mode server
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 777 name rgw type ethernet mtu 1500 said 100777 state active
set vlan 888 name qbw type ethernet mtu 1500 said 100888 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active bridge 0x0 stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active bridge 0x0 stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active parent 0 ring 0x0 mode srb aremaxhop 7 stemaxhop 7
!
#set boot command
set boot config-register 0x102
set boot system flash bootflash:cat5000-sup3.
!
#module 1 : 2-port 1000BaseLX Supervisor
set module name 1
set vlan 1 1/1-2
set port enable 1/1-2
!
#module 2 : empty
!
#module 3 : 24-port 10/100BaseTX Ethernet
set module name 3
set module enable 3
set vlan 1 3/1-22
set vlan 777 3/23
set vlan 888 3/24
set trunk 3/1 on isl 1-1005
#module 4 empty
!
#module 5 empty
!
#module 6 : 1-port Route Switch
set module name 6
set port level 6/1 normal
set port trap 6/1 disable
set port name 6/1
set cdp enable 6/1
set cdp interval 6/1 60
set trunk 6/1 on isl 1-1005
!
#module 7 : 24-port 10/100BaseTX Ethernet
set module name 7
set module enable 7
set vlan 1 7/1-22
set vlan 888 7/23-24
set trunk 7/1 on isl 1-1005
set trunk 7/2 on isl 1-1005
!
#module 8 empty
!
#module 9 empty
!
#module 10 : 12-port 100BaseFX MM Ethernet
set module name 10
set module enable 10
set vlan 1 10/1-12
set port channel 10/1-4 off
set port channel 10/5-8 off
set port channel 10/9-12 off
set port channel 10/1-2 on
set port channel 10/3-4 on
set port channel 10/5-6 on
set port channel 10/7-8 on
set port channel 10/9-10 on
set port channel 10/11-12 on
#module 11 empty
!
#module 12 empty
!
#module 13 empty
!
#switch port analyzer
!set span 1 1/1 both inpkts disable
set span disable
!
#cam
set cam agingtime 1-2,777,888,1003,1005 300
end
5500C> (enable)
WS-X5302 routing module settings:
Router#wri t
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$w1kK$AJK69fGOD7BqKhKcSNBf6.
!
ip subnet-zero
!
interface Vlan1
ip address 10.230.2.56 255.255.255.0
!
interface Vlan777
ip address 10.230.3.56 255.255.255.0
!
interface Vlan888
ip address 10.230.4.56 255.255.255.0
!
no ip classless
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
Router#
3.2. Example 2:
The switch is again a Catalyst 5500 with a WS-X5530-E3 supervisor engine and several WS-X5225R modules, with 3 virtual networks named default, qbw and rgw; routing between them is done by a Cisco 3640 router. The switch settings are similar to Example 1.
The Cisco 3640 is fitted with an NM-1FE-TX module, whose Fast Ethernet interface supports ISL. This Fast Ethernet interface is connected to an ISL-capable port on the switch, for example the first port in the switch's third slot (port 3/1).
Router#wri t
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$w1kK$AJK69fGOD7BqKhKcSNBf6.
!
ip subnet-zero
!
interface FastEthernet1/0
!
interface FastEthernet1/0.1
encapsulation isl 1
ip address 10.230.2.56 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation isl 777
ip address 10.230.3.56 255.255.255.0
!
interface FastEthernet1/0.3
encapsulation isl 888
ip address 10.230.4.56 255.255.255.0
!
no ip classless
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
Router#
Security Management
Router security management mainly covers: setting passwords to protect access to the router, and using correct access lists to control which traffic may pass through the router.
1. Password management
The following commands set the passwords that control access from terminals.
Command | Effect
line console 0 | Set a password for the console terminal
line vty 0 4 | Set a password for telnet connections
enable password | Set a password for privileged EXEC mode
enable secret | Set the privileged password, stored as an MD5 hash
service password-encryption | Protect passwords so that they are not shown in clear text by the show commands
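The password-management rules above can be checked mechanically against a saved configuration. The following audit script is an added example, not Cisco code: the parse_blocks and audit functions are assumptions of the example, and SAMPLE_CONFIG is constructed from the weak settings that appear in the listings on this page (no service password-encryption, enable password without enable secret, a username with password, the public SNMP community, a vty line without a password).

```python
"""Audit a Cisco IOS configuration for the password-management weaknesses
discussed above.  Added example, not Cisco code; the rules encode this page's
advice (prefer enable secret, use service password-encryption, keep vty lines
password-protected) and the sample config is constructed from the listings."""
import re

# Constructed sample: the weak settings from the listings above, combined.
SAMPLE_CONFIG = """\
version 11.2
no service password-encryption
!
hostname Cisco2503
!
enable password pass
username router2 password cisco
!
interface bri 0
 ip address negotiated
 encapsulation ppp
!
snmp-server community public ro
!
line con 0
 exec-timeout 0 0
line vty 0 4
!
end
"""


def parse_blocks(config_text):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Return a list of (severity, message) findings, in configuration order."""
    blocks = parse_blocks(config_text)
    top = [header for header, _ in blocks]
    findings = []
    if "no service password-encryption" in top:
        findings.append(("medium", "no service password-encryption: line and "
                         "username passwords appear in clear text in show output"))
    has_secret = any(h.startswith("enable secret") for h in top)
    if any(h.startswith("enable password") for h in top) and not has_secret:
        findings.append(("high", "enable password without enable secret: the "
                         "privileged password is stored in clear text"))
    for h in top:
        m = re.match(r"username (\S+) password ", h)
        if m:
            findings.append(("medium", f"username {m.group(1)}: 'password' keyword "
                             "stores a clear or reversible value; prefer 'secret' "
                             "where the IOS version supports it"))
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("high", f"snmp-server community {m.group(1)}: "
                             "default community string"))
    for h, sub in blocks:
        if h.startswith("line vty"):
            if "no login" in sub:
                findings.append(("high", f"{h}: 'no login' allows telnet without a password"))
            elif not any(s.startswith("password") for s in sub):
                findings.append(("medium", f"{h}: no password set; telnet logins are "
                                 "refused until one is configured"))
        if h.startswith("line con") and "exec-timeout 0 0" in sub:
            findings.append(("low", f"{h}: exec-timeout 0 0 disables the idle timeout"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```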
2. Packet filtering
Cisco's firewall function is achieved mainly through packet filtering.
It can control many kinds of traffic, for example limiting inbound and outbound flows. By writing access lists we can restrict traffic to or from a particular network or host.
Access-list numbers have specific ranges:
<1-99> IP standard access list
<100-199> IP extended access list
<200-299> Protocol type-code access list
<700-799> 48-bit MAC address access list
<1100-1199> Extended 48-bit MAC address access list
For example, we can define the following access list to permit IP packets from any host to host 160.10.2.101:
access-list 101 permit ip any host 160.10.2.101
The following statement permits UDP packets sent to 160.10.2.100 by any host from a client source port (ports below 1024 are reserved for servers), where the packet's destination port must be the DNS port (53); gt means greater than.
access-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
After creating the access list you must apply it to an interface for it to filter packets. Enter the interface to be controlled and apply the list with:
router(config-if)#ip access-group 101 in
in means filtering packets inbound (into this interface). Note that an interface can have only one inbound list and one outbound list; if several are applied, only the first one takes effect.
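To make the matching rules concrete (entries tested in order, first match wins, implicit deny at the end, gt meaning strictly greater than), here is an evaluator for the two statements above, as an added example written for this page rather than Cisco code. Packet, Entry, parse_acls and evaluate are assumptions of the example; ACL_TEXT holds the two statements from this section, and the grammar subset covers any, host, address/wildcard and eq/gt/lt ports.

```python
"""Evaluate IOS extended access-list statements against packets the way the
router does when the list is applied with 'ip access-group 101 in'.  Added
example for the two statements above; not Cisco code."""
import ipaddress
from dataclasses import dataclass

# The two statements from this section, constructed as a config fragment.
ACL_TEXT = """
access-list 101 permit ip any host 160.10.2.101
access-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def port_ok(cond, port: int) -> bool:
    """cond is None (any port) or (op, n) with op in eq/gt/lt."""
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: tuple
    dst: ipaddress.IPv4Network
    dport: tuple

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False  # 'ip' covers every protocol, others must match exactly
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and port_ok(self.sport, pkt.sport)
                and port_ok(self.dport, pkt.dport))


def parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits: 0 = must match, 1 = don't care; invert to a netmask
    # (a non-contiguous wildcard cannot be expressed as one network here).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq|gt|lt N' operator; return (cond, rest)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        return (tokens[0], int(tokens[1])), tokens[2:]
    return None, tokens


def parse_acls(text):
    """Return {list number: [Entry, ...]} in configuration order (extended lists only)."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        number, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, rest = parse_addr(rest)
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        acls.setdefault(number, []).append(Entry(action, proto, src, sport, dst, dport))
    return acls


def evaluate(entries, pkt: Packet) -> str:
    """First matching entry wins; every access list ends with an implicit deny."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action
    return "deny"


ACL_101 = parse_acls(ACL_TEXT)[101]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "160.10.2.101", 40000, 80),
                Packet("udp", "10.1.1.5", "160.10.2.100", 40000, 53),
                Packet("udp", "10.1.1.5", "160.10.2.100", 1023, 53)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```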
Reference:
Cisco router password recovery
When a Cisco router's password has been changed or forgotten, follow these steps:
1. Press Ctrl-Break while the router is powering on (within 60 seconds of boot) to enter ROM monitor mode.
2. Enter the o command to read the current value of the configuration register:
> o
3. Change the register so that NVRAM is ignored at boot (the asterisks stand for the other digits of the value read in step 2; setting the third digit to 4 sets bit 6, which tells the router to ignore the NVRAM configuration):
> o/r 0x**4*              (Cisco 2500 series command)
rommon 1 > confreg 0x**4*   (Cisco 2600 and 1600 series command)
The normal value is 0x2102.
4. Restart the router:
> i
rommon 2 > reset
5. Answer No when the Setup dialog starts.
6. Enter privileged mode:
Router>enable
7. Load the configuration from NVRAM:
Router#configure memory
8. Restore the original configuration register value and activate all interfaces:
“hostname”#configure terminal
“hostname”(config)#config-register 0x“value”
“hostname”(config)#interface xx
“hostname”(config-if)#no shutdown
9. Look up and record the missing password:
“hostname”#show configuration (show startup-config)
10. Change the password:
“hostname”#configure terminal
“hostname”(config)#line console 0
“hostname”(config-line)#login
“hostname”(config-line)#password xxxxxxxxx
“hostname”(config-line)#end
“hostname”#write memory (copy running-config startup-config)
2. IP address allocation
Class | Network/host octets | First-octet range | Standard mask (binary)
A | N.H.H.H | 1-126 | 11111111 00000000 00000000 00000000
B | N.N.H.H | 128-191 | 11111111 11111111 00000000 00000000
C | N.N.N.H | 192-223 | 11111111 11111111 11111111 00000000
Subnet bits | Subnet mask | Number of subnets | Hosts per subnet
Class B address
2 | 255.255.192.0 | 2 | 16382
3 | 255.255.224.0 | 6 | 8190
4 | 255.255.240.0 | 14 | 4094
5 | 255.255.248.0 | 30 | 2046
6 | 255.255.252.0 | 62 | 1022
7 | 255.255.254.0 | 126 | 510
8 | 255.255.255.0 | 254 | 254
9 | 255.255.255.128 | 510 | 126
10 | 255.255.255.192 | 1022 | 62
11 | 255.255.255.224 | 2046 | 30
12 | 255.255.255.240 | 4094 | 14
13 | 255.255.255.248 | 8190 | 6
14 | 255.255.255.252 | 16382 | 2
Class C address
2 | 255.255.255.192 | 2 | 62
3 | 255.255.255.224 | 6 | 30
4 | 255.255.255.240 | 14 | 14
5 | 255.255.255.248 | 30 | 6
6 | 255.255.255.252 | 62 | 2
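The two tables above follow one rule: the classful default prefix plus the subnet bits gives the mask, and both the subnet count and the host count exclude the all-zeros and all-ones values (2^n - 2). The following script regenerates the tables from that rule and also reproduces the setup dialog's "Class C network is 192.168.162.0, 0 subnet bits; mask is /24" line; it is an added example, not Cisco code, and the function names mask_from_prefix, subnet_row, class_table and classify are assumptions of the example.

```python
"""Subnetting arithmetic behind the class B / class C tables above.
Added example, not Cisco code."""

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def mask_from_prefix(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length, e.g. 18 -> 255.255.192.0."""
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_row(cls: str, subnet_bits: int) -> tuple:
    """(subnet bits, mask, usable subnets, usable hosts) for one table row.
    The table's convention excludes the all-zeros and all-ones values."""
    prefix = DEFAULT_PREFIX[cls] + subnet_bits
    host_bits = 32 - prefix
    if subnet_bits < 2 or host_bits < 2:
        raise ValueError("need at least 2 subnet bits and 2 host bits")
    return subnet_bits, mask_from_prefix(prefix), 2 ** subnet_bits - 2, 2 ** host_bits - 2


def class_table(cls: str) -> list:
    """All rows of the table for a class: from 2 subnet bits up to 2 host bits left."""
    max_bits = 32 - DEFAULT_PREFIX[cls] - 2
    return [subnet_row(cls, bits) for bits in range(2, max_bits + 1)]


def classify(ip: str, subnet_bits: int) -> tuple:
    """(class, classful network, prefix) for an address, as the setup dialog reports it."""
    octets = [int(o) for o in ip.split(".")]
    first = octets[0]
    if 1 <= first <= 126:
        cls = "A"
    elif 128 <= first <= 191:
        cls = "B"
    elif 192 <= first <= 223:
        cls = "C"
    else:
        raise ValueError("not a class A, B or C unicast address")
    prefix = DEFAULT_PREFIX[cls] + subnet_bits
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    addr_int = int.from_bytes(bytes(octets), "big")
    network = ".".join(str(((addr_int & mask_int) >> s) & 0xFF) for s in (24, 16, 8, 0))
    return cls, network, prefix


if __name__ == "__main__":
    for cls in ("B", "C"):
        print(f"Class {cls} address")
        for bits, mask, subnets, hosts in class_table(cls):
            print(f"{bits:>3}  {mask:<16} {subnets:>6} {hosts:>6}")
    # The Ethernet0 answer from the setup dialog above
    print(classify("192.168.162.2", 0))
```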
3. Commonly used commands
1. Help
In IOS operations, you can type "?" regardless of any state or location to get the help of the system. The system will display the commands that can be used at this time.
2. Change the command status
Task Commands
Enter privileged command status enable
Exit privileged command status disabled
Enter Setup dialog status
Enter the global setting state config terminal
Exit global settings status End
Enter the port setting status interface type slot/number
Enter sub-port setting status interface type [point-to-point | multipoint]
Enter the line setting status line type slot/number
Enter the routing settings state router protocol
Exit local settings status Exit
3. Display commands
Task Commands
View version and boot information show version
Check the run settings show running-config
Check the boot settings show startup-config
Show port information show interface type slot/number
Show routing information show ip router
4. Copy command
For backup and upgrade of IOS and CONFIG
5. Network commands
Task Commands
Log in to the remote host telnet hostname|IP address
Network detection ping hostname|IP address
Routing Trace hostname|IP address
6. Basic Setting Commands
Task Commands
Setting config terminal globally
Set access user and password username username password password
Set privileged password enable secret password
Set the router name hostname name
Set static route destination subnet-mask next-hop
Start IP routing
Start IPX routing
Port setting interface type slot/number
Set IP address ip address address subnet-mask
Set up IPX network IPx network network
Activate port no shutdown
Physical line setting line type number
Start the login process login [local|tacacs server]
Set the login password password
4. Overall settings
In the router# privileged command state, you can use setup to design the router overall. This design process can omit the tediousness of manual settings. But it cannot completely replace manual settings, and some special settings must be completed through manual input.
After entering the setup dialogue process, the router will first display some prompt information:
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
This tells you that you can type "?" anywhere during the setup conversation to get help from the system, press ctrl-c to exit the setup process, and the default settings will be displayed in '[]'. Then the router will ask if it enters the settings conversation:
Would you like to enter the initial configuration dialog? [yes]:
If you press y or enter, the router will enter the setup dialogue process. First you can see the current status of each port:
First, would you like to see the current interface summary? [yes]:
Any interface listed with OK? value "NO" does not have a valid configuration
InterfaceIP-AddressOK?MethodStatusProtocol
Ethernet0unassignedNOunsetupup
Serial0unassignedNOunsetupup
……………………………
Then, the router starts setting global parameters:
Configuring global parameters:
1. Set the router name:
Enter host name [Router]:
2. Set the ciphertext (secret) that enters the privileged state. This ciphertext will not be displayed in plain text after setting:
The enable secret is a one-way cryptographic secret used
instead of the enable password when it exists.
Enter enable secret: cisco
3. Set the password to enter the privileged state. This password only works when there is no ciphertext and will be displayed in plaintext after setting:
The enable password is used when there is no enable secret
and when using older software and some boot images.
Enter enable password: pass
4. Set the password for accessing the virtual terminal:
Enter virtual terminal password: cisco
5. Ask if you want to set up various network protocols supported by your router:
Configure SNMP Network Management? [yes]:
Configure DECnet? [no]:
Configure AppleTalk? [no]:
Configure IPX? [no]:
Configure IP? [yes]:
Configure IGRP routing? [yes]:
Configure RIP routing? [no]:
………
6. If the dial-up access server is configured, the system will also set the parameters of the asynchronous port:
Configure Async lines? [yes]:
1) Set the maximum speed of the line:
Async line speed [9600]:
2) Whether to use hardware flow control:
Configure for HW flow control? [yes]:
3) Whether to set modem:
Configure for modems? [yes/no]: yes
4) Whether to use the default modem command:
Configure for default chat script? [yes]:
5) Whether to set the PPP parameters of the asynchronous port:
Configure for Dial-in IP SLIP/PPP access? [no]: yes
6) Whether to use dynamic IP addresses:
Configure for Dynamic IP addresses? [yes]:
7) Whether to use the default IP address:
Configure Default IP addresses? [no]: yes
8) Whether to use TCP header compression:
Configure for TCP Header Compression? [yes]:
9) Whether to use the routing table to update on the asynchronous port:
Configure for routing updates on async links? [no]: y
10) Whether to set other protocols on the asynchronous port.
Next, the system will set parameters for each interface.
1.Configuring interface Ethernet0:
1) Whether to use this interface:
Is this interface in use? [yes]:
2) Whether to set the IP parameters of this interface:
Configure IP on this interface? [yes]:
3) Set the IP address of the interface:
IP address for this interface: 192.168.162.2
4) Set the IP subnet mask of the interface:
Number of bits in subnet field [0]:
Class C network is 192.168.162.0, 0 subnet bits; mask is /24
After setting all interface parameters, the system will display the results of the entire setup dialogue process:
The following configuration command script was created:
hostname Router
enable secret 5 $1$W5Oh$p6J7tIgRMBOIKVXVG53Uh1
enable password pass
…………
Please note that the garbled code is displayed after the enable secret, while the setting content is displayed after the enable password. That is to say, the priority of the secret password is relatively high. When both passwords are set, the secret password works.
After the display is finished, the system will ask whether to use this setting:
Use this configuration? [yes/no]: yes
If you answer yes, the system will store the settings result into the router's NVRAM, and then end the settings dialogue process to make the router start working normally.
WAN protocol settings
PPP (Point-to-Point Protocol) is the successor of SLIP (Serial Line IP protocol), which provides router-to-router and host-to-network connections across synchronous and asynchronous circuits.
CHAP (Challenge Handshake Authentication Protocol) and PAP (Password Authentication Protocol) (PAP) are usually used to provide security authentication on serial lines encapsulated by PPP. Using CHAP and PAP authentication, each router is identified by name, which can prevent unauthorized access.
Task Commands
Set up PPP encapsulation ppp1
Set authentication method ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
Specify password username name password secret
Set the DCE terminal line speed clockrate speed
Give an example
The S0 ports of routers Router1 and Router2 both encapsulate the PPP protocol and use CHAP as authentication. A user should be established in Router1, and the host name of the peer router should be used as the user name, that is, the user name should be router2. At the same time, a user should be established in Router2, and the host name of the peer router should be used as the user name, that is, the user name should be router1. The passwords of the two users created must be the same.
Settings are as follows:
Router1:
hostname router1
username router2 password xxx
interface Serial0
ip address 192.200.10.1 255.255.255.0
clockrate 1000000
ppp authentication chap
!
Router2:
hostname router2
username router1 password xxx
interface Serial0
ip address 192.200.10.2 255.255.255.0
ppp authentication chap
!
ISDN
1. Comprehensive Digital Service Network (ISDN)
The Integrated Digital Service Network (ISDN) consists of two parts: digital telephone and data transmission services, which are generally provided by the telephone bureau. The ISDN's Basic Rate Interface (BRI) service provides 2 B channels and 1 D channel (2B+D). The B channel rate of BRI is 64Kbps, which is used to transmit user data. The D channel's rate is 16Kbps, mainly transmitting control signals. In North America and Japan, the main rate interface (PRI) of ISDN provides 23 B channels and 1 D channel with a total rate of up to 1.544Mbps, with the D channel rate of 64Kbps. In Europe, Australia and other countries, ISDN's PRI provides 30 B channels and 1 64Kbps D channel, with a total speed of up to 2.048Mbps. The ISDN PRI provided by my country Telecommunications Bureau is 30B+D.
2. Basic commands
Task Commands
Set the ISDN switch-type switch-type1
Interface bri 0
Set up PPP encapsulation ppp
Set the mapping of protocol address and phone number dialer map protocol next-hop-address [name hostname] [broadcast] [dial-string]
Start PPP multilink
Set the threshold for starting another B channel dialer load-threshold load
Show ISDN information shows isdn {active | history | memory | services | status [dsl | interface-type number] | times}
Note: 1. The switch types are as follows. Domestic switches are generally basic-net3.
Keywords by region Switch type
Australia
basic-ts013 Australian TS013 switches
Europe
basic-1tr6 German 1TR6 ISDN switches
basic-nwnet3 Norway NET3 switches (phase 1)
basic-net3 NET3 ISDN switches (UK, Denmark, and other nations); covers the Euro-ISDN E-DSS1 signalling system
primary-net5 NET5 switches (UK and Europe)
vn2 French VN2 ISDN switches
vn3 French VN3 ISDN switches
Japan
ntt Japanese NTT ISDN switches
primary-ntt Japanese ISDN PRI switches
North America
basic-5ess AT&T basic rate switches
basic-dms100 NT DMS-100 basic rate switches
basic-ni1 National ISDN-1 switches
primary-4ess AT&T 4ESS switch type for the . (ISDN PRI only)
primary-5ess AT&T 5ESS switch type for the . (ISDN PRI only)
primary-dms100 NT DMS-100 switch type for the . (ISDN PRI only)
New Zealand
basic-nznet3 New Zealand Net3 switches
Implement DDR (dial-on-demand routing) example:
Settings are as follows:
Router1:
hostname router1
user router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 572
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
user router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Cisco router also supports callback function. We use router Router1 as Callback Server and Router2 as Callback Client.
Callback related commands:
Task Commands
Map protocol addresses and phone numbers and use the mapping category of PPP callback defined in global mode on the interface. dialer map protocol address name hostname class classname dial-string
Set the interface to support PPP callback ppp callback accept
Set mapping category for PPP callback in global mode map-class dialer classname
Decide callback by looking for the host name registered in the dialer map. dialer callback-server [username]
Setting the interface requires PPP callback ppp callback request
Settings are as follows:
Router1:
hostname router1
user router2 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.1 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.2 name router2 class s3 572
dialer load-threshold 80
ppp callback accept
ppp multilink
dialer-group 1
ppp authentication chap
!
map-class dialer s3
dialer callback-server username
dialer-list 1 protocol ip permit
!
Router2:
hostname router2
user router1 password cisco
!
isdn switch-type basic-net3
!
interface bri 0
ip address 192.200.10.2 255.255.255.0
encapsulation ppp
dialer map ip 192.200.10.1 name router1 571
dialer load-threshold 80
ppp callback request
ppp multilink
dialer-group 1
ppp authentication chap
!
dialer-list 1 protocol ip permit
!
Related debugging commands:
debug dialer
debug isdn event
debug isdn q921
debug isdn q931
debug ppp authentication
debug ppp error
debug ppp negotiation
debug ppp packet
show dialer
show isdn status
For example: Execute the debug dialer command to observe the process of router2 calling router1 and router1 calling router2.
router1#debug dialer
router2#ping 192.200.10.1
router1#
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:03:50: BRI0:1:PPP callback Callback server starting to router2 572
00:03:50: BRI0:1: disconnecting call
00:03:50: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
00:03:50: BRI0:1: disconnecting call
00:03:50: BRI0:1: disconnecting call
00:03:51: %LINK-3-UPDOWN: Interface BRI0:2, changed state to up
00:03:52: callback to router2 already started
00:03:52: BRI0:2: disconnecting call
00:03:52: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
00:03:52: BRI0:2: disconnecting call
00:03:52: BRI0:2: disconnecting call
00:04:05: : Callback timer expired
00:04:05: BRI0:beginning callback to router2 572
00:04:05: BRI0: Attempting to dial 572
00:04:05: Freeing callback to router2 572
00:04:05: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
00:04:05: BRI0:1: No callback negotiated
00:04:05: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:04:05: dialer Protocol up for Vi1
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state
to up
00:04:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, chang
ed state to up
00:04:11: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 572
#router1
Visit Capital Online 263 examples:
The local local network address is 10.0.0.0/24, which is a reserved address. Through the NAT address translation function, local area network users can access the Internet through ISDN 263 network. The ISDN phone number of 263 is 2633, the user is 263, and the password is 263. The commands involved are as follows:
Task Commands
Specify the interface to obtain the IP address through PPP/IPCP address negotiation. ip address negotiated.
Specify internal and external ports ip nat {inside | outside}
Use ppp/pap for authentication ppp authentication pap callin
Specify the interface belongs to the dialer group 1dialer-group 1
Define dialer-list 1 protocol ip permit
Set dialing, number 2633dialer string 2633
Set the username and password for login 263 ppp pap sent-username 263 password 263
Set the default route ip route 0.0.0.0 0.0.0.0 bri 0
Set all source addresses that meet access list 2 are translated as addresses owned by bri 0 ip nat inside source list 2 interface bri 0 overload
Set access list 2 to allow all protocols access-list 2 permit any
The specific configuration is as follows:
hostname Cisco2503
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0
ip address 10.0.0.1 255.255.255.0
ip nat inside
no shutdown
!
interface Serial 0
shutdown
no description
no ip address
!
interface Serial 1
shutdown
no description
no ip address
!
interface bri 0
ip address negotiated
ip nat outside
encapsulation ppp
ppp authentication pap callin
ppp multilink
dialer-group 1
dialer hold-queue 10
dialer string 2633
dialer idle-timeout 120
ppp pap sent-username 263 password 263
no cdp enable
no ip split-horizon
no shutdown
!
ip classless
!
! Static Routes
!
ip route 0.0.0.0 0.0.0.0 bri 0
!
! Access Control List 2
!
access-list 2 permit any
!
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat inside source list 2 interface bri 0 overload
snmp-server community public ro
!
line console 0
exec-timeout 0 0
!
line vty 0 4
!
end
Routing protocol configuration
RIP protocol
RIP (Routing information Protocol) is an early and more common internal gateway protocol (IGP), suitable for small and similar networks, and is a typical distance vector (distance-vector) protocol. For documents, see RFC1058 and RFC1723.
RIP exchanges routing information by broadcasting UDP packets and sends routing information updates every 30 seconds. RIP provides a hop count as a scale to measure routing distance. The hop count is the number of routers a packet must pass through to reach the target. If there are two routers with uneven speed or different bandwidth to the same target, but the hop count is the same, RIP considers the two routes to be equally distanced. The maximum number of hops supported by RIP is 15, that is, the number of routers to pass between the source and destination network is 15, and the number of hops 16 means unreachable.
1. Related Commands
Task Commands
Specify the use of RIP protocol router rip
Specify RIP version version {1|2}1
Specify the network network connected to this router
Note: RIP version 2 supports verification, key management, routing summary, classless inter-domain routing (CIDR) and variable-length subnet masks (VLSMs)
2. Give an example
Router1:
router rip
version 2
network 192.200.10.0
network 192.20.10.0
!
Related debugging commands:
show ip protocol
show ip route
IGRP protocol
IGRP (Interior Gateway Routing Protocol) is a dynamic distance vector routing protocol designed by Cisco in the mid-1980s. Use combined user configuration scales including latency, bandwidth, reliability, and load.
By default, IGRP sends a route update broadcast every 90 seconds. During 3 update cycles (i.e. 270 seconds), no update is received from the first router in the route, and the route is declared inaccessible. After 7 update cycles, 630 seconds, the Cisco IOS software clears the route from the routing table.
1. Related Commands
Task Commands
Specify the use of igrp protocol router igrp autonomous-system1
Specify the network network connected to this router
Specify the node address adjacent to the router neighbor ip-address
Note: 1. The autonomous-system can be established at will, not the actual autonomous-system, but the autonomous-system needs to be the same if the router running IGRP wants to exchange route update information.
2. Give an example
Router1:
router igrp 200
network 192.200.10.0
network 192.20.10.0
!
Virtual LAN (VLAN)
The backbone network technologies we currently use when constructing enterprise networks are generally based on switching and virtual networks. Switching technology changes shared media to exclusive media, greatly improving network speed. Virtual network technology breaks the constraints of the geographical environment. Without changing the physical connection of the network, the workstation can be moved between work groups or subnets at will. The workstations form logical work groups or virtual subnets to improve the operating performance of the information system, balance network data traffic, and rationally utilize hardware and information resources. At the same time, the use of virtual network technology has greatly reduced the burden of network management and maintenance work and reduced network maintenance costs. With the application of virtual network technology, the problem of how to communicate between virtual networks will inevitably arise.
Inter-switch link (ISL) protocol
The ISL (Interior Switching Link) protocol is used to implement VLAN relay between switches. It is a packet marking protocol, and frames sent on support ISL interfaces are composed of a standard Ethernet frame and related VLAN information. As shown in the figure below, data from different VLANs can be transmitted on an ISL-enabled interface.
Virtual Local Area Network (VLAN) routing example
3.1. Example 1:
The device uses a Catalyst5500 switch, and it is equipped with WS-X5530-E3 management engine, and multiple WS-X5225R and WS-X5302 routing switch modules. The WS-X5302 is directly plugged into the switch and is connected to the VLAN on the system backplane through two channels. From the user's perspective, it is considered to be a 1-interface module. This interface supports ISL. There are 3 virtual networks in the switch, named default, qbw, and rgw, and virtual network routing is realized through WS-X5302.
The following is amplified the lower horizontal line, such as set system name 5500C as the command to be set.
Settings are as follows:
Catalyst 5500 configuration:
begin
set password $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set banner motd ^C^C
!
#system
set system baud 9600
set system modem disable
set system name 5500C
set system location
set system contact
!
#ip
set interface sc0 1 10.230.4.240 255.255.255.0 10.230.4.255
set interface sc0 up
set interface sl0 0.0.0.0 0.0.0.0
set interface sl0 up
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip route 0.0.0.0 10.230.4.15 1
set ip alias default 0.0.0.0
!
#Command alias
!
#vtp
set vtp domain hne
set vtp mode server
set vtp v2 disable
set vtp pruning disable
set vtp pruneeligible 2-1000
clear vtp pruneeligible 1001-1005
set vlan 1 name default type ethernet mtu 1500 said 100001 state active
set vlan 777 name rgw type ethernet mtu 1500 said 100777 state active
set vlan 888 name qbw type ethernet mtu 1500 said 100888 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active bridge 0x0 stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active bridge 0x0 stp ibm
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active parent 0 ring 0x0 mode srb aremaxhop 7 stemaxhop 7
!
#set boot command
set boot config-register 0x102
set boot system flash bootflash:cat5000-sup3.
!
#module 1 : 2-port 1000BaseLX Supervisor
set module name 1
set vlan 1 1/1-2
set port enable 1/1-2
!
#module 2 : empty
!
#module 3 : 24-port 10/100BaseTX Ethernet
set module name 3
set module enable 3
set vlan 1 3/1-22
set vlan 777 3/23
set vlan 888 3/24
set trunk 3/1 on isl 1-1005
#module 4 empty
!
#module 5 empty
!
#module 6 : 1-port Route Switch
set module name 6
set port level 6/1 normal
set port trap 6/1 disable
set port name 6/1
set cdp enable 6/1
set cdp interval 6/1 60
set trunk 6/1 on isl 1-1005
!
#module 7 : 24-port 10/100BaseTX Ethernet
set module name 7
set module enable 7
set vlan 1 7/1-22
set vlan 888 7/23-24
set trunk 7/1 on isl 1-1005
set trunk 7/2 on isl 1-1005
!
#module 8 empty
!
#module 9 empty
!
#module 10 : 12-port 100BaseFX MM Ethernet
set module name 10
set module enable 10
set vlan 1 10/1-12
set port channel 10/1-4 off
set port channel 10/5-8 off
set port channel 10/9-12 off
set port channel 10/1-2 on
set port channel 10/3-4 on
set port channel 10/5-6 on
set port channel 10/7-8 on
set port channel 10/9-10 on
set port channel 10/11-12 on
#module 11 empty
!
#module 12 empty
!
#module 13 empty
!
#switch port analyzer
!set span 1 1/1 both inpkts disable
set span disable
!
#cam
set cam agingtime 1-2,777,888,1003,1005 300
end
5500C> (enable)
WS-X5302 routing module settings:
Router#wri t
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$w1kK$AJK69fGOD7BqKhKcSNBf6.
!
ip subnet-zero
!
interface Vlan1
ip address 10.230.2.56 255.255.255.0
!
interface Vlan777
ip address 10.230.3.56 255.255.255.0
!
interface Vlan888
ip address 10.230.4.56 255.255.255.0
!
no ip classless
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
Router#
3.1. Example 2:
The switching device still uses a Catalyst5500 switch and installs the WS-X5530-E3 management engine. Multiple WS-X5225R has 3 virtual networks in the switch, namely default, qbw, and rgw. It realizes virtual network routing through the Cisco3640 router. The switch settings are similar to Example 1.
The router Cisco3640 is equipped with an NM-1FE-TX module, which has a fast Ethernet interface that can support ISL. The Cisco3640 fast Ethernet interface is connected to a port that supports ISL on the switch, such as the first interface (port 3/1) in the third slot of the switch.
Router#wri t
Building configuration...
Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Router
!
enable secret 5 $1$w1kK$AJK69fGOD7BqKhKcSNBf6.
!
ip subnet-zero
!
interface FastEthernet1/0
!
interface FastEthernet1/0.1
encapsulation isl 1
ip address 10.230.2.56 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation isl 777
ip address 10.230.3.56 255.255.255.0
!
interface FastEthernet1/0.3
encapsulation isl 888
ip address 10.230.4.56 255.255.255.0
!
no ip classless
!
line con 0
line aux 0
line vty 0 4
password router
login
!
end
Router#
Security Management
The security management of routers mainly includes: establishing passwords to protect the security of accessing routers, using correct access tables to manage acceptable data flows through the router, etc.
1. Password management
The following shows the command to set the password to control access from the terminal.
Command Operation effect
Line console 0 Create a password for the console terminal
Line vty 0 4 telnet connection to create a password
Enable-password Creates a password for the privileged exec mode
Enable-secret Use MD5 encryption method to create password password
Service password-encryption protects passwords to prevent them from displaying them through the idsplay command.
2. Message filtering
Cisco's firewall function is mainly achieved through message filtering.
It can control a variety of data streams, such as limiting inflows and outflows. By writing access lists, we can implement data flow restrictions on a specific network or host.
Access-list numbers have specific ranges:
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<200-299> Protocol type-code access list
<700-799> 48-bit MAC address access list
For example, we can define the following access table to implement packets that allow any host to host 160..10.2.101:
Accsess-list 101 permit ip any host 160.10.2.101
The following statement allows the udp packets sent to 160.10.2.100 by the host using the client source port (ports smaller than 1024 are left for the server), and the destination port of the packet must be the dns port (53). where gt is great than.
Accsess-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
After establishing the access list, if you want it to filter packets, you must apply it to the port. After entering the port to be controlled, apply this access table with the following command:
router(config-if)#ip access-group 101 in
In means filtering data inward (for this port). It should be noted that a port can only have one inward and outward list, and if there are several, only the first one will work.
refer to:
Cisco router password recovery
When the password of the Cisco router is modified or forgotten, you can follow the following steps:
1.Press when powering on
2. Press the o command to read the original value of the configuration register
> o
3. Make the following settings to ignore NVRAM boot
>o/r0x**4*Cisco2500 Series Commands
rommon 1 >confreg 0x**4*Cisco2600, 1600 series commands
Normal value is 0x2102
4. Restart the router
>I
rommon 2 >reset
5. In "Setup" mode, answer No
6. Enter privileged mode
Router>enable
7. Download NVRAM
Router>configure memory
8. Restore the original configuration register value and activate all ports
“hostname”#configure terminal
“hostname”(config)#config-register 0x“value”
“hostname”(config)#interface xx
“hostname”(config)#no shutdown
9. Query and record missing passwords
“hostname”#show configuration (show startup-config)
10. Modify the password
“hostname”#configure terminal
“hostname”(config)line console 0
“hostname”(config-line)#login
“hostname”(config-line)#password xxxxxxxxx
“hostname”(config-line)#
“hostname”(config-line)#write memory(copy running-config startup-config)
2. IP address allocation
Address type Network host network address range standard binary mask
A.H1-1261111 1111 0000 0000 0000 0000 0000 0000
B.H128-1911111 1111 1111 1111 0000 0000 0000 0000
C.H192-2231111 1111 1111 1111 1111 1111 0000 0000
Subnet number subnet mask subnet number host number
Class B address
2255.255.192.0216382
3255.255.224.068198
4255.255.240.0144894
5255.255.248.0302846
6255.255.252.0621822
7255.255.254.0126518
8255.255.255.0254254
9255.255.255.128518126
10255.255.255.192182262
11255.255.255.224284630
12255.255.255.240489414
13255.255.255.24881986
14255.255.255.252163822
Class C address
2255.255.255.192262
3255.255.255.224630
4255.255.255.2401414
5255.255.255.248306
6255.255.255.252622