a brief introduction to cisco router/s
--------------------------------------

outline

  bibliography
  hardware
    basic setup
    memory
    redundancy
  software
    command overview
    command modes: exec/enable/configuration
    image/config upload/download
    security
  short tour on-line (telnet to router and demo some commands...)

------------------------------------------------
bibliography

  http://www.cisco.com (and more if you are a SMARTnet member and can log in to CCO)

  look at route.html class page at bottom for Cisco IOS "cd" on-line documentation

  ORA book - "Managing IP Networks with Cisco Routers", by Scott Ballew.
    ISBN: 9-78165-923201

  various Cisco Press books; e.g.,
    1. Cisco IOS Configuration Fundamentals
    2. Cisco Router Configuration
    and more ...

------------------------------------------------
hardware

  a router (or switch) is:
    ports + supervisor/memory (nvram/flash and runtime) + power supplies

  ports of the WAN or LAN variety (interfaces) can be bundled in cards (modules)

  the box itself may either be a chassis with expandability or a fixed set of ports.
  chassis:
    it has N slots for different kinds of boards
    typically big
    you can buy/add/swap new cards with new capabilities, e.g.,
      a new OC-3/SONET WAN card
      24 10/100BASE ethernet ports
      9 1 G/ethernet ports
    overhead: a supervisor (CPU/memory) card
              other kinds of memory cards (flash)
    example: cisco 7513 (13 slots) fairly big router
             cisco 550X switch can take an RSM card (router card)

  fixed number of slots: (typically smaller)
    although even smaller boxes may have some expandability
    e.g., Cisco 2621 router has 2 10/100 ethernet slots and
      WAN ports (for ISDN, and other low-speed possibilities)
    example: Cisco 2926 switch (fixed set of ports)

  port naming:
    if fixed ports, then names like Ethernet0, Serial0, Serial1
    if modules, then a two-tuple (module/port), e.g., FastEthernet 1/0
    names may be more complex in case of virtual interfaces (vlans)
      or VIP controller (multi-module) cards, e.g., FastEthernet 0/0/1

  memory:
    NO hard disk
    one has two "objects" (configuration/os) stored in memory,
      both of which can be stored on remote file systems with
      tftp/anonymous ftp and possibly other means

    three kinds of memory (storage of objects + runtime mem):
      1. flash or "permanent" non-volatile memory, where the os is stored
      2. nvram, where the configuration is stored
      3. runtime RAM memory for the operating system, processes, and the
         configuration itself while they are being used

    two kinds of objects:
      1. the configuration
         view it as an ASCII file that can be uploaded in part or in full,
           at boot or at other times
         the configuration is a set of IOS commands
         it can be modified in runtime memory in part by IOS commands
         saved to remote disk or nvram storage
      2. the kernel image itself
         loaded to/from flash
         may have multiple copies in flash memory (current image and test image)
         loaded into RAM memory by reboot

    thus the objects can be stored in non-volatile memory locally and
      loaded either from that memory or from a remote hard disk at boot,
      and saved to flash or to a remote hard disk too

    downside: you must be careful that what is running (e.g., the
      configuration) is actually saved to non-volatile memory (and on disk)
    pro: you may also try out a few changes in the runtime memory
      configuration and only save them if they work

  redundancy:
    one of the definite PROs when we compare a cisco router to, say,
      a UNIX workstation/router

    power-supply redundancy - may be hot-swappable
      2 power supplies on a bigger chassis not unusual
      keep in mind: less useful if the 2 power supplies are plugged into
        the same AC circuit (but not useless)
      good UPS (with snmp management) worthwhile

    ethernet and WAN boards may be hot-swappable
      may have a failover system: 2 boards act as one.
        board A goes away, board B automatically takes over
      2 ethernet boards would have to share a MAC address

    important note: no HARD disk is a pro ...
      two things likely to fail are: disk/power supply (fan)
      harder to hack into it
      it can't fail if it doesn't exist :->

    redundancy pros: improve odds of a 7x24 production system
    cons: costs hw/capital money -- you pay for it

  misc. considerations:
    good power needed
    air conditioning likely required for big boxes
    wiring fabric should certainly converge where core routers/switches exist

----------------------------------------------------
software

  IOS command set is huge
    commands have options
    options have options

  focus is on IOS ASCII configuration
    set of ASCII commands
  but one can also of course
    1. dump tables (interface stats/route tables/arp/access-list hits)
    2. turn debugging on/off, which may go to remote syslog
    3. clear counters
    4.
       ping/traceroute/telnet elsewhere to test connectivity

-------------------
command modes (exec/enable):

  basic modes are exec/enable/configuration
    configuration modes live within enable mode

  to exec mode:
    % telnet cisco-box
    password: xyzzy-whatever
    router>
  login (1st-level password) gets you to exec mode.

  exec mode mostly allows read-only access.
    you can look at some things (show commands), and clear some things
      (clear interfaces)
    look at ip table/arp table, go to enable mode, clear counters
    prompt is: router>

  exec mode commands include:
    router> help     tells you at any level how to use the help system.
                     in general, when in doubt type in ?
      e.g.,
      router> ?
      router> show ?          list of show commands
      router> show ip ?
      router# ?               enable level commands
      router(config)# ?       commands in config mode
    router> logout
    router> trace/mtrace
    router> ping
    router> telnet
    router> show flash
    router> show ip route
    router> show ip arp
    router> show interface
    router> show processes
    router> show modules     (some switches)
      (show mac and show port too for the higher breed of switches)
    router> show version
    router> show snmp
    router> show ip ospf     (for example)
    router> enable

-----------------------------
  from exec mode:
    router> enable
    password: (enable password)
    router#
  now you can change/configure things.
  note that certain configuration moves will take you into sub-configuration
    areas (router/interface/access-list commands)
  you can also view the entire RAM configuration:
    router# show running-config
    router# reload              to reboot
    router# debug               to debug (of course)
    router# exit  or  logout    to get out

---------------------------------------------------
short overview of config commands:

  configuration is a mode entered from enable mode:
    router# config terminal
  sub-configuration modes exist too (acl/interface/router ...),
    which are infinite by their very nature

  1. general (entire setup)
       time (NTP)
       logging
       DNS
       specific ip routes (e.g., static default)
       snmp
     do:
       router# config term
       ...
       Cntrl-Z to get out
  2.
     per interface oriented
       router# config term
       router(config)# interface Ethernet0
     per interface command example:
       interface Ethernet1
         shutdown        <---- turn it off
  3. router process oriented
       router(config)# router ospf <process-id>
       ospf commands
  4. various lists (often of ip addresses or tcp/udp ports)
       access-control list (acl) for security
       route map for filtering
  5. terminal setup (vty and console)
       acl for vty access (who can telnet)

----------------------------------------------------
upload/download config/image to/from disk/memory

  names:
    running-config   <--- the running configuration
    startup-config   <--- the startup config saved in nvram

  1. manipulate config file to/from nvram
       router# show running-config
       router# show startup-config
       router# copy running-config startup-config   <-- copy running to startup
         older: router# write memory (same thing)
       router# copy startup-config running-config   <-- copy startup to running
       router# erase startup-config                 <-- wipe out config in nvram

  2. upload/download config file from secondary disk
       router# copy running-config tftp:
         (or older: router# write network)

  3. upload/download binary image
     copy from tftp/disk to flash memory (and then reload to reboot)
       router# copy tftp flash
         you will be prompted for filename/remote ip
       router# reload
     IOS image might be named c2500-i-l.112-9.P.bin
     note: router may have more than one space for images.
       You may have flash partitioned for > 1 image.
       router# show flash
     copy from image to disk
       router# copy flash tftp
     zap flash
       router# erase flash
     strong suggestion: keep the last known working image on a known
       backed-up disk

----------------------------
security:

  1. router's own security must be considered
       USE acls to disallow access to/from the router as desired,
         especially on an external WAN or Internet i/f.
       acl may be used to enable snmp access as well.
  2. ACL mechanism used for many purposes including security,
       route filtering (we will look at examples)
  3.
     ACL may apply to VTY, which controls telnet access
       e.g., you can allow only one local system to get access via telnet
  4. dialup much more complex (AAA/radius, etc.)
       - need to tie dialin login to backend workstation accounts
  5. cisco now supports IPSEC as well

  see acl demos and acl log. Look at
    1. accept a few things/deny rest (security is stronger)
    2. deny a few things/accept rest (security is weaker)

  # see what the access list has been denying
  router> show ip access-lists

  use syslog. use ntp time.
    you want log time to be accurate with real time in case of
      reconstruction post security event/random crash
    be careful about what you syslog in terms of acls. you don't want
      everything, else you risk the router spending too much time
      processing logging, and not enough on packets

----------------------------
short tour
----------
  visual on-line demo of cisco commands during class

  ssh note: consider using ssh to get as close to the router as possible,
    then telnet. minimize sniffer attack on passwords.
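The exec -> enable -> config walk-through and the running/startup-config save described in the command-modes and upload/download sections above, as one added session transcript (not from the class notes). It assumes a small fixed-port router with Ethernet0, Ethernet1 and Serial0, uses constructed RFC 5737 documentation addresses, and every <angle-bracket> value is a placeholder; NTP, logging and snmp (also part of the "general" setup) are left to the security example that follows.

```cisco
! Added example, not from the class notes. Lines starting with "!" are
! comments; the prompt shows which mode each command is typed in.
! Assumed: interfaces Ethernet0/Ethernet1/Serial0 exist; 192.0.2.0/24 and
! 198.51.100.0/30 are constructed sample addresses.

router> enable
Password: <enable-password>
router# configure terminal

! 1. general (entire setup): name and DNS
router(config)# hostname gw1
gw1(config)# ip domain-name example.net
gw1(config)# ip name-server 192.0.2.53

! 2. per interface: address the LAN side and bring it up, shut an unused
!    port, address the WAN side
gw1(config)# interface Ethernet0
gw1(config-if)# ip address 192.0.2.1 255.255.255.0
gw1(config-if)# no shutdown
gw1(config-if)# interface Ethernet1
gw1(config-if)# shutdown
gw1(config-if)# interface Serial0
gw1(config-if)# ip address 198.51.100.2 255.255.255.252
gw1(config-if)# no shutdown
gw1(config-if)# exit

! static default route toward the WAN next hop (assumed 198.51.100.1)
gw1(config)# ip route 0.0.0.0 0.0.0.0 198.51.100.1

! 3. router process oriented: OSPF process 1 on the LAN network only
gw1(config)# router ospf 1
gw1(config-router)# network 192.0.2.0 0.0.0.255 area 0
! "end" leaves all sub-configuration modes at once, same as Ctrl-Z
gw1(config-router)# end

! Everything so far lives in runtime RAM only. Verify it, then copy it to
! nvram so it survives a reload; the second show confirms the copy took.
gw1# show running-config
gw1# copy running-config startup-config
gw1# show startup-config
```

The order matters for the point the notes make about memory: until the copy command is issued, a reload would bring the box back up with the old startup-config and every change above would be lost, which is also what makes it safe to try a change and back it out with a reload if it misbehaves.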
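The "accept a few things, deny the rest" ACL shape, the VTY and snmp access lists, and the syslog/NTP advice from the security section, as one added configuration (not from the class notes). Assumed: Serial0 is the Internet-facing interface, the LAN is 192.0.2.0/24 with a mail host at .25, a resolver at .53 and a management station at .100 (all constructed RFC 5737 addresses), and <angle-bracket> values are placeholders.

```cisco
! Added example, not from the class notes; addresses are constructed.
gw1# configure terminal

! Extended ACL for packets ARRIVING from the WAN: permit only what the site
! needs, then deny everything else and log it. The deny is written out
! rather than relying on the implicit deny, so "show ip access-lists" keeps
! a hit counter for it and the "log" keyword can be attached.
gw1(config)# access-list 101 permit tcp any host 192.0.2.25 eq smtp
gw1(config)# access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
gw1(config)# access-list 101 permit udp any eq domain host 192.0.2.53
gw1(config)# access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
gw1(config)# access-list 101 deny ip any any log
!
! The weaker "deny a few things, accept the rest" shape, left commented out
! for contrast: anything not named in a deny line gets through.
! access-list 102 deny tcp any any eq telnet
! access-list 102 permit ip any any
!
gw1(config)# interface Serial0
gw1(config-if)# ip access-group 101 in
gw1(config-if)# exit

! Standard ACL naming the single management host allowed to telnet to the
! router (access-class on the vty lines) and to poll it read-only via snmp.
gw1(config)# access-list 10 permit host 192.0.2.100
gw1(config)# access-list 10 deny any log
gw1(config)# line vty 0 4
gw1(config-line)# access-class 10 in
gw1(config-line)# login
gw1(config-line)# password <vty-password>
gw1(config-line)# exec-timeout 5 0
gw1(config-line)# exit
gw1(config)# snmp-server community <community-string> RO 10

! Logging: timestamps taken from an NTP-synchronized clock so router events
! can be lined up with other hosts' logs. ACL "log" messages are severity 6
! (informational), so the trap level must include them to reach the syslog
! host; only the deny lines carry "log", not every permit, to keep the
! logging load off the packet path.
gw1(config)# service timestamps log datetime msec
gw1(config)# ntp server 192.0.2.10
gw1(config)# logging 192.0.2.20
gw1(config)# logging trap informational
gw1(config)# end

! Verification: per-entry match counters, the local log buffer, and save.
gw1# show ip access-lists 101
gw1# show logging
gw1# copy running-config startup-config
```

With access-list 10 in place, a telnet attempt from any host other than 192.0.2.100 is refused before the login prompt and produces a logged deny, which is the "only one local system may telnet" case the notes describe; the same list reused on the snmp-server community line means the community string alone is not enough to read the router's tables.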