Guide to Cisco Router Configuration

Contents

Preface and Scope
Description of Cisco Router Products
Cisco Interface Cards
Preparing for Configuration
Configuring the Router
    I. Set a Hostname
    II. Establishing Enable Password Protection
    III. Optionally Enable UDP and TCP Network Services
    IV. Configure Console and Network Access
    V. Configure Serial and Ethernet Interfaces
    VI. Configuring the CIP Card and the Virtual Interfaces
    VII. Add IP Routes and Set a Default Route
    VIII. Configure Frame Relay
    IX. Configure Asynchronous Transfer Mode (ATM)
Configuring Access Lists and Network Security
Configuring Routing Protocols
    I. Configuring RIP
    II. Configuring IGRP
    III. Configuring Enhanced IGRP
    IV. Configuring OSPF
    V. Configuring BGP
    VI. Exchanging Routes Between Protocols
Preface and Scope

This document is intended to instruct in the basics of Cisco router configuration and maintenance. It is by no means complete or authoritative. This document purposely omits many topics and assumes a foreknowledge of others. It is assumed that the reader has a preexisting knowledge of Internet protocols and an understanding of TCP/IP networking. Prior experience with Cisco router products will make this document easier to understand but is not required.

The commands and procedures detailed in this writing are consistent with Cisco's Internetwork Operating System (IOS) versions 11.0, 11.1, and 11.2. Cisco endeavors to maintain backwards compatibility in its software; however, there is no guarantee of such. Hence, the commands and procedures outlined herein should only be used as a guide when working with later releases of IOS. References within this writing to IOS documentation refer to the manual set for IOS version 11.0.
Description of Cisco Router Products

There are several varieties of Cisco routers. The relevant router models are the 2500, 4000, 7000, and 7500 series. Physically, each is as follows:

The 2501 (which is about the only router out of the 2500 series we use) has a console port and an aux port in the form of RJ45 type connectors. There is one 10 megabit Ethernet AUI type connector, and two high density 60 pin serial connectors. The serial connectors are used for the WAN connections.

The 4000 is the next step up in Cisco's product line. It has a console port and an aux port in the form of two DB25 connectors. There are slots for various interfaces; however, they are not presented in a card/slot format. Rather, each card adds interfaces to those already in existence, so it becomes possible to have, for example, interfaces Serial0 through Serial11 by using three cards.

One of the more recent generations of backbone routers is Cisco's 7000 series router. This router is quite large. It has room for a primary and redundant power supply. In the backplane, there are 7 slots that are used as follows. All the way on the right-hand side is a slot labeled for the Route Processor (which holds two DB25 connectors for console and aux). It utilizes a Motorola 68040 for its processor and has internal slots for two flash modules and 4 30-pin SIMMs. There is also a bank of pins for various jumpers. These control certain default settings that are read when the router is powered up. Factory default is almost ALWAYS correct and these jumpers should NOT be moved. To the left of this card is the Switch Processor. This card handles "fast switching" in this model router. "Fast switching" will be explained later in this document. Finally, there are slots labeled 0 through 4. These are for interface cards. There is also an upgraded processor card for the 7000. The primary difference is that the processor is MIPS based and the flash slots have been made external to accommodate a single removable PCMCIA flash module.

Finally, there is the 7500 series. This is Cisco's latest router model. The processor is MIPS based and the backplane has been greatly enhanced. The 7505, which is our most common router, has a single power supply, a slot for the Route/Switch Processor with two PCMCIA slots for flash cards (they are one card here instead of two because of changes made in the way that fast switching is done), and interface slots labeled 0 through 3. The on-board memory is 4 72-pin SIMM slots using parity RAM. The 7507 adds a redundant power supply, an additional interface slot, and room for a redundant processor card. The 7513 adds a blower for additional cooling, contains a route processor and a switch processor, and can hold up to 11 interface cards in addition to the processors.
Cisco Interface Cards

There are several cards for use with the Cisco 4000, 7000, 7200, and 7500 series routers. The 2500 series are fixed configurations. This section only describes the cards used with 7000 and 7500 series routers.

The first is the Fast Serial Interface Processor (FSIP) card. The FSIP is available with 4 or 8 serial ports. These are used for synchronous data connections such as T1s, which are used in Wide Area Networks (WANs).

Ethernet Interface Processor (EIP) cards contain 2, 4 or 6 AUI type connectors for 10 megabit Ethernet and are used for connecting the router to the low speed Local Area Network (LAN).

Fast Ethernet Interface Processor (FEIP) cards contain two RJ45 type modular connectors used for 100baseT connections.

ATM Interface Processor (AIP) cards are used for Asynchronous Transfer Mode (ATM) connections. There are a couple of varieties of ATM cards. Most commonly used is a DS3 interface which has two BNC type coaxial connectors (one for transmit and one for receive). This interface operates at 45 Mbps. In our Phoenix POP, we have installed a SONET interface card which makes use of a fiber optic connection to a LightStream 100 (which is essentially an ATM switch). This connection operates at OC3c speeds (155 Mbps).

Fiber Distributed Data Interface (FDDI) Processors (FIP) have two fiber optic connectors and may be connected by one or the other, or both connectors may be utilized to create a fiber ring for redundancy. This interface operates at 90 Mbps.

High Speed Serial Interface (HSSI) Processors (HIP) are used for DS3 level connections. These cards have a single connector for one T3.

Channelized T3 Interface Processors (CIP) are used to connect a muxed T3 into a router. This card has two BNC connectors for the transmit and receive of the T3. It also has 3 DB9 connectors for T1 output and one DB9 for output to a test set. Using this card, it is possible to configure 28 full or fractional T1 circuits in one slot within the router. This is a significant advantage over the use of external CSUs and multiple FSIP cards, which occupy valuable rack and bus space, respectively. Built using the second generation Versatile Interface Processor design (VIP2), this card also supports distributed switching and can handle the same conventional load while using less of the router's primary processor. The outputs can be used to feed T1s to external devices or for connecting to a MIP card for channelized T1 processing.

Packet Over SONET Interface Processors (POSIP) are used to provide point-to-point connectivity between locations at the OC3 level. This interface operates at 155 Mbps, full duplex. It has one optical connection to receive an OC3 circuit.
Preparing for Configuration

There are several steps involved in commissioning a new router. The first is to determine the physical configuration. Although any interface card may be placed in any slot, thought should go into how cards are arranged. For example, if you intend to have a large group of routers with more or less identical types and quantities of cards, it is easier to place the cards in a "standard" order. This way, there is no searching to find what card is in which slot; it is simply assumed that a given card will be in a given slot. This leaves less to remember and can cut critical time off diagnosing network problems.

Initial configuration is done from the console. There are a few caveats which will be explained later. The console should be connected via a straight-through RS232 interface using either a standard RS232 cable or one of the appropriate adaptors provided with the 2501 (Note: the adaptors for the 2500 series routers are proprietary to Cisco and do NOT contain standard pinouts.) The connection operates at 9600 baud, 8 data bits, 1 stop bit and no parity.

Boot the router and wait for the "press return to get started" prompt. When the router boots for the first time after being shipped from the manufacturer, you may enter the "setup" dialogue. In general, you don't want to use setup to initialize your router. You may exit out of this when prompted, or you can type Ctrl-^ (caret), which is the Cisco interrupt character, to break out of it. You should end up at a "Router>" prompt. This is an unprivileged access mode known as "User EXEC Mode". There are several levels of access that can be configured within the router. This mode is privilege level 1. (You may use the "show privilege" command to find out what your current privilege level is.) To enter a higher privilege mode, use "enable". The default privilege level is 15. If a password has been set, you will be prompted to enter it at this time. If no password has yet been set, you will not be prompted for a password, and will instead immediately gain privileged access. Your prompt will now become "Router#". At that point, you may prepare to enter configuration commands by typing "configure terminal". Your prompt will change to "Router(config)#". To exit the configuration, type "exit" or Ctrl-Z. Once you are done, you need to store your configuration changes in non-volatile memory. Type "write" from the privileged EXEC prompt (Router#). It will take a few moments to build the configuration file and store it in memory.

As mentioned above, there are a few things to watch for when configuring Cisco routers. Once logged into a router via a network connection, you cannot "enable" from the network connection if no enable password has been set. One of the most important things to remember is that ALL changes are IMMEDIATE. If you attempt to restart an interface by shutting it down and then turning it back up, and it is the interface you are coming in over, you will never be able to turn the interface back up unless you come in via an alternate path (such as logging in on the console or by dialing up to a POP) or power cycle the router. Likewise, when configuring a packet filter, it is a good idea to remove the filter from the associated interface while updating it if at all feasible. This saves you from filtering yourself out of the router and possibly causing significant interruption of services for others. Also, for any given command, with only a few exceptions, placing a "no" in front of the command has the effect of "undoing" that operation.
Configuring the Router

The Cisco Internetwork Operating System (IOS) is extremely flexible and powerful. Hence, there are many subtleties to configuring certain services and many things that the router can do that you will never use. For the full description of the options that can be used with each of these commands, refer to the router configuration guide and command reference. These documents are available in printed form and via the World Wide Web at http://www.cisco.com/univercd/data/doc/software.htm. (Hint: this is a good bookmark to place in Netscape.) From there, you may select the appropriate version of IOS to find the section you are looking for.

Cisco interfaces are named according to interface type and interface number. The 7000, 7200, and 7500 series routers also add a slot number. All interfaces and slots are indexed at zero. The first Ethernet port on a model 2501 router would be identified as Ethernet0. The fourth serial port on a 7000 with a serial card in slot 2 would be Serial2/3.

* For the remainder of this section, it is assumed that the reader has entered the terminal configuration mode within the router via "configure terminal" from the privileged EXEC prompt.
I. Set a Hostname

The first order of business in configuring a router is to choose a hostname for the router. This name is not used by the router itself and is entirely for human consumption. The hostname you set replaces "Router" in the prompt and can be useful in distinguishing which router you are connected to when telnetting among several routers. This line also appears within the first 20 lines of the configuration file and can be used to distinguish saved configurations of one router from another. The form of this command is:

    hostname <name>
II. Establishing Enable Password Protection

Before connecting the router to your network, it is also a good idea to set the enable password. This password is used to gain privileged access to the router, so it should not be an obvious password. The format of this command is as follows:

    enable password <password>
This password may contain up to 80 alphanumeric characters, including spaces, but MUST NOT START with a number or a space. The password is stored in an unencrypted (plain text) format in the configuration file. Obviously, it is desirable to have the password encrypted before it is saved. To do this, use:

    service password-encryption

This will cause all passwords in the system to be encrypted, using Cisco's proprietary encryption algorithm, before being stored in a saved configuration. NOTE: There is no way to recover a lost encrypted password.
III. Optionally Enable UDP and TCP Network Services

Cisco routers support standard network services for TCP and UDP such as echo, discard, daytime, and so forth. These services are enabled with the commands:

    service tcp-small-servers
    service udp-small-servers

It should be noted that these package all standard network services in one bundle. Without creating access lists, it is not possible to disallow any of the services these create. Cisco also supports a finger daemon to give information about who is connected to a given router. This service is enabled by default. Finger may be disabled as follows:

    no service finger
IV. Configure Console and Network Access

Initially, the only device set up for access is the console. When placed in the field, it is more convenient to program and maintain the routers through a telnet connection than it is to dial up into each router to configure or monitor the system. In order to do this, virtual ttys (vtys) must be configured. Generally, 5 vtys should be configured; however, the router will support up to 100. Each should be given a timeout to avoid all vtys being in use. If all vtys are in use, further connection attempts will result in a "connection refused". It is probably a good idea to force the user to enter a password before he can log in to the router through a vty as well. An example of this configuration is shown below.

    line vty 0 4
     exec-timeout 30 0
     login
     password steamboat

This creates 5 vtys numbered 0 through 4. Each vty has a timeout of 30 minutes and 0 seconds. These vtys require a password for login. This password is "steamboat". Note: If password-encryption is enabled, this password is encrypted before being stored in the router's configuration. The minimum number of vtys that may be enabled is 5. Usually you do not want to require a password for console access, but you would like to specify a timeout.

    line con 0
     exec-timeout 15 0
For a full description of how each vty may be configured, refer to chapter 4 of the router configuration guide.
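The settings in sections II through IV are the ones most often left at their defaults once a router is in the field, so it is worth checking a saved configuration against them before the router is reachable from the network. The Python script below is an added example, not part of this guide and not a Cisco tool: it parses an IOS-style configuration (the two configurations embedded in it are constructed, reusing the guide's sample password) and reports an enable password saved without service password-encryption, small servers left on, finger not disabled, and vty lines with no password or no idle timeout. One caveat for the encryption check: service password-encryption keeps passwords from being read off a printed or saved configuration, but it is a reversible encoding, so the saved configuration still has to be protected like a password file.

```python
"""Audit an IOS-style configuration for the console and network access settings
described in sections II-IV.  Added example with constructed configurations;
nothing here is taken from a real router."""

# Constructed: a router configured with the guide's defaults left in place.
WEAK_CONFIG = """\
hostname border1
enable password steamboat
service tcp-small-servers
service udp-small-servers
line con 0
 exec-timeout 15 0
line vty 0 4
 login
 password steamboat
line vty 5 9
 exec-timeout 0 0
 login
"""

# Constructed: the same router with every finding below addressed.
HARDENED_CONFIG = """\
hostname border1
service password-encryption
enable password steamboat
no service tcp-small-servers
no service udp-small-servers
no service finger
line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 30 0
 login
 password steamboat
"""


def parse_config(text):
    """Split a configuration into global commands and the sub-commands of each
    'line ...' block (sub-commands are indented by one space, as IOS prints them)."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(text)
    present = set(global_cmds)
    findings = []
    if any(c.startswith("enable password") for c in global_cmds) \
            and "service password-encryption" not in present:
        findings.append("enable password is saved in plain text; "
                        "add 'service password-encryption'")
    for svc in ("service tcp-small-servers", "service udp-small-servers"):
        if svc in present:
            findings.append(f"'{svc}' is on; it cannot be trimmed without access lists")
    if "no service finger" not in present:
        findings.append("finger is enabled by default; add 'no service finger'")
    for name, subcmds in line_blocks.items():
        if not name.startswith("line vty"):
            continue   # console lines are not reachable over the network
        if "no login" in subcmds:
            findings.append(f"{name}: 'no login' allows access without a password")
        if "login" in subcmds and not any(s.startswith("password") for s in subcmds):
            findings.append(f"{name}: 'login' is set but no password is configured")
        timeout = next((s.split() for s in subcmds if s.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout, idle sessions will hold the vty")
        elif timeout[1:3] == ["0", "0"]:
            findings.append(f"{name}: 'exec-timeout 0 0' disables the idle timeout")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against WEAK_CONFIG the script lists seven findings; against HARDENED_CONFIG it lists none. The parser only understands the flat "global command / indented sub-command" layout that IOS writes, which is enough for the line and service checks here.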
V. Configure Serial and Ethernet Interfaces

By far, the easiest interfaces to configure are Ethernet interfaces. To bring up an Ethernet interface, all that is necessary is to assign it an IP address, associate a netmask with that address, and turn up the interface. For example, to bring online the Ethernet interface on a 2501 and assign it the IP address 150.151.152.1 with a class C netmask (255.255.255.0), the following commands would be used:

    interface Ethernet0
     ip address 150.151.152.1 255.255.255.0
     no shutdown

and that's it. It should be noted that this has the side effect of placing a route for 150.151.152.0 in the 2501's routing tables, since this is a network that is directly "Connected" via Ethernet0. As a result, you can immediately connect to any system on that network from the router. Routing and types of routes will be discussed later in this document.

Configuring serial interfaces for point-to-point connections is not too different.

    interface Serial0/3
     ip address 203.142.253.33 255.255.255.252
     encapsulation ppp
     mtu 1500
     no shutdown

This gives Serial0/3 the address 203.142.253.33 and makes it part of a subnet of 2 IP addresses (plus broadcast/network number) of 203.142.253.32-35. Again, a connected route is placed in the routing tables. These routes can be useful when configuring BGP or OSPF or some other routing protocol, as discussed later. IP subnetting, as used in the above example, is not covered within the scope of this document. The preceding example also assigned a link encapsulation of PPP to the interface and gives it an MTU of 1500 bytes, which is the default if no MTU is specified. This is correct for most instances, but when connecting to another Cisco, it will be slightly more efficient to make use of Cisco's HDLC protocol. This is the default encapsulation for all serial interfaces. To make use of this, either omit the encapsulation or specify "no encapsulation" to remove a previous setting. There is a third encapsulation for serial interfaces, frame relay, which will be discussed in its own section later on.
VI. Configuring the CIP Card and the Virtual Interfaces

The CIP card appears to the router as a controller instead of a standard interface. T1 channels may be defined, modified, or deleted without any external configuration to the card. CSU loops may be initiated and released from within software, and test patterns run to these loops from the router. The advantages of full management are well known to anyone who has spent any time at all performing work as a network operations technician. The ability to quickly determine CSU states, attempt quick fixes, and obtain a full diagnostic of the problem is invaluable when reporting an outage to a carrier. The more information that can be provided to them during the initial problem report, the faster the diagnostic and repair processes often go.

The T3 controller, since it is built on VIP2 technology, introduces a third level to the card designation. Instead of simply slot/port, it now introduces a port adaptor number. Since there is only one CT3IP per card, the port and port adaptor numbers will always be zero. An interface in slot 2 will be identified as 2/0/0. T1 channels are designated by a colon and a channel number after the interface identifier (numbered 1 through 28 to coincide with Bellcore designations). In the previous example, the 17th T1 channel would be 2/0/0:17.

The first step in configuring this interface is the configuration of the T3. Settings required are T3 framing, clock source, and cable distance (which is used in determining the LBO to use). The default cable length is 224 feet. This should be acceptable for most applications. The framing types available are cbit and m23. It is possible to configure the router to autodetect framing, but in many instances auto detection can lead to future problems, so it is best to use this only when you are uncertain of the framing being used. Once the framing has been identified, it can then be set statically in the router's configuration. For most muxed T3s, the framing type will be m23. cbit is used, for example, in a clear channel T3 into an ATM network.

    controller t3 0/0/0
     framing m23
     clock source line
     cablelength 224
Once the T3 has been configured, T1 channels may be assigned. The T1 channels need to be configured for the number of slots on the T1 in use, the framing and encoding being used, the speed of the underlying DS0s (56K or 64K), and the clock source for the T1.

    controller t3 0/0/0
     t1 1 timeslots 1-24 speed 64
     t1 1 clock source line
     t1 1 framing esf
     t1 1 linecode b8zs

T1 default parameters are clock source line, esf, b8zs, and 64K DS0s. If this is the desired configuration, the only command necessary is "t1 1 timeslots 1-24". The first three channels on the T3 may also be output to the connectors on the outside of the card. This is accomplished by configuring that T1 as external.

    controller t3 0/0/0
     t1 external 1
After the T1 is configured, the router creates a virtual serial interface. This interface does not appear until the T1 has been created, and is identified in the same manner described above. For example, to reference the serial interface for the first T1, it would be identified as Serial0/0/0:1. This interface may be configured as any other serial interface. Loopbacks and tests are initiated from the interface level. The T3 may also be looped back from the controller configuration. It is important to note that the T1s may NOT be looped from the controller configuration.

    interface Serial0/0/0:1
     loopback network

The loop is removed by specifying "no loopback network" in the interface configuration.
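To see how the naming and channel rules of this section fit together, here is an added Python example (not from this guide and not a Cisco tool). It takes a constructed list of T1 circuits for a CIP in an assumed slot, checks them against the rules stated above (channels numbered 1 through 28, timeslots 1 through 24, DS0 speed 56 or 64, external output only for channels 1 through 3), emits the controller lines with only the non-default T1 parameters written, and derives the virtual Serial slot/0/0:channel interface name and DS0 bandwidth for each channel.

```python
"""Generate 'controller t3' lines and the derived virtual serial interface names
for a CIP card.  Added example; the circuit list below is constructed."""

T1_DEFAULTS = {"clock source": "line", "framing": "esf", "linecode": "b8zs"}
DEFAULT_SPEED = 64   # kbps per DS0

# Constructed circuit list: T1 channel number -> settings that differ from a full T1.
CIRCUITS = {
    1: {"timeslots": "1-24"},                                    # full T1, all defaults
    2: {"timeslots": "1-12", "speed": 56},                       # fractional T1 at 56K
    3: {"timeslots": "1-24", "external": True},                  # fed to a front-panel DB9
    17: {"timeslots": "1-6", "framing": "sf", "linecode": "ami"},
}


def parse_timeslots(spec):
    """Expand '1-24' or '1,5-8' into the set of DS0 numbers it names."""
    slots = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 24:
            raise ValueError(f"timeslots {spec}: DS0s on a T1 are numbered 1-24")
        slots.update(range(lo, hi + 1))
    return slots


def controller_config(slot, circuits):
    """Return (config lines, {channel: (interface name, bandwidth in kbps)})."""
    ctl = f"{slot}/0/0"    # one CT3IP per card, so port adaptor and port are always 0
    lines = [f"controller t3 {ctl}"]
    interfaces = {}
    for chan in sorted(circuits):
        spec = circuits[chan]
        if not 1 <= chan <= 28:
            raise ValueError(f"t1 {chan}: T1 channels on a T3 are numbered 1-28")
        if spec.get("external") and chan > 3:
            raise ValueError(f"t1 {chan}: only channels 1-3 can be output externally")
        speed = spec.get("speed", DEFAULT_SPEED)
        if speed not in (56, 64):
            raise ValueError(f"t1 {chan}: DS0 speed must be 56 or 64")
        n_slots = len(parse_timeslots(spec["timeslots"]))
        cmd = f" t1 {chan} timeslots {spec['timeslots']}"
        if speed != DEFAULT_SPEED:
            cmd += f" speed {speed}"
        lines.append(cmd)
        for key, default in T1_DEFAULTS.items():
            if spec.get(key, default) != default:    # write only non-default settings
                lines.append(f" t1 {chan} {key} {spec[key]}")
        if spec.get("external"):
            lines.append(f" t1 external {chan}")
        # The virtual interface appears as Serial<slot>/0/0:<channel> once the T1 exists.
        interfaces[chan] = (f"Serial{ctl}:{chan}", n_slots * speed)
    return lines, interfaces


if __name__ == "__main__":
    config, ifaces = controller_config(0, CIRCUITS)
    print("\n".join(config))
    for chan, (name, kbps) in ifaces.items():
        print(f"{name}: {kbps} kbps")
```

For the constructed list in slot 0, channel 17 comes out as Serial0/0/0:17 at 384 kbps (6 DS0s at 64K) and channel 2 as Serial0/0/0:2 at 672 kbps (12 DS0s at 56K); asking for external output on channel 5 raises an error before any configuration is produced.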
VII. Add IP Routes and Set a Default Route

Obviously, the Internet is not centered around one router. Usually, getting to another system requires passing through at least one other router (probably several). It is also possible that more than one network will end up on a single interface. The general form of Cisco's route command is:

    ip route <network> <netmask> <next-hop address | interface> [metric]

The metric is used by certain routing protocols such as RIP as a hint to other routers of the "distance" to the network when advertising this route to other routers. In general, you can omit the metric and let the routing protocols assign default values to these.

Examples:

Add a route for 202.123.100.0 (class C) through 204.203.12.1.

    ip route 202.123.100.0 255.255.255.0 204.203.12.1

Add 122.250.0.0 (class B) to Ethernet0.

    ip route 122.250.0.0 255.255.0.0 Ethernet0
Classless Inter-Domain Routing

With the recent explosion of the Internet, dividing addresses into class A, B, C, and D networks is no longer adequate. Cisco's IOS supports the concept of Classless Inter-Domain Routing, or CIDR (often pronounced "cider"), entries to allow a given subset of any class of network to be routed at a given destination. For example, the following example routes 8 class Cs at the specified router.

    ip route 221.243.242.0 255.255.248.0 128.230.3.1

Note that the only change from the above examples is the different mask. This command uses subnet style netmasks to split off 8 class C networks beginning at 221.243.242.0 through 221.243.250.0 and lists 128.230.3.1 as the next-hop router. Normally, 8 routes would be needed to accomplish what this one entry has done. The goal of CIDR routing is to simplify routing tables and reduce the size of the Internet routing tables, preventing complete collapse when older backbone routers (such as those at Sprint, ANS, and AlterNet) reach a point where they simply do not have enough memory to hold the full Internet routing tables and cannot operate. Such outages cause major disruption of Internet services worldwide.

One practice often used is subnetting a class C network into blocks of 64 or 32 IP addresses for customers who don't require the full 254 addresses, in order to avoid wasting large blocks of numbers. Traditional subnetting allowed you to split a class C into blocks of 4, 8, 16, 32, 64, and 128, but ONLY one size. Cisco's IOS supports variable length subnetting, however. This allows a class C to be segmented such that it is possible to have some portions 4 addresses in length, some 32, etc. This permits more efficient use of addresses by eliminating the need to assign 32 addresses to a customer who only intends to use 6.

One caveat of subnet routing is that the IOS does not normally permit you to specify a subnet mask with a class C address (i.e., you can't route a subnet of 8 addresses as 203.102.123.0, since that is the network number for a class C and it wants to treat the route as a class C route). This can cause confusion when looking at routing tables. In order to get around this, Cisco has provided a command to override this behavior:

    ip subnet-zero

Once that has been entered, it will very happily take the subnet route.
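Sections V and VII both come down to one routing table: connected routes that appear when an interface is given an address, static routes added with ip route, and the longest-prefix-match rule that lets a single CIDR entry stand in for several classful routes. The Python example below is added here and is not from this guide or from IOS. It parses a constructed configuration that reuses this guide's sample interfaces and routes (plus a default route, written as ip route 0.0.0.0 0.0.0.0 followed by a next hop, which is assumed here since the guide does not show it), builds the table, and resolves destinations. It also checks that each static route's address is aligned to its mask: under a 255.255.248.0 mask the third octet must be a multiple of 8, so the 221.243.242.0 entry is flagged and the block the mask actually covers, 221.243.240.0 through 221.243.247.0, is reported.

```python
"""Build a routing table from interface addresses and 'ip route' statements and
resolve destinations by longest-prefix match.  Added example; the configuration
below is constructed from the guide's sample addresses."""
import ipaddress

CONFIG = """\
interface Ethernet0
 ip address 150.151.152.1 255.255.255.0
interface Serial0/3
 ip address 203.142.253.33 255.255.255.252
ip route 202.123.100.0 255.255.255.0 204.203.12.1
ip route 122.250.0.0 255.255.0.0 Ethernet0
ip route 221.243.242.0 255.255.248.0 128.230.3.1
ip route 0.0.0.0 0.0.0.0 203.142.253.34
"""


def build_table(text):
    """Return (routes, warnings); each route is (network, next hop or interface, code)
    where code is 'C' for connected and 'S' for static, as 'show ip route' labels them."""
    routes, warnings, iface = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface:
            _, _, addr, mask = line.split()
            # Assigning an address installs the connected route for its subnet.
            routes.append((ipaddress.ip_interface(f"{addr}/{mask}").network, iface, "C"))
        elif line.startswith("ip route "):
            _, _, dest, mask, via = line.split()[:5]
            try:
                net = ipaddress.ip_network(f"{dest}/{mask}")
            except ValueError:
                # Host bits are set under this mask: report the block actually covered.
                net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
                warnings.append(f"{dest} {mask}: not aligned to mask, covers {net}")
            routes.append((net, via, "S"))
    return routes, warnings


def lookup(routes, destination):
    """Longest-prefix match: the most specific matching route wins, so a /24 beats
    a /21 supernet and the 0.0.0.0/0 default only matches when nothing else does."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


if __name__ == "__main__":
    routes, warnings = build_table(CONFIG)
    for net, via, code in routes:
        print(f"{code} {net} via {via}")
    for warning in warnings:
        print("warning:", warning)
    for dst in ("150.151.152.77", "221.243.245.9", "221.243.250.1"):
        print(dst, "->", lookup(routes, dst))
```

With this table, 221.243.245.9 falls inside the /21 and goes to 128.230.3.1, while 221.243.250.1 does not and falls through to the default route; the same lookup function, given the subnet routes of the variable length example above, would pick the /30 over the /27 for an address in both, which is exactly why the more specific customer routes can coexist with the aggregate.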
VIII. Configure Frame Relay

Configuring Frame Relay is a little more complicated than configuring point-to-point networks and therefore involves a few more steps. First is to configure the interface as a frame relay link. At the same time, you need to specify the type of frame relay packets carried by this network. Currently, Cisco only supports IETF and Cisco's own frame relay packet types. Since not very many vendors use the Cisco format, we always specify IETF. The format of this command is as follows.

    interface Serial0/0
     ip address 1.2.3.4 255.255.255.224
     encapsulation frame-relay IETF

Having the wrong LMI type specified can interfere with the operation of the frame relay circuit. Cisco supports LMI types ANSI (Annex D), cisco (default), and q933a (Annex A). Most vendors' switches are capable of auto-detecting which LMI type you are using, but not all. Generally, it's safe to leave the default LMI type set. Should you need to change it, the command is

    frame-relay lmi-type ANSI

to specify the ANSI packet format. Using LMI, the router can obtain information from the switch and other routers with PVCs to this circuit to build its own DLCI list, or map as it's sometimes called. However, it should be noted that Cisco has problems talking to some vendors' equipment (most notably Livingston Enterprises). This can result in the router sensing an active PVC (based on what it's getting from the switch) but not being able to tell what the address of the router on the other end is. For the sake of robustness, it is generally better to manually configure the DLCI list. This can make it more difficult to configure the router or make changes in the frame relay network, but can save considerable headaches when initially configuring a circuit or coping with service disruptions within the frame relay network. The DLCI number assigned to each PVC is provided by the telco and is entered into the router along with the networking protocol operating over this PVC, as well as additional optional information about this PVC. For example, a PVC on DLCI 19 carrying IP to the router with address 10.2.3.4 would be entered into the "map" as shown below.

    frame-relay map ip 10.2.3.4 19 broadcast IETF

Again, the packet type needs to be specified for this particular PVC and again, we have selected IETF. The "broadcast" keyword instructs the router to forward broadcast packets over this PVC. This can assist with broadcast routing protocols, for example. One line is needed for each DLCI configured. You can check the status of the PVC you just set up by entering the command "show frame-relay map" from the EXEC prompt.
IX. Configure Asynchronous Transfer Mode (ATM)

The structure of ATM draws heavily from X.25 and frame relay but is designed to operate at much higher speeds. Unlike frame relay, however, there is a card for the 7000 and 7500 series routers designed specifically to interface with the ATM network. It is also possible to configure ATM over a serial interface (either FSIP or HSSI) or (on a 4000) an NPM. For more information on this configuration, refer to chapter 7 of the configuration guide.

Configuring the ATM interface begins with assigning the interface an IP address (as demonstrated earlier in this document). Like Frame Relay, ATM requires that each host on the network be a part of the same subnet. The next step is configuring PVCs. There are two parts to doing this. The first is creating the PVC "map" on the interface. The second is mapping a protocol address to each PVC created. PVCs are created by assigning a Virtual Circuit Descriptor (VCD) to a given Virtual Path Identifier (VPI) and Virtual Circuit Identifier (VCI). The VCI for a given link, as with frame relay DLCIs, is assigned by the carrier. The general form of the command to create a PVC on a given interface is:

    atm pvc <vcd> <vpi> <vci> <aal-encap> [<peak> <average>] [oam <seconds>]

The VCD is specific to the router and is used by the router to match VPI/VCI pairs, and can be different from the numbers used to identify the VPI and VCI. It is also necessary to specify an encapsulation for the ATM packets over this VCI. This is the ATM Adaptation Layer (AAL). The peak and average values are used to specify the bandwidth at which this PVC will be permitted to connect. When these values are omitted, the highest possible connection rate is assumed.

Next, it is necessary to map a protocol to each PVC created on an interface. This is accomplished by creating a map list. Each entry in this list has the form

    <protocol> <address> atm-vc <vcd> [broadcast]

where protocol is, for example, IPX, IP, or AppleTalk. The address is the address of the remote router with respect to the protocol being transmitted over the virtual connection. Once the map is created, it needs to be associated with a given ATM interface using the interface command "map-group
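Both the frame relay map of section VIII and the ATM map list of this section bind a protocol address to a carrier-assigned circuit number, and a slip in either (the same DLCI or VCD mapped twice, an address outside the interface's subnet) is usually only noticed once traffic fails. The Python example below is added here and is not from this guide or from IOS. It parses map entries in the two forms shown on this page and reports duplicate circuit ids, addresses mapped to more than one circuit, addresses outside the interface subnet, and, for frame relay, DLCIs outside the 16 through 1007 range that a 10-bit DLCI leaves for user PVCs. The interface addresses and map lines are constructed; the first frame relay entry reuses the guide's 10.2.3.4 / DLCI 19 example.

```python
"""Validate frame relay and ATM PVC maps before they are entered on the router.
Added example; the interface addresses and map entries below are constructed."""
import ipaddress

# Constructed frame relay interface (address/mask) and its DLCI map.
FR_INTERFACE = "10.2.3.1/255.255.255.0"
FR_MAPS = [
    "frame-relay map ip 10.2.3.4 19 broadcast IETF",   # the guide's example entry
    "frame-relay map ip 10.2.3.5 20 broadcast IETF",
    "frame-relay map ip 10.2.3.6 19 broadcast IETF",   # DLCI 19 used twice
    "frame-relay map ip 10.9.9.9 21 IETF",             # address is not on this subnet
    "frame-relay map ip 10.2.3.7 1023 IETF",           # 1023 is reserved for LMI
]

# Constructed ATM interface and map-list entries of the form shown above.
ATM_INTERFACE = "10.5.0.1/255.255.255.0"
ATM_MAPS = [
    "ip 10.5.0.2 atm-vc 1 broadcast",
    "ip 10.5.0.3 atm-vc 2 broadcast",
    "ip 10.5.0.2 atm-vc 3",                            # same address on two VCDs
]

USER_DLCI_RANGE = (16, 1007)   # 0-15 and 1008-1023 are reserved on a 10-bit DLCI


def parse_map(entry):
    """Return (protocol, address, circuit id) for either map syntax."""
    words = entry.split()
    if words[:2] == ["frame-relay", "map"]:     # frame-relay map <proto> <addr> <dlci> ...
        return words[2], words[3], int(words[4])
    if "atm-vc" in words:                       # <proto> <addr> atm-vc <vcd> [broadcast]
        return words[0], words[1], int(words[words.index("atm-vc") + 1])
    raise ValueError(f"unrecognised map entry: {entry}")


def check_maps(interface, entries, circuit_range=None):
    """Return a list of problems found in the map; empty means the map is consistent."""
    subnet = ipaddress.ip_interface(interface).network
    by_circuit, by_address, problems = {}, {}, []
    for entry in entries:
        proto, addr, circuit = parse_map(entry)
        if circuit_range and not circuit_range[0] <= circuit <= circuit_range[1]:
            problems.append(f"circuit {circuit}: outside the usable range {circuit_range}")
        if circuit in by_circuit:
            problems.append(f"circuit {circuit}: mapped to both {by_circuit[circuit]} and {addr}")
        by_circuit.setdefault(circuit, addr)
        if (proto, addr) in by_address:
            problems.append(f"{proto} {addr}: mapped to circuits "
                            f"{by_address[(proto, addr)]} and {circuit}")
        by_address.setdefault((proto, addr), circuit)
        if proto == "ip" and ipaddress.ip_address(addr) not in subnet:
            problems.append(f"{addr}: not in the interface subnet {subnet}")
    return problems


if __name__ == "__main__":
    for label, iface, entries, rng in (("frame relay", FR_INTERFACE, FR_MAPS, USER_DLCI_RANGE),
                                       ("atm", ATM_INTERFACE, ATM_MAPS, None)):
        print(label)
        for problem in check_maps(iface, entries, rng) or ["no problems found"]:
            print("  -", problem)
```

The subnet check is only applied to IP entries, since the other protocols the map list accepts have their own address formats; the circuit range is passed in rather than fixed because VCDs are local to the router and are not bound by the DLCI limits.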