ICND110S04 3. Start Router Basics

Uploaded by

Ismail Kurnaz

Exploring the Functions of Routing
Routers
Cisco 2800 Series Routers

 Routers have the following components:


– CPU
– Motherboard
– RAM
– ROM
 Routers have network adapters to which IP addresses are assigned.
 Routers may have the following two kinds of ports:
– Console: For the attachment of a terminal used for management
– Network: Different LAN or WAN media ports
 Routers forward packets based upon a routing table.
Router Basics (cont.)
The router is a computer that selects the best
paths and manages the switching of packets
between two different networks. Internal
configuration components of a router are as
follows:
External components of the router

WIC 2-T module


WIC 1-T module
Router Basics (cont.)

RAM/DRAM : Stores routing tables, ARP cache,
fast-switching cache, packet buffering (shared
RAM), and packet hold queues. RAM also
provides temporary and/or running memory for
the router's configuration file while the router is
powered on. RAM content is lost when you
power down or restart.

NVRAM : Nonvolatile RAM; stores a router's
backup/startup configuration file; content remains
the same when you power down or restart.
Router Basics (cont.)

Flash : Erasable, reprogrammable ROM; holds
the operating system image and microcode;
allows you to update software without removing
and replacing chips on the processor; content
remains when you power down or restart;
multiple versions of IOS software can be stored
in Flash memory.

ROM : Contains power-on diagnostics, a
bootstrap program, and operating system
software; software upgrades in ROM require
replacing pluggable chips on the CPU.
Router Basics (cont.)

Interface : Network connection through which packets
enter and exit a router; it can be on the motherboard or
on a separate interface module,
for example: Ethernet, Serial, Console, etc.
Management console
connections

USB-to-serial converter

Connect to the router with terminal emulation software
(e.g., the SecureCRT program)
Router Functions

RouterX# show ip route
D 192.168.1.0/24 [90/25789217] via 10.1.1.1
R 192.168.2.0/24 [120/4] via 10.1.1.2
O 192.168.3.0/24 [110/229840] via 10.1.1.3

1. Lets other routers know about changes
2. Determines where to forward packets
Path Determination
Routing Tables
Routing Table Entries

 Directly connected: Router attaches to this network


 Static routing: Entered manually by a system administrator
 Dynamic routing: Learned by exchange of routing information
 Default route: Statically or dynamically learned; used when no
explicit route to network is known
Routing Metrics
Starting a Router
Initial Startup of the Cisco Router

 System startup routines initiate router software
 Router falls back to startup alternatives if needed
Bootup Output from the Router

Unconfigured vs. Configured Router


Setup: The Initial Configuration Dialog
Setup Interface Summary

Any interface listed with OK? value "NO" does not have a valid configuration

Interface          IP-Address   OK?  Method  Status  Protocol
FastEthernet0/0    unassigned   NO   unset   up      up
FastEthernet0/1    unassigned   NO   unset   up      up
Serial0/0/0        unassigned   NO   unset   up      up
Serial0/0/1        unassigned   NO   unset   down    down

Interfaces Found During Startup


Setup Initial Global Parameters

Configuring global parameters:

Enter host name [Router]:RouterX

The enable secret is a password used to protect access to privileged
EXEC and configuration modes. This password, after entered, becomes
encrypted in the configuration.
Enter enable secret: Cisco1

The enable password is used when you do not specify an enable secret
password, with some older software versions, and some boot images.
Enter enable password: SanFran3

The virtual terminal password is used to protect access to the router
over a network interface.
Enter virtual terminal password: Sanj0se
Configure SNMP Network Management? [no]:
Setup Initial Protocol Configurations

Configure IP? [yes]:


Configure RIP routing? [yes]: no
Configure CLNS? [no]:
Configure bridging? [no]:

Depending on your software revision, this text may appear.
Setup Interface Parameters

Configuring interface parameters:

Do you want to configure FastEthernet0/0 interface? [yes]:


Use the 100 Base-TX (RJ-45) connector? [yes]:
Operate in full-duplex mode? [no]:
Configure IP on this interface? [yes]:
IP address for this interface: 10.2.2.11
Subnet mask for this interface [255.0.0.0] : 255.255.255.0
Class A network is 10.0.0.0, 24 subnet bits; mask is /24

Do you want to configure FastEthernet0/1 interface? [yes]: no

Do you want to configure Serial0/0/0 interface? [yes]: no

Do you want to configure Serial0/0/1 interface? [yes]: no


Cisco AutoSecure

Would you like to go through AutoSecure configuration? [yes]: no


AutoSecure dialog can be started later using "auto secure" CLI

Depending on your software revision, this text may appear.


Setup Script Review and Use
The following configuration command script was created:

hostname RouterX
enable secret 5 $1$aNMG$kV3mxjlWDRGXmfwjEBNAf1
enable password cisco
line vty 0 4
password sanjose
no snmp-server
!
ip routing
no clns routing
no bridge 1
!
interface FastEthernet0/0
media-type 100BaseX
half-duplex
ip address 10.2.2.11 255.255.255.0
no mop enabled
!
interface FastEthernet0/1
shutdown
no ip address
!
interface Serial0/0/0
shutdown
no ip address
!
interface Serial0/0/1
shutdown
no ip address
dialer-list 1 protocol ip permit
!
end
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2


Logging in to the Cisco Router
Router User-Mode Command List

RouterX>?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
-- More --

You can abbreviate a command to the fewest characters that
make a unique character string.
Router Privileged-Mode Command List
RouterX#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
access-template Create a temporary Access-List entry
bfe For manual emergency modes setting
cd Change current directory
clear Reset functions
clock Manage the system clock
configure Enter configuration mode
connect Open a terminal connection
copy Copy from one file to another
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
erase Erase a filesystem
exit Exit from the EXEC
help Description of the interactive help system
-- More --

You can complete a command string by entering the unique
character string, then pressing the Tab key.
show version Command
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

RouterX uptime is 2 days, 21 hours, 15 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

This product contains cryptographic features and is subject to United States and local country laws
governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors
and users are responsible for compliance with U.S. and local country laws. By using this product you agree
to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return
this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1107A6BB
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

RouterX#
Summary

 The Cisco router startup sequence is similar to the startup
sequence of the Cisco Catalyst switch. After performing POST,
the router finds and loads the Cisco IOS image. Finally, it finds
and loads the device configuration file.
 Use the enable command to access the privileged EXEC mode
from the user EXEC mode.
 After logging in to a Cisco router, you can verify the initial startup
status of a router by using the router status commands: show
version, show running-config, and show startup-config.
Configuring a Cisco Router
Overview of Router Modes
Saving Configurations

RouterX#
RouterX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…

RouterX#

Copies the current configuration to NVRAM


Configuring Router Identification
Console-Line Commands

RouterX(config)#line console 0
RouterX(config-line)#exec-timeout 20 30

 Modifies console session timeout

RouterX(config)#line console 0
RouterX(config-line)#logging synchronous

 Redisplays interrupted console input


Configuring an Interface

RouterX(config)#interface type number


RouterX(config-if)#

 type includes serial, ethernet, token ring, fddi, hssi,
loopback, dialer, null, async, atm, bri, tunnel, and so on
 number is used to identify individual interfaces

RouterX(config)#interface type slot/port


RouterX(config-if)#

 For modular routers, selects an interface

RouterX(config-if)#exit

 Quits from current interface configuration mode


Configuring an Interface Description

RouterX(config-if)# description string

 string is a comment or a description to help you remember
what is attached to this interface.
 The maximum number of characters for the string argument
is 238.
Disabling or Enabling an Interface

RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down

 Administratively turns off an interface

RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up

 Enables an interface that is administratively shut down


Configuring IP Addresses

 Unique addressing allows communication
between end stations
 Path choice is based on destination address
Router show interfaces and show ip interface brief Commands

RouterX#show interfaces
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 00e0.1e5d.ae2f (bia 00e0.1e5d.ae2f)
Internet address is 10.1.1.11/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:07, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
81833 packets input, 27556491 bytes, 0 no buffer
Received 42308 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
0 input packets with dribble condition detected
55794 packets output, 3929696 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 4 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Interpreting the Interface Status
Verifying a Serial Interface Configuration
Summary

 From the privileged EXEC mode, you can enter the global
configuration mode, providing access to other configuration
modes such as the interface configuration mode or line
configuration mode.
 The main function of a router is to relay packets from one network
device to another. To do this, the characteristics of the interfaces
through which the packets are received and sent must be defined.
Interface characteristics, such as the IP address and bandwidth,
are configured using the interface configuration mode.
Summary (Cont.)

 In a TCP/IP environment, end stations communicate seamlessly
with servers or other end stations. This communication occurs
because each node using the TCP/IP protocol suite has a unique
32-bit logical IP address.
 When the router interface configuration has been completed, it
can be verified by using show commands.
Exploring the Packet Delivery Process
Layer 2 Addressing
Layer 3 Addressing
Host-to-Host Packet Delivery (slides 1 to 17 of 17; figures not reproduced)

Host address labelled on slide 2: 192.168.4.2

Routing table shown on slide 11:

Destination       Next Hop    Interface
192.168.3.0/24    Connected   fa 0/0
192.168.4.0/24    Connected   fa 0/1
Using the show ip arp Command

Router# show ip arp

Protocol  Address          Age(min)  Hardware Addr   Type  Interface
Internet  172.69.233.229   -         0000.0c59.f892  ARPA  Ethernet0/0
Internet  172.69.233.218   -         0000.0c07.ac00  ARPA  Ethernet0/0
Internet  172.69.233.19    -         0000.0c63.1300  ARPA  Ethernet0/0
Internet  172.69.233.309   -         0000.0c36.6965  ARPA  Ethernet0/0
Internet  172.19.168.11    -         0000.0c63.1300  ARPA  Ethernet0/0
Internet  172.19.168.254   9         0000.0c36.6965  ARPA  Ethernet0/0
ping

Router#
ping [[protocol] {host-name | system-address}]
 To diagnose basic network connectivity, use the ping command in
user EXEC or privileged EXEC mode.
traceroute
Router#
traceroute [protocol] destination
 To discover the routes that packets will actually take when traveling
to their destination address, use the traceroute command in user
EXEC or privileged EXEC mode.
Summary
 If the hosts are not on the same segment, the frame is sent to the
default gateway.
 Packets sent to the default gateway will have the local host
source and remote host destination IP address.
 Frames sent to the default gateway will have the local host
source and the default gateway MAC address.
 A router will change the Layer 2 address as needed, but will not
change the Layer 3 address.
 The show ip arp command displays the mapping between
network addresses and MAC addresses that the router has
learned.
 Cisco IOS connectivity tools include ping and traceroute.
Understanding Cisco Router Security
Common Threats to Physical Installations

 Hardware threats
 Environmental threats
 Electrical threats
 Maintenance threats
Configuring a Router Password
Configuring the Login Banner

 Defines and enables a customized banner to be displayed before
the username and password login prompts

RouterX(config)# banner login " Access for authorized users only. Please enter your username and password. "
Telnet vs. SSH Access
 Telnet
– Most common access method
– Insecure
 SSH
– Encrypted
– IP domain must be defined
– key must be generated

!--- The username command creates the username and password for the SSH session
username cisco password 0 cisco

ip domain-name mydomain.com

crypto key generate rsa

ip ssh version 2

line vty 0 4
login local
transport input ssh
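
An added example, not part of the original slides or of any Cisco tool: a short Python audit that reads the setup-generated script and the SSH fragment shown on this page and reports the access-control weaknesses each one carries. The function name `audit` and the rule names are assumptions made for this illustration.

```python
import re

# Transcribed from this page: the script that setup generated (interface
# sections left out) and the fragment from the Telnet vs. SSH slide.
SETUP_SCRIPT = """\
hostname RouterX
enable secret 5 $1$aNMG$kV3mxjlWDRGXmfwjEBNAf1
enable password cisco
line vty 0 4
password sanjose
no snmp-server
!
ip routing
end
"""
SSH_FRAGMENT = """\
username cisco password 0 cisco
ip domain-name mydomain.com
ip ssh version 2
line vty 0 4
login local
transport input ssh
"""

ENABLE_RE = re.compile(r"enable password (?:([07]) )?\S+$")
USERNAME_RE = re.compile(r"username (\S+) password (?:([07]) )?(\S+)$")


def audit(config):
    """Return sorted (rule, where) findings; rule names are illustrative."""
    findings = set()
    section = None  # header of the block being read, e.g. "line vty 0 4"
    vty = {}        # vty header -> sub-commands seen under it
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd in ("!", "end"):
            section = None
            continue
        if cmd.startswith(("line ", "interface ")):
            section = cmd
            if cmd.startswith("line vty"):
                vty.setdefault(cmd, [])
            continue
        if section in vty:
            vty[section].append(cmd)
        # Global rules run on every line: the setup script is not indented,
        # so the end of a block is not always visible.
        if ENABLE_RE.match(cmd):
            # Type 0 is cleartext and type 7 is reversible.
            findings.add(("enable-password", "global"))
        m = USERNAME_RE.match(cmd)
        if m:
            name, ptype, value = m.groups()
            findings.add(("username-password-not-secret", name))
            if ptype in (None, "0") and value == name:
                findings.add(("password-equals-username", name))
    for header, cmds in vty.items():
        if "login local" not in cmds:
            findings.add(("vty-no-per-user-login", header))
        inputs = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not inputs or any(p != ["ssh"] for p in inputs):
            findings.add(("vty-telnet-not-excluded", header))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("setup script", SETUP_SCRIPT), ("SSH fragment", SSH_FRAGMENT)):
        for rule, where in audit(text):
            print(f"{label}: {rule} ({where})")
```

The hashed counterparts of the flagged commands in IOS are `enable secret` and `username <name> secret <password>`.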
Summary

 The first level of security is physical.
 Passwords can be used to restrict access.
 The login banner can be used to display a message before the
user is prompted for a username.
 Telnet sends the session traffic in cleartext; SSH encrypts the
traffic.
Using the Cisco SDM (Security Device Manager)
Cisco Router and Security Device Manager
What Is Cisco SDM?
 Embedded web-based management tool
 Provides intelligent wizards to enable quicker and easier
deployments and does not require knowledge of Cisco IOS CLI or
security expertise
 Tools for more advanced users:
– ACL editor
– VPN crypto map editor
– Cisco IOS CLI preview
Supported Cisco Routers and Cisco IOS Software Releases

 Cisco SDM is supported on a number of Cisco router
platforms and Cisco IOS Software releases.
 Always verify Cisco SDM router and Cisco IOS release
support at www.cisco.com/go/sdm.
Configuring Your Router to Support SDM

1. Enable the HTTP and HTTPS servers on your router.
2. Create a user account defined with privilege level 15 (enable
privileges).
3. Configure SSH and Telnet for local login and privilege level 15.
SDM Startup
Cisco SDM Main Window Layout and Navigation
Menu Bar
Toolbar
Router Information
Configuration Overview
Cisco SDM Wizards
 LAN configuration: Configure LAN interfaces and
DHCP
 WAN configuration: Configure PPP, Frame Relay, and
HDLC WAN interfaces
 Firewall
 VPN
 Security audit: Perform a router security audit, with a
button for router lockdown
 IPS: Intrusion prevention system
 QoS: Quality of service
Summary

 Cisco SDM is a useful tool for configuring Cisco access routers.
 Cisco SDM contains several easy-to-use wizards for efficient
configuration of Cisco access routers.
 Cisco SDM allows you to customize Cisco access router
configurations using advanced features.
Using a Cisco Router as a DHCP Server
Understanding DHCP
 DHCP is built on a client-server model, as follows:
– The DHCP server hosts allocate network addresses and deliver
configuration parameters.
– The term "client" refers to a host requesting initialization
parameters from a DHCP server.
 DHCP supports these three mechanisms for IP address allocation:
– Automatic allocation; DHCP assigns a permanent IP address to a
client.
– Dynamic allocation; DHCP assigns an IP address to a client for a
limited period of time.
– Manual allocation; A client IP address is assigned by the network
administrator, and DHCP is used simply to convey the assigned
address to the client.
 Dynamic allocation is the only mechanism that allows automatic reuse of an
address that is no longer needed by the client to which it was
assigned.
DHCP
Using a Router as a DHCP Server

Cisco IOS Software includes a full DHCP server
implementation:
 Assigns IP addresses from specified address pools within the
router
 Can be configured to assign the IP address of these components:
– Domain Name System (DNS) server
– Default router
DHCP Server Using a Router
Additional Tasks
DHCP Pool
Checking the DHCP Configuration
DHCP Pool Status
show ip dhcp conflict

RouterX# show ip dhcp conflict

IP address    Detection Method   Detection time
172.16.1.32   Ping               Feb 16 2007 12:28 PM
172.16.1.64   Gratuitous ARP     Feb 23 2007 08:12 AM
Summary

 DHCP is built on a client-server model.


 DHCP server hosts allocate network addresses and deliver
configuration parameters.
 Cisco IOS Software includes a DHCP server.
 Cisco SDM can be used to configure a DHCP server on a router.
 The required configuration items are as follows:
– Pool name
– Pool network and subnet
– Starting and ending addresses
 Cisco SDM can be used to monitor a DHCP server on the router.
 The show ip dhcp conflict command can be used to find
conflicts.
Accessing Remote Devices
Using Telnet to Connect to Remote Devices
telnet
Viewing Telnet Connections
Viewing SSH Connections

RouterB# show ssh

Connection  Version  Encryption  State            Username
0           1.5      3DES        Session Started  guest
Suspending and Resuming a Telnet Session
Closing a Telnet Session
Using the ping and traceroute Commands

RouterX#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

RouterX#trace 192.168.101.101
Type escape sequence to abort.
Tracing the route to 192.168.101.101
1 p1r1 (192.168.1.49) 20 msec 16 msec 16 msec
2 p1r2 (192.168.1.18) 48 msec * 44 msec
RouterX

Tests the connectivity and path to a remote device


Summary

 Once connected to a remote device, you may want to access a
local device without terminating the Telnet session. Telnet allows
temporary suspension and then resumption of a remote session.
 Ending a Telnet session on a Cisco device uses the exit, logout,
disconnect, or clear commands.
 The ping and trace commands provide information about the
connectivity with and path to remote devices.
Module Summary

 Cisco routers operate at Layer 3, and their function is path
determination.
 Binary numbers are based on the “powers of 2.”
 IP addressing:
– Dotted decimal representation of a binary string
– Identifies the network, subnet, and host
 Routers have a startup process where they test the hardware and
load the operating system and configuration.
Module Summary (Cont.)

 Basic router configuration is usually done through the console
port using CLI and consists of the host address and interface IP
addressing.
 Routers have hardware, environmental, electrical, and
maintenance-related security threats similar to switches.
 Basic router security consists of a login banner and Telnet and
SSH.
Module Summary (Cont.)

 The Cisco IOS DHCP server is a full DHCP server that can be
configured using Cisco SDM.
 Cisco IOS commands provide a set of tools for remote accessing
and testing, as follows:
– Telnet
– SSH
– ping
– traceroute
