Configuring a Cisco 2821 Router for a T1
This page describes basic procedures for setting up a Cisco 2821 router for our institute. The LAN consists of two subnets fed by a T1 line. We have a minimal installation that handles about fifty PCs. The process of programming a router is actually simple, but it can be intimidating for new users, and it's easy to get locked out of the router. We also describe how to create a stateful firewall on a Cisco router.
When purchasing hardware from Cisco, always order a minimal configuration. It's better to keep other components, such as wireless access points, as separate components rather than loading up the router with expensive interface cards and options that may conflict with each other. Another tip: Don't buy too small a router. A slow router might be able to handle a T1, but if you have more than one subnet, a slow router will be a disaster. The first time someone backs up a Windows PC across a subnet, your network will slow to a crawl and everyone will blame you.
Make sure you purchase a router with an IOS image that includes the cryptographic feature set (the "k9" images, which carry 3DES/AES IPsec), because SSH depends on it. Without it you can only manage the router over telnet, which sends your username and password across the network in clear text. Unfortunately, it's an expensive option, and our router did not have it.
|Component|Nextwarehouse part no.|Description|
|---|---|---|
|Router|134535|Cisco 2821 AC power router|
This router has two Gigabit Ethernet ports labeled GE 0/0 and GE 0/1. It's supplied without a CSU/DSU, which is a plug-in card that is essential for connecting to a T1 line. If you have something else, like a PRI ISDN line, obviously a different card will be needed. The process of configuring an order from Cisco is a little complex; it's recommended to use their online ordering tool to avoid ordering incompatible parts. It's also a good idea to have an extra CSU/DSU, or even an entire extra router, in case your line gets struck by lightning (which happened to us, twice). If your cable was installed properly (lightning arrestors and all) it's unlikely that your router will get fried, but many times you will need proof that your equipment is okay before the telco will bother to check their line.
First-time router setup
- With the power cable unplugged, plug the CSU/DSU card into the lowest-numbered narrow slot (HWIC slot) on the rear panel of the router.
- Using a straight-through patch cable, connect the GE0/0 port on the rear of the router to a PC running Windows. For other routers, you may have to connect to some other port; the Quick Start documentation that came with the router says which. Although the instructions specify a crossover cable, a regular patch cable works fine (the Gigabit port detects the pairing itself).
- Using the light blue Cisco console cable supplied with the router, connect the RJ-45 port labeled "console" to the serial port of another computer running a terminal emulator such as Minicom.
- Set the serial port on the terminal emulator to 9600-8-N-1, no flow control.
- Attach a ground wire to the router using the included ground connector.
- Power up the router, but do not press any keys on the terminal. If you do, the default one-time password might become invalidated and you will be locked out.
The messages that appear on the terminal console screen will determine how you set up the router. If it says:
Would you like to enter the initial configuration dialog [yes/no]:
it means you should configure it through the serial console. If it says:
yourname con0 is now available Press RETURN to get started.
it means the router has a security package called Cisco Router and Security Device Manager (SDM). In this case, you need to use a Windows computer to provision it. Our router had the SDM, so we had to use the <spit> Windows interface.
Configuration through Windows
If the router has SDM, Cisco provides special software to configure it. Unfortunately, this is not necessarily as easy as it sounds. In our case, Windows was unable to read Cisco's CD-ROM. It only found the top-level directories on the CD, but couldn't run setup or show the contents of any of the directories. Making a fresh copy of the CD didn't help. The only solution was to copy all the files onto a Linux machine, reset the permissions recursively to a+r, and then create a new CD.
- Set the PC to a static IP of 10.10.10.2, subnet mask 255.255.255.248. Leave the other settings blank.
- Disable the Windows Firewall and any popup blockers within the default browser (usually IE); the blocker is under Tools | Pop-up Blocker in the main IE menu. Re-enable both when you're done. Start the Cisco SDM Express software. It should open a browser. If the browser can't find your router, try entering 10.10.10.1 in the address bar.
- If you don't have the Cisco CD, launch IE and navigate to http://10.10.10.1. Enter the default username 'cisco' and password 'cisco'. This default account is good for one login only: before you log off you must create your own administrative user with the following command, or you will be locked out:

    username <your username> privilege 15 secret 0 <your password>

  ("secret 0" means you are typing the password in clear text; IOS stores it as a hash, which is why the saved configuration later shows "secret 5" followed by an encrypted string.)
- If you have the CD, just follow the instructions and enter the configuration data as shown in the table below (making any changes as needed).
Enter the following for your local area network:

|LAN Interface - GigabitEthernet||
|---|---|
|IP address|IP address of router|
|Subnet Mask or bits|Subnet mask|
|DNS|IP addresses of two DNS servers|
For the T1 connection, click on "Add connection" and enter the values your ISP gave you. For our T1 line, we used the following:

|WAN Interface - Serial0/0/0.1||
|---|---|
|Use IETF encapsulation|yes|
|Default route|Create default route|
Don't just make up numbers here; your ISP should provide them. They must be correct for your circuit, or your T1 won't work properly. In particular, watch out for accidentally setting your IP address on the WAN interface instead of the LAN interface. If you do that, the software will silently delete your LAN IP address and you will have to do some fancy footwork on the serial console to get back in. Most T1 lines are "unnumbered"; they are just point-to-point, and don't need an address.
Accept the security configuration the wizard proposes, with one exception: we left SNMP enabled, because we use it for monitoring (see below); if you don't, let the wizard disable it. Click Finish. It will create a valid startup-config on the router for you. At this point you can toss out the Windows computer and finish the configuration in the serial console.
Configuring from console
The Web interface is pretty minimal. Even for a routine provisioning, you will probably need to use the CLI. Log in over the serial console using your new username and password. "show" commands are run from the privileged EXEC prompt, not from inside "conf t" (in configuration mode you would have to prefix them with "do"):

    enable
    show interface GigabitEthernet0/0

If the output says "administratively down", the port has been shut down in the configuration. Bring it up with:

    conf t
    interface GigabitEthernet0/0
     no shutdown
    end

The green link LEDs next to the port should go on.
Adding a second subnet
If you have two subnets on the same interface, add the second one as a secondary address:

    conf t
    interface GigabitEthernet0/0
     ip address 22.214.171.124 255.255.255.192 secondary
    end

Note that you put the router's own address in the second subnet here, not the network address, followed by that subnet's mask. Be sure to substitute your own IP address and subnet mask in that line, otherwise it won't work. Hosts in the two subnets reach each other through the router, so traffic between them passes through this interface.
If you want to enable NetFlow to keep tabs on the type of traffic going through the router, turn on flow switching on the LAN interface and then configure the export (the ip flow-export lines are global commands, so they go after you leave the interface):

    conf t
    interface GigabitEthernet0/0
     ip route-cache policy
     ip route-cache flow
    exit
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5
    ip flow-export destination 126.96.36.199 9991
    end

Be sure to substitute the address of your own collector in that last line, otherwise all your flow will belong to us. (ip route-cache policy is for policy routing and is not needed for NetFlow; it is shown because it was in our configuration.) Version 5 export is plain UDP with no authentication, so keep the collector on the LAN and have it accept datagrams only from the router's address.
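What the collector on port 9991 actually receives is a stream of NetFlow version 5 datagrams: a 24-byte header followed by up to 30 fixed-size 48-byte records. The following decoder is an added example, not code from the original page or from any collector product; it assumes the standard v5 layout, and the datagram it decodes is constructed inline from documentation-range addresses (192.0.2.0/26 playing our LAN) rather than captured from a router.

```python
"""Decode NetFlow v5 export datagrams and pull out the two things a small site
usually wants from them: who is moving the most bytes, and which outside hosts
are sending SYNs that never get answered. Added example, not from the original
page; the sample datagram and all addresses below are constructed."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# Header (24 bytes) and flow record (48 bytes) layouts of the v5 format.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10


def build_v5(records):
    """Constructed sender: pack records into one export datagram (test helper)."""
    header = V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(V5_RECORD.pack(*r) for r in records)


def parse_v5(datagram: bytes):
    """Return one dict per flow record, or raise ValueError on a bad datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for n in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],   # flags are ORed over the flow
        })
    return flows


def octets_by_talker(flows):
    """Bytes per (src, dst, dport): this is where the cross-subnet backup shows up."""
    c = Counter()
    for f in flows:
        c[(f["src"], f["dst"], f["dport"])] += f["octets"]
    return c


def unanswered_syn_sources(flows):
    """Sources of TCP flows that only ever carried SYN (no ACK seen): a crude
    scan indicator, since a completed handshake would have set ACK."""
    return sorted({f["src"] for f in flows
                   if f["proto"] == TCP and f["tcp_flags"] & (SYN | ACK) == SYN})


def _rec(src, dst, pkts, octets, sport, dport, flags, proto):
    """Constructed record; nexthop, times, AS numbers and padding are zeroed."""
    return (IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
            1, 2, pkts, octets, 0, 0, sport, dport, 0, flags, proto, 0,
            0, 0, 26, 26, 0)


SAMPLE = build_v5([
    # a Windows backup crossing from the first subnet to the second
    _rec("192.0.2.10", "192.0.2.70", 500_000, 600_000_000, 49152, 445, SYN | ACK, TCP),
    _rec("192.0.2.12", "198.51.100.53", 1, 64, 5353, 53, 0, UDP),
    # an outside host probing RDP: SYNs only, nothing ever came back
    _rec("198.51.100.99", "192.0.2.10", 30, 1800, 40000, 3389, SYN, TCP),
])
```

Feed the datagrams a UDP socket bound to the collector port receives to parse_v5 and aggregate from there. The length check catches truncated datagrams; it does nothing against forged ones, which is why the collector should discard anything not sent from the router's address.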
SNMP is a protocol for getting data from the router. For example, MRTG uses SNMP to create a nice graph of your bandwidth utilization. If you want to activate it, type the following:

    conf t
    snmp-server community mypassword
    snmp-server packetsize 2048
    snmp-server enable traps snmp
    end

The community string is the only credential SNMP v1/v2c has, and it crosses the network in clear text, so choose something other than "public", and restrict the community to read-only and to your monitoring host (the RO keyword followed by the number of a standard access list, on the same snmp-server community line). Mrtg is not usually run as a daemon, but is started every five minutes from your crontab.
Other useful commands
This command raises the number of failed logins allowed within a minute from three to ten. When the threshold is reached the router logs the event and imposes a 15-second delay before it accepts another attempt; it is a slow-down, not a permanent lockout:

    conf t
    security authentication failure rate 10 log

This command sends all the log and error messages, as syslog, to the computer with the specified IP (the logging trap line in the configuration below sets the severity level that is sent):

    conf t
    logging 192.168.2.3

These commands show the status of your interfaces:

    sh ip interface brief
    sh interface
    sh interface Serial0/0/0.1

This next command saves your configuration in non-volatile RAM, so your changes will be remembered if the router is rebooted. (Don't issue this command until you're 100% sure everything is working.)

    copy running-config startup-config
Here is the startup configuration that was produced, with irrelevant parts omitted:

    Using 3571 out of 245752 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname <hostname here>
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 <encrypted string here>
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    !
    ip cef
    !
    !
    no ip bootp server
    ip domain name <Our domain name here>
    ip name-server <IP address here>
    ip name-server <IP address here>
    !
    username <username here> privilege 15 secret 5 <encrypted string here>
    !
    !
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
     ip address <IP address here> 255.255.255.192 secondary
     ip address <IP address here> 255.255.255.192
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache policy
     ip route-cache flow
     duplex auto
     speed auto
     no mop enabled
    !
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     shutdown
     duplex auto
     speed auto
     no mop enabled
    !
    interface Serial0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     encapsulation frame-relay
     ip route-cache flow
     frame-relay lmi-type ansi
    !
    interface Serial0/0/0.1 point-to-point
     ip unnumbered GigabitEthernet0/0
     ip access-group infilter in
     ip access-group outfilter out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     frame-relay interface-dlci 500 IETF
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5
    ip flow-export destination <IP address here> 9991
    !
    logging trap debugging
    logging <IP address here>
    no cdp run
    !
    control-plane
    !
    line con 0
     login local
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     privilege level 15
     login local
     transport input telnet
    line vty 5 15
     privilege level 15
     login local
     transport input telnet
    !
    scheduler allocate 20000 1000
    !
    end

Two things worth noticing in this configuration: the vty lines accept telnet from anywhere the router is reachable, since there is no access-class restricting them to the LAN (add one, or at least make sure the firewall below denies port 23 to the router's own addresses from outside); and service password-encryption only obscures passwords with the reversible type 7 scheme, so the "secret 5" hashes on the enable and username lines are the ones doing the real work.
Creating a firewall on a Cisco router
To create a firewall, you construct an access control list (ACL) and then apply it to the Serial (T1) subinterface. We keep the firewall as a text file that is sent to the router by tftp, cut-and-paste over a terminal, or some other means. We don't save it in the startup-config, because it changes frequently; the price of that is that a router which reboots (power cut, lightning) comes up with no filtering at all until the file is pasted in again, so keep the file somewhere you can get at it quickly. Also, if you make a mistake in your firewall, you can easily lock yourself out. The firewall has several parts:
- Delete the existing firewall.
- Access-list commands for incoming traffic (the largest section, where you block the people you hate, and throw away any malformed packets).
- Access-list commands for outgoing traffic.
- 'Evaluate' commands.
- Apply the access list to the Serial subinterface (i.e., your connection to the Internet). You wouldn't apply this firewall to the GigabitEthernet interface: the router forwards traffic between your two subnets through that interface, so an ACL there would filter your own users' traffic to each other as well as traffic from the Internet.
The first time you install the firewall, it's best to enter it into the router one line at a time. This way, you can easily catch and correct any errors. Two things make mistakes cheaper. First, schedule a fallback reload before you start (reload in 15, then reload cancel once you have confirmed you can still log in), so a list that locks you out is undone automatically when the router reverts to its saved configuration. Second, lines starting with "!" are discarded by the parser when pasted, so the comments below never appear in the running configuration; use the remark keyword inside the list if you want them kept.
Here is part of our firewall, with any sensitive information removed. The commands are mostly self-explanatory. The only tricky part is the "reflect myfilter" / "evaluate myfilter" pair. Reflect means it is a reflexive access list: when an outbound packet matches a permit line ending in "reflect myfilter", the router creates a temporary entry, with the addresses and ports swapped, in a list called myfilter, and the "evaluate myfilter" line in the inbound list lets the matching return traffic in. Entries expire after a timeout, so this is basically a "stateful" firewall. Note, though, that the "permit tcp any any established" line used further down is not stateful at all: it matches any TCP segment with the ACK or RST bit set, whoever sent it, so an attacker can reach any port not explicitly denied above that line simply by setting ACK (an nmap ACK scan does exactly this). With that line in place the reflexive entries only add protection for UDP; if you want the reflexive list to do the work for TCP as well, leave the established line out and let the evaluate lines admit the return traffic.
Also, a definition is needed: a source mask (Cisco calls it a wildcard mask) is the bit inverse of a netmask, so a /26 netmask of 255.255.255.192 becomes 0.0.0.63. Each bit that is not set indicates that the corresponding bit in the address must match; each bit that is set means "don't care". If the source mask is all zeroes, all 32 bits must match and the line applies to a single host (the same as writing "host" before the address); a mask of 255.255.255.255 matches any address (the same as "any").
As with a computer program, firewalls accumulate a certain amount of cruft over the years. It's best to keep them simple so they can be easily understood by the guy who gets your job after you're fired.
Don't just copy this firewall and try to use it. It must be customized with your own IP addresses or it won't work.
Disabling the existing firewall
Named ACLs are edited by appending, so an old list must be removed before the new one is pasted in, or stale lines will remain in front of the new ones. Take the access groups off the subinterface first; a subinterface whose access-group names an ACL that no longer exists passes everything, so paste the new list straight afterwards (or build the new list under a different name and switch the access-group over, which avoids the unfiltered window entirely). The directed-broadcast and source-route commands are unrelated hardening that we re-apply at the same time; ip source-route is a global command, not an interface one.

    config t
    no ip source-route
    interface GigabitEthernet0/0
     no ip directed-broadcast
    exit
    interface Serial0/0/0.1
     no ip directed-broadcast
     no ip access-group infilter in
     no ip access-group outfilter out
    exit
    no ip access-list extended infilter
    no ip access-list extended outfilter
Access list for incoming traffic
Note that the deny commands come first. The list is evaluated top to bottom and the first matching line decides, with an implicit "deny everything" after the last line, so a deny placed below a broader permit would never be reached.
    !
    !First create an access list called infilter.
    !
    ip access-list extended infilter
    !First we have a number of special cases for people who attacked us.
    !The notation is: source-address source-mask destination.
    !Since we are blocking a single computer, the source mask is all 0
    !(the same thing as "host" followed by the address).
     deny ip 188.8.131.52 0.0.0.0 any
     deny ip 184.108.40.206 0.0.0.0 any
     deny ip 220.127.116.11 0.0.0.0 any
     deny ip 18.104.22.168 0.0.0.0 any
     deny ip 22.214.171.124 0.0.0.0 any
    !block known ssh and ftp portscanners - most recent 3 are shown
     deny ip 126.96.36.199 0.0.0.0 any
     deny ip 188.8.131.52 0.0.0.0 any
     deny ip 184.108.40.206 0.0.0.0 any
    !The next section blocks spoofed packets: packets arriving from the
    !Internet that claim to come from our own two subnets.
    !Substitute your own network addresses and mask here. Use "ip" rather
    !than "tcp" so that spoofed UDP and ICMP are dropped as well.
     deny ip 220.127.116.11 0.0.0.63 any
     deny ip 18.104.22.168 0.0.0.63 any
    !Block packets from non-routable (RFC 1918 and loopback) addresses.
    !This is pretty standard.
     deny ip 192.168.0.0 0.0.255.255 any
     deny ip 172.16.0.0 0.15.255.255 any
     deny ip 10.0.0.0 0.255.255.255 any
     deny ip 127.0.0.0 0.255.255.255 any
     deny ip 22.214.171.124 126.96.36.199 any
    !Block other bad packets: an unspecified source, and destinations that
    !are the all-ones (broadcast) or all-zeros address of a /24.
     deny ip host 0.0.0.0 any
     deny ip any 0.0.0.255 255.255.255.0
     deny ip any 0.0.0.0 255.255.255.0
    !Now we have another section where we block a couple of networks.
    !block one particular batch of virus-infested computers sending stuff on port 25
     deny tcp 188.8.131.52 0.0.0.255 any eq 25
    !Allow incoming http to any host on our network. This could cause
    !problems because malware often listens on 80; open it only for the
    !machines that really serve web pages if you can. Substitute your own
    !network address and mask.
     permit tcp any <network address here> 0.0.0.63 eq 80 reflect myfilter
    !Block a number of ports, including 0 and the Windows ports.
    !block kazaa and netbios, also witty UDP/4000 and port 0.
    !Connections to these ports should never be coming in from outside.
     deny tcp any any eq 0
     deny udp any any eq 0
     deny tcp any any eq 135
     deny udp any any eq 135
     ... etc...
    !"established" matches any TCP segment with ACK or RST set, no matter
    !who sent it. It lets the return half of our outbound connections in,
    !but also lets a forged ACK through to any port not denied above, so
    !from here on the reflexive "evaluate" lines only protect UDP.
     permit tcp any any established
    !Our policy is to allow all icmp, because it's essential for
    !testing connectivity.
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any time-exceeded
     permit icmp any any traceroute
     permit icmp any any unreachable
     permit icmp any any ttl-exceeded
     permit icmp any any net-unreachable
     permit icmp any any host-unreachable
     permit icmp any any source-quench
     permit icmp any any packet-too-big
    !The next line permits every ICMP type, which makes the specific lines
    !above it redundant; delete it if you ever want to tighten this.
     permit icmp any any
    !Ports to leave open for everybody
    !The notation here is network address followed by source mask.
    !This allows anyone on our network to accept connections on these ports.
     permit tcp any 184.108.40.206 0.0.0.63 eq 113 reflect tcpfilter
    !openvpn is on udp 1194 or 5000. Better let in tcp as well.
     permit tcp any any eq 1194 reflect tcpfilter
     permit udp any any eq 1194 reflect tcpfilter
     permit tcp any any eq 1195 reflect tcpfilter
     permit udp any any eq 1195 reflect tcpfilter
     permit udp any any eq 5000 reflect tcpfilter
     permit tcp any any eq 5000 reflect tcpfilter
     permit udp any any eq 5001 reflect tcpfilter
     permit tcp any any eq 5001 reflect tcpfilter
    !This section opens specific ports on our servers. The first four
    !lines are shown. The 0.0.0.0 mask means these lines apply to
    !a single computer. (Port 23 is telnet, which is clear text; it is
    !listed because it was in our list, not because it is a good idea.)
     permit tcp any <IP address here> 0.0.0.0 eq 20 reflect tcpfilter
     permit tcp any <IP address here> 0.0.0.0 eq 21 reflect tcpfilter
     permit tcp any <IP address here> 0.0.0.0 eq 22 reflect tcpfilter
     permit tcp any <IP address here> 0.0.0.0 eq 23 reflect tcpfilter
    !Finally, the reflexive lists are evaluated (these lines are part of
    !the ACL and are checked in order like any other), then we exit.
     evaluate tcpfilter
     evaluate myfilter
    exit
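The behaviour described above (first-match order, wildcard masks, reflexive entries, and what "established" does and does not check) can be tried out without a router. The following Python is an added example, not code from the original page or from Cisco: it simulates IOS extended-ACL evaluation for the subset of syntax used on this page, using constructed documentation-range addresses (192.0.2.0/26 as our subnet, 198.51.100.0/24 as the Internet), and it models neither entry timeouts nor ICMP type keywords.

```python
"""Simulate how IOS evaluates the extended access lists on this page: first
match wins (implicit deny at the end), wildcard (inverse) masks, the 'established'
keyword and reflexive 'reflect'/'evaluate' pairs. Added example, not code from the
original page; all addresses are constructed documentation-range values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

def netmask_to_wildcard(mask: str) -> str:
    return str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))  # bit inverse

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match; a 1 bit is 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # ACK or RST bit set: all that 'established' looks at

def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; None means any."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

@dataclass
class Firewall:
    reflexive: dict = field(default_factory=dict)   # shared by both lists

    def evaluate(self, acl, pkt: Packet) -> bool:
        """True if the list permits the packet (ICMP type names not modelled)."""
        for line in acl:
            tok = line.split()
            if not tok or tok[0].startswith("!"):
                continue
            if tok[0] == "evaluate":        # mirror image of a 'reflect' entry?
                if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflexive.get(tok[1], ()):
                    return True
                continue
            action, proto = tok[0], tok[1]
            src, i = _addr(tok, 2)
            dst, i = _addr(tok, i)
            dport, established, reflect = None, False, None
            while i < len(tok):             # optional trailing keywords
                if tok[i] == "eq":
                    dport, i = int(tok[i + 1]), i + 2
                elif tok[i] == "established":
                    established, i = True, i + 1
                elif tok[i] == "reflect":
                    reflect, i = tok[i + 1], i + 2
                else:
                    i += 1
            if (proto not in ("ip", pkt.proto)
                    or (src and not wildcard_match(pkt.src, *src))
                    or (dst and not wildcard_match(pkt.dst, *dst))
                    or (dport is not None and pkt.dport != dport)
                    or (established and not (pkt.proto == "tcp" and pkt.ack))):
                continue
            if action == "permit" and reflect:   # temporary entry for the reply
                self.reflexive.setdefault(reflect, set()).add(
                    (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return action == "permit"
        return False                        # implicit deny

INFILTER = [
    "deny ip host 198.51.100.7 any",           # someone who attacked us
    "deny ip 192.0.2.0 0.0.0.63 any",          # anti-spoofing: our own /26
    "permit tcp any 192.0.2.0 0.0.0.63 eq 80 reflect tcpfilter",
    "evaluate myfilter",
]
OUTFILTER = [
    "permit udp 192.0.2.0 0.0.0.63 any eq 53 reflect myfilter",
    "evaluate tcpfilter",
]

def demo() -> dict:
    fw, r = Firewall(), {}
    r["blocked_host_http"] = fw.evaluate(INFILTER, Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80))
    r["other_host_http"] = fw.evaluate(INFILTER, Packet("tcp", "198.51.100.8", "192.0.2.10", 40001, 80))
    r["spoofed_source"] = fw.evaluate(INFILTER, Packet("tcp", "192.0.2.5", "192.0.2.10", 40002, 80))
    # Reflexive: a DNS reply is only let in after our own query created an entry.
    reply = Packet("udp", "198.51.100.53", "192.0.2.10", 53, 5353)
    r["reply_before_query"] = fw.evaluate(INFILTER, reply)
    fw.evaluate(OUTFILTER, Packet("udp", "192.0.2.10", "198.51.100.53", 5353, 53))
    r["reply_after_query"] = fw.evaluate(INFILTER, reply)
    # 'established' is not stateful: an unsolicited ACK-flagged probe gets in.
    probe = Packet("tcp", "198.51.100.99", "192.0.2.10", 40003, 3389, ack=True)
    r["ack_probe_reflexive_only"] = fw.evaluate(INFILTER, probe)
    r["ack_probe_with_established"] = fw.evaluate(
        INFILTER[:-1] + ["permit tcp any any established", "evaluate myfilter"], probe)
    return r
```

Running demo() shows the three points in one go: the blocked host is denied even though the http permit further down would match it, the DNS reply is denied until our own query has created the reflexive entry, and the ACK-flagged probe to 3389 is denied by the reflexive-only list but permitted as soon as the established line is present.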
Next we do the same thing for outgoing traffic. This obviously can be less strict, because we want to allow our users to be able to establish outgoing connections.
    !
    !First create an access list called outfilter.
    !
    ip access-list extended outfilter
    ! block some ports
     deny tcp any any eq 135
     deny udp any any eq 135
     deny tcp any any eq 137
     ... etc ...
    !Allow anyone on our two subnets to initiate an outgoing TCP connection
    !to any port. "reflect myfilter" creates the temporary entry that lets
    !the replies back in through infilter.
     permit tcp 220.127.116.11 0.0.0.63 any reflect myfilter
     permit tcp 18.104.22.168 0.0.0.63 any reflect myfilter
    !Or, to allow only DNS, use lines like these instead. DNS queries are
    !normally UDP, so both protocols are needed.
     permit udp 22.214.171.124 0.0.0.63 any eq 53 reflect myfilter
     permit udp 126.96.36.199 0.0.0.63 any eq 53 reflect myfilter
     permit tcp 22.214.171.124 0.0.0.63 any eq 53 reflect myfilter
     permit tcp 126.96.36.199 0.0.0.63 any eq 53 reflect myfilter
    !If they establish a connection, they can use other ports.
     permit tcp any any established
    !Our policy is to allow all icmp, because it's essential for
    !testing connectivity.
     permit icmp any any echo
     permit icmp any any echo-reply
     ... etc ...
    !Now evaluate all the filters
     evaluate tcpfilter
     evaluate myfilter
    exit
Finally, we apply the access lists to the subinterface that carries our connection to the Internet, Serial0/0/0.1 (not the parent Serial0/0/0, which has no IP address of its own):

    !
    ! apply the ACLs to Serial0/0/0.1
    !
    interface Serial0/0/0.1
     ip access-group infilter in
     ip access-group outfilter out
    exit
    exit