Linux Setup Notes
name and address
created sep 25, 2008

Configuring a Cisco 2821 Router for a T1

This page describes basic procedures for setting up a Cisco 2821 router for our institute. The LAN consists of two subnets fed by a T1 line. We have a minimal installation that handles about fifty PCs. The process of programming a router is actually simple, but it can be intimidating for new users, and it's easy to get locked out of the router. We also describe how to create a stateful firewall on a Cisco router.

Components

Cisco 2821 router (front view) Front view of Cisco 2821 router ... or maybe the back

When purchasing hardware from Cisco, always order a minimal configuration. It's better to keep other components, such as wireless access points, as separate components rather than loading up the router with expensive interface cards and options that may conflict with each other. Another tip: Don't buy too small a router. A slow router might be able to handle a T1, but if you have more than one subnet, a slow router will be a disaster. The first time someone backs up a Windows PC across a subnet, your network will slow to a crawl and everyone will blame you.

Make sure you purchase a router that includes a triple DES (3DES) IPSec version of the IOS, or you will only be able to connect to it using telnet; secure shell (SSH) will not work. Unfortunately, it's an expensive option, and our router did not have it.

Compo­nent Next­ware­house part no. Descrip­tion
Router 134535 Cisco 2821 AC power router
CSU/DSU 52193 WIC-1DSU-T1-V2

This router has two Gigabit Ethernet ports labeled GE 0/0 and GE 0/1. It's supplied without a CSU/DSU, which is a plug-in card that is essential for connecting to a T1 line. If you have something else, like a PRI ISDN line, obviously a different card will be needed. The process of configuring an order from Cisco is a little complex; it's recommended to use their online ordering tool to avoid ordering incompatible parts. It's also a good idea to have an extra CSU/DSU, or even an entire extra router, in case your line gets struck by lightning (which happened to us, twice). If your cable was installed properly (lightning arrestors and all) it's unlikely that your router will get fried, but many times you will need proof that your equipment is okay before the telco will bother to check their line.

First-time router setup

  1. With the power cable unplugged, plug the CSU/DSU card into the lowest-numbered narrow slot (HWIC slot) in the back (or is it the front?) of the router.
  2. Using a straight-through patch cable, connect the GE0/0 port on the back of the router to a PC running Windows. For other routers, you may have to connect to some other port. This would be indicated in the Quick Start documentation that came with the router. Although the instructions specify a crossover cable, a regular patch cable works fine.
  3. Using the light blue Cisco cable supplied with the router, connect the port labeled "console" on the front of the router to the serial port of another computer running a terminal emulator such as Minicom.
  4. Set the serial port on the terminal emulator to 9600-8-N-1, no flow control.
  5. Attach a ground wire to the router using the included ground connector.
  6. Power up the router, but do not press any keys on the terminal. If you do, the default one-time password might become invalidated and you will be locked out.

The messages that appear on the terminal console screen will determine how you set up the router. If it says: 

Would you like to enter the initial configuration dialog [yes/no]:

it means you should configure it through the serial console. If it says: 

yourname con0 is now available
Press RETURN to get started.

it means the router has a security package called Cisco Router and Security Device Manager (SDM). In this case, you need to use a Windows computer to provision it. Our router had the SDM, so we had to use the <spit> Windows interface.

Configuration through Windows

If the router has SDM, Cisco provides special software to configure it. Unfortunately, this is not necessarily as easy as it sounds. In our case, Windows was unable to read Cisco's CD-ROM. It only found the top-level directories on the CD, but couldn't run setup or show the contents of any of the directories. Making a fresh copy of the CD didn't help. The only solution was to copy all the files onto a Linux machine, reset the permissions recursively to a+r, and then create a new CD.

  1. Set the PC to a static IP of 10.10.10.2, subnet mask 255.255.255.248. Leave the other settings blank.
  2. Disable the Windows Firewall and any popup blockers within the default browser (usually IE). This is done using the Tools | Pop-up Blocker in the main IE Menu. Start the Cisco SDM Express software. It should open a browser. If the browser can't find your router, try entering 10.10.10.1 in the address bar.
  3. If you don't have the Cisco CD, launch IE and navigate to http://10.10.10.1. Enter the default username 'cisco' and password 'cisco'. After this, you must enter the following command before logging off, or you will be locked out:
    username  username  privilege 15 secret 0  password
  4. If you have the CD, just follow the instructions and enter the configuration data as shown in the table below (making any changes as needed).

Enter the following for your local area network:

LAN Interface - GigabitEthernet
IP address IP address of router
Subnet Mask or bits Subnet mask
DHCP server Off
DNS IP addresses of two DNS servers

For the T1 connection, click on "Add connection" and enter the following (change as necessary according to information provided by your ISP). For our T1 line, we used the following:

WAN Interface - Serial0/0/0.1
Encapsulation Frame relay
IP Address Unnumbered
DLCO 500
LMI ansi
Use IETF encapsulation yes
Default route Create default route
Enable NAT off

Don't just make up numbers here; your ISP should provide them. They must be correct for your circuit, or your T1 won't work properly. In particular, watch out for accidentally setting your IP address on the WAN interface instead of the LAN interface. If you do that, the software will silently delete your LAN IP address and you will have to do some fancy footwork on the serial console to get back in. Most T1 lines are "unnumbered"; they are just point-to-point, and don't need an address.

Accept the security configuration, except for SNMP (which should be left on), and click Finish. It will create a valid startup-config on the router for you. At this point you can toss out the Windows computer and finish the configuration in the serial console.

Configuring from console

The Web interface is pretty minimal. Even for a routine provisioning, you will probably need to use the CLI. Log in over the serial console using your new username and password and type the following: 

conf t
sh interface GigabitEthernet0/0

If it says Administratively down , type the following: 

conf t
interface GigabitEthernet0/0
no shutdown

The four green LEDs in back (or possibly the front) of the router should go on.

Adding a second subnet

If you have two subnets on the same interface, type the following: 

conf t
interface GigabitEthernet0/0
ip address 65.198.102.65 255.255.255.192 secondary

Note that you put the IP address of the router here, not the network address. Be sure to substitute your own IP address and subnet mask in that last line, otherwise it won't work.

Enable flow

If you want to enable flows to keep tabs on the type of traffic going through the router, type the following: 

conf t
ip route-cache policy
ip route-cache flow
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 63.127.146.196 9991

Be sure to substitute your own IP address in that last line, otherwise all your flow will belong to us.

Activate SNMP

SNMP is a protocol for getting data from the router. For example, MRTG uses SNMP to create a nice graph of your bandwidth utilization. If you want to activate it, type the following: 

conf t
snmp-server community mypassword
snmp-server packetsize 2048
snmp-server enable traps snmp

Mrtg is not usually run as a daemon, but is started every five minutes in your crontab.

Other useful commands

This command lets you type a bad password ten times instead of three times before it locks you out: 

conf t
security authentication failure rate 10 log

This command sends all the logs and error messages to the computer with the specified IP: 

conf t
logging 192.168.2.3

These commands show the status of your interfaces: 

sh ip interface brief
sh interface
sh interface Serial0/0/0.1

This next command saves your configuration in non-volatile RAM, so your changes will be remembered if the router is rebooted. (Don't issue this command until you're 100% sure everything is working.) 

copy running-config startup-config

Startup configuration

Here is the startup configuration that was produced, with irrelevant parts omitted: 

Using 3571 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <hostname here>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 <encrypted string here>
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
!
no ip bootp server
ip domain name <Our domain name here>
ip name-server <IP address here>
ip name-server <IP address here>
!
username <username here> privilege 15 secret 5 <encrypted string here>
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address <IP address here>  255.255.255.192 secondary
 ip address <IP address here>  255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache policy
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay
 ip route-cache flow
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip unnumbered GigabitEthernet0/0
 ip access-group infilter in
 ip access-group outfilter out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 frame-relay interface-dlci 500 IETF   
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination <IP address here>  9991
!
logging trap debugging
logging <IP address here>
no cdp run
!
control-plane
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Creating a firewall on a Cisco router

To create a firewall, you construct an access control list, and then apply it to the Serial (T1) interface. A firewall is a text file that you send to the router by tftp, cut-and-paste over a terminal, or some other means. It's not recommended to save it in your startup-config, because it changes frequently. Also, if you make a mistake in your firewall, you can easily lock yourself out. The firewall has several parts:

The first time you install the firewall, it's best to enter it into the router one line at a time. This way, you can easily catch and correct any errors.

Here is part of our firewall, with any sensitive information removed. The commands are mostly self-explanatory. The only tricky part is the "reflect myfilter" section. Reflect means it is a reflexive access list. A reflexive access list watches outbound traffic and creates temporary entries to allow the returning inbound traffic that is associated with the IP session. This is basically a "stateful" firewall.

Also, a definition is needed: a source mask is the bit inverse of a netmask. Each bit that is not set indicates that the corresponding bit in the address is meaningful. If the source mask is all zeroes, it means that all 32 bits are meaningful and the address applies to a single host. If a bit is set, it matches any address.

As with a computer program, firewalls accumulate a certain amount of cruft over the years. It's best to keep them simple so they can be easily understood by the guy who gets your job after you're fired.

Don't just copy this firewall and try to use it. It must be customized with your own IP addresses or it won't work.

Disabling the existing firewall 

config t
interface GigabitEthernet0/0
  no ip directed-broadcast
  no ip source-route
interface Serial0/0/0.1
  no ip source-route
interface Serial0/0/0.1
  no ip directed-broadcast
  no ip access-list extended infilter
interface Serial0/0/0.1
  no ip access-list extended outfilter
interface Serial0/0/0.1

Access list for incoming traffic
Note that the deny commands come first. 

!
!First create an access group called infilter.
!
ip access-list extended infilter
!First we have a number of special cases for people who attacked us.
!The notation is: source-address  source-mask  port.
!Since we are blocking a single computer, the source mask is all 0.
  deny   ip    83.64.49.10     0.0.0.0    any      
  deny   ip    69.60.124.69    0.0.0.0    any      
  deny   ip    200.76.209.150  0.0.0.0    any
  deny   ip    121.15.245.245  0.0.0.0    any
  deny   ip    60.12.225.7     0.0.0.0    any
!block known ssh and ftp portscanners - most recent 3 are shown
  deny   ip    70.159.142.121  0.0.0.0    any      
  deny   ip    213.8.154.248   0.0.0.0    any      
  deny   ip    67.205.112.219  0.0.0.0    any      

!The next section blocks bad packets: packets with bad IP addresses
!that shouldn't be there. 
!Substitute your own network address and mask here.
  deny tcp 63.127.146.192  0.0.0.63      any  
  deny tcp 65.198.102.64   0.0.0.63      any  
!Block packets from non-routable IP addresses.
!This is pretty standard.
  deny ip  192.168.0.0     0.0.255.255   any  
  deny ip  172.16.0.0      0.15.255.255  any  
  deny ip  10.0.0.0        0.255.255.255 any  
  deny ip  127.0.0.0       0.255.255.255 any  
  deny ip  224.0.0.0       7.255.255.255 any  
!Block other bad packets
  deny ip  host            0.0.0.0       any       
  deny ip  any 0.0.0.255    255.255.255.0      
  deny ip  any 0.0.0.0      255.255.255.0      

!Now we have another section where we block a couple of networks.
!block one particular batch of virus-infested computers sending stuff on port 25
  deny tcp  69.140.180.0 0.0.0.255      any eq 25

!Allow all other incoming http - this could cause problems
!because malware often listens on 80
  permit tcp any  0.0.0.0 eq 80 reflect myfilter 

!Block a number of ports, including 0 and the Windows ports.
!block kazaa and netbios, also witty UDP/4000 and port 0. 
!Connections to these ports should never be coming in from outside.
  deny tcp any any eq 0
  deny udp any any eq 0  
  deny tcp any any eq 135  
  deny udp any any eq 135  
   ... etc...
  permit tcp any any  established  

!Our policy is to allow all icmp, because it's essential for
!testing connectivity.
  permit icmp any any echo
  permit icmp any any echo-reply
  permit icmp any any time-exceeded
  permit icmp any any traceroute
  permit icmp any any unreachable
  permit icmp any any ttl-exceeded
  permit icmp any any net-unreachable
  permit icmp any any host-unreachable
  permit icmp any any source-quench
  permit icmp any any packet-too-big
  permit icmp any any 

!Ports to leave open for everybody
!The notation here is network address followed by source mask.
!This allows anyone on our network to accept connections on these ports.
  permit tcp any 63.127.146.192  0.0.0.63 eq 113 reflect tcpfilter 

!openvpn is on udp 1194 or 5000. Better let in tcp as well.
  permit tcp any any eq 1194 reflect tcpfilter 
  permit udp any any eq 1194 reflect tcpfilter 
  permit tcp any any eq 1195 reflect tcpfilter 
  permit udp any any eq 1195 reflect tcpfilter 
  permit udp any any eq 5000 reflect tcpfilter
  permit tcp any any eq 5000 reflect tcpfilter
  permit udp any any eq 5001 reflect tcpfilter
  permit tcp any any eq 5001 reflect tcpfilter

!This section opens specific ports on our servers. The first four
!lines are shown. The 0.0.0.0 notation means these lines apply to
!a single computer.
  permit tcp any <IP address here> 0.0.0.0 eq 20 reflect tcpfilter 
  permit tcp any <IP address here> 0.0.0.0 eq 21 reflect tcpfilter 
  permit tcp any <IP address here> 0.0.0.0 eq 22 reflect tcpfilter 
  permit tcp any <IP address here> 0.0.0.0 eq 23 reflect tcpfilter 

!Finally, we want the ACL to be evaluated, then we exit.
  evaluate tcpfilter
  evaluate myfilter
exit

Next we do the same thing for outgoing traffic. This obviously can be less strict, because we want to allow our users to be able to establish outgoing connections.

!
!First create an access group called outfilter.
!
ip access-list extended outfilter
! block some ports
  deny tcp any any eq 135  
  deny udp any any eq 135  
  deny tcp any any eq 137  
  ... etc ...

!Allow anyone to initiate an outgoing connection to any other port.
  permit tcp 63.127.146.192  0.0.0.63 any reflect myfilter      
  permit tcp 65.198.102.64   0.0.0.63 any reflect myfilter      
!Or we could have these lines to allow anyone to make DNS inquiries. 
  permit tcp 63.127.146.192  0.0.0.63 any eq 53 reflect myfilter
  permit tcp 65.198.102.64   0.0.0.63 any eq 53 reflect myfilter

!If they establish a connection, they can use other ports.
  permit tcp any any  established  

!Our policy is to allow all icmp, because it's essential for
!testing connectivity.
  permit icmp any any echo
  permit icmp any any echo-reply
   ... etc ...  

!Now evaluate all the filters
  evaluate tcpfilter
  evaluate myfilter
exit

Finally, we apply the access-group to the connection between us and the Internet, Serial0/0/0. 

!
! apply the entire acl to Serial0/0/0.1
!
interface Serial0/0/0.1
  ip access-group infilter in
  ip access-group outfilter out
exit
exit

Back