Post on 30-Mar-2018
2
Agenda:
• Memory
  – Static and Dynamic
• Interfaces
  – Physical, Virtual, and Console
• Environmental
• Configuration
  – Outline and Example
• P.O.S.T.
• Initial Configuration
3
Memory Allocation: Static
[Figure: static memory components on the slide: boot flash SIMM, NVRAM SIMM, Flash SIMM and PCMCIA card; contents labelled in the diagram: startup-config, IOS image, configuration(s), emergency IOS image]
4
Memory Allocation: Dynamic
[Figure: dynamic memory components on the slide: DRAM SIMM (main memory) and SRAM SIMM (packet memory); contents labelled in the diagram: routing table(s), protocol table(s), session table(s), route cache, running-config, running image, message logs]
5
Interfaces
• Virtual
  – Always On
  – Loopback
  – Null
  – VTY
  – Sub-Interface
• Physical
  – Modular
  – Fixed
  – LAN
  – WAN
  – LAN/WAN
  – Con, Aux
6
Interface Numbering
• Fixed
  – E 0 and/or E 0/0
• Modular
  – E 3/0, S 0/1, Atm 6/5/0
• Channelized
  – S 0/1:1
• Sub
  – S 3/1.16 or S 0/1:1.208
8
Console Port
• Asynchronous port (RJ45) with max speed 115000
• All traffic - in or out - is treated as a processor interrupt
• All logging and debug traffic is mirrored to the console port
• Port can be used to
  – Troubleshoot
  – Upload files (IOS and config)
  – Crack the password
  – Route traffic
9
Show Interface
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0001.96f3.8320 (bia 0001.96f3.8320)
  Internet address is 192.168.5.3/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     3807518 packets input, 304727708 bytes, 0 no buffer
     Received 3513249 broadcasts, 0 runts, 0 giants, 0 throttles
     5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored
     0 input packets with dribble condition detected
     2127578 packets output, 195123880 bytes, 0 underruns
     0 output errors, 23 collisions, 2 interface resets
     0 babbles, 0 late collision, 254 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
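As an added example (not part of the deck), the following Python parses a "show interface" block into its state, rates, queue figures and counters, using the slide's own output as sample input. interface_health then flags what an operator would act on: a down line protocol, any non-zero error counter (input errors, CRC, ignored, interface resets, carrier loss) and queue drops. Collisions and deferred transmissions are deliberately not flagged, since they are expected on half-duplex Ethernet.

```python
import re

# Sample input: the deck's "show interface" output (slide 9), reconstructed
# with the line breaks the router prints.
SHOW_INTERFACE = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0001.96f3.8320 (bia 0001.96f3.8320)
  Internet address is 192.168.5.3/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     3807518 packets input, 304727708 bytes, 0 no buffer
     Received 3513249 broadcasts, 0 runts, 0 giants, 0 throttles
     5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored
     0 input packets with dribble condition detected
     2127578 packets output, 195123880 bytes, 0 underruns
     0 output errors, 23 collisions, 2 interface resets
     0 babbles, 0 late collision, 254 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
"""

# Counters that mean trouble when non-zero. "collisions" and "deferred" are
# left out on purpose: they are normal on a half-duplex Ethernet segment.
ERROR_COUNTERS = ("no buffer", "runts", "giants", "throttles", "input errors",
                  "CRC", "frame", "overrun", "ignored", "underruns",
                  "output errors", "interface resets", "late collision",
                  "lost carrier", "no carrier")


def parse_show_interface(text):
    """Parse one 'show interface' block into a dict of state, rates and counters."""
    lines = text.splitlines()
    head = re.match(r"(\S+) is (.+?), line protocol is (\S+)", lines[0])
    if head is None:
        raise ValueError("not a 'show interface' block")
    info = {"interface": head.group(1), "status": head.group(2),
            "protocol": head.group(3), "counters": {}, "rates": {}, "queue": {}}
    m = re.search(r"Hardware is .*?, address is ([0-9a-f.]+)", text)
    info["mac"] = m.group(1) if m else None
    m = re.search(r"Internet address is (\S+)", text)
    info["ip"] = m.group(1) if m else None
    m = re.search(r"MTU (\d+) bytes", text)
    info["mtu"] = int(m.group(1)) if m else None
    m = re.search(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+).*Total output drops: (\d+)", text)
    if m:
        keys = ("input_size", "input_max", "input_drops", "input_flushes", "output_drops")
        info["queue"] = dict(zip(keys, (int(g) for g in m.groups())))
    for direction, bps, pps in re.findall(
            r"(input|output) rate (\d+) bits/sec, (\d+) packets/sec", text):
        info["rates"][direction] = {"bps": int(bps), "pps": int(pps)}
    # Counter lines are comma-separated "<number> <label>" pieces.
    for line in lines:
        for piece in line.split(","):
            piece = piece.strip()
            if piece.startswith("Received "):
                piece = piece[len("Received "):]
            m = re.match(r"^(\d+) ([A-Za-z][A-Za-z ]*)$", piece)
            if m is None:
                continue
            label = m.group(2)
            if label == "bytes":  # "bytes" appears on both the input and output line
                label = "bytes input" if "packets input" in line else "bytes output"
            info["counters"][label] = int(m.group(1))
    return info


def interface_health(info):
    """Return {finding: value} for the conditions an operator should look at."""
    findings = {}
    if info["status"] != "up" or info["protocol"] != "up":
        findings["state"] = "%s/%s" % (info["status"], info["protocol"])
    for name in ERROR_COUNTERS:
        if info["counters"].get(name, 0) > 0:
            findings[name] = info["counters"][name]
    q = info["queue"]
    if q.get("input_drops", 0) or q.get("output_drops", 0):
        findings["queue drops"] = (q["input_drops"], q["output_drops"])
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SHOW_INTERFACE)
    for name, value in interface_health(parsed).items():
        print("%s: %s = %s" % (parsed["interface"], name, value))
```

On the slide's output this reports 5 input errors (all of them "ignored", i.e. dropped for lack of input buffers), and 2 interface resets; the 23 collisions and 254 deferred frames are not reported. Parsing the counter lines generically by "<number> <label>" pieces means the same function copes with the slightly different counter sets that serial or FDDI interfaces print.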
10
Environmental - NEBS
• Network Equipment Building Systems
  – Bellcore, 1985
• Mounting
  – Where: Front, Back, Middle
  – Loading
• Cooling
  – Where are the fans?
  – Load Sharing and Load Balancing
• Online Insertion & Removal (OIR)
  – Don’t do it!!!
11
Environmental - Power
• AC
• AC - redundant
• DC
• DC - redundant
• Load Sharing and Load Balancing
• Hot Swappable
• Where are the switches and what do they control?
13
Internetworking Operating System
• Software (IOS) vs. Command Line (CLI)
• Marketing vs. Bug List
• Version makes the difference
  – Major, Minor, Release
  – GD, ED, Deferred, etc.
  – c2600-io3s56i-mz.120-7.T.bin
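As an added example (not from the deck), a small decoder for the classic IOS image file name shown on the slide. It splits platform, feature set, the two "mz" letters (where the image runs from and how it is compressed, per Cisco's documented naming convention) and the version field, and turns "120-7.T" into the "12.0(7)T" form that "show version" prints, so an inventory script can compare what is in flash with what is running. The letter tables are reproduced from memory of that convention and are the one assumption here.

```python
import re

# Run-location and compression letters of the "mz" field (assumption: the
# two letters are always run-location followed by compression).
_RUN_LOCATION = {"m": "runs from RAM", "f": "runs from flash",
                 "r": "runs from ROM", "l": "relocatable"}
_COMPRESSION = {"z": "zip compressed", "x": "mzip compressed",
                "w": "stac compressed"}

# platform-featureset-<loc><comp>.<major+minor>-<release>[.<train>][.bin]
_IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<loc>[a-z])(?P<comp>[a-z])"
    r"\.(?P<ver>\d+)-(?P<rest>[0-9A-Za-z.]+?)(?:\.bin)?$")


def decode_image_name(filename):
    """Decode a classic IOS image name; accepts 'flash:' / 'slot0:' prefixes."""
    name = filename.rsplit(":", 1)[-1]
    m = _IMAGE_RE.match(name)
    if m is None:
        raise ValueError("not a classic IOS image name: %r" % filename)
    ver = m.group("ver")
    major, minor = ver[:-1], ver[-1]          # "120" -> 12.0, "111" -> 11.1
    release, train = [], []
    for token in m.group("rest").split("."):   # "24.1.CC" -> release 24.1, train CC
        (release if token.isdigit() else train).append(token)
    version = "%s.%s(%s)%s" % (major, minor, ".".join(release), "".join(train))
    return {
        "platform": m.group("platform"),
        "feature_set": m.group("features"),
        "run_location": _RUN_LOCATION.get(m.group("loc"), "unknown (%s)" % m.group("loc")),
        "compression": _COMPRESSION.get(m.group("comp"), "unknown (%s)" % m.group("comp")),
        "version": version,
    }


if __name__ == "__main__":
    for name in ("c2600-io3s56i-mz.120-7.T.bin", "slot0:rsp-pv-mz.111-24.1.CC"):
        print(name, "->", decode_image_name(name))
```

The version string is what matters for the "Marketing vs. Bug List" point on the slide: the release number in parentheses and the trailing train letters are what a bug or advisory search is keyed on, so keep them separate from the major.minor number rather than comparing file names as opaque strings.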
14
Show Version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 17:24 by tinhuang
Image text-base: 0x8000808C, data-base: 0x80A6D5A0

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)

TLab-term-srv uptime is 13 weeks, 1 day, 20 hours, 59 minutes
System returned to ROM by power-on
System image file is "flash:c2600-io3-mz.122-31.bin"

cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD041506T8 (4268698135)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
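As an added example (not from the deck), this Python pulls the fields worth tracking out of the "show version" output above (running version, image file, host name, uptime, reload reason, memory, configuration register) and decodes the register bits that matter for the boot behaviour described on the POST and console-port slides: the boot field (low four bits), bit 6 (0x0040, start without the NVRAM startup-config), bit 8 (0x0100, console break ignored once booted) and bit 13 (0x2000, fall back to the ROM image if a network boot fails). The audit function reports a register that has been left in the "ignore NVRAM" state. The bit meanings are the standard ones for the register; the function and finding names are this example's own.

```python
import re

# Sample input: the deck's "show version" output (slide 14), reconstructed
# with the line breaks the router prints.
SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 17:24 by tinhuang
Image text-base: 0x8000808C, data-base: 0x80A6D5A0

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)

TLab-term-srv uptime is 13 weeks, 1 day, 20 hours, 59 minutes
System returned to ROM by power-on
System image file is "flash:c2600-io3-mz.122-31.bin"

cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD041506T8 (4268698135)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
"""

BOOT_FIELD = {0x0: "ROM monitor (ROMMON)", 0x1: "boot image in ROM"}


def parse_show_version(text):
    """Extract the inventory fields from 'show version' output."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None
    host = re.search(r"^(\S+) uptime is (.+)$", text, re.MULTILINE)
    reg = grab(r"^Configuration register is 0x([0-9A-Fa-f]+)")
    return {
        "version": grab(r"^(?:IOS \(tm\)|Cisco IOS Software).*?Version ([^,]+),"),
        "image": grab(r'^System image file is "([^"]+)"'),
        "hostname": host.group(1) if host else None,
        "uptime": host.group(2) if host else None,
        "last_reload": grab(r"^System returned to ROM by (.+)$"),
        "memory": grab(r"with (\S+) bytes of memory"),     # main/IO, e.g. 61440K/4096K
        "config_register": int(reg, 16) if reg else None,
    }


def decode_config_register(value):
    """Decode the boot-related bits of a 16-bit configuration register."""
    boot = value & 0xF
    return {
        "boot_field": boot,
        "boot_mode": BOOT_FIELD.get(boot, "boot system commands, then flash"),
        "ignore_nvram": bool(value & 0x0040),     # bit 6: skip startup-config
        "break_disabled": bool(value & 0x0100),   # bit 8: console break ignored
        "rom_fallback_on_netboot_failure": bool(value & 0x2000),  # bit 13
    }


def audit_show_version(text):
    """Return (parsed fields, list of findings about the configuration register)."""
    info = parse_show_version(text)
    reg = info["config_register"]
    if reg is None:
        return info, ["configuration register not found in output"]
    bits = decode_config_register(reg)
    findings = []
    if bits["ignore_nvram"]:
        findings.append("0x%04X: bit 6 set, startup-config is ignored at boot; "
                        "restore the normal value and save the config" % reg)
    if not bits["break_disabled"]:
        findings.append("0x%04X: bit 8 clear, a console break during boot "
                        "drops the router into ROMMON" % reg)
    if bits["boot_field"] == 0:
        findings.append("0x%04X: boot field 0, router stops in ROMMON on reload" % reg)
    return info, findings


if __name__ == "__main__":
    parsed, problems = audit_show_version(SHOW_VERSION)
    print(parsed["hostname"], parsed["version"], parsed["image"],
          "register 0x%04X" % parsed["config_register"])
    for p in problems:
        print("finding:", p)
```

The normal value 0x2102 decodes to boot field 2, NVRAM honoured, break disabled and ROM fallback on. A register of 0x2142 is the same except bit 6, which is the state a console password-recovery procedure leaves behind: a router found in that state at inventory time deserves a look, because its startup-config was bypassed on its last boot.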
15
Configuration Outline
• Global configuration
• Interface configuration
  – sub-interface
• Global configuration
  – routing
  – access control
  – routing policy
• Line configuration
  – con, aux, vty
16
Global Configuration
• version 11.1
• service config
• no service finger
• service timestamps log datetime localtime
• service password-encryption
• no service udp-small-servers
• no service tcp-small-servers
• !
• hostname cr01.scrl
• !
• clock timezone PST -8
• clock summer-time PDT recurring
• clock calendar-valid
• boot system flash slot0:rsp-pv-mz.111-24.1.CC
• boot system rom
• aaa new-model
• aaa authentication login no_tacacs local
• aaa authentication login vty tacacs+ enable
• aaa authorization exec tacacs+ if-authenticated none
• aaa authorization commands 15 tacacs+ none
• aaa accounting commands 15 start-stop tacacs+
• enable secret 5 $1$Iz1I$4wkuF1PS6fHlccO6yS/f6/
• enable password 7 04490424161F56561C1C1656
• !
• ip subnet-zero
• ip tftp source-interface Loopback0
• ip telnet source-interface Loopback0
• ip spd enable
• ip cef distributed
• ip cef accounting per-prefix prefix-length
• ip multicast-routing
• ip dvmrp route-limit 20000
• ip rcmd rsh-enable
• ip rcmd remote-host nobody 207.173.0.18 nobody
• ip rcmd remote-host peering 207.173.0.2 peering
• ip rcmd remote-host netstats 207.173.86.4 netstats
• ip rcmd source-interface Loopback0
• ip accounting-threshold 400
• ip tcp path-mtu-discovery
• !
17
Interface Configuration
• interface Loopback0
• description _BB_, IBGP Router Address
• ip address 207.173.112.8 255.255.255.255
• no ip redirects
• no ip directed-broadcast
• no ip proxy-arp
• transmit-buffers backing-store
• !
• interface ATM0/0
• description _BB_, 10.1-SCRLA001-SCRLIC01-0.0-OC3, DB101/OC3/XXXX/XXXX
• no ip address
• no ip directed-broadcast
• ip pim sparse-dense-mode
• no ip route-cache optimum
• shutdown
• !
• interface FastEthernet1/0/0
• description _NM_, SACRAMENTO DMZ
• ip address 209.210.75.245 255.255.255.252
• ip access-group 180 out
• no ip directed-broadcast
• no ip route-cache optimum
• ip route-cache distributed
• full-duplex
• no cdp enable
• !
• interface Hssi1/1/0
• description _TP_, SPRINT, AS1239, 6025/T3/SCRLCACWH02/SCRMCAGFH01,PON:eds#1712-001
• ip address 144.228.107.18 255.255.255.252
• no ip redirects
• no ip directed-broadcast
• no ip proxy-arp
• no ip route-cache optimum
• ip route-cache distributed
• no cdp enable
• !
• interface Fddi4/0/0
• description _BB_,SCRLIC01-SCRLIC02-SCRLIB01,IO101/FDDI/
• ip address 207.173.112.250 255.255.255.248
• no ip redirects
• no ip directed-broadcast
• no ip proxy-arp
• ip pim sparse-dense-mode
• no ip route-cache optimum
• ip route-cache distributed
• ip ospf cost 10
• no keepalive
18
Global Config - routing
• router ospf 300
• passive-interface FastEthernet1/0/0
• passive-interface Ethernet4/1/0
• passive-interface Ethernet4/1/1
• passive-interface Ethernet4/1/2
• passive-interface Ethernet4/1/3
• network 207.173.112.8 0.0.0.0 area 2
• network 207.173.112.250 0.0.0.0 area 2
• network 207.173.113.0 0.0.0.255 area 0
• network 207.173.114.0 0.0.0.255 area 0
• ospf log-adjacency-changes
• router bgp 5650
• no synchronization
• no bgp client-to-client reflection
• bgp log-neighbor-changes
• bgp dampening 40 450 950 160
• redistribute connected route-map BB-ROUTE-CONNECTEDS
• redistribute static route-map BB-ROUTE-STATICS
• neighbor IBGP-REGION-10 peer-group
• neighbor IBGP-REGION-10 remote-as 5650
• neighbor IBGP-REGION-10 description IBGP AS Region-10
• neighbor IBGP-REGION-10 update-source Loopback0
• neighbor IBGP-REGION-10 next-hop-self
• neighbor IBGP-REGION-10 send-community
• neighbor IBGP-REGION-10 soft-reconfiguration inbound
• neighbor IBGP-REGION-10 route-map BB-AS5650-OUT out
• neighbor 144.228.107.17 remote-as 1239
• neighbor 144.228.107.17 send-community
• neighbor 144.228.107.17 soft-reconfiguration inbound
• neighbor 144.228.107.17 distribute-list 190 in
• neighbor 144.228.107.17 distribute-list 191 out
• neighbor 144.228.107.17 route-map SPRINT-AS1239-IN in
• neighbor 144.228.107.17 route-map SPRINT-AS1239-OUT out
• neighbor 207.173.112.1 peer-group IBGP-REGION-10
• neighbor 207.173.112.1 description IBGP-cr02.slkc.eli.net
19
Global Config - access control
• ip community-list 1 permit 5650:10
• ip community-list 2 permit 5650:20
• ip community-list 3 permit 5650:30
• ip community-list 4 permit 5650:40
• ip community-list 5 permit 5650:50
• ip as-path access-list 9 permit .*
• ip as-path access-list 10 permit ^$
• ip as-path access-list 10 permit ^(10260_)+$
• ip as-path access-list 10 permit ^(10323_)+$
• ip as-path access-list 10 permit ^(10345_)+$
• ip as-path access-list 10 permit ^(10406_)+$
• ip as-path access-list 10 permit ^(10444_)+$
• ip as-path access-list 10 permit ^(10494_)+$
• access-list 6 permit 208.131.4.34
• access-list 7 permit 128.11.16.0 0.0.7.255
• access-list 101 deny ip host 207.173.112.8 any
• access-list 101 permit ip any any
• access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
• access-list 104 permit ip any any
• access-list 105 deny ip 10.0.0.0 0.255.255.255 any
• access-list 105 deny ip 152.148.0.0 0.0.255.255 any
• access-list 105 deny ip 192.168.0.0 0.0.255.255 any
• access-list 105 deny ip 172.16.0.0 0.15.255.255 any
• access-list 105 deny ip 240.0.0.0 15.255.255.255 any
• access-list 105 permit ip any 0.0.0.0 255.255.255.0
20
Line Configuration
• line con 0
• exec-timeout 5 0
• login authentication no_tacacs
• length 20
• stopbits 1
• line aux 0
• exec-timeout 5 0
• login authentication no_tacacs
• modem answer-timeout 120
• modem InOut
• terminal-type vt100
• length 25
• transport preferred none
• transport input all
• rxspeed 19200
• txspeed 19200
• flowcontrol hardware
• line vty 0
• access-class 110 in
• exec-timeout 60 0
• password 7 0823414558125756
• login authentication vty
• length 25
• width 132
• notify
• line vty 1
• access-class 110 in
• exec-timeout 60 0
• password 7 0823414558125756
• login authentication vty
• length 25
• width 132
• line vty 2 4
• access-class 110 in
• exec-timeout 60 0
• password 7 bmk1k2!
• login authentication vty
21
Prompt Levels*
• Disabled
  >
• Enabled
  #
• Configuration
  hostname(config)#
  hostname(config-if)#
  hostname(config-subif)#
  hostname(config-router)#
*online [context sensitive] help always available
22
Power On Self Test (POST)
• Environmental Diagnostics
• Decompress/Copy IOS to Running Memory
• Copy Config to Running Memory
  – If no Config run Setup utility
• Configure RTR according to Config
• Enable Interfaces
23
Initial Configuration
• Setup Mode
• CLI
• Passwords
• Banners
• Host info: name, clock, security, etc.
• Saving config to NVRAM
• Show commands
24
Good for Security
• Global
  – No ip source-route
  – No cdp run
  – No ip http server
• Interface
  – No ip directed-broadcast
    • no translation of directed broadcasts into physical (link-layer) broadcasts
  – No ip unreachable
    • don’t send icmp unreachable messages
  – No ip proxy-arp
    • don’t answer ARP requests for other destinations with the router’s own MAC address (proxy ARP)
  – No ip redirects
    • don’t send icmp redirect messages
25
Good Idea
• Global
  – ip classless (Default after IOS 12.2)
    • Affects the operation of the forwarding process; it doesn't affect the way the routing table is built. If configured, the router will forward packets to supernets.
  – ip subnet-zero (Default after IOS 12.2)
    • Due to an ancient RFC, the first subnet (according to old-style classful boundaries) can’t be put on a router interface without this command.
  – No logging console
    • This keeps messages from queuing up and using system cycles.
  – Logging
    • Set the trap level and push the messages to a syslog server.
• Routing
  – Log neighbor state changes
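As an added example (not from the deck), the following Python turns the "Good for Security" and "Good Idea" checklists into an audit that can be run over a saved running-config. It splits the config into top-level commands and indented stanzas, then checks the global settings, the four per-interface settings (on interfaces that are not shut down; the slide's "no ip unreachable" is the IOS command "no ip unreachables"), adjacency/neighbor logging under the routing processes, and exec-timeout plus an inbound access-class on the lines. It also flags a leftover "enable password", whose type 7 encoding is reversible, when "enable secret" is what should be relied on. The sample config is constructed from fragments of the cr01.scrl configuration on the earlier slides, using the values shown there; the function and finding names are this example's own.

```python
import re

# Constructed sample: fragments of the deck's cr01.scrl configuration, in the
# one-space indented form that "show running-config" prints.
SAMPLE_CONFIG = """\
service password-encryption
!
hostname cr01.scrl
!
enable secret 5 $1$Iz1I$4wkuF1PS6fHlccO6yS/f6/
enable password 7 04490424161F56561C1C1656
!
interface Loopback0
 ip address 207.173.112.8 255.255.255.255
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
!
interface ATM0/0
 no ip address
 shutdown
!
interface FastEthernet1/0/0
 ip address 209.210.75.245 255.255.255.252
 ip access-group 180 out
 no ip directed-broadcast
 no cdp enable
!
router ospf 300
 ospf log-adjacency-changes
!
router bgp 5650
 bgp log-neighbor-changes
!
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 110 in
 exec-timeout 60 0
 login authentication vty
"""

GLOBAL_REQUIRED = ["no ip source-route", "no cdp run", "no ip http server",
                   "service password-encryption", "no logging console"]
INTERFACE_REQUIRED = ["no ip directed-broadcast", "no ip unreachables",
                      "no ip proxy-arp", "no ip redirects"]


def parse_config(text):
    """Return (top-level commands, [(stanza header, [child commands])])."""
    top, stanzas, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None                      # blank line or "!" closes a stanza
        elif line[0].isspace():
            if current is not None:
                current[1].append(line.strip())
        else:
            top.append(line)
            current = (line, [])
            stanzas.append(current)
    return top, stanzas


def audit_config(text):
    """Return one finding string per missing or weak setting."""
    top, stanzas = parse_config(text)
    findings = ["global: missing '%s'" % c for c in GLOBAL_REQUIRED if c not in top]
    if not any(c.startswith("logging trap") for c in top):
        findings.append("global: missing 'logging trap <level>'")
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", c) for c in top):
        findings.append("global: missing syslog server ('logging <host>')")
    if any(c.startswith("enable password") for c in top):
        findings.append("global: 'enable password' is reversible type 7; keep only 'enable secret'")
    for header, children in stanzas:
        if header.startswith("interface ") and "shutdown" not in children:
            name = header.split(None, 1)[1]
            findings += ["%s: missing '%s'" % (name, c) for c in INTERFACE_REQUIRED
                         if c not in children]
        elif header.startswith("router ospf"):
            if not any(c.endswith("log-adjacency-changes") for c in children):
                findings.append("%s: missing 'log-adjacency-changes'" % header)
        elif header.startswith("router bgp"):
            if "bgp log-neighbor-changes" not in children:
                findings.append("%s: missing 'bgp log-neighbor-changes'" % header)
        elif header.startswith("line "):
            if not any(c.startswith("exec-timeout") for c in children):
                findings.append("%s: missing 'exec-timeout'" % header)
            if header.startswith("line vty") and not any(
                    c.startswith("access-class") and c.endswith(" in") for c in children):
                findings.append("%s: missing inbound 'access-class'" % header)
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports the missing global settings (no ip source-route, no cdp run, no ip http server, no logging console, logging trap and a syslog host), the leftover enable password, and the per-interface gaps: Loopback0 lacks only "no ip unreachables", while FastEthernet1/0/0, the DMZ-facing interface, lacks unreachables, proxy-arp and redirects. The shut-down ATM0/0 is skipped, and the routing processes and lines pass. Exact string matching on whole commands is deliberate: "ip redirects" and "no ip redirects" must not be confused, so a substring test would be wrong here.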