cisco ios.PPT [Read-Only] - Eyejack.orgeyejack.org/curriculum-vitae/training/cisco ios.pdf ·...

Introduction to Cisco IOS & Cisco Architecture Presented by, Jack Crowder - CCIE


2

Agenda:
• Memory
  – Static and Dynamic
• Interfaces
  – Physical, Virtual, and Console
• Environmental
• Configuration
  – Outline and Example
• P.O.S.T.
• Initial Configuration

3

Memory Allocation: Static
(diagram: the static memory parts and what each one holds)
• bootflash (SIMM): emergency IOS image
• NVRAM (IC or SIMM): startup-config
• FLASH (SIMM): IOS image
• PCMCIA: configuration(s) and/or additional IOS image(s)

4

Memory Allocation: Dynamic
(diagram: the dynamic memory parts and what each one holds)
• DRAM (main memory, SIMM): running image, running-config, routing table(s), protocol table(s), session table(s), route cache, message logs
• SRAM (packet memory): buffers for packets in transit

5

Interfaces
• Virtual
  – Always On
  – Loopback
  – Null
  – VTY
  – Sub-Interface
• Physical
  – Modular
  – Fixed
  – LAN
  – WAN
  – LAN/WAN
  – Con, Aux

6

Interface Numbering
• Fixed
  – E 0 and/or E 0/0
• Modular (slot/port, or slot/subslot/port)
  – E 3/0, S 0/1, Atm 6/5/0
• Channelized (parent interface, colon, channel group)
  – S 0/1:1
• Sub-interface (parent interface, dot, sub-interface number)
  – S 3/1.16 or S 0/1:1.208

7

Interface Numbering Example
(diagram: rear view of a Cisco 3640 with network-module slots 0, 1, 2 and 3; the ports in each module are numbered 0 and 1, so an interface is named slot/port, for example E 3/0)

8

Console Port
• Asynchronous port (RJ45) with a maximum speed of 115200 bps
• All traffic, in or out, is treated as a processor interrupt
• All logging and debug traffic is mirrored to the console port
• Port can be used to
  – Troubleshoot
  – Upload files (IOS and config)
  – Crack the password (the password-recovery procedure is run from the console, so anyone with physical access to this port can take over the router)
  – Route traffic

9

Show Interface
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0001.96f3.8320 (bia 0001.96f3.8320)
  Internet address is 192.168.5.3/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     3807518 packets input, 304727708 bytes, 0 no buffer
     Received 3513249 broadcasts, 0 runts, 0 giants, 0 throttles
     5 input errors, 0 CRC, 0 frame, 0 overrun, 5 ignored
     0 input packets with dribble condition detected
     2127578 packets output, 195123880 bytes, 0 underruns
     0 output errors, 23 collisions, 2 interface resets
     0 babbles, 0 late collision, 254 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

10

Environmental - NEBS
• Network Equipment-Building System
  – Bellcore, 1985
• Mounting
  – Where: Front, Back, Middle
  – Loading
• Cooling
  – Where are the fans?
  – Load Sharing and Load Balancing
• Online Insertion & Removal (OIR)
  – Don’t do it!!!

11

Environmental - Power
• AC
• AC - redundant
• DC
• DC - redundant
• Load Sharing and Load Balancing
• Hot Swappable
• Where are the switches and what do they control?

12

Show Environment

13

Internetwork Operating System (IOS)
• Software (IOS) vs. Command Line (CLI)
• Marketing vs. Bug List
• Version makes the difference
  – Major, Minor, Release
  – GD, ED, Deferred, etc.
  – c2600-io3s56i-mz.120-7.T.bin
    (platform c2600, feature set io3s56i, m = runs from RAM, z = zip-compressed, release 12.0(7)T)
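Image names and `show version` strings carry the same release in two spellings, and an inventory that matches running releases against advisories needs them in one comparable form. The parser below is an added example, not from this deck or from Cisco: it decodes the classic platform-featureset-flags.version layout, pulls the release out of a `show version` line, and checks that the booted image name agrees with what the box reports. The image names and the `show version` line it uses are the ones in this deck; the flag-letter table is the classic IOS scheme (m, z, x, w, l).

```python
"""Decode classic Cisco IOS image names and 'show version' release strings."""
import re
from typing import Dict, NamedTuple, Tuple

# Meaning of the letters in the third field of an image name (e.g. "mz").
FLAG_MEANING = {
    "m": "runs from RAM",
    "z": "zip compressed",
    "x": "mzip compressed",
    "w": "STAC compressed",
    "l": "relocatable",
}

# platform-featureset-flags.MMm-maint[.rebuild][.TRAIN][.bin]
# e.g. c2600-io3s56i-mz.120-7.T.bin  ->  12.0(7)T
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<flags>[a-z]+)\."
    r"(?P<major>\d{2})(?P<minor>\d)-(?P<maint>\d+)"
    r"(?:\.(?P<rebuild>\d+))?(?:\.(?P<train>[A-Z][A-Za-z0-9]*))?(?:\.bin)?$"
)

# 'show version' prints the release as "Version 12.2(31)" or "Version 12.0(7)T".
SHOWVER_RE = re.compile(
    r"Version (?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?:\.(?P<rebuild>\d+))?\)"
    r"(?P<train>[A-Z][A-Za-z0-9]*)?"
)


class IosRelease(NamedTuple):
    major: int
    minor: int
    maint: int
    rebuild: int  # 0 when no interim rebuild number is present
    train: str    # "" for the mainline train

    def __str__(self) -> str:
        inner = f"{self.maint}.{self.rebuild}" if self.rebuild else str(self.maint)
        return f"{self.major}.{self.minor}({inner}){self.train}"

    def sort_key(self) -> Tuple[int, int, int, int]:
        # Numeric order only. T, CC and mainline are separate code lines, so
        # compare keys only between releases of the same train.
        return (self.major, self.minor, self.maint, self.rebuild)


class IosImage(NamedTuple):
    platform: str
    feature_set: str
    flags: Dict[str, str]
    release: IosRelease


def _release(m: "re.Match[str]") -> IosRelease:
    return IosRelease(int(m["major"]), int(m["minor"]), int(m["maint"]),
                      int(m["rebuild"] or 0), m["train"] or "")


def parse_image_name(name: str) -> IosImage:
    """Parse an image file name; a 'flash:' or 'slot0:' prefix is stripped first."""
    base = name.rsplit(":", 1)[-1]
    m = IMAGE_RE.match(base)
    if not m:
        raise ValueError(f"not a classic IOS image name: {name!r}")
    flags = {f: FLAG_MEANING.get(f, "unknown flag") for f in m["flags"]}
    return IosImage(m["platform"], m["features"], flags, _release(m))


def parse_show_version(text: str) -> IosRelease:
    """Return the release from the first 'Version ...' string in show version output."""
    m = SHOWVER_RE.search(text)
    if not m:
        raise ValueError("no Version string found")
    return _release(m)


def image_matches_running(image_name: str, show_version_text: str) -> bool:
    """True when the booted image name and the reported release agree.

    A mismatch is worth a look: it usually means a stale 'boot system' line
    or an image swapped on flash without a reload, either of which makes an
    inventory built from file names alone wrong about what is really running.
    """
    return parse_image_name(image_name).release == parse_show_version(show_version_text)


if __name__ == "__main__":
    for n in ("c2600-io3s56i-mz.120-7.T.bin", "slot0:rsp-pv-mz.111-24.1.CC",
              "flash:c2600-io3-mz.122-31.bin"):
        img = parse_image_name(n)
        print(f"{n}: {img.platform} {img.feature_set} {img.flags} -> {img.release}")
```

The `sort_key` is deliberately numeric only; 12.0(7)T and 12.2(31) sit on different trains, so "newer" is meaningful only between releases of the same train.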

14

Show Version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Thu 11-Aug-05 17:24 by tinhuang
Image text-base: 0x8000808C, data-base: 0x80A6D5A0

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IO3-M), Version 12.2(31), RELEASE SOFTWARE (fc2)

TLab-term-srv uptime is 13 weeks, 1 day, 20 hours, 59 minutes
System returned to ROM by power-on
System image file is "flash:c2600-io3-mz.122-31.bin"

cisco 2611 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory.
Processor board ID JAD041506T8 (4268698135)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

15

Configuration Outline
• Global configuration
• Interface configuration
  – sub-interface
• Global configuration
  – routing
  – access control
  – routing policy
• Line configuration
  – con, aux, vty

16

Global Configuration
version 11.1
service config
no service finger
service timestamps log datetime localtime
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname cr01.scrl
!
clock timezone PST -8
clock summer-time PDT recurring
clock calendar-valid
boot system flash slot0:rsp-pv-mz.111-24.1.CC
boot system rom
aaa new-model
aaa authentication login no_tacacs local
aaa authentication login vty tacacs+ enable
aaa authorization exec tacacs+ if-authenticated none
aaa authorization commands 15 tacacs+ none
aaa accounting commands 15 start-stop tacacs+
enable secret 5 $1$Iz1I$4wkuF1PS6fHlccO6yS/f6/
enable password 7 04490424161F56561C1C1656
!
ip subnet-zero
ip tftp source-interface Loopback0
ip telnet source-interface Loopback0
ip spd enable
ip cef distributed
ip cef accounting per-prefix prefix-length
ip multicast-routing
ip dvmrp route-limit 20000
ip rcmd rsh-enable
ip rcmd remote-host nobody 207.173.0.18 nobody
ip rcmd remote-host peering 207.173.0.2 peering
ip rcmd remote-host netstats 207.173.86.4 netstats
ip rcmd source-interface Loopback0
ip accounting-threshold 400
ip tcp path-mtu-discovery
!
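The `service password-encryption` line above makes IOS store line and enable passwords as type 7 strings (`enable password 7 ...`). Type 7 is a fixed-key XOR obfuscation, not encryption: anyone who can read the config recovers the clear text, which is why `enable secret` (type 5, MD5) is the line that actually protects the enable password. The deck's own line configuration shows the point: vty 0 carries `password 7 0823414558125756` and vty 2 4 carries the same password in the clear, `bmk1k2!`. The decoder below is an added example, not from this deck or from Cisco; the sample config it scans is excerpted from this deck's configuration slides.

```python
"""Cisco type 7 ('service password-encryption') decode and encode.

Added example for this deck, not Cisco code. Type 7 is a fixed-key XOR
(Vigenere-style) obfuscation: anyone who can read the config can recover
the clear text, so 'enable secret' (type 5, MD5) is what actually protects
the enable password, and type 7 strings in a leaked config are clear text.
"""
import re
from typing import Dict, Optional

# The fixed key every IOS box uses; the two leading decimal digits of a
# type 7 string pick the starting offset into it.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches 'password 7 <tok>', 'enable password 7 <tok>', 'username x password 7 <tok>'.
TYPE7_LINE = re.compile(r"\bpassword 7 (\S+)\s*$")


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a type 7 string (two-digit seed + hex bytes)."""
    if len(encoded) < 4 or not encoded[:2].isdigit():
        raise ValueError("type 7 strings start with a two-digit seed")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])  # ValueError on odd length or non-hex
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 2) -> str:
    """Produce the string IOS would store for 'plain'. IOS itself picks seeds 0-15."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    out = [f"{seed:02d}"]
    out += [f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
            for i, ch in enumerate(plain)]
    return "".join(out)


def harvest_type7(config_text: str) -> Dict[str, Optional[str]]:
    """Map every 'password 7' token in a config to its clear text.

    A token that does not decode (for example a clear-text password pasted
    after 'password 7', as in this deck's 'line vty 2 4') maps to None.
    """
    found: Dict[str, Optional[str]] = {}
    for line in config_text.splitlines():
        m = TYPE7_LINE.search(line)
        if not m:
            continue
        token = m.group(1)
        try:
            found[token] = type7_decode(token)
        except ValueError:
            found[token] = None
    return found


# Constructed sample: the password-bearing lines excerpted from this deck's
# configuration slides.
SAMPLE_CONFIG = """\
enable secret 5 $1$Iz1I$4wkuF1PS6fHlccO6yS/f6/
enable password 7 04490424161F56561C1C1656
line vty 0
 password 7 0823414558125756
line vty 2 4
 password 7 bmk1k2!
"""

if __name__ == "__main__":
    for token, clear in harvest_type7(SAMPLE_CONFIG).items():
        print(f"{token:28s} -> {clear if clear is not None else '(not type 7)'}")
```

Run it and the vty 0 string comes back as `bmk1k2!`, matching the clear-text line on the vty 2 4 stanza. The practical consequence for a config review: treat every `password 7` in a backup, a TFTP share or a pasted ticket as a disclosed credential, and keep `enable secret` rather than `enable password` as the thing that gates privileged EXEC.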

17

Interface Configuration
interface Loopback0
 description _BB_, IBGP Router Address
 ip address 207.173.112.8 255.255.255.255
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 transmit-buffers backing-store
!
interface ATM0/0
 description _BB_, 10.1-SCRLA001-SCRLIC01-0.0-OC3, DB101/OC3/XXXX/XXXX
 no ip address
 no ip directed-broadcast
 ip pim sparse-dense-mode
 no ip route-cache optimum
 shutdown
!
interface FastEthernet1/0/0
 description _NM_, SACRAMENTO DMZ
 ip address 209.210.75.245 255.255.255.252
 ip access-group 180 out
 no ip directed-broadcast
 no ip route-cache optimum
 ip route-cache distributed
 full-duplex
 no cdp enable
!
interface Hssi1/1/0
 description _TP_, SPRINT, AS1239, 6025/T3/SCRLCACWH02/SCRMCAGFH01,PON:eds#1712-001
 ip address 144.228.107.18 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache optimum
 ip route-cache distributed
 no cdp enable
!
interface Fddi4/0/0
 description _BB_,SCRLIC01-SCRLIC02-SCRLIB01,IO101/FDDI/
 ip address 207.173.112.250 255.255.255.248
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip pim sparse-dense-mode
 no ip route-cache optimum
 ip route-cache distributed
 ip ospf cost 10
 no keepalive

18

Global Config - routing
router ospf 300
 passive-interface FastEthernet1/0/0
 passive-interface Ethernet4/1/0
 passive-interface Ethernet4/1/1
 passive-interface Ethernet4/1/2
 passive-interface Ethernet4/1/3
 network 207.173.112.8 0.0.0.0 area 2
 network 207.173.112.250 0.0.0.0 area 2
 network 207.173.113.0 0.0.0.255 area 0
 network 207.173.114.0 0.0.0.255 area 0
 ospf log-adjacency-changes
!
router bgp 5650
 no synchronization
 no bgp client-to-client reflection
 bgp log-neighbor-changes
 bgp dampening 40 450 950 160
 redistribute connected route-map BB-ROUTE-CONNECTEDS
 redistribute static route-map BB-ROUTE-STATICS
 neighbor IBGP-REGION-10 peer-group
 neighbor IBGP-REGION-10 remote-as 5650
 neighbor IBGP-REGION-10 description IBGP AS Region-10
 neighbor IBGP-REGION-10 update-source Loopback0
 neighbor IBGP-REGION-10 next-hop-self
 neighbor IBGP-REGION-10 send-community
 neighbor IBGP-REGION-10 soft-reconfiguration inbound
 neighbor IBGP-REGION-10 route-map BB-AS5650-OUT out
 neighbor 144.228.107.17 remote-as 1239
 neighbor 144.228.107.17 send-community
 neighbor 144.228.107.17 soft-reconfiguration inbound
 neighbor 144.228.107.17 distribute-list 190 in
 neighbor 144.228.107.17 distribute-list 191 out
 neighbor 144.228.107.17 route-map SPRINT-AS1239-IN in
 neighbor 144.228.107.17 route-map SPRINT-AS1239-OUT out
 neighbor 207.173.112.1 peer-group IBGP-REGION-10
 neighbor 207.173.112.1 description IBGP-cr02.slkc.eli.net

19

Global Config - access control
ip community-list 1 permit 5650:10
ip community-list 2 permit 5650:20
ip community-list 3 permit 5650:30
ip community-list 4 permit 5650:40
ip community-list 5 permit 5650:50
!
ip as-path access-list 9 permit .*
ip as-path access-list 10 permit ^$
ip as-path access-list 10 permit ^(10260_)+$
ip as-path access-list 10 permit ^(10323_)+$
ip as-path access-list 10 permit ^(10345_)+$
ip as-path access-list 10 permit ^(10406_)+$
ip as-path access-list 10 permit ^(10444_)+$
ip as-path access-list 10 permit ^(10494_)+$
!
access-list 6 permit 208.131.4.34
access-list 7 permit 128.11.16.0 0.0.7.255
access-list 101 deny ip host 207.173.112.8 any
access-list 101 permit ip any any
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 permit ip any any
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 152.148.0.0 0.0.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 240.0.0.0 15.255.255.255 any
access-list 105 permit ip any 0.0.0.0 255.255.255.0

20

Line Configuration
line con 0
 exec-timeout 5 0
 login authentication no_tacacs
 length 20
 stopbits 1
line aux 0
 exec-timeout 5 0
 login authentication no_tacacs
 modem answer-timeout 120
 modem InOut
 terminal-type vt100
 length 25
 transport preferred none
 transport input all
 rxspeed 19200
 txspeed 19200
 flowcontrol hardware
line vty 0
 access-class 110 in
 exec-timeout 60 0
 password 7 0823414558125756
 login authentication vty
 length 25
 width 132
 notify
line vty 1
 access-class 110 in
 exec-timeout 60 0
 password 7 0823414558125756
 login authentication vty
 length 25
 width 132
line vty 2 4
 access-class 110 in
 exec-timeout 60 0
 password 7 bmk1k2!
 login authentication vty

21

Prompt Levels*
• Disabled (user EXEC): hostname>
• Enabled (privileged EXEC): hostname#
• Configuration:
  hostname(config)#
  hostname(config-if)#
  hostname(config-subif)#
  hostname(config-router)#

*online [context sensitive] help always available

22

Power On Self Test (POST)
• Environmental Diagnostics
• Decompress/Copy IOS to Running Memory
• Copy Config to Running Memory
  – If there is no Config, run the Setup utility
• Configure RTR according to Config
• Enable Interfaces

23

Initial Configuration
• Setup Mode
• CLI
• Passwords
• Banners
• Host info: name, clock, security, etc.
• Saving config to NVRAM
• Show commands

24

Good for Security
• Global
  – no ip source-route
  – no cdp run
  – no ip http server
• Interface
  – no ip directed-broadcast
    • no translation of directed broadcasts into physical (layer 2) broadcasts, so the router cannot be used as a smurf amplifier
  – no ip unreachables
    • don’t send ICMP unreachable messages
  – no ip proxy-arp
    • don’t answer ARP requests for other hosts with the router’s own MAC address
  – no ip redirects
    • don’t send ICMP redirect messages
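The items on this slide are the kind of thing a config review checks mechanically. The checker below is an added example, not from this deck or from Cisco: it splits an IOS config into global lines and per-interface stanzas and reports which of the slide's settings are not explicitly present. The sample config is constructed from the deck's interface-configuration slide. One caveat a reviewer must apply by hand: a config lists only non-default values, so a missing `no ip directed-broadcast` is already the default on IOS 12.0 and later; the checker flags it anyway so that decision is made explicitly rather than by omission.

```python
"""Check an IOS config for the hardening items on the 'Good for Security' slide.

Added example, not from the deck or from Cisco. A config lists only
non-default values (e.g. directed-broadcast is off by default from 12.0),
so every reported gap is a question for the reviewer, not a proven hole.
"""
from typing import Dict, List, Tuple

GLOBAL_EXPECTED = ("no ip source-route", "no cdp run", "no ip http server")
INTERFACE_EXPECTED = ("no ip directed-broadcast", "no ip unreachables",
                      "no ip proxy-arp", "no ip redirects")
CDP_PER_INTERFACE = "no cdp enable (or global no cdp run)"


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global_lines, {interface_name: [sub-commands]}).

    Indented lines under non-interface stanzas (router, line, ...) are ignored.
    """
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None            # '!' or a blank line closes a stanza
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> Dict[str, List[str]]:
    """Return {scope: [missing settings]}; scopes with nothing missing are omitted."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    report: Dict[str, List[str]] = {}
    missing = [g for g in GLOBAL_EXPECTED if g not in present]
    if missing:
        report["global"] = missing
    cdp_global_off = "no cdp run" in present
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            continue                  # not forwarding; re-check when brought up
        have = set(cmds)
        gaps = [c for c in INTERFACE_EXPECTED if c not in have]
        # CDP can be silenced globally or per interface; either satisfies the check.
        if not cdp_global_off and "no cdp enable" not in have:
            gaps.append(CDP_PER_INTERFACE)
        if gaps:
            report[name] = gaps
    return report


# Constructed sample, cut down from this deck's interface-configuration slide.
SAMPLE_CONFIG = """\
version 11.1
service password-encryption
hostname cr01.scrl
!
interface Loopback0
 ip address 207.173.112.8 255.255.255.255
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
!
interface ATM0/0
 no ip address
 shutdown
!
interface FastEthernet1/0/0
 description _NM_, SACRAMENTO DMZ
 ip address 209.210.75.245 255.255.255.252
 no ip directed-broadcast
 no cdp enable
!
interface Hssi1/1/0
 ip address 144.228.107.18 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
router ospf 300
 passive-interface FastEthernet1/0/0
"""

if __name__ == "__main__":
    for scope, gaps in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: missing {', '.join(gaps)}")
```

Against the sample, the three global items are absent, the shut-down ATM0/0 is skipped, and every active interface lacks `no ip unreachables`; adding `no cdp run` globally clears the per-interface CDP finding on Loopback0 without touching the interface stanzas.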

25

Good Idea
• Global
  – ip classless (on by default since IOS 11.3)
    • Affects the forwarding process only; it does not change how the routing table is built. With it configured, a packet whose destination falls in a known major network but matches none of its subnets is forwarded to a supernet or default route instead of being dropped.
  – ip subnet-zero (on by default since IOS 12.0)
    • RFC 950 reserved subnet zero, so without this command the first subnet (by the old classful boundaries) can’t be assigned to a router interface.
  – no logging console
    • Keeps messages from queuing up on the console and consuming system cycles.
  – logging
    • Set the trap level and push the messages to a syslog server.
• Routing
  – Log neighbor state changes