Multilink on Cisco

R1# conf t
R1# username R2 password cisco
R1# int s0/0/0
R1# encapsulation ppp
R1# ppp multilink group 1
R1# clock rate 128000
R1# exit
R1# int s0/1/0
R1# encapsulation ppp
R1# ppp multilink group 1
R1# clock rate 128000
R1# exit
R1# int multilink 1
R1# ip add 8.8.8.8 255.255.255.0
R1# no shut
R1# encapsulation ppp
R1# ppp authentication chap

R2# conf t
R2# username R1 password cisco
R2# int s0/0/0
R2# encapsulation ppp
R2# ppp multilink group 1
R2# exit
R2# int s0/1/0
R2# encapsulation ppp
R2# ppp multilink group 1
R2# exit
R2# int multilink 1
R2# ip add 8.8.8.9 255.255.255.0
R2# no shut
R2# encapsulation ppp
R2# ppp authentication chap

For one-way authentication, configure R2 as follows; the `callin` keyword makes R2 authenticate the peer only on calls it receives.

R2# conf t
R2# int s0/0/0
R2# encapsulation ppp
R2# ppp multilink group 1
R2# exit
R2# int s0/1/0
R2# encapsulation ppp
R2# ppp multilink group 1
R2# exit
R2# int multilink 1
R2# ip add 8.8.8.9 255.255.255.0
R2# no shut
R2# encapsulation ppp
R2# ppp authentication chap callin
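
The CHAP exchange that `ppp authentication chap` runs over the multilink bundle, as an added example in Python (not code from the original page). It follows RFC 1994: the authenticator sends an identifier, a random challenge and its own hostname; the peer looks up the challenger's name in its `username` table and returns MD5(identifier || secret || challenge); the authenticator recomputes the digest with the secret it stores for the peer's name. The router names and the shared secret "cisco" come from the configuration above; the challenge bytes are constructed here.

```python
"""CHAP (RFC 1994) as used by `ppp authentication chap` between R1 and R2.

Added example, not from the original page. The `username` tables below
mirror the `username <peer> password cisco` lines of the configuration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    # `username <peer> password <secret>`: secret indexed by the peer's hostname
    users: dict = field(default_factory=dict)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def make_challenge(authenticator: Router, ident: int, nonce: bytes = None):
    """Challenge packet: identifier, random value, and the authenticator's name."""
    return ident, (nonce if nonce is not None else os.urandom(16)), authenticator.name


def respond(peer: Router, ident: int, nonce: bytes, challenger: str):
    """The peer looks the challenger's name up in its username table and hashes.
    Only the digest goes on the wire; the secret itself never does."""
    secret = peer.users.get(challenger)
    if secret is None:
        return None                      # no `username <challenger>` entry: cannot answer
    return ident, chap_response(ident, secret, nonce), peer.name


def verify(authenticator: Router, ident: int, nonce: bytes, response) -> bool:
    """Authenticator recomputes the digest with the secret stored for the peer's name."""
    if response is None:
        return False
    resp_id, digest, peer_name = response
    secret = authenticator.users.get(peer_name)
    if secret is None or resp_id != ident:
        return False
    return hmac.compare_digest(digest, chap_response(ident, secret, nonce))


def authenticate(authenticator: Router, peer: Router, ident: int = 1, nonce: bytes = None) -> bool:
    """One direction of CHAP: `authenticator` challenges `peer`."""
    ident, nonce, name = make_challenge(authenticator, ident, nonce)
    return verify(authenticator, ident, nonce, respond(peer, ident, nonce, name))


# The page's two-way setup: each router holds a username entry for the other.
R1 = Router("R1", {"R2": "cisco"})
R2 = Router("R2", {"R1": "cisco"})


def two_way() -> bool:
    """`ppp authentication chap` on both ends: each side challenges the other."""
    return authenticate(R1, R2) and authenticate(R2, R1)


def one_way() -> bool:
    """With `callin` on R2, R2 challenges only calls it receives, so on a call
    R2 places only R1 challenges R2. The responder still needs the shared
    secret to compute its digest."""
    return authenticate(R1, R2)


if __name__ == "__main__":
    print("two-way:", two_way(), "one-way:", one_way())
```

Because the response is a digest over a fresh random challenge, a captured exchange cannot be replayed, and a mismatched `username`/password pair on either side simply fails verification.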

Cisco dynamic routing

RIPv2

R0# conf t
R0# int lo0
R0# ip add 10.10.10.1 255.255.255.0
R0# no shut
R0# exit
R0# int f0/0
R0# ip add 10.10.1.1 255.255.255.0
R0# no shut
R0# exit
R0# router rip
R0# version 2
R0# no auto-summary
R0# network 10.10.10.0

R1# conf t
R1# int lo0
R1# ip add 10.10.11.1 255.255.255.0
R1# no shut
R1# exit
R1# int f0/0
R1# ip add 10.10.1.2 255.255.255.0
R1# no shut
R1# exit
R1# router rip
R1# version 2
R1# no auto-summary
R1# network 10.10.11.0

OSPF

R1# conf t
R1# int f0/1
R1# ip add 10.10.2.1 255.255.255.0
R1# no shut
R1# exit
R1# router ospf 1
R1# network 10.10.2.0 0.0.0.255 area 0
R1# network 10.10.11.0 0.0.0.255 area 0

R2# conf t
R2# int lo0
R2# ip add 10.10.12.1 255.255.255.0
R2# no shut
R2# exit
R2# int f0/1
R2# ip add 10.10.2.2 255.255.255.0
R2# no shut
R2# exit
R2# router ospf 1
R2# network 10.10.2.0 0.0.0.255 area 0
R2# network 10.10.12.0 0.0.0.255 area 0

EIGRP

R2# conf t
R2# int f0/0
R2# ip add 10.10.3.1 255.255.255.0
R2# no shut
R2# exit
R2# router eigrp 1
R2# network 10.10.3.0 0.0.0.255
R2# network 10.10.12.0 0.0.0.255

R3# conf t
R3# int lo0
R3# ip add 10.10.13.1 255.255.255.0
R3# no shut
R3# exit
R3# int f0/1
R3# ip add 10.10.3.2 255.255.255.0
R3# no shut
R3# exit
R3# router eigrp 1
R3# network 10.10.3.0 0.0.0.255
R3# network 10.10.13.0 0.0.0.255

Route redistribution

R1# conf t
R1# router rip
R1# redistribute ospf 1 metric 1 match internal
R1# exit
R1# router ospf 1
R1# redistribute rip metric 1 subnets

R2# conf t
R2# router ospf 1
R2# redistribute eigrp 1 subnets
R2# exit
R2# router eigrp 1
R2# redistribute ospf 1 metric 1544 2000 255 1 1500 match internal external 2
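
The five numbers after `metric` in the EIGRP redistribute command are the seed metric: bandwidth in kbps, delay in tens of microseconds, reliability (out of 255), load (out of 255) and MTU. RIP's `metric 1` is just a hop count, but EIGRP combines its values with the classic composite formula, and without a seed metric (or `default-metric`) routes redistributed from OSPF are treated as unreachable and never advertised. The following Python is an added example, not code from the page, that extracts the values from the command above and computes the metric EIGRP assigns; default K values are assumed.

```python
"""Composite metric behind `redistribute ospf 1 metric 1544 2000 255 1 1500`.

Added example, not from the original page. Uses the classic (non-wide)
EIGRP formula with the default K values.
"""
import re

K_DEFAULT = (1, 0, 1, 0, 0)   # K1..K5; with these, only bandwidth and delay count


def eigrp_metric(bandwidth_kbps, delay_tens_us, reliability=255, load=1, k=K_DEFAULT):
    """Classic EIGRP composite metric.

    metric = 256 * [K1*BW + K2*BW/(256-load) + K3*delay] * [K5/(reliability+K4)]
    where BW = 10^7 / bandwidth_kbps (integer) and the second bracket is only
    applied when K5 != 0.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // bandwidth_kbps               # scaled inverse of the slowest link
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:                                          # reliability term only when K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def seed_metric(redistribute_cmd):
    """Return the composite metric produced by the `metric` values of a
    `redistribute ... metric BW DELAY RELIABILITY LOAD MTU` command, or None
    when no seed metric is given (EIGRP then drops the redistributed routes).
    MTU is carried in updates but is not part of the formula."""
    m = re.search(r"\bmetric\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", redistribute_cmd)
    if not m:
        return None
    bandwidth, delay, reliability, load, _mtu = map(int, m.groups())
    return eigrp_metric(bandwidth, delay, reliability, load)


PAGE_COMMAND = "redistribute ospf 1 metric 1544 2000 255 1 1500 match internal external 2"

if __name__ == "__main__":
    print("seed metric for the page's command:", seed_metric(PAGE_COMMAND))   # 2169856
    print("10 Mbps Ethernet (10000 kbps, 1000 us):", eigrp_metric(10000, 100))  # 281600
```

The values 1544/2000 are the T1 serial defaults, which is why the result equals the familiar 2169856 seen in `show ip route` for a T1.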

Recovering router’s IOS via TFTP

Set up a TFTP server on a PC and place the IOS image in its root directory.

Connect the PC to the FE0/0 port on the router with a crossover cable, since the tftpdnld wizard uses that port by default.

Boot the router. If there is no IOS image in flash, it boots into ROMMON mode. If it does not enter ROMMON automatically, send Ctrl+Break from PuTTY (visit this URL for alternative key input for ROMMON mode).

Once we are in ROMMON mode, we have to specify the following parameters.

  • IP address
  • subnet mask
  • default gateway
  • TFTP server's IP address
  • IOS filename

Enter the following commands.

rommon 1 > IP_ADDRESS=192.168.1.100
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=192.168.1.1
rommon 4 > TFTP_SERVER=192.168.1.50
rommon 5 > TFTP_FILE=c1841-adventerprisek9-mz.124-24.T3.bin
rommon 6 > TFTP_VERBOSE=2
rommon 7 > tftpdnld

The download starts after the tftpdnld command is entered.

After the download completes, the router should reboot automatically and boot into the downloaded IOS.

Zone-based firewall – SSH

When I attempted to allow SSH access on the zone-based firewall, I encountered a problem whereby the SSH protocol selection doesn't do the job of allowing the SSH traffic to cross the zones.

I then tried assigning an extended access list for port 22 to the class-map, and it still didn't work.

I then assigned the class-map with the extended access list to another class-map, assigned the new class-map to the policy-map instead of the old one, and it worked.

! An extended ACE needs a protocol; SSH is TCP port 22.
ip access-list extended SSH-ACL
 permit tcp any any eq 22
! Class that matches the ACL.
class-map type inspect match-any SSH-CLASS
 match access-group name SSH-ACL
! Nested class: the policy references this one instead of SSH-CLASS directly.
class-map type inspect match-any SSH2-CLASS
 match class-map SSH-CLASS
policy-map type inspect SSH-POLICY
 class type inspect SSH2-CLASS
  inspect
 class class-default
  drop
zone-pair security IN-OUT source IN-ZONE destination OUT-ZONE
 service-policy type inspect SSH-POLICY
zone-pair security OUT-IN source OUT-ZONE destination IN-ZONE
 service-policy type inspect SSH-POLICY

Zone-based firewall

Create the security zones.

# conf t
# zone security IN-ZONE
# zone security OUT-ZONE

Assign interfaces to the zones as members.

# conf t
# int f0/0
# zone-member security IN-ZONE
#
# int s0/1/0
# zone-member security OUT-ZONE

Create a class map and assign it to a policy map.

# conf t
# class-map type inspect match-any ICMP-CLASS
# match protocol icmp
# exit

# policy-map type inspect ICMP-POLICY
# class type inspect ICMP-CLASS
# inspect
# end

Create the zone pairs and assign the policy map to them.

# conf t
# zone-pair security IN-OUT source IN-ZONE destination OUT-ZONE
# service-policy type inspect ICMP-POLICY
# exit
# zone-pair security OUT-IN source OUT-ZONE destination IN-ZONE
# service-policy type inspect ICMP-POLICY

After entering the commands above, we should be able to ping between IN-ZONE and OUT-ZONE.
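
What the zone, zone-pair and `inspect` pieces above actually decide for a packet is easier to see in a small model. The following Python is an added example, not code from the page or from Cisco: it reproduces the IN-ZONE/OUT-ZONE membership and the ICMP-POLICY in both directions, applies the zone-based firewall rules (traffic within one zone passes, traffic between a zone member and an unassigned interface is dropped, traffic between zones is dropped unless a zone-pair permits it, and `inspect` records a session so the reply is allowed back). Interface f0/1, the addresses and the ports used in the scenarios are constructed; the router's own self zone is not modelled.

```python
"""Zone-based firewall forwarding decision, modelled in Python.

Added example, not from the original page. It mirrors the IN-ZONE / OUT-ZONE
configuration above; addresses, ports and interface f0/1 are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "icmp", "tcp", "udp"
    sport: int = 0
    dport: int = 0

    def reverse(self):
        """The flow a reply to this one would have."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class ZoneFirewall:
    def __init__(self):
        self.zone_of = {}      # interface -> zone           (zone-member security)
        self.policies = {}     # (src_zone, dst_zone) -> [(proto, dport|None, action)]
        self.sessions = set()  # flows admitted by an `inspect` action

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def zone_pair(self, src_zone, dst_zone, classes):
        """classes: ordered class-map entries; no match falls to class-default (drop)."""
        self.policies[(src_zone, dst_zone)] = classes

    def forward(self, flow, in_iface, out_iface):
        szone, dzone = self.zone_of.get(in_iface), self.zone_of.get(out_iface)
        if szone == dzone:
            return "pass"            # same zone, or both interfaces unassigned: no policy
        if szone is None or dzone is None:
            return "drop"            # zone member <-> non-member is always dropped
        if flow.reverse() in self.sessions:
            return "pass"            # return traffic of an inspected session
        classes = self.policies.get((szone, dzone))
        if classes is None:
            return "drop"            # no zone-pair for this direction: implicit drop
        for proto, dport, action in classes:
            if proto == flow.proto and (dport is None or dport == flow.dport):
                if action == "inspect":
                    self.sessions.add(flow)
                return action
        return "drop"                # class-default


def page_firewall():
    """IN-ZONE on f0/0, OUT-ZONE on s0/1/0, ICMP-POLICY applied to IN-OUT and OUT-IN."""
    fw = ZoneFirewall()
    fw.zone_member("f0/0", "IN-ZONE")
    fw.zone_member("s0/1/0", "OUT-ZONE")
    icmp_policy = [("icmp", None, "inspect")]          # class ICMP-CLASS -> inspect
    fw.zone_pair("IN-ZONE", "OUT-ZONE", icmp_policy)   # zone-pair IN-OUT
    fw.zone_pair("OUT-ZONE", "IN-ZONE", icmp_policy)   # zone-pair OUT-IN
    return fw


def scenarios():
    """Forwarding decisions for constructed traffic."""
    fw = page_firewall()
    ping = Flow("192.168.1.10", "198.51.100.5", "icmp")
    ssh = Flow("192.168.1.10", "198.51.100.5", "tcp", 50000, 22)
    results = {
        "ping in->out": fw.forward(ping, "f0/0", "s0/1/0"),            # inspect
        "ssh in->out": fw.forward(ssh, "f0/0", "s0/1/0"),              # drop: class-default
        "ping to unassigned iface": fw.forward(ping, "f0/0", "f0/1"),  # drop: f0/1 has no zone
    }
    # Variant with only the IN-OUT zone-pair: replies rely on the inspect session.
    one_way = ZoneFirewall()
    one_way.zone_member("f0/0", "IN-ZONE")
    one_way.zone_member("s0/1/0", "OUT-ZONE")
    one_way.zone_pair("IN-ZONE", "OUT-ZONE", [("icmp", None, "inspect")])
    one_way.forward(ping, "f0/0", "s0/1/0")
    results["echo reply out->in"] = one_way.forward(ping.reverse(), "s0/1/0", "f0/0")   # pass
    results["unsolicited ping out->in"] = one_way.forward(
        Flow("198.51.100.9", "192.168.1.10", "icmp"), "s0/1/0", "f0/0")                 # drop
    return results


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:28s} {decision}")
```

The one-way variant shows why the page's OUT-IN zone-pair is not needed for ping replies to come back; it is only needed for pings that originate on the outside.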

Network Address Translation (NAT) on Cisco

Dynamic NAT

# conf t
# ip access-list standard NAT_ADDRESS
# permit 192.168.1.0 0.0.0.255
# deny any
# exit
#
# int f0/1
# ip nat inside
# exit
#
# int f0/0
# ip nat outside
# exit
#
# ip nat inside source list NAT_ADDRESS interface f0/0 overload

Static NAT

Let's say we have a server on the internal network with the address 192.168.1.100, and we want it to have the static global IP address 8.8.8.8 so that hosts on the Internet can reach it.

# conf t
# ip nat inside source static 192.168.1.100 8.8.8.8
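
The following Python is an added example, not code from the page, that models what the two NAT statements above do to packets: the `overload` entry maps every host permitted by NAT_ADDRESS to the single address of f0/0, keeping the source port when it is free and allocating a new one otherwise, and only lets inbound packets through when they belong to a session opened from inside; the static entry maps 192.168.1.100 one-to-one to 8.8.8.8 in both directions, so unsolicited inbound traffic reaches the server. The f0/0 address 203.0.113.1 and the hosts and ports are constructed.

```python
"""Dynamic NAT overload (PAT) and static NAT, modelled in Python.

Added example, not from the original page. The outside address
203.0.113.1 and the inside hosts and ports are constructed.
"""
import ipaddress


class Nat:
    def __init__(self, outside_ip, inside_list, static=None):
        self.outside_ip = outside_ip                          # address of the `ip nat outside` interface
        self.inside_list = ipaddress.ip_network(inside_list)  # what the NAT_ADDRESS ACL permits
        self.static = dict(static or {})                      # inside local -> inside global
        self.dyn = {}                                         # (inside ip, port) -> global port
        self.dyn_rev = {}                                     # global port -> (inside ip, port)

    def _allocate_port(self, wanted):
        """Keep the original source port if nobody else holds it, else take a free one."""
        if wanted not in self.dyn_rev:
            return wanted
        return next(p for p in range(1024, 65536) if p not in self.dyn_rev)

    def outbound(self, src_ip, src_port):
        """Translate the source of an inside -> outside packet; returns (ip, port)."""
        if src_ip in self.static:
            return self.static[src_ip], src_port               # static: one-to-one, port unchanged
        if ipaddress.ip_address(src_ip) not in self.inside_list:
            return src_ip, src_port                            # not matched by the ACL: untranslated
        key = (src_ip, src_port)
        if key not in self.dyn:
            gport = self._allocate_port(src_port)
            self.dyn[key] = gport
            self.dyn_rev[gport] = key
        return self.outside_ip, self.dyn[key]

    def inbound(self, dst_ip, dst_port):
        """Translate the destination of an outside -> inside packet; None means no translation exists."""
        for local, glob in self.static.items():
            if dst_ip == glob:
                return local, dst_port                         # static: unsolicited inbound is reachable
        if dst_ip == self.outside_ip and dst_port in self.dyn_rev:
            return self.dyn_rev[dst_port]                      # only sessions opened from the inside
        return None


def page_nat():
    """The two statements from the page: overload on f0/0 plus the static server entry."""
    return Nat("203.0.113.1", "192.168.1.0/24", {"192.168.1.100": "8.8.8.8"})


if __name__ == "__main__":
    nat = page_nat()
    print(nat.outbound("192.168.1.10", 40000))   # ('203.0.113.1', 40000)
    print(nat.outbound("192.168.1.11", 40000))   # ('203.0.113.1', 1024): port already taken
    print(nat.outbound("10.0.0.5", 5000))        # ('10.0.0.5', 5000): not in NAT_ADDRESS
    print(nat.outbound("192.168.1.100", 443))    # ('8.8.8.8', 443)
    print(nat.inbound("8.8.8.8", 80))            # ('192.168.1.100', 80)
    print(nat.inbound("203.0.113.1", 9999))      # None
```

Overload hides the inside hosts behind one address and has no translation for inbound traffic nobody asked for, but it is not a firewall: the static entry shows how a single line exposes a host fully, so the server behind 8.8.8.8 needs its own access control.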

Access list on Cisco

Standard access list

The following commands create a standard access list that permits the IP address 10.10.10.10 and blocks everything else.

# conf t
# ip access-list standard 1
# permit 10.10.10.10
# deny any

Extended access list

We can use an extended access list to permit or deny a particular protocol such as TCP, UDP or ICMP.

We can also specify the destination address, which a standard access list cannot.

The following commands create an extended access list that allows only connections from network 10.10.10.0/24 to 20.20.20.0/24 and denies everything else.

# conf t
# ip access-list extended 100
# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
# deny ip any any
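
To see how the wildcard masks, first-match order and implicit deny in the two lists above behave on real packets, the following Python is an added example, not code from the page or from Cisco. It parses access-list entries in IOS syntax (standard list 1 and extended list 100 from this post, plus the SSH-ACL from the zone-based firewall post, which as an extended entry needs the `tcp` protocol before its addresses) and evaluates constructed packets against them, reporting which line matched. The packets themselves are made up.

```python
"""Cisco ACL evaluation: wildcard masks, first match, implicit deny.

Added example, not from the original page. The ACLs are the ones shown
on the page; the packets evaluated against them are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"     # "ip", "tcp", "udp", "icmp"
    dport: int = None


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def wildcard_match(addr, base, wildcard):
    """IOS wildcard: a 1 bit means 'ignore this bit'. 0.0.0.0 = exact host,
    255.255.255.255 = any, 0.0.0.255 = the /24 containing base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _addr_spec(t, i, standard):
    """Consume one address spec at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if standard and not (i + 1 < len(t) and _is_ipv4(t[i + 1])):
        return (t[i], "0.0.0.0"), i + 1          # standard list: bare address means host
    return (t[i], t[i + 1]), i + 2               # extended list: address must carry a wildcard


def parse_ace(line, standard):
    """Parse one permit/deny entry. Standard lists match on source only;
    extended lists carry protocol, source, destination and an optional `eq` port."""
    t = line.split()
    action = t[0]
    if standard:
        src, _ = _addr_spec(t, 1, True)
        return {"action": action, "proto": "ip", "src": src,
                "dst": ("0.0.0.0", "255.255.255.255"), "dport": None}
    proto = t[1]
    src, i = _addr_spec(t, 2, False)
    dst, i = _addr_spec(t, i, False)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt, standard):
    """First matching entry wins: returns (action, 1-based line) or ('deny', None)
    for the implicit deny that ends every ACL."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line, standard)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], n
    return "deny", None


# The lists from the page (the SSH-ACL with the protocol an extended entry requires).
STD_ACL_1 = ["permit 10.10.10.10", "deny any"]
EXT_ACL_100 = ["permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255", "deny ip any any"]
SSH_ACL = ["permit tcp any any eq 22"]

if __name__ == "__main__":
    print(evaluate(STD_ACL_1, Packet("10.10.10.10", "1.1.1.1"), True))                 # ('permit', 1)
    print(evaluate(STD_ACL_1, Packet("10.10.10.11", "1.1.1.1"), True))                 # ('deny', 2)
    print(evaluate(EXT_ACL_100, Packet("10.10.10.5", "20.20.20.7", "tcp", 80), False)) # ('permit', 1)
    print(evaluate(EXT_ACL_100, Packet("10.10.10.5", "30.0.0.1", "tcp", 80), False))   # ('deny', 2)
    print(evaluate(SSH_ACL, Packet("10.1.1.1", "10.2.2.2", "tcp", 23), False))         # ('deny', None)
```

The last case is the one that bites in practice: SSH-ACL has no explicit deny, yet Telnet is still dropped by the implicit deny, and a UDP packet to port 22 is dropped too because the entry names `tcp`.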