Configuring the Router
The Cisco Internetwork Operating System (IOS) is extremely flexible and powerful. Hence, there are many subtleties to configuring certain services and many things that the router can do that you will never use. For the full description of the options that can be used with each of these commands, refer to the router configuration guide and command reference. These documents are available in printed form and via the World Wide Web as http://www.cisco.com/univercd/data/doc/software.htm. (hint: This is a good bookmark to place in Netscape.) From there, you may select the appropriate version of IOS to find the section you are looking for.
Cisco interfaces are named according to interface type and interface number. The 7000, 7200, and 7500 series routers also add a slot number. All interfaces and slots are indexed at zero. The first ethernet port on a model 2501 router would be identified as Ethernet0. The fourth serial port on a 7000 with a serial card in slot 2 would be Serial2/3.
* For the remainder of this section, it is assumed that the reader has entered the terminal configuration mode within the router via "configure terminal" from the privileged EXEC prompt.
I. Set a Hostname
The first order of business in configuring a router is to choose a hostname for the router. This name is not used by the router itself and is entirely for human consumption. The hostname you set replaces "Router" in the prompt and can be useful in distinguishing which router you are connected to when telnetting among several routers. This line also appears within the first 20 lines of the configuration file and can be used to distinguish saved configurations of one router from another. The form of this command is
hostname <name>
II. Establishing Enable Password Protection
Before connecting the router to your network it is also a good idea to set the enable password. This password is used to gain privileged access to the router so it should not be an obvious password. The format of this command is as follows:
enable password <password>
This password may contain any alphanumeric characters up to 80 including spaces but MUST NOT START with a number or a space. The password is stored in an unencrypted (plain text) format in the configuration file. Obviously, it is desirable to have the password encrypted before it is saved. To do this, use:
service password-encryption
This will cause all passwords in the system to be encrypted before being stored in a saved configuration using Cisco's proprietary encryption algorithm.
NOTE: There is no way to recover a lost encrypted password.
III. Optionally Enable UDP and TCP network services
Cisco routers support standard network services for TCP and UDP such as echo, discard, daytime, and so forth. These services are enabled with the commands
service tcp-small-servers
service udp-small-serversIt should be noted that these package all standard network services in one bundle. Without creating access lists, it is not possible to disallow any of the services these create.
Cisco also supports a finger daemon to give information about who is connected to a given router. This service is enabled by default. Finger may be disabled as follows
no service finger
IV. Configure Console and Network Access
Initialy, the only device setup for access is the console. When placed in the field, it is more convenient to program and maintain the routers through a telnet connection than it is to dial up into each router to configure or monitor the system. In order to do this, virtual ttys (vtys) must be configured. Generally, 5 vtys should be configured however, the router will support up to 100. Each should be given a timeout to avoid all vtys being in use. If all vtys are in use, further connection attempts will result in a "connection refused". It is probably a good idea to force the user to enter a password before he can login to the router through a vty as well. An example of this configuration is shown below.
line vty 0 4
exec-timeout 30 0
login
password steamboatThis creates 5 vtys numbered 0 through 4. Each vty has a timeout of 30 minutes and 0 seconds. These vtys require a password for login. This password is "steamboat". Note: If password-encryption is enabled, this password is encrypted before being stored in the router's configuration. The minimum number of vtys that may be enabled is 5.
Usually you do not want to require a password for console access but you would like to specify a timeout.
line con 0
exec-timeout 15 0For a full description of how each vty may be configured, refer to chapter 4 of the router configuration guide.
V. Configure Serial and Ethernet Interfaces
By far, the easiest interfaces to configure are ethernet interfaces. To bring up an ethernet interface, all that is necessary is to assign it an IP address, associate a netmask with that address, and turn up the interface. For example, to bring online the ethernet interface on a 2501 and assign it the IP address 150.151.152.1 with a class C netmask (255.255.255.0), the following commands would be used:
interface Ethernet0
ip address 150.151.152.1 255.255.255.0
no shutdownand thats it. It should be noted that this has the side effect of placing a route for 150.151.152.0 in the 2501's routing tables since this is a network that is directly "Connected" via ethernet0. As a result, you can immediately connect to any system on that network from the router. Routing and types of routes will be discussed later in this document.
Configuring serial interfaces for point to point connections is not too different.
interface serial0/3
ip address 203.142.253.33 255.255.255.252
encapsulation ppp
mtu 1500
no shutdownThis gives serial0/3 the address 203.142.253.33 and makes it part of a subnet of 2 ip addresses (plus broadcast/network number) of 203.142.253.32-35. Again, a connected route is placed in the routing tables. These routes can be useful when configuring BGP or OSPF or some other routing protocol as discussed later. IP subnetting, as used in the above example, is not covered within the scope of this document.
The preceeding example also assigned a link encapsulation of PPP to the interface and gives it an MTU of 1500 bytes, which is the default if no MTU is specified. This is correct for most instances, but when connecting to another cisco, it will be slightly more efficient to make use of Cisco's HDLC protocol. This is the default encapsulation for all serial interfaces. To make use of this, either omit the encapsulation or specify "no encapsulation" to remove a previous setting.
There is a third encapsulation for serial interfaces, frame relay, which will be discussed in its own section later on.
VI. Configuring the CIP card and the virtual interfaces
The CIP card appears to the router as a controller instead of a standard interface. T1 channels may be defined, modified, or deleted without any external configuration to the card. CSU loops may be initiated and released from within software and testing patterns run to these loops from the router. The advantages of full management is well known to anyone who has spent any time at all performing work as a network operations technician. The ability to quickly determine CSU states, attempt quick fixes, and obtain a full diagnostic of the problem is invaluable when reporting an outage to a carrier. The more information that can be provided to them during the initial problem report can often greatly speed the diagnostic and repair processes.
The T3 controller, since it is built on VIP2 technology introduces a third level to the card designation. Instead of simply slot/port, it not introduces a port adaptor number. Since there is only one CT3IP per card, the port and port adaptor numbers will always be zero. An interface in slot 2 will be identified as 2/0/0. T1 channels are designated by a colon and a channel number after the interface identifier (numbering 1 through 28 to coincide with belcore designations). In the previous example, the 17th T1 channel would be 2/0/0:17.
The first step in configuring this interface is the configuration of the T3. Settings required are T3 framing, clock source, and cable distance (which is used in determining the LBO to use). The default cable length is 224 feet. This should be acceptable for most applications. The framing types availible are cbit and m23. It is possible to configure the router to auto-detect framing but in many instances, auto detection can lead to future problems so it is best to use this only when you are uncertain of the framing being used. Once the framing has been identified, it can then be set staticly in the router's configuration.
For most muxed T3s, the framing type will be m23. cbit is used, for example, in a clear channel T3 into an ATM network.
controller t3 0/0/0
framing m23
clock source line
cablelength 224Once the T3 has been configured, T1 channels may be assigned. The T1 channels need to be configured for the number of slots on the T1 in use, the framing and encoding being used, the speed of the underlying DS0s (56K or 64K), and the clock source for the T1.
controller t3 0/0/0
t1 1 timeslots 1-24 speed 64
t1 1 clock source line
t1 1 framing esf
t1 1 linecone b8zsT1 default parameters are clock source line, esf, b8zs, and 64K DS0s. If this is the desired configuration, the only command necessary is "t1 1 timeslots 1-24".
The first three channels on the T3 may also be output to the connectors on the outside of the card. This is accomplished by configuring that T1 as external.
controller t3 0/0/0
t1 external 1After the T1 is configured, the router creates a virtual serial interface. This interface does not appear until the T1 has been created and is identified in the same manner described above. For example, to refference the serial interface for the first t1, it would be identified as Serial0/0/0:1. This interface may beconfigured as any other serial interface.
Loopbacks and tests are initiated from the interface level. The T3 may also be looped back from the controller configuration. It is important to note that the T1s may NOT be looped from the controller configuration.
interface Serial0/0/0:1
loopback networkThe loop is removed by specifying "no loopback network" in the interface configuration.
VII. Add IP Routes and Set a Default Route
Obviously, the internet is not centered around one router. Usually, to get to another system requires passing through at least one other router (probably several). It is also possible that more than one network will end up on a single interface. The general form of Cisco's route command is
ip route <network> <mask> <interface/next-hop> [metric]
The metric is used by certain routing protocols such as RIP as a hint to other routers of the "distance" to network when advertising this route to other routers. In general, you can omit the metric and let the routing protocols assign default values to these.
Examples:
Add a route for 202.123.100.0 (class C) through 204.203.12.1.
ip route 202.123.100.0 255.255.255.0 204.203.12.1
Add 122.250.0.0 (class B) to ethernet0
ip route 122.250.0.0 255.255.0.0 Ethernet0
Classless Inter-Domain Routing.
With the recent explosion of the internet, Dividing address into class A, B, C, and D networks is no longer adequate. Cisco's IOS support the concept of Classless Inter-Domain Routing, or CIDR entries (often pronounced "cider") to allow a given subset of any class of network to be routed at a given destination. For example, the following example routes 8 class Cs at the specified router.
ip route 221.243.242.0 255.255.248.0 128.230.3.1
Note that the only change from the above examples is the different mask. This command uses subnet style netmasks to split off 8 class C networks beginning at 221.243.242.0 through 221.243.250.0 and lists 128.230.3.1 as the next-hop router. Normally, 8 routes would be needed to accomplish what this one entry has done. The goal of CIDR routing is to simplify routing tables and reduce the size of the internet routing tables, preventing complete collapse when older backbone routers (such as sprint, ANS, and Alternet) reach a point where they simply do not have enough memory to hold the full internet routing tables and cannot operate. Such outages cause major disruption of internet services worldwide.
One practice often used is subnetting a class C network into blocks of 64 or 32 IP addresses for customers who don't require the full 254 addresses in order to save wasting large blocks of numbers. Traditional subnetting allowed you to split a class C into blocks of 4, 8, 16, 32, 64, and 128 but ONLY one size. Cisco's IOS supports variable length subnetting however. This allows a class C to be segmented such that it is possible to have some portions 4 addresses in length, some in 32, etc. This permits more efficient use of addresses by eliminating the need to send 32 addresses at a customer who only intends to use 6.
One caveat of subnet routing is that the IOS does not normally permit you to specify a subnet mask with a class C address (ie, you can't route a subnet of 8 addresses 203.102.123.0 since that is the network number for a class C and it wants to treat the route as a class C route). This can cause confusion when looking at routing tables. In order to get around this, Cisco has provided a command to override this behavior:
ip subnet-zero
Once that has been entered, it will very happily take the subnet route.
VIII. Configure Frame Relay
Configuring Frame Relay is a little more complicated than configuring point to point networks and therefore involves a few more steps. First is to configure the interface as a frame relay link. At the same time, you need to specify the type of frame relay packets carried by this network. Currently, cisco only supports IETF and Cisco's own frame relay packet types. Since not very many vendors use the cisco format, we always specify IETF. The format of this command as as follows.
interface Serial0/0
ip address 1.2.3.4 255.255.255.224
encapsulation frame-relay IETFHaving the wrong LMI type specified can interfere with the operation of the frame relay circuit. Cisco supports LMI types ANSI (annex D), cisco (default), and q933a (annex A). Most vendors' switches are capable of auto detecting which LMI type you are using but not all. Generally, its safe to leave the default LMI type set. Should you need to change it, the command is
frame-relay lmi-type ANSI
to specify the ANSI packet format.
Using LMI, the router can obtain information from the switch and other routers with PVCs to this circuit to build its own DLCI list or map as its sometimes called. However, it should be noted that cisco has problems talking to some vendors' equipment (most notably Livingston Enterprises.) This can result in the router sensing an active PVC (based on what its getting from the switch) but not being able to tell what the address of the router on the other end is. For the sake of robustness, it is generally better to manually configure the DLCI list. This can make it more difficult to configure the router or make changes in the frame relay network but can save considerable headaches when initially configuring a circuit or coping with service disruptions within the frame relay network.
The DLCI number assigned to each PVC is provided by the telco and is entered into the router along with the networking protocol operating over this PVC as well as additional optional information about this PVC. For example, a router transmitting IP into with an address of 10.2.3.4 and connected to DLCI 19 would be entered into the "map" as shown below
frame-relay map ip 10.2.3.4 19 broadcast IETF
Again, the packet type needs to be specified for this particular PVC and again, we have selected IETF. The "broadcast" keyword instructs the router to forward broadcast packets over this PVC. This can assist with broadcast routing protocols, for example. One line is needed for each DLCI configured. You can check to see the status of the PVC you just setup by entering the command "show frame-relay map" from the EXEC prompt.
IX. Configure Asynchronous Transfer Mode (ATM)
The structure of ATM draws heavily from X.25 and frame relay but is designed to operate at much higher speeds. Unlike frame relay, however, there is a card for the 7000 and 7500 series router designed specially to interface with the ATM network. It is also possible to configure ATM over a serial interface using a serial interface (either FSIP or HSSI) or (on a 4000) an NMP. For more information on this configuration, refer to chapter 7 of the configuration guide.
Configuring the ATM interface begins with assigning the interface an IP address (as demonstrated earlier in this document). Like Frame Relay, ATM requires that each host on the network be a part of the same subnet. The next step is configuring PVCs. There are two parts to doing this. The first is creating the PVC "map" on the interface. The second is mapping a protocol address to each PVC created. PVCs are created by assigning a Virtual Circuit Descriptor (VCD) to a given Virtual Path Identifier (VPI) and a Virtual Circuit Identifier (VCI). The VCI for a given link, as with frame relay DLCIs, is assigned by the carrier. The general form of the command to create a PVC on a given interface is
atm pvc <vcd> <vpi> <vci> <aal-encapsulation> [[<midlow> <midhigh>]
[<peak> <avg> <burst> [oam <seconds>]]The VCD is specific to the router and is used by the router to match VPI/VCI pairs and can be different than the numbers used to identify the VPI and VCI. It is also necessary to specify an encapsulation for the ATM packets over this VCI. This is the ATM Adaptation Layer (AAL). The peak and average values are used to specify the bandwidth at which this PVC will be permitted to connect. When these values are omitted, the highest possible connection rate is assumed.
Next, it is necessary to map a protocol to each PVC created on an interface. This is accomplished by creating a map list. Each entry in this list has the form "<protocol> <address> atm-vc <vcd> [broadcast]" where protocol is either IPX, IP, or AppleTalk for example. The address is the address of the remote router with respect to the protocol being transmitted over the virtual connection.
Once the map is created, it need to be associated with a given ATM interface using the interface command "map-group <map name>
An example configuration might look as follows
interface ATM1/0
ip address 1.2.3.4 255.255.255.224
ipx network 121
atm pvc 32 0 3 aal5snap
atm pvc 33 0 4 aal5snap
map-group atm-map-1
map-list atm-map-1
ip 1.2.3.5 atm-vc 3 broadcast
ipx 121.0000.0c7e.a45.546 atm-vc 4There are two principle AAL encapsulations appropriate for use with data. The first, as already shown is aal5snap. This encapsulation allows multiple protocols to be routed over a virtual circuit. The second encapsulation is AAL5MUX. This encapsulation dedicates a single protocol to a virtual circuit. It has slightly less overhead than AAL5SNAP and can be useful when the network you are attached to has been configured with a per packet usage charge.
The current default for Cisco's IOS is AAL5SNAP. However, earlier versions of the operating software specified AAL5NLPID as the default. NLPID is also a multi protocol encapsulation somewhat similar to SNAP which is often used when running ATM over a serial interface (such HSSI) where an external ATM DSU is necessary. This encapsulation is prevalent at exchange points such as Ameritech's NAP (AADS).
Tidak ada komentar:
Posting Komentar