Network setup - How to - Routers - Cisco - Linux

One of the most common mechanisms for testing IPv6 network interconnection, are 6over4 tunnels, which are used to encapsulate IPv6 packets in IPv4 native network, creating a peer to peer network between two machines that are communicating by this protocol .

Normally an IPv6/IPv4 node, or dual stack, in order to communicate with another computer through an IPv4 network, you need a tunnel interface, in which IPv6 addresses are configured as shown in the graph.

6over4 Tunnels Configuration

Configure the tunnel 6over4 is in principle a relatively simple task, the configuration is similar to that performed in a GRE tunnel

For configuration, you must define the start and destination addresses on both computers, in some cisco equipment does not allow defining the start address, so they can define the start of the tunnel through the interface with local public IPv4 address. To 6over4 tunnel configuration is not necessary to define an IPv4 address.

Router1#configure terminal 
Router1(config)#interface Tunnel10
Router1(config)# ipv6 address 2800:100:101::1/64
Router1(config-if)#tunnel source 154.54.6.5
Router1(config-if)#tunnel destination 206.167.13.198
Router1(config-if)#tunnel mode ipv6ip
Router1(config-if)#end
Router1#

On Router 2, you must create another tunnel interface, as Router 1, and associate the source and destination addresses.

Router2#configure terminal 
Router2(config)#interface Tunnel20
Router1(config)# ipv6 address 2800:100:101::2/64
Router2(config-if)#tunnel source 206.167.13.198
Router2(config-if)#tunnel destination 154.54.6.5
Router1(config-if)#tunnel mode ipv6ip
Router2(config-if)#end
Router2#

As discussed above in some cases the equipment can not define the starting IP address, so you will need to specify the start of the tunnel with the physical interface name, for our example, will the interface f0/0, the command will be the following: "Router2 (config-if) # tunnel source int f0/0".

At the end of these configurations, the resulting topology will be as shown in the graph below, with an interface Tunnel10 in router1, connected with a direct cable to Tunnel20 interface on Router 2 and allow the simulation of having a link dedicated to communicate via IPv6, this is a simple way to interconnect their networks for IPv6 testing.

Routing traffic through the tunnel 6over4

The next step now will allow routing from network 2800:20:20 :: 0/64 with the network 2800:10:10 :: 0/64. This is very simple, just simply turn on IPv6 routing and then add a route to reach the other network, the commands needed are:

Router1(config)#ipv6 route 2800:10:10::/64 2800:100:10::2
Router1(config)#ipv6 unicas-routing
Router2(config)#ipv6 route 2800:10:10::/64 2800:100:10::1
Router2(config)#ipv6 unicas-routing

GRE (Generic Router Encapsulation) is a protocol that can encapsulate a wide variety of different protocol types inside IP tunnels, creating a peer to peer network between two machines that are communicating by this protocol. Its main use is to create VPN tunnels. GRE is defined by RFC 1701, 1702 and 2784.

It is important to understand the need to make when configuring GRE tunnels, it could be difficult to manage if the number of them grows too. These tunneles turn out to be useful when you need to work with a protocol that is not routable as NetBIOS, or IP routable protocols other than through an IP network. Currently the use of GRE has become a major transition mechanisms for IPv6 network deployment. This means you can connect two IPv6 islands over IPv4 tunnel.

Configuring GRE Tunnels

Configure the GRE tunnel is in principle a relatively simple task, just define the start and destination addresses on both devices and create the tunnel interface. To run the example will use Cisco 2800 series routers, although it is possible to make a tunnel with a variety of equipment.

Router1#configure terminal 
Router1(config)#interface Tunnel10
Router1(config-if)#ip address 192.168.2.6 255.255.255.252
Router1(config-if)#tunnel source 154.54.6.5
Router1(config-if)#tunnel destination 206.167.13.198
Router1(config-if)#end
Router1#

On Router 2, you must create another tunnel interface, as Router 1, and associate the source and destination addresses.

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#interface Tunnel30
Router2(config-if)#ip address 192.168.2.5  255.255.255.252
Router2(config-if)#tunnel source 206.167.13.198
Router2(config-if)#tunnel destination 154.54.6.5
Router2(config-if)#end
Router2#

At the end of these configurations, the resulting topology will be as shown in the graph below, with an interface Tunnel10 in router1, connected with a direct cable to Tunnel30 interface on Router 2.


The next step now will allow routing from 172.16.2.0/24 to 172.16.3.0/24. In practice this is simple and does not hit the network performance, thus creating tunneles, can solve many problems of connectivity between remote sites without much complexity. The only thing that should be taken into account when creating the tunneles is no mistakes with the start addresses and destination.

Commands to configure static routing:

Router1(config)#ip route 172.16.3.0 255.255.255.0 tunnel 10 192.168.2.5
Router1(config-if)#end
Router2(config)#ip route 172.16.2.0 255.255.255.0 tunnel 30 192.168.2.6
Router2(config-if)#end

Selecting the type of tunnel to use

When you create a tunnel, usually do not specify the protocol to use, so that devices default, select the GRE protocol. However it is possible to define the protocol, by a single command, as shown below:

Router1(config)#interface Tunnel1
Router1(config-if)#tunnel mode ipip 

Ipip mode is the type of tunnel that allows IP packets encapsulated within another IP packet, very useful to allow communication between IPv6 networks through IPv4 networks. The process for selecting the protocol is simple and need to be configured on both sides of the tunnel, as defined ipip protocol can also select any of the following: AURP, Cayman, dvmrp, eon, gre ip, ip gre multipoint, ipip, iptalk.

In some cases, when you have more than one public IP address you may want to use dynamic allocation thereof to the local network computers can connect to the Internet. This is accomplished by configuring an IP address pool on the router that performs NAT.

The commands needed for this configuration are described below:

General configuration of NAT and public address pool

Configuring the interface f0/0 (Internet)

Configuring the interface f0/1 (Internal LAN)

This is similar to the configuration required for a dynamic NAT with a single public IP address, with the only difference that it allows external devices to see more than one IP address on your network.



In the above commands, you can identify how you create the pool of public IP addresses and then how it is assigned to the NAT configuration line. In this case is no longer necessary overload keyword.

In the basic configuration of NAT, all internal network computers will share the same IP address for the public interface. Cisco routers allow the NAT settings in a way quite simple.

General Configuration of NAT (Access Control List)
--------------------------------------------
Router#configure terminal
Router(config)#access-list 90 permit 192.168.1.0 0.0.0.255
Router(config)#access-list 90 permit 192.168.2.0 0.0.0.255
Router(config)#ip nat inside source list 90 interface Ethernet0/0 overload 

Configuring the Interface F1/0 (LAN 1)
--------------------------------------------
Router(config)#interface FastEthernet1/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit

Configuring the Interface F1/0 (LAN 2)
--------------------------------------------
Router(config)#interface FastEthernet1/1
Router(config-if)#ip address 192.168.2.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#exit


Configuring the Interface F0/0 (Internet)
--------------------------------------------
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 172.16.10.1 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#end
Router# 

In this example, the cisco router performs rewriting of the public IP address to all devices that are both internal networks (LAN1 and LAN2). When devices connect to computers on the Internet, they do appear with the IP address 172.16.10.1

The following command tells the router that will translate any address that matches the access control list 90. The router performs the translation of all devices with the address of the interface f0/0, or rather by the network interface connected to the public network.

Router(config)#ip nat inside source list 90 interface F0/0 overload

The overload keyword is not necessary to write because the router automatically configures the option.

The configuration or operation of NAT is confusing to some users because they usually relate to functions of a firewall.

Usually a router is restarted so that it executes this function immediately. However, sometimes it is necessary that it be reset at a certain time, long after writing the command. For example, if you need to reboot a router but is not allowed to carry out the process during the production period or during periods of high traffic, it would be interesting to use these options that are included in the IOS router.

Sometimes this is done when it is intended to provide an escape route to any configuration fails, you can restart the router to remove it. Here's how to remove or roll back a command to reload as scheduled.

The commands needed to instruct a router to restart in 20 minutes are:


The command "reload at" to specify the time and date in particular which should restart the router, it is very important to use a time reference valid and reliable to specify the time in routers to use this tool.


The command "reload in" to specify a reason or comment on the reason why it is performing the reset of the router.


If you have any reason to cancel the planned and reload a Cisco router, you can use some command options as "show reload" to see if there is a scheduled task and the command "reload cancel" to cancel the task is scheduled.

In environments of large networks is recommended to setup the router to use DNS to resolve computer names. Cisco routers enabled their default name resolution via DNS, but have not setup DNS server address used as the broadcast address (255.255.255.255) until you setup the DNS server address.


Subsequently, these commands can be accessed from the router to any computer through its name, if DNS servers do their jobs well.

For example, in case you want to do a simple test to www.yahoo.com:


The following command line is possible to identify the router sends a request to 172.16.1.10 DNS server and asks it to translate the name www.yahoo.com. The server responds with the IP address and then the ping will be held as usual.

The router will consult with both servers in order to make decisions. So that if the first server is not able to answer the request, then sends the request to the second server if the second server can not resolve the request, then the request fails:


For the information of the configured DNS servers, you can use the show hosts command:


The above command not only shows the DNS servers configured, also shows the domain name and DNS entries recently translated. The team names caches have been resolved recently. There is a difference between the domain names that the team learns the names dynamically and statically configured. The statically defined names are not deleted from the cache, while the dynamically learned are deleted after a certain period of time.

Defining a domain name on the router not only helps the team know your domain name, but also facilitates obtaining the domain names of the teams that are on your subnet, for example:


In doing so, you can use a classification such as ftp to reference the domain name server ftp.test.com. For organizations that use or possess more than one domain name, it is recommended to enter all names in the router:

Cisco includes an HTTP server in each router or switch, in the IOS. Some network administrators use this feature on the router to manage it remotely from any web browser instead of using Telnet to access the computer.

How to setup HTTP Server on Cisco Routers? Is as follows:


After configuring the HTTP server on the router you can access it from any web browser. In the above example, you can identify that you are allowing access to the router only from a computer IP address 172.16.2.10 due to the configuration of the access control list.

This option is available in the IOS from Version 11.2. However, according to some experts believe that the official version there were many security problems have been fixed in version 12.1 (5). It is not advisable to use the web server option in previous versions.

As security measures to this problem, we recommend a list of access control to ensure that only you can access from a well known team. The following lines explain that only you can access from the IP address 172.16.1.10 and then applied through the command ip http access-class.


Although set up access via the web is not so complicated, it is easier to access through a command line. It is not recommended to use this access to the router.

Router1#configure terminal
Router1(config)#cdp run
Router1(config-if)#exit
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no cdp enable
Router1(config-if)#exit
Router1(config)#interface FastEthernet1/0
Router1(config-if)#cdp enable
Router1(config-if)#end
Router1#

Router1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router2          Ser 0/0            179          R        2621      Ser 0/1
Switch1          Fas 1/0            152         T S       WS-C2960  F0/2
Router1#

Router1#show cdp neighbors detail
-------------------------
Device ID: Router2
Entry address(es):
  IP address: 10.1.1.2
Platform: cisco 2621,  Capabilities: Router
Interface: Serial0/0,  Port ID (outgoing port): Serial0/1
Holdtime : 136 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.2(13), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 19-Nov-02 22:27 by john

advertisement version: 2

Device ID: Switch1
Entry address(es):
  IP address: 172.25.1.4
Platform: WS-C2924,  Capabilities: Trans-Bridge Switch
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet0/12
Holdtime : 116 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC3b, RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 15-Feb-02 10:14 by john

advertisement version: 2
Duplex: full

Router1#

How to use a Cisco router as a tftp server

In some cases you can use a router to perform the functions of a tftp server, but it is necessary to take into account the functions performed by the computer and only use these tools or facilities where necessary.

One case where you can use this function when you need to update multiple routers via a slow link WAN or Internet as in a branch or remote site


In situations like this, it is possible to upgrade from a remote computers and then set it as TFTP server to upgrade the rest, so it is optimizing the use of slow network links. The necessary commands are:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin
Router1(config)#end
Router1#

It is important to know that this router a tftp server is not 100% functional, ie only works for file downloads, you can not use it to upload files. However, it is possible to use the tftp server to load than the IOS files and download files to non-cisco. It is also important to be aware that enable a new service like tftp involves security issues that could be exploited by an attacker.

Some authors recommend not to use tftp in routers, especially on computers that are connected to public networks, however you can use an access control list to prevent problems that jeopardize the security of the network.

Access control list used for the previous figure.

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 50 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 50 deny any
Router1(config)#tftp-server flash:c2600-ik9o3s-mz.122-12a.bin  50
Router1(config)#end
Router1#

This simple access control list allows all devices are on the 172.25.1.0/24 network to access the tftp server. As you can see, it is necessary to indicate the number of the access control list at the end of the tftp-server command. If you want to share more than one file from the server, you need to add more lines to the command tftp-server

As a special recommendation, it is suggested to activate this service for necessary, ie to complete the process of renovation is recommended to disable the service.

Delete the boot configuration of Cisco router

For some people this process would sound ridiculous, but there are some circumstances where you have to complete this process and return the router to its original factory settings. For those who are in this situation, I prepare this segment.

To make this process, you must delete the startup file and then restart the router.

Router1#erase nvram:
Erasing the nvram filesystem will remove all files! Continue? [confirm] [OK]
Erase of nvram: complete
Router1#reload

System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

You can get the same result by running the following command: erase startup-config

Router1#erase startup-config 
Erasing the nvram filesystem will remove all files! Continue? [confirm] [OK]
Erase of nvram: complete
Router1#reload
Proceed with reload? [confirm]

By using a router for a new feature, you should delete the old configuration and so it is certain that the router will have a cleaner setup. It needs to be absolutely sure that what you are doing, before entering the reload.

Once the router is rebooted, enter the configuration dialog mode, many experienced users avoid this configuration method.

If you accidentally delete the startup-config file, you can restore it while the router is restarted.

Router1#show startup-config
startup-config is not present
Router1#copy running-config startup-config
Building configuration...
[OK]
Router1#show startup-config 
version 12.2
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router1

If the startup-config file is deleted and the router is still error reset, no problem, for surely you already have a copy made ​​on a tftp server.

How to save a configuration file larger than that NVRAM available in Cisco router

Sometimes it is possible that the configuration file (running-config) so that it grows larger than the available space in nvram. It is possible to compress the router configuration file before burning it to nvram and then to decompress when required.

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service compress-config 
Router1(config)#end
Router1#

In most cases, Cisco routers equipped with enough NVRAM to save files of average size, however, some devices may configuration files grows so large that you can not save directly.

This could be a serious problem because at the time that the router is unable to save the settings in the NVRAM, it means that the router can not keep a copy of your configuration when restarted. It is not possible to know exactly which part of the configuration would be lost if it is restarted.

An alternative solution before going out to buy more memory NVRAM, would turn the compression option on the router with the command "service compress-config" from a terminal. Once this is necessary to file a copy of the NVRAM settings.

Router1#copy running-config startup-config 

Destination filename [startup-config]?
Building configuration... 
Compressed configuration from 9664 bytes to 4903 bytes[OK] 
Router1#

In this example we can see that the compression has reduced the configuration file to a little less than half the original size. In this case it was possible to save the file, however there will be cases in which compression is not yet sufficient to make the copy of the file so you need to check with how much NVRAM memory your router is equipped with the show version command and analyze option to buy more memory.

Router#show version 
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.

System returned to ROM by power-on
System image file is "c2800nm-advipservicesk9-mz.124-15.T1.bin"

cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
239K bytes of NVRAM.
62720K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102

This router is equipped with a capacity of 239Kbytes of NVRAM. It is possible to identify the amount of NVRAM used by the show startup-config command as shown below.

Router1#show startup-config 
Using 463 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption

Copy running-config file of Cisco router to tftp server

We regularly need to backup the configuration of a router in a safe place to minimize the impact should there be any software or hardware failure of the router, if this happens the computer's configuration will be lost. Anyone who has made the complex configuration of a router, you can tell how hard it is to remember everything that was previously configured.

It is more easy to make a backup and then, changing only the damaged device would have to copy back the saved settings. This allows the response time would be much lower failure and thus result in better employee performance.

Cisco believes that the average time between failures (MTBF Mean Time Before Failure) is approximately 15 years, but in a network infrastructure large enough, indicating that failures could be expected at least a few per year, not including possible failures caused by human manipulation.


In this image you can identify the basic connection between a router and a TFTP server, both are configured on the same network 172.16.1.0/24. However, it is possible to make this process even when the server is not on the same network segment.

Router1>enable 
Password: 
Router1#copy running-config tftp://172.16.1.1/router1-confg 
Address or name of remote host [172.25.1.1]? 
Destination filename [router1-confg]? 
!!! 
9640 bytes copied in 3.956 secs (2437 bytes/sec) 
Router1#

As can be seen, it's easy to back a file from a router to a tftp server, however this is not the only thing that can be done with the following command lines can be displayed from a router's configuration in tftp server.

Router1#more tftp://172.16.1.1/router1-confg

!
! Last configuration change at 11:23:59 EST Sat Jan 11 2003 by paulpierce 
! NVRAM config last updated at 00:37:16 EST Sat Jan 11 2003 by paulpierce
!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router1