Router Functions and Configurations- WSEC

 

Wireless security can be further enhanced through the judicious use of routers. Routers manage data traffic most effectively by filtering data transmissions and limiting the broadcast domain that data packets can travel to and from. Although wireless access points can filter frame traffic (by MAC address) at layer 2, routers manage traffic flow even more effectively at layer 3. Understanding how routers route data packets over a local area network (LAN) and how basic configurations are made is therefore important to WSEC. You will need an understanding of the OSI network model and of router functioning at OSI layer 3 (the network layer) to make full use of this information.

 

OVERVIEW:

Router Memory functions

Routers have various memory locations where configuration command files are stored (temporarily or permanently), and where the router’s operating system (IOS) is located. This memory is of two types: volatile and non-volatile (volatile means the information is lost when the router is turned off or rebooted).

Our LAN diagram is shown below (the oval-shaped objects are the routers).

Wireless access points (APs) would connect to the switches (rectangular-shaped objects).

 

 

Router operating modes (access)

 

We are using the MS HYPERTERMINAL application to establish a separate console session on each of the two routers that form the LAN (see diagram). This is done to configure each router. Once you cable and power up each router (and its attached switch), you will need to wait a few minutes for the router to run diagnostics and load the IOS and STARTUP CONFIGURATION into RAM. DO NOT USE SETUP configuration mode, as you must learn the router CLI commands shown below. You will not need to configure the switches; just cable them correctly and then power them up. Each workstation will be used both as a console (via the serial port) and as a LAN device (via its NIC).

 

USER mode- Only allows for viewing the router's basic configuration (show commands). This is the mode the router starts in when it finishes the bootup process (which may take several minutes). To go from USER to PRIVILEGED mode, type the enable command at the USER mode prompt.

Router>                 (USER mode indicated)

Router>enable     (type in “enable”, then press the ENTER keyboard key)

Router#                 (you are now in PRIVILEGED mode)

 

PRIVILEGED mode- Allows for viewing the entire router configuration, and to make changes. You will use this mode most of the time. Use the DISABLE command to return to USER mode.

Example PRIVILEGED mode prompt:

Router#

Router# disable

Router>

Basic router commands: configuring Ethernet and serial interfaces, setting the hostname, installing and testing a ROUTING protocol, using the PING utility to test connectivity once the router is configured and cabled, and saving the configuration(s). After each command is typed, press the ENTER key to install that command into the RUNNING CONFIGURATION (RAM). Do not place a SPACE after the command prompt. Remember to save the RUNNING CONFIGURATION (this replaces the STARTUP CONFIGURATION in NVRAM) before you reload or shut down the router.

 

 

 

To configure an Ethernet router interface with a suitable IP host address and subnet mask, use the commands below. We are giving the e0 router interface an address of 192.168.1.1, which is on the 192.168.1.0 sub-network (as specified by the subnet mask 255.255.255.0). Follow the network diagram provided.

 

Router>

Router> enable                          (router goes to PRIVILEGED  mode- to allow changes)

Router#

Router# config terminal            (you can now configure the router)

Router(config)#

Router(config)# interface e0      (to configure the first ethernet interface e0 on the router)

Router(config-if)#

Router(config-if)# ip address 192.168.1.1 255.255.255.0     (sets a host IP address on e0)

Router(config-if)#

Router(config-if)# no shutdown        (enables the interface, default is shutdown)

Router(config-if)#

Router(config-if)# exit       (drops you back down one sub-mode step)

Router(config)#

Router(config)# exit       (drops you back to PRIVILEGED mode)

Router#

Router# disable         (drops down to USER mode)

Router>

 

To configure a SERIAL interface (s0, s1, etc.), follow steps similar to those for an Ethernet interface (above), but add the following command on the DCE serial interface (not on the DTE interface at the other end):

 

Router(config-if)# clock rate 4000000         (this sets a 4Mbps data rate on the serial interface).

 

Additional NOTES:

 

ROUTER1(config-if)# clock rate ?  (shows a list of all serial data rates available)

 

 

 

 

 

 

 

 

 

Hostname configuration -- you name each router. You will name one router ROUTER1 and the other router ROUTER2 using the procedure below:

 

Router> (the “Router” hostname is the default. To change it press enter to proceed)

Router> enable

Router#

Router# config terminal 

Router(config)#

Router(config)# hostname ROUTER1

ROUTER1(config)#

ROUTER1(config)# exit

ROUTER1#

ROUTER1# exit

ROUTER1>

 

To install a ROUTING protocol (We will use “RIP”, but several others are also available).

 

ROUTER1>

ROUTER1> enable

ROUTER1#

ROUTER1# config terminal 

ROUTER1(config)#

ROUTER1(config)# router rip

ROUTER1(config-router)# network  xxxxx  (type separately each network address - not hosts)

ROUTER1(config-router)#

ROUTER1(config-router)# network  xxxxx  

ROUTER1(config-router)#

ROUTER1(config-router)# network  xxxxx  

ROUTER1(config-router)# exit  (drops you back down one sub-mode step)

ROUTER1(config)#

ROUTER1(config)# exit  (drops you back to PRIVILEGED mode)

ROUTER1#

ROUTER1# disable (drops down to USER mode)

ROUTER1>

 

To check out a router’s ROUTING TABLE (running within RAM) once a group of routers are configured and cabled correctly, and a Routing Protocol is configured correctly:

 

ROUTER1>

ROUTER1> enable

ROUTER1#

ROUTER1# show ip route   (table of IP network-to-interface should appear for each network)

 

Router testing & troubleshooting (mandatory for all students)

 

You must have all devices (routers, switches, workstations) properly configured and powered up before you test your configurations and cabling. To test the interface configurations, connectivity, and cabling (best for end-to-end testing):

PING command

 

ROUTER1>

ROUTER1> enable

ROUTER1#

ROUTER1# ping 192.168.X.X  (pings a router’s interface or a configured workstation NIC)

You should receive a reply message stating: Success !!!!! 100%.

 

Ensure your entire configuration is valid by “pinging” each interface (host ip address) from both ends of the LAN (from each router console and from each workstation to each router interface). Remember you must have an active switch connected to each router Ethernet interface in order to activate the interface. Have someone else double check your configurations by pinging the interfaces. Troubleshoot as required to get everything working.

 

NOTE: Workstations must be configured and cabled correctly in order to ping to or from them. The configuration procedure for a workstation is as follows:

Start- Settings- Network connections- Local area connections- Properties- Internet Protocol (TCP/IP) – Properties- Use the Following IP address (then key in the IP host address and subnet mask for that particular workstation)- click OK

 

 

To prevent interruptions as you configure the router, install these optional commands:

 

ROUTER1>

ROUTER1> enable

ROUTER1#

ROUTER1# config terminal 

ROUTER1(config)#

ROUTER1(config)# no ip domain-lookup          (stops the router from trying to resolve mistyped commands as hostnames)

ROUTER1(config)#

ROUTER1(config)# line con 0

ROUTER1(config-line)#   

ROUTER1(config-line)# logging sync          (keeps console messages from breaking up the command you are typing)

ROUTER1(config-line)#   

ROUTER1(config-line)# exec-timeout 0 0          (disables the console idle timeout; put a space between the zeros)

ROUTER1(config-line)#   

ROUTER1(config-line)# exit 

ROUTER1(config)#

ROUTER1(config)# exit  (drops you back to PRIVILEGED mode)

ROUTER1#

ROUTER1# disable (drops down to USER mode)

ROUTER1>

 

 

Save the Configuration(s)- Copy Running Configuration to Startup Configuration

 

ROUTER1>

ROUTER1> enable

ROUTER1#

ROUTER1# copy run start  

ROUTER1#

ROUTER1# disable (drops down to USER mode)

ROUTER1>

 

Additional Router commands

 

 

LOOPBACK interface

Used to create a virtual router interface (testing, etc)

 

To configure a LOOPBACK interface on a router, install the following commands:

 

Router>

Router>enable

Router#

Router#config terminal

Router(config)#

Router(config)#int loopback0        (creates a loopback virtual interface “0” on the router)

Router(config-if)#

Router(config-if)#ip address (see below) 255.255.255.0     (assigns host IP address to interface)

Router(config-if)#

Router(config-if)#no shutdown        (turns on the interface)

Router(config-if)#

Router(config-if)#exit

Router(config)#

Router(config)#exit

Router#

Router#disable

Router>

 

Set up a LOOPBACK interface on ROUTER1. Use the IP address 192.168.4.1 and subnet mask 255.255.255.0. In order to ping the LOOPBACK interface, you will need to add the 192.168.4.0 network to each router's RIP list of networks so each router can “learn” the route to the LOOPBACK (see ROUTING protocol section).

 

 

 

IP HTTP Server

IP HTTP Server is used to provide a GUI that facilitates router configuration using a console’s browser. The GUI consists of a master menu, and sub-menu http links. These links allow router configuration. Can ALL router commands be instituted via IP HTTP Service? Explain.

 

To configure IP HTTP Server on a router:

 

Router>

Router>enable

Router#

Router#config terminal

Router(config)#

Router(config)#ip http server

Router(config)#

Router(config)#exit

Router#

Router#disable

Router>

 

TELNET  

 

Telnet allows for remote administration (testing and configuration). You can TELNET router-to-router, workstation-router, and/or workstation-workstation. All network devices must be correctly configured for TELNET to work. Use “password” for all passwords.

To configure:

1. Install ENABLE password on each router

2. Install a CONSOLE password on each router

3. Configure a TELNET password on each router

 

ENABLE Password

Router>

Router> enable

Router#

Router# config t

Router(config)#

Router(config)# enable password _____________     (use password as the password; it is stored in clear text in the configuration)

Router(config)#

Router(config)# exit

Router#

 

CONSOLE Password

Router#

Router# config t

Router(config)#

Router(config)# line con 0

Router(config-line)#

Router(config-line)# login

Router(config-line)#

Router(config-line)# password _____________       (use password as the password)

Router(config-line)#

Router(config-line)# exit

Router(config)#

Router(config)# exit

Router#

 

TELNET Password

Router#

Router# config t

Router(config)#

Router(config)# line vty 0 4    (space between the zero and the 4)

Router(config-line)#

Router(config-line)# login

Router(config-line)#

Router(config-line)# password _____________       (use password as the password)

Router(config-line)#

Router(config-line)# exit

Router(config)#

Router(config)# exit

Router#

Router# disable

Router>

 

 

DON’T FORGET TO SAVE YOUR CONFIGURATIONS (see above) or else you will have to do it all over again !!!  Use the copy run start command.
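
The lab settings above (clear-text enable, console and TELNET passwords, IP HTTP Server, and exec-timeout 0 0) are conveniences for the bench and should be found and removed before a router goes into service. The Python audit below is an added example, not part of the original handout; the sample configuration is constructed, the rule names are illustrative, and it assumes a vty line is restricted to SSH only when "transport input ssh" appears under it.

```python
import re

# Constructed sample of the config this lab produces (not from a real device).
SAMPLE = """\
enable password password
ip http server
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
line con 0
 exec-timeout 0 0
 password password
 login
line vty 0 4
 password password
 login
"""

def parse_sections(config):
    """Map each top-level command to its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return (location, rule, advice) findings for the lab-only settings."""
    findings = []
    for top, subs in parse_sections(config).items():
        if re.match(r"enable password\b", top):
            findings.append(("global", "cleartext-enable", "use 'enable secret'"))
        if top == "ip http server":
            findings.append(("global", "http-server", "use 'no ip http server'"))
        if not top.startswith("line "):
            continue
        if "exec-timeout 0 0" in subs:
            findings.append((top, "no-idle-timeout", "set e.g. 'exec-timeout 10 0'"))
        # A 'password <text>' without the type-7 marker is stored in clear text.
        if any(re.match(r"password (?!7 )\S", s) for s in subs):
            findings.append((top, "cleartext-line-password", "use 'login local' with 'username ... secret'"))
        if top.startswith("line vty") and "transport input ssh" not in subs:
            findings.append((top, "vty-not-ssh-only", "add 'transport input ssh'"))
    return findings
```

Run audit() over the text of "show running-config" saved from the console session; an empty list means none of these lab settings remain.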