
Chapter Three: Router and Switch

Basic configuration
Connecting to a Device
To configure a Cisco device, verify its configuration, or check its statistics, you first need to connect to it. There are several ways to do this:
1. The first place you would usually connect to is the console port. The console port is usually an RJ45, 8-pin modular connection located at the back of the device, and there may or may not be a password set on it by default.
2. The second way is an auxiliary port, which is really the same thing as a console port. The main difference with an auxiliary port is that it also allows you to configure modem commands so that a modem can be connected to the router. It also lets you dial up a remote router and attach to the auxiliary port if the router is down and you need to configure it remotely, out-of-band. One of the differences between Cisco routers and switches is that switches do not have an auxiliary port.
3. The third way to connect to a Cisco device is in-band, through the program Telnet or Secure Shell (SSH). In-band means configuring the device via the network, the opposite of out-of-band.
Starting a router or switch
1. It runs a power-on self-test (POST).
2. It loads the IOS from flash memory and expands it into RAM.
3. It loads a valid configuration (startup-config) stored in nonvolatile RAM (NVRAM).
4. The startup-config is copied from NVRAM into RAM and from then on referred to as the running-config.
5. If a valid startup-config isn't found in NVRAM, the device enters setup mode.

Passwords
There are five passwords needed to secure Cisco routers: console, auxiliary, telnet/SSH (VTY), enable password, and enable secret. The enable secret and enable password are the ones used to set the password securing privileged mode. Once the enable commands are set, users are prompted for a password. The other three are used to configure a password when user mode is accessed through the console port, through the auxiliary port, or via Telnet.
Enable Password
wkuRouter(config)#enable password 123@321
Enable Secret
wkuRouter(config)#enable secret 123@321
Console Password
wkuRouter(config)#line console 0
wkuRouter(config-line)#password 123@321
wkuRouter(config-line)#login
Telnet Password
wkuRouter(config)#line vty 0 15
wkuRouter(config-line)#password 123@321
wkuRouter(config-line)#login
Auxiliary Password
wkuRouter(config)#line aux 0
wkuRouter(config-line)#password 123@321
wkuRouter(config-line)#login
Wildcard masks
Wildcards are used with access lists to specify an individual host, a network, or a specific range of networks, expressed in block sizes. The block sizes available are 64, 32, 16, 8, and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs.
- To specify 34 networks, you need a block size of 64.
- To specify 18 hosts, you need a block size of 32.
- To specify only 2 networks, go with a block size of 4.
Wildcards are used with the host or network address to tell the router the range of addresses to filter.

To specify a host, the address would look like this: 10.100.5.3 0.0.0.0. The four zeros represent each octet of the address.
- A zero indicates that the octet in the address must exactly match the corresponding reference octet.
- The number 255 indicates that the octet can be any value.
Example:
- To specify a /24 subnet with a wildcard mask: 10.100.5.0 0.0.0.255. This tells the router to match the first three octets exactly, but the fourth octet can be any value.
If you want to specify only a small range of subnets, you must express the range as a block size, so you can't choose to specify 20 networks. You can only specify the exact amount that a block-size value allows, which means the range has to be either 16 or 32, but not 20.
Example 1:
- To block access to the part of the network that ranges from 10.100.5.0 through 10.100.10.255:
- You would go with a block size of 8.
- Your network number would be 10.100.5.0.
- The wildcard would be 0.0.7.255. The 7.255 is the value the router uses to determine the block size.
- The network number and the wildcard tell the router to begin at 10.100.5.0 and go up a block size of eight addresses to network 10.100.5.0.
All you need to remember is that the wildcard is always one less than the block size. So, if the block size is 8, the wildcard is 7, and if you use a block size of 16, the wildcard is 15.
Example 2:
- To configure a router to cover the networks from 10.100.16.0 through 10.100.19.255:
- Use a block size of 4.
- Your network number would be 10.100.16.0.
- The wildcard would be 0.0.3.255.
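A worked version of the block-size rule, added here as an example and not part of the chapter: given the first and last address of a range, it picks the next-largest block, derives the wildcard (block size minus one), and then tests addresses bitwise the way the router does. The bitwise test exposes something the rule of thumb does not show: a wildcard matches a block aligned to its size, so the network number must be a multiple of the block size. Example 2 above (10.100.16.0 with 0.0.3.255) is aligned; Example 1's 10.100.5.0 with 0.0.7.255 is not, and the router would actually match 10.100.0.0 through 10.100.7.255. The input ranges are the chapter's own; the function and variable names are assumptions.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def chapter_block_size(wildcard):
    """Block size in the chapter's units: the first non-255 wildcard octet,
    counted from the right, plus one (0.0.7.255 -> 8 networks, 0.0.0.0 -> 1 host)."""
    for octet in reversed(wildcard.split(".")):
        if octet != "255":
            return int(octet) + 1
    return 256  # wildcard 255.255.255.255 is the IOS keyword "any"


def wildcard_for_range(first, last):
    """Network number and wildcard mask covering first..last using the
    next-largest power-of-two block, plus an alignment check."""
    start, end = _to_int(first), _to_int(last)
    span = end - start + 1
    block = 1 << (span - 1).bit_length()  # next-largest block: 1, 2, 4, 8, ... addresses
    wildcard = block - 1                  # the wildcard is always one less than the block
    wildcard_str = _to_str(wildcard)
    aligned = start % block == 0          # the router can only match a block on its boundary
    effective_start = start & ~wildcard   # what the router really matches: the aligned block
    return {
        "network": first,
        "wildcard": wildcard_str,
        "block_size": chapter_block_size(wildcard_str),
        "aligned": aligned,
        "effective_range": (_to_str(effective_start), _to_str(effective_start | wildcard)),
    }


def wildcard_matches(addr, network, wildcard):
    """The bitwise test the router applies: every bit that is 0 in the wildcard must match."""
    return (_to_int(addr) ^ _to_int(network)) & ~_to_int(wildcard) == 0


if __name__ == "__main__":
    for first, last in (("10.100.5.3", "10.100.5.3"),      # a single host
                        ("10.100.16.0", "10.100.19.255"),  # Example 2 (aligned)
                        ("10.100.5.0", "10.100.10.255")):  # Example 1 (not aligned)
        print(first, "-", last, wildcard_for_range(first, last))
    print(wildcard_matches("10.100.9.7", "10.100.5.0", "0.0.7.255"))  # False
```

Running it shows that 10.100.9.7 is not matched by 10.100.5.0 0.0.7.255 even though 9 lies between 5 and 10; the aligned block 10.100.8.0 0.0.7.255 would be needed for that half of the range.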
Exercise:
Specify the range of addresses, the wildcard mask, and the block size for each of the following IP address ranges:
1. 172.16.0.0/16 - 172.29.0.0/16
2. 192.168.6.0/24 - 192.168.12.0/24
3. 10.10.0.0 - 10.16.255.255
Access Control Lists
An access list is a list of conditions that categorize packets; it is used when you need to exercise control over network traffic. An ACL can be used to:
- Filter unwanted packets when implementing security policies (for example, allow only certain hosts to access web resources on the Internet while restricting others).
- Enforce nearly any security policy.
Access-list statements are basically packet filters: packets are compared against them, categorized by them, and acted upon accordingly.
Creating access lists is like programming a series of if ... then statements. If a given condition is met, then an action is taken; otherwise nothing happens and the next statement is evaluated.
- Once the lists are built, they can be applied to either inbound or outbound traffic on any interface.
- Applying an access list causes the router to analyze every packet crossing that interface in the given direction and take the appropriate action.
There are three important rules that a packet follows when it is being compared with an access list:
1. The packet is always compared with each line of the access list in sequential order; it always starts with the first line of the access list.
2. The packet is compared with lines of the access list only until a match is made. Once a matching condition is found, the packet is acted upon and no further comparisons take place.
3. There is an implicit "deny" at the end of each access list. Therefore, if a packet doesn't match any listed condition, it is discarded.
There are two main types of access lists:
- Standard access lists: use only the source IP address in an IP packet as the condition test. They permit or deny an entire suite of protocols.
- Extended access lists: can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number in the Transport layer header. They can make much finer-grained decisions when controlling traffic.
Once an access list is created, you need to apply it to an interface on the router or switch where you want the traffic filtered, and you need to specify which direction of traffic you want the access list applied to. These directions are:
- Inbound access lists: applied to packets arriving on an interface; the packets are processed before being routed to the outbound interface. Any packets that are denied won't be routed, because they are discarded before routing.
- Outbound access lists: applied to packets leaving an interface; the packets are routed to the outbound interface first and then processed through the access list.
Access-list guidelines:
i. Assign only one access list per interface, per protocol, per direction. That means an interface can have only one inbound access list and one outbound access list for each protocol.
ii. More specific tests should be at the top.
iii. A new entry added to the access list is placed at the bottom of the list.
iv. You can't remove a single line from an access list. It's best to copy the access list to a text editor before trying to edit the list.
v. All packets are discarded if they do not meet any of the tests, unless the access list ends with a permit any command.
vi. An access list applied to an interface without access-list test statements will not filter traffic.
vii. Access lists will not filter traffic that originated from the router. They are designed to filter traffic going through the router.
viii. Place standard access lists as close to the destination as possible.
ix. Place extended access lists as close to the source as possible.
Access list type is generally differentiated by number. Standard access lists are created using the access-list numbers 1–99 or numbers in the expanded range 1300–1999.
Syntax used when creating a standard IP access list:
wkuRouter(config)#access-list 10 ?
deny - Specify packets to reject
permit - Specify packets to forward
remark - Access list entry comment
wkuRouter(config)# access-list 10 deny ?
any - IP address to specify either a single host or a range of them.
host - A command to specify a specific host address.
wkuRouter(config)# access-list 10 deny host 10.10.25.100
Using an access list with a wildcard mask:
wkuRouter(config)# access-list 10 deny 10.10.25.0 0.0.0.255 - tells the router to match the first three octets exactly, but the last octet can be anything.
wkuRouter(config)# access-list 10 deny 10.10.0.0 0.0.255.255 - tells the router to match the first two octets exactly; the last two octets can be anything.
Example:
Based on the design shown in the figure, let's deny users on the HRM LAN access to the Registrar LAN, while still allowing them access to the Internet and the other LANs.
wkuRouter(config)# access-list 10 deny 10.10.30.0 0.0.0.255
wkuRouter(config)# access-list 10 permit any
The next step is applying the access list, and the best place to apply it is the Gigabit interface (Gig0/1) of the HRM department, as an outbound list:
wkuRouter(config)# interface GigabitEthernet0/1
wkuRouter(config-if)# ip access-group 10 out

Exercise:
1. Write a standard access list that denies the Registrar LAN access to both the HRM and Finance networks.
2. Write a standard access list that denies the Finance LAN access to HRM and the Internet.
3. Write a standard access list that denies the Registrar LAN access to the Internet.
Extended Access List
Extended ACLs allow specifying source and destination addresses as well as the protocol and port number that identify the upper-layer protocol or application. They effectively allow users access to a physical LAN while denying them access to specific hosts and services. Extended access lists use the number range 100 to 199 as well as the expanded range 2000 to 2699.
Example:
wkuRouter(config)#access-list 110 deny tcp any host 10.10.30.2 eq 23 log
tcp - the protocol; the specific destination TCP port is given at the end of the line
any - source address
10.10.30.2 - specific destination address
eq - "equal to"; entered as eq to specify the service (port) to deny
23 - block Telnet (port 23) to host 10.10.30.2
log - log a message every time the access list entry is hit
In summary, this access-list entry denies any source host trying to telnet to destination host 10.10.30.2.
Example:
To deny access to the host at 10.10.20.2 on the HRM department LAN for both Telnet and SSH, while all other services on this and other hosts remain accessible to the Registrar and Finance LANs:
wkuRouter(config)#access-list 120 deny tcp any host 10.10.20.2 eq 22
wkuRouter(config)#access-list 120 deny tcp any host 10.10.20.2 eq 23
wkuRouter(config)#access-list 120 permit ip any any
The next step is to apply the list to interface Gig0/1 to block all outside SSH and Telnet access to host 10.10.20.2:
wkuRouter(config)#interface gigabitEthernet 0/1
wkuRouter(config-if)#ip access-group 120 out
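To make the three matching rules and the inbound/outbound distinction concrete, here is a small evaluator, added as an example; it is not the chapter's own code and not how IOS is implemented. It encodes the chapter's standard list 10 and extended list 120 and runs constructed packets through them: comparison is top-down, stops at the first match, and falls through to the implicit deny. The filter_through_router function applies the inbound list before routing and the outbound list after it, and, as guideline vi says, a list with no statements filters nothing. All names, the sample packets, and the assumption that 10.10.30.0/24 is the Registrar LAN are mine, not the chapter's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Spec = Tuple[str, str]                      # (network, wildcard), as the ACL syntax writes them
ANY: Spec = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any": every bit may vary


def host(addr: str) -> Spec:
    """IOS keyword "host": every bit must match (wildcard 0.0.0.0)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, spec: Spec) -> bool:
    network, wildcard = spec
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a ^ n) & ~w == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", ...; "ip" when the protocol is not of interest
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: Spec
    proto: str = "ip"            # a standard entry tests only src, so it keeps "ip" and dst=ANY
    dst: Spec = ANY
    eq: Optional[int] = None     # the "eq <port>" keyword: destination port must equal this
    log: bool = False            # the "log" keyword: record each hit

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.eq is not None and pkt.dport != self.eq:
            return False
        return wildcard_match(pkt.src, self.src) and wildcard_match(pkt.dst, self.dst)


def evaluate(acl, pkt: Packet):
    """The chapter's three rules: top-down, stop at the first match, implicit deny at the end.
    Returns (action, 1-based line of the matching entry, or None for the implicit deny)."""
    for line, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, line
    return "deny", None


def filter_through_router(pkt: Packet, inbound_acl, outbound_acl) -> str:
    """The inbound list on the arrival interface is checked before routing; a denied packet
    never reaches the outbound interface. The outbound list runs only after routing."""
    for direction, acl in (("in", inbound_acl), ("out", outbound_acl)):
        if not acl:                 # no list, or a list without test statements: nothing filtered
            continue
        action, line = evaluate(acl, pkt)
        if action == "deny":
            where = f"entry {line}" if line else "implicit deny"
            return f"dropped by {direction} list ({where})"
    return "forwarded"


# The chapter's two lists, both applied outbound on Gig0/1 (the HRM LAN side).
ACL_10 = [
    Entry("deny", ("10.10.30.0", "0.0.0.255")),
    Entry("permit", ANY),
]
ACL_120 = [
    Entry("deny", ANY, proto="tcp", dst=host("10.10.20.2"), eq=22),
    Entry("deny", ANY, proto="tcp", dst=host("10.10.20.2"), eq=23),
    Entry("permit", ANY, proto="ip", dst=ANY),
]

if __name__ == "__main__":
    # Constructed sample packets; 10.10.30.0/24 is taken to be the Registrar LAN.
    print(evaluate(ACL_10, Packet("10.10.30.7", "10.10.20.5")))               # ('deny', 1)
    print(evaluate(ACL_10, Packet("10.10.40.7", "10.10.20.5")))               # ('permit', 2)
    print(evaluate(ACL_120, Packet("203.0.113.9", "10.10.20.2", "tcp", 23)))  # ('deny', 2)
    print(evaluate(ACL_120, Packet("203.0.113.9", "10.10.20.2", "tcp", 80)))  # ('permit', 3)
    print(filter_through_router(Packet("10.10.30.7", "10.10.20.5"), None, ACL_10))
```

Note what the standard list actually keys on: ACL 10 on the HRM interface drops packets whose source is the Registrar LAN, which is why a standard list belongs close to the destination. The extended list can name the destination host and port, so it can sit close to the source and still only touch the two services it names.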

Exercise:
1. Write an access list that prevents Telnet access to the Finance and Registrar networks attached to the Gig0/0 and Gig0/2 interfaces.
2. Write an access list that denies HTTP and DNS access to the HRM and Registrar networks.
3. Write an access list that prevents SSH access from the HRM network to the Registrar network.
4. Assume you have identified that some unknown users are frequently trying to log in to the Registrar network through remote connections, which is completely forbidden, while the reverse is allowed. Write an access list that prevents the Registrar network from being accessed by remote login.

Remote access
Setting Up Secure Shell (SSH)
Using Secure Shell (SSH) is better than Telnet because it creates a more secure session. The Telnet application uses an unencrypted data stream, but SSH uses encryption keys to send data, so the username and password aren't sent as cleartext.
To set up SSH:
1. Set the hostname: Router(config)#hostname wkuRouter
2. Set the domain name: wkuRouter(config)#ip domain-name wku.edu.et
3. Set a username to allow SSH client access: wkuRouter(config)#username wku password myPassword
4. Generate the encryption keys for securing the session: wkuRouter(config)# crypto key generate rsa
5. Enable SSH version 2: wkuRouter(config)#ip ssh version 2
6. Connect to the VTY lines of the switch or router: wkuRouter(config)#line vty 0 15
7. Tell the lines to use the local database for passwords: wkuRouter(config-line)#login local
8. Configure the access protocols: wkuRouter(config-line)# transport input ssh telnet
Note:
* If the keyword telnet is not used at the end of the command, only SSH will work.
* Both the hostname and the domain name are required for the encryption keys to be generated.
Logging with syslog usage
System messages from a switch's or router's internal buffer help you see what's going on in a network at a particular time. Logging messages to a syslog server stores the messages and can even time-stamp and sequence them.
Syslog allows sorting, searching and displaying messages, which makes it a really great troubleshooting tool. The search feature lets you use keywords and even severity levels. The server can email admins based on the severity level of the message.
Network devices can be configured to generate syslog messages and forward them to various destinations. These are the popular ways to gather messages from devices:
- Logging buffer
- Console line
- Terminal lines
- Syslog server
Syslog server message format:
Seq no: timestamp: %facility-severity-MNEMONIC: description
- Seq no - Logs messages with a sequence number (shown only if configured).
- Timestamp - Date and time of the message or event (shown only if configured).
- Facility - The facility to which the message refers.
- Severity - A single-digit code from 0 to 7 that indicates the severity of the message.
- MNEMONIC - Text string that uniquely describes the message.
- Description - Text string containing detailed information about the event being reported.
Severity   Level Name      Explanation
0          Emergency       System is unusable
1          Alert           Immediate action is needed
2          Critical        Critical condition
3          Error           Error condition
4          Warning         Warning condition
5          Notification    Normal but significant condition
6          Informational   Normal information message
7          Debugging       Debugging message
Table: Severity Levels
Enabling the console and the buffer to receive log messages of all severities (these are actually the default configurations):
wkuRouter(config)#logging console
wkuRouter(config)#logging buffered
To disable the defaults, use the following commands:
wkuRouter(config)#no logging console
wkuRouter(config)#no logging buffered
To see the buffer (from privileged EXEC mode):
wkuRouter#show logging
Configuring a device to send messages to a syslog server:
wkuRouter(config)#logging 172.16.10.1
wkuRouter(config)#logging informational
Limit the messages sent to the syslog server, based on severity:
wkuRouter(config)#logging trap informational
To configure the router to use sequence numbers:
wkuRouter(config)#no service timestamps
wkuRouter(config)#service sequence-numbers
wkuRouter(config)#^Z (end of configuration and exit to privileged EXEC mode)
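The message format and the severity table above, turned into a small parser, added here as an example and not the chapter's code. It splits messages of the form Seq no: timestamp: %facility-severity-MNEMONIC: description, treating the sequence number and timestamp as optional because they appear only when configured, and then filters a batch the way logging trap <level> does, keeping only messages at the configured severity or more severe. The sample lines are constructed for the example and the function names are mine; the level keywords are the ones IOS accepts with logging trap.

```python
import re

# IOS severity keywords (as used with "logging trap <level>") mapped to the
# chapter's 0-7 codes; a lower number is more severe.
LEVEL_BY_KEYWORD = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
SEVERITY_NAME = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                 4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

# "Seq no: timestamp: %facility-severity-MNEMONIC: description"; the first two
# fields are optional because they are present only when configured.
SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"          # sequence number, if service sequence-numbers is on
    r"(?:(?P<timestamp>[^%]+?): )?"  # timestamp, if service timestamps is on
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


def parse_syslog(line):
    """Split one IOS-format message into its fields; None if the line is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAME[fields["severity"]]
    return fields


def messages_sent_to_server(lines, trap_keyword):
    """Simulate 'logging trap <keyword>': only messages at that severity or more
    severe (numerically lower or equal) are forwarded to the syslog server."""
    limit = LEVEL_BY_KEYWORD[trap_keyword]
    parsed = (parse_syslog(line) for line in lines)
    return [msg for msg in parsed if msg and msg["severity"] <= limit]


# Constructed sample lines in the chapter's format (not captured from a real device).
SAMPLE_LINES = [
    "000123: *Mar  1 18:46:11.823: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000124: *Mar  1 18:46:12.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000125: *Mar  1 18:47:02.440: %SYS-5-CONFIG_I: Configured from console by wku on vty0 (10.10.30.7)",
    "000126: *Mar  1 18:47:30.004: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: wku): constructed sample",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    for keyword in ("informational", "warnings"):
        print(keyword, [m["mnemonic"] for m in messages_sent_to_server(SAMPLE_LINES, keyword)])
```

With the trap level at informational, the debugging-level line is the only one that never reaches the server; at warnings, only the link failure and the failed login survive, which is the kind of narrowing you would want before pointing the server's email alerting at a severity level.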
