
1 bill@napier, 2002 http://www.soc.napier.ac.uk/~bill/nos.html
Networking Operating Systems (CO32010)
1. Operating Systems
2. Processes and scheduling
3. Distributed processing
4. Distributed file systems
5. Routing protocols
6. Routers
7. Encryption
8. NT, UNIX and NetWare

6.1 Introduction
6.2 Router configuration and startup
6.3 Router commands
6.4 Access Control Lists (ACLs)
6.5 Exercises
6.6 Cisco router commands

Objectives:
- To outline the main elements of a router.
- To be able to understand the main elements in the programming of a router.
- To be able to program a router for a given specification.
- To understand the operation of firewalls, and how these are implemented on a firewall.

2 6.1 Routers
[Figure: a router and its connections.]
Router interfaces: Auxiliary Port (RJ-45), Console Port (RJ-45), Serial0 (DB-60), Serial1 (DB-60), Ether0 (DB-15), Ether1 (DB-15).
Connected to the router: console terminal, modem, virtual terminal (through telnet), TFTP server (to download configuration files over the network).

3 6.2 Router modes
[Figure: router startup sequence and modes. Startup labels: ROM; Perform hardware tests; Load operating system; Run EXEC; Bootstrap program; Executes user commands; Global, process and interface information; Load configuration file from NVRAM.]
User EXEC. View configuration parameters.
Privileged EXEC. Edit configuration parameter/debug/testing.
Setup mode. Used to configure the router when first started.
RXBOOT. Maintenance mode, such as recovering lost passwords.
Global Config. Performs simple configuration tasks.

4 6.2 Example topology
[Figure: example topology of five routers, LAB-A to LAB-E, with a switch and a hub. Interface labels: Ether0, Ether1, Serial0, Serial1. Network labels: 201.100.11.0, 205.7.5.0, 192.5.5.0, 219.17.100.0, 223.8.151.0, 210.93.105.0, 199.6.13.0. Address labels: 201.100.11.1, 201.100.11.2, 199.6.13.1, 199.6.13.2.]

5 6.3 Router startup
The bootstrap loader is loaded from ROM and run on the processor.

The operating system (Cisco IOS – Internetwork Operating System) is then loaded from the location given by the boot field of a configuration register (which specifies either boot from flash memory, boot from the network or manual boot). The lower four bits of the configuration register define the boot field.

The operating system is then booted, and it determines the hardware and the software on the system, and displays these to the console terminal.

The operating system then loads the configuration file from NVRAM and executes it one line at a time. These lines start different processes, and define addresses and protocol types.

If there is no configuration file in NVRAM, the router automatically goes into user setup mode, where the router asks the user questions about the router configuration. Once these have been specified, the router saves them to NVRAM so that the settings are kept. Once saved, the router should automatically boot without going into user setup mode.

As far as possible, the router tries to discover its environment and to minimize the settings that the user has to add. Typically, values are given in square brackets; these are defaults that the user can accept by pressing the return key at the option.

6 6.4 Router memory
NVRAM. This type of memory does not lose its contents when the power is withdrawn, but can be written to. It is used to store the router’s backup/startup configuration file. One of the options in the configuration is where the operating system image is loaded from, typically either from flash memory, or from a TFTP server.

Flash. This is erasable, reprogrammable ROM, which keeps its contents when the power is taken away. It is used in the router to contain one or more copies of the operating system image and microcode. Flash memory allows for easy updates to the operating system software, without having to replace any parts of the hardware.

ROM. This is a permanent type of memory, which cannot be changed, and does not lose its contents when the power is withdrawn. On the router it contains power-on diagnostics, a bootstrap program, and operating system software. Upgrades to ROM require a change of a ROM integrated circuit.

RAM. This is the main memory of the router and stores running programs and the current running configuration file. Along with this the RAM stores routing tables, ARP cache, packet buffering and packet hold queues. The contents of the RAM are lost when the power is withdrawn.

7 6.5 Router commands (enable)
LAB-A con0 is now available
Press RETURN to get started.
User Access Verification
Password: *******
LAB-A>?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  ::::::::
LAB-A>enable
Password: **********
LAB-A#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  cd               Change current directory
  ::::::::

8 6.6 Router commands (enable)
show arp. Displays the current status of the router’s ARP tables, which map IP addresses to MAC addresses. Session run 6.6 gives an example of this command.

show buffers. This command shows detailed statistics on the buffers within the router. Session run 6.2 gives an example of this command. In this case, the memory buffers split into small buffers (104 bytes), middle buffers (600 bytes), big buffers (1524 bytes), very big buffers (4520 bytes), large buffers (5024 bytes) and huge buffers (18024 bytes).

show flash. This command displays information on the data stored in the flash memory. An example is given in Session run 6.8.

show hosts. This command displays a list of connected hosts and their IP addresses.

show interfaces. This command displays statistics for all interfaces configured on the router. Session run 6.10 shows an example.

show mem. This command displays the usage of the router’s memory. Session run 6.3 shows an example.

show processes. This command shows the active processes.

show protocols. This command displays the status of currently running protocols (such as IP, IPX, AppleTalk and DECnet). It can be seen from Session run 6.9 that there are three active interfaces (Ethernet0, Serial0 and Serial1), and that each of the interfaces is operating (‘they are up’). For example, the IP address of the Ethernet0 interface is 219.17.100.1/24, which specifies that it has an IP address of 219.17.100.1 and that 24 bits are used to define the network part of the address (as expected, as it is a Class C address).

show running-config. This command displays the active configuration file.

show startup. Displays the startup configuration file.

show version. This command displays information on the hardware, software version, configuration file name, and the boot image.

9 6.7 Router commands (show buffers)
LAB-A#show buffers
Buffer elements:
     500 in free list (500 max allowed)
     2026 hits, 0 misses, 0 created
Public buffer pools:
Small buffers, 104 bytes (total 50, permanent 50):
     49 in free list (20 min, 150 max allowed)
     669 hits, 0 misses, 0 trims, 0 created
::::::::
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 4 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     0 failures (0 no memory)
Interface buffer pools:
Ethernet0 buffers, 1524 bytes (total 32, permanent 32):
     8 in free list (0 min, 32 max allowed)
     24 hits, 0 fallbacks
     8 max cache size, 8 in cache
::::::::
Serial0 buffers, 1524 bytes (total 32, permanent 32):
     7 in free list (0 min, 32 max allowed)
     102 hits, 0 fallbacks
     8 max cache size, 8 in cache

10 6.8 Router commands (show hosts)
LAB-A>show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255
Host    Flags        Age  Type  Address(es)
LAB-B   (perm, OK)   17   IP    201.100.11.2 219.17.100.1 199.6.13.1
LAB-C   (perm, OK)   18   IP    199.6.13.2 223.8.151.1 204.204.7.1
LAB-D   (perm, OK)   19   IP    204.204.7.2 210.93.105.1
LAB-E   (perm, OK)   18   IP    210.93.105.2
LAB-A   (perm, OK)   19   IP    192.5.5.1 205.7.5.1 201.100.11.1

11 6.9 Router commands (show protocols)
Lab-B>show protocols
Internet Protocol routing is enabled
Ethernet0 is up, line protocol is up
  Internet address is 219.17.100.1/24
Serial0 is up, line protocol is up
  Internet address is 199.6.13.1/24
Serial1 is up, line protocol is up
  Internet address is 201.100.11.2/24

12 6.10 Router commands (show running-config)
Lab-B#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Lab-B
!
enable password class
!
ip subnet-zero
!
interface Ethernet0
 ip address 219.17.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 199.6.13.1 255.255.255.0
 ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 clockrate 56000
!

13 6.11 Router commands (show running-config – cont.)
interface Serial1
 ip address 201.100.11.2 255.255.255.0
 no ip directed-broadcast
!
router rip
 network 199.6.13.0
 network 201.100.11.0
 network 219.17.100.0
!
no ip classless
!
line con 0
 password cisco
 login
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end
!
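A small audit of the Lab-B running-config listed on slides 12 and 13, added here as an example (it is not part of the original presentation): it flags the settings in that listing that leave credentials readable in the configuration or forward directed broadcasts. The function name and the wording of the findings are illustrative, and the embedded configuration is abridged from the slides.

```python
import re

# Lab-B running-config, abridged from slides 12 and 13 above.
LAB_B_CONFIG = """\
no service password-encryption
hostname Lab-B
enable password class
interface Ethernet0
 ip address 219.17.100.1 255.255.255.0
 no ip directed-broadcast
interface Serial0
 ip address 199.6.13.1 255.255.255.0
 ip directed-broadcast
interface Serial1
 ip address 201.100.11.2 255.255.255.0
 no ip directed-broadcast
line con 0
 password cisco
 login
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
"""

def audit(config):
    """Return (section, finding) pairs for weak settings in an IOS config."""
    findings, section = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # an unindented line starts a new section
            section = line if re.match(r"(interface|line|router) ", line) else "global"
        if line == "no service password-encryption":
            findings.append((section, "passwords stored in clear text"))
        elif line.startswith("enable password "):
            findings.append((section, "enable password used instead of enable secret"))
        elif re.match(r"password (?!7 )", line):  # not a type 7 encoded password
            findings.append((section, "line password stored in clear text"))
        elif line == "ip directed-broadcast":
            findings.append((section, "directed broadcasts forwarded"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(LAB_B_CONFIG):
        print(f"{section}: {finding}")
```

The `enable secret class` command used on slide 15 is the form the audit accepts, since it stores a hash rather than the password itself.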

14 6.12 MAC and IP address
[Figure: LAB-A (router) connected to a switch and a hub, networks 205.7.5.0 and 192.5.5.0. MAC/IP labels: MAC 0010.7b81.1d72, IP 192.5.5.1; MAC 0000.b430.b332, IP 192.5.5.12; MAC 0010.7b81.1d73, IP 205.7.5.1; MAC 0030.8071.9f40, IP 205.7.5.254.]

ARP TABLE (in LAB-A)
Protocol  Address      Age (min)  Hardware Addr   Type  Interface
Internet  205.7.5.254  108        0030.8071.9f40  ARPA  Ethernet1
Internet  192.5.5.1    -          0010.7b81.1d72  ARPA  Ethernet0
Internet  192.5.5.12   1          0000.b430.b332  ARPA  Ethernet0
Internet  205.7.5.1    -          0010.7b81.1d73  ARPA  Ethernet1

15 6.13 Router programming
Router> enable
Router#
Router# config t
Enter configuration commands, one per line. End with END.
Router (config)# hostname LAB_A
LAB_A (config)#
LAB_A (config)# enable secret class
LAB_A (config)# exit
LAB_A# exit
LAB_A> enable
Password: ccc
Password: class
LAB_A#

16 6.14 Router programming
LAB_A# config t
LAB_A (config)# int e0
LAB_A (config-if)# ip address 192.5.5.1 255.255.255.0
LAB_A (config-if)# no shutdown
LAB_A (config-if)# exit
LAB_A (config)# int e1
LAB_A (config-if)# ip address 205.7.5.1 255.255.255.0
LAB_A (config-if)# no shutdown
LAB_A (config-if)# exit
LAB_A (config)# int s0
LAB_A (config-if)# ip address 201.100.11.1 255.255.255.0
LAB_A (config-if)# clock rate 56000
LAB_A (config-if)# no shutdown
LAB_A (config-if)# exit
LAB_A (config)# router rip
LAB_A (config-router)# network 192.5.5.0
LAB_A (config-router)# network 205.7.5.0
LAB_A (config-router)# network 201.100.11.0
LAB_A (config-router)# exit
LAB_A (config)#

17 6.15 ACLs
A port on a router can be set up with ACLs to filter traffic based on the network address or the source or destination port number.
For example, the firewall may block FTP traffic going out of the network.

18 6.16 ACLs
Source IP address. The address that the data packet was sent from.
Destination IP address. The address that the data packet is destined for.
Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23), and WWW (port 80).
Destination TCP port. The port that the data segment is destined for.
Protocol type. This filters for UDP or TCP traffic.

19 6.17 Standard ACLs
Router (config)# access-list access-list-value {permit | deny} source source-mask

Router (config)# access-list 1 deny 156.1.1.10 0.0.0.0
Router (config)# access-list 1 deny 156.1.1.0 0.0.0.255
Router (config)# access-list 1 permit any

Router (config)# interface Ethernet0
Router (config-if)# ip address 156.1.1.130 255.255.255.0
Router (config-if)# ip access-group 1 in

20 6.18 Extended ACLs
Router(config)#access-list access-list-value {permit | deny} {test-conditions}

Router(config)#access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
Router(config)#access-list 100 permit ip any any

Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
Router(config)#access-list 100 permit ip any any

Router(config)#access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
Router(config)#access-list 100 permit ip any any

Router (config)# interface Ethernet0
Router (config-if)# ip address 156.1.1.130 255.255.255.192
Router (config-if)# ip access-group 100 in
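How a router evaluates the extended ACL entries on slide 20, as an added example that is not part of the original presentation: wildcard-mask matching plus top-down, first-match evaluation with the implicit deny at the end. It generalises to any IP-only entry of the form shown on the slide (no port or protocol tests); the function names are illustrative.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are ignored, 0 bits must match."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def parse_spec(tokens):
    """Consume 'any', 'host A' or 'A W' from a token list; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return "0.0.0.0", "255.255.255.255"
    if head == "host":
        return tokens.pop(0), "0.0.0.0"
    return head, tokens.pop(0)

def parse_entry(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError("only IP-only extended entries are handled: " + line)
    rest = t[4:]
    return t[2], parse_spec(rest), parse_spec(rest)

def evaluate(acl_lines, src, dst):
    """Entries are tested top-down and the first match decides; no match is a deny."""
    for line in acl_lines:
        action, s, d = parse_entry(line)
        if wild_match(src, *s) and wild_match(dst, *d):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Third extended ACL from slide 20. Wildcard 0.0.0.254 leaves only the lowest
# bit of the last octet significant, so the deny matches even-numbered hosts.
ACL_100 = [
    "access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    for src in ("156.1.1.134", "156.1.1.135"):
        print(src, "->", evaluate(ACL_100, src, "156.70.1.1"))
```

Reversing the two entries makes the deny unreachable, which is why the specific entry has to come before `permit ip any any`.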

