This document shows how to rebuild the baseline state of the various infrastructure devices in the XNetwork. In the configuration commands below, comments run from "//" to the end of the line. Comments are not part of the command.
The following procedures can be used to initialize the routers and switches to their pristine state. The intent is to keep a baseline-config always available so the devices can easily be restored to a baseline configuration. Note that the procedures described here assume the enable secret is known. If it is not, a more complex recovery procedure is needed (not documented here).
For the routers:
    Router> enable
    Router# erase startup-config                  // Restores to Cisco defaults.
    Router# copy baseline-config startup-config   // Restores to XNetwork baseline configuration.
    Router# reload
For the switches:
    Switch> enable
    Switch# show flash                            // To check for vlan.dat.
    Switch# delete vlan.dat                       // Only if vlan.dat exists.
    Switch# erase startup-config
    Switch# copy baseline-config startup-config
    Switch# reload
We are using a very basic configuration for now. Obviously use S2 for the hostname on switch 2.
    Switch> enable
    Switch# configure terminal
    Switch(config)# hostname S0
    S0(config)# enable secret hotdog
    S0(config)# exit
    // The following commands are done by SE/IT faculty after the full configuration.
    S0# copy running-config startup-config
    S0# copy running-config baseline-config
Switch S0 has span monitoring configuration so that a monitoring system, running tshark, snort, or some other tool, can view the traffic on the 192.168.0.0/24 subnetwork. Note that R1 is connected to port 0/1, Alpha is connected to port 0/22, and Mu's eth1 interface (for "normal" usage) is connected to port 0/23. The destination of the monitoring is interface port 0/24, currently connected to Mu's eth2 interface.
    S0(config)# monitor session 1 source interface FastEthernet 0/1
    S0(config)# monitor session 1 source interface FastEthernet 0/2
    S0(config)# monitor session 1 source interface FastEthernet 0/22
    S0(config)# monitor session 1 source interface FastEthernet 0/23
    S0(config)# monitor session 1 destination interface FastEthernet 0/24
We are using a very basic configuration for now. Obviously use S3 for the hostname on switch 3.
    Switch> enable
    Switch# configure terminal
    Switch(config)# hostname S1
    S1(config)# enable secret hotdog
    S1(config)# exit
    // The following commands are done by SE/IT faculty after the full configuration.
    S1# copy running-config startup-config
    S1# copy running-config baseline-config
R2 is configured in the same way as R1, except that its network addresses differ accordingly. Also, R2 has nothing connected to its Serial0/0/1 interface.
The basics. Note that the banner text is delimited by '#' characters (which you must type).
    Router> enable
    Router# configure terminal
    Router(config)# hostname R1
    R1(config)# enable secret hotdog
    R1(config)# no ip domain lookup
    R1(config)# banner motd # Warning! Unauthorized access is prohibited! #
    R1(config)# ipv6 unicast-routing
    // The following commands are done by SE/IT faculty after the full configuration.
    R1# copy running-config startup-config
    R1# copy running-config baseline-config
Configure the interfaces, both IPv4 and IPv6.
    R1(config)# interface FastEthernet 0/0
    R1(config-if)# ip address 192.168.0.1 255.255.255.0
    R1(config-if)# ipv6 address FD25:F376:7B60:1000::1/64
    R1(config-if)# no shutdown
    R1(config-if)# exit
    R1(config)# interface FastEthernet 0/1
    R1(config-if)# ip address 192.168.1.1 255.255.255.0
    R1(config-if)# ipv6 address FD25:F376:7B60:1001::1/64
    R1(config-if)# no shutdown
    R1(config-if)# exit
    R1(config)# interface Serial0/0/0
    R1(config-if)# ip address 192.168.255.1 255.255.255.252
    R1(config-if)# ipv6 address FD25:F376:7B60:1004::1/64
    R1(config-if)# no shutdown
    R1(config-if)# exit
    R1(config)# interface Serial0/0/1
    R1(config-if)# ip address 192.168.255.5 255.255.255.252
    R1(config-if)# ipv6 address FD25:F376:7B60:1005::5/64
    R1(config-if)# no shutdown
    R1(config-if)# exit
Router R2 should have its serial line configured as a DCE. This is done by specifying the clock rate explicitly on that side when configuring the line. Note that the Packet Tracer model is using a clock rate of 128000 because 115200 isn't an option in Packet Tracer.
    R2(config-if)# clock rate 115200
Next, OSPF routing...
    R1(config)# router ospf 10
    R1(config-router)# network 192.168.0.0 0.0.0.255 area 0
    R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
    R1(config-router)# network 192.168.255.0 0.0.0.3 area 0
    R1(config-router)# network 192.168.255.4 0.0.0.3 area 0
    R1(config-router)# exit
    R1(config)# ipv6 router ospf 60
    R1(config-rtr)# router-id 0.0.0.1
    R1(config-rtr)# exit
    R1(config)# interface FastEthernet 0/0
    R1(config-if)# ipv6 ospf 60 area 0
    R1(config-if)# interface FastEthernet 0/1
    R1(config-if)# ipv6 ospf 60 area 0
    R1(config-if)# interface Serial0/0/0
    R1(config-if)# ipv6 ospf 60 area 0
    R1(config-if)# interface Serial0/0/1
    R1(config-if)# ipv6 ospf 60 area 0
    R1(config-if)# exit
... and similarly for R2, with appropriate changes to the addresses and router ID.
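The IPv4 `network` statements above use wildcard masks, and a mistyped wildcard silently leaves an interface out of OSPF. The following script is an added example (not part of this document or the lab's own tooling) that applies the same wildcard semantics IOS uses to verify that every interface address on a router is covered by one of its network statements. The interface list and statements are constructed from R1's commands above, plus a made-up Loopback0 that no statement covers, so the gap case is visible; the 172.18.0.0 0.1.255.255 check in the test mirrors StudentR1's /15 statement later in this document.

```python
"""Added example (not part of the XNetwork document): check that every IPv4
interface address on a router falls inside one of its OSPF `network`
statements, using the wildcard-mask semantics IOS applies (a 0 bit in the
wildcard must match, a 1 bit is ignored)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (network, wildcard, area) as typed after `router ospf 10` on R1.
R1_NETWORK_STATEMENTS: List[Tuple[str, str, int]] = [
    ("192.168.0.0", "0.0.0.255", 0),
    ("192.168.1.0", "0.0.0.255", 0),
    ("192.168.255.0", "0.0.0.3", 0),
    ("192.168.255.4", "0.0.0.3", 0),
]

# Interface addresses from R1's configuration, plus a constructed loopback
# that no network statement covers, to show what a gap looks like.
R1_INTERFACES: Dict[str, str] = {
    "FastEthernet0/0": "192.168.0.1",
    "FastEthernet0/1": "192.168.1.1",
    "Serial0/0/0": "192.168.255.1",
    "Serial0/0/1": "192.168.255.5",
    "Loopback0": "10.99.0.1",  # constructed; not in the document
}


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches `network` under `wildcard` (IOS semantics)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # the bits IOS actually compares
    return (_to_int(address) & care) == (_to_int(network) & care)


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """Prefix length of a contiguous wildcard (0.0.0.3 -> 30); None if the bits are discontiguous."""
    mask_bits = format(~_to_int(wildcard) & 0xFFFFFFFF, "032b")
    return mask_bits.count("1") if "01" not in mask_bits else None


def ospf_coverage(interfaces: Dict[str, str],
                  statements: List[Tuple[str, str, int]]) -> Dict[str, Optional[Tuple[str, str, int]]]:
    """Map each interface to the most specific statement that enables OSPF on it, or None.
    IOS prefers the statement with the fewest 1 bits in its wildcard when several match."""
    by_specificity = sorted(statements, key=lambda s: bin(_to_int(s[1])).count("1"))
    coverage: Dict[str, Optional[Tuple[str, str, int]]] = {}
    for name, address in interfaces.items():
        coverage[name] = next(
            (s for s in by_specificity if wildcard_matches(address, s[0], s[1])), None)
    return coverage


def uncovered_interfaces(interfaces: Dict[str, str],
                         statements: List[Tuple[str, str, int]]) -> List[str]:
    """Interfaces that will not run OSPF under the given network statements."""
    return sorted(n for n, s in ospf_coverage(interfaces, statements).items() if s is None)


if __name__ == "__main__":
    for name, stmt in ospf_coverage(R1_INTERFACES, R1_NETWORK_STATEMENTS).items():
        print(f"{name:16} -> {stmt if stmt else 'NOT in OSPF'}")
```

Run it after editing the statements for R2 or Shangri-La (substitute their interface addresses) to confirm that every link that should carry OSPF actually does; an interface that reports `NOT in OSPF` will never form an adjacency, which is the usual cause of a missing route after a baseline restore.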
On router R1 set a default route to Mu (which may eventually be configured as a NAT gateway to the VTSU LAN). It is also necessary to configure R1 to propagate the default information.
    R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.99
    R1(config)# router ospf 10
    R1(config-router)# default-information originate
    R1(config-router)# exit
Now, console access. Unlike Packet Tracer, the real 1841 requires the use of an AAA authentication database. Adding a simple line password has no effect by itself, and the `login` command is taken as "incomplete." Furthermore, `login local` is an error. The commands below set up the console to not require user authentication at all.
    R1(config)# line console 0
    R1(config-line)# logging synchronous
    R1(config-line)# exec-timeout 15
    R1(config-line)# exit
Now, SSH access. The routers use a 2048-bit RSA key. Notice that even though the `login local` command is not used, SSH access still requires that one of the defined users logs in.
It would be preferred for the student user to log in at privilege level 0 and then enable an appropriate view to gain access to functionality. However, even if privilege level 0 is specified in the `username` command, the user still logs in at privilege level 1. Perhaps the procedure is to have the student log in directly to the desired, restricted-access view.
    R1(config)# ip domain-name cislab.vermontstate.edu
    R1(config)# username admin privilege 15 secret hamburger
    R1(config)# username student privilege 1 secret frenchfry
    R1(config)# crypto key generate rsa
    R1(config)# ip ssh version 2
    R1(config)# line vty 0 15
    R1(config-line)# transport input ssh
    R1(config-line)# login local
    R1(config-line)# logging synchronous
    R1(config-line)# exec-timeout 15
    R1(config-line)# exit
    R1(config)# exit
Finally, to lock this configuration down, save everything.
    R1# copy running-config startup-config
    R1# copy running-config baseline-config
Student users must not execute either of the commands above to ensure the devices can be easily recovered should there be a configuration mishap.
The basic configuration is the same as for R1 and R2. Note that the banner text is delimited by '#' characters (which you must type).
    Router> enable
    Router# configure terminal
    Router(config)# hostname Shangri-La
    Shangri-La(config)# enable secret hotdog
    Shangri-La(config)# no ip domain lookup
    Shangri-La(config)# banner motd # Warning! Unauthorized access is prohibited! #
    Shangri-La(config)# ipv6 unicast-routing
Configure the interfaces.
    Shangri-La(config)# interface FastEthernet 0/0
    Shangri-La(config-if)# ip address 10.0.1.254 255.255.255.0
    Shangri-La(config-if)# ipv6 address FD25:F376:7B60:1006::FE/64
    Shangri-La(config-if)# no shutdown
    Shangri-La(config-if)# exit
    Shangri-La(config)# interface Serial0/0/0
    Shangri-La(config-if)# ip address 192.168.255.6 255.255.255.252
    Shangri-La(config-if)# ipv6 address FD25:F376:7B60:1005::6/64
    Shangri-La(config-if)# clock rate 115200
    Shangri-La(config-if)# no shutdown
    Shangri-La(config-if)# exit
Shangri-La should have its serial line configured as a DCE. This is done by specifying the clock rate explicitly as above. Note that the Packet Tracer model is using a clock rate of 128000 because 115200 isn't an option in Packet Tracer.
Next, OSPF routing.
    Shangri-La(config)# router ospf 10
    Shangri-La(config-router)# network 10.0.1.0 0.0.0.255 area 0
    Shangri-La(config-router)# network 192.168.255.4 0.0.0.3 area 0
    Shangri-La(config-router)# exit
    Shangri-La(config)# ipv6 router ospf 60
    Shangri-La(config-rtr)# router-id 0.0.0.3
    Shangri-La(config-rtr)# exit
    Shangri-La(config)# interface FastEthernet 0/0
    Shangri-La(config-if)# ipv6 ospf 60 area 0
    Shangri-La(config-if)# interface Serial0/0/0
    Shangri-La(config-if)# ipv6 ospf 60 area 0
    Shangri-La(config-if)# exit
Now, console access. Unlike Packet Tracer, the real 1841 requires the use of an AAA authentication database. Adding a simple line password has no effect by itself, and the `login` command is taken as "incomplete." Furthermore, `login local` is an error. The commands below set up the console to not require user authentication at all.
    Shangri-La(config)# line console 0
    Shangri-La(config-line)# logging synchronous
    Shangri-La(config-line)# exec-timeout 15
    Shangri-La(config-line)# exit
Now, SSH access. The router uses a 2048-bit RSA key. Notice that even though the `login local` command is not used, SSH access still requires that one of the defined users logs in.
It would be preferred for the student user to log in at privilege level 0 and then enable an appropriate view to gain access to functionality. However, even if privilege level 0 is specified in the `username` command, the user still logs in at privilege level 1. Perhaps the procedure is to have the student log in directly to the desired, restricted-access view.
    Shangri-La(config)# ip domain-name cislab.vermontstate.edu
    Shangri-La(config)# username admin privilege 15 secret hamburger
    Shangri-La(config)# username student privilege 1 secret frenchfry
    Shangri-La(config)# crypto key generate rsa
    Shangri-La(config)# ip ssh version 2
    Shangri-La(config)# line vty 0 15
    Shangri-La(config-line)# transport input ssh
    Shangri-La(config-line)# login local
    Shangri-La(config-line)# logging synchronous
    Shangri-La(config-line)# exec-timeout 15
    Shangri-La(config-line)# exit
    Shangri-La(config)# exit
Finally, to lock this configuration down, save everything.
    Shangri-La# copy running-config startup-config
    Shangri-La# copy running-config baseline-config
Student users must not execute either of the commands above to ensure the devices can be easily recovered should there be a configuration mishap.
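The R1/R2 and Shangri-La sections above each end with the same lock-down step, and the only way to know a device is still at that baseline after a semester of student use is to compare its running-config against the baseline's hardening items. The script below is an added example (not part of this document or the lab's own tooling): it parses the text of `show running-config` into top-level lines and per-line-section entries, then checks the items this document configures (an `enable secret` rather than `enable password`, `no ip domain lookup`, a MOTD banner, `ip ssh version 2`, local-user `secret`s, and vty lines restricted to SSH with `login local` and an `exec-timeout`, plus a console `exec-timeout`). Both sample configs are constructed; the secrets are placeholders, not the lab's values, and the vty ranges are written the way IOS splits them in a saved config.

```python
"""Added example (not part of the XNetwork document): audit a saved IOS
running-config against the baseline hardening items this document configures
on R1, R2, Shangri-La and StudentR1. Both configs below are constructed samples."""
import re
from typing import Dict, List

# Constructed sample modelled on the R1 commands in this document (placeholder secrets).
HARDENED_CONFIG = """\
hostname R1
enable secret 5 $PLACEHOLDER_HASH
no ip domain lookup
ip domain-name cislab.vermontstate.edu
username admin privilege 15 secret 5 $PLACEHOLDER_HASH
username student privilege 1 secret 5 $PLACEHOLDER_HASH
banner motd ^C Warning! Unauthorized access is prohibited! ^C
ip ssh version 2
line con 0
 exec-timeout 15 0
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 15 0
 logging synchronous
 login local
 transport input ssh
end
"""

# Constructed sample of a device that has drifted from the baseline.
DRIFTED_CONFIG = """\
hostname R1
enable password PLACEHOLDER
ip domain-name cislab.vermontstate.edu
username admin privilege 15 password 0 PLACEHOLDER
line con 0
 logging synchronous
line vty 0 4
 password PLACEHOLDER
 login
 transport input all
end
"""


def parse_sections(config_text: str) -> Dict[str, List[str]]:
    """Group indented lines under their parent command (e.g. 'line vty 0 4');
    the top-level commands themselves are collected under the key ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS section separators
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def _every_section(groups: List[List[str]], pattern: str) -> bool:
    """True only if at least one group exists and each group has a line matching pattern."""
    return bool(groups) and all(any(re.match(pattern, line) for line in g) for g in groups)


def check_baseline(config_text: str) -> Dict[str, bool]:
    """Return each baseline item and whether the config satisfies it."""
    sections = parse_sections(config_text)
    top = sections[""]
    vty = [lines for key, lines in sections.items() if key.startswith("line vty")]
    con = [lines for key, lines in sections.items() if key.startswith("line con")]
    users = [line for line in top if line.startswith("username ")]
    timeout = r"exec-timeout (?!0 0$)"  # 'exec-timeout 0 0' disables the timeout
    return {
        "enable_secret": any(l.startswith("enable secret") for l in top)
                         and not any(l.startswith("enable password") for l in top),
        "no_domain_lookup": any(re.match(r"no ip domain[- ]lookup", l) for l in top),
        "banner_motd": any(l.startswith("banner motd") for l in top),
        "ssh_v2": "ip ssh version 2" in top,
        "users_use_secret": bool(users) and all(" secret " in l for l in users),
        "vty_ssh_only": _every_section(vty, r"transport input ssh$"),
        "vty_login_local": _every_section(vty, r"login local$"),
        "vty_exec_timeout": _every_section(vty, timeout),
        "console_exec_timeout": _every_section(con, timeout),
    }


def failing_items(config_text: str) -> List[str]:
    """Sorted names of the baseline items the config does not meet."""
    return sorted(name for name, ok in check_baseline(config_text).items() if not ok)


if __name__ == "__main__":
    print("hardened:", failing_items(HARDENED_CONFIG) or "no findings")
    print("drifted: ", failing_items(DRIFTED_CONFIG))
```

Feed it the output of `show running-config` captured over the console server before deciding whether a device needs the restore procedure at the top of this document; a non-empty finding list is the signal to run it.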
A very basic configuration for now.
    Switch> enable
    Switch# configure terminal
    Switch(config)# hostname Portal
    Portal(config)# enable secret hotdog
    Portal(config)# exit
    // The following commands are done by SE/IT faculty after the full configuration.
    Portal# copy running-config startup-config
    Portal# copy running-config baseline-config
The addresses below are appropriate for StudentR1. Modify the addresses as needed for the other routers.
    Router> enable
    Router# configure terminal
    Router(config)# hostname StudentR1
    StudentR1(config)# enable secret hotdog
    StudentR1(config)# no ip domain lookup
    StudentR1(config)# banner motd # Warning! Unauthorized access is prohibited! #
    StudentR1(config)# interface FastEthernet 0/0
    StudentR1(config-if)# ip address 172.18.0.1 255.254.0.0
    StudentR1(config-if)# no shutdown
    StudentR1(config-if)# exit
    StudentR1(config)# interface FastEthernet 0/1
    StudentR1(config-if)# ip address 10.0.1.1 255.255.255.0
    StudentR1(config-if)# no shutdown
    StudentR1(config-if)# exit
    StudentR1(config)# router ospf 10
    StudentR1(config-router)# network 172.18.0.0 0.1.255.255 area 0
    StudentR1(config-router)# network 10.0.1.0 0.0.0.255 area 0
    StudentR1(config-router)# exit
    StudentR1(config)# line console 0
    StudentR1(config-line)# logging synchronous
    StudentR1(config-line)# exec-timeout 15
    StudentR1(config-line)# exit
    StudentR1(config)# ip domain-name cislab.vermontstate.edu
    StudentR1(config)# username admin privilege 15 secret hamburger
    StudentR1(config)# username student privilege 1 secret frenchfry
    StudentR1(config)# crypto key generate rsa
    StudentR1(config)# ip ssh version 2
    StudentR1(config)# line vty 0 15
    StudentR1(config-line)# transport input ssh
    StudentR1(config-line)# login local
    StudentR1(config-line)# logging synchronous
    StudentR1(config-line)# exec-timeout 15
    StudentR1(config-line)# exit
    StudentR1(config)# exit
    StudentR1# copy running-config startup-config
    StudentR1# copy running-config baseline-config
The student switches are almost entirely without configuration. Only their hostnames have been set to facilitate identifying one switch from the other when working at the IOS command prompt.
The console server gives you access to the console lines on the student routers and switches.
TODO: Finish documenting the configuration of Connie!
Last Revised: 2024-01-03
© Copyright 2024 by Peter Chapin <peter.chapin@vermontstate.edu>