IP unnumbered. An IP unnumbered approach allows a port to borrow an IP address from an unused address on a connected network. For example, to assign an address from the network which connects E0 to S1:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# interface s1
   (config-if)# ip unnumbered e0
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config.
Implementing NAT. NAT (Network Address Translation) allows the mapping of internal private addresses to one or more public addresses. For NAT, the internal addresses are defined as inside, and the public interface is outside. To define the addresses on E0 as internal, and S0 as external:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# interface e0
   (config-if)# ip nat inside
   (config-if)# exit
   (config)# interface s0
   (config-if)# ip nat outside
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config.
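The inside/outside split configured above is easier to reason about with a small model of what the router does with each packet. The following Python script is an added example, not code from the original page or from Cisco: the Packet and Nat classes are hypothetical, and the addresses are constructed samples from the documentation ranges. It rewrites packets leaving the inside interface to the single outside address (allocating a translated port so several inside hosts can share it), maps replies back, and drops inbound packets that match no translation an inside host opened.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Minimal model of an IPv4 header plus transport ports (hypothetical)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Models NAT with port translation between an inside and an outside interface.

    Inside hosts use private addresses; everything leaving the outside
    interface carries the single public address. Inbound packets are
    forwarded only when an inside host has already opened the translation.
    """

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (inside ip, inside port) -> translated outside port
        self.out_table: Dict[Tuple[str, int], int] = {}
        # translated outside port -> (inside ip, inside port)
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the inside interface; create the translation on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.outside_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply arriving on the outside interface back to the inside host.

        Returns None (drop) when no inside host opened the translation, which is
        what keeps unsolicited outside traffic away from the private addresses.
        """
        if pkt.dst_ip != self.outside_ip or pkt.dst_port not in self.in_table:
            return None
        inside_ip, inside_port = self.in_table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

def demo() -> dict:
    """Run two inside hosts through the translator and return the observable results."""
    nat = Nat(outside_ip="203.0.113.10")   # constructed public address (TEST-NET-3)
    a = nat.inside_to_outside(Packet("192.168.0.5", 40000, "198.51.100.7", 80))
    b = nat.inside_to_outside(Packet("192.168.0.6", 40000, "198.51.100.7", 80))
    reply_a = nat.outside_to_inside(Packet("198.51.100.7", 80, "203.0.113.10", a.src_port))
    stray = nat.outside_to_inside(Packet("198.51.100.9", 4444, "203.0.113.10", 2222))
    return {"a": a, "b": b, "reply_a": reply_a, "stray": stray}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Both inside hosts use source port 40000, so the translated port is what tells their replies apart on the way back; the stray packet, which no inside host asked for, is returned as None and would be dropped.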
Defining SNMP. The snmp-server command is used to enable SNMP monitoring, such as:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. The snmp-server community command is used to initialise SNMP. For example, to define the read-only community string as public:
   (config)# snmp-server community public RO
   or, for read-write access, use RW instead of RO. The community access string (in this case, public) acts as a password for access to the SNMP information. To set up the SNMP contact:
   (config)# snmp-server contact fred smith
   and to set the location:
   (config)# snmp-server location room c27
   To enable SNMP traps so that all the data is monitored:
   (config)# snmp-server enable traps
   and to send these traps to a remote host (here, www.myhost.com):
   (config)# snmp-server host www.myhost.com public
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config.
6. To show SNMP event values:
   # show management event
   and to determine the status of the SNMP communications:
   # show snmp
   and to display the SNMP engine and remote engines:
   # show snmp engine
   and to display the SNMP group:
   # show snmp group
   SNMP uses an MIB database to store its values. To display its contents:
   # show snmp mib
   To show the currently pending SNMP requests:
   # show snmp pending
   To show the SNMP sessions:
   # show snmp sessions
7. Show the main system configuration with show running-config.
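Because the community string is the only password protecting the SNMP data, the lines that step 5 displays are worth checking mechanically. The following Python script is an added example, not code from the original page or from Cisco: it takes the text of show running-config (a constructed sample built from the commands above) and reports communities that use a vendor default name, grant RW access, or have no source access-list (the optional argument after RO/RW on the snmp-server community command), plus trap hosts that reuse a default string.

```python
from typing import List

# Constructed sample of "show running-config" output, using the commands
# from the SNMP section above (not captured from a real device).
SAMPLE_CONFIG = """\
hostname router1
snmp-server community public RO
snmp-server community private RW
snmp-server contact fred smith
snmp-server location room c27
snmp-server enable traps
snmp-server host www.myhost.com public
"""

# Strings shipped as vendor defaults; a community that acts as a password
# should never be one of them.
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_snmp(config_text: str) -> List[str]:
    """Return findings for the snmp-server lines of a running configuration.

    Checks for default community names, read-write (RW) communities,
    communities with no source access-list, and trap hosts that reuse a
    default community string.
    """
    findings: List[str] = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            name, rest = tokens[2], tokens[3:]
            mode = "RW" if "RW" in rest else "RO"
            # Whatever follows RO/RW is the access-list; no keyword means no list.
            acl = rest[rest.index(mode) + 1:] if mode in rest else []
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"community '{name}' is a vendor default name")
            if mode == "RW":
                findings.append(f"community '{name}' grants read-write (RW) access")
            if not acl:
                findings.append(f"community '{name}' has no source access-list")
        elif tokens[:2] == ["snmp-server", "host"] and len(tokens) >= 4:
            # Assumes the community string is the last word on the host line.
            host, community = tokens[2], tokens[-1]
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"trap host {host} uses default community '{community}'")
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Run against the sample it reports six findings; a line such as snmp-server community k7Qx2 RO 10 (a non-default string, read-only, restricted by access-list 10) produces none.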
Adding a description to the interface. The description command can be added to the interface, such as:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# interface e0
   (config-if)# description Bert's Port
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config.
Defining SNTP. The SNTP (Simple Network Time Protocol) can be used to allow the router to listen to time servers. This is achieved with:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then, to enable the router to receive broadcast NTP packets from a time server:
   (config)# sntp broadcast client
4. Go back to the user executive mode with the command exit.
5. To show the SNTP (Simple Network Time Protocol) status:
   # show sntp
Showing other statistics.

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   # show tcp
4. For the reload details:
   # show reload
5. For the boot details:
   # show boot
6. For the aliases:
   # show aliases exec
7. For system crashes:
   # show context
8. or:
   # show context summary
9. To show debugging:
   # show debugging
10. To show environment details:
   # show environment
Defining a MOTD. The Message of the Day (motd) is shown when someone logs into the router, and is set up by:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# banner motd # This is my router #
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config. A SLIP/PPP banner can also be applied, with:
   (config)# banner slip-ppp # Welcome to the SLIP/PPP login #
IP interface options. There are many IP options which can be applied to an interface:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# interface e0
   (config-if)# ip ?
4. You can also view the commands available from each mode with the ? key. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config. To get rid of AppleTalk routing, use:
   (config)# no appletalk routing
Enabling DECnet routing. Cisco routers can also be used to route DECnet networks (such as those which use VAX/DEC-type equipment).

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# decnet routing
   (config)# exit
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config. To get rid of DECnet routing, use:
   (config)# no decnet routing
Context-based control. Context-based control is used to implement firewall options, such as limiting the number of open connections. A typical attack is the DoS (Denial of Service) attack, where an external party opens up multiple connections. To overcome this, the router can be set up with a threshold for half-open sessions. This can be achieved with:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then, to limit the maximum number of half-open sessions to between 900 and 1100:
   (config)# ip inspect max-incomplete low 900
   (config)# ip inspect max-incomplete high 1100
   and for the maximum number of sessions over one minute:
   (config)# ip inspect one-minute low 900
   (config)# ip inspect one-minute high 1100
   (config)# exit
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config. To get rid of IP inspect, use:
   (config)# no ip inspect one-minute low
6. To limit the DNS timeout to 10 seconds:
   (config)# ip inspect dns-timeout 10
7. To limit the TCP connection timeout value to 30 seconds:
   (config)# ip inspect tcp synwait-time 30
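The low and high values above are watermarks with hysteresis: nothing happens until a measure crosses the high value, and once shedding starts it continues until the measure is back below the low value. The following Python script is an added example that models that behaviour, not code from the original page or from Cisco; the HalfOpenGuard class and simulate_flood helper are hypothetical, and the session keys are constructed. One pair of thresholds bounds the total number of half-open sessions (max-incomplete), the other bounds the number of new attempts seen in the last 60 seconds (one-minute); in both cases the oldest half-open sessions are the ones torn down.

```python
from collections import OrderedDict, deque
from typing import List

class HalfOpenGuard:
    """Watermark-based control of half-open TCP sessions (hypothetical model).

    `max_low`/`max_high` bound the total number of half-open sessions;
    `minute_low`/`minute_high` bound the number of new session attempts in
    the last 60 seconds. Crossing a high watermark starts shedding the
    oldest half-open sessions; shedding stops below the matching low value.
    """

    def __init__(self, max_low=900, max_high=1100, minute_low=900, minute_high=1100):
        self.max_low, self.max_high = max_low, max_high
        self.minute_low, self.minute_high = minute_low, minute_high
        self.half_open = OrderedDict()     # session key -> SYN time, oldest first
        self.recent = deque()              # SYN times inside the last 60 s window
        self.rate_aggressive = False       # set while the one-minute rate is too high
        self.dropped: List[str] = []       # sessions torn down by the guard

    def syn(self, key: str, now: float) -> None:
        """Register a new half-open session seen at time `now` (seconds)."""
        self.half_open[key] = now
        self.recent.append(now)
        while self.recent and now - self.recent[0] >= 60.0:
            self.recent.popleft()
        # One-minute rate: enter aggressive mode above high, leave it below low.
        rate = len(self.recent)
        if rate > self.minute_high:
            self.rate_aggressive = True
        elif rate < self.minute_low:
            self.rate_aggressive = False
        if self.rate_aggressive and len(self.half_open) > 1:
            self._drop_oldest()            # make room for each new attempt
        # Total count: above high, shed until the table is below low.
        if len(self.half_open) > self.max_high:
            while len(self.half_open) >= self.max_low:
                self._drop_oldest()

    def established(self, key: str) -> None:
        """The handshake completed, so the session is no longer half-open."""
        self.half_open.pop(key, None)

    def _drop_oldest(self) -> None:
        oldest, _ = self.half_open.popitem(last=False)
        self.dropped.append(oldest)

def simulate_flood(attempts: int, spacing: float = 1.0) -> HalfOpenGuard:
    """Feed `attempts` SYNs that never complete, `spacing` seconds apart,
    into a guard using the thresholds configured in the text (900/1100)."""
    guard = HalfOpenGuard()
    for i in range(attempts):
        guard.syn(f"10.0.0.{i % 250 + 1}:{40000 + i}", i * spacing)   # constructed keys
    return guard

if __name__ == "__main__":
    g = simulate_flood(1101)
    print(f"half-open kept: {len(g.half_open)}, torn down: {len(g.dropped)}")
```

With one SYN per second the one-minute rate never exceeds 60, so only the total-count threshold acts: the 1101st half-open session pushes the table past 1100 and the guard sheds 202 of the oldest entries to get back below 900. Using small minute thresholds in a second guard shows the rate logic on its own.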
Defining a Syslog server. The router can be set up to send system logging information to a remote server which supports Syslog (which uses UDP port 514). For example, to send it to 192.168.0.20:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# logging 192.168.0.20
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config.
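On the receiving side, each datagram the router sends to UDP port 514 starts with a <PRI> field that encodes the facility and severity, followed by the router's own %FACILITY-SEVERITY-MNEMONIC text. The following Python script is an added example, not code from the original page or from Cisco: it parses constructed sample messages in that format, and triage keeps the ones a defender should read first (severity warning or worse, plus configuration changes, which are logged at notice level). The serve function is a hypothetical minimal UDP receiver; binding port 514 needs privileges, so it is not run by default.

```python
import re
import socket
from typing import Dict, List, Optional

# Constructed messages in the form a Cisco router sends to a UDP/514 syslog
# server; written for this example, not captured from a real device.
SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.5)",
    "<189>46: *Mar  1 00:12:40.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up",
    "<187>47: *Mar  1 00:13:02.250: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
]

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")
# Cisco message text: %FACILITY-SEVERITY-MNEMONIC: description
CISCO_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

def parse_syslog(line: str) -> Optional[Dict]:
    """Decode the <PRI> header into facility and severity and pull out the Cisco mnemonic.

    Returns None for lines that do not carry a valid PRI (0..191).
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    record = {
        "facility": pri // 8,            # Cisco routers default to local7 (23)
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "mnemonic": None,
        "text": m.group("body"),
    }
    c = CISCO_RE.search(m.group("body"))
    if c:
        record["mnemonic"] = f"{c['fac']}-{c['sev']}-{c['mnem']}"
        record["text"] = c["text"]
    return record

def triage(lines: List[str], max_severity: int = 4) -> List[Dict]:
    """Keep messages at severity `max_severity` (warning) or worse, plus
    configuration changes, which the router logs at notice level."""
    keep = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        if rec["severity"] <= max_severity or (rec["mnemonic"] or "").endswith("CONFIG_I"):
            keep.append(rec)
    return keep

def serve(bind_ip: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams from the router and print the triaged records (needs privileges for 514)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        for rec in triage([data.decode("utf-8", "replace")]):
            print(src, rec["severity_name"], rec["mnemonic"], rec["text"])

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(rec["severity_name"], rec["mnemonic"], rec["text"])
```

PRI 189 decodes to facility 23 (local7) and severity 5 (notice), so the link-state notice is filtered out while the configuration change and the severity-3 interface-down message are kept.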
IDS (Intrusion Detection System). An IDS can be used to detect intruders into the system. This is normally applied at the perimeter of the network. To set up a spam filter which sets a threshold of 30 users receiving the same email message:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# ip audit log
   (config)# ip audit smtp 30
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config.
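The threshold above is applied to one SMTP message: the number of RCPT TO commands that follow a MAIL FROM before the message data is sent. The following Python script is an added example, not code from the original page or from Cisco: it counts recipients per message in a constructed SMTP session transcript and flags any message whose count exceeds a threshold, so the same check can be reproduced on captured mail traffic or a mail relay's logs.

```python
from typing import List, Tuple

# Constructed SMTP session transcript (client commands only): one message
# with three recipients, then a second message with one recipient.
SAMPLE_SESSION = """\
EHLO mail.example.net
MAIL FROM:<sender@example.net>
RCPT TO:<alice@example.org>
RCPT TO:<bob@example.org>
RCPT TO:<carol@example.org>
DATA
.
MAIL FROM:<sender@example.net>
RCPT TO:<dave@example.org>
DATA
.
QUIT
"""

def count_recipients(session: str) -> List[Tuple[str, int]]:
    """Return (sender, recipient count) for each message in an SMTP transcript.

    A message starts at MAIL FROM; its recipients are the RCPT TO commands
    that follow before the next MAIL FROM (or the end of the session).
    """
    messages: List[Tuple[str, int]] = []
    sender, count = None, 0
    for line in session.splitlines():
        verb = line.strip().upper()
        if verb.startswith("MAIL FROM:"):
            if sender is not None:
                messages.append((sender, count))
            sender, count = line.strip()[len("MAIL FROM:"):].strip("<>"), 0
        elif verb.startswith("RCPT TO:") and sender is not None:
            count += 1
    if sender is not None:
        messages.append((sender, count))
    return messages

def flag_bulk_messages(session: str, threshold: int) -> List[Tuple[str, int]]:
    """Return the messages whose recipient count exceeds `threshold`, the
    check the ip audit smtp setting applies with a threshold of 30."""
    return [m for m in count_recipients(session) if m[1] > threshold]

if __name__ == "__main__":
    print(count_recipients(SAMPLE_SESSION))
    print(flag_bulk_messages(SAMPLE_SESSION, threshold=2))
```

With the page's threshold of 30 neither sample message is flagged; lowering the threshold to 2 flags the first one, which shows where the alarm boundary sits.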
BGP routing. BGP is used as an Exterior Routing protocol. It is set up with:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then its neighbour(s) are defined with:
   (config)# router bgp 200
   (config-router)# neighbor 10.11.12.13 remote-as 300
   (config-router)# neighbor 10.11.12.13 description Link to ISP
   (config-router)# neighbor 10.11.12.13 send-community
   (config-router)# neighbor 10.11.12.13 version 4
   (config-router)# neighbor 10.11.12.13 route-map Community1 out
4. Go back to the user executive mode with the command exit, followed by exit.
5. Show the main system configuration with show running-config.
Defining a time zone.

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# clock timezone GMT 0
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config.
Alarm interface. The alarm-interface command gives access to the Alarm Interface Card (AIC). For example, for the alarm interface in slot 5:

1. Go into the privileged mode by typing enable.
2. Configure the device by typing config t.
3. Then:
   (config)# alarm-interface 5
   (config-aic)# ip address 192.10.0.10
   (config-aic)# reset
   Alarm Interface Card in slot 5 restarted
   (config)# exit
4. Go back to the user executive mode with the command exit.
5. Show the main system configuration with show running-config.