Feb 26, 2014

How to apply access list to the CISCO router …!!!!


Access List:

You can use the console or Telnet to one of the interfaces on your router.

Example 1: Applying access list 102 (inbound) to Serial 0.
Router>enable
Router#config term
Router(config)#interface serial 0
Router(config-if)#ip access-group 102 in
Router(config-if)#exit
Router(config)#exit

Example 2: Applying access list 101 (outbound) to Ethernet 0.
Router#config term
Router(config)#interface ethernet 0
Router(config-if)#ip access-group 101 out
Router(config-if)#exit
Router(config)#exit

Example 3: Removing an access list from Serial 0.
Router#config term
Router(config)#interface serial 0
Router(config-if)#no ip access-group 101 out
Router(config-if)#exit
Router(config)#exit

Some helpful commands to monitor and verify the access list:

show running-config                 {displays the active configuration, including any access-group applied to an interface}
show access-list                    {displays all access lists}
show access-list 1xx                {displays access list 1xx only}
show ip access-list                 {displays the IP access lists}
show interface serial 0             {displays information on the Serial 0 interface}
no access-list 1xx                  {removes access list 1xx only}
copy running-config startup-config  {saves the active configuration to NVRAM}

Access List Guidelines:

1. Access list numbers indicate which protocol is filtered. Extended IP is from 100-199.
2. Only one access list per protocol, per direction, per interface is allowed.
3. Processing is top-down. The most restrictive statements should be at the top.
4. At the end of the access list is an implicit deny all. Because of the implicit deny, there should be at least one permit statement in every access list.
5. New entries are added to the bottom. Any new entry is appended to the bottom of the list. If modifications are necessary, delete the access list and recreate the entire list off-line, such as with a text editor, then upload the changes from a TFTP server or cut and paste them from a computer.
6. Create the access list before applying it to an interface.
7. Access lists only filter traffic going through the router. They do not apply to traffic
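Guidelines 2, 4 and 6 can be checked mechanically against a configuration prepared off-line before it is pasted into the router, as guideline 5 recommends. The following Python checker is an added example, not code from the original post; the configuration it parses is constructed, and its interface names and list numbers are illustrative.

```python
import re
from collections import defaultdict

# Constructed "show running-config" extract for the checker below. Access list 102
# deliberately has no permit entry, and Ethernet0 deliberately applies two lists
# outbound, one of which (103) is never defined.
SAMPLE_CONFIG = """\
access-list 101 deny   tcp any host 10.1.1.5 eq 23
access-list 101 permit ip any any
access-list 102 deny   ip 192.168.5.0 0.0.0.255 any
interface Serial0
 ip access-group 102 in
interface Ethernet0
 ip access-group 101 out
 ip access-group 103 out
"""

def parse_config(text):
    """Return (actions per access list number, access-groups per interface)."""
    acls = defaultdict(list)      # "101" -> ["deny", "permit", ...] in list order
    groups = defaultdict(list)    # "Serial0" -> [("102", "in"), ...]
    current_if = None
    for line in text.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\b", line)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current_if = m.group(1)
            continue
        m = re.match(r"\s+ip access-group (\S+) (in|out)\b", line)
        if m and current_if:
            groups[current_if].append((m.group(1), m.group(2)))
    return acls, groups

def check_acls(text):
    """Return the guideline violations found in a configuration, as strings."""
    acls, groups = parse_config(text)
    findings = []
    for number, actions in acls.items():
        if "permit" not in actions:   # guideline 4: the implicit deny makes this list drop everything
            findings.append(f"access-list {number} has no permit entry; the implicit deny blocks all traffic")
    for intf, applied in groups.items():
        per_direction = defaultdict(int)
        for number, direction in applied:
            per_direction[direction] += 1
            if number not in acls:    # guideline 6: create the list before applying it
                findings.append(f"{intf}: access-group {number} {direction} refers to an undefined list")
        for direction, count in per_direction.items():
            if count > 1:             # guideline 2: one list per protocol, per direction, per interface
                findings.append(f"{intf}: {count} access lists applied {direction}; only one is allowed")
    return findings
```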

Cisco IOS Command Line Interface Shortcuts …!!!!

1. Cursor movement shortcuts:

Ctrl+A: Move the cursor to the beginning of the line (mnemonic: Alpha, first letter = beginning)
Ctrl+E: Move the cursor to the end of the line (mnemonic: E for End)
Ctrl+F: Move the cursor forward one character (mnemonic: F for Forward)
Ctrl+B: Move the cursor backward one character (mnemonic: B for Backward)
Esc+F: Move forward one word (always forget the escape version)
Esc+B: Move backward one word (ditto)
Ctrl+P: Previous command, also the up arrow (mnemonic: P for Previous)
Ctrl+N: Next command, also the down arrow (mnemonic: N for Next)

2. Editing shortcuts:

Ctrl+W: Delete the word to the left of the cursor (mnemonic: W for Word)
Ctrl+U: Delete the whole line
Ctrl+T: Swap (transpose) the current character with the one before it (mnemonic: T for Transpose)
Ctrl+K: Erase characters from the cursor to the end of the line
Ctrl+X: Erase characters from the cursor to the beginning of the line
Esc+D: Delete from the cursor to the end of the word
Delete: Remove the character to the right of the cursor
Backspace: Remove the character to the left of the cursor
Up arrow: Scroll forward through previous commands
Down arrow: Scroll backwards through previous commands

3. Functional shortcuts:

Ctrl+L: Reprint the line (mnemonic: L for Line)
Ctrl+R: Refresh: starts a new line with the same command shown, useful if the system sends a message to the screen while a command is being entered and you are not using line synchronisation (mnemonic: R for Repeat)
Tab: Command autocomplete
Ctrl+C: Exit from config mode
Ctrl+Z: Apply the command line and exit from config mode, i.e. return to privileged EXEC mode
Ctrl+Shift+6, then X: the escape sequence (Ctrl+Shift+6 is one action, the X is the second); it interrupts a running command such as ping or traceroute, or suspends the current Telnet session

4. Less common shortcuts:

Esc, C: Make the letter at the cursor uppercase (mnemonic: C for Capital)
Esc, L: Change the word at the cursor to lowercase (mnemonic: L for Lower)
Esc, U: Make the letters from the cursor to the end of the word uppercase (mnemonic: U for Uppercase)

5. Using the delete buffer:

The buffer stores the last ten items that have been deleted using Ctrl+K, Ctrl+U or Ctrl+X.
Ctrl+Y: Paste the most recent entry in the delete buffer (mnemonic: Y for "Yank", as in yank from the buffer)
Esc+Y: Paste the previous entry in the delete buffer (same mnemonic)

Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers …!!!


Site to Site IPSec VPN Tunnel :

Site-to-site IPSec VPN tunnels are used to allow the secure transmission of data, voice and video between two sites (e.g. offices or branches). The VPN tunnel is created over the public Internet and encrypted using a number of advanced encryption algorithms to provide confidentiality of the data transmitted between the two sites.
This article will show how to set up and configure two Cisco routers to create a permanent secure site-to-site VPN tunnel over the Internet, using the IPSec protocol.
ISAKMP (Internet Security Association and Key Management Protocol) and IPSec are essential to building and encrypting the VPN tunnel. ISAKMP, also called IKE (Internet Key Exchange), is the negotiation protocol that allows two hosts to agree on how to build an IPsec security association. ISAKMP negotiation consists of two phases:
1. Phase 1: creates the first tunnel, which protects later ISAKMP negotiation messages.
2. Phase 2: creates the tunnel that protects data. IPSec then comes into play to encrypt the data using encryption algorithms and provides authentication, encryption and anti-replay services.
IPSec VPN Requirements:
To help make this an easy-to-follow exercise, we have split it into the two steps that are required to get the site-to-site IPSec VPN tunnel to work.
These steps are:
(1) Configure ISAKMP (ISAKMP Phase 1)
(2) Configure IPSec (ISAKMP Phase 2, ACLs, crypto map)
Our example setup is between two branches of a small company, Site 1 and Site 2. Both branch routers connect to the Internet and have a static IP address assigned by their ISP, as shown on the diagram.
Site 1 is configured with an internal network of 10.10.10.0/24, while Site 2 is configured with network 20.20.20.0/24. The goal is to securely connect both LAN networks and allow full communication between them, without any restrictions.
Configure ISAKMP (IKE) (ISAKMP Phase 1):
To begin, we'll start working on the Site 1 router (R1).
The first step is to configure an ISAKMP Phase 1 policy:
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# encr 3des
R1(config-isakmp)# hash md5
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2
R1(config-isakmp)# lifetime 86400
The above commands define the following (in listed order):
3DES - the encryption method to be used for Phase 1.
MD5 - the hashing algorithm.
Pre-share - use a pre-shared key as the authentication method.
Group 2 - the Diffie-Hellman group to be used.
86400 - session key lifetime. Expressed in either kilobytes (after x amount of traffic, change the key) or seconds. The value set is the default value.
Next we are going to define a pre-shared key for authentication with our peer (the R2 router) by using the following command:
R1(config)# crypto isakmp key firewallcx address 1.1.1.2
The peer's pre-shared key is set to firewallcx and its public IP address is 1.1.1.2. Every time R1 tries to establish a VPN tunnel with R2 (1.1.1.2), this pre-shared key will be used.
Configure IPSec:
To configure IPSec we need to set up the following, in order:
Create an extended ACL
Create the IPSec transform set
Create the crypto map
Apply the crypto map to the public interface
Creating the Extended ACL:
The next step is to create an access list that defines the traffic we would like the router to pass through the VPN tunnel. In this example, it is the traffic from one network to the other, 10.10.10.0/24 to 20.20.20.0/24. Access lists that define VPN traffic are sometimes called crypto access lists or interesting-traffic access lists.
R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Create the IPSec Transform Set (ISAKMP Phase 2 policy):
The next step is to create the transform set used to protect our data. We've named it TS:
R1(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
The above command defines the following:
ESP-3DES - the encryption method.
ESP-MD5-HMAC - the hashing algorithm.
Create the Crypto Map:
The crypto map is the last step of our setup and ties the previously defined ISAKMP and IPSec configuration together.
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# set peer 1.1.1.2
R1(config-crypto-map)# set transform-set TS
R1(config-crypto-map)# match address VPN-TRAFFIC
Apply the Crypto Map to the Public Interface:
The final step is to apply the crypto map to the outgoing interface of the router. Here, the outgoing interface is FastEthernet 0/1.
R1(config)# interface FastEthernet0/1
R1(config-if)# crypto map CMAP
Note: you can assign only one crypto map to an interface.
We now move to the Site 2 router to complete the VPN configuration. The settings for Router 2 are identical, the only difference being the peer IP addresses and the access list:
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# encr 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 86400
R2(config)# crypto isakmp key firewallcx address 1.1.1.1
R2(config)# ip access-list extended VPN-TRAFFIC
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config)# crypto ipsec transform-set TS esp-3des esp-md5-hmac
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TS
R2(config-crypto-map)# match address VPN-TRAFFIC
R2(config)# interface FastEthernet0/1
R2(config-if)# crypto map CMAP
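Both halves of the tunnel must agree exactly (peer address, pre-shared key, mirrored crypto ACL, identical phase parameters), and a mismatch on any of them is the usual reason a tunnel never comes up; so it is worth generating the two sides from one description of each site and cross-checking them. The following Python script is an added example, not code from the article or from Cisco: it reproduces the article's values (sites, key, and the names VPN-TRAFFIC, TS and CMAP), while the Site class and check_pair function are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Site:
    name: str                        # router hostname
    public_ip: str                   # static address assigned by the ISP
    lan: str                         # LAN in "network wildcard" form for the crypto ACL
    wan_if: str = "FastEthernet0/1"  # interface that carries the crypto map

def render_config(local: Site, peer: Site, psk: str) -> list[str]:
    """IOS lines for one side of the tunnel, in the article's order and with its parameters."""
    return [
        "crypto isakmp policy 1",
        " encr 3des", " hash md5", " authentication pre-share", " group 2", " lifetime 86400",
        f"crypto isakmp key {psk} address {peer.public_ip}",
        "ip access-list extended VPN-TRAFFIC",
        f" permit ip {local.lan} {peer.lan}",
        "crypto ipsec transform-set TS esp-3des esp-md5-hmac",
        "crypto map CMAP 10 ipsec-isakmp",
        f" set peer {peer.public_ip}", " set transform-set TS", " match address VPN-TRAFFIC",
        f"interface {local.wan_if}", " crypto map CMAP",
    ]

def _grab(cfg: list[str], pattern: str) -> tuple:
    """Groups of the first line matching pattern, or () if no line matches."""
    for line in cfg:
        m = re.match(pattern, line.strip())
        if m:
            return m.groups()
    return ()

def check_pair(a: Site, b: Site, cfg_a: list[str], cfg_b: list[str]) -> list[str]:
    """Mismatches between the two halves that would stop the tunnel from coming up."""
    problems = []
    key_a = _grab(cfg_a, r"crypto isakmp key (\S+) address (\S+)")
    key_b = _grab(cfg_b, r"crypto isakmp key (\S+) address (\S+)")
    if key_a[:1] != key_b[:1]:
        problems.append("pre-shared keys differ")
    if key_a[1:] != (b.public_ip,) or key_b[1:] != (a.public_ip,):
        problems.append("isakmp key is not bound to the peer's public address")
    if _grab(cfg_a, r"set peer (\S+)") != key_a[1:]:
        problems.append("crypto map peer differs from the isakmp key address")
    acl_a = _grab(cfg_a, r"permit ip (\S+ \S+) (\S+ \S+)")
    acl_b = _grab(cfg_b, r"permit ip (\S+ \S+) (\S+ \S+)")
    if acl_a[::-1] != acl_b:                     # R2's ACL must be R1's with source and destination swapped
        problems.append("crypto ACLs are not mirror images of each other")
    for pat in (r"(encr .*)", r"(hash .*)", r"(group .*)", r"(crypto ipsec transform-set .*)"):
        if _grab(cfg_a, pat) != _grab(cfg_b, pat):
            problems.append(f"phase parameter differs between peers: {pat}")
    return problems

# The article's two sites and pre-shared key.
SITE1 = Site("R1", "1.1.1.1", "10.10.10.0 0.0.0.255")
SITE2 = Site("R2", "1.1.1.2", "20.20.20.0 0.0.0.255")
R1_CONFIG = render_config(SITE1, SITE2, "firewallcx")
R2_CONFIG = render_config(SITE2, SITE1, "firewallcx")
```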

Important Idea of Cisco Router Startup Procedure …!!!

Cisco Router Startup Procedure
1. POST (hardware tests)
2. Load and run the bootstrap code, which drives the subsequent steps
3. Find the IOS software
4. Load the IOS software
5. Find the configuration; the default location is NVRAM or a TFTP server
6. Load the configuration
7. Run
In-band management is the process of using your network to manage a device (e.g. from the local subnet). Out-of-band management would be a modem dialing into a router's auxiliary interface. The AUX port must be configured via the console port before it will function. A router contains five virtual terminal lines (VTY lines 0-4) to accept incoming Telnet sessions for in-band management. A Telnet session can also arrive on any interface. Every Cisco router has a console port that can be directly connected to a PC or terminal so that you can type commands at the keyboard and receive output on a terminal screen through a communications program, such as HyperTerminal. To set up out-of-band management with a connection between your terminal and the Cisco console port, do the following:
1. Cable the device using a rollover cable. You may need an RJ-45 to DB-9 or an RJ-45 to DB-25 adapter for your PC or terminal.
2. Configure terminal emulation with the following COM port settings: 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control.
There are two configuration files on a Cisco router: one that is active and volatile (in RAM), and one that the router uses to get its configuration parameters during startup (stored in NVRAM).
A multi-protocol router maintains a separate routing table for each routed protocol.
If a router does not know how to forward a packet, it drops the packet. If it does know how to forward it, it changes the destination physical address to that of the next hop and transmits the packet. As the packet moves along the internetwork, its physical address changes but its protocol address remains constant. Routers each make independent routing decisions based on the local routing table. This is a hop-by-hop process, one step at a time.
Syslog messages are event messages that are displayed while the user is at the command line.
Cisco routers have the ability to copy their configuration to and from a TFTP (Trivial File Transfer Protocol) server. This is normally used in a WAN for remote router configuration. Cisco IOS does not support FTP. TFTP is UDP-based.
Cisco routers need at least four passwords set for minimal security: an enable password (the primary router password), a console password, an auxiliary line password, and a VTY password (for incoming Telnet sessions).
Every Cisco router has a 16-bit configuration register, stored in a special memory location in NVRAM, which allows the following functions: force the bootstrap program, select the boot source, enable or disable the console break function, set the terminal baud rate, load the OS from ROM, and enable booting from TFTP.
Cisco routers can set the boot sequence with the BOOT command (e.g. BOOT SYSTEM FLASH; BOOT SYSTEM ROM, which has fewer features than the full IOS in flash; BOOT SYSTEM TFTP xxx.xxx.xxx.xxx). There may be as many BOOT SYSTEM TFTP commands as you like, for redundancy. Be careful of the order used to boot the router!
"Router" is the default hostname for all Cisco routers; the character following the hostname tells you what mode you are in. The part of Cisco IOS that provides the user interface and interprets the commands you type is called the command executive, or EXEC.
MD5 (Message Digest 5) is a one-way cryptographic hash algorithm used for hashing data, particularly passwords.
Enabling IPX routing automatically enables IPX RIP, and enabling AppleTalk routing automatically enables RTMP. IP routing must be configured manually.

Idea of Most important Cisco Router Environment ..!!


Cisco Router Environment

Dear viewers,
Today we discuss some important Cisco router modes and router elements. This information is very important in our professional sector, because we need it to maintain Cisco routers properly. So, let's build our knowledge.

Router>

EXEC (user) mode; the LOWEST level of access. It allows examination of the router's status and of its configurable components, viewing routing tables, and non-destructive troubleshooting. However, you cannot change the configuration, view the configuration files, or control the router in any way.

Router#

Privileged (enable) EXEC mode; FULL router access. This mode allows you to have all the privileges of EXEC (user) mode plus commands that enable you to change the configuration, perform testing that could potentially disrupt traffic, reboot, and view configuration files.
From here you may enter global configuration mode (command: ‘CONFIGURE TERMINAL’ to enter and ‘EXIT’ or ‘CTRL-Z’ to exit). The prompt will become Router(config)#. This allows you to perform tasks that affect the entire router, such as naming the router, configuring banner messages, enabling routed protocols, and generally anything that affects the operation of the entire router. Setup mode is different from configuration mode in that setup mode appears when there is no configuration file present. Upon entering setup mode, Cisco IOS will ask for basic configuration parameters.

Router Elements:

RAM (Random Access Memory); stores the running configuration, routing tables, and packet buffers. Some routers, such as the 2500 series, run IOS from flash, not RAM.
Flash memory; stores the compressed OS (IOS) image. Flash memory is either EEPROM or a PCMCIA card.
NVRAM (Non-Volatile RAM); memory that does not lose its contents when power is lost. It stores the system's startup configuration file and the configuration register. NVRAM uses a battery to maintain the data when power is off.
ROM (Read Only Memory); memory containing micro-code for the basic functions that start and maintain the router. ROM is not typically used after the IOS is loaded. RXBOOT is located here.
Configuration register; a 16-bit register used to control how the router boots up, where the IOS image is, how to deal with the NVRAM configuration, the console baud rate, and whether the break function is enabled. Changing bit 6 from 0 to 1 will bypass the NVRAM settings and allow access to the router in the event a password is lost.
The lowest four bits in the configuration register control the startup sequence. If a router does not find a valid configuration file when booting, it will enter a setup dialog with the prompt “Would you like to enter the initial configuration dialog?” This allows you to give your router a minimal configuration (hostname, passwords, protocols, etc.). When finished, the router writes the configuration to NVRAM and RAM.
Interfaces; the physical connections to the external world. These often include Ethernet, ATM, Token Ring, FDDI, console, and auxiliary ports. For the console interface, a communications package (such as HyperTerminal) may be used. A console cable will be needed (DB-9 serial to RJ-45). Set the COM port settings to 9600 bps, 8 data bits, NO parity, 1 stop bit, and NO flow control.
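The configuration register described here and in the startup post above is easier to reason about when its value is decoded into the fields the text names; the following Python decoder is an added example, not code from the original post. It assumes the standard IOS bit assignments (boot field in bits 0-3, bit 6 to ignore the NVRAM configuration, bit 8 for the console break, bit 13 for the ROM fallback, bits 5, 11 and 12 for the console speed) and uses the usual values 0x2102 (factory default) and 0x2142 (bit 6 set, as in password recovery).

```python
# Standard IOS bit assignments (assumed from Cisco documentation, not from the post).
BOOT_FIELD = {   # lowest four bits: the startup sequence
    0x0: "stay in the ROM monitor (rommon)",
    0x1: "boot the ROM-based image (RXBOOT boot helper)",
}
BAUD_RATES = {   # bits 12, 11 and 5 -> console speed
    0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400,
    0x0020: 19200, 0x0820: 38400, 0x1020: 57600, 0x1820: 115200,
}

def decode_config_register(value: int) -> dict:
    """Split a 16-bit configuration register into the fields the text describes."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is 16 bits wide")
    boot_field = value & 0x000F
    return {
        "boot_field": boot_field,
        "boot": BOOT_FIELD.get(boot_field, "use 'boot system' commands, else the first image in flash"),
        "ignore_nvram_config": bool(value & 0x0040),        # bit 6: the password-recovery bit
        "console_break_disabled": bool(value & 0x0100),     # bit 8
        "boot_rom_if_netboot_fails": bool(value & 0x2000),  # bit 13
        "console_baud": BAUD_RATES.get(value & 0x1820),     # bits 12, 11, 5
    }

def set_ignore_nvram(value: int, ignore: bool) -> int:
    """Return the register with bit 6 set or cleared (0x2102 <-> 0x2142)."""
    return (value | 0x0040) if ignore else (value & 0xFFBF)

def describe(value: int) -> str:
    """One-line summary of a register value, e.g. for 0x2102 or 0x2142."""
    f = decode_config_register(value)
    return (f"config-register 0x{value:04X}: boot field {f['boot_field']:#x} ({f['boot']}); "
            f"ignore NVRAM={f['ignore_nvram_config']}; break disabled={f['console_break_disabled']}; "
            f"console {f['console_baud']} baud")
```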

Idea of Cisco IOS command-line interface-(Part-1)

The CLI (Cisco IOS command-line interface) can be accessed via a console connection, a modem connection, or a Telnet session. These shortcuts have reportedly been on the test; learn them.

Shortcuts for Enhanced Editing:

CTRL-P; rewinds the history buffer
CTRL-N; forwards the history buffer
CTRL-B; moves the cursor back one character
CTRL-F; moves the cursor forward one character
CTRL-A; moves the cursor to the beginning of the line
CTRL-E; moves the cursor to the end of the line
ESC-B; moves to the beginning of the previous word
ESC-F; moves to the beginning of the next word
CTRL-R; creates a new command prompt followed by all the characters typed at the last one. This is useful after a syslog message has interrupted your input.
ENABLE/DISABLE; enters or leaves privileged EXEC mode.
ENABLE PASSWORD; a global command that restricts access to privileged EXEC mode. This password is not encrypted.
ENABLE SECRET; assigns an encrypted form of the ENABLE PASSWORD. When it exists, the secret is used instead of the enable password.
CONFIG-REGISTER <register in hex>; global command to write a new configuration register. After changing it, you must reboot for the change to take effect.
BANDWIDTH; a global command that is used to compute routing metrics and the load of the link. This command has no actual effect on the speed of the link.
SERVICE PASSWORD-ENCRYPTION; a global command that encrypts the passwords in the configuration file so they are not seen in clear text.
LOGGING <host>; sends syslog messages to a syslog capture server.
LOGGING SYNCHRONOUS; prevents console messages from interrupting your EXEC input.
(To be continued)
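The four passwords the startup post calls for, together with the ENABLE SECRET and SERVICE PASSWORD-ENCRYPTION commands above, can be checked in a saved configuration before a router goes into service. The following Python audit is an added example, not code from the original post; both configurations it inspects are constructed, and the type 5 hash and type 7 strings in the hardened one are placeholders.

```python
import re

# Constructed configurations for the audit below: the first has the faults the text
# warns about, the second is the same router hardened (hash and type 7 values are placeholders).
WEAK_CONFIG = """\
enable password cisco123
line con 0
 password console1
 login
line aux 0
line vty 0 4
 password telnet1
 login
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 <PLACEHOLDER-MD5-HASH>
line con 0
 password 7 <PLACEHOLDER>
 login
line aux 0
 password 7 <PLACEHOLDER>
 login
line vty 0 4
 password 7 <PLACEHOLDER>
 login
"""

def parse_lines(text):
    """Map each 'line ...' section (con 0, aux 0, vty 0 4) to its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None
    return sections

def audit_passwords(text):
    """Return the password-related findings for one configuration, as strings."""
    findings = []
    if not re.search(r"^enable secret ", text, re.M):
        if re.search(r"^enable password ", text, re.M):
            findings.append("enable password is set without enable secret; it is stored in clear text or as a reversible type 7 string")
        else:
            findings.append("no enable password or enable secret configured")
    if not re.search(r"^service password-encryption", text, re.M):
        findings.append("service password-encryption is off: line passwords appear in clear text in the configuration")
    sections = parse_lines(text)
    for name in ("con 0", "aux 0", "vty 0 4"):   # the console, auxiliary and VTY passwords the text requires
        cmds = sections.get(name, [])
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: no password set")
        if "login" not in cmds:
            findings.append(f"line {name}: login not required, so the password is never asked for")
    return findings
```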