router - pt 5

Authentication, authorization and accounting (AAA). The main elements of security are AAA. These allow for enhanced security over who is allowed to log into a network and what they are allowed to do, and log the things that they have done. Typically this security is applied at the edge of a network, using a network access server (NAS). This server contains a database of users and their associated passwords, and any other configuration. On routers there are three main security protocols: TACACS+, RADIUS and Kerberos. On a router, AAA is enabled with:

1. Go into privileged mode by typing enable.

2. Enter global configuration mode by typing config t.

3. Then:

(config)# aaa new-model

4. For TACACS+, the IP address of the TACACS+ server is specified with:

(config)# tacacs-server host 192.168.0.10

5. Next the encryption key is specified with:

(config)# tacacs-server key mypass

6. For RADIUS, the IP address of the RADIUS server is specified with:

(config)# radius-server host 192.168.0.10

7. Next the encryption key is specified with:

(config)# radius-server key mypass

8. Go back to user executive mode with the command exit.

9. Show the main system configuration with show running-config.

OSPF and EIGRP. EIGRP is an enhanced version of IGRP, and OSPF is typically used to determine routes on exterior routes. To set them up:

1. Go into privileged mode by typing enable.

2. Enter global configuration mode by typing config t.

3. Then:

(config)# router eigrp 100
(config-router)# network 10.1.1.0
(config-router)# network 192.10.20.0
(config-router)# exit

4. Or, for OSPF:

(config)# router ospf 100
(config-router)# network 10.1.1.0
(config-router)# network 192.10.20.0
(config-router)# exit

5. Go back to user executive mode with the command exit.

6. Show the main system configuration with show running-config.

Other commands implemented:

# help

# show ip aliases - to enable the usage of the .0 subnet (use no ip subnet-zero to disable it).
# show ip idrp - to display details of IDRP (ICMP Discovery Routing Protocol).
# show ip netmasks - to display details of netmasks used on a given subnet address.
# show ip nat statistics - to display details of NAT (Network Address Translation).
# show ip nat translations - to display details of NAT translations.
# show ip nat translations verbose - to display details of port translations in NAT.
# show ip snat - to display active SNAT (Stateful Network Address Translation) translations.
# clear counters - clear counters on interfaces.
# show ip nhrp - to display NHRP details.
# show ip nhrp traffic - to display NHRP traffic.
# show ip rip database - to display the RIP database.
# show ip route summary - show summary details of a route.
# show ip route - show details of a route.

# show flash: chips - show details of Flash devices.
# show flash: filesys - show details of the file system on the Flash devices.
# show flash: all - show all the details of the Flash.
# show flash: detailed - show detailed information of the Flash.
# show memory scan - show if there are any memory errors.
# show ip http server all - show HTTP server details.
# show ip http server status - show HTTP server status.
# ping ipx 1111.2222.3333.4444 - ping an IPX address.

(config)# ip http max-connections 5 - set the maximum connections to 5 for the HTTP server.
(config)# ip default-gateway w.x.y.z - sets the default gateway when routing is disabled.
(config)# ip classless - defines classless IP addresses.
(config)# ip directed-broadcast - enable the translation of directed broadcasts to physical broadcasts.
(config)# ip domain-list - define a list of default domain names for unqualified host names.
(config)# ip domain-lookup - enable the DNS lookup service.
(config)# ip forward-protocol - specify the ports for which broadcasts are forwarded.
(config)# ip netmask-format bitcount - display netmasks in bit-count format (such as 192.168.0.10/24).
(config)# ip netmask-format decimal - display netmasks in decimal format (such as 255.255.255.0).
(config)# ip netmask-format hexadecimal - display netmasks in hexadecimal format (such as 0xFFFFFF00).
(config)# no ip routing - disable routing (use ip routing to enable it).
(config)# ip subnet-zero - to enable the usage of the .0 subnet (use no ip subnet-zero to disable it).
(config)# router odr - enable ODR (On-Demand Routing) (use no router odr to disable it).
(config)# cdp run - enable CDP on the router.
(config)# no cdp run - disable CDP on the router (recommended for security purposes).

(config-if)# carrier-delay 5 - defines the carrier delay on a serial port (in this case 5 seconds).
(config-if)# cut-through - defines cut-through switching on an Ethernet port (cut-through forwards the data frame before it has been fully received on the incoming port).
(config-if)# duplex full - defines full duplex on an Ethernet port.
(config-if)# duplex half - defines half duplex on an Ethernet port.
(config-if)# duplex auto - defines auto duplex on an Ethernet port.
(config-if)# speed 10 - defines a 10Mbps rate on an Ethernet port.
(config-if)# speed 100 - defines a 100Mbps rate on an Ethernet port.
(config-if)# ip split-horizon - enables split horizon on the interface.
(config-if)# ip nhrp - enables NHRP (Next Hop Resolution Protocol).
(config-if)# ip proxy-arp - enables proxy Address Resolution Protocol on an interface.
(config-if)# cdp enable - enable CDP on an interface.
(config-if)# no cdp enable - disable CDP on an interface.

(config-router)# default-metric 1544 2000 255 1 1500 - set up default metrics.
(config-router)# redistribute ospf 10 metric 3 - redistribute routes.
(config-router)# distribute-list 2 in - apply a distribution list on an interface.
(config-router)# neighbor w.x.y.z - defines the neighbouring router (w.x.y.z) to which routing information is sent.
(config-router)# version 2 - defines RIP Version 2 (Version 1 can also be used).
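The AAA steps above pair every TACACS+ or RADIUS server host with a key, and the command list recommends no cdp run. The following script, added here as an example and not part of the original page or its router emulator, parses a constructed show running-config fragment (hostnames, addresses and interface names are made up) and reports the cases where those settings are missing. It also flags an ip access-group that names an access-list with no entries, because IOS lets all traffic through such an interface, which is the failure mode a reviewer most wants caught when ACLs are added by hand.

```python
from typing import Dict, List, Tuple

# Constructed running-config fragment in the style of 'show running-config'
# (interface sub-commands are indented by one space, as IOS prints them).
SAMPLE_CONFIG = """\
!
hostname edge-router
aaa new-model
tacacs-server host 192.168.0.10
radius-server host 192.168.0.11
radius-server key mypass
!
interface Ethernet0
 ip address 192.5.5.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 no cdp enable
!
access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
access-list 100 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
access-list 100 permit ip any any
!
end
"""

# The same fragment with the TACACS+ key set and CDP disabled globally.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "tacacs-server host 192.168.0.10\n",
    "tacacs-server host 192.168.0.10\ntacacs-server key mypass\nno cdp run\n",
)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface sub-command lists."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return human-readable findings for the settings discussed on this page."""
    g, ifaces = parse_config(text)
    findings: List[str] = []

    if "aaa new-model" not in g:
        findings.append("global: 'aaa new-model' is missing, so AAA is not enabled")

    # Every server host should have the matching shared key configured.
    for proto in ("tacacs", "radius"):
        hosts = [l.split()[2] for l in g if l.startswith(f"{proto}-server host ")]
        has_key = any(l.startswith(f"{proto}-server key ") for l in g)
        if hosts and not has_key:
            findings.append(f"global: {proto}-server host {', '.join(hosts)} has no '{proto}-server key'")

    # CDP runs by default and only appears in the config as 'no cdp run' once disabled.
    cdp_global = "no cdp run" not in g
    if cdp_global:
        findings.append("global: CDP is running; use 'no cdp run'")

    acl_numbers = {l.split()[1] for l in g if l.startswith("access-list ")}
    for name, cmds in ifaces.items():
        if cdp_global and "no cdp enable" not in cmds:
            findings.append(f"{name}: CDP is enabled on this interface")
        for cmd in cmds:
            if cmd.startswith("ip access-group "):
                acl = cmd.split()[2]
                if acl not in acl_numbers:
                    # IOS treats an access-group whose ACL has no entries as permit-all.
                    findings.append(
                        f"{name}: '{cmd}' names access-list {acl}, which has no entries (all traffic passes)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

On the sample fragment the script reports three findings (the TACACS+ host without a key, CDP running globally, and CDP still enabled on Ethernet0); the hardened variant reports none. Feed it the text of show running-config from a real device to run the same checks.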



Additional:

ACLs can also be extended ACLs; for example, to block Napster traffic destined for port 8888:

(config)# access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 100 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# interface e0
(config-if)# ip access-group 100 in

or Kazaa (on port 1214):

(config)# access-list 101 deny tcp 192.5.5.0 0.0.0.255 any eq 1214 log
(config)# access-list 101 deny udp 192.5.5.0 0.0.0.255 any eq 1214 log
(config)# interface e0
(config-if)# ip access-group 101 in

Gnutella can be blocked on ports 6346 and 6347, and ICQ on port 5190.
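To show how the extended ACL lines above are actually evaluated, here is a small matcher added as an example (it is not part of the original page or the emulator). It parses numbered extended ACL lines, applies the Cisco wildcard-mask rule (a 1 bit in the mask means "don't care"), takes the first matching entry, and applies the implicit deny that ends every ACL. The packets and the 203.0.113.9 destination are constructed, and ACL 110 is an assumed variant of ACL 100 with an explicit final permit. The point it makes is that ACL 100 as written contains only deny entries, so once applied with ip access-group 100 in it also drops the ordinary web traffic from 192.5.5.0/24 through the implicit deny; the permit ip any any at the end of ACL 110 is what limits the block to port 8888. Source-port operators are not handled by this parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src_net: int
    src_wild: int          # wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # destination port from "eq N", None when absent
    log: bool


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse one line such as 'access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    log = i < len(t) and t[i] == "log"
    return number, AclEntry(action, proto, src, src_wild, dst, dst_wild, dport, log)


def parse_acl(text: str) -> Dict[int, List[AclEntry]]:
    """Collect access-list lines from a config fragment, keyed by ACL number, in order."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(config)# "):       # tolerate pasted CLI prompts
            line = line[len("(config)# "):]
        if line.startswith("access-list "):
            number, entry = parse_acl_line(line)
            acls.setdefault(number, []).append(entry)
    return acls


def _addr_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must be equal.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[AclEntry], pkt: dict) -> Tuple[str, Optional[AclEntry]]:
    """First matching entry wins; with no match the implicit 'deny any any' applies."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if not _addr_match(_ip(pkt["src"]), e.src_net, e.src_wild):
            continue
        if not _addr_match(_ip(pkt["dst"]), e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != pkt.get("dport"):
            continue
        return e.action, e
    return "deny", None


# Constructed sample: the page's ACL 100, plus an assumed ACL 110 that ends with an explicit permit.
ACL_TEXT = """\
(config)# access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 100 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 110 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 110 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 110 permit ip any any
"""
ACLS = parse_acl(ACL_TEXT)

# Constructed packets: one Napster connection and one ordinary web request from the same host.
NAPSTER = {"proto": "tcp", "src": "192.5.5.7", "dst": "203.0.113.9", "dport": 8888}
WEB = {"proto": "tcp", "src": "192.5.5.7", "dst": "203.0.113.9", "dport": 80}

if __name__ == "__main__":
    for name, pkt in (("napster", NAPSTER), ("web", WEB)):
        print(f"{name}: ACL 100 -> {evaluate(ACLS[100], pkt)[0]}, ACL 110 -> {evaluate(ACLS[110], pkt)[0]}")
```

The matched entry is returned alongside the verdict so a caller can see whether the log keyword applied; the implicit deny returns None, which is also why it never produces a log entry on the router.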

Note. If you want to see the completed configuration, type the command complete at any point; the configuration is then set to the one defined in the previous sections.
