
Configuration Guide

Cisco 2600 Router

Mikrotik RouterBOARD 951G-2HnD

Cisco Catalyst 2950 series switch

August, 2013


Table of Contents

I. Configuration of the devices
   i. Resetting the Cisco 2600 Router
   ii. Configuring the Cisco 2600 router
   iii. Configuring static route and NAT for Cisco 2600 router
   iv. Configuring Cisco 2600 Router for DHCP
   v. Configuration of Mikrotik RouterBOARD 951G-2HnD
   vi. Configuring Mikrotik Router for blocking certain sites
   vii. Blocking Torrent sites using Mikrotik Router
   viii. Resetting Mikrotik RouterBOARD 951G-2HnD
   ix. Configuring Cisco Catalyst 2950 series switch
   x. Adding Security to Cisco Catalyst 2950 series switch
II. Configuration Log for the devices
   Cisco 2600 Router Configuration
   Cisco Catalyst 2950 switch configuration
III. Applications Used
REFERENCES


I. Configuration of the devices

i. Resetting the Cisco 2600 Router

Requirements:

Console cable (we used a Prolific USB-to-serial converter cable)

A terminal emulator such as Tera Term or PuTTY

Procedure:

1. Connect the console port of the Cisco 2600 router to the PC with the console cable (or the USB-to-serial cable).

2. Open Tera Term.

3. Open a serial connection on the COM port the cable appears as.

4. Power on the Cisco 2600 router.

5. The router starts booting and prints "Self decompressing the image ....".

6. Send a Break signal while the image is still decompressing; this interrupts the normal boot and drops the router into the ROM monitor (rommon). In Tera Term the Break is sent from the menu Control >> Send Break. The resulting session is shown under step 7.


7. Resetting the router works by changing the boot sequence through the configuration register. The default value is 0x2102 (binary 0010 0001 0000 0010). For the reset it is changed to 0x2142 (binary 0010 0001 0100 0010), which differs only in bit 6 (0x0040): with that bit set the router ignores the NVRAM contents, i.e. it boots without loading the startup configuration. Since the saved passwords live in that configuration, the router comes up with no password at all and we can set our own. This is the standard Cisco password-recovery procedure and needs nothing more than physical access to the console port, which is why console ports must be physically protected (Cisco also offers no service password-recovery on the platforms that support it, at the cost of making a lost password unrecoverable without wiping the device). The session after the Break looks as follows (the captured banner is from a Cisco 1841; the ROM monitor procedure is the same on the 2600):

Self decompressing the image :

#############

monitor: command "boot" aborted due to user interrupt

rommon 1 >

rommon 1 > confreg 0x2142

rommon 2 > reset

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.

Self decompressing the image :

##########################################################################

[OK]

The router boots with an empty configuration and finally asks whether to enter the initial configuration dialog. Answer "no". At this point the old startup configuration is still in NVRAM but has not been loaded: if the goal were only to recover the password while keeping the rest of the configuration, one would run copy startup-config running-config first and then bring the interfaces back up with no shutdown. Here the router is being reset, so the old configuration is simply left behind and the new passwords are set as follows:

--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>en

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#enable secret cisco


Router(config)#line con 0

Router(config-line)#password cisco

Router(config-line)#login

Router(config-line)#exit

The configuration register must now be set back to the default so that the router loads its startup configuration on the next reload:

Router(config)#config-register 0x2102

Now the running configuration is saved as the startup configuration (this overwrites the old startup-config in NVRAM):

Router(config)#exit

Router#copy run start

Destination filename [startup-config]?

Building configuration...

[OK]

The router has now been reset: it will reload with the default register value, the new enable secret and the new console password. Verify with show version, whose last line should read "Configuration register is 0x2102"; a value of 0x2142 left behind means the router will again ignore its saved configuration on the next reload.
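The register arithmetic above, as an added example that is not part of the original guide: a small Python helper that decodes the configuration-register fields relevant to this procedure, shows that changing 0x2102 to 0x2142 flips only bit 6, and audits the register reported by show version so that a router left in 0x2142 is caught. The bit meanings follow Cisco's documented 16-bit register layout; the function names and the sample show version line are this example's own.

```python
"""Decode a Cisco IOS configuration register and check it after a recovery.

Added example, not from the original guide. Bit layout per Cisco's documented
16-bit configuration register; helper names are our own.
"""
import re

# Register fields used by the password-recovery procedure.
BOOT_FIELD_MASK = 0x000F      # bits 0-3: 0x0 = stay in ROMMON, 0x1 = first image
                              # in flash, 0x2-0xF = normal boot from startup-config
IGNORE_NVRAM = 0x0040         # bit 6: boot without loading the startup configuration
BREAK_DISABLED = 0x0100       # bit 8: Break key ignored once IOS is up (it is still
                              # honoured during the first seconds of boot)
BOOT_ROM_ON_NETFAIL = 0x2000  # bit 13: fall back to ROM software if netboot fails

DEFAULT_REGISTER = 0x2102
RECOVERY_REGISTER = 0x2142


def decode(reg: int) -> dict:
    """Return the fields a reviewer cares about as a dict."""
    return {
        "boot_field": reg & BOOT_FIELD_MASK,
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "boot_rom_on_netfail": bool(reg & BOOT_ROM_ON_NETFAIL),
    }


def set_ignore_nvram(reg: int) -> int:
    """What `confreg 0x2142` does to a register of 0x2102: set bit 6, nothing else."""
    return reg | IGNORE_NVRAM


def clear_ignore_nvram(reg: int) -> int:
    """What `config-register 0x2102` restores: clear bit 6, keep everything else."""
    return reg & ~IGNORE_NVRAM & 0xFFFF


def changed_bits(a: int, b: int) -> set:
    """Bit positions that differ between two register values."""
    return {i for i in range(16) if (a ^ b) >> i & 1}


def register_from_show_version(text: str) -> int:
    """Extract the register in effect from `show version` output.

    IOS prints e.g. 'Configuration register is 0x2142 (will be 0x2102 at next
    reload)'; the first value is the one the router booted with.
    """
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]{1,4})", text)
    if not m:
        raise ValueError("no configuration register line found")
    return int(m.group(1), 16)


def audit_register(reg: int) -> list:
    """Findings a reviewer would raise from the register value alone."""
    fields = decode(reg)
    findings = []
    if fields["ignore_nvram"]:
        findings.append("bit 6 set: startup-config will be ignored on the next "
                        "reload (password-recovery mode left enabled)")
    if fields["boot_field"] == 0:
        findings.append("boot field 0x0: router stops in ROMMON on every reload")
    if not fields["break_disabled"]:
        findings.append("bit 8 clear: Break is honoured after boot-up")
    return findings


if __name__ == "__main__":
    # Constructed `show version` tail, as it looks when the operator forgot
    # to set the register back after the recovery.
    sample = "...\nConfiguration register is 0x2142\n"
    reg = register_from_show_version(sample)
    print(hex(reg), decode(reg))
    print("bits changed vs default:", changed_bits(DEFAULT_REGISTER, reg))
    for finding in audit_register(reg):
        print("WARNING:", finding)
```

Run it against the real output of show version from the router (paste the text into register_from_show_version) as the last step of any password recovery; the only difference between the recovery value and the default must be bit 6.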

ii. Configuring the Cisco 2600 router

Configuring the router is straightforward. Fa0/0 gets the address 192.168.20.21 (the side facing the upstream gateway 192.168.20.1) and Fa0/1 gets 192.168.60.1 (the side facing the MikroTik router). The static route and the NAT configuration follow in section iii.

ISMS_router#config t

Enter configuration commands, one per line. End with CNTL/Z.

ISMS_router(config)#int f0/0

ISMS_router(config-if)#ip address 192.168.20.21 255.255.255.0

ISMS_router(config-if)#no shut

ISMS_router(config-if)#exit

ISMS_router(config)#int f0/1

ISMS_router(config-if)#ip address 192.168.60.1 255.255.255.0


ISMS_router(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

ISMS_router(config-if)#exit

ISMS_router(config)#exit

This assigns the IP addresses to the two interfaces and brings them up.

iii. Configuring static route and NAT for Cisco 2600 router

Figure 1

Considering Figure 1, a default route and NAT are configured on the Cisco 2600 router.

Static route configuration: a static route is given as the destination network, its mask and the next hop. Here it is a default route (0.0.0.0 0.0.0.0): every packet whose destination is not otherwise in the routing table is forwarded to the upstream gateway 192.168.20.1.

NAT configuration: the commands below configure NAT overload (PAT), not static NAT. access-list 1 selects the inside source addresses (the 192.168.60.0/24 network), and all of them are translated to the address of the outside interface Fa0/0, with the source ports rewritten so that many inside hosts share that one outside address. Fa0/0 is marked as the NAT outside interface (the 192.168.20.0 network) and Fa0/1 as the inside interface (the 192.168.60.0 network). A static NAT entry would instead be a fixed one-to-one mapping (ip nat inside source static) that exposes one inside host to the outside network, which is not wanted here. The configuration log in section II uses an extended access list 101 for the same purpose; either form works.

The complete configuration for the default route and NAT overload is shown below:


Router#

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.1

Router(config)#access-list 1 permit 192.168.60.0 0.0.0.255

Router(config)#ip nat inside source list 1 interface fa0/0 overload

Router(config)#int fa0/0

Router(config-if)#ip nat outside

Router(config-if)#int fa0/1

Router(config-if)#ip nat inside

Router(config-if)#exit

iv. Configuring Cisco 2600 Router for DHCP

For a private network (192.168.1.0/24) connected to Fa0/1 of the router, DHCP is configured as follows. 192.168.1.1 is the address of Fa0/1 and is handed out to clients as their default gateway. Note that ip dhcp excluded-address is a global configuration command, so interface mode is left first, and that the excluded range must not cover the whole subnet or the pool has nothing left to lease (the configuration log in section II excludes .1 to .99, leaving .100 to .254 for clients).

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#int fa0/1

Router(config-if)#ip address 192.168.1.1 255.255.255.0

Router(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

Router(config-if)#exit

Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.99

Router(config)#ip dhcp pool DHCP_POOL

Router(dhcp-config)#network 192.168.1.0 255.255.255.0

Router(dhcp-config)#default-router 192.168.1.1

Router(dhcp-config)#exit

v. Configuration of Mikrotik RouterBOARD 951G- 2HnD

The MikroTik RouterBOARD was configured with the following login credentials (a fresh RouterOS ships with user admin and an empty password, so setting one is the first thing to do):

Username: admin

Password : faculty_123


The first step is to connect to the router with the WinBox application over an Ethernet cable. The cable can go into Ethernet port 2 through 5. The default RouterOS firewall treats Ethernet port 1 as the WAN side and drops management connections arriving there, so WinBox cannot connect through port 1.

Figure 2 WinBox login interface

Once connected we can set up the interfaces and configure everything else. The environment looks as shown in Figure 3.

Figure 3 WinBox GUI interface

There are five Ethernet interfaces, Ethernet 1 through 5, and one wireless interface, WLAN1. Ethernet 1 is connected to the Internet-enabled network (here to Fa0/1 of the Cisco 2600 router) and Ethernet 2 is connected to the Cisco Catalyst 2950 switch.


We start by creating a bridge between WLAN1 and Ethernet 2, so that wireless and wired clients share one LAN. IP addresses are assigned under IP >> Addresses.

The configuration (pertaining to Figure 3) was done as follows:

For the bridge interface: Address 192.168.50.1/24

For Ethernet 1: Address 192.168.60.2/24

A static route was defined under IP >> Routes: 0.0.0.0/0 via 192.168.60.1 (Fa0/1 of the Cisco 2600)

DNS: 116.90.239.4

DHCP: a DHCP server was configured on the bridge interface (WLAN1 and Ethernet 2).

The hotspot is created under IP >> Hotspot with Hotspot Setup, which creates a new hotspot IP pool. A hotspot user profile can then be created for this pool (we created a profile named 1MBps, which rate-limits each user), and users can be created for that profile. MikroTik offers a wide variety of hotspot options, not all of which can be shown here.

Good video tutorials covering access, configuration and hotspot creation on a MikroTik router can be found in [1] and [2].

vi. Configuring Mikrotik Router for blocking certain sites

Sites can be blocked by creating an access rule in the built-in Web Proxy:

In the WinBox GUI go to IP >> Web Proxy >> Web Proxy Settings, tick Enabled, set Port to 8080, click Apply, then open Access.

In the Access window enter the website to be blocked in Dst. Host.


For example: Dst. Host: www.youtube.com, Action: deny, then Apply.

For this to work the clients' HTTP traffic has to be redirected into the proxy transparently with a NAT rule. Go to IP >> Firewall, open the NAT tab and add a new NAT rule: in the General tab set Chain: dstnat, Protocol: 6 (tcp), Dst. Port: 80; in the Action tab set Action: redirect and To Ports: 8080, then click OK. The redirect action sends the packets to the router itself, which is where the proxy listens. If Action: dst-nat is used instead, To Addresses must be the router's own LAN address (192.168.50.1 in this setup), not the network address.

Two caveats: the proxy only sees plain HTTP on port 80, so the same site reached over HTTPS (port 443) is not filtered by this rule; and the proxy accepts connections on every interface, so a firewall filter rule dropping input to tcp/8080 from Ethernet 1 should be added, otherwise the router becomes an open proxy for the outside network.

vii. Blocking Torrent sites using Mikrotik Router

Go to IP >> Firewall >> Layer7 Protocols, click +, give the matcher a name (e.g. Torrent block), paste the following regular expression under Regexp and click Apply:

^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$

This matches an HTTP request that contains get or GET followed by one of the listed site names (torrent also catches .torrent file downloads). The list contains entertane and flixflux twice; the duplicates are harmless. Now add a filter rule that uses the matcher: Firewall >> Filter Rules >> +, Chain: forward, Protocol: 6 (tcp) (optionally Dst. Port: 80 to limit the inspection to HTTP); in the Advanced tab set Layer7 Protocol to the matcher just created (Torrent block), and in the Action tab select drop.

Then create a second Layer7 matcher (Firewall >> Layer7 Protocols >> +), name it e.g. torrent-dns and put the following under Regexp:

^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$

Then go to Filter Rules >> +, set Chain: forward, Protocol: 17 (udp), Dst. Port: 53; in the Advanced tab set Layer7 Protocol to torrent-dns, and finally in the Action tab select drop. This drops DNS queries containing one of the site names, so clients cannot even resolve them.

Both matchers are case-sensitive and only inspect the first packets of each connection, and HTTPS traffic is encrypted, so this is a cheap deterrent rather than a reliable block.
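To see exactly what the two Layer7 matchers above catch, here is an added example that is not part of the original guide: it reproduces the guide's two Regexp strings byte for byte and runs them over constructed HTTP requests and DNS queries. The sample payloads are constructed here, and the DNS query builder is this example's own. MikroTik evaluates the pattern with POSIX regex semantics over the collected start of each connection; Python's re module with DOTALL is used as a close enough stand-in for the matching behaviour, which is an assumption of this example.

```python
"""Run the guide's two Layer-7 regexes over constructed packet payloads.

Added example, not part of the original guide. Sample HTTP requests and DNS
queries are constructed below; Python `re` with DOTALL stands in for the
POSIX matcher RouterOS uses (assumption).
"""
import re
import struct

# The alternation exactly as pasted into the two Layer7 matchers in the guide.
SITES = (b"torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|"
         b"flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|"
         b"entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|"
         b"seedpeer|fenopy|gpirate|commonbits")

# "Torrent block": needs get/GET somewhere, then a site name later in the payload.
TORRENT_HTTP = re.compile(b"^.*(get|GET).+(" + SITES + b").*$", re.DOTALL)
# "torrent-dns": any payload that contains a site name after at least one byte.
TORRENT_DNS = re.compile(b"^.+(" + SITES + b").*$", re.DOTALL)


def http_rule_matches(payload: bytes) -> bool:
    """Would the tcp filter rule with the 'Torrent block' matcher drop this?"""
    return TORRENT_HTTP.match(payload) is not None


def http_get(host: str, path: str = "/") -> bytes:
    """Constructed minimal HTTP/1.1 GET request."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def dns_query(qname: str) -> bytes:
    """Constructed minimal DNS A query in wire format (fixed id 0x1234).

    Labels are length-prefixed, so the name appears as contiguous bytes and
    substring matching on it works without the dots.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_rule_matches(qname: str) -> bool:
    """Would the udp/53 filter rule with the 'torrent-dns' matcher drop this?"""
    return TORRENT_DNS.match(dns_query(qname)) is not None


if __name__ == "__main__":
    cases = {
        "GET to thepiratebay.org": http_get("thepiratebay.org"),
        "GET of a .torrent file on another host": http_get("www.example.com", "/latest.torrent"),
        "GET to example.com": http_get("www.example.com"),
        "uppercase host (matcher is case-sensitive)": http_get("www.THEPIRATEBAY.org"),
        "POST instead of GET": b"POST /x.torrent HTTP/1.1\r\nHost: files.example.net\r\n\r\n",
        "TLS ClientHello (no GET in cleartext)": b"\x16\x03\x01" + b"thepiratebay.org",
    }
    for name, payload in cases.items():
        print(f"{name:45s} -> {'DROP' if http_rule_matches(payload) else 'allow'}")
    for qname in ("www.thepiratebay.org", "www.ThePirateBay.org", "www.example.org"):
        print(f"DNS {qname:41s} -> {'DROP' if dns_rule_matches(qname) else 'allow'}")
```

The uppercase and POST cases show the two easiest ways around these rules: a resolver that randomises query case (DNS names are case-insensitive) or a client that does not use GET is not matched, and HTTPS is never matched because the request line is encrypted.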

viii. Resetting Mikrotik RouterBOARD 951G- 2HnD

The RouterBOARD 951G-2HnD can be returned to its original configuration with the RESET button located to the left of the Ethernet ports. To reset, follow these steps:

Power off the device.

Press and hold the Reset button with a pointed object.

Connect the power cable while keeping the button pressed.

Release the button as soon as the LED starts flashing (after about five seconds); the configuration is then reset to the defaults, including the admin password, so physical access to the board means full control of it.

Point to be noted: if the Reset button is held until the flashing LED turns off, the RouterBOARD instead looks for a Netinstall server on the network (used to reinstall RouterOS). Disconnect the power and start again if that was not intended.

ix. Configuring Cisco Catalyst 2950 series switch

The configuration, from setting the passwords to creating the VLANs and assigning a management IP address, is shown here:

Press RETURN to get started!

Switch>en

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z.


Switch(config)#enable secret cisco

Switch(config)#line con 0

Switch(config-line)#password cisco

Switch(config-line)#login

Switch(config-line)#exit

The above sets the console password and the enable secret for the switch. Next, VLAN 99 (ports f0/1-10) and VLAN 100 (ports f0/11-24) are created by assigning access ports to them:

Switch(config)#interface range fastethernet 0/1-10

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport access vlan 99

% Access VLAN does not exist. Creating vlan 99

Switch(config-if-range)#exit

Switch(config)#interface range fastethernet 0/11-24

Switch(config-if-range)#switchport mode access

Switch(config-if-range)#switchport access vlan 100

% Access VLAN does not exist. Creating vlan 100

Switch(config-if-range)#exit

Next an IP address is assigned to VLAN 99 as the management address of the switch. It lies in the 192.168.50.0/24 subnet served by the MikroTik bridge, so management from any other subnet also needs a default gateway pointing at 192.168.50.1 (ip default-gateway). Remote access additionally requires a password on the vty lines (see the configuration log in section II), and Telnet sends that password in cleartext.

Switch(config)#int vlan 99

%LINK-5-CHANGED: Interface Vlan99, changed state to up

Switch(config-if)#ip address 192.168.50.11 255.255.255.0

Switch(config-if)#no shut

Switch(config-if)#exit

x. Adding Security to Cisco Catalyst 2950 series switch

The Cisco Catalyst 2950 switch was configured with port security so that FastEthernet port f0/2 accepts only a single end device with one specific MAC address. Any other MAC address seen on that port is a violation and, with the default violation mode (shutdown), puts the port into the err-disabled state until an administrator clears it. The unused ports f0/11-24 were then shut down. Note that switchport port-security maximum 1 is the default and therefore does not appear in the saved configuration.

Switch#config t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#int f0/2


Switch(config-if)#switchport mode access

Switch(config-if)#switchport port-security

Switch(config-if)#switchport port-security maximum 1

Switch(config-if)#switchport port-security mac-address 0021.70fe.661a

Switch(config-if)#exit

Now the unused ports f0/11-24 are shut down. Verify with show port-security interface f0/2 and show ip interface brief, and save with copy run start; the configuration log in section II does not show these ports as shut down, so the change is lost on reload unless it is saved.

Switch(config)#interface range fastethernet 0/11-24

Switch(config-if-range)#shut


II. Configuration Log for the devices

Cisco 2600 Router Configuration :

Login Password : cisco

Enable Password : cisco

Detailed Configuration is shown below:

ISMS2600#sh run

Building configuration...

Current configuration : 1059 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ISMS2600

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$fcqt$p.uVrq1HNvNpUxpn1sZxG.

!

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

ip cef

!

!

ip dhcp excluded-address 192.168.60.1 192.168.60.99

!

ip dhcp pool DHCP_POOL

network 192.168.60.0 255.255.255.0


default-router 192.168.60.1

!

no ftp-server write-enable

!

!

!

!

interface FastEthernet0/0

ip address 192.168.20.21 255.255.255.0

ip nat outside

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 192.168.60.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.20.1

no ip http server

!

access-list 101 permit ip 192.168.60.0 0.0.0.255 any

!

line con 0

password cisco

login

line aux 0

line vty 0 4

login

!


!

!

end

Cisco Catalyst 2950 switch configuration

Login Password: cisco

Enable Password: cisco

Detailed Configuration is shown below:

ISMS_switch#show run

Building configuration...

Current configuration : 2401 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname ISMS_switch

!

enable secret 5 $1$7MYG$vvmsqm20RrzKrdva626gW/

!

ip subnet-zero

!

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

!

!

!

interface FastEthernet0/1

switchport access vlan 99

switchport mode access

!


interface FastEthernet0/2

switchport access vlan 99

switchport mode access

switchport port-security

switchport port-security mac-address 0021.70fe.661a

!

interface FastEthernet0/3

switchport access vlan 99

!

interface FastEthernet0/4

switchport access vlan 99

!

interface FastEthernet0/5

switchport access vlan 99

!

interface FastEthernet0/6

switchport access vlan 99

!

interface FastEthernet0/7

switchport access vlan 99

!

interface FastEthernet0/8

switchport access vlan 99

!

interface FastEthernet0/9

switchport access vlan 99

!

interface FastEthernet0/10

switchport access vlan 99

!

interface FastEthernet0/11

switchport access vlan 100

!

interface FastEthernet0/12

switchport access vlan 100

!

interface FastEthernet0/13


switchport access vlan 100

!

interface FastEthernet0/14

switchport access vlan 100

!

interface FastEthernet0/15

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/16

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/17

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/18

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/19

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/20

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/21

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/22

switchport access vlan 100

switchport mode access

!


interface FastEthernet0/23

switchport access vlan 100

switchport mode access

!

interface FastEthernet0/24

switchport access vlan 100

switchport mode access

!

interface Vlan1

ip address 192.168.60.10 255.255.255.0

no ip route-cache

shutdown

!

interface Vlan99

ip address 192.168.50.11 255.255.255.0

no ip route-cache

!

interface Vlan100

no ip address

no ip route-cache

shutdown

!

ip http server

!

line con 0

password cisco

login

line vty 0 4

password cisco

login

line vty 5 15

password cisco

login

!

!

end
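The logs above can be checked mechanically. The following is an added example, not part of the original guide: a Python audit that parses a Cisco IOS show run into global lines and per-stanza bodies and reports the weaknesses visible in the two logs and in section x, namely cleartext line passwords under no service password-encryption, vty lines that demand a login but have no password (the router's line vty 0 4), the HTTP server left on, access ports that were never set to switchport mode access and so still negotiate trunks via DTP (the switch's f0/3 to f0/14), access ports without port security, and a DHCP pool whose excluded range leaves nothing to lease. SAMPLE_CONFIG is a constructed, abbreviated merge of the two logs plus the DHCP lines of section iv; the function names are this example's own.

```python
"""Audit a Cisco IOS `show run` for the weaknesses visible in the logs above.

Added example, not part of the original guide. SAMPLE_CONFIG is a constructed,
abbreviated merge of the two section II logs plus the DHCP lines of section iv.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
no service password-encryption
ip dhcp excluded-address 192.168.1.1 192.168.1.255
ip dhcp pool DHCP_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
interface FastEthernet0/2
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0021.70fe.661a
interface FastEthernet0/3
 switchport access vlan 99
ip http server
line con 0
 password cisco
 login
line vty 0 4
 login
end
"""

STANZA_PREFIXES = ("interface ", "line ", "ip dhcp pool ")


def parse(text):
    """Split an IOS config into (global lines, {stanza header: [body lines]})."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # indented: belongs to the open stanza
            if current is not None:
                stanzas[current].append(line.strip())
        elif line.startswith(STANZA_PREFIXES):
            current = line
            stanzas[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, stanzas


def leasable_addresses(text):
    """Number of host addresses each DHCP pool can still lease after exclusions."""
    global_lines, stanzas = parse(text)
    excluded = set()
    for line in global_lines:
        m = re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line)
        if m:
            lo = int(ipaddress.IPv4Address(m.group(1)))
            hi = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
            excluded.update(range(lo, hi + 1))
    result = {}
    for name, body in stanzas.items():
        if name.startswith("ip dhcp pool "):
            for l in body:
                m = re.match(r"network (\S+) (\S+)$", l)
                if m:
                    net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
                    result[name] = sum(1 for h in net.hosts() if int(h) not in excluded)
    return result


def audit(text):
    """Return the findings as a list of strings."""
    global_lines, stanzas = parse(text)
    findings = []
    cleartext = "no service password-encryption" in global_lines
    if "ip http server" in global_lines:
        findings.append("ip http server enabled: disable it or restrict it with an ACL")
    for name, body in stanzas.items():
        if name.startswith("line "):
            has_pw = any(l.startswith("password ") for l in body)
            if has_pw and cleartext:
                findings.append(f"{name}: password stored in cleartext")
            if name.startswith("line vty") and "login" in body and not has_pw:
                findings.append(f"{name}: login required but no password set")
        elif name.startswith("interface FastEthernet") and "shutdown" not in body:
            if any(l.startswith("switchport access vlan") for l in body):
                if "switchport mode access" not in body:
                    findings.append(f"{name}: no 'switchport mode access', DTP can negotiate a trunk")
                if "switchport port-security" not in body:
                    findings.append(f"{name}: access port without port-security")
    for pool, count in leasable_addresses(text).items():
        if count == 0:
            findings.append(f"{pool}: every address is excluded, nothing to lease")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Paste the full show run of either device into SAMPLE_CONFIG (or read it from a file) to get the complete list; f0/2 produces no finding because it has both switchport mode access and port security, which is the configuration every other access port should copy.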


III. Applications Used

This section (Appendix III) lists the software tools we used during our internship at ISMS:

1) Cisco Packet Tracer : Network creation and simulation tool

2) PuTTY: An open source SSH and Telnet client.

3) Tera Term: a terminal emulator used for the serial console sessions, similar to PuTTY

4) WinBox: Configuration tool for Mikrotik Router with GUI interface

5) Xirrus Wi-Fi Inspector: Wi-Fi detection and signal analyzing tool.


REFERENCES

1. Adeel Ahmed, "Mikrotik Hotspot Quick Setup Guide in Urdu", YouTube video, http://www.youtube.com/watch?v=T_TEaDrqRVE

2. ISP Supplies, "Mikrotik Router Access Point Basic", YouTube video, http://www.youtube.com/watch?v=ulDefmf1ces

3. "How to configure Mikrotik Router to Block Website", YouTube video, http://www.youtube.com/watch?v=qtrv-cKO2Zg

4. Hotspotsystem.com, "How to Setup Your Own Hotspot with MIKROTIK routers", http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html

5. A. Borza, D. Duesterhaus, C. Grabczynski, J. Johnson, R. Kelly, T. Miller, "Cisco IOS Switch Security Configuration Guide", National Security Agency

6. Information System Management Section (ISMS), Kathmandu University, Fact Sheet, January 2013, http://www.ku.edu.np/isms/Factsheet_ISMS_jan2013.pdf