Configuration Guide
Cisco 2600 Router
Mikrotik RouterBOARD 951G-2HnD
Cisco Catalyst 2950 series switch
August, 2013
Table of Contents
I. Configuration of the devices........................................................................................................3
i. Resetting the Cisco 2600 Router..........................................................................................3
ii. Configuring the Cisco 2600 router.......................................................................................5
iii. Configuring static route and static NAT for Cisco 2600 router...........................................6
iv. Configuring Cisco 2600 Router for DHCP..........................................................................7
v. Configuration of Mikrotik RouterBOARD 951G- 2HnD....................................................7
vi. Configuring Mikrotik Router for blocking certain sites.......................................................9
vii. Blocking Torrent sites using Mikrotik Router................................................................10
viii. Resetting Mikrotik RouterBOARD 951G- 2HnD..........................................................11
ix. Configuring Cisco Catalyst 2950 series switch..................................................................11
x. Adding Security to Cisco Catalyst 2950 series switch.......................................................12
II. Configuration Log for the devices............................................................................................14
Cisco 2600 Router Configuration :...........................................................................................14
Cisco Catalyst 2950 switch configuration.................................................................................16
III. Applications Used....................................................................................................................20
REFERENCES..............................................................................................................................21
I. Configuration of the devices
i. Resetting the Cisco 2600 Router
Requirements:
Console cable (we used a Prolific USB-to-serial converter cable)
Terminal software such as Tera Term or PuTTY
Procedure:
1. Connect the Cisco 2600 router to the PC via the console port, using a serial cable or a
USB-to-serial cable.
2. Open Tera Term.
3. Connect using the serial port (whichever COM port is available).
4. Turn on the Cisco 2600 router.
5. The router will start to boot (it prints "Self decompressing the image....").
6. Send a break to interrupt the router's normal boot process. The output will be as
shown in the figure below. In Tera Term, a break can be sent during the boot process from
Menu>>Control>>Send Break.
7. The main idea behind resetting the router is to change the boot sequence, which is
controlled by the configuration register. The default configuration register value is
0x2102 (0010000100000010). This default value is changed to 0x2142
(0010000101000010). Setting the sixth bit of the configuration register makes the router
ignore the NVRAM contents at boot. By ignoring the NVRAM contents we can access the
router without the existing password and then set a password of our own. The output
after the break has been sent to the normal boot process is shown below:
Self decompressing the image :
#############
monitor: command "boot" aborted due to user interrupt
rommon 1 >
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
##########################################################################
[OK]
The router boots normally and finally asks whether to continue with the configuration
dialog. Answer "no", and then set our own password as follows:
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#line con 0
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#exit
Now the configuration register has to be set back to the default so that the router boots normally from NVRAM.
Router(config)#config-register 0x2102
Now the running configuration has to be copied to the startup configuration:
Router(config)#exit
Router#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
So the router has been reset successfully.
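As an added example (not part of the guide), the Python below decodes the two configuration-register values used in step 7 bit by bit, confirms that only bit 6 differs between 0x2102 and 0x2142, and flags a register that still ignores NVRAM, which is what a router is left with if the change is not reverted with config-register 0x2102:

```python
# Added example, not from the guide: decode Cisco configuration-register values
# so the 0x2102 -> 0x2142 change made in ROMmon can be checked bit by bit.
CONFREG_FLAGS = {
    6: "ignore NVRAM contents (startup-config) at boot",
    8: "console Break disabled once IOS is running",
    13: "boot default ROM software if network boot fails",
}

def confreg_decode(value):
    """Return (boot field, {bit: meaning}) for a 16-bit configuration register."""
    # bits 0-3: 0 = stay in ROMmon, 1 = boot first image in flash, 2-F = normal boot
    boot_field = value & 0xF
    flags = {bit: text for bit, text in CONFREG_FLAGS.items() if (value >> bit) & 1}
    return boot_field, flags

def confreg_diff(old, new):
    """Bit positions that differ between two register values."""
    return [bit for bit in range(16) if ((old ^ new) >> bit) & 1]

def ignores_nvram(value):
    """True when a router with this register skips its saved configuration on reload."""
    return bool((value >> 6) & 1)

if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        boot, flags = confreg_decode(reg)
        print(f"0x{reg:04x}: boot field={boot} set flags={sorted(flags)}")
    print("changed bits:", confreg_diff(0x2102, 0x2142))
```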
ii. Configuring the Cisco 2600 router
Configuring the router is straightforward. We configure Fa0/0 with the IP address
192.168.20.21 and Fa0/1 with the IP address 192.168.60.1; a static route and NAT are added next.
ISMS_router#config t
Enter configuration commands, one per line. End with CNTL/Z.
ISMS_router(config)#int f0/0
ISMS_router(config-if)#ip address 192.168.20.21 255.255.255.0
ISMS_router(config-if)#no shut
ISMS_router(config-if)#exit
ISMS_router(config)#int f0/1
ISMS_router(config-if)#ip address 192.168.60.1 255.255.255.0
ISMS_router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
ISMS_router(config-if)#exit
ISMS_router(config)#exit
This configures the IP address for the router.
iii. Configuring static route and static NAT for Cisco 2600 router
Figure 1
Considering Figure 1, a static route and NAT can be set up on the Cisco 2600 router.
Static route configuration: It is done by giving the destination network, its mask and the next
hop. Here a default route is configured so that packets for any network are forwarded to the
192.168.20.1 gateway.
Static NAT configuration: It is done by marking the inside and outside interfaces. Here the
outside network is 192.168.20.0 and the inside network is 192.168.60.0. Note that the
configuration below uses the overload keyword, so the inside hosts permitted by access-list 1
share the Fa0/0 address (PAT) rather than getting one-to-one mappings.
The complete configuration for the static route and NAT is shown below:
Router#
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.1
Router(config)#access-list 1 permit 192.168.60.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface fa0/0 overload
Router(config)#int fa0/0
Router(config-if)#ip nat outside
Router(config-if)#int fa0/1
Router(config-if)#ip nat inside
Router(config-if)#exit
iv. Configuring Cisco 2600 Router for DHCP
For a private network (192.168.1.0) connected to Fa0/1 of the router, DHCP can be enabled
with the following configuration. Here 192.168.1.1 is the IP address of the router's Fa0/1 port,
so it is excluded from the pool; excluding the whole range 192.168.1.1-192.168.1.255 would
leave the pool with no address to lease.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int fa0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Router(config-if)#exit
Router(config)#ip dhcp excluded-address 192.168.1.1
Router(config)#ip dhcp pool DHCP_POOL
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#exit
v. Configuration of Mikrotik RouterBOARD 951G- 2HnD
The Mikrotik RouterBOARD was configured with the following login parameters.
Username: admin
Password: faculty_123
The first step is to connect to the router with the WinBox application through an Ethernet
cable. The cable can be connected to Ethernet ports 2 through 5. Because of the firewall rules
applied to Ethernet port 1, we cannot connect through port 1.
Figure 2 WinBox login interface
Once connected we can set up the interfaces and configure everything. The environment
looks as shown in Figure 5.
Figure 3 WinBox GUI interface
There are 5 Ethernet interfaces (Ethernet 1 through 5) and a wireless interface, WLAN1. Ethernet
1 is connected to the Internet-enabled network (here to Fa0/1 of the Cisco 2600 router)
and Ethernet 2 is connected to the Cisco Catalyst 2950 switch.
We start by creating a bridge between WLAN1 and Ethernet 2. IP addressing is configured by
going to IP>>Address.
The configuration (pertaining to Figure 3) was done as follows:
For the bridge interface:
Address: 192.168.50.1/24
For Ethernet 1:
Address: 192.168.60.2/24
The static route was defined by going to IP>>Route.
The route was configured as: 0.0.0.0/0 via 192.168.60.1
DNS: 116.90.239.4
DHCP: configured for the bridge interface of WLAN1 and Ethernet 2.
A hotspot is created by going to IP>>Hotspot and running Hotspot Setup. This creates a
new hotspot IP pool. A new hotspot user profile can be created for this pool (we created a 1MBps
profile). After creating the profile, we can create users for that profile. Mikrotik offers a wide
variety of hotspot configuration options, not all of which can be shown here.
Good video tutorials covering everything required for accessing and configuring the Mikrotik
router and creating a hotspot can be found in [1] and [2].
vi. Configuring Mikrotik Router for blocking certain sites
Sites can be blocked by creating a rule in the Web Proxy as follows:
In the WinBox GUI, go to IP>>Web Proxy>>Web Proxy Settings, tick Enabled, set Port to
8080, click Apply, then click Access.
In the Access window, enter the website to be blocked in Dst. Host.
e.g. Dst. Host: www.youtube.com, Action: deny, and then click Apply.
For this to work, the proxy has to be made transparent with a NAT rule. Go to
IP>>Firewall, click the NAT tab, then New NAT Rule. In the General tab select
Chain: dstnat, Protocol: 6 (tcp), Dst. Port: 80. Click the Action tab and select
Action: dst-nat, To Addresses: enter the address of your network, To Ports: 8080,
then click OK. Only plain HTTP on TCP port 80 is redirected by this rule; HTTPS traffic
is not affected.
vii. Blocking Torrent sites using Mikrotik Router
Go to IP>>Firewall>>Layer 7 Protocols, click New Rule, give it any name (e.g. Torrent
block), paste the following expression under Regexp and click Apply:
^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
Now, in a firewall filter rule, go to the Advanced tab and under Layer 7 Protocol select the
name just created, here Torrent block. Then in the Action tab set the action to 'drop'. Next
click Firewall>>Layer 7 Protocols>>New Rule, give it a new name such as 'torrent-dns' and
enter the following under Regexp:
^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
Then go to Filter Rules>>Add New Rule, set Chain: forward, Protocol: 17 (udp), Dst. Port: 53.
In the Advanced tab set the Layer 7 protocol to the rule just created (torrent-dns). Finally
click on Action and select 'drop'.
viii. Resetting Mikrotik RouterBOARD 951G- 2HnD
The Mikrotik RouterBOARD 951G-2HnD can be reset in case we wish to return the
device to its original configuration. This is done with the RESET button located to the left of
the Ethernet ports. To reset, follow these steps:
1. Power off the device.
2. Press the Reset button with a pointed object.
3. Connect the power cable.
4. Remove the power cable as soon as the LED starts flashing.
Note: if the Reset button is held longer, until the flashing LED turns off, the
RouterBOARD looks for Netinstall servers instead.
ix. Configuring Cisco Catalyst 2950 series switch
The configuration, starting from setting the passwords to creating the VLANs and assigning an IP
address, is shown here:
Press RETURN to get started!
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#enable secret cisco
Switch(config)#line con 0
Switch(config-line)#password cisco
Switch(config-line)#login
Switch(config-line)#exit
The above sets the login and enable password for the switch. Now follows the creation
of VLAN 99 and VLAN 100.
Switch(config)#interface range fastethernet 0/1-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 99
% Access VLAN does not exist. Creating vlan 99
Switch(config-if-range)#exit
Switch(config)#interface range fastethernet 0/11-24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 100
% Access VLAN does not exist. Creating vlan 100
Switch(config-if-range)#exit
Now follows the assigning of IP address to VLAN 99 for remote management of switch.
Switch(config)#int vlan 99
%LINK-5-CHANGED: Interface Vlan99, changed state to up
Switch(config-if)#ip address 192.168.50.11 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit
x. Adding Security to Cisco Catalyst 2950 series switch
The Cisco Catalyst 2950 switch was configured for port security such that FastEthernet port
f0/2 accepts only a single end device with a specific MAC address. All other ports were shut
down. With no violation mode specified, the default action on a violation is to err-disable the port.
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 0021.70fe.661a
Switch(config-if)#exit
Now shutting down the other ports:
Switch(config)#interface range fastethernet 0/11-24
Switch(config-if-range)#shut
II. Configuration Log for the devices
Cisco 2600 Router Configuration:
Login Password: cisco
Enable Password: cisco
The detailed configuration is shown below:
ISMS2600#sh run
Building configuration...
Current configuration : 1059 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISMS2600
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$fcqt$p.uVrq1HNvNpUxpn1sZxG.
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.60.1 192.168.60.99
!
ip dhcp pool DHCP_POOL
network 192.168.60.0 255.255.255.0
default-router 192.168.60.1
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.21 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.60.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.1
no ip http server
!
access-list 101 permit ip 192.168.60.0 0.0.0.255 any
!
line con 0
password cisco
login
line aux 0
line vty 0 4
login
!
!
!
end
Cisco Catalyst 2950 switch configuration
Login Password: cisco
Enable Password: cisco
The detailed configuration is shown below:
ISMS_switch#show run
Building configuration...
Current configuration : 2401 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISMS_switch
!
enable secret 5 $1$7MYG$vvmsqm20RrzKrdva626gW/
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 99
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 99
switchport mode access
switchport port-security
switchport port-security mac-address 0021.70fe.661a
!
interface FastEthernet0/3
switchport access vlan 99
!
interface FastEthernet0/4
switchport access vlan 99
!
interface FastEthernet0/5
switchport access vlan 99
!
interface FastEthernet0/6
switchport access vlan 99
!
interface FastEthernet0/7
switchport access vlan 99
!
interface FastEthernet0/8
switchport access vlan 99
!
interface FastEthernet0/9
switchport access vlan 99
!
interface FastEthernet0/10
switchport access vlan 99
!
interface FastEthernet0/11
switchport access vlan 100
!
interface FastEthernet0/12
switchport access vlan 100
!
interface FastEthernet0/13
switchport access vlan 100
!
interface FastEthernet0/14
switchport access vlan 100
!
interface FastEthernet0/15
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/17
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/18
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/19
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/20
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/21
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/22
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/24
switchport access vlan 100
switchport mode access
!
interface Vlan1
ip address 192.168.60.10 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan99
ip address 192.168.50.11 255.255.255.0
no ip route-cache
!
interface Vlan100
no ip address
no ip route-cache
shutdown
!
ip http server
!
line con 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
end
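As an added example (not code from the guide), the Python below runs the checks that sections iv, ix and x imply over a constructed configuration excerpt shaped like the two logs above: VTY lines with login but no password (as in the router log, where remote logins are refused with "Password required, but none set"), access ports without port-security, and DHCP exclusions that cover the whole pool.

```python
import ipaddress
import re

# Constructed sample (not the page's own log): lines shaped like the ISMS2600 and
# ISMS_switch running-configs, seeded with the weaknesses this guide touches.
SAMPLE_CFG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.255
ip dhcp pool DHCP_POOL
 network 192.168.1.0 255.255.255.0
interface FastEthernet0/2
 switchport mode access
 switchport port-security
interface FastEthernet0/3
 switchport mode access
line vty 0 4
 login
"""

def blocks(cfg):
    """Group an IOS config into (command, [indented sub-commands]) pairs."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def dhcp_free_hosts(cb):
    """Per DHCP pool, count host addresses not covered by an excluded-address range."""
    excl = [(ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2) or m.group(1)))
            for cmd, _ in cb
            for m in [re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", cmd)] if m]
    free = {}
    for cmd, sub in cb:
        if cmd.startswith("ip dhcp pool"):
            for m in filter(None, (re.match(r"network (\S+) (\S+)$", s) for s in sub)):
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
                free[cmd] = sum(not any(lo <= a <= hi for lo, hi in excl) for a in net.hosts())
    return free

def audit(cfg):
    """Return findings for the checks sections iv, ix and x of this guide touch."""
    cb = blocks(cfg)
    findings = []
    for cmd, sub in cb:
        if cmd.startswith("line vty") and "login" in sub and not any(s.startswith("password") for s in sub):
            findings.append(f"{cmd}: login without a password (remote logins are refused)")
        if cmd.startswith("interface ") and "switchport mode access" in sub and "switchport port-security" not in sub:
            findings.append(f"{cmd}: access port without port-security")
    for pool, n in dhcp_free_hosts(cb).items():
        if n == 0:
            findings.append(f"{pool}: exclusions leave no assignable address")
    return findings
```

Running audit() on a real show run capture works the same way, since the parser only relies on IOS indenting sub-commands with one space.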
III. Applications Used
This section of Appendix III describes the software tools we used during our internship
at ISMS. They are listed as follows:
1) Cisco Packet Tracer: network creation and simulation tool
2) PuTTY: an open-source SSH and Telnet client
3) Tera Term: a terminal emulator similar to PuTTY
4) WinBox: GUI configuration tool for the Mikrotik router
5) Xirrus Wi-Fi Inspector: Wi-Fi detection and signal analysis tool
REFERENCES
1. Mikrotik Hotspot Quick Setup Guide in Urdu, Adeel Ahmed, YouTube video, http://www.youtube.com/watch?v=T_TEaDrqRVE
2. Mikrotik Router Access Point Basic, ISP Supplies, YouTube video, http://www.youtube.com/watch?v=ulDefmf1ces
3. How to configure Mikrotik Router to Block Website, YouTube video, http://www.youtube.com/watch?v=qtrv-cKO2Zg
4. How to Setup Your Own Hotspot with MIKROTIK routers, Hotspotsystem.com, http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html
5. Cisco IOS Switch Security Configuration Guide, A. Borza, D. Duesterhaus, C. Grabczynski, J. Johnson, R. Kelly, T. Miller, National Security Agency
6. Information System Management Section (ISMS), Kathmandu University, Fact Sheet, January 2013, http://www.ku.edu.np/isms/Factsheet_ISMS_jan2013.pdf