by Jean-Baptiste Marchand (25/03/2005)
-[ Minimizing Windows Server 2003 network services ]-
1. Introduction
This document is an evolution of the document
Minimizing Windows network services - Examples with Windows 2000 and Windows XP
published for the first time in September 2002
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
and explains how the same methodology can be applied to minimize network services
of Windows Server 2003 systems.
Windows network services are presented in detail in the _Windows network
services internals_ paper, available at
http://www.hsc.fr/ressources/articles/win_net_srv/
2. Target
The hardening recommendations presented in this document will only be used for
isolated Windows Server 2003 systems (systems that are not part of an Active
Directory domain).
Depending on the target environment, only a subset of the recommendations will
be implemented.
Yet, it is possible to apply all recommendations on hardened systems (such as
servers used in DMZ).
3. Overview of default Windows Server 2003 network services
The netstat command can be used to enumerate running network services on a
default Windows Server 2003 system:
C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992
  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:1027           *:*                                    992
  UDP    0.0.0.0:1029           *:*                                    912
  UDP    0.0.0.0:4500           *:*                                    508
  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4
When the -o netstat option is used, the PID column contains the process
identifier of the process that bound a socket.
The tasklist command displays the translation between process identifiers and
executable names:
C:\>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
System                           4 Console                    0        212 K
smss.exe                       372 Console                    0        456 K
csrss.exe                      428 Console                    0      3 656 K
winlogon.exe                   452 Console                    0      1 988 K
services.exe                   496 Console                    0      3 052 K
lsass.exe                      508 Console                    0      8 284 K
svchost.exe                    680 Console                    0      2 732 K
svchost.exe                    728 Console                    0      3 748 K
svchost.exe                    912 Console                    0      3 792 K
svchost.exe                    964 Console                    0      1 868 K
svchost.exe                    992 Console                    0     17 352 K
spoolsv.exe                   1220 Console                    0      4 876 K
msdtc.exe                     1248 Console                    0      3 944 K
svchost.exe                   1340 Console                    0      1 748 K
svchost.exe                   1372 Console                    0      1 304 K
dfssvc.exe                    1568 Console                    0      3 116 K
wmiprvse.exe                  1932 Console                    0      4 564 K
explorer.exe                  1816 Console                    0     17 012 K
ctfmon.exe                     560 Console                    0      2 304 K
msiexec.exe                    204 Console                    0      3 168 K
wpabaln.exe                   1004 Console                    0      2 460 K
cmd.exe                        280 Console                    0      1 468 K
wmiprvse.exe                   276 Console                    0      4 744 K
tasklist.exe                  1268 Console                    0      3 244 K
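The correlation between a socket's PID and the service that owns it is done by hand in the following sections (netstat -ano, then tasklist /svc /fi "pid eq N"). The script below is an added example, not part of this note: it parses both outputs and flags every socket that is not bound to loopback, which is exactly the list a remote scanner would see. NETSTAT_SAMPLE is the default listing above; TASKLIST_SAMPLE is constructed to match those PIDs and is abridged (a real tasklist /svc lists many more services per svchost.exe). Function names are this example's own.

```python
"""Correlate `netstat -ano` sockets with `tasklist /svc` output (added example).

Not part of the HSC note: it automates the PID correlation the note does by hand.
NETSTAT_SAMPLE is the note's default Windows Server 2003 listing; TASKLIST_SAMPLE
is constructed to match those PIDs and abridged (a real `tasklist /svc` lists
many more services per svchost.exe). "EXPOSED" means not bound to loopback.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992
  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:1027           *:*                                    992
  UDP    0.0.0.0:1029           *:*                                    912
  UDP    0.0.0.0:4500           *:*                                    508
  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4
"""
# Constructed, abridged tasklist /svc output matching the PIDs above; the wrapped
# service list for PID 992 exercises the continuation-line handling.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                      508 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    680 RpcSs
svchost.exe                    912 Dhcp, Dnscache
svchost.exe                    992 Schedule,
                                   W32Time
"""

@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    pid: int
    state: str = ""  # TCP only; netstat prints no State column for UDP
    image: str = "<not in tasklist>"
    services: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        """True unless bound to loopback: 0.0.0.0 and interface addresses are reachable."""
        return not ipaddress.ip_address(self.addr).is_loopback

def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` lines; header and blank lines are skipped."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        addr, port = f[1].rsplit(":", 1)  # rsplit keeps a bracketed IPv6 literal whole
        state, pid = (f[3], f[4]) if f[0] == "TCP" else ("", f[3])
        out.append(Socket(f[0], addr.strip("[]"), int(port), int(pid), state))
    return out

_PROC_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)(?:\s+(?P<svcs>.*))?$")

def _names(s: str) -> List[str]:
    return [] if s.strip() in ("", "N/A") else [n.strip() for n in s.split(",") if n.strip()]

def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """pid -> (image, services). Long service lists wrap onto indented continuation lines."""
    procs, last = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():
            last.extend(_names(line))  # continuation of the previous process's services
        elif (m := _PROC_RE.match(line)):
            last = _names(m.group("svcs") or "")
            procs[int(m.group("pid"))] = (m.group("image"), last)
    return procs

def listeners(netstat_text: str, tasklist_text: str) -> List[Socket]:
    """Listening sockets with their owner; PIDs missing from tasklist keep the default image."""
    procs = parse_tasklist_svc(tasklist_text)
    found = [s for s in parse_netstat(netstat_text) if s.proto == "UDP" or s.state == "LISTENING"]
    for s in found:
        s.image, s.services = procs.get(s.pid, (s.image, s.services))
    return sorted(found, key=lambda s: (s.proto, s.port, s.addr))

def report(netstat_text: str, tasklist_text: str) -> List[str]:
    """One line per socket, EXPOSED first: that is the hardening backlog."""
    rows = sorted(listeners(netstat_text, tasklist_text), key=lambda s: not s.exposed)
    return [f"{'EXPOSED' if s.exposed else 'local  '} {s.proto} {s.addr}:{s.port:<5} pid={s.pid:<4} "
            f"{'System (kernel driver, e.g. netbt.sys)' if s.image == 'System' else s.image} "
            f"{', '.join(s.services)}".rstrip() for s in rows]

if __name__ == "__main__":
    print("\n".join(report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```

Run against the default listing, 13 of the 14 sockets are reported EXPOSED and only UDP 127.0.0.1:123 (w32time) is local; run against the listing obtained after the netsh and rpccfg changes of section 4, every remaining socket is local. On a real system, redirect netstat -ano and tasklist /svc to files and feed them to listeners() instead of the embedded samples; ESTABLISHED and TIME_WAIT entries are dropped because they are connections, not services.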
4. TCP and UDP ports used by Windows Server 2003 default network services
4.1 IPSEC Services (PolicyAgent)
The IPSEC Services service opens two UDP sockets:
- one UDP socket bound to UDP port 500 (ISAKMP support)
- one UDP socket bound to UDP port 4500 (NAT-T support)
These two UDP ports appear in netstat's output:

  UDP    0.0.0.0:500            *:*                                    508
  UDP    0.0.0.0:4500           *:*                                    508
                                                                       ^^^

508 corresponds to the PID of lsass.exe (the PolicyAgent service runs inside
the LSA process):

C:\>tasklist /svc /fi "pid eq 508"

Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      508 PolicyAgent, ProtectedStorage, SamSs
Stopping the PolicyAgent service immediately closes the two UDP sockets:
C:\>net stop policyagent
The IPSEC Services service is stopping.
The IPSEC Services service was stopped successfully.
To set the startup mode of the PolicyAgent service to manual instead of
automatic (default configuration), use the following command:
C:\>sc config policyagent start= demand
[SC] ChangeServiceConfig SUCCESS
4.2 Windows Time service (w32time)
The Windows Time service opens one UDP socket bound to UDP port 123 for each
network adapter present on the system, plus the loopback IPv4 address
(127.0.0.1):
  UDP    127.0.0.1:123          *:*                                    992
  UDP    192.70.106.144:123     *:*                                    992
                                                                       ^^^

svchost.exe                    992 Console                    0     17 352 K
^^^^^^^^^^^                    ^^^

992 corresponds to the svchost.exe instance that hosts the w32time service.
Stopping the w32time service immediately closes all sockets bound to UDP port 123:

C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
To set the startup mode of the w32time service to manual instead of
automatic (default configuration), use the following command:
C:\>sc config w32time start= demand
[SC] ChangeServiceConfig SUCCESS
4.3 NetBIOS over TCP/IP driver (NetBT support)
By design, the NetBIOS over TCP/IP driver binds 3 sockets on the IP address of
each network adapter.
These 3 sockets correspond to the 3 NetBIOS over TCP/IP services:
- 137/UDP : NetBIOS name resolution service
- 138/UDP : NetBIOS datagram service
- 139/TCP : NetBIOS session service
In our example, 3 sockets are bound to the network adapter:

  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  UDP    192.70.106.144:137     *:*                                    4
  UDP    192.70.106.144:138     *:*                                    4
                                                                       ^

4 corresponds to the System process and confirms that these sockets are bound by
the NetBIOS over TCP/IP driver (netbt.sys), running in kernel-mode.
NetBIOS over TCP/IP is not needed if all systems of the environment are running
Windows 2000 or later.
Disabling NetBIOS over TCP/IP support on all network adapters (choose
Disable NetBIOS over TCP/IP in the WINS tab of the network adapter's Advanced
TCP/IP Settings window) closes sockets bound to 137/udp, 138/udp and
139/tcp.
4.4 NetBIOS over TCP/IP driver (raw SMB support)
Starting with Windows 2000, the SMB protocol (Windows protocol behind Windows
resource sharing and remote administration capabilities) can be carried directly
into TCP, using TCP port 445.
Thus, the netbt.sys driver of recent Windows systems (including Windows Server
2003) binds two sockets, one on TCP port 445 and one on UDP port 445.
The purpose of the UDP socket is, to the best of our knowledge, not documented.
These two sockets are bound to all network adapters (0.0.0.0):

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
To close these two sockets, it is possible to either:
- stop the NetBT driver
- set the SmbDeviceEnabled registry value to 0
The Server (srv) and Workstation (rdr) services depend on the NetBT driver, so
they must be stopped first:
C:\>net stop /y srv
The following services are dependent on the Server service.
Stopping the Server service will also stop these services.
Distributed File System
Computer Browser
The Distributed File System service was stopped successfully.
The Computer Browser service is stopping.
The Computer Browser service was stopped successfully.
The Server service is stopping.
The Server service was stopped successfully.
C:\>net stop rdr
The Workstation service is stopping.
The Workstation service was stopped successfully.
The netbt driver can then be stopped with the following command:
C:\>net stop /y netbt
The following services are dependent on the NetBios over Tcpip service.
Stopping the NetBios over Tcpip service will also stop these services.
TCP/IP NetBIOS Helper
The TCP/IP NetBIOS Helper service was stopped successfully.
The NetBios over Tcpip service was stopped successfully.
Because of services dependencies, if the NetBT driver is disabled, the startup
mode of the following services must be set to manual or disabled:
- Computer Browser service (Browser)
- Distributed File System service (Dfs)
- Server service (lanmanserver)
- Workstation service (lanmanworkstation)
- TCP/IP NetBIOS Helper (lmhosts)
To prevent netbt.sys from being started at the next system startup, its startup
mode must be set to manual:
C:\>sc config netbt start= demand
[SC] ChangeServiceConfig SUCCESS
Startup modes of all services that depend on it must also be modified:
C:\>sc config lmhosts start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config dfs start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config browser start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config lanmanserver start= demand
[SC] ChangeServiceConfig SUCCESS
C:\>sc config lanmanworkstation start= demand
[SC] ChangeServiceConfig SUCCESS
In addition, the Remote Registry service (RemoteRegistry) can be set to manual
as well: remote registry access goes through the winreg named pipe, carried
over SMB, so it cannot be reached once the Server service is stopped:
C:\>sc config remoteregistry start= demand
[SC] ChangeServiceConfig SUCCESS
4.5 DNS Client service (Dnscache)
The Windows Server 2003 DNS Client service is a caching DNS resolver used by
applications that need a DNS resolution service.
When started, the Dnscache service binds a UDP socket to communicate with DNS
servers on UDP port 53.
The UDP socket used by the Dnscache service appears in netstat's output:

  UDP    0.0.0.0:1029           *:*                                    912
                                                                       ^^^

912 corresponds to the svchost.exe instance that hosts the Dnscache service:

C:\>tasklist /svc /fi "pid eq 912"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 Dhcp, Dnscache
                                         ^^^^^^^^
^^^^^^^^
Stopping the Dnscache service closes the dynamic UDP port:
C:\>net stop dnscache
The DNS Client service is stopping.
The DNS Client service was stopped successfully.
4.6 RPC services listening on TCP
Windows Server 2003 LSA runs several RPC services that can be reached via a
dynamic TCP port:
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       508
                                                                       ^^^

As seen earlier, 508 corresponds to the LSA process (lsass.exe):

C:\>tasklist /svc /fi "pid eq 508"

Image Name                     PID Services
========================= ======== ============================================
lsass.exe                      508 ProtectedStorage, SamSs
The Task Scheduler service runs several RPC services and also opens a dynamic TCP
port:
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       992

Finally, the MSRPC portmapper and COM SCM, started by the RpcSs service both use
TCP port 135:

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       680

680 corresponds to the svchost.exe instance that hosts the RpcSs service:

C:\>tasklist /svc /fi "pid eq 680"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    680 RpcSs
                                   ^^^^^
^^^^^
In Windows Server 2003, the netsh rpc context can be used to specify that RPC
services listening on TCP ports (ncacn_ip_tcp protocol sequence) should only
bind to a specific network address.
Using netsh, it is possible to restrict these three RPC services so that they
only bind to the loopback IPv4 address (127.0.0.1):

C:\>netsh -c rpc
netsh rpc>show interfaces

Subnet           Interface        Status    Description
127.0.0.0        127.0.0.1        Enabled   MS TCP Loopback interface
192.70.106.128   192.70.106.144   Disabled  AMD PCNET Family PCI Ethernet Adapter

netsh rpc>show settings
Default
netsh rpc>add 127.0.0.0
netsh rpc>show settings
Add List
127.0.0.0
After a reboot, the three RPC services only bind to 127.0.0.1, as shown below:
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       740
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       788
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       516
4.7 Setting a port range for dynamic ports used by RPC services
By default, dynamic (TCP or UDP) ports opened by RPC servers are allocated in
the Windows default range of dynamic ports: 1025-5000.
It is possible to use a dedicated port range for these RPC services, so that it
is easier to identify running RPC services and to handle them on a packet filter.
The rpccfg tool, part of Windows Server 2003 Resource Kit tools, can be used to
set up a port range (5050-5070 in the following example):
C:\>rpccfg /pe 5050-5070
The following ports/port range will be used for Internet ports
5050-5070
Default port allocation is from Intranet ports
C:\>rpccfg /d 0
The following ports/port range will be used for Internet ports
5050-5070
Default port allocation is from Internet ports
Finally, the complete configuration of the RPC runtime can be displayed with the
/q option of rpccfg:
C:\>rpccfg /q
Admit List
     Subnet                Description
   1 127.0.0.0           1 MS TCP Loopback interface
The following ports/port ranges will be used for Internet ports
  5050-5070
Default port allocation is from Internet ports
After a reboot, the three remaining RPC services only bind to 127.0.0.1 and the
two RPC services that previously used dynamic ports from the default range
(1025-5000) now use the first two ports from the range for Internet ports (5050
and 5051):
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       752
  TCP    127.0.0.1:5050         0.0.0.0:0              LISTENING       844
  TCP    127.0.0.1:5051         0.0.0.0:0              LISTENING       516
5. Windows Server 2003 SP1
In Windows Server 2003 SP1, netstat gained the -b option, which directly
displays the executable that opened each socket and, for svchost.exe, the
Windows service it hosts.
The output of the netstat -anb command on a default Windows Server 2003 SP1
system is shown below:
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1244
  RpcSs
  [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       856
  [lsass.exe]
  TCP    192.70.106.144:139     0.0.0.0:0              LISTENING       4
  [System]
  UDP    0.0.0.0:4500           *:*                                    856
  [lsass.exe]
  UDP    0.0.0.0:500            *:*                                    856
  [lsass.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
  UDP    0.0.0.0:1026           *:*                                    1296
  Dnscache
  [svchost.exe]
  UDP    127.0.0.1:123          *:*                                    1344
  W32Time
  [svchost.exe]
  UDP    192.70.106.144:137     *:*                                    4
  [System]
  UDP    192.70.106.144:123     *:*                                    1344
  W32Time
  [svchost.exe]
  UDP    192.70.106.144:138     *:*                                    4
  [System]
It seems that in Windows Server 2003 SP1, the Task Scheduler service no longer
opens a TCP port for its RPC services.
Thus, compared to a default Windows Server 2003 system, there is one less
listening TCP socket on a default Windows Server 2003 SP1 system.
Otherwise, opened sockets are the same as the one found on a default Windows
Server 2003 system and the same methodology can be used.
6. Conclusion
Depending on the role and the environment, only a subset or all Windows Server
2003 network services will be minimized.
An isolated Windows Server 2003 system can be configured so that no listening
TCP port appears when it is scanned remotely with a network scanner.
However, when dealing with network services minimization, the most important
thing is not necessarily to close all ports but instead to determine which
network communications are needed, analyze the risks associated to the network
services and decide which network services are needed, must be hardened,
filtered or disabled.
7. List of TCP and UDP ports used by Windows Server 2003 network services
TCP:
135/tcp: Remote Procedure Call (RPC) service (RpcSs)
139/tcp: NetBIOS over TCP/IP driver (netbt.sys)
445/tcp: NetBIOS over TCP/IP driver (netbt.sys)
One dynamic TCP port (LSA RPC services): lsass.exe
One dynamic TCP port (RPC services): Task Scheduler service (schedule)
-> not in Windows Server 2003 SP1
UDP:
123/udp: Windows Time service (w32time)
137/udp, 138/udp: NetBIOS over TCP/IP driver (netbt.sys)
445/udp: NetBIOS over TCP/IP driver (netbt.sys)
500/udp, 4500/udp: IPSEC Services service (PolicyAgent)
One dynamic UDP port: DNS Client service (Dnscache)
For further information, see the list of network ports used by Windows systems
found in the #832017 Microsoft knowledge base article:
http://support.microsoft.com/?id=832017
Because the RpcSs service cannot be disabled and the lsass.exe process cannot be
stopped, a Windows Server 2003 system always has at least two listening TCP
sockets. They are confined to 127.0.0.1 only if the RPC runtime has been
configured explicitly with netsh (and, optionally, rpccfg), as shown earlier:

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       740
  TCP    127.0.0.1:5050         0.0.0.0:0              LISTENING       788
$Id: min_w2k3_net_srv.tip,v 1.10 2005/04/07 08:16:18 marchand Exp $
Friday, October 3, 2008
Tuesday, September 30, 2008
Basic Two Router Lab
2 Router Basic Configuration Lab
[Network diagram not reproduced: RouterA e0 172.16.12.1/24 and s0 172.16.10.1/24 (DCE end); RouterB s1 172.16.10.2/24 (DTE end) and e0 172.16.11.1/24]
Objective:
In this lab you will configure a simple network to allow two routers to route packets between two remote networks.
Requirements:
* Two Cisco routers with one Ethernet port and one serial port.
* Cisco IOS 10.0 or higher
* One PC for consoling into routers with terminal emulation software
* One serial cable
* One Cisco rollover cable
Setup:
Step 1: Physical Connections Connect the following interfaces:
* Console: Connect your PC/terminal to the console port using a rollover cable and HyperTerminal (9600-8-N-1-no flow)
* Ethernet: Connect Ethernet ports to a hub or a switch using a straight-through cable. Use a cross-over cable if going directly from the PC’s NIC to the Ethernet (AUI) port on the router using a transceiver.
* Serial: If going directly between two routers, don’t forget to connect one port via the DTE cable and the other via the DCE cable.
Step 2: Boot up the routers
Just say “no” to use the setup mode (setup dialogue). The setup mode will only allow you to configure the router with the basic features and not with any advanced features.
If asked if you would like to terminate the auto configuration; say “yes”.
Let the routers finish booting.
Step 3: Host Name and Passwords
Begin your configuration with the hostname and passwords. The hostname reminds you which router you are configuring, and now is the time to start thinking about router security: the password cisco and cleartext telnet used below are acceptable only on an isolated lab network; on a real router use a strong enable secret and, where the IOS image supports it, SSH (transport input ssh on the vty lines) instead of telnet.
RouterA
router>en
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#hostname RouterA (sets the router's name)
RouterA(config)#enable secret cisco (sets the enable secret for the router)
RouterA(config)#line vty 0 4 (a Cisco 2500 accepts five concurrent telnet sessions, vty 0 through 4; this selects all five so the login password is set on each of them)
RouterA(config-line)#login (makes the router require a password for a telnet session)
RouterA(config-line)#password cisco (sets the login password for all five telnet sessions to cisco)
RouterA(config-line)#exit
RouterA(config)#^Z (control+z takes you back to privileged exec mode)
RouterA#
RouterB
router>en
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#hostname RouterB (sets the router's name)
RouterB(config)#enable secret cisco (sets the enable secret for the router)
RouterB(config)#line vty 0 4 (selects all five telnet sessions, vty 0 through 4, on a Cisco 2500)
RouterB(config-line)#login (makes the router require a password for a telnet session)
RouterB(config-line)#password cisco (sets the login password for all five telnet sessions to cisco)
RouterB(config-line)#exit
RouterB(config)#^Z (control+z takes you back to privileged exec mode)
FYI: Any time you make a configuration change and return to privileged exec mode, save your changes to NVRAM. The running-config lives in volatile RAM, so if the router reboots you lose anything that was not saved to the startup-config. Any of the following commands saves your changes:
RouterA#copy running-config startup-config
Or
RouterA# copy run start
Or
RouterA#wr me (short for write memory)
Step 4: Adding IP Addresses
Adding IP addresses is a basic part of configuring a router. Below is an example of configuring both an Ethernet and a serial interface. The serial interface with the DCE end of the cable also needs clocking, set with the clockrate command. Take the IP addresses from the network diagram.
RouterA
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int e0
RouterA(config-if)#ip address 172.16.12.1 255.255.255.0
RouterA(config-if)# description LAN Network for RouterA
RouterA(config-if)# no shutdown
RouterA(config-if)#int s0
RouterA(config-if)#ip address 172.16.10.1 255.255.255.0
(RouterA has serial 0 with the DCE end of the serial cable; the partner router has serial 1 with the DTE end. Check the network diagram to confirm which router has which interface.)
RouterA(config-if)#clockrate 250000 (DCE interface only, which is s0 on RouterA)
RouterA(config-if)#no shutdown
RouterA(config-if)#description Network connection to RouterB
RouterB
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#int e0
RouterB(config-if)#ip address 172.16.11.1 255.255.255.0
RouterB(config-if)# description LAN Network for RouterB
RouterB(config-if)# no shutdown
RouterB(config-if)#int s1
RouterB(config-if)#ip address 172.16.10.2 255.255.255.0
RouterB(config-if)#no shutdown
RouterB(config-if)#description Network connection to RouterA
Once both routers are configured, you should be able to ping the serial interface of the neighbouring router (172.16.10.2 from RouterA, 172.16.10.1 from RouterB). The remote e0 is not reachable yet: neither router has a route to the other LAN until a routing protocol or a static route is added in the following steps.
If show ip route on either router does not list the directly connected networks, the interfaces are either not configured or never came up.
Confirm that the IP addressing took and that the interfaces came up with show ip int, which reports each interface's status and IP configuration.
RouterA# show ip route
RouterA# show ip int
Do this on both routers.
Step 5a: Adding Dynamic Routing: RIP
For a router to take part in dynamic routing with a protocol such as RIP or IGRP, you need to enable the routing protocol and advertise the directly connected networks that you want advertised. Only the classful network address is given, never a subnet mask: IOS converts network 172.16.12.0 to network 172.16.0.0 in the running configuration, so the single statement below enables RIP on both the Ethernet and the serial interface, and the two routers exchange updates over the serial link.
RouterA
RouterA>en
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#router RIP
RouterA(config-router)#network 172.16.12.0
RouterB
RouterB>en
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#router RIP
RouterB(config-router)#network 172.16.11.0
FYI: We advertise the network, not a particular host. Take RIP on RouterB as an example: we want RouterA to learn that any packet destined for the network 172.16.11.0 can be sent to RouterB, which has a directly connected entry in its routing table telling it which interface to send the packet to, in this case e0. If you only routed to 172.16.11.1, all you would ever reach is the e0 interface of RouterB and nothing else.
Test your configuration to ensure that it is configured properly by pinging from router to router. Check your routing table for entries that are preceded by a capital letter "R" to ensure that you are receiving routing updates using RIP. Ensure that your partner has finished configuring his router so that you can receive his updates. No updates, no ping.
Do a show ip protocol to see what routing protocol is configured on the routers.
Step 5b: Adding Dynamic Routing: IGRP
IGRP uses an autonomous system (AS) number, also called a process id. This number must be the same on all routers that are to share IGRP routing updates, otherwise they do not exchange them. Turn RIP off before you turn on IGRP. For this lab we'll be using an AS number of 100.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#no router rip
RouterA(config)#router igrp 100
RouterA(config-router)#network 172.16.12.0 (again, just the network portion of the IP for your Ethernet network, NO subnet mask)
RouterB
RouterB>en
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#no router rip
RouterB(config)#router igrp 100
RouterB(config-router)#network 172.16.11.0 (again, your Ethernet network IP NO Subnet Address)
Step 6: Adding Default Routes
Good candidates for default routes are boundary routers, the routers at the edge of a stub network. Inside the stub network the routers may use a dynamic routing protocol such as RIP, but a single static default route is enough to connect the stub network to the Internet.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
RouterB
RouterB>en
RouterB#config t
RouterB(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.1
Step 7: Adding Static Routes
A static route can be used for different reasons; one is to connect a router to another router in a lab. In this lab, remove the dynamic routing protocol before configuring static routes so that only the static entries appear in the routing table.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#no router igrp 100
RouterA(config)#ip route 172.16.11.0 255.255.255.0 172.16.10.2
What we are saying here is: for RouterA to reach the network 172.16.11.0, send the packet to the next hop 172.16.10.2, which is the serial 1 interface of RouterB. Since RouterB knows about its directly connected Ethernet network 172.16.11.0, it has a route for it in its routing table preceded by the letter "C" (see the next example).
RouterB#sh ip route
(Output omitted)
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.10.0 is directly connected, Serial1
C       172.16.11.0 is directly connected, Ethernet0
RouterB#
RouterB
RouterB>en
RouterB#
RouterB#config t
RouterB(config)#no router igrp 100
RouterB(config)#ip route 172.16.12.0 255.255.255.0 172.16.10.1
Step 8: Testing and Monitoring
At this point it is a good idea to start testing your network using various commands. Perform the following on both routers.
RouterA# show ip route
RouterA# show ip interface brief (shows the IP address and status of every interface)
RouterA# show controller s0 (shows whether the serial cable attached to the port is DCE or DTE)
RouterA# ping ip-address
RouterA# trace ip-address
RouterA# debug ip rip (remember to turn debugging off when done: undebug all, no debug all or un all)
RouterA# terminal monitor (sends debug and log output to your telnet session; without it, that output only goes to the console)
RouterA# terminal no monitor (turns monitoring off again in a telnet session)
Show commands
RouterA# show cdp neighbors
RouterA# show ip protocols
RouterA# show version
RouterA# show flash
RouterA# show ip route (shows the routing table)
RouterA# show memory
RouterA# show stacks
RouterA# show buffers
RouterA# show arp
RouterA# show processes
RouterA# show processes cpu
RouterA# show tech-support
Step 9: Finishing up
Once you have your routers up and working you may wish to run some commands to make working on Cisco routers easier and to stop some of the default annoying behavior of Cisco routers.
RouterA(config)# ip host RouterB 172.16.10.2 (configures a host table entry for the name RouterB, so you can ping it by name instead of remembering its IP address, the same as a hosts file on a computer. Typing RouterB on its own and pressing enter makes the router telnet to RouterB on port 23.)
RouterA(config)# no ip domain-lookup (when there is no DNS server and you mistype a single-word command, the router tries a DNS lookup by broadcasting to 255.255.255.255. This command turns off the lookup of a non-existent DNS server.)
RouterA(config)# banner motd #!!!!Warning! Authorized Access Only!!!!# (This message will be seen by anyone trying to logon to your router. The # sign is known as a delimiting character and is used to identify the text portion of the MOTD. Notice that the actual message starts and ends with the delimiting character)
RouterA(config)# no service config (when a Cisco router boots, its default behaviour is to try to find a configuration file on the network, broadcasting to 255.255.255.255. Use this command to stop that.)
RouterA(config)#no logging console (each time you leave a configuration level or bring an interface up, a message is printed on the console, which is distracting while you are typing. This command stops logging to the console altogether; if you would rather keep the messages but stop them from breaking up your command line, use logging synchronous under line console 0 instead.)
And don’t forget to…
RouterA# show running-config
RouterA# copy running-config startup-config
Miscellaneous
RouterA#? (the question mark can be used by itself or follow at the end of any partial command line to get the next part of the command syntax)
To have the router CLI finish a command for you, type a partial command and press the TAB key. For example, typing copy ru and pressing TAB completes it to copy running-config; adding st and pressing TAB again completes the line to copy running-config startup-config. This works because only one command begins with copy ru.
Editing Commands
Control-A: Moves to the beginning of the command line.
Control-E: Moves to the end of the command line.
Control-B: Moves back one character.
Control-F: Moves forward one character.
Esc-B: Moves back one word.
Esc-F: Moves forward one word.
History Commands
Control-P or the up arrow key: recalls the previous command.
Control-N or the down arrow key: recalls the next (more recent) command in the history buffer.
Tab key: completes the entry.
RouterA# show history
RouterA# terminal history
RouterA# terminal editing
RouterA# no terminal editing
FYI: This lab was designed to show you how to configure basic routing between two routers. If you would like to ping from a PC on one network (RouterA) to a PC on the other network (RouterB), you need to configure the PC on each LAN with a host IP address that belongs to the Ethernet network of its router. For example, the first available IP for a PC on the Ethernet network of RouterB is 172.16.11.2, since ".1" is already in use by the e0 interface of RouterB. The subnet mask on the PC must match the rest of the network, 255.255.255.0, and the default gateway of the PC is the e0 address that connects the LAN to RouterB.
When a PC needs to reach something that is not on its own LAN, it sends the packet to its default gateway (DFGW), the router's Ethernet interface on that LAN. For example, when you ping a PC on RouterB's Ethernet network from RouterA's LAN, the echo reply from that PC has to find its way back to the network on RouterA from which the request came. RouterB knows the path to RouterA's Ethernet network through a routing table entry, so the PC hands the reply to its default gateway, RouterB, which knows where to send it. Without a default gateway in the TCP/IP properties of the PC the ping fails: the request most likely reached the PC, but the reply had no way back.
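The reasoning above (a ping needs a route for the request and a route for the reply, and a PC without a default gateway cannot answer) can be checked without hardware. The script below is an added example, not part of the lab: it models RouterA, RouterB and one PC per LAN with the lab's addresses and walks an echo request and its reply hop by hop using longest-prefix match, the lookup IOS performs for every packet. The node names (PC-A, PC-B), the build_lab flags and the helper functions are this example's own; the addresses and routes are the lab's. It also covers the step 6 case (default routes pointing at each other) and shows what happens to a packet for a destination neither router knows.

```python
"""Hop-by-hop forwarding over the two-router lab (added example, not part of the lab).

Builds RouterA, RouterB and one PC per LAN with the lab's addresses, then walks an
echo request and its reply through the routing tables using longest-prefix match,
the lookup IOS does for every packet. The node names, build_lab flags and helper
functions are this example's own; the addresses and routes are the lab's.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

class Node:
    """A host or router: interface addresses plus a routing table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.addresses: Set[Addr] = set()
        self.routes: List[Tuple[Net, Optional[Addr]]] = []  # (prefix, next hop); None = connected

    def add_interface(self, cidr: str) -> None:
        iface = ipaddress.ip_interface(cidr)
        self.addresses.add(iface.ip)
        self.routes.append((iface.network, None))  # the "C" entry IOS installs for an up interface

    def add_route(self, prefix: str, next_hop: str) -> None:
        """`ip route <net> <mask> <next-hop>`; 0.0.0.0/0 is a default route (shown as S* by IOS)."""
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def next_hop(self, dst: Addr) -> Optional[Addr]:
        """Longest-prefix match. A connected route resolves to dst itself; None means no route."""
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        net, nh = max(matches, key=lambda r: r[0].prefixlen)
        return dst if nh is None else nh

def trace(nodes: List[Node], src: Node, dst: Addr, max_hops: int = 8) -> Tuple[List[str], bool]:
    """Follow one packet from src toward dst: (node names visited, delivered?)."""
    by_addr: Dict[Addr, Node] = {a: n for n in nodes for a in n.addresses}
    node, path = src, [src.name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return path, True
        nh = node.next_hop(dst)
        if nh is None or nh not in by_addr:
            return path, False  # no route, or the next hop is on no link we know of
        node = by_addr[nh]
        path.append(node.name)
    return path, False  # hop limit hit: the packet is bouncing between the routers

def ping(nodes: List[Node], src: Node, dst: Addr) -> Tuple[bool, bool, List[str], List[str]]:
    """Echo request then echo reply; both legs must be routable for the ping to succeed."""
    fwd_path, fwd_ok = trace(nodes, src, dst)
    if not fwd_ok:
        return False, False, fwd_path, []
    target = next(n for n in nodes if dst in n.addresses)
    back_path, back_ok = trace(nodes, target, next(iter(src.addresses)))
    return True, back_ok, fwd_path, back_path

def build_lab(route_mode: str = "static", pc_b_gateway: bool = True) -> Dict[str, Node]:
    """route_mode: "static" (step 7), "default" (step 6) or "none" (no route between the LANs)."""
    ra, rb, pca, pcb = Node("RouterA"), Node("RouterB"), Node("PC-A"), Node("PC-B")
    ra.add_interface("172.16.12.1/24")  # e0
    ra.add_interface("172.16.10.1/24")  # s0, DCE end
    rb.add_interface("172.16.11.1/24")  # e0
    rb.add_interface("172.16.10.2/24")  # s1, DTE end
    pca.add_interface("172.16.12.2/24")
    pcb.add_interface("172.16.11.2/24")
    pca.add_route("0.0.0.0/0", "172.16.12.1")  # PC default gateway = RouterA e0
    if pc_b_gateway:
        pcb.add_route("0.0.0.0/0", "172.16.11.1")  # PC default gateway = RouterB e0
    if route_mode == "static":
        ra.add_route("172.16.11.0/24", "172.16.10.2")
        rb.add_route("172.16.12.0/24", "172.16.10.1")
    elif route_mode == "default":
        ra.add_route("0.0.0.0/0", "172.16.10.2")
        rb.add_route("0.0.0.0/0", "172.16.10.1")
    return {n.name: n for n in (ra, rb, pca, pcb)}

def lab_ping(route_mode: str = "static", pc_b_gateway: bool = True):
    """Ping PC-B (172.16.11.2) from PC-A under the given lab configuration."""
    lab = build_lab(route_mode, pc_b_gateway)
    return ping(list(lab.values()), lab["PC-A"], ipaddress.ip_address("172.16.11.2"))

def lab_trace(route_mode: str, dst: str) -> Tuple[List[str], bool]:
    """Trace a single packet from PC-A to any address, e.g. one outside the lab."""
    lab = build_lab(route_mode)
    return trace(list(lab.values()), lab["PC-A"], ipaddress.ip_address(dst))

if __name__ == "__main__":
    for mode, gw in (("static", True), ("default", True), ("none", True), ("static", False)):
        fwd, back, fp, bp = lab_ping(mode, gw)
        print(f"routes={mode:<7} PC-B gateway={gw!s:<5} request {'->'.join(fp)}: "
              f"{'ok' if fwd else 'DROPPED'}; reply {'->'.join(bp) or '-'}: {'ok' if back else 'DROPPED'}")
    print("default routes, destination 10.0.0.1:", lab_trace("default", "10.0.0.1"))
```

With static or default routes and a gateway on both PCs the ping succeeds in both directions; with no routes the request is dropped at RouterA, and with the gateway missing on PC-B the request arrives but the reply is dropped on the PC, which is the failure the FYI describes. The last line shows the side effect of step 6: with default routes pointing at each other, a packet for an address neither router knows bounces between RouterA and RouterB until its TTL expires, so on a real boundary router the default route should point toward the Internet, not toward the other stub router.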
End of Lab
Basic Router Configuration Lab (No Answers)
Objective:
In this lab you will configure a simple network to allow two routers to route packets between two remote networks.
Requirements:
* Two Cisco routers with one Ethernet port and one serial port.
* Cisco IOS 10.0 or higher
* One PC for consoling into routers with terminal emulation software
* One serial cable
* One Cisco rollover cable
Setup:
Step 1: Physical Connections
Configure a console session to your router(s) from your PC.
Step 2: Boot up the routers
Do not use the setup mode (setup dialogue) or auto configuration to configure the router. Let the routers finish booting.
Step 3: Host Name and Passwords
Begin your configuration with the hostnames and passwords for both routers.
Configure RouterA and RouterB with their correct hostnames. Configure all telnet sessions on both routers with the password cisco. Exit back to privileged mode and save your current configuration.
Step 4: Adding IP Addresses
Configure the interfaces on both routers with the IP addresses given in the network diagram. Set a description on every interface. Set a clockrate of 250000 on the DCE end of the serial cable. Ensure the interfaces come up.
Step 5a: Adding Dynamic Routing: RIP
Configure both routers for dynamic routing using the routing protocol RIP. Advertise the appropriate networks on both routers.
Check both routers to see if they are receiving RIP routing updates from each other. Ensure connectivity between the routers by using the ping command. Remove RIP before starting step 5b.
Step 5b: Adding Dynamic Routing:
IGRP Configure both routers to use the routing protocol IGRP. Configure both routers to use the same AS number. Advertise the appropriate networks on both routers.
Check both routers to see if they are receiving IGRP routing updates from each other. Check to see what routing protocol the routers are using. Ensure connectivity between the routers by using the ping command. Remove IGRP before starting step 6.
Step 6: Adding Default Routes
Configure both routers with a default route to each other. Use the neighboring router as a smart gateway of last resort.
Check to ensure that the routers have a default route.
Ensure connectivity between the routers by using the ping command and pinging the interface e0 on each router.
Step 7: Adding Static Routes
Configure both routers with static routes to each routers remote network. Tell the routers how to find the path to each others Ethernet network.
Check to ensure that the routers have a static route.
Ensure connectivity between the routers by using the ping command and pinging the interface e0 on each router.
Step 8: Optimize the router performance.
Create a host table entry on each router to be able to ping the name of the router in lieu of the IP address.
Configure both routers to turn off ip domain-lookup so they do not try and use a DNS server.
Configure a MOTD on each router that warns of authorized access only.
Configure both router not to look for a network configuration when they startup.
Disable logging to the console screen on both routers.
Step 9:
Configure your PC(s) for connectivity on the network.
Ping from the PC connected on RouterA's Ethernet 0 network to the PC on the Ethernet 0 of RouterB. If you only have one PC, ping the interface Ethernet 0 on the either router.
End of Lab
Basic Router Configuration Lab
(Network diagram omitted; its DCE label marks the serial 0 end of the serial cable on RouterA, see Step 4.)
Objective:
In this lab you will configure a simple network to allow two routers to route packets between two remote networks.
Requirements:
* Two Cisco routers with one Ethernet port and one serial port.
* Cisco IOS 10.0 or higher
* One PC for consoling into routers with terminal emulation software
* One serial cable
* One Cisco rollover cable
Setup:
Step 1: Physical Connections Connect the following interfaces:
* Console: Connect your PC/terminal to the console port using a rollover cable and HyperTerminal (9600-8-N-1-no flow)
* Ethernet: Connect Ethernet ports to a hub or a switch using a straight-through cable. Use a cross-over cable if going directly from the PC’s NIC to the Ethernet (AUI) port on the router using a transceiver.
* Serial: If going directly between two routers, don’t forget to connect one port via the DTE cable and the other via the DCE cable.
Step 2: Boot up the routers
Say "no" when asked whether to enter the setup mode (setup dialogue). Setup mode only lets you configure the router's basic features, not the advanced ones.
If asked whether you would like to terminate the auto configuration (autoinstall), say "yes".
Let the routers finish booting.
Step 3: Host Name and Passwords
Begin your configuration with the hostname and passwords. This is to remind you of what router you are configuring and now's the time to start thinking about router security.
RouterA
router>en
router#
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#hostname RouterA (sets the router's name)
RouterA(config)#enable secret cisco (sets the privileged-mode password; enable secret stores it as an MD5 hash, unlike the older enable password, which is stored in a reversible form)
RouterA(config)#line vty 0 4 (there are five concurrent telnet sessions, vty 0 through 4, on a Cisco 2500 router; we are setting the login password on all five of them)
RouterA(config-line)#login (requires a password for a telnet session to the router; note that telnet carries that password across the network in cleartext)
RouterA(config-line)#password cisco (sets the login password for all five telnet sessions to cisco; it is kept in cleartext in the configuration unless service password-encryption is enabled, and even then it is only weakly obfuscated)
RouterA(config-line)#exit
RouterA(config)#^Z (control+Z takes you back to privileged EXEC mode)
RouterA#
RouterB
router>en
router#
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#hostname RouterB (sets the router's name)
RouterB(config)#enable secret cisco (sets the privileged-mode password, stored as an MD5 hash)
RouterB(config)#line vty 0 4 (the five telnet sessions, vty 0 through 4, on a Cisco 2500 router; we are setting the login password on all five of them)
RouterB(config-line)#login (requires a password for a telnet session to the router)
RouterB(config-line)#password cisco (sets the login password for all five telnet sessions to cisco)
RouterB(config-line)#exit
RouterB(config)#^Z (control+Z takes you back to privileged EXEC mode)
RouterB#
FYI: Any time you make a configuration change to a router and come back to privileged EXEC mode, you need to save your changes to NVRAM. This ensures that if the router reboots you won't lose your changes, which until then exist only in the running-config in volatile RAM. Any of the following commands saves your changes to the startup-config.
RouterA#copy running-config startup-config
Or
RouterA# copy run start
Or
RouterA#wr me (short for write memory)
Step 4: Adding IP Addresses
Adding IP addresses is a basic part of configuring routers. Below is an example of configuring both an Ethernet and a serial interface. For the serial interface with the DCE cable you will also need to add the clocking with the clockrate command. Get the IP addresses from the network diagram.
RouterA
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int e0
RouterA(config-if)#ip address 172.16.12.1 255.255.255.0
RouterA(config-if)# description LAN Network for RouterA
RouterA(config-if)# no shutdown
RouterA(config-if)#int s0
RouterA(config-if)#ip address 172.16.10.1 255.255.255.0
(RouterA has the DCE end of the serial cable on serial 0. The other router has the DTE end on serial 1. Check the network diagram to confirm which router has which interface.)
RouterA(config-if)#clockrate 250000 (DCE interface only, which is s0 on RouterA)
RouterA(config-if)#no shutdown
RouterA(config-if)#description Network connection to RouterB
RouterB
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#int e0
RouterB(config-if)#ip address 172.16.11.1 255.255.255.0
RouterB(config-if)# description LAN Network for RouterB
RouterB(config-if)# no shutdown
RouterB(config-if)#int s1
RouterB(config-if)#ip address 172.16.10.2 255.255.255.0
RouterB(config-if)#no shutdown
RouterB(config-if)#description Network connection to RouterA
Once both routers are configured properly, you should be able to ping the serial interface of the neighboring router (172.16.10.2 from RouterA, 172.16.10.1 from RouterB). Do not expect to reach the neighbor's e0 yet: neither router has a route to the other's Ethernet network until Step 5 adds one.
If you do a show ip route on both routers and do not see the directly connected networks in the routing table, the interfaces are either not configured or never came up.
Confirm that the IP addressing took and the interfaces came up by using show ip int and looking at each interface's status and IP address configuration.
RouterA# show ip route
RouterA# show ip int
Do this on both routers.
Step 5a: Adding Dynamic Routing: RIP
For this router to participate in dynamic routing with a protocol like RIP or IGRP, you need to enable the routing protocol and advertise the directly connected networks that you want advertised. We only advertise the classful network address, not the subnet mask. IOS converts network 172.16.12.0 to the classful network 172.16.0.0, which enables RIP on every interface whose address falls in that network, here both e0 and s0.
RouterA
RouterA>en
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#router RIP
RouterA(config-router)#network 172.16.12.0
RouterB
RouterB>en
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#router RIP
RouterB(config-router)#network 172.16.11.0
FYI: We need to advertise the network, not any particular host. Take enabling RIP on RouterB as an example: we want the other router (RouterA) to learn that any packet destined for the network 172.16.11.0 can be sent to RouterB, which has a directly connected entry in its routing table showing which interface to send the packet to, in this case e0. If you were only describing the single address 172.16.11.1, all you would be pointing at is the e0 interface on RouterB and nothing behind it.
Test your configuration to ensure that it is configured properly by pinging from router to router. Check your routing table for entries that are preceded by a capital letter "R" to ensure that you are receiving routing updates using RIP. Ensure that your partner has finished configuring his router so that you can receive his updates. No updates, no ping.
Do a show ip protocols to see what routing protocol is configured on the routers.
Step 5b: Adding Dynamic Routing: IGRP
IGRP uses an autonomous system (AS) number or process id. This number must be the same on all routers that want to share IGRP routing updates, otherwise they will not share them. Turn RIP off before you turn on IGRP. For this lab we'll be using an AS number of 100.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#no router rip
RouterA(config)#router igrp 100
RouterA(config-router)#network 172.16.12.0 (again, just the classful network address of your Ethernet network, no subnet mask)
RouterB
RouterB>en
RouterB#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterB(config)#no router rip
RouterB(config)#router igrp 100
RouterB(config-router)#network 172.16.11.0 (again, your Ethernet network address, no subnet mask)
Step 6: Adding Default Routes
Good candidates for default routes are boundary routers, the routers at the edge of a stub network. Inside the stub network the routers may be running a dynamic routing protocol like RIP, but only a single static default route is needed to connect the stub network to the Internet. Note that pointing two routers' default routes at each other, as this lab does for practice, means a packet for a destination neither router knows bounces between them until its TTL expires; in a real network only the stub side points its default route at the upstream router.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
RouterB
RouterB>en
RouterB#config t
RouterB(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.1
Step 7: Adding Static Routes
A static route can be used for different reasons; one is simply to connect to another router in a lab. Static routes can coexist with a dynamic routing protocol (a static route's administrative distance of 1 beats IGRP's 100), but for this lab turn off all routing protocols first so that only the static routes carry traffic.
RouterA
RouterA>en
RouterA#config t
RouterA(config)#no router igrp 100
RouterA(config)#ip route 172.16.11.0 255.255.255.0 172.16.10.2
What we are saying here is: for RouterA to reach the network 172.16.11.0, send the packet to the next hop 172.16.10.2, which is the serial 1 interface on RouterB. Since RouterB's Ethernet network 172.16.11.0 is directly connected, RouterB has a route for it in its routing table preceded by the letter "C" (see next example).
RouterB#sh ip route
(Output omitted)
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.10.0 is directly connected, Serial1
C 172.16.11.0 is directly connected, Ethernet0
RouterB#
RouterB
RouterB>en
RouterB#
RouterB#config t
RouterB(config)#no router igrp 100
RouterB(config)#ip route 172.16.12.0 255.255.255.0 172.16.10.1
Step 8: Testing and Monitoring
At this point it is a good idea to start testing your network using various commands. Perform the following on both routers.
RouterA# show ip route (shows the routing table)
RouterA# show ip interface brief (shows the IP address and status of every interface)
RouterA# show controllers s0 (shows whether the cable on the serial interface is DCE or DTE)
RouterA# ping ip-address
RouterA# trace ip-address
RouterA# debug ip rip (remember to turn debugging off when done: undebug all, no debug all or un all)
RouterA# terminal monitor (needed to see debug output from a telnet session; otherwise it goes only to the console. Caution: debug output then goes to every telnet session on the router.)
RouterA# terminal no monitor (turns monitoring off again for the telnet session)
Show commands
RouterA# show cdp neighbors
RouterA# show ip protocols
RouterA# show version
RouterA# show flash
RouterA# show memory
RouterA# show stacks
RouterA# show buffers
RouterA# show arp
RouterA# show processes
RouterA# show processes cpu
RouterA# show tech-support
Step 9: Finishing up
Once you have your routers up and working you may wish to run some commands to make working on Cisco routers easier and to stop some of the default annoying behavior of Cisco routers.
RouterA(config)# ip host RouterB 172.16.10.2 (configures a host table entry for the name RouterB, so instead of remembering RouterB's IP you can ping it by name. It is the same idea as a hosts file on a computer. If you just type RouterB and hit enter, the router assumes you want to telnet to RouterB on port 23.)
RouterA(config)# no ip domain-lookup (when there is no DNS server and you misspell a single-word command, the router treats it as a hostname and tries to resolve it with a DNS lookup sent to the broadcast address 255.255.255.255. This command turns that lookup off.)
RouterA(config)# banner motd #!!!!Warning! Authorized Access Only!!!!# (this message is shown to anyone connecting to the router. The # sign is the delimiting character that marks the start and end of the MOTD text; any character that does not appear in the message will do.)
RouterA(config)# no service config (when a Cisco router boots, its default behaviour is to try to fetch a configuration file from the network using several methods over the broadcast address 255.255.255.255. This command stops that.)
RouterA(config)# no logging console (each time you leave one mode of the router and return to the previous one, or bring an interface up, a message is printed on the console, which is distracting while you are typing. This command stops logging to the console. Be aware that you then also stop seeing error and link-state messages; on a production router it is usually better to keep console logging and add logging synchronous under line console 0 so the messages no longer interrupt what you are typing.)
And don’t forget to…
RouterA# show running-config
RouterA# copy running-config startup-config
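The Step 3 password settings and the Step 9 housekeeping commands are the parts of this lab a reviewer would check on a real router. The following script is an added example, not part of the original lab: it lints an IOS-style configuration for those settings, flagging an enable secret or vty password that is a well-known lab default, vty passwords kept in cleartext, telnet left enabled, and missing banner motd, no service config or no ip domain-lookup commands. Both configurations it reads are constructed here (the hardened one uses a dummy type-5 hash), and the check names and wording are the script's own.

```python
"""Lint the settings this lab touches in an IOS-style configuration (added example)."""

WEAK_PASSWORDS = {"cisco", "class", "password", "admin"}   # common lab/default values
HASHED_SECRET_TYPES = {"4", "5", "8", "9"}                  # 5 = MD5, 8 = PBKDF2, 9 = scrypt

# Constructed sample: RouterA as built in Steps 3 and 9 of this lab, written out
# the way it was typed (not captured from a real router).
LAB_CONFIG = """\
hostname RouterA
enable secret cisco
no service config
no ip domain-lookup
ip host RouterB 172.16.10.2
banner motd #!!!!Warning! Authorized Access Only!!!!#
no logging console
line vty 0 4
 password cisco
 login
"""

# Constructed hardened variant. The type-5 hash is a dummy placeholder, not a real digest.
HARDENED_CONFIG = """\
hostname RouterA
service password-encryption
enable secret 5 $1$dummy$placeholderNotARealHash
no service config
no ip domain-lookup
banner motd #Authorized access only. Activity is monitored.#
line console 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
"""


def parse(config):
    """Split a config into global commands and the commands under each `line` section."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    g, sections = parse(config)
    f = []
    secret = next((c.split() for c in g if c.startswith("enable secret ")), None)
    if secret is None:
        f.append("enable: no 'enable secret'; privileged mode relies on 'enable password' (reversible) or nothing")
    elif secret[2] not in HASHED_SECRET_TYPES and secret[2].lower() in WEAK_PASSWORDS:
        f.append(f"enable: secret '{secret[2]}' is a well-known lab/default password")
    if any(c.startswith("enable password ") for c in g):
        f.append("enable: 'enable password' present; it is stored cleartext or type 7, which is reversible")
    if "no logging console" in g:
        f.append("global: console logging disabled; prefer 'logging synchronous' under line console 0")
    for cmd, why in (("banner motd", "no warning banner for people connecting"),
                     ("no service config", "router will broadcast for a config file at boot"),
                     ("no ip domain lookup", "mistyped commands trigger broadcast DNS lookups")):
        if not any(c.replace("-", " ").startswith(cmd) for c in g):
            f.append(f"global: missing '{cmd}'; {why}")
    encrypted = "service password-encryption" in g
    for name, cmds in sections.items():
        if not name.startswith("vty"):
            continue
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            f.append(f"line {name}: no 'login'; remote sessions are accepted without any password")
        pw = next((c.split(None, 1)[1] for c in cmds if c.startswith("password ")), None)
        if pw is not None:
            if not encrypted and not pw.startswith("7 "):
                f.append(f"line {name}: password kept in cleartext (no 'service password-encryption')")
            if pw.lower() in WEAK_PASSWORDS:
                f.append(f"line {name}: password '{pw}' is a well-known lab/default password")
        if not any(c.startswith("transport input") and "telnet" not in c and "all" not in c for c in cmds):
            f.append(f"line {name}: telnet allowed (no 'transport input ssh'); the password crosses the wire in cleartext")
        if not any(c.startswith("exec-timeout") for c in cmds):
            f.append(f"line {name}: no 'exec-timeout'; idle sessions stay open indefinitely")
    return f


if __name__ == "__main__":
    for label, cfg in (("lab config", LAB_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for line in audit(cfg):
            print("  -", line)
```

Run against the lab configuration it reports six findings (the weak enable secret, the cleartext and weak vty password, telnet, no exec-timeout and the disabled console logging); the hardened variant passes every check. Type 7 passwords are treated as "not cleartext" only to mirror what the router itself does; they are trivially reversible and a secret (hashed) form should be preferred wherever the platform offers one.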
Miscellaneous
RouterA#? (the question mark can be used by itself or follow at the end of any partial command line to get the next part of the command syntax)
To have the router CLI finish a command for you, type a partial command and hit the TAB key. For example, type copy ru and hit TAB: the CLI completes it to copy running-config. Add st and hit TAB again, and the CLI completes the line to copy running-config startup-config. This works because only one keyword in that position begins with ru (and only one with st).
Editing Commands
Control-A: Moves to the beginning of the command line.
Control-E: Moves to the end of the command line.
Esc-B: Moves back one word.
Control-F: Moves forward one character.
Control-B: Moves back one character.
Esc-F: Moves forward one word.
History Commands
Control-P or up arrow key: recalls the previous command.
Control-N or down arrow key: recalls the next (more recent) command.
Tab key: completes the entry.
RouterA# show history
RouterA# terminal history
RouterA# terminal editing
RouterA# no terminal editing
FYI: This lab was designed to show you how to configure basic routing between two routers. If you want to ping from a PC on one network (RouterA) to a PC on the other network (RouterB), each PC needs a host IP that belongs to the Ethernet network of its router. For example, the first available IP for a PC on RouterB's Ethernet network is 172.16.11.2, since ".1" is already in use by the e0 interface on RouterB. The PC's subnet mask must match the rest of that network, 255.255.255.0 (the interfaces were configured with a /24 mask, so 255.255.0.0 would be wrong here), and its default gateway is the e0 address that connects the LAN to RouterB, 172.16.11.1.
So when a PC needs to reach something that is not on its own LAN, it sends the packet to its default gateway (DFGW), the router's Ethernet interface on that LAN. For example, if you ping a PC on RouterB's Ethernet network from RouterA's LAN, the echo reply from that PC has to find its way back to RouterA's network. The PC has no route for it, so it hands the reply to its default gateway, RouterB, which does have a routing table entry for RouterA's Ethernet network and forwards it. With no default gateway in the PC's TCP/IP properties, the reply never leaves the LAN, the ping times out and the attempt fails: chances are the echo request did reach the PC, but the reply had no way back.
End of Lab
Basic Router Configuration Lab NoAnswers
Objective:
In this lab you will configure a simple network to allow two routers to route packets between two remote networks.
Requirements:
* Two Cisco routers with one Ethernet port and one serial port.
* Cisco IOS 10.0 or higher
* One PC for consoling into routers with terminal emulation software
* One serial cable
* One Cisco rollover cable
Setup:
Step 1: Physical Connections
Configure a console session to your router(s) from your PC.
Step 2: Boot up the routers
Do not use the setup mode (setup dialogue) or auto configuration to configure the router. Let the routers finish booting.
Step 3: Host Name and Passwords
Begin your configuration with the hostnames and passwords for both routers.
Configure RouterA and RouterB with their correct hostnames. Configure all telnet sessions on both routers with the password cisco. Exit back to privileged mode and save your current configuration.
Step 4: Adding IP Addresses
Configure the interfaces on both routers with the IPs as per the network diagram. Set a description on all interfaces. Set the clockrate on the DCE end of the serial cable to 250000. Ensure the interfaces come up.
Step 5a: Adding Dynamic Routing: RIP
Configure both routers for dynamic routing using the routing protocol RIP. Advertise the appropriate networks on both routers.
Check both routers to see if they are receiving RIP routing updates from each other. Ensure connectivity between the routers by using the ping command. Remove RIP before starting step 5b.
Step 5b: Adding Dynamic Routing: IGRP
Configure both routers to use the routing protocol IGRP. Configure both routers to use the same AS number. Advertise the appropriate networks on both routers.
Check both routers to see if they are receiving IGRP routing updates from each other. Check to see what routing protocol the routers are using. Ensure connectivity between the routers by using the ping command. Remove IGRP before starting step 6.
Step 6: Adding Default Routes
Configure both routers with a default route to each other. Use the neighboring router as a smart gateway of last resort.
Check to ensure that the routers have a default route.
Ensure connectivity between the routers by using the ping command and pinging the interface e0 on each router.
Step 7: Adding Static Routes
Configure both routers with static routes to each routers remote network. Tell the routers how to find the path to each others Ethernet network.
Check to ensure that the routers have a static route.
Ensure connectivity between the routers by using the ping command and pinging the interface e0 on each router.
Step 8: Optimize the router performance.
Create a host table entry on each router to be able to ping the name of the router in lieu of the IP address.
Configure both routers to turn off ip domain-lookup so they do not try and use a DNS server.
Configure a MOTD on each router that warns of authorized access only.
Configure both routers not to look for a network configuration when they start up.
Disable logging to the console screen on both routers.
Step 9:
Configure your PC(s) for connectivity on the network.
Ping from the PC connected to RouterA's Ethernet 0 network to the PC on the Ethernet 0 of RouterB. If you only have one PC, ping the Ethernet 0 interface on either router.
End of Lab
Three Router Static Route Lab
Objective
In this lab, you will configure static routes between all three routers. This will allow your routers to route packets so that all routers and all hosts will be able to reach (ping) each other. Once your configuration is complete, you will use basic techniques to test your network’s connectivity.
Scenario
Three separate classful networks need routing between them and their subnets.
Questions:
* What are the different classful networks?
1. ________________
2. ________________
3. ________________
4. ________________
5. ________________
* Are there any subnets? If so, what are they?
1. _______________
2. _______________
3. _______________
4. _______________
5. _______________
Setup
* Configure the cabling as shown in the network diagram
* If the routers have a startup-config, erase it and perform a reload of the routers.
* Important! Configure the routers to include hostnames and the proper interface commands including IP addresses, subnet masks, etc. Each router should be able to ping the interface of the adjacent (neighboring) router and the host on its LAN (Ethernet) interface. Test and troubleshoot as necessary. Use the context-sensitive help, previous labs, your books and/or handouts, and if you're still having problems ask your partner or the instructor for assistance.
Step 1 – Configuring Static Routes
On each router configure a separate, specific static route for each remote network or subnet. You do not need static routes for the router's directly connected networks: as on a host, configuring an IP address and subnet mask on an interface tells the router that it belongs to that network or subnet.
Router1
* Router1(config)# ip route 172.16.3.0 255.255.255.0 172.16.2.1
* Router1(config)# ip route 192.168.2.0 255.255.255.0 192.168.1.1
Router2
* Router2(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2
* Router2(config)# ip route 192.168.1.0 255.255.255.0 172.16.2.2
* Router2(config)# ip route 192.168.2.0 255.255.255.0 172.16.2.2
Router3
* Router3(config)# ip route 172.16.1.0 255.255.255.0 192.168.1.2
* Router3(config)# ip route 172.16.2.0 255.255.255.0 192.168.1.2
* Router3(config)# ip route 172.16.3.0 255.255.255.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router# show ip route
o What routes to networks do you see?
o Which routes are static and which routes are directly connected?
o What is the administrative distance for a static route?
o What is the administrative distance for a directly connected network?
Questions:
* How does the next-hop-ip-address help with the routing process?
_____________________________________________.
* Does it give the entire route, i.e., subnet mask?
_________________
* What is it actually doing regarding the routing of the packet?
____________________________________________
* How does a packet get from Host 2 to Host 3?
____________________________________________
____________________________________________
____________________________________________
* Instead of a next-hop-ip-address, what else could you have used?
____________________________________________.
* What would you need to do if you added new networks or deleted/modified existing networks?
____________________________________________
____________________________________________
____________________________________________
* Is there any way to summarize several static routes to multiple subnets into a single static route?
_____________________________________________
_____________________________________________
_____________________________________________
Outputs
Router2#show ip route
(Output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
S 172.16.1.0 [1/0] via 172.16.2.2
C 172.16.2.0 is directly connected, Serial0
C 172.16.3.0 is directly connected, Ethernet0
S 192.168.1.0/24 [1/0] via 172.16.2.2
S 192.168.2.0/24 [1/0] via 172.16.2.2
Router1#show ip route
(output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
C 172.16.1.0 is directly connected, Ethernet0
C 172.16.2.0 is directly connected, Serial0
S 172.16.3.0 [1/0] via 172.16.2.1
C 192.168.1.0/24 is directly connected, Serial1
S 192.168.2.0/24 [1/0] via 192.168.1.1
Router3#show ip route
(Output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
S 172.16.1.0 [1/0] via 192.168.1.2
S 172.16.2.0 [1/0] via 192.168.1.2
S 172.16.3.0 [1/0] via 192.168.1.2
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
Step 2 – Configuring Summary Static Routes
The configuration of the routers in Step 1 works and is a valid way to configure routing on these networks. Earlier we noticed that the network 172.16.0.0 is divided into several subnets. Router3 does not really need a separate static route for each subnet, since all of the 172.16.0.0 subnets are reached via the same next-hop address, i.e. Router1. Let's reconfigure the static routes on Router3 so that it uses a single static route to reach all of the 172.16.0.0 subnets.
Router1
* No changes
Router2
* No changes
Router3
* First, remove the current static routes:
* Router3(config)# no ip route 172.16.1.0 255.255.255.0 192.168.1.2
* Router3(config)# no ip route 172.16.2.0 255.255.255.0 192.168.1.2
* Router3(config)# no ip route 172.16.3.0 255.255.255.0 192.168.1.2
* Now, add the new summary static route:
* Router3(config)# ip route 172.16.0.0 255.255.0.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router3# show ip route
o What routes to networks do you now see?
Questions:
* What made this new summary static route work for all subnets?
_____________________________________________________
_____________________________________________________
_____________________________________________________
* Why is a single summary static route an advantage regarding the size of the routing table?
_____________________________________________________
_____________________________________________________
_____________________________________________________
* Why is a single summary static route an advantage regarding future changes to the 172.16.0.0 network?
_____________________________________________________
_____________________________________________________
_____________________________________________________
Outputs
Router3#show ip route
(Output omitted)
Gateway of last resort is not set
S 172.16.0.0/16 [1/0] via 192.168.1.2
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
Step 3 – Configuring Default Static Routes
Both Step 1 and Step 2 are acceptable ways to configure routing for these networks. Notice that the 172.16.3.0/24 and 192.168.2.0/24 networks are "stub networks", meaning there is only one way out of each (via Router1). Router2 and Router3 therefore do not need specific routes at all: a single default route pointing at Router1 covers every destination that is not directly connected.
Router1
* No changes
Router2
* First, remove the current static routes:
* Router2(config)# no ip route 172.16.1.0 255.255.255.0 172.16.2.2
* Router2(config)# no ip route 192.168.1.0 255.255.255.0 172.16.2.2
* Router2(config)# no ip route 192.168.2.0 255.255.255.0 172.16.2.2
* Now, add the new default static route:
* Router2(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router3
* First, remove the current static routes:
* Router3(config)# no ip route 172.16.0.0 255.255.0.0 192.168.1.2
* Now, add the new default static route:
* Router3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router2# show ip route
o What routes to networks do you now see?
* Router3# show ip route
o What routes to networks do you now see?
Questions:
* Do you think static routes are still used even with dynamic routing (RIP, OSPF, etc.)?
_______________. Hint: Think about the administrative distance.
* Do you think default static routes are still used even with dynamic routing (RIP, OSPF, etc.)?
_______________.
* What is the disadvantage of doing this? How would a default static route be properly used in a real world network? (How would a company’s network use a default route when connecting to the Internet?)
________________________________________
________________________________________
________________________________________
Outputs
Router3#show ip route
(Output omitted)
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.1.2
Save your current configuration to NVRAM.
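How a router actually chooses among the connected, specific, summary and default routes configured in Steps 1 to 3 above (and in Steps 6 and 7 of the two-router lab) is worth seeing in code. The simulator below is an added example, not part of either lab: it builds each router's table from the same ip route lines the labs use, applies longest-prefix match with administrative distance as the tie-breaker, and forwards a packet hop by hop. The .1 host addresses on the Ethernet interfaces are assumptions, since the page only gives those networks. It also shows the failure mode of the two-router Step 6 configuration, where two routers pointing default routes at each other bounce a packet for an unknown destination until its TTL expires.

```python
"""Longest-prefix-match forwarding simulator for the lab topologies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]     # None means directly connected: exit via `interface`
    interface: Optional[str]
    ad: int                     # administrative distance: 0 connected, 1 static


class Router:
    def __init__(self, name, interfaces):
        """interfaces: {ifname: 'addr/len'} as configured with `ip address`."""
        self.name, self.routes, self.addrs = name, [], {}
        for ifname, cidr in interfaces.items():
            iface = ipaddress.IPv4Interface(cidr)
            self.addrs[ifname] = iface.ip
            self.routes.append(Route(iface.network, None, ifname, 0))   # the "C" entries

    def ip_route(self, line):
        """Apply an IOS `[no] ip route NET MASK NEXT-HOP` line exactly as typed."""
        parts = line.split()
        remove = parts[0] == "no"
        if remove:
            parts = parts[1:]
        net, mask, nh = parts[2], parts[3], parts[4]
        plen = bin(int(ipaddress.IPv4Address(mask))).count("1")   # dotted mask -> prefix length
        prefix = ipaddress.IPv4Network(f"{net}/{plen}")            # raises if host bits are set
        if remove:
            self.routes = [r for r in self.routes if (r.prefix, r.next_hop) != (prefix, nh)]
        else:
            self.routes.append(Route(prefix, nh, None, 1))         # the "S" entries

    def lookup(self, dst):
        """Longest matching prefix wins; lowest AD breaks a tie between equal prefixes."""
        dst = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if dst in r.prefix]
        return min(cands, key=lambda r: (-r.prefix.prefixlen, r.ad)) if cands else None

    def owns(self, addr):
        return ipaddress.IPv4Address(addr) in self.addrs.values()


def trace(routers, first, dst, ttl=16):
    """Forward one packet hop by hop starting at router `first`; returns (status, path)."""
    byname = {r.name: r for r in routers}
    r, path = byname[first], []
    while ttl > 0:
        path.append(r.name)
        route = r.lookup(dst)
        if route is None:
            return "no route", path
        if route.next_hop is None:              # destination network is directly connected
            return "delivered", path
        r = next((x for x in routers if x.owns(route.next_hop)), None)
        if r is None:
            return "next hop unreachable", path
        ttl -= 1
    return "ttl expired (loop)", path


def three_router_lab(step=1):
    """Router1-3 after Step 1, 2 or 3 of the lab. The .1 addresses on the Ethernet
    interfaces are assumptions; the page only gives the networks."""
    r1 = Router("Router1", {"Ethernet0": "172.16.1.1/24", "Serial0": "172.16.2.2/24",
                            "Serial1": "192.168.1.2/24"})
    r2 = Router("Router2", {"Ethernet0": "172.16.3.1/24", "Serial0": "172.16.2.1/24"})
    r3 = Router("Router3", {"Ethernet0": "192.168.2.1/24", "Serial0": "192.168.1.1/24"})
    r1.ip_route("ip route 172.16.3.0 255.255.255.0 172.16.2.1")
    r1.ip_route("ip route 192.168.2.0 255.255.255.0 192.168.1.1")
    if step == 3:                                                # default routes only
        r2.ip_route("ip route 0.0.0.0 0.0.0.0 172.16.2.2")
        r3.ip_route("ip route 0.0.0.0 0.0.0.0 192.168.1.2")
        return [r1, r2, r3]
    for net in ("172.16.1.0", "192.168.1.0", "192.168.2.0"):
        r2.ip_route(f"ip route {net} 255.255.255.0 172.16.2.2")
    if step == 2:                                                # summary route on Router3
        r3.ip_route("ip route 172.16.0.0 255.255.0.0 192.168.1.2")
    else:
        for net in ("172.16.1.0", "172.16.2.0", "172.16.3.0"):
            r3.ip_route(f"ip route {net} 255.255.255.0 192.168.1.2")
    return [r1, r2, r3]


def two_router_step6():
    """RouterA and RouterB from the two-router lab with only the Step 6 default routes."""
    a = Router("RouterA", {"Ethernet0": "172.16.12.1/24", "Serial0": "172.16.10.1/24"})
    b = Router("RouterB", {"Ethernet0": "172.16.11.1/24", "Serial1": "172.16.10.2/24"})
    a.ip_route("ip route 0.0.0.0 0.0.0.0 172.16.10.2")
    b.ip_route("ip route 0.0.0.0 0.0.0.0 172.16.10.1")
    return [a, b]


if __name__ == "__main__":
    print("Host 2 -> Host 3, step 1:", trace(three_router_lab(1), "Router2", "192.168.2.10"))
    print("Host 2 -> Host 3, step 3:", trace(three_router_lab(3), "Router2", "192.168.2.10"))
    print("RouterA -> unknown 10.1.1.1:", trace(two_router_step6(), "RouterA", "10.1.1.1"))
```

A packet from Host 2 to Host 3 takes the path Router2, Router1, Router3 whether Router2 holds three specific routes (Step 1) or a single default route (Step 3); the difference is only in table size and in what happens to traffic for destinations nobody has a route for. In the two-router Step 6 topology such a packet is passed back and forth until the TTL runs out, which is the loop the lab text warns about and the reason a default route should point away from the stub, never at a peer that points back.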
End of Lab
In this lab, you will configure static routes between all three routers. This will allow your routers to route packets so that all routers and all hosts will be able to reach (ping) each other. Once your configuration is complete, you will use basic techniques to test your network’s connectivity.
Scenario
Three separate classful networks need routing between them and their subnets.
Questions:
* What are the different classful networks?
1. ________________
2. ________________
3. ________________
4. ________________
5. ________________
* Are there any subnets? If so, what are they?
1. _______________
2. _______________
3. _______________
4. _______________
5. _______________
Setup
* Configure the cabling as shown in the network diagram
* If the routers have a startup-config, erase it and perform a reload of the routers.
* Important! Configure the routers to include hostnames and the proper interface commands including IP addresses, subnet masks, etc. Each router should be able to ping the interface of the adjacent (neighboring) router and the host on its LAN (Ethernet) interface. Test and troubleshoot as necessary. Use the context sensitive help, previous labs, your books and /or handouts and if your still having problems ask your partner or ask the instructor for assistance.
Step 1 – Configuring Static Routes
On each router configure a separate and specific static route for each network or subnet. You do not need to configure static routes for the router’s directly connected network(s) because like a host, by configuring the IP address and subnet mask on an interface tells the router that it belongs to that network/subnet.
Router1
* Router1(config)# ip route 172.16.3.0 255.255.255.0 172.16.2.1
* Router1(config)# ip route 192.168.2.0 255.255.255.0 192.168.1.1
Router2
* Router2(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2
* Router2(config)# ip route 192.168.1.0 255.255.255.0 172.16.2.2
* Router2(config)# ip route 192.168.2.0 255.255.255.0 172.16.2.2
Router3
* Router3(config)# ip route 172.16.1.0 255.255.255.0 192.168.1.2
* Router3(config)# ip route 172.16.2.0 255.255.255.0 192.168.1.2
* Router3(config)# ip route 172.16.3.0 255.255.255.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router# show ip route
o What routes to networks do you see?
o Which routes are static and which routes are directly connected?
o What is the administrative distance for a static route?
o What is the administrative distance for a directly connected network?
Questions:
* How does the next-hop-ip-address help with the routing process?
_____________________________________________.
* Does it give the entire route, i.e., subnet mask?
_________________
* What is it actually doing regarding the routing of the packet?
____________________________________________
* How does a packet get from Host 2 to Host 3?
____________________________________________
____________________________________________
____________________________________________
* Instead of a next-hop-ip-address, what else could you have used?
____________________________________________.
* What would you need to do if you added new networks or deleted/modified existing networks?
____________________________________________
____________________________________________
____________________________________________
* Is there any way to summarize several static routes to multiple subnets into a single static route?
_____________________________________________
_____________________________________________
_____________________________________________
Outputs
Router2#show ip route
(Output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
S 172.16.1.0 [1/0] via 172.16.2.2
C 172.16.2.0 is directly connected, Serial0
C 172.16.3.0 is directly connected, Ethernet0
S 192.168.1.0/24 [1/0] via 172.16.2.2
S 192.168.2.0/24 [1/0] via 172.16.2.2
Router1#show ip route
(Output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
C 172.16.1.0 is directly connected, Ethernet0
C 172.16.2.0 is directly connected, Serial0
S 172.16.3.0 [1/0] via 172.16.2.1
C 192.168.1.0/24 is directly connected, Serial1
S 192.168.2.0/24 [1/0] via 192.168.1.1
Router3#show ip route
(Output omitted)
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 3 subnets
S 172.16.1.0 [1/0] via 192.168.1.2
S 172.16.2.0 [1/0] via 192.168.1.2
S 172.16.3.0 [1/0] via 192.168.1.2
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
Step 2 – Configuring Summary Static Routes
The configuration of the routers in Step 1 works just great and is a valid way to configure routing on these networks. Earlier, we noticed that the network 172.16.0.0 is divided into several subnets. Router3 does not really need separate static routes for each subnet, since all of the 172.16.0.0 subnets can be reached via the same next-hop-ip-address, i.e. Router1. Let’s reconfigure the static routes on Router3 so that it only uses a single static route to reach all of the 172.16.0.0 subnets.
Router1
* No changes
Router2
* No changes
Router3
* First, remove the current static routes:
* Router3(config)# no ip route 172.16.1.0 255.255.255.0 192.168.1.2
* Router3(config)# no ip route 172.16.2.0 255.255.255.0 192.168.1.2
* Router3(config)# no ip route 172.16.3.0 255.255.255.0 192.168.1.2
* Now, add the new summary static route:
* Router3(config)# ip route 172.16.0.0 255.255.0.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router3# show ip route
o What routes to networks do you now see?
Questions:
* What made this new summary static route work for all subnets?
_____________________________________________________
_____________________________________________________
_____________________________________________________
* Why is a single summary static route an advantage regarding the size of the routing table?
_____________________________________________________
_____________________________________________________
_____________________________________________________
* Why is a single summary static route an advantage regarding future changes to the 172.16.0.0 network?
_____________________________________________________
_____________________________________________________
_____________________________________________________
Outputs
Router3#show ip route
(Output omitted)
Gateway of last resort is not set
S 172.16.0.0/16 [1/0] via 192.168.1.2
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
Step 3 – Configuring Default Static Routes
Both Step 1 and Step 2 are acceptable ways to configure routing for these networks. We notice that the 172.16.3.0/24 and the 192.168.2.0/24 networks are “stub networks,” meaning that there is only one way out (both via Router1). Router2 and Router3 can therefore each replace their static routes with a single default static route pointing at Router1.
Router1
* No changes
Router2
* First, remove the current static routes:
* Router2(config)# no ip route 172.16.1.0 255.255.255.0 172.16.2.2
* Router2(config)# no ip route 192.168.1.0 255.255.255.0 172.16.2.2
* Router2(config)# no ip route 192.168.2.0 255.255.255.0 172.16.2.2
* Now, add the new default static route:
* Router2(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2
Router3
* First, remove the current static routes:
* Router3(config)# no ip route 172.16.0.0 255.255.0.0 192.168.1.2
* Now, add the new default static route:
* Router3(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.2
Verify and Validate:
* All hosts and all routers should be able to ping every interface in the network.
* Do a “show running-config” and notice the static routes that you entered.
* Router2# show ip route
o What routes to networks do you now see?
* Router3# show ip route
o What routes to networks do you now see?
Questions:
* Do you think static routes are still used even with dynamic routing (RIP, OSPF, etc.)?
_______________. Hint: Think about the administrative distance.
* Do you think default static routes are still used even with dynamic routing (RIP, OSPF, etc.)?
_______________.
* What is the disadvantage of doing this? How would a default static route be properly used in a real world network? (How would a company’s network use a default route when connecting to the Internet?)
________________________________________
________________________________________
________________________________________
Outputs
Router3#show ip route
(Output omitted)
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, Serial0
C 192.168.2.0/24 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 192.168.1.2
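To make the behaviour behind Steps 1 to 3 concrete (longest-prefix match, administrative distance, the summary route of Step 2, the gateway of last resort of Step 3, and the Host 2 to Host 3 path asked about in Step 1), here is an added Python model of the three routers' tables. It is not IOS code and not part of the lab: the tables are rebuilt from the lab's ip route commands and show ip route outputs, while the OWNER mapping of next-hop addresses to routers, the host addresses such as 172.16.3.10 and the outside address 10.1.1.1 are assumptions constructed for the example. It also goes one step beyond the lab by showing what each step's table does with a destination that belongs to none of the lab networks, which is the point of the last question above.

```python
"""Model of the lab's static routing tables: longest-prefix match, administrative
distance and hop-by-hop forwarding. Added example, not IOS code or the lab's own."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: IPv4Network   # destination network
    via: str              # next-hop IP (static) or exit interface (connected)
    ad: int               # administrative distance: 0 connected, 1 static
    code: str             # 'C' or 'S', as printed by 'show ip route'


def connected(prefix: str, interface: str) -> Route:
    """Route the router derives from the address/mask configured on an interface."""
    return Route(IPv4Network(prefix), interface, 0, "C")


def ip_route(dest: str, mask: str, next_hop: str) -> Route:
    """Mirror of 'ip route <dest> <mask> <next-hop>'; static routes carry AD 1."""
    return Route(IPv4Network(f"{dest}/{mask}"), next_hop, 1, "S")


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest AD wins.
    Returns None when nothing matches and no default route exists (packet dropped)."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.ad))


def next_hop_for(table: List[Route], dst: str) -> Optional[str]:
    route = lookup(table, dst)
    return route.via if route else None


# Step 1 tables, built from the lab's 'ip route' commands and interface names.
STEP1: Dict[str, List[Route]] = {
    "Router1": [
        connected("172.16.1.0/24", "Ethernet0"),
        connected("172.16.2.0/24", "Serial0"),
        connected("192.168.1.0/24", "Serial1"),
        ip_route("172.16.3.0", "255.255.255.0", "172.16.2.1"),
        ip_route("192.168.2.0", "255.255.255.0", "192.168.1.1"),
    ],
    "Router2": [
        connected("172.16.2.0/24", "Serial0"),
        connected("172.16.3.0/24", "Ethernet0"),
        ip_route("172.16.1.0", "255.255.255.0", "172.16.2.2"),
        ip_route("192.168.1.0", "255.255.255.0", "172.16.2.2"),
        ip_route("192.168.2.0", "255.255.255.0", "172.16.2.2"),
    ],
    "Router3": [
        connected("192.168.1.0/24", "Serial0"),
        connected("192.168.2.0/24", "Ethernet0"),
        ip_route("172.16.1.0", "255.255.255.0", "192.168.1.2"),
        ip_route("172.16.2.0", "255.255.255.0", "192.168.1.2"),
        ip_route("172.16.3.0", "255.255.255.0", "192.168.1.2"),
    ],
}
# Assumed owner of each next-hop address, inferred from the lab's static routes.
OWNER = {"172.16.2.2": "Router1", "192.168.1.2": "Router1",
         "172.16.2.1": "Router2", "192.168.1.1": "Router3"}

SUMMARY = ip_route("172.16.0.0", "255.255.0.0", "192.168.1.2")  # Step 2
DEFAULT = ip_route("0.0.0.0", "0.0.0.0", "192.168.1.2")          # Step 3
ROUTER3_STEP2 = STEP1["Router3"][:2] + [SUMMARY]
ROUTER3_STEP3 = STEP1["Router3"][:2] + [DEFAULT]


def trace(tables: Dict[str, List[Route]], start: str, dst: str,
          max_hops: int = 8) -> List[str]:
    """Forward a packet router by router until a connected route delivers it
    (exit interface appended), nothing matches ('DROP'), or hops run out ('LOOP')."""
    path, router = [start], start
    for _ in range(max_hops):
        route = lookup(tables[router], dst)
        if route is None:
            return path + ["DROP"]
        if route.code == "C":
            return path + [route.via]
        router = OWNER[route.via]
        path.append(router)
    return path + ["LOOP"]


if __name__ == "__main__":
    # Constructed host addresses: Host 3 on 192.168.2.0/24, an outside address 10.1.1.1.
    print("Host 2 -> Host 3:", trace(STEP1, "Router2", "192.168.2.10"))
    for name, table in (("Step 1", STEP1["Router3"]), ("Step 2", ROUTER3_STEP2),
                        ("Step 3", ROUTER3_STEP3)):
        for dst in ("172.16.3.10", "10.1.1.1"):
            print(name, dst, "->", next_hop_for(table, dst))
```

Running it shows why the Step 2 summary is safe (every 172.16.x.y address falls inside 172.16.0.0/16, and if the summary is added before the /24 routes are removed, the /24 routes still win by longest prefix, so the order of the Step 2 commands does not break reachability) and what the Step 3 default route changes: with the Step 1 and Step 2 tables a packet for 10.1.1.1 is dropped because nothing matches, while with the default route Router3 forwards it to 192.168.1.2 regardless of whether that destination exists anywhere. That forwarding of unmatched traffic towards a single next hop is the behaviour to think about in the last question above.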
Save your current configuration to NVRAM.
End of Lab