Wednesday, September 25, 2013

Lesson 2: Routing

Great job!

Your LAN has been a phenomenal success, and now the CEO is asking you to expand upon the network that you built in Lab #1. After all, this is the 21st Century, and employees expect to have Internet access. Think about it...isn't there more than just a grain of truth in this old joke:


Admit it -- most likely, that's how you found this page, isn't it? :) Anyway...your job is to set up a router to connect your fledgling network to the Internet. You will continue to use the 192.168.1.0/24 network for the LAN, and your ISP has assigned the IP address 100.64.1.22/24 for the outside interface of the router. Set up a basic config on the router (hostname, console, aux and telnet/ssh access), and create a default route to the Internet from your internal network.

Start by connecting FastEthernet0/0 on the LAN switch from Lesson 1 to FastEthernet0/0 on the router (I'm using a 2651 router) with a straight-through Ethernet cable. How can you tell if it's a straight-through or cross-over Ethernet cable? Well, if you hold the ends of the cable in your hand with the clip facing your palm, the wires should be orange-white, orange, green-white, blue, blue-white, green, brown-white, brown from left to right on both cables -- if one end starts with orange-white, orange...and the other end starts with green-white, green...then you've got a cross-over cable, and it won't work. Now connect a laptop or desktop computer to another port on the LAN switch with a second straight-through cable, then connect a console cable to the router and to the serial port on your PC, just like we did in Lesson 1. Once you've got a console connection to the router, type the following list of commands to program the router:

Router# conf t
Router(config)# hostname lab2651rtr
lab2651rtr(config)# enable secret mysecretpassword
lab2651rtr(config)# username root password mysecretpassword
lab2651rtr(config)# ip subnet zero
lab2651rtr(config)# no ip domain-lookup
lab2651rtr(config)# ip domain-name example.com
lab2651rtr(config)# interface FastEthernet0/0
lab2651rtr(config-if)# description LAN
lab2651rtr(config-if)# ip address 192.168.1.1 255.255.255.0
lab2651rtr(config-if)# speed 100
lab2651rtr(config-if)# full-duplex
lab2651rtr(config-if)# interface Serial0/0
lab2651rtr(config-if)# shutdown
lab2651rtr(config-if)# interface FastEthernet0/1
lab2651rtr(config-if)# description Internet
lab2651rtr(config-if)# ip address 100.64.1.22 255.255.255.0
lab2651rtr(config-if)# speed 10
lab2651rtr(config-if)# half-duplex
lab2651rtr(config-if)# interface Serial0/1
lab2651rtr(config-if)# shutdown
lab2651rtr(config-if)# exit
lab2651rtr(config)# ip classless
lab2651rtr(config)# ip route 0.0.0.0 0.0.0.0 100.64.1.1
lab2651rtr(config)# banner motd ~
Enter TEXT message. End with the character '~'.
########################################
# WARNING!!! Unauthorized use is       #
# prohibited, etc., etc. Insert dire   #
# warnings here for any who would      #
# attempt to gain access beyond their  #
# authorized privileges, etc., etc.    #
########################################
~
lab2651rtr(config)# line con 0
lab2651rtr(config-line)# exec-timeout 30 0
lab2651rtr(config-line)# password mysecretpassword
lab2651rtr(config-line)# logging synchronous
lab2651rtr(config-line)# line 33 48
lab2651rtr(config-line)# flush-at-activation
lab2651rtr(config-line)# line aux 0
lab2651rtr(config-line)# password mysecretpassword
lab2651rtr(config-line)# line vty 0 4
lab2651rtr(config-line)# password mysecretpassword
lab2651rtr(config-line)# login local
lab2651rtr(config-line)# transport input telnet
lab2651rtr(config-line)# exit
lab2651rtr(config)# exit
lab2651rtr#


That's a lot of typing. Make sure that you typed everything correctly, then make sure you can still access the router through the console port and through telnet. If everything is working properly, then enter one more command:

lab2651rtr# write mem

IMPORTANT!!! Do NOT run the "write mem" command until you are SURE that you can still get access to the router! If you botched a config, you can always power the router off to restore it to its previous state, but once you have run the "write mem" command, rebooting the router will not restore the old config!

A lot of what was entered above may look like gibberish at first. That's okay. Trust me -- as you start to use the Cisco command-line interface, you'll get used to the commands, and they will start to make more sense. For now, there are a couple of things that I want to point out. I started the config by setting the hostname and domain name. These help you to identify the router (and the domain name is required if you want to set up SSH access to the router, which I will discuss later). Next, I set the "enable secret" password, and created a user account and password for telnet access. This can be a little confusing, but keep in mind that creating the user "root" and setting the user's password allows you to telnet (or SSH) to the router, while the "enable secret" password provides the user with permission to enter the "privileged exec" mode. Farther down in the config, I created passwords for all of the lines (console, aux and VTY) which allow management access to the router.

After setting the root user's password and the "enable secret" password, I configured interface "FastEthernet0/0". The "description" line is optional, but helps you make sure you are working with the correct interface when troubleshooting or configuring the router. Next, we set the IP address of the interface to 192.168.1.1, and set the subnet mask to 255.255.255.0 -- basically, just another way of saying that this is a /24 subnet. A full discussion of subnet masks, classless addressing and such is a bit beyond the scope of this lesson, which is already growing long enough, but for now, let's just accept that this is a way of specifying that we can address up to 254 hosts on the network we just created. Google "CIDR" if you want more information ;) Also, in the interface config, I set speed and duplex for the network interfaces. Originally, the Ethernet specification for twisted pair (CAT-3 and later, CAT-5 and CAT-6 cable) only allowed for speeds of 10Mbps and half-duplex (only one host on a wire can transmit at a time). Later, the Ethernet spec was expanded to 100Mbps (FastEthernet) and full-duplex operation (both hosts on a wire can send and receive at the same time), and now you can find network interfaces that support speeds of up to 10Gbps. I set the interface that is connected to the LAN switch to operate at 100Mbps, full-duplex and the interface that is connected to the ISP router (a 3640 router, in my home lab network) to operate at 10Mbps and half-duplex, since that is what the unused port on my 3640 would support.

After setting the network interfaces, I included the line "ip route 0.0.0.0 0.0.0.0 100.64.1.1." In this line, I am telling the router that all traffic destined for an IP address that does not exist in its routing table should be forwarded to 100.64.1.1 (the ISP router). This is known as a "default gateway" or "gateway of last resort." This is common on a LAN network -- the only way to reach anything not on the local LAN is through the ISP's routers, so anything that isn't local to the LAN router is forwarded to the ISP's routers.

At this point, you may be tempted to try to ping the ISP router from your laptop, but if you do, you will find that the ping request times out. This is because, even though you have a route to the ISP router, the ISP router doesn't know how to reach the network inside your LAN -- it's a private network, and you have only statically configured a route to the Internet, so your traffic will make it outbound, but not back inbound. But don't despair -- there's a solution, called "Network Address Translation" or "NAT", and in our next lab, we will show you how to set up your router to NAT your private network so that you can actually talk to other hosts on the Internet.

Extra Credit: If you just can't wait until the next lab, you can always create a static route to 192.168.1.0/24 on the ISP router. Assuming you are on a Cisco router, log in and run these commands:

ISP# conf t
ISP(config)# ip route 192.168.1.0 255.255.255.0 100.64.1.22
ISP(config)# exit


...then try pinging to the ISP router again. This should work. If not, try to figure out why.
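To see why the ping fails before the extra-credit route and works after it, here is a small longest-prefix-match simulation of the two routing tables from this lesson (added example, not part of the original post; the tables, the laptop address 192.168.1.10 and the helper names are constructed for illustration):

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop (or 'connected') for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Constructed table for lab2651rtr: one connected route per interface, plus the
# default route from the config ("ip route 0.0.0.0 0.0.0.0 100.64.1.1").
LAN_ROUTER = [
    ("192.168.1.0/24", "connected"),   # FastEthernet0/0, the LAN
    ("100.64.1.0/24", "connected"),    # FastEthernet0/1, link to the ISP
    ("0.0.0.0/0", "100.64.1.1"),       # gateway of last resort
]

# Constructed table for the ISP router: it only knows the link subnet ...
ISP_ROUTER_BEFORE = [
    ("100.64.1.0/24", "connected"),
]

# ... until the static route back to the LAN is added
# ("ip route 192.168.1.0 255.255.255.0 100.64.1.22").
ISP_ROUTER_AFTER = ISP_ROUTER_BEFORE + [
    ("192.168.1.0/24", "100.64.1.22"),
]

def ping_path(lan_table, isp_table, src="192.168.1.10", dst="100.64.1.1"):
    """Return (outbound next hop, return next hop) for an echo request from src to dst.

    None in the second position means the ISP router has no route for the reply,
    which is exactly the "request timed out" case described in the lesson.
    """
    outbound = lookup(lan_table, dst)
    reply = lookup(isp_table, src)
    return outbound, reply

if __name__ == "__main__":
    print("before static route:", ping_path(LAN_ROUTER, ISP_ROUTER_BEFORE))
    print("after static route: ", ping_path(LAN_ROUTER, ISP_ROUTER_AFTER))
```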
