Router - Terminal Server

This configurations sample shows how to setup a router with several low-speed async ports to act as a terminal server.    This is a really good idea where you have remote equipment that is very critical.  For example if you have rack-space in a data center this is a good way to provide out of band management when needed.  The idea behind this is that this router will connect to the console ports of the other networking equipment.  If you can get access to this router, you do what is referred to as a reverse telnet to console into all of the other equipment.  In this example we used an older model 2509, but you could do the same thing with any router that has multiple low speed async ports.  The 2509 router had a 68-pin connector that you could put an octal async cable on.  This breaks out the the 8 lines in the 68 pin connector and has an rj-45 plug at the end of each one.  Plug the rj-45 ends into the console ports of the other networking equipment and plug the 68 pin connector into the router.

#  This configuration was taken from an 2509 running 12.0 version of IOS.

#  I always like debug and log information to show the actual date and time and it is also good security
#  practice to make sure password-encryption is turned on.  

service timestamps debug datetime
service timestamps log datetime
service password-encryption

hostname Terminal-Server

enable secret ciscoconfigs


ip subnet-zero
no ip domain-lookup

#  Okay so here is where it comes together.  First of all we said the 2509 had 8 low speed async lines built 
#  into it that was coming out of the 68 pin connector.  Each line will be listed at the bottom of the config so
#  you will see in this case we have lines 1 - 8.  What we need to do is setup a host command for each device
#  we want to do a reverse telnet to.  The difference in this ip host command is that we include a port 
#  number.  The port number is what ties the host entry to the particular line.  The port number is always 
#  2000 + the line number.  We simply use an IP address that #  is defined in this router in the host name 
#  command.  So basically we created below 4 host entries that all had the same ip address that is defined on
#  this router but each with a different port number that will associate with the given line number.

ip host Internet-Router 2001 1.1.1.1
ip host Firewall 2002 1.1.1.1
ip host Frame-Router 2003 1.1.1.1
ip host Switch 2004 1.1.1.1


#  To ensure accurate time reporting set the timezone properly as well set the new daylight savings time
#  settings.

clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00!

#  We created a loopback interface specifically for the reverse telnet sessions.  We could have used any IP
#  address on the router, such as the Ethernet IP address, but used a loopback address to make sure it
#  is always up.  Another tip, it is very common to create an interface loopback0.  I try to stay away from that
#  because you might have a loopback0 interface that is performing a particular function. Then 6 months 
#  later someone else has the need to add a loopback interface.  They quickly go in and type in
#  interface loopback0 and put an address on it.  Just that quick they changed the ip address that you
#  already had in place and broke something.   If you take the CCIE lab, you will usually need several 
#  loopback interfaces.  If you use loopback0, in your haste later in the exam you might not remember
#  and think you are creating a new loopback0 interface and giving it an address, thereby, breaking 
#  something then.

interface Loopback99
 ip address 1.1.1.1 255.255.255.255
 no ip directed-broadcast

#  Basic IP address on the ethernet interface.  

interface Ethernet0
 ip address 10.1.1.50 255.255.255.0
 no ip directed-broadcast

# Didn't need the serial interface that comes standard so it is shutdown.

interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue

#  Basic commands

ip default-gateway 10.1.1.1

ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1


line con 0
 transport input none

#  Okay so here are the lines 1-8 that are on the router.  This is where the physical connections are made
#  to the rest of the equipment.  The statements apply to all lines.  We set a session-timeout to 30 minutes
#  andwe turn off the exec to make sure any devices can't start a console session into us.  We set up the
#  transport input to telnet so we can make are connections.

line 1 8
 session-timeout 30 
 no exec
 exec-timeout 0 0
 transport input telnet

#  We could add a modem and an analog line to the aux port.  This way if the network is down and we can't
#  telnet to this router, we could dial in to this router and then get console access to all the devices out of
#  band.  This config does not show that as you might need to add the appropriate modem commands here.

line aux 0
 password ciscoconfigs


line vty 0 4
 password ciscoconfigs

end



How it works:

So first you gain access to this router, either by telnet from the inside or by dial-in through the aux port.  Now you start a telnet session to each device by typing in the host name.  So if we type in "Internet-Router" the router will then start a telnet session to 1.1.1.1 but since we defined the port it sends the request back out the port that is associated to it.  Once we hit enter on that command we will be prompted for the login password on the Internet-Router.  To keep that session open and return to this router we would type Ctrl-Shift-6 then x.  You would then be brought back to the prompt of the terminal server router.  To go back to the Internet-Router just type 1 and hit enter.  The Ctrl-Shift-6 x sequence maintained this connection as session 1 so when you type 1 and hit enter, it will take you back to the Internet-Router.  So now we have one session to the Internet-Router.  If we type Firewall the same thing will happen except we will have a session 2.  This way from the terminal server you can bounce around between all of your devices without having to continually sign in.  If you forget which connection number is being used for which session you can enter the command show sessions on the terminal server and it will show them to you.
 . 

Router - Remote Access Server

This configuration snippet shows how to setup a router with a modem bank to act as a dial-in remote access server.  Believe it
or not in this day of broadband everywhere there are still folks who have reasons for keeping a dial-in remote access server.
These days it is more for a backup than anything else. 

#  This configuration was taken from an 2621 running 112.2(17a) IP Plus with a NM-16AM module.  This is a 16 port
#  analog modem bank.  

#  I always like debug and log information to show the actual date and time and it is also good security practice to make sure
#  password-encryption is turned on.

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname RAS-Router

logging buffered 4096 debugging
enable secret cisco


#  These are usernames that the dial-in users will need to use to complete the PPP authentication phase.

username cisco password cisco
username ciscoconfigs password ciscoconfigs


#  To ensure accurate time reporting set the timezone properly as well set the new daylight savings time settings.

clock timezone EST -5
clock summer-time DST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

#  The following command is needed to set the country code for these modems.

modem country microcom_hdms usa

#  It is always good to turn off source-routing on older routers where it is not the default.

ip subnet-zero
no ip source-route

no ip domain-lookup


#  This command enables the use of a global address-pool for the dial-in clients.  The dhcp-proxy-client tag
#  tells the router to act as a proxy dhcp client to an external DHCP server.  This way you don't have to 
#  define a local pool on the router and all your DHCP scopes are in one place.

ip address-pool dhcp-proxy-client

#  Basic IP addressing on an interface.  It is good practice to hard code speed and duplex on all your 
#  networking gear.

interface FastEthernet0/0
 ip address 10.1.1.30 255.255.255.0
 speed 100
 full-duplex

#  It's a 2621 so it has 2 FastEthernets but in this example we aren't using the second one so its shutdown.

interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto


#  The interface Group-Async1 command is used to lump the characteristics for all of the dial in 
#  interfaces.  This saves you from having to create an async interface for each modem line.  So to start
#  off we need to assign it as unnumbered to FastEthernet0/0.  We do this to enable the async 
#  interfaces to be able to process IP packets without actually having to use an IP address. 
#  In some cases it might be advantageous to bind it to a loopback interface instead of a physical 
#  interface.  In this case if this physical interface goes down, nobody is talking so its irrelevant here.  
#  We set the encapsulation type to ppp for a standard ppp connection.  We set to the async mode to 
#  interacive so it can take a slip or ppp command at the EXEC level.   The peer default ip address dhcp 
#  command tells the router that the remote peer that is dialing in will receive its ip address through dhcp.  
#  We then set the ppp authentication method to chap pap which is standard when setting up a ppp 
#  connection from a Microsoft client.  The client will need to authenticate with a username  defined
#  in the local database that was defined above.  We then assign the modem lines which are 33-48 to be
#  controlled by this group interface.

interface Group-Async1
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 async mode interactive
 peer default ip address dhcp
 ppp authentication chap pap
 group-range 33 48


#  This router is running EIGRP so it can receive all of the routes from the rest of the interal network.
#  We do not want to attempt to propagate EIGRP routes over the dial lines so we set the group-async1 
#  interface to passive mode.  We set the network value to 10.0.0.0 which basically states that we will run 
#  EIGRP on any network interface on this router that falls under the class A address of 10.x.x.x.
#  Therefore we see that the only interface that will participate in EIGRP is the FA0/0 interface.

router eigrp 1
 passive-interface Group-Async1
 network 10.0.0.0
 auto-summary

#  IP Classless is always used with EIGRP

ip classless
no ip http server

#  It is good security practice to set up your read and write community strings to something other than
#  public and private.  


snmp-server community ciscoconfigs-pub RO
snmp-server community ciscoconfigs-priv RW



line con 0

#  Line 33 - 48 are the modem lines.  First of all we use the flush-at-activation command to get rid of
#  any garbage that my be in the modem line buffer before we bring up the connection.  We then set 
#  the modem to allow incoming calls with the modem Dialin command, then we set the transport input 
#  to all.  We then use the autoselect ppp command to tell the router to start PPP once we receive
#  PPP packets from the dial-in user.  

line 33 48
 flush-at-activation
 modem Dialin
 transport input all
 autoselect ppp

#  Standard aux and vty 0 4 definitions

line aux 0
line vty 0 4
 password cisco
 login

end

Router - BGP Conditional Advertisement

This configuration snippet shows how to setup an Internet facing router connected to two ISPs.  One ISP is 
connected with a 3Mb/s Ethernet connection, while the other provider is connected with a 1.544Mb/s T1.  
Typically with BGP you can control which provider you send your output to, but you don't have much control 
as to which provider you will receive your input from.  In this scenario, the basic BGP configuration had 
all of the input traffic coming in the lower speed T1.  We tried to make suggestions to the ISP by prepending 
the AS path multiple times, as well as various other methods of which none of them worked.  The problem 
is that since all of the traffic inbound was heading over the T1, the pipe was getting full and traffic was slowing 
down.  We couldn't take advantage of the 3Mb/s speed from the other provider.  To solve this issue we used 
BGP Conditional Advertisements.  The idea is that we will only advertise our network to the ISP on the T1, if 
we don't see the default route that is being advertised from the ISP on the 3Mb/s pipe.  So since we do not 
advertise our network to the T1 ISP, that ISP does not propagate routes for our network.  So now all traffic
will flow inbound from the 3Mb/s pipe.  If the connection to the 3Mb/s pipe is broken, or if we stop receiving 
routing advertisements from the 3Mb/s provider, then the router will start automatically advertising our network 
address to the T1 ISP, who will then propagate our routes.  Then all the inbound traffic will once again flow back
in on the T1.  This process takes about 60 seconds to converge.  This is a good solution for unequal bandwidth 
connections to providers where the inbound traffic is heavily weighted on the lower bandwidth connection.
 
#  This configuration was taken from an ISR 2801 running 12.3(14)T4 SP Services.
   
#  I always like debug and log informatio to show the actual date and time and it is also 
#  good security practice to make sure password-encryption is turned on.

service timestamps debug datetime
service timestamps log datetime
service password-encryption

hostname Internet-Rtr


logging buffered 4096 debugging
enable secret 5 $1$a5qj$ZSB5BF6RNzM26vsJTeiec0

aaa new-model


aaa authentication login default local
aaa authorization exec default local 

aaa session-id common

resource policy

#  To ensure accurate time reporting set the timezone properly as well set the new daylight savings time settings.

clock timezone est -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00


mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

#  This is an Internet connected router to make sure source routing is turned off

no ip source-route
ip cef

no ip dhcp use vrf connected

ip domain name ciscoconfigs.net
no ftp-server write-enable


#  Defined local usernames with two different levels of access.

username admin privilege 15 password ciscoconfigs
username monitor privilege 9 password ciscoconfigs

archive
 log config
  logging enable

#  This interface is connected to the provider in Autonomous System 200.  This provider is bringing in a 3Mb/s
#  connection over Cat5.  We filter the inbound traffic using access-list 110.

interface FastEthernet0/0
 description Connection to 3Mb/s provider
 ip address 192.168.254.2 255.255.255.252
 ip access-group 110 in
 speed 10
 full-duplex

#  This interface is the inside network.  Normally this would be a public IP address.  We simply changed it
#  to protect the innocent ;)

interface FastEthernet0/1
 description Inside Interface
 ip address 10.1.1.1 255.255.255.0
 speed 100
 full-duplex

#  This interface is connected to the provider in Autonomous System 100.  This provider is bringing in a 1.544Mb/s 
#  connection over a T1.  Again we filter inbound traffic using access-list 110

interface Serial0/3/0
 description Connection to 1.544Mb/s provider
 ip address 192.168.100.2 255.255.255.252
 ip access-group 110 in
 service-module t1 timeslots 1-24

#  Here is the BGP section.  It is broken into certain sections.  The first few lines deal with general BGP parameters.
#  Then there are specific sections for each provider.  Router BGP 10 tells the router that we will run the BGP 
#  protocol and that our Autonomous System number is 10.  BGP normally only advertises a route if it is already
#  known via an interiorl routing protocol (OSPF, EIGRP, RIP, etc.)  The no sync command means that this 
#  BGP process can advertise a route even if it is not in an interior routing protocol.  The log-neighbor-changes will
#  kick off a log entry when the neighbor connections go up and down.

router bgp 10
 no synchronization
 bgp log-neighbor-changes

#  In BGP the network command works differently than in other routing protocols.  Normally the network command
#  defines which interfaces will participate in the given routing protocol.  For BGP the command identifies the
#  network that will originate from this router.  This is basically the network we want to advertise to the two 
#  providers.  So in this case we want to advertise our network to the providers.

 network 10.1.1.0

#  Now the following statements are specific to the neighbor in AS 100 across the T1 pipe.  The first statement
#  simply defines the neighbor as well as that neighbors AS number.  The second statement assigns a 
#  Cisco defined BGP metric called Weight to routes that are being advertised from this neighbor.  In this 
#  case we have asked the provider to only provide us with a default route since we are not a transit AS.
#  So when that provider advertises a default route to us, we will assign the weight of 500 to it.  Good practice
#  for BGP peering is set up a distribution list that defines what networks you will advertise to the provider.
#  In this case distribute-list command says that we will only advertise routes that are in access-list 15, which
#  simply has our public address.  (In this case it is 10.1.1.0 though).  The final command - advertise-map is
#  only listed on this peer.  
#
#  First the problem - After we set up basic BGP with each provider we found that all traffic was coming back
#  in through this provider.  The problem is that this is the 1.5Mb/s provider not the 3Mb/s provider.  So basically
#  we are choking our inbound traffic.  Given this traffic pattern we decided that it would be best to force the 
#  inbound traffic to come in through the other provider.  This statement helps us acheive our goal.  This is 
#  what is says.  This router will only advertise "networks defined in the route-map named ADVERTISE" if
#  and only if "routes that are defined in the route-map named NON-EXISTS" do not appear in the BGP 
#  routing table.  For instance if the other provider (AS 200) is providing us with a default route, then that connection
#  is up and running fine, therefore we will not advertise our network to this provider (AS 100).  If we don't advertise
#  our network to this provider (AS 100) then he will not advertise it out, so no one knows about this route into our
#  network thereby forcing inbound traffic to come in from the other provider (AS 200) who has the bigger pipe.
#
#  Now if the BGP peer connection goes down to the neighbor in AS200, we will no longer receive a default route
#  from that neighbor.  In that case the default route which is defined in the NON-EXIST route map will not be 
#  the BGP routing table.  In that case we will start advertising our network to the provider in AS 100 since our
#  network is listed in the route map ADVERTISE.  There is around 30-60 secs of down time as things converge.

 neighbor 192.168.100.1 remote-as 100
 neighbor 192.168.100.1 weight 500
 neighbor 192.168.100.1 distribute-list 15 out
 neighbor 192.168.100.1 advertise-map ADVERTISE non-exist-map NON-EXIST

#  Here are are peering statements to the neighbor in AS 200 across the 3Mb/s pipe.  Again we define that
#  the neighbor and define his AS number as 200.  Normally eBGP neighbors are directly connected.  In this
#  case the BGP peer in AS 200 is not directly connected to us.  We need to define this with the use of the 
#  ebgp-multihop command.  We then added a weight of 1000 to any routes advertised to us from this neighbor.
#  If we have identical routes advertised to us from both providers, the route from this neighbor will take
#  precedence since it will have a higher weight.  Since we are only getting a default route from each 
#  provider will choose to send our outbound traffic out over this peer as long as they are connected.

 neighbor 192.168.200.1 remote-as 200
 neighbor 192.168.200.1 ebgp-multihop 255
 neighbor 192.168.200.1 weight 1000
 neighbor 192.168.200.1 distribute-list 15 out
 no auto-summary

ip classless

#  Since we are not direclty connected to the BGP neighbor in AS 200, we need to add a static route so 
#  we can reach them.

ip route 192.168.200.1 255.255.255.255 192.168.254.1

#  This is an AS-PATH access-list that defines an AS-path that last came from AS 200.

ip as-path access-list 1 permit ^200

no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000

#  Normally this router would be on the outside of a firewall.  This access-list is used on the virtual
#  terminal lines to only allow this address to be able to gain telnet access.  

access-list 2 permit 10.1.1.2

#  This acl is used in the BGP distribution-list defined in the router BGP section above.

access-list 15 permit 10.1.1.0

#  Used in the route map ADVERTISE to list the network that we want to advertise via BGP if the
#  conditions are met.

access-list 60 permit 10.1.1.0 0.0.0.255

#  Used in the route map NON-EXIST to list the network that we want to make sure does not exist before
#  we advertise the route in ADVERTISE.

access-list 65 permit 0.0.0.0

#  Access-list 110 is not 100% accurate for this snippet.  In this example we have changed the IP addresses
#  to all belong to RFC 1918 private addresses.    The idea behind this access-list is to block any inbound 
#  packets  that are coming from a null address, a loopback address, any of the RFC 1918 addresses because
#  these should not be routed on the Internet anyways (however most ISPs do not perform ingress filtering so
#  they typically aren't stopping someone from sourcing packets with these addresses), and then finally we
#  want to block anyone from sending packets in sourced with your public address.  In this example it would
#  be 10.1.1.0 network, however, normally this would be a public address and the 10 net should be blocked
#  from coming in.  So the X.X.X.0 should be your public address.  So basically we filter out a lof garbage from
#  coming in and then let everything else in.  Hopefully there is a firewall behind this router as well.

access-list 110 deny   ip host 0.0.0.0 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip X.X.X.0 0.0.0.255 any log
access-list 110 permit ip any any
access-list compiled

#  It is good security practice to set up your read and write community strings to something other than
#  public and private.  In this example we also used the access list that defines which hosts we
#  will actually accept an snmp request from.

snmp-server community ciscoconfigs-readonly RO 2
snmp-server community ciscoconfigs-readwrite RW 2
snmp-server enable traps tty

#  Here is the route-map that BGP Conditional Advertisement will use.  This matches a default
#  route coming from AS 200.

route-map NON-EXIST permit 10
 match ip address 65
 match as-path 1

#  Here is the other route-map that BGP Conditional Advertisement will use.  This matches our
#  network that we want to advertise.

route-map ADVERTISE permit 10
 match ip address 60

control-plane

#  Since we have created the username monitor above and gave it a privilege level of 9, we are
#  defining the types of commands that a level 9 user can issue.  A level 15 can do anything.
#  This way we set administrative access to this box that can look but not change anything.

privilege exec level 9 traceroute
privilege exec level 9 ping
privilege exec level 9 show startup-config
privilege exec level 9 show running-config
privilege exec level 1 show

#  On the console and virtual terminal ports 0 - 4 we set the login to local so that we will use user authentication
#  against the local database.  A username was added near the beginning of this configuration.  In addition
#  the logging synchronous command helps you type in commands when the screen is scrolling.  If you are halfway
#  through your command and a console message popped up on the screen it would then take the part of the 
#  command that you already typed in a put it on a new line for you instead of breaking your command accross
#  console messages.  

line con 0
 login local
 logging synchronous
line aux 0
line vty 0 4
 access-class 2 in
 login local
 logging synchronous
 transport input telnet

#  It is always good to have a time server configured so all of your network devices will have the correct
#  time.  This is important when trying to correlate events between devices and logs.

ntp server 128.105.39.11
end