This document shows how to rebuild the baseline state of the various infrastructure devices in the XNetwork. In the configuration commands below, comments run from "//" to the end of the line. Comments are not part of the command.
The following procedures can be used to initialize the routers and switches to their pristine state. The intent is to keep a baseline-config always available so the devices can easily be restored to a baseline configuration. Note that the procedures described here assume the enable secret is known. If it is not, a more complex recovery procedure is needed (not documented here).
For the routers:
Router> enable
Router# erase startup-config // Restores to Cisco defaults.
Router# copy baseline-config startup-config // Restores to XNetwork baseline configuration.
Router# reload
For the switches:
Switch> enable
Switch# show flash // To check for vlan.dat.
Switch# delete vlan.dat // Only if vlan.dat exists.
Switch# erase startup-config
Switch# copy baseline-config startup-config
Switch# reload
We are using a very basic configuration for now. Obviously use S2 for the hostname on switch 2.
Switch> enable
Switch# configure terminal
Switch(config)# hostname S0
S0(config)# enable secret hotdog
S0(config)# exit
// The following commands are done by SE/IT faculty after the full configuration.
S0# copy running-config startup-config
S0# copy running-config baseline-config
Switch S0 has span monitoring configuration so that a monitoring system, running tshark, snort, or some other tool, can view the traffic on the 192.168.0.0/24 subnetwork. Note that R1 is connected to port 0/1, Alpha is connected to port 0/22, and Mu's eth1 interface (for "normal" usage) is connected to port 0/23. The destination of the monitoring is interface port 0/24, currently connected to Mu's eth2 interface.
S0(config)# monitor session 1 source interface FastEthernet 0/1
S0(config)# monitor session 1 source interface FastEthernet 0/2
S0(config)# monitor session 1 source interface FastEthernet 0/22
S0(config)# monitor session 1 source interface FastEthernet 0/23
S0(config)# monitor session 1 destination interface FastEthernet 0/24
We are using a very basic configuration for now. Obviously use S3 for the hostname on switch 3.
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# enable secret hotdog
S1(config)# exit
// The following commands are done by SE/IT faculty after the full configuration.
S1# copy running-config startup-config
S1# copy running-config baseline-config
R2 is configured in a similar way to R1, except the network addresses are appropriately different. Also, R2 does not have anything connected to its Serial0/0/1 interface.
The basics. Note that the banner text is delimited by '#' characters (which you must type).
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# enable secret hotdog
R1(config)# no ip domain lookup
R1(config)# banner motd #
Warning! Unauthorized access is prohibited!
#
R1(config)# ipv6 unicast-routing
// The following commands are done by SE/IT faculty after the full configuration.
R1# copy running-config startup-config
R1# copy running-config baseline-config
Configure the interfaces, both IPv4 and IPv6.
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip address 192.168.0.1 255.255.255.0
R1(config-if)# ipv6 address FD25:F376:7B60:1000::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# ipv6 address FD25:F376:7B60:1001::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface Serial0/0/0
R1(config-if)# ip address 192.168.255.1 255.255.255.252
R1(config-if)# ipv6 address FD25:F376:7B60:1004::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface Serial0/0/1
R1(config-if)# ip address 192.168.255.5 255.255.255.252
R1(config-if)# ipv6 address FD25:F376:7B60:1005::5/64
R1(config-if)# no shutdown
R1(config-if)# exit
Router R2 should have its serial line configured as a DCE. This is done by specifying the clock rate explicitly on that side when configuring the line. Note that the Packet Tracer model is using a clock rate of 128000 because 115200 isn't an option in Packet Tracer.
R2(config-if)# clock rate 115200
Next, OSPF routing...
R1(config)# router ospf 10
R1(config-router)# network 192.168.0.0 0.0.0.255 area 0
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 192.168.255.0 0.0.0.3 area 0
R1(config-router)# network 192.168.255.4 0.0.0.3 area 0
R1(config-router)# exit
R1(config)# ipv6 router ospf 60
R1(config-rtr)# router-id 0.0.0.1
R1(config-rtr)# exit
R1(config)# interface FastEthernet 0/0
R1(config-if)# ipv6 ospf 60 area 0
R1(config-if)# interface FastEthernet 0/1
R1(config-if)# ipv6 ospf 60 area 0
R1(config-if)# interface Serial0/0/0
R1(config-if)# ipv6 ospf 60 area 0
R1(config-if)# interface Serial0/0/1
R1(config-if)# ipv6 ospf 60 area 0
R1(config-if)# exit
... and similarly for R2, with appropriate changes to the addresses and router ID.
On router R1 set a default route to Mu (which may eventually be configured as a NAT gateway to the VTSU LAN). It is also necessary to configure R1 to propagate the default information.
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.0.99
R1(config)# router ospf 10
R1(config-router)# default-information originate
R1(config-router)# exit
Now, Console access. Unlike Packet Tracer, the real 1841 requires the use of an AAA authentication database. Adding a simple line password has no effect by itself, and the `login` command is taken as "incomplete." Furthermore, `login local` is an error. The commands below set up the console to not require user authentication at all.
R1(config)# line console 0
R1(config-line)# logging synchronous
R1(config-line)# exec-timeout 15
R1(config-line)# exit
Now, SSH access. The routers use a 2048-bit RSA key. Notice that even though the `login local` command is not used, SSH access still requires that one of the defined users logs in.
It would be preferred for the student user to log in at privilege level 0 and then enable an appropriate view to gain access to functionality. However, even if privilege level 0 is specified in the `username` command, the user still logs in at privilege level 1. Perhaps the procedure is to have the student log in directly to the desired, restricted-access view.
R1(config)# ip domain-name cislab.vermontstate.edu
R1(config)# username admin privilege 15 secret hamburger
R1(config)# username student privilege 1 secret frenchfry
R1(config)# crypto key generate rsa // Enter 2048 at the modulus-size prompt.
R1(config)# ip ssh version 2
R1(config)# line vty 0 15
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# logging synchronous
R1(config-line)# exec-timeout 15
R1(config-line)# exit
R1(config)# exit
Finally, to lock this configuration down, save everything.
R1# copy running-config startup-config
R1# copy running-config baseline-config
Student users must not execute either of the commands above to ensure the devices can be easily recovered should there be a configuration mishap.
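The SSH access settings and the saved baseline described above can both be checked offline from captured configuration text. The following Python is an added example, not part of the original procedure: `sections`, `audit_remote_access` and `drift` are hypothetical helper names, and both configuration captures are constructed samples.

```python
import re

# Constructed sample: remote-access lines of a stored baseline capture.
BASELINE = """\
enable secret 5 $1$constructed
username admin privilege 15 secret 5 $1$constructed
ip ssh version 2
line vty 0 4
 exec-timeout 15 0
 login local
 transport input ssh
"""
# Constructed later capture of the same device after unapproved changes.
CURRENT = (BASELINE.replace("input ssh", "input telnet ssh")
           + "username guest password 0 constructed\n")

def sections(config):
    """Map each top-level command to the indented sub-commands under it."""
    out, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith(("!", "Building", "Current")):
            continue
        if line[0] == " " and parent is not None:
            out[parent].append(line.strip())
        else:
            parent = line.strip()
            out.setdefault(parent, [])
    return out

def audit_remote_access(config):
    """Return findings for the SSH and vty settings this page configures."""
    sec, findings = sections(config), []
    if "ip ssh version 2" not in sec:
        findings.append("SSH protocol version 2 is not enforced")
    for name, body in sec.items():
        m = re.match(r"(username \S+|enable) (.* )?password\b", name)
        if m:  # 'password' is stored in cleartext or reversible type 7
            findings.append(m.group(1) + ": uses 'password' instead of 'secret'")
        if name.startswith("line vty") and "transport input ssh" not in body:
            findings.append(name + ": accepts transports other than SSH")
        if name.startswith("line vty") and "exec-timeout 0 0" in body:
            findings.append(name + ": idle sessions never time out")
    return findings

def drift(baseline, current):
    """Return (removed, added) commands, each keyed by its parent section."""
    def flat(c):
        return {(p, s) for p, subs in sections(c).items() for s in [""] + subs}
    base, cur = flat(baseline), flat(current)
    return sorted(base - cur), sorted(cur - base)
```

A non-empty result from `drift` means the device no longer matches its baseline and is a candidate for the restore procedure at the top of this document.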
The basic configuration is the same as for R1 and R2. Note that the banner text is delimited by '#' characters (which you must type).
Router> enable
Router# configure terminal
Router(config)# hostname Shangri-La
Shangri-La(config)# enable secret hotdog
Shangri-La(config)# no ip domain lookup
Shangri-La(config)# banner motd #
Warning! Unauthorized access is prohibited!
#
Shangri-La(config)# ipv6 unicast-routing
Configure the interfaces.
Shangri-La(config)# interface FastEthernet 0/0
Shangri-La(config-if)# ip address 10.0.1.254 255.255.255.0
Shangri-La(config-if)# ipv6 address FD25:F376:7B60:1006::FE/64
Shangri-La(config-if)# no shutdown
Shangri-La(config-if)# exit
Shangri-La(config)# interface Serial0/0/0
Shangri-La(config-if)# ip address 192.168.255.6 255.255.255.252
Shangri-La(config-if)# ipv6 address FD25:F376:7B60:1005::6/64
Shangri-La(config-if)# clock rate 115200
Shangri-La(config-if)# no shutdown
Shangri-La(config-if)# exit
Shangri-La should have its serial line configured as a DCE. This is done by specifying the clock rate explicitly as above. Note that the Packet Tracer model is using a clock rate of 128000 because 115200 isn't an option in Packet Tracer.
Next, OSPF routing.
Shangri-La(config)# router ospf 10
Shangri-La(config-router)# network 10.0.1.0 0.0.0.255 area 0
Shangri-La(config-router)# network 192.168.255.4 0.0.0.3 area 0
Shangri-La(config-router)# exit
Shangri-La(config)# ipv6 router ospf 60
Shangri-La(config-rtr)# router-id 0.0.0.3
Shangri-La(config-rtr)# exit
Shangri-La(config)# interface FastEthernet 0/0
Shangri-La(config-if)# ipv6 ospf 60 area 0
Shangri-La(config-if)# interface Serial0/0/0
Shangri-La(config-if)# ipv6 ospf 60 area 0
Shangri-La(config-if)# exit
Now, Console access. Unlike Packet Tracer, the real 1841 requires the use of an AAA authentication database. Adding a simple line password has no effect by itself, and the `login` command is taken as "incomplete." Furthermore, `login local` is an error. The commands below set up the console to not require user authentication at all.
Shangri-La(config)# line console 0
Shangri-La(config-line)# logging synchronous
Shangri-La(config-line)# exec-timeout 15
Shangri-La(config-line)# exit
Now, SSH access. The router uses a 2048-bit RSA key. Notice that even though the `login local` command is not used, SSH access still requires that one of the defined users logs in.
It would be preferred for the student user to log in at privilege level 0 and then enable an appropriate view to gain access to functionality. However, even if privilege level 0 is specified in the `username` command, the user still logs in at privilege level 1. Perhaps the procedure is to have the student log in directly to the desired, restricted-access view.
Shangri-La(config)# ip domain-name cislab.vermontstate.edu
Shangri-La(config)# username admin privilege 15 secret hamburger
Shangri-La(config)# username student privilege 1 secret frenchfry
Shangri-La(config)# crypto key generate rsa // Enter 2048 at the modulus-size prompt.
Shangri-La(config)# ip ssh version 2
Shangri-La(config)# line vty 0 15
Shangri-La(config-line)# transport input ssh
Shangri-La(config-line)# login local
Shangri-La(config-line)# logging synchronous
Shangri-La(config-line)# exec-timeout 15
Shangri-La(config-line)# exit
Shangri-La(config)# exit
Finally, to lock this configuration down, save everything.
Shangri-La# copy running-config startup-config
Shangri-La# copy running-config baseline-config
Student users must not execute either of the commands above to ensure the devices can be easily recovered should there be a configuration mishap.
A very basic configuration for now.
Switch> enable
Switch# configure terminal
Switch(config)# hostname Portal
Portal(config)# enable secret hotdog
Portal(config)# exit
// The following commands are done by SE/IT faculty after the full configuration.
Portal# copy running-config startup-config
Portal# copy running-config baseline-config
The addresses below are appropriate for StudentR1. Modify the addresses as needed for the other routers.
Router> enable
Router# configure terminal
Router(config)# hostname StudentR1
StudentR1(config)# enable secret hotdog
StudentR1(config)# no ip domain lookup
StudentR1(config)# banner motd #
Warning! Unauthorized access is prohibited!
#
StudentR1(config)# interface FastEthernet 0/0
StudentR1(config-if)# ip address 172.18.0.1 255.254.0.0
StudentR1(config-if)# no shutdown
StudentR1(config-if)# exit
StudentR1(config)# interface FastEthernet 0/1
StudentR1(config-if)# ip address 10.0.1.1 255.255.255.0
StudentR1(config-if)# no shutdown
StudentR1(config-if)# exit
StudentR1(config)# router ospf 10
StudentR1(config-router)# network 172.18.0.0 0.1.255.255 area 0
StudentR1(config-router)# network 10.0.1.0 0.0.0.255 area 0
StudentR1(config-router)# exit
StudentR1(config)# line console 0
StudentR1(config-line)# logging synchronous
StudentR1(config-line)# exec-timeout 15
StudentR1(config-line)# exit
StudentR1(config)# ip domain-name cislab.vermontstate.edu
StudentR1(config)# username admin privilege 15 secret hamburger
StudentR1(config)# username student privilege 1 secret frenchfry
StudentR1(config)# crypto key generate rsa
StudentR1(config)# ip ssh version 2
StudentR1(config)# line vty 0 15
StudentR1(config-line)# transport input ssh
StudentR1(config-line)# login local
StudentR1(config-line)# logging synchronous
StudentR1(config-line)# exec-timeout 15
StudentR1(config-line)# exit
StudentR1(config)# exit
StudentR1# copy running-config startup-config
StudentR1# copy running-config baseline-config
The student switches are almost entirely without configuration. Only their hostnames have been set to facilitate identifying one switch from the other when working at the IOS command prompt.
The console server gives you access to the console lines on the student routers and switches.
TODO: Finish documenting the configuration of Connie!
Last Revised: 2024-01-03
© Copyright 2024 by Peter Chapin <peter.chapin@vermontstate.edu>