Re: 2811 router config dissection

On pon, 21 lip 2008 o 18:35 GMT, glearng@gmail.com wrote:

There is no magic way... just use Cisco Command Lookup Tool and other
cisco documentation.

http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.pl


--
Slawomir Kawala
slwkk@alternatywa.net

Re: 2811 router config dissection


I agree with Slawomir.  This is a breakdown of some of the lines from the
configuration.  Lines omitted are less relevant.  I am phrasing some of this
in a general context as not to get too detailed and lose the meaning of the
result.

     > service timestamps debug datetime localtime
     > service timestamps log datetime localtime

Put a timestamp in the output of the "show log" command and in debug
messages on screen.

     > no service password-encryption

Do not encrypt the passwords when the "show running-config" command is
executed.

     > hostname xxxxxxxxx

This is the device name which will show in the command prompt.

     > logging buffered 65536 debugging

This sets the size of the "show log" capacity to hold log messages and
declares the highest level of logging, debugging.

     > enable secret 5 xxxxxxxxxxxxxxxxx

The enable mode password in an encrypted format.  Look for a 5 or 7 before
encrypted passwords to help indicate that they are shown encrypted.

     > no aaa new-model

AAA is authentication, authorization, and accounting.  This particular form
of the command indicates that there is not any AAA in use and that logins
will be processed against the passwords here in the configuration.

     > clock timezone MST -7
     > clock summer-time MDT recurring
     > clock calendar-valid

Time zone information, pretty self descriptive.

     > ip subnet-zero

Subnet zero is a default setting that I will go ahead and describe.  This
concept is that if a range of IP addresses is subnetted, or broken down into
smaller segments, that the lower range of addresses is usable.  It is to
correct an old concept of address range segmentation which was kind of
wasteful.

     > ip cef

CEF is Cisco Express Forwarding, a method of more rapidly passing traffic
between interfaces.  Without knowing these commands right off, you will very
likely not need to consider this setting in what you are doing.

     > ip domain name xxxxxxxxxxxxxxx

Self explanatory, sets the device domain name.  This might come into play if
you enable SSH logins to this device for management or are having the router
lease an IP address using DHCP from a server that makes DNS updates of the
DHCP clients.

     > no ip dhcp use vrf connected
     > ip dhcp excluded-address 10.101.20.1
     > ip dhcp excluded-address 10.101.20.1
     > !
     > ip dhcp pool VOIP
     > network 10.101.2.12 255.255.255.128
     > default-router 10.101.20.12
     > option 150 ip 10.2.1.5 10.2.1.6
     > !
     > ip dhcp pool DATA
     > network 10.101.2.0 255.255.255.128
     > default-router 10.10.2.1
     > dns-server 10.4.0.1 10.4.0.1

A router can be a DHCP server.  There are two IP address ranges set up on
this router.  If a DHCP request comes to the router on the router interface
in the 10.101.2.0/25 range, it provides an IP address from the VOIP address
pool.  If a DHCP request comes to the router on the router interface in the
10.101.2.0/25 range, it provides an IP address from the DATA pool.  IP
address 10.101.20.1 will not be issued to any DHCP client.

Now that I have written that, I see that as a problem.  Perhaps "ip dhcp
pool DATA" should have had the command "network 10.10.2.0 255.255.255.128"
instead of "network 10.101.2.0 255.255.255.128".  The excluded-address
section also contains a repeat, possibly mis-entered into this e-mail.

     > no ip domain lookup

Cisco routers and switches can perform DNS lookups.  This is sometimes
annoying when a mis-entered command is interpreted as a hostname and the
router attempts to resolve the word to an IP address via DNS.  If DNS
servers are not specified, the Cisco device attempts a broadcast and waits
for a timeout.  What a pain to wait for that every time a command is
mis-entered.  Best to make sure this is in place to specify no DNS lookups
will be done by the router itself.

     > class-map match-all VOIP
     > match ip dscp ef
     > !
     > !
     > policy-map LLQ
     > class VOIP
     > priority 90
     > class class-default
     > fair-queue

Class maps and policy maps are part of the overall QoS concept, also known
as quality of service.  This is, in this case, all about traffic management
when network links are congested with excessive data traffic.  The general
idea of QoS is to classify network traffic types, mark the data packets with
a tag, and then queue traffic based on the tagging (or sometimes just the
classification).
This class map identifies a class called "VOIP" which is any data traffic
tagged with a setting called "expedited forwarding".  It is the highest
markable class of traffic and is common for voice over IP and some video
conference data.  The policy map called "LLQ" goes further by re-marking the
data packets with a setting called "default" which is general everyday
network traffic and then making it the highest priority data to exit the
router with a limitation of 90kb/s.
In this case, it looks like the voice traffic was reset to look like normal
data traffic and is limited in the amount of bandwidth it is using through
the router.

     > interface FastEthernet0/0
     > description xxxxxxxxx fa 1/0/2
     > no ip address
     > duplex auto
     > speed auto
     > max-reserved-bandwidth 100
     > service-policy output LLQ
     > !
     > interface FastEthernet0/0.1
     > description DATA
     > encapsulation dot1Q 1 native
     > ip address 10.101.20.1 255.255.255.128
     > no snmp trap link-status
     > !
     > interface FastEthernet0/0.10
     > description VOIP
     > encapsulation dot1Q 10
     > ip address 10.101.20.1 255.255.255.128
     > no snmp trap link-status

Although there is one twisted-pair ethernet cable from this router's
interface FastEthernet0/0 to an ethernet switch, this cable is carrying the
equivalent of two cables of data traffic.  This is ethernet trunking using
the IEEE 802.1Q standard.  Think of it as multiplexing two (or more) cables
of ethernet traffic into one cable.

The switch connected to this router has its ethernet ports divided into
Vlan1 and Vlan10.  Hosts on Vlan1 have 10.101.20.0/25 IP addresses and hosts
on Vlan10 have 10.101.20.0/25 IP addresses.
Again, I believe that this was mis-entered into this e-mail because you
cannot assign the same IP address to two active interfaces of a router.  The
second interface was probably 10.10.2.0/25.  Anyhow, continuing . .

     > interface FastEthernet0/1
     > no ip address
     > shutdown
     > duplex auto
     > speed auto

This interface is unused and is administratively down.

     > interface ATM0/0/0
     > description ATM Circuit 24.HCGJ.015522
     > no ip address
     > no scrambling-payload
     > no atm ilmi-keepalive
     > max-reserved-bandwidth 100
     > service-policy output LLQ
     > !
     > interface ATM0/0/0.36 point-to-point
     > description xxxxxxxxxxxxxx
     > ip address 10.100.10.1 255.255.255.252
     > pvc 1/36
     > ubr 1382
     > encapsulation aal5snap

This is a single ATM connection.  Although there is a sub-interface, ATM and
frame-relay have a sub-interface kind of like how ethernet trunking works
(above on FastEthernet0/0) except that it is used for single
connections.  This is a T-1 line which uses ATM signalling, not the common
point-to-point protocol (PPP).  Traffic is queued based on the policy map
declared earlier although I think that it would be applied better to the
sub-interface than ATM0/0/0 itself.  Someone might correct me on that later.

     > ip classless

Classful and classless are IP addressing concepts.  Classful is a concept
that all IP address will have certain subnet masks no matter what.
Classless is a concept that any range of IP addresses can be broken down
into smaller subnet ranges which result in different subnet masks than
originally intended.
It is the 21st century - always think classless.

     > ip route 0.0.0.0 0.0.0.0 10.100.100.161
     > ip route 0.0.0.0 0.0.0.0 10.101.20.1

Static routes are entries into a router that specify the path to a remote
subnet of IP addresses.  They are usually in place if a dynamic routing
protocol (RIP, EIGRP, OSPF, BGP) is not used or to override a route to a
specific network that would normally take another path from another
protocol.

     > ip http server
     > no ip http secure-server

A Cisco device can be web browsed for management.  With few exceptions, we
do not recommend this at all and highly encourage removing this setting.

     > snmp-server community dwr RO
     > snmp-server community rwd RW
     > snmp-server enable traps tty

Simple network management protocol is used by nice expensive servers that
can query a network device like this using SNMP protocol and report on
interface utilization, device uptime, and other parameters.  It is usually
not very secure and we use an additional parameter in this command to
specify an access-list of hosts that can perform SNMP against this device
which will make this more secure.
Do not share your SNMP community strings with others.  In general, disable
SNMP unless you know that you will be using it.

     > banner login ^C*****Your contact number is:
     > ^C
     > banner motd ^C*****Welcome!
     > *****This router is the property of  ;
     > *****Use of this network device is restricted to our network team;
     > *****Unauthorized access and/or use is prohibited!
     > ^C

Login banners and message of the day banners are shown at login.
This reminds me of some legal ramification of having the word "welcome" in a
prohibiting login message.

     > (all voice configuration)

I cannot describe the voice configuration section of the router that was in
this section.

     > line con 0
     > password dnr
     > logging synchronous
     > login
     > line aux 0
     > password dnr
     > logging synchronous
     > login
     > line vty 0 4
     > password dnr
     > logging synchronous
     > login
     > transport input telnet

Login is permitted for using the serial line console port to manage the
router.  A password is specified.
Login is permitted for using the auxiliary port connected to an external
modem to manage the router.  A password is specified.
Login is permitted for using telnet to remotely connect and manage the
router.  A password is specified.  Up to five telnet sessions can be active
to this device at one time.  Other remote management protocols to this
device such as ssh and rlogin are not being permitted.


Although people may follow up and correct me in several places, there is the
bulk of it.  You have a voice router with a WAN connection and a trunk into
two ethernet LAN segments.  In my opinion, additional configuration is
recommended to tune this router up a bit more.

-----
Scott Perry
Indianapolis, IN
-----
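As an added example that is not part of the original thread: a small Python checker for the management-plane weaknesses Scott walks through above (cleartext passwords, the HTTP management interface, SNMP communities with no access-list, telnet-only vty lines, and the duplicate interface address he spots). The embedded configuration is a constructed excerpt modelled on the posted lines, not the poster's actual file, and the function name is my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted 2811 configuration; not the poster's file.
SAMPLE_CONFIG = """\
no service password-encryption
ip http server
snmp-server community dwr RO
snmp-server community rwd RW
interface FastEthernet0/0.1
 ip address 10.101.20.1 255.255.255.128
interface FastEthernet0/0.10
 ip address 10.101.20.1 255.255.255.128
line vty 0 4
 transport input telnet
"""

def audit_config(text):
    """Return finding strings for the management-plane issues discussed in the post."""
    findings = []
    lines = [l for l in text.splitlines() if l.strip()]
    if "no service password-encryption" in lines:
        findings.append("passwords shown in clear text (no service password-encryption)")
    if "ip http server" in lines:
        findings.append("HTTP management interface enabled (ip http server)")
    section, current, seen = None, None, {}
    for line in lines:
        cmd = line.strip()
        # An optional trailing access-list name follows RO/RW; flag communities without one.
        m = re.match(r"snmp-server community \S+ (RO|RW)(\s+\S+)?$", cmd)
        if m and not m.group(2):
            findings.append(f"SNMP community without access-list: {cmd}")
        elif cmd.startswith("interface "):
            section, current = "interface", cmd.split()[1]
        elif cmd.startswith("line "):
            section, current = "line", cmd[5:]
        elif section == "interface" and cmd.startswith("ip address "):
            ip, mask = cmd.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}").ip
            if addr in seen:  # same address on two interfaces, as in the posted config
                findings.append(f"duplicate address {addr} on {seen[addr]} and {current}")
            seen[addr] = current
        elif section == "line" and current.startswith("vty") and cmd == "transport input telnet":
            findings.append(f"line {current} accepts telnet only (no ssh)")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports six findings; feed it `show running-config` output to check a real device the same way.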
