Router Configuration Questions

1. Describe the purpose of a serial interface on a router.

A serial interface is typically used to interface to a WAN connection. Serial interfaces are usually configured to support layer 2 technology for the WAN that is typically not used in a LAN environment. On a Cisco router they default to supporting HDLC encapsulation but support other configurations such as PPP encapsulation for layer 2.

2. Explain and provide examples of four commands that may be used to configure a serial interface on a Cisco 2621 router.

ip address 192.168.0.1 255.255.255.0 – Configures the interface with an IP address of 192.168.0.1.

encapsulation ppp – Changes the layer 2 encapsulation of the serial interface to PPP.

no shutdown – This command is used to bring up a serial interface that is administratively down.

clock rate 64000 – Configure a DCE serial interface for speed of 64K.

3. Discuss the methods available to verify a router configuration. How can you save the router configuration? Give examples of each method.

While in enable mode type in write memory or copy run start to save the running configuration that resides in memory to the startup configuration on NVRAM.

To verify router configuration you can use show running-config command on the CLI which will display the current configuration of the router. You can also type show startup-config to review the saved configuration on the router.

4. Propose how you would secure a router. Provide a list of commands and their functions.

To secure a router you would first need to enter the enable mode by typing “enable” on the command line then type in the password for enable mode. Enable mode grants the user permissions to make and save changes to the router configuration. Then type config terminal to enter the configuration mode and then enable secret followed by the password that will be required to enter enable mode. Then type enable password and type the unencrypted password that will be required to enter enable mode ( the enable secret password is what will be required by the router as that has precedence over the enable password configuration). Then if access via IP is needed, from config mode, type in line vty 0 4 and press Enter then type password password where the second “password” is the actual password being set while in line configuration mode. The line vty 0 4 enables four line connections that can be used with the router. Then enable login authentication for line connections by typing login on the command line and pressing Enter. Do the same for the local console by typing line con 0, then password password and then login (same as with vty access above). Then rather than use telnet vty connections, use ssh by typing exit, then in global config mode type the following in global configuration mode:

hostname router1 – This command sets the hostname of the router.

ip domain-name router-domain – This command sets the DNS domain name of the router.

crypto key generate rsa – This command generates rsa keys that will be used to secure the ssh session.

ip ssh time-out 120 – This command sets the timeout for the ssh negotiation phase when establishing an ssh session.

ip ssh authentication-retries 3 – Sets the number of ssh authentication retries before timeout.

ip ssh port 4000 – Changes the ssh port from the default of 22 to a port that will not easily be recognized by attackers.

line vty 0 4 – Enables the lines for ssh connection.

transport input ssh – Changes line mode from telnet to ssh.

For the Virtual lab assignment I started by logging into the router then typed enable followed by the password to enter privilege exec mode. Then typed config t to enter configuration mode in order to use the password encryption command. The password encryption command run from the global configuration mode is service password-encryption. I then typed exit and then saved the setting by using the write memory command followed by Enter then checked the configuration with show running-config. Then I typed config t again then banner motd # and typed in the message Do Not Login followed by # and Enter to complete the message. Then I typed interface serial 0/1 and the prompt changed from config to config-if which let me know that the CLI is in interface configuration mode. Then I followed it with encapsulation ppp and press Enter just to test that command. I also typed interface fa0/0 which changed the interface in interface mode from the serial interface to a fast Ethernet interface. Then to bring up interfaces I used the no shut command while in the interface configuration mode. While still in interface configuration mode I then added IP addresses using the ip address command such as ip address 172.16.0.2 255.255.0.0. Then I used the secondary command to add a second IP address by typing ip address 172.16.0.3 255.255.0.0 secondary. Then I used the interface s0/0 command and typed in clock rate 64000 and pressed Enter then used the bandwidth 64 command to set the routing protocol cost of the link in order to configure the DCE end of a serial link. I then typed Exit and pressed Enter then typed hostname Router while in configuration mode and pressed Enter to set the hostname to Router. Then I typed int fa0/0 and pressed enter to go to the interface configuration mode then typed description FastEth0 and pressed Enter to configure the description for the fa0/0 interface then typed int s0/0 and typed description WAN to set the description for the s0/0 interface as WAN. Then to verify the configurations I typed Exit then Exit again and then used ping and traceroute commands to verify connectivity. Then I used telnet to test connectivity then show interfaces to verify configuration of all interfaces on the device. I then used individual interface show commands such as sh int fa0/0 to see just the one interface and verify it is up and working. I then used sh controllers to check the physical interface then tested the do command within the configuration mode such as running do show interfaces to view interface status.