Cisco router configuration template
Configuring TCP/IP over Frame Relay on a
Cisco router
(These are the minimum configs for setting up a Cisco
router to connect to Frame Relay)
The parentheses in the configs are descriptions.
Replace them with what they're describing.
boot system flash
boot system rom
hostname (customername-gw, like "logic-gw")
enable password (something cryptic)
enable secret (same as above)
interface ethernet 0
 description Local LAN at (customer location)
 ip address (first available IP address) (subnet mask)
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no shutdown
interface Serial0
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
 no shutdown
interface Serial 0.1 point-to-point
 description Frame Relay to Logic
 frame-relay interface-dlci 16 IETF
 ip address (the IP address) 255.255.255.252
 no ip route-cache
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 cdp enable
 no shutdown
interface Serial 0.2 point-to-point
 description A second Frame Relay circuit to another site
 frame-relay interface-dlci 17 IETF
 ip address (some other IP address-range) 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no shutdown
ip domain-name ibl.bm
ip name-server 199.172.192.1
ip name-server 199.172.192.2
ip route 0.0.0.0 0.0.0.0 (IP address of upstream Frame Relay port)
ip classless
ip subnet-zero
ip tcp synwait-time 5
service password-encryption
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no service finger
no service config
line vty 0 4
 login
 password (something cryptic)
Explanation:
Cisco routers have 5 areas of memory: FLASH, Nonvolatile RAM, Operating
RAM, I/O Memory, and Boot ROMs.
When the router turns on, the operating system, or
"IOS", is loaded from the FLASH, which is only used for storing the IOS. This
IOS is loaded into the Operating RAM. Then the configuration parameters are
loaded into this same Operating RAM from the Nonvolatile RAM, which is where
the various configuration commands are stored. The I/O RAM is used
for buffers and cache for moving packets in and out of the router. When you
configure a router, you are entering commands into the Operating RAM. These
commands take effect as soon as you enter them, but in order for them to
survive a router reboot you need to save them to Nonvolatile RAM.
The 5th area of memory is the Boot ROMs. This isn't really memory
as such, but ROMs on the circuit board that contain a basic version
of IOS that the router can boot from, in the event of a corrupted IOS image
in the FLASH. The version of IOS in the Boot ROMs is almost always older
than the version of IOS in FLASH.
See the show version notes at the end of the Testing section to find out how much memory a router has.
To log into a Cisco, type enable then enter the password. Monitoring
commands are issued at the main router-prompt with show commands.
Type show ? to see a list of commands. To configure the router, type
configure and select terminal from the list of options. When
you're done entering your configurations, hit Ctrl-z which will throw you
out to the main prompt. Type write memory to save the configuration to
Nonvolatile RAM. Type show config to see the contents of this saved
RAM, and show running-config to see the contents of the currently
running config in the Operating RAM. If you just saved the config, and
haven't made any changes, both the saved and running configs will be the same.
If you haven't saved the config, the contents of Operating RAM and Nonvolatile
RAM will be different.
The following list explains what each line in the configuration means:
- boot system flash and boot system rom controls the
order in which the IOS boots. The router has 3 areas of memory:
Flash, Boot-ROMs, & on-board nonvolatile RAM. When the router boots,
it will load the operating system (the IOS) from either Flash or the
Boot-ROMs, and then the configuration parameters from the saved image
in the on-board nonvolatile RAM. If the Flash-card is present, then
the IOS is loaded from there. If not, or there is a problem, then the
IOS will be loaded from the Boot-ROMs. The Boot-ROMs contain a basic
"bare-bones" version of IOS, so many of the commands in the saved
configuration will not be recognised by the Boot-ROM IOS, and will
produce "unrecognised command" error-messages on boot-up. The router
prompt will appear as "Router(boot)>" when booting from ROM. Never
leave a router running from Boot-ROMs. Only run from there while
troubleshooting problems with the Flash card.
- hostname is the name of the router, displayed in the prompt.
- enable password and enable secret are the two
passwords recognised for granting Enable access. When you are prompted
for the Enable password, the router is expecting the enable
secret password. If that doesn't match, it will then accept
the enable password. It's easy to forget, so just
make both passwords the same. The router will complain with a message
about not using the same password for both, but ignore the message. It
will work anyway.
- interface ethernet 0 is the name of the interface you want
to configure. You must always enter the interface before you configure
it.
- description is just a comment-line where you can indicate
the physical location of the router, such as "Local LAN at AF Smith".
- ip address is the first node-address from the IP address-
range assigned to this LAN. This will have been pre-assigned by Neil
or Mike and listed on the nocadmin.ibl.bm page for this customer. Look
for the LAN assignment, then use the first possible address for the
Ethernet port of the router. The rest of the range is available for
the customer to use on their LAN.
- no ip directed-broadcast disables the propagation of
broadcast packets, which is sometimes used in denial-of-service
attacks.
- no ip redirects disables the forwarding of ip packets to
subnets other than that which is in the path to a destination, a
method also used by denial-of-service attacks.
- no ip proxy-arp turns off proxy-ARPs, which is different
from normal ARPing. Whereas in a normal ARP, a host tries to resolve
an IP address with a hardware address on the same LAN, a proxy-arp
will respond to ARP requests for hosts on different LANs. This feature is another tool used by some denial-of-service attacks, so should be
turned off.
- no shutdown activates the interface. shutdown turns
it off.
- interface Serial 0 selects the physical Serial port, as with the Ethernet interface above.
- encapsulation frame-relay IETF defines traffic going over the
Serial port as Frame Relay, and encapsulates it accordingly, using the
IETF encapsulation standard. This essentially transforms the physical
interface from a standard leased-line interface to a Frame Relay
interface.
- no fair-queue turns off queueing on the port, giving all
traffic equal priority. Activating queueing allows you to set
different priorities for different kinds of traffic.
- frame-relay lmi-type ansi defines the type of Link
State Management Interface protocol used by BTC's Frame Relay
switch. The router listens for these to determine when the circuit is
active.
- no shutdown activates the interface.
- interface Serial 0.1 point-to-point is the subinterface of
the "major interface" Serial 0. A traditional leased line uses one
physical port per circuit. So if a second circuit is needed, the
router will need a second physical interface. Frame Relay allows you
to create multiple logical interfaces, each one using a portion of the
maximum bandwidth of the physical, or "major", interface. The Cisco
Serial interface's maximum bandwidth is T1, 1.5 Mb/sec. If each circuit
was 56K, you could create as many logical interfaces as you needed
until the cumulative maximum reached the T1 bandwidth.
This is the way the main Frame Relay router, the Cisco 4500, on the
Logic backbone is configured. It has 8 physical Serial interfaces, but
hundreds of logical interfaces.
- cdp enable turns on the Cisco Discovery Protocol. This
allows for the router to self-configure Frame Relay connections and
reports back remote router-names when using the show cdp neighbors
command.
- no ip route-cache turns off Fast Switching on this
interface. Fast Switching does a route lookup using the main processor
on the first packet of a "flow" (a continuous stream of packets
belonging to the same session) and then writes the forwarding
information to a "route cache". Each subsequent packet belonging to
this flow is then forwarded based on the route information in this
cache, instead of interrupting the main processor. This results in
much faster packet forwarding. However, it's only appropriate on
high-speed interfaces. Using Fast Switching on a Serial interface
slower than 64K will produce an over-eager interface, forwarding
packets too quickly, causing dropped packets. So leave it on for LAN
interfaces, which is the default, but turn it off on any Serial
interfaces slower than 64K.
- frame-relay interface-dlci 16 defines the DLCI for this Frame
Relay circuit. Each Frame Relay PVC has a local identifier, the Data
Link Connection Identifier. Each logical interface has to be
mapped to the DLCI of its circuit. BTC always sets this number to
16 at the customer site. The other end of the circuit, which
connects to the Frame Relay router on Logic's backbone, is always
unique. Usually, the BTC technician will write the number of this
Logic-side DLCI on the customer wall-jack. But the customer-side DLCI
is always 16. IETF defines the encapsulation standard,
as with the encapsulation parameter on the major interface.
- The ip address is found on the nocadmin.ibl.bm page for this
customer, as with the LAN IP-assignment. Since Frame Relay circuits
only have 2 nodes, one at each end, the smallest possible mask is used,
255.255.255.252 for all customers.
- The various no commands are the same as those used above on
the Ethernet interface.
- no shutdown activates the logical subinterface.
- interface Serial 0.2 point-to-point is a second
subinterface, if one is needed. Most customers will have only one,
back to Logic for Internet-access. But some customers will need a
second Frame Relay circuit to some other site, and this is a way of
adding one without needing a second physical interface. All of the
IP addressing commands are the same as with a physical interface.
- ip domain-name ibl.bm and the 2 addresses under it are the
DNS information. This is not needed for the router to work; it's only
used for testing connectivity by pinging or telnetting to domain names.
This info isn't passed on to any other device, it's just used when you
ping or telnet from the router.
You'll want to turn this off after you've verified connectivity, by
typing no ip domain-lookup. You'll want this deactivated
because if, at the main prompt, you mistype a command the Cisco IOS
will assume this is a domain-name and try to telnet to it. If the
mistyped command isn't a real domain you'll have to sit there and
wait for it to time out. With domain-name lookups turned off the IOS
will just respond with "Unknown command" to your twisted fingers,
instead of making you wait for telnet timeouts.
- ip route 0.0.0.0 0.0.0.0 is a static route entry, pointing
all traffic back to the interface on the router at the Logic backbone.
The first group of zeros is an IP address-range meaning "everything"
and the second group of zeros is the subnet-mask, which indicates
"any mask". The address at the end is the address to which all traffic
should be forwarded. This is also known as a "default route" and is
usually used on "stub networks", which all of our customers are. That
is, there is no other WAN connection, so this is the default.
This command adds the route to the router's Routing Table, the list
of how to get to what networks. To see the entries in the Routing
Table, type "show ip route". The output will list all of the possible
methods of learning routes - routing protocols - with an abbreviation
next to it. Under that will be the Gateway of last resort,
which is the address of the router that all traffic will be sent to
if a destination is not listed in the Routing Table. Under this is
the contents of the Routing Table itself. Each line will list the
method used to learn the route (S will indicate that it was
learned via a Static Route), the network number followed by the
subnet mask. Use this command to troubleshoot networks where users
are unable to connect to some remote destination. Their router should
either have the route in its Routing Table, or else have an address
listed for its Gateway of last resort.
- ip classless is needed to avoid strange routing problems
where a router will drop packets because it doesn't know how to get
to the destination, even if it has a default route. Normally a router
will figure out how to reach a destination based on the subnet listed
in a packet's destination field - the right-most portion of the
address. ip classless causes the router to make its routing decision
based on the supernet - the left-most portion of the address. It
basically ensures that packets to unknown destinations are sent to
the "Gateway of last resort" address.
- ip subnet-zero allows you to use the first
range in a subnetted address-range. Without this command, a
subnetted address-range of, for instance, 171.68.10.0 255.255.255.192
will require you to begin your addressing at 171.68.10.64. You are
prevented from using the range below this, the "zero subnet", since
this used to be reserved to indicate the network and not nodes,
forcing you to waste a range. Using this command allows you to use it.
Make sure all hosts on the LAN also recognise zero subnets, which any
Unix, PC, or Mac host will do that has an OS current as of 1990.
- ip tcp synwait-time 5 defines the amount of time, in seconds,
to wait for TCP SYN establishments. Keep this number low, to
make it harder for TCP syn-hacks to break in.
- service password-encryption encrypts the passwords in the
IOS config when viewing it. It doesn't encrypt it across the network,
just hides it from any prying eyes who may be looking over your
shoulder at your screen.
- no service udp-small-servers turns off UDP echoing
commands that are useful for troubleshooting. They also provide
useful information for anyone trying to break in. So only turn
it on if you need them for troubleshooting, then turn it off.
- no service tcp-small-servers turns off TCP echoing commands.
For the same reasons as above, leave it off.
- no ip source-route prevents the forwarding of packets that
have the "source-route" field set, where the exact path through the
network is pre-defined. Since you want the router to make its own
decision, and not some hacker, turn this off.
- no service finger prevents the router from responding to
"finger" commands. Not much of a threat, really, but it prevents
people from finding out who's logged on to your router.
- no service config turns off the ability to load
configuration files via TFTP. With this turned on, the router will
boot up and immediately start looking for a TFTP server to load its
config file from. It will wait several minutes before timing out
and will try several times before giving you access to the router
prompt. Very irritating, so turn it off.
- line vty 0 4 defines "Virtual Terminals", which are ports
that listen for telnet attempts. 0 4 is a range of telnet ports, which
means that 5 concurrent telnets are allowed on the router. Without
these, you won't be able to telnet into your router.
- login defines that telnet sessions will prompt for a
password.
- password defines that password. If you just enter the
"login" config, but forget the "password" config, the router will
respond to telnet attempts with an error of "telnet enabled but
no password" and will kick you out.
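The hardening lines explained above (the per-interface no ip ... commands, the no service ... commands, service password-encryption, ip tcp synwait-time and the vty login/password pair) are easy to drop when a template is copied by hand. As an added example, not code from the original page, the following Python script audits a configuration in the template's own style and lists what is missing. The sample configuration it runs on is constructed, with placeholder values and a few lines deliberately left out; it checks the text you intend to paste in, since a show running-config from a real router may omit settings that are defaults.

```python
"""Audit a Cisco IOS configuration for the hardening lines the template requires.

Added example, not code from the original page. Works on configuration text in
the template's style (explicit `no ...` lines); sample config below is constructed.
"""

# Constructed sample: the template with placeholders filled in and a few lines left out on purpose.
SAMPLE_CONFIG = """\
hostname example-gw
enable secret <placeholder>
interface Ethernet0
 description Local LAN at example site
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 no shutdown
interface Serial0
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 no shutdown
interface Serial0.1 point-to-point
 frame-relay interface-dlci 16 IETF
 ip address 10.0.0.2 255.255.255.252
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip classless
ip subnet-zero
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no service finger
line vty 0 4
 login
"""

REQUIRED_GLOBAL = (
    "service password-encryption",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip source-route",
    "no service finger",
    "no service config",
)
REQUIRED_ON_IP_INTERFACES = ("no ip directed-broadcast", "no ip redirects", "no ip proxy-arp")
TEMPLATE_SYNWAIT = 5  # the value the template uses for `ip tcp synwait-time`


def parse_config(text):
    """Split a config into global commands and {section header: [sub-commands]}.
    Sub-commands are the indented lines under an `interface ...` or `line ...` header."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith(("interface ", "line ")):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text):
    """Return a list of findings; an empty list means every checked line is present."""
    global_cmds, sections = parse_config(text)
    findings = []
    for required in REQUIRED_GLOBAL:
        if required not in global_cmds:
            findings.append(f"global: missing '{required}'")
    synwait = [c for c in global_cmds if c.startswith("ip tcp synwait-time ")]
    if not synwait:
        findings.append(f"global: missing 'ip tcp synwait-time' (template uses {TEMPLATE_SYNWAIT})")
    elif int(synwait[0].split()[-1]) > TEMPLATE_SYNWAIT:
        findings.append(f"global: 'ip tcp synwait-time' higher than template value {TEMPLATE_SYNWAIT}")
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: missing 'enable secret'")
    for header, cmds in sections.items():
        # only interfaces that carry an IP address need the three `no ip ...` lines
        if header.startswith("interface ") and any(c.startswith("ip address ") for c in cmds):
            for required in REQUIRED_ON_IP_INTERFACES:
                if required not in cmds:
                    findings.append(f"{header}: missing '{required}'")
        if header.startswith("line vty"):
            has_password = any(c.startswith("password ") for c in cmds)
            if "login" in cmds and not has_password:
                findings.append(f"{header}: 'login' set but no 'password' line (telnet will be refused)")
            elif "login" not in cmds:
                findings.append(f"{header}: missing 'login'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports five findings: the missing service password-encryption, no service config and ip tcp synwait-time lines, the missing no ip proxy-arp on Ethernet0, and the vty line that has login but no password.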
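As an added example, not part of the original page, the following Python script works through the addressing and routing rules from the ip route, ip classless and ip subnet-zero items above: the two usable addresses a 255.255.255.252 mask leaves on a Frame Relay circuit, the zero subnet that ip subnet-zero makes available, and a longest-prefix-match lookup over a small routing table with a static default route, including the classful behaviour that ip classless avoids. The addresses (171.68.10.0/24 from the text, 10.0.0.0/30 and the next-hop 10.0.0.1) are constructed sample values, and the routing table is a simplified model of what show ip route displays, not IOS code.

```python
"""Worked example of the IP addressing and routing rules described above.

Added illustration, not code from the original page. The routing table is a
simplified model of `show ip route`; sample addresses are constructed.
"""
import ipaddress
from collections import namedtuple

# code: "C" = directly connected, "S" = static, "S*" = static default (gateway of last resort)
Route = namedtuple("Route", "code network via")


def point_to_point_hosts(cidr):
    """Usable host addresses on a link; a /30 (255.255.255.252) leaves exactly two."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def lan_subnets(network, new_prefix, subnet_zero=True):
    """Split a range into subnets; without `ip subnet-zero` the first (zero) subnet is unusable."""
    subs = list(ipaddress.ip_network(network).subnets(new_prefix=new_prefix))
    if not subnet_zero:
        subs = subs[1:]
    return [str(s) for s in subs]


def classful_major(addr):
    """The classful (A/B/C) network an address belongs to, as a pre-classless router saw it."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((str(addr), prefix), strict=False)


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_connected(self, interface_cidr, interface):
        """Route created when an interface gets an `ip address`: its subnet, via that interface."""
        net = ipaddress.ip_network(interface_cidr, strict=False)
        self.routes.append(Route("C", net, interface))

    def add_static(self, prefix, mask, next_hop):
        """`ip route <prefix> <mask> <next-hop>`; 0.0.0.0 0.0.0.0 becomes the gateway of last resort."""
        net = ipaddress.ip_network(f"{prefix}/{mask}")
        self.routes.append(Route("S*" if net.prefixlen == 0 else "S", net, next_hop))

    def gateway_of_last_resort(self):
        return next((r.via for r in self.routes if r.code == "S*"), None)

    def lookup(self, destination, classless=True):
        """Longest-prefix match. With classless=False, mimic the pre-`ip classless` behaviour:
        a destination inside a classful network the router holds subnets for, but matching
        none of them, is dropped instead of being sent to the default route."""
        addr = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.network.prefixlen)
        if not classless and best.network.prefixlen == 0:
            major = classful_major(addr)
            if any(r.network.prefixlen > 0 and r.network.subnet_of(major) for r in self.routes):
                return None
        return best


def template_routing_table():
    """The table a router built from the template would hold (constructed addresses)."""
    rt = RoutingTable()
    rt.add_connected("171.68.10.1/26", "Ethernet0")   # customer LAN, first usable address on the router
    rt.add_connected("10.0.0.2/30", "Serial0.1")      # Frame Relay circuit to the backbone
    rt.add_static("0.0.0.0", "0.0.0.0", "10.0.0.1")   # upstream Frame Relay port
    return rt


if __name__ == "__main__":
    print(point_to_point_hosts("10.0.0.0/30"))
    print(lan_subnets("171.68.10.0/24", 26, subnet_zero=False))
    rt = template_routing_table()
    print("Gateway of last resort is", rt.gateway_of_last_resort())
    for dst in ("171.68.10.40", "198.51.100.7", "171.68.10.200"):
        print(dst, rt.lookup(dst), rt.lookup(dst, classless=False))
```

The last destination, 171.68.10.200, is the case the ip classless item describes: it falls inside the class B network 171.68.0.0 that the router has a subnet of, but in no subnet it knows, so the classful lookup drops it while the classless lookup hands it to the gateway of last resort.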
Testing Router Connections
When you're done configuring your router, and all the network connections
are in place, test your connections with these commands, which are all
issued from the main router-name# prompt:
- Type show ip interface brief. A list will appear with
all of the router's interfaces, their IP addresses, and whether
they're up or not. This will be indicated as "up up", "up down", or
"down down". The first state indicates whether or not the interface
is in "no shutdown" state (turned on) or in "shutdown" state (turned
off) and the second state indicates whether or not the router sees
any traffic coming through the port.
A status of "up up" means all is well; the router's interface is
activated and it sees traffic. A status of "up down" means that the
interface is activated but no traffic is seen, meaning that there's
a problem with the Ethernet transceiver, cable or hub or there's a
problem with the Serial port cable or connection to the CSU,
depending on the interface.
- Type sho cdp neighbors to see a short list of what customer
routers are connected to what local interface on the router. On a
router with a large config this is often faster than scrolling through
the whole output.
- Type show arp to see the entries in the ARP table. You'll
see what IP addresses the router sees out the Ethernet interface,
how long ago it heard from it, each device's hardware address, and
what interface the router sees it through. Useful for verifying
that the Ethernet port and hub is working right.
- To test the Frame Relay circuit, type show frame pvc. The
output should look like this:
[show frame pvc output listing]
Along the line where the DLCI number is listed you'll see the Status.
If it says "Active" then the circuit is up and running and you should
be able to ping across it. Try pinging to www.logic.bm. If it says
"Inactive" or "Deleted" then the circuit is not active from the
customer to the BTC switch. It may show up as "Active" from the router
on Logic's backbone, but that just means that the path from BTC to
Logic is up. Often, BTC will leave the BTC-to-customer path down until
you call and ask them to activate it.
If there is more than one Frame Relay circuit, there will be one page
of output per circuit.
- If the circuit is active, or even if it isn't, you can check to
see if the router is seeing any LMI packets. The presence of LMI
packets is what the router looks for when deciding whether or not
the circuit is up. Check this by typing show frame lmi. The
output will look like this:
[show frame lmi output listing]
Look at the second-to-last line. The presence of LMI packets is
indicated where it says Num Status Enq. Sent and Num
Status msgs Rcvd. These numbers should be very similar. Type
this command several times over a period of about a minute and you
should see the numbers increment. (hit the up-arrow on your keyboard
to repeat the last command) If they do increment, then LMI is seen
and is being responded to. If they don't, or the numbers are both
zero, then BTC is asleep at the wheel.
- If the PVC is active and the router is seeing LMI, then try
pinging the upstream address listed in your default route. If it's
successful you will see !!!!! characters returned. If you see
a bunch of ...... characters, it's failing.
If you try pinging anything on the Internet you need to specify
what source-address the ping command will use. By default, a ping
will use the interface-address closest to the destination as the
source address, which will be the address of the Frame Relay interface.
Since we use private IP addressing for all Frame
Relay circuits (which are non-Internet-routable), these
return-addresses will be unreachable by the host when it tries to
respond.
So type "ping" by itself and hit return. When it asks you for the
protocol to use, accept the default "ip". When it prompts you for the
target address, type it in. Accept the remaining prompts until you
get to Extended commands, at which point you type y.
It will ask you for the Source address, at which point you
should enter the router's Ethernet port IP address, since this will
be a routable address when the destination host responds. Accept the
remaining defaults.
- All other troubleshooting commands utilize the debug
command, of which there are a million variations. Type debug ?
at the main Router# prompt to see a list of all possible debug
commands. Use only if you want to read a lot of cryptic output...
- To see how much memory a router has, type show version, which
will produce this output:
[show version output listing]
- The size of FLASH in the router is listed in the line, 3rd from the
bottom, that says System flash. To see how much of this FLASH
space is being used by the IOS, and how much space is free, type
show flash. This is where the IOS is stored, so if a router
needs an IOS upgrade, the FLASH needs to be big enough to store the
image.
To see whether the router has loaded IOS from FLASH or from the
Boot ROMs, look at the line, in the 3rd paragraph, that starts
with System image file is.... At the end of this line the
source of the IOS boot will be indicated.
- The size of Nonvolatile RAM in the router is listed in the line,
4th from the bottom, that says non-volatile configuration memory.
This is where the configuration file is stored when you write to
memory. It is much smaller than the other memory areas, because the
configuration file is just a text-file. The IOS file does not get placed here.
- The size of Operating RAM, and I/O memory, in the router is listed
in the line, near the middle, that says with 16384K/4096K bytes of
memory. The first amount, before the slash, lists the size of the
Operating RAM (where the currently active configuration and IOS are
running). The second amount, after the slash, lists the size of the
I/O memory (where buffers and caches are created).
- The size of the Boot ROMs in the router is listed in the line, 2nd
from the bottom, that says Boot flash. To see how much of this
Boot FLASH is being used by its version of IOS, and how much space
is free, type show boot.
- The version of IOS present in the FLASH is listed in the line, 2nd
from the top, that says Version 11.2(19a). Assuming there is
nothing wrong with the FLASH or image on it, this is the version of
IOS that will be loaded at bootup.
- The version of IOS present in the Boot ROMs is listed in the line, in
the second paragraph, that begins with BOOTFLASH. Near the end
of this line it says Version 10.3(10). This is the version of
IOS that will be loaded in the event of a problem with the FLASH.
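When more than a handful of routers have to be checked, the show ip interface brief reading described in the testing section and the show version fields listed just above are worth scripting. As an added example, not code from the original page, here is a Python script that parses both. The two captures embedded in it are constructed samples laid out to match the columns and lines the page describes (including the Version 11.2(19a), Version 10.3(10), System image file and 16384K/4096K lines), not output taken from a real router; the hostname example-gw and the addresses are placeholders.

```python
"""Parse `show ip interface brief` and `show version` output as described in the testing notes.

Added example, not code from the original page. Both captures are constructed samples.
"""
import re

# Constructed sample of `show ip interface brief` (not captured from a real router)
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  192.0.2.1       YES manual up                    up
Serial0                    unassigned      YES unset  up                    up
Serial0.1                  10.0.0.2        YES manual up                    down
Serial0.2                  10.0.0.6        YES manual administratively down down
"""

# Constructed sample of `show version`, with the lines the page refers to
SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-I-M), Version 11.2(19a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.

ROM: System Bootstrap, Version 5.2(7), RELEASE SOFTWARE
BOOTFLASH: 4500 Bootstrap Software (C4500-BOOT-M), Version 10.3(10), RELEASE SOFTWARE (fc1)

example-gw uptime is 3 days, 4 hours, 12 minutes
System image file is "flash:c4500-i-mz.112-19a", booted via flash

cisco 4500 (R4K) processor (revision B) with 16384K/4096K bytes of memory.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
128K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read/Write)
4096K bytes of processor board Boot flash (Read/Write)
Configuration register is 0x2102
"""


def parse_int_brief(text):
    """Return {interface: (status, protocol, ip)}; Status may be two words ("administratively down")."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        name, ip, protocol = parts[0], parts[1], parts[-1]
        status = " ".join(parts[4:-1])          # everything between Method and Protocol
        table[name] = (status, protocol, ip)
    return table


def diagnose(name, status, protocol):
    """Apply the page's reading of the two state columns ("up up", "up down", "down down")."""
    if status == "up" and protocol == "up":
        return "ok"
    if status == "up" and protocol == "down":
        if name.startswith("Ethernet"):
            return "no traffic seen: check transceiver, cable or hub"
        return "no traffic seen: check serial cable or CSU connection"
    return "interface is shut down (needs 'no shutdown')"


def interface_report(text):
    return {name: diagnose(name, st, pr) for name, (st, pr, _ip) in parse_int_brief(text).items()}


def parse_show_version(text):
    """Pull memory sizes, versions and boot source out of `show version` by keyword,
    which survives layout changes better than counting lines from the bottom."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        return conv(m.group(1)) if m else None

    info = {
        "ios_version": grab(r"^IOS \(tm\).*?Version ([^,]+),"),
        "bootflash_version": grab(r"^BOOTFLASH:.*?Version ([^,]+),"),
        "boot_source": grab(r'^System image file is "[^"]+", booted via (\w+)'),
        "nvram_k": grab(r"^(\d+)K bytes of non-volatile configuration memory", int),
        "system_flash_k": grab(r"^(\d+)K bytes of processor board System flash", int),
        "boot_flash_k": grab(r"^(\d+)K bytes of processor board Boot flash", int),
    }
    m = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    info["operating_ram_k"], info["io_memory_k"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return info


if __name__ == "__main__":
    for name, verdict in interface_report(SHOW_IP_INT_BRIEF).items():
        print(f"{name:12} {verdict}")
    for key, value in parse_show_version(SHOW_VERSION).items():
        print(f"{key:18} {value}")
```

Matching on keywords rather than on "3rd from the bottom" matters because the number of interface lines in show version varies from router to router, so the line positions the page gives are only true for a router with the same hardware.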