
Configuration Guide

Cisco 2600 Router
Mikrotik RouterBOARD 951G-2HnD
Cisco Catalyst 2950 series switch

August$ 201%

Table of Contents

I. Configuration of the devices
II. Configuration Log for the devices
III. Applications Used
REFERENCES

I. Configuration of the devices


I.i Resetting the Cisco 2600 Router

Requirements:
Console cable (we used a Prolific USB to Serial Converter cable)
Software tools such as Tera Term or PuTTY

Procedure:
1. Connect the Cisco 2600 router to the PC via the console port with a serial cable or a USB to serial cable.
2. Open Tera Term.
3. Connect using the Serial Port (the COM port which is available).
4. Turn on the Cisco 2600 Router.
5. The router will start to boot (it says "Self decompressing the image...").
6. Send a break to interrupt the router's normal booting process. The scenario will be as shown in the figure below. In Tera Term, a break can be sent during the boot process by going to Menu >> Control >> Send Break.
7. The main idea behind resetting the router is to change the bootup sequence, which is controlled by the configuration register value. The default configuration register value is 0x2102 (0010000100000010). This default value is changed to 0x2142 (0010000101000010). The change makes the router ignore the NVRAM contents by altering the sixth bit (bit 6, value 0x0040) in the configuration register. By ignoring the NVRAM contents we can access the router, bypassing the password, and then set a password of our own. This is shown below, after we have sent a break to the normal booting process:
Self decompressing the image : #############
monitor: command "boot" aborted due to user interrupt
rommon 1 >
rommon 1 > confreg 0x2142

rommon 2 > reset
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
########################################################################## [OK]

The router boots normally and finally we are asked whether to continue with the configuration dialog. Answer no, and then we can continue to enter our own password as follows:

--- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!
Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable secret cisco
Router(config)#line con 0
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#exit

Now the boot sequence has to be set back to the default so that the router boots normally.

Router(config)#config-register 0x2102

Now the running configuration has to be copied to the startup configuration.

Router(config)#exit
Router#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

So the router has been reset successfully.
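The register change used in this procedure, decoded bit by bit, with a check for a router that was left at 0x2142 after recovery. This is an added example, not part of the original guide; the function names are hypothetical and the `show version` lines are constructed samples in the format IOS prints.

```python
import re

IGNORE_NVRAM = 1 << 6     # 0x0040: startup-config is not loaded at boot
BREAK_DISABLED = 1 << 8   # 0x0100
ROM_FALLBACK = 1 << 13    # 0x2000

FLAG_NAMES = {
    IGNORE_NVRAM: "ignore NVRAM (startup-config not loaded)",
    BREAK_DISABLED: "Break disabled after boot",
    ROM_FALLBACK: "fall back to ROM software if network boot fails",
}

def decode_confreg(value):
    """Split a 16-bit configuration register into boot field and named flags."""
    flags = [name for mask, name in FLAG_NAMES.items() if value & mask]
    return {"boot_field": value & 0xF, "flags": flags}

def changed_bits(old, new):
    """Bit positions (0 = least significant) that differ between two values."""
    return [bit for bit in range(16) if (old ^ new) >> bit & 1]

def audit_show_version(output):
    """Read the register line of 'show version': (current, pending, findings)."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", output)
    if not m:
        return None, None, ["no configuration register line found"]
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if pending & IGNORE_NVRAM:
        findings.append("next boot ignores startup-config: passwords and ACLs will not load")
    elif current & IGNORE_NVRAM:
        findings.append("booted without startup-config; register restored for next reload")
    return current, pending, findings

# Constructed sample lines.
MID_RECOVERY = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
FORGOTTEN = "Configuration register is 0x2142"
NORMAL = "Configuration register is 0x2102"

if __name__ == "__main__":
    print(decode_confreg(0x2142), changed_bits(0x2102, 0x2142))
    for line in (MID_RECOVERY, FORGOTTEN, NORMAL):
        print(audit_show_version(line))
```

A device reporting the FORGOTTEN form comes up unconfigured on every reload, so it is worth checking for after any recovery session.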

I.ii Configuring the Cisco 2600 router

Configuring the router is an easy task. We configure it with a Fa0/0 IP address of 192.168.20.21 and a Fa0/1 IP address of 192.168.60.1, with a static route and NAT.

ISMS_router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
ISMS_router(config)#int f0/0
ISMS_router(config-if)#ip address 192.168.20.21 255.255.255.0
ISMS_router(config-if)#no shut
ISMS_router(config-if)#exit
ISMS_router(config)#int f0/1
ISMS_router(config-if)#ip address 192.168.60.1 255.255.255.0
ISMS_router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
ISMS_router(config-if)#exit
ISMS_router(config)#exit

This configures the IP addresses for the router.

I.iii Configuring static route and static NAT for Cisco 2600 router

Figure 1

Considering Figure 1, a static route and NAT can be set for the Cisco 2600 router.

Static Route Configuration: It is done by providing the network and its mask and the next hop to route to. Here it is configured such that packets from any network are forwarded to the 192.168.20.1 gateway.

Static NAT configuration: It is done by indicating the inside and outside networks. Here the outside network is the 192.168.20.0 network and the inside network is the 192.168.60.0 network. Note that the overload keyword in the ip nat inside source command below makes the router translate the inside hosts to the address of the outside interface with port address translation. The complete configuration for static route and static NAT is shown below:

Router#
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.20.1
Router(config)#access-list 1 permit 192.168.60.0 0.0.0.255
Router(config)#ip nat inside source list 1 interface fa0/0 overload
Router(config)#int fa0/0
Router(config-if)#ip nat outside
Router(config-if)#int fa0/1
Router(config-if)#ip nat inside
Router(config-if)#exit

I.iv Configuring Cisco 2600 Router for DHCP

For a private network (192.168.1.0) connected to Fa0/1 of the router, DHCP can be set up with the following configuration. Here 192.168.1.1 is the IP address of the Fa0/1 port of the router.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Router(config-if)#ip dhcp excluded-address 192.168.1.1 192.168.1.211
Router(config)#ip dhcp pool DHCP_POOL
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#exit

I.v Configuration of Mikrotik RouterBOARD 951G-2HnD

The Mikrotik RouterBOARD was configured with the following login parameters.
Username: admin
Password: faculty_123

The first thing is to connect to the router via the WinBox application through an Ethernet cable. The cable can be connected to Ethernet ports 2 through 5. Due to the firewall installed at Ethernet port 1, we cannot connect using port 1.


Figure 2 WinBox login interface

After we are connected, we can set up the interfaces and configure everything. The environment looks as shown in Figure 5.

Figure 3 WinBox GUI interface

There are 5 Ethernet interfaces, Ethernet 1 through 5, and a wireless interface WLAN1. Ethernet 1 is connected to the Internet-enabled network (here it is connected to Fa0/1 of the Cisco 2600 router) and Ethernet 2 is connected to the Cisco Catalyst 2950 switch. We start by creating a bridge between WLAN1 and Ethernet 2. IP addressing is configured by going to: IP >> Address.

The configuration (pertaining to Figure 3) was done as follows:
For Bridge Interface: Address: 192.168.50.1/24
For Ethernet 1: Address: 192.168.60.2/24
Static Route was defined by going to: IP >> Route
Route was configured as: 0.0.0.0/0 via 192.168.60.1
DNS: 116.90.239.4
DHCP: Configured for the bridged interface of WLAN1 and Ethernet 2.

A hotspot is created by going to IP >> Hotspot and then performing Hotspot setup. This creates a new hotspot IP pool. A new hotspot profile can be created for this pool (we created a 1MBps profile). After profile creation, we can create users for that profile. Mikrotik offers a wide variety of configuration options for hotspots, not all of which can be shown here. A good video tutorial showing all the required information about accessing, configuring and creating a Hotspot on a Mikrotik router can be found in [1] and [2].

I.vi Configuring Mikrotik Router for blocking certain sites

Sites can be blocked by creating a rule in Web Proxy as follows:
In the WinBox GUI, go to IP >> Web Proxy >> Web Proxy Settings >> click on Enabled >> Port 8080 >> Apply >> Access
In the Access window: enter the website that is to be blocked in Dst. Host, i.e. Dst. Host: www.youtube.com, Action=deny >> and then Apply

For this to work properly, a transparent firewall setting has to be created. This is done by going to IP >> Firewall >> click on the NAT tab >> then New NAT Rule >> in the General tab, select Chain: dstnat >> Protocol: 6 [tcp] >> Dst. Port: 80 >> click on the Action tab >> select Action: dst-nat >> To Addresses: enter the network address of our network >> To Ports: 8080 >> then click OK.

I.vii Blocking Torrent sites using Mikrotik Router

Go to IP >> Firewall >> Layer 7 Protocols >> click on New Rule >> put any name (e.g. Torrent block) >> then paste the following site names under REGEXP and click APPLY:

^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$

Now go to the Advanced tab on the Firewall rule and then under Layer 7 protocol select the name just created, here Torrent block. Then set the action in the Action tab to "drop". Then click on Firewall >> Layer 7 Protocols >> New Rule and put a new name such as "torrent-dns" and then under REGEXP add the following contents:

^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$
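The two patterns above, run against constructed HTTP and DNS payloads to show what they drop, including unrelated names that merely contain a listed word. This is an added example, not part of the original guide; Python's `re` with DOTALL stands in for the RouterOS matcher as an approximation, and the helper functions and `example` names are hypothetical.

```python
import re

# Site list shared by the two Layer 7 rules on this page.
SITES = (
    "torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|"
    "torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|"
    "vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|"
    "commonbits"
).encode()
# DOTALL lets '.' span CR/LF and binary bytes at the start of a connection
# (assumption: an approximation, not the RouterOS regex engine itself).
HTTP_RULE = re.compile(b"^.*(get|GET).+(" + SITES + b").*$", re.DOTALL)
DNS_RULE = re.compile(b"^.+(" + SITES + b").*$", re.DOTALL)

def dns_query(name):
    """Minimal DNS A query: 12-byte header, length-prefixed labels, type and class."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00\x00\x01\x00\x01"

def http_get(host, path):
    """Start of a plain HTTP request as the firewall would see it."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def verdict(rule, payload):
    return "drop" if rule.search(payload) else "pass"

# Constructed payloads; all names are placeholders.
CASES = {
    "listed site over HTTP": (HTTP_RULE, http_get("www.mininova.example", "/")),
    "unrelated page with the word in its path":
        (HTTP_RULE, http_get("docs.example.org", "/rfc/bittorrent-spec.html")),
    "ordinary page": (HTTP_RULE, http_get("www.example.org", "/index.html")),
    "DNS lookup of listed name": (DNS_RULE, dns_query("torrentz.example")),
    "DNS lookup of look-alike name":
        (DNS_RULE, dns_query("storrent-insurance.example")),
    "ordinary DNS lookup": (DNS_RULE, dns_query("www.example.org")),
}

def run_cases():
    return {label: verdict(rule, data) for label, (rule, data) in CASES.items()}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{result:5} {label}")
```

The substring match drops the unrelated documentation page and the look-alike DNS name as well, so both rules should be tested against the traffic the network legitimately carries before they are enabled.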

Then go to Filter Rules >> Add new Rule >> set Chain: forward >> Protocol: 17 [udp], Dst. Port: 53. Then in the Advanced tab set the Layer 7 protocol to our filter rule (torrent-dns). Finally, click on Action and select "drop".

I.viii Resetting Mikrotik RouterBOARD 951G-2HnD

Resetting the Mikrotik RouterBOARD 951G-2HnD can be done in case we wish to return the device to its original configuration. This is done by using the RESET button located to the left of the Ethernet ports. To reset, follow these steps:
Power off the device
Press the Reset button with a sharp object
Connect the power cable
Remove the power cable as soon as the LED starts flashing.

Point to be noted: If the Reset button is held longer, the flashing LED turns off and the RouterBOARD then looks for Netinstall servers.

I.ix Configuring Cisco Catalyst 2950 series switch

The configuration, starting from setting the password through creation of the VLANs and assignment of the IP address, is shown here:

Press RETURN to get started!
Switch>en
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#enable secret cisco
Switch(config)#line con 0
Switch(config-line)#password cisco
Switch(config-line)#login
Switch(config-line)#exit

The above sets the login and enable passwords for the switch. Now follows the creation of VLAN 99 and VLAN 100.

Switch(config)#interface range fastethernet 0/1-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 99
% Access VLAN does not exist. Creating vlan 99
Switch(config-if-range)#exit
Switch(config)#interface range fastethernet 0/11-24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 100
% Access VLAN does not exist. Creating vlan 100
Switch(config-if-range)#exit

Now follows the assignment of an IP address to VLAN 99 for remote management of the switch.

Switch(config)#int vlan 99
%LINK-5-CHANGED: Interface Vlan99, changed state to up
Switch(config-if)#ip address 192.168.10.11 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#exit

I.x Adding Security to Cisco Catalyst 2950 series switch

The Cisco Catalyst 2950 switch was configured for port-security such that FastEthernet port f0/2 accepts only a single end device with a specific MAC address. All other ports were shut down.

Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 0021.70fe.661a
Switch(config-if)#exit

Now shutting all other ports:

Switch(config)#interface range fastethernet 0/11-24
Switch(config-if-range)#shut

II. Configuration Log for the devices

Cisco 2600 Router Configuration:
Login Password: cisco
Enable Password: cisco

Detailed Configuration is shown below:


ISMS2600#sh run
Building configuration...

Current configuration : 1019 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISMS2600
!
boot-start-marker
boot-end-marker
!
enable secret 5 I1IfcJtIp"u!rJ1E=0=p<xpn1s?xF"
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.60.1 192.168.60.99
!
ip dhcp pool DHCP_POOL
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
!
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.20.21 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.1
no ip http server
!
access-list 101 permit ip 192.168.60.0 0.0.0.255 any
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 login
!
!
!
end

Cisco Catalyst 2950 switch configuration:
Login Password: cisco
Enable Password: cisco

Detailed Configuration is shown below:


ISMS_switch#show run
Building configuration...

Current configuration : 2401 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ISMS_switch
!
enable secret 5 I1IHALFI00msJm20(rK4rd0a323g.5
!
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 99
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 99
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0021.70fe.661a
!
interface FastEthernet0/3
 switchport access vlan 99
!
interface FastEthernet0/4
 switchport access vlan 99
!
interface FastEthernet0/5
 switchport access vlan 99
!
interface FastEthernet0/6
 switchport access vlan 99
!
interface FastEthernet0/7
 switchport access vlan 99
!
interface FastEthernet0/8
 switchport access vlan 99
!
interface FastEthernet0/9
 switchport access vlan 99
!
interface FastEthernet0/10
 switchport access vlan 99
!
interface FastEthernet0/11
 switchport access vlan 100
!
interface FastEthernet0/12
 switchport access vlan 100
!
interface FastEthernet0/13
 switchport access vlan 100
!
interface FastEthernet0/14
 switchport access vlan 100
!
interface FastEthernet0/15
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/16
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/17
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 ip address 192.168.60.10 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan99
 ip address 192.168.10.11 255.255.255.0
 no ip route-cache
!
interface Vlan100
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end
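A small audit over a running-config of this shape, flagging the settings visible in the listings above: cleartext line passwords, the HTTP server, and access ports that are neither shut down nor protected by port-security. This is an added example, not part of the original guide; the sample config is constructed and the function names are hypothetical.

```python
import re
# Constructed excerpt in the shape of the switch listing above (placeholder values).
SAMPLE = """\
no service password-encryption
enable secret 5 HASH_PLACEHOLDER
interface FastEthernet0/1
 switchport access vlan 99
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.0000.0001
interface FastEthernet0/11
 switchport access vlan 100
 shutdown
ip http server
line con 0
 password cisco
line vty 0 4
 password cisco
 login
"""

def parse_blocks(text):
    """Group an IOS config into {top-level command: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit(text):
    """Global findings first, then per-block findings in config order."""
    blocks, findings = parse_blocks(text), []
    if "no service password-encryption" in blocks:
        findings.append("password-encryption off: line passwords stored in cleartext")
    if "ip http server" in blocks:
        findings.append("HTTP management server enabled")
    for head, subs in blocks.items():
        # Type 0 or untyped passwords are cleartext; 'password 7 ...' is not matched.
        if head.startswith("line ") and any(re.fullmatch(r"password (0 )?\S+", s) for s in subs):
            findings.append(f"{head}: cleartext password")
        if head.startswith("interface FastEthernet") and not (
                {"shutdown", "switchport port-security"} & set(subs)):
            findings.append(f"{head}: active without port-security")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```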

III. Applications Used

This section, Appendix III, describes the software tools that we used during our internship at ISMS. They are listed as follows:
1) Cisco Packet Tracer: Network creation and simulation tool
2) PuTTY: An open source SSH and Telnet client
3) Tera Term: Similar to PuTTY
4) WinBox: Configuration tool for Mikrotik routers with a GUI interface
5) Xirrus Wi-Fi Inspector: Wi-Fi detection and signal analyzing tool

REFERENCES

1. Mikrotik Hotspot Quick Setup Guide in Urdu, http://www.youtube.com/watch?v=TATBa@rqR5B
2. Mikrotik Router Access Point Basic, ISP Supplies, YouTube Video, Adeel Ahmed, YouTube Video, http://www.youtube.com/watch?v=ul@efmf!ces
3. How to configure Mikrotik Router to Block Website, YouTube Video, http://www.youtube.com/watch?v=qtrv.cH(#T*
4. How to Setup Your Own Hotspot with MIKROTIK routers, Hotspotsystem.com, http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html
5. Cisco IOS Switch Security Configuration Guide, A. Borza, D. Duesterhaus, C. Grabczynski, J. Johnson, R. Kelly, T. Miller, National Security Agency
6. Information System Management Section (ISMS), Kathmandu University, Fact Sheet, January 2013, http://www.ku.edu.np/isms/Factsheet_ISMS_jan2013.pdf
