You can prevent your router from receiving fraudulent route updates by configuring neighbor router authentication. When configured, neighbor authentication occurs whenever routing updates are exchanged between neighbor routers. This authentication ensures that a router receives reliable routing information from a trusted source. Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes your network traffic. For example, an unauthorized router could send a fictitious routing update to convince your router to send traffic to an incorrect destination. This diverted traffic could be analyzed to learn confidential information about your organization or merely used to disrupt your organization’s ability to effectively communicate using the network. Neighbor authentication prevents any such fraudulent route updates from being received by your router.
When neighbor authentication has been configured on a router, the router authenticates the source of each routing update packet that it receives. This is accomplished by the exchange of an authenticating key (sometimes referred to as a password) that is known to both the sending and the receiving router.
There are two types of neighbor authentication used: plain text authentication and Message Digest Algorithm Version 5 (MD5) authentication. Both forms work in the same way, with the exception that MD5 sends a "message digest" instead of the authenticating key itself. The message digest is created using the key and a message, but the key itself is not sent, preventing it from being read while it is being transmitted. Plain text authentication sends the authenticating key itself over the wire.
In plain text authentication, each participating neighbor router must share an authenticating key. This key is specified at each router during configuration. Multiple keys can be specified with some protocols; each key must then be identified by a key number. In general, when a routing update is sent, the following authentication sequence occurs:
MD5 authentication works similarly to plain text authentication, except that the key is never sent over the wire. Instead, the router uses the MD5 algorithm to produce a "message digest" of the key (also called a "hash"). The message digest is then sent instead of the key itself. This ensures that nobody can eavesdrop on the line and learn keys during transmission. Another form of neighbor router authentication is to configure key management using key chains. When you configure a key chain, you specify a series of keys with lifetimes, and the Cisco IOS software rotates through each of these keys. This decreases the likelihood that keys will be compromised. To find complete configuration information for key chains, refer to the "Managing Authentication Keys" section in the Configuring IP Routing Protocol-Independent Features module of the Cisco IOS IP Routing: Protocol-Independent Configuration Guide.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module provides basic configuration procedures for the Cisco 800M Series ISR and contains the following sections. To configure the global parameters for your router, follow these steps.
1. configure terminal
2. hostname name
3. enable secret password
4. no ip domain-lookup
You can connect WAN interfaces either by using straight polarity connectors or reversed polarity connectors.
To configure Gigabit Ethernet (GE) WAN interfaces, follow these steps, beginning in global configuration mode.
1. configure terminal
2. interface gigabitethernet slot/port
3. ip address ip-address mask
4. no shutdown
5. exit
The loopback interface acts as a placeholder for the static IP address and provides default routing information. To configure a loopback interface, follow these steps, beginning in global configuration mode.
1. configure terminal
2. interface type number
3. ip address ip-address mask
4. exit
The loopback interface in this sample configuration is used to support Network Address Translation (NAT) on the virtual-template interface. This configuration example shows the loopback interface configured on the Gigabit Ethernet interface with an IP address of 200.200.100.1/24, which acts as a static IP address. The loopback interface points back to virtual-template1, which has a negotiated IP address. To verify that you have properly configured the loopback interface, enter the show interface loopback command as shown in the following example. You can also verify the loopback interface by using the ping command as shown in the following example.
To configure parameters to control access to the router, perform the following steps.
1. configure terminal
2. line [ aux | console | tty | vty ] line-number
3. password password
4. login
5. exec-timeout minutes [ seconds ]
6. line [ aux | console | tty | vty ] line-number
7. password password
8. login
9. end
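The global-parameter steps above and the line access-control steps just listed, combined into one configuration as an added example (not from the Cisco guide); the hostname, the placeholder secrets and the 5-minute timeout are assumed values.

```cisco
! Added example, not from the Cisco guide: global parameters plus
! console and vty access control. Replace every REPLACE-WITH-* value.
configure terminal
 hostname Branch-800M
 ! "enable secret" stores a hash of the secret; prefer it over the
 ! legacy "enable password", which is stored reversibly
 enable secret REPLACE-WITH-STRONG-ENABLE-SECRET
 ! stop the CLI from attempting a DNS lookup on every mistyped command
 no ip domain-lookup
 ! line passwords are stored in clear text unless this is enabled; the
 ! resulting type-7 encoding is reversible, so protect the config file too
 service password-encryption
 !
 line console 0
  password REPLACE-WITH-CONSOLE-PASSWORD
  login
  ! close an idle console session after 5 minutes 0 seconds
  exec-timeout 5 0
 !
 line vty 0 4
  password REPLACE-WITH-VTY-PASSWORD
  login
  exec-timeout 5 0
 end
! check the result: "login" and "exec-timeout" should appear under each line
show running-config | section line
```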
To manually configure Gigabit Ethernet (GE) LAN interfaces, follow these steps, beginning in global configuration mode.
1. configure terminal
2. interface gigabitethernet slot/port
3. ip address ip-address mask
4. no shutdown
5. exit
Static routes provide fixed routing paths through the network. They are manually configured on the router. If the network topology changes, the static route must be updated with a new route. Static routes are private routes unless they are redistributed by a routing protocol. To configure static routes, perform these steps in global configuration mode.
1. configure terminal
2. ip route prefix mask { ip-address | interface-type interface-number [ ip-address ]}
3. end
In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Gigabit Ethernet interface to another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC. You do not need to enter the command marked “(default).” This command appears automatically in the configuration file generated when you use the show running-config command. To verify that you have properly configured static routing, enter the show ip route command and look for static routes signified by the “S.” You should see verification output similar to the following:
In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology. Changes in dynamic routes are shared with other routers in the network. The Cisco routers can use IP routing protocols, such as Routing Information Protocol (RIP) or Enhanced Interior Gateway Routing Protocol (EIGRP), to learn routes dynamically. You can configure either of these routing protocols on your router. To configure the RIP routing protocol on the router, follow these steps, beginning in global configuration mode.
1. configure terminal
2. router rip
3. version { 1 | 2 }
4. network ip-address
5. no auto-summary
6. end
The following configuration example shows RIP version 2 enabled in IP networks 10.0.0.0 and 192.168.1.0. To see this configuration, use the show running-config command from privileged EXEC mode. To verify that you have properly configured RIP, enter the show ip route command and look for RIP routes signified by “R” as shown in this example. To configure Enhanced Interior Gateway Routing Protocol (EIGRP), perform these steps.
1. configure terminal
2. router eigrp as-number
3. network ip-address
4. end
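The RIP version 2 configuration for networks 10.0.0.0 and 192.168.1.0, combined with the key-chain MD5 neighbor authentication described at the top of this page, as an added example that is not from the Cisco guide; the key chain name RIP-KEYS, the interface GigabitEthernet0/0, the key strings and the lifetime dates are assumed values.

```cisco
! Added example, not from the Cisco guide: RIPv2 with MD5 neighbor
! authentication from a rotating key chain. Replace the REPLACE-WITH-* values.
configure terminal
 ! The accept windows overlap by an hour on each side of the changeover so a
 ! neighbor whose clock is slightly off is still accepted; the send windows
 ! do not overlap, so only one key ever signs outgoing updates. The key
 ! number travels in the update, so neighbors must use the same key numbers.
 key chain RIP-KEYS
  key 1
   key-string REPLACE-WITH-KEY-1
   accept-lifetime 00:00:00 Jan 1 2025 01:00:00 Jul 1 2025
   send-lifetime 00:00:00 Jan 1 2025 00:00:00 Jul 1 2025
  key 2
   key-string REPLACE-WITH-KEY-2
   accept-lifetime 23:00:00 Jun 30 2025 infinite
   send-lifetime 00:00:00 Jul 1 2025 infinite
 !
 router rip
  version 2
  network 10.0.0.0
  network 192.168.1.0
  no auto-summary
 !
 ! Authentication is enabled per interface. "mode md5" sends a digest computed
 ! over the update and the key; the key-string itself never leaves the router.
 interface GigabitEthernet0/0
  ip rip authentication mode md5
  ip rip authentication key-chain RIP-KEYS
 end
! verify: which key is currently active and its lifetimes, the RIP settings,
! then the "R" routes learned from authenticated neighbors
show key chain
show ip protocols
show ip route rip
```

Both routers on the link need the same key chain contents and synchronized clocks (the lifetimes are evaluated against the router clock), or updates are silently dropped and the "R" routes disappear.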
This configuration example shows the EIGRP routing protocol enabled in IP networks 192.145.1.0 and 10.10.12.115. The EIGRP autonomous system number is 109. To see this configuration, use the show running-config command, beginning in privileged EXEC mode. To verify that you have properly configured EIGRP, enter the show ip route command, and look for EIGRP routes indicated by “D” as shown in the following example:
A push or reset button is available on the rear side of the Cisco 800M Series ISR and is designed to provide a disaster recovery method for the router. The push button can be useful for recovery in one of the following two scenarios:
Table 2-1 shows the high-level functionality when the push button is pressed during ROMMON initialization. Table 2-1 Push Button Functionality During ROMMON Initialization
If you press the push button for more than three seconds and then release it after IOS is up and running, IOS detects this event and looks for configuration files in order of priority. If IOS finds a configuration file, it copies that file to the startup configuration file. Then the router reloads itself and the new configuration takes effect. If no configuration file can be found, pressing the reset button has no effect. The order of priority in which the router looks for a configuration file is as follows:
1. usbflash0:customer-config.SN
2. usbflash0:customer-config
3. flash:customer-config.SN
4. flash:customer-config
Note: SN is the hardware serial number.
The Zero Touch Deployment (ZTD) through USB feature in Cisco 800M Series ISRs is an ease-of-use feature that loads a customized configuration from a USB flash drive. This feature requires that the router has no startup configuration in its nonvolatile RAM (NVRAM). The feature also requires that a valid configuration file, with the filename extension .cfg, is stored in the USB flash drive. A valid configuration file can be created by saving the running configuration of a router to flash, USB flash, or to a TFTP server. When a router with no startup configuration boots up, it checks for a valid configuration file within the USB flash drive. The prerequisites for deployment using the Zero Touch Deployment through USB feature are:
If the USB flash drive has multiple .cfg files, the router chooses the one with the highest index number in the USB flash drive. To avoid loading an incorrect .cfg file, ensure that there is only one .cfg file in the USB flash drive. The Cisco 800M Series ISR uses a second core, which is actively used to detect the USB flash drive when a 3G Wireless WAN module is present on the router. If no 3G Wireless WAN module is present, the USB flash drive is detected by IOS. When a 3G Wireless WAN module is present, USB detection is slightly delayed on the Cisco 800M Series ISR because of the delay in second core initialization. While system startup is in progress and the push button is pressed, a timer is started to check for completion of second core initialization. If for some reason the second core takes longer, the system reports an error message and continues the normal startup. After second core initialization, the router waits up to 10 seconds for USB detection and then completes the configuration. If the USB flash drive does not contain a deployment configuration, the router enters configuration mode.