
9 Steps Setting Up Cisco Router | Networking content from Windows IT Pro


9 Steps to Setting Up a Cisco Router


Michael Dragone | Windows IT Pro

May 26, 2008


Downloads: 98740.zip

Executive Summary:


Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a
great way to experiment with networking concepts and gear and could be good for your
career development. Learn the basic steps of setting up a Cisco router to provide
Internet access to a small network.

Working with a Cisco router and the Cisco Internetworking Operating System (IOS) is a
great way to experiment with networking concepts and gear and could be good for your
career development. You can get some hands-on IOS experience by setting up a Cisco
router at the Internet edge in your test lab at work or in your home office. A Cisco router
allows you greater flexibility (with more granular controls than the Linksys or NETGEAR
hardware commonly used in home offices) if you later want to expand your setup to
include, say, a Microsoft ISA Server firewall on the back end.

Let's go through the basic steps of setting up a Cisco router to provide Internet access to a
small network. I'll assume you have some basic IOS knowledge, including how to log on
and how to save and clear configurations. I'll also assume that you have a solid
understanding of networking, including what Network Address Translation (NAT) is. I
won't cover items such as setting up Secure Shell (SSH) access and hardening access lists.
You can expand into those areas as you feel comfortable and want to experiment more.

What You'll Need

You need a Cisco router with at least two Ethernet interfaces. An 806, 836, 851, or 871 is
ideal for a home or small office setup; in fact, that's what those models are geared
towards. You can buy an 851 for a few hundred dollars from various online retailers.
However, a 2610 works just as well, and you might have one sitting in the equipment bin
at your office that you can ask to borrow.


Your router should have IOS 12.2 or later. This article is based on a Cisco 851W with IOS
12.4, including the IOS firewall feature set.

http://windowsitpro.com/networking/9-steps-setting-cisco-router

7/24/2013


You also need a Cisco console cable (sometimes called a rollover cable). One end has an
eight-position, eight-conductor modular jack to connect to the router; the other end has a
DB-9 serial connector. In recent years, the console cables that Cisco has shipped with its
equipment have been light blue.


You need a computer with a DB-9 serial port. In my experience, USB-to-serial converters
work just fine for this application. You also need a computer with a terminal emulation
program. Hilgraeve's HyperTerminal is available with Windows XP, but it was removed
from Windows Vista. Vista users can download HyperTerminal Private Edition 6.3 at
www.hilgraeve.com/htpe/download.html. Mac OS X users can Google for ZTerm, and
Linux users, for minicom.


1. Connect the router to the PC, and start a terminal emulation program

Connect your router to your PC with the console cable, and fire up your terminal
emulation program. The port settings are 9600,8,N,1. If you've never before accessed a
device directly via an asynchronous serial connection, you might want to ask a Cisco
veteran for some assistance.

Start with the command enable to get into privileged EXEC mode. Then type the
command erase startup-config to get a blank configuration. Next, restart the router with
the reload command. Make sure to say no to an IOS prompt that asks if you'd like to enter
the initial configuration dialog.

These steps might sound confusing if you've worked only with Cisco devices that are up
and running in production. In that case, you're probably more accustomed to using
Telnet, or preferably SSH, to configure the equipment. That isn't an option when you
want to start with a blank configuration, which will prevent any Telnet or SSH access to
the equipment for the time being.

2. Identify the router's interfaces


Take a look at the back of your router and identify which Ethernet ports you'll be using for
what. One will connect to your WAN device, such as a cable modem; another will connect
to your LAN. If you're using an 851W, like me, you'll notice that the ports are labeled for
you: FastEthernet4 is the WAN interface and FastEthernet0 through FastEthernet3 are
the LAN interfaces. The 851 includes a built-in four-port switch, hence the four LAN
interfaces.

If your router's interfaces aren't labeled, you can type the command


show ip interface brief

from privileged EXEC mode to find the names.


3. Configure IP addresses


Now you can begin the actual setup. You should still be in privileged EXEC mode (if not,
enter the enable command). Start terminal configuration mode by entering
configure terminal

Type the command


no ip domain lookup

to prevent IOS from attempting to convert any spelling mistakes you make into domain
names. You can skip this step if you're a perfect typist, I suppose.


You might also want to enter the command


no logging console

to prevent IOS from outputting syslog messages to the console as you're working. These
can interfere greatly with your typing.

Now you're ready to set up an IP address for the LAN interface. In the case of the 851W
that this article is based on, you do this on a virtual interface called BVI1 that relates to
the physical LAN interfaces. On other routers, you might do this on the actual physical
interface. Type
interface <interface_name>


to enter the configuration mode for that interface. For the 851W, the command was
interface BVI1

Now, assign the interface an IP address:


ip address <address> <netmask>

I'm using 192.168.100.1 with a Class C mask, so my command looked like this:


ip address 192.168.100.1
255.255.255.0

(The command is on two lines for publication purposes, but be sure to enter it all on one
line.) You can also use Classless Inter-Domain Routing (CIDR) notation if you prefer,
which would look like this:
ip address 192.168.100.1/24

You'll also need to set the WAN interface to use DHCP to obtain its IP address. To do this,
type
interface FastEthernet4

followed by the command


ip address dhcp

followed by the exit command to leave the interface configuration mode.


4. Set up access lists

Next, you need to configure two access lists, both of which will be applied in the inbound
direction. Note that in the remainder of this article, I use the terms inbound and
outbound frequently. As Figure 1 shows, inbound refers to traffic entering the interface;
outbound refers to traffic leaving the interface.

Listing 1 shows the two access lists: The first will be applied to the LAN interface (in my
case, BVI1), and the second will be applied to the WAN interface (in my case,
FastEthernet4).


Access list 100 will be applied to the LAN interface. The first line sets up the access list
and places the router in access list configuration mode. The next line allows any IP traffic
matching the network (192.168.100.0/24) to pass into the interface. If the subnet mask
looks odd to you, that's not a typo. IOS uses inverse subnet masks in its access lists. You
can compute these manually quite easily by subtracting each octet of your standard mask
from 255. So mask 255.255.252.0 becomes 0.0.3.255, 255.252.0.0 becomes 0.3.255.255,
and so on.

The third line denies any other traffic from entering the LAN interface. Although all
access lists have an implicit deny all at the end, including an explicit deny line is a good
practice so that you know where your access list ends and to aid the readability of your
configuration. The final line takes the router out of access list configuration mode.

Access list 101 will be applied to the WAN interface. The first line sets up the access list
and places the router in access list configuration mode. I use a cable modem, so the next
line allows DHCP (bootps and bootpc) traffic to enter the WAN interface. Without this
entry, my WAN interface would never receive a public IP address, and I'd never get on the
Internet. You can use the same configuration in a test lab as long as you have a DHCP
server set up and your networking team is OK with what you're doing. The third and
fourth lines allow any TCP and UDP traffic from any source destined for anywhere to
enter the WAN interface.

The fifth, sixth, and seventh lines allow any Internet Control Message Protocol (ICMP)
traffic that's from any source; is headed for any destination; and is an echo-reply,
time-exceeded, or unreachable message to enter the WAN interface. You should be cautious
about which types of ICMP traffic you allow on your network because ICMP can be used
for various exploits, especially Denial of Service (DoS) attacks. However, you need these
three lines to use ping and traceroute for troubleshooting. The last two lines are the same
as in the LAN access list.

5. Configure basic TCP/UDP/ICMP inspection

My IOS version includes the IOS firewall feature set. If yours does as well, you'll definitely
want to use it. Although the IOS firewall doesn't offer the deep application-layer
inspection that, say, an ISA Server firewall does, enabling it is a good idea for two reasons.
The first is to ensure that traffic which is claiming to be TCP, UDP, or ICMP is in fact TCP,
UDP, or ICMP. The second is that enabling this inspection also enables Context-Based
Access Control. CBAC allows IOS to create dynamic access list entries that allow return
traffic to flow through the router. Although our access lists above are very generic (e.g., all
TCP is allowed), once your setup is working, you'll certainly want to harden them, set up
internal servers reachable from the Internet, and so on. After you've done that, CBAC will
allow return traffic to pass through the router. For example, if you browse to
Amazon.com, CBAC will dynamically place entries in the inbound access list applied to
your external (WAN) interface to allow return traffic from Amazon.com to enter the
router. When the connection is closed, these entries are dynamically removed.

First, set up a TCP SYN timeout threshold to help mitigate SYN flood DoS attacks:
ip tcp synwait-time 30

This command tells IOS to drop any TCP session that's not established within 30 seconds.

Next, set up an inspection rule each for ICMP, TCP, and UDP:
ip inspect name InspectRule icmp
ip inspect name InspectRule tcp
ip inspect name InspectRule udp

(You can substitute a name you prefer for InspectRule.)


6. Apply the access lists and inspection rules

Now, apply both the access lists and the inspection rules to the appropriate interfaces in
the inbound direction. For the WAN interface (in my case, FastEthernet4), first enter the
interface configuration mode:
interface FastEthernet4

Then apply the access list:


ip access-group 101 in


(Note that you use access-group, not access-list here.) Then apply the inspection rule:
ip inspect InspectRule in

And finally, exit the interface configuration mode:


exit

Next, for the LAN interface (BVI1, in this example), type:


interface BVI1
ip access-group 100 in
ip inspect InspectRule in
exit

Some of you sharpies might be wondering if you could apply the IP inspection rule in the
outbound direction as well as or in place of the inbound direction. The answer is yes, you
can.

7. Set up NAT

You now need to set up NAT to translate addresses between the internal
192.168.100.0/24 network and the public Internet. First, set up an access list to be used
only for NAT:
ip access-list standard 10
permit 192.168.100.0 0.0.0.255
deny any
exit

As before, the first line places the router in access list configuration mode. Note that the
access list here is standard and not extended. Standard access lists allow only traffic from
specific IP addresses or networks to be permitted or denied. They don't let you specify the
destination or type of traffic as extended access lists do. The second line identifies the
traffic that you want to translate. The above code allows any traffic on the internal LAN to
be translated for the Internet. The third line prevents any other traffic from being
translated, and the fourth line takes the router out of access list configuration mode.

Next, you identify to IOS which interfaces will participate in NAT:
interface BVI1
ip nat inside
exit
interface FastEthernet4
ip nat outside
exit

These lines tell IOS that the LAN interface, BVI1, will contain the addresses that need to
be translated, while the WAN interface, FastEthernet4, contains the external addresses to
which the internal addresses will be translated.
Finally, you enter the actual NAT statement (all on one line):
ip nat inside source list 10
interface FastEthernet4 overload

This command tells IOS to translate any address identified in access list 10 to the address
assigned to FastEthernet4. The overload keyword allows one public address to be shared
among several internal private addresses.
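
The wildcard arithmetic from step 4 and the first-match behaviour of access list 10, as an added Python example (not part of the original article, and not Cisco code). The function names and the mistyped list are constructed for illustration; the mistyped list shows what happens when the standard mask is entered where the wildcard belongs.

```python
import ipaddress

def wildcard_from_netmask(netmask):
    """Step 4's rule: subtract each octet of the standard mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))

def entry_matches(address, base, wildcard):
    """A 0 bit in the wildcard must match the base; a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(address))
    return (addr & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_standard_acl(text):
    """Turn permit/deny lines into (action, base, wildcard) tuples."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] not in ("permit", "deny"):
            continue  # 'ip access-list ...', 'exit' and blank lines
        if words[1] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif words[1] == "host":
            base, wildcard = words[2], "0.0.0.0"
        else:  # address followed by an optional wildcard
            base = words[1]
            wildcard = words[2] if len(words) > 2 else "0.0.0.0"
        entries.append((words[0], base, wildcard))
    return entries

def evaluate(entries, address):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, base, wildcard in entries:
        if entry_matches(address, base, wildcard):
            return action
    return "deny"

# Access list 10 as entered in step 7.
NAT_ACL = """ip access-list standard 10
permit 192.168.100.0 0.0.0.255
deny any
exit
"""

# Constructed mistake: the standard mask typed where the wildcard belongs.
WRONG_ACL = """ip access-list standard 10
permit 192.168.100.0 255.255.255.0
deny any
"""

if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.252.0"))  # step 4's example mask
    for name, text in (("correct", NAT_ACL), ("mistyped", WRONG_ACL)):
        acl = parse_standard_acl(text)
        for host in ("192.168.100.25", "192.168.101.25", "10.1.1.0"):
            print(name, host, evaluate(acl, host))
```

With the mistyped list, the LAN host is no longer selected for translation while any address ending in .0 is, which is why a NAT setup that silently stops working is worth checking against its wildcard first.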

8. Enable interfaces, and disable STP

You're almost ready to test your configuration. First, though, you need to ensure that each
interface is not in a shutdown state. To do so for FastEthernet4, type:
interface FastEthernet4
no shutdown
exit

You'll want to do this for every physical interface on your router.


At this point, you can disconnect the console cable and connect the PC to a LAN port on
the router with an Ethernet cable. You can then access the router by opening a Telnet
connection (preferably secured with SSH) to the router's LAN IP address. Keep the
console cable handy, though, in case you make a configuration change that prohibits
Telnet access. A Telnet client is included with most OSs.


You also might want to disable Spanning Tree Protocol (STP) on your internal LAN
interface(s) if your router allows that. If you plan on setting up a complex network of
switches on your network, then don't disable STP; but for a small network, disabling STP
lets your internal LAN devices connect to your router up to 30 seconds faster. For each
LAN interface (in my case, FastEthernet0 through FastEthernet3), enter
interface FastEthernet0
spanning-tree portfast
exit


9. Test your configuration

Now is a good time to save your configuration. Type


copy running-config startup-config

to save your work to nonvolatile memory and ensure that your configuration is retained
across router restarts, power outages, and so on.
You should also enter the command
show running-config

to output a copy of the configuration you just created to your screen. You can copy and
paste this configuration to a text editor for later reference. You can also edit the
configuration in a text editor and paste it into a terminal session to make changes to the
router. Your configuration should look similar to Listing 2 at this point. Note that Listing
2 omits many configuration lines that are automatically inserted or included by default.
Listing 2 focuses on the commands that you entered above.

You can now connect an Ethernet cable to the router's WAN port, and try to get on the
Internet. Note that your internal LAN hosts will need to use static IP addressing if you
don't have a DHCP server present.

What's Next?

The possibilities from here are endless. You will most certainly want to set up usernames
and passwords for access to your router, set up Telnet and/or SSH access (if you haven't
already), and limit that access to various IP addresses. You should also consider
modifying your access lists to deny private, non-routable (aka bogon) IP ranges from
being able to reach your network.

You can also make your router a DHCP server, set up VPN access with the router as an
endpoint, add NAT statements and access list entries to access a Web server on your
internal network from the Internet, or put an ISA Server firewall between your router and
your LAN clients. Over time, I've tweaked my setup to become much more complex than
the one presented in this article. Don't be afraid to read some additional documentation (I
highly suggest the Cisco Field Manual series published by Cisco Press), ask questions of
your resident Cisco gurus, and experiment!
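
An added example, not from the original article: a small Python audit that checks the Internet-facing interface against steps 4 through 6 and lists the generic permits that step 5 says to harden once the setup works. It assumes the configuration is available as text in indented block form; the sample is constructed, and a numbered list stored as one-line access-list statements is not parsed.

```python
import re
# Constructed sample in indented block form. Access list 101 is rebuilt from
# the step 4 prose; it is not a copy of the article's Listing 1 or Listing 2.
SAMPLE = """\
ip inspect name InspectRule tcp
interface FastEthernet4
 ip access-group 101 in
 ip nat outside
 ip inspect InspectRule in
interface BVI1
 ip nat inside
ip access-list extended 101
 permit udp any eq bootps any eq bootpc
 permit tcp any any
 permit udp any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
"""

def sections(config):
    """Group indented sub-commands under the top-level line that opens them."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            out[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            out[current] = []
    return out

def applied(body, pattern):
    """Return the name captured by pattern in an interface body, or None."""
    return next((m.group(1) for l in body if (m := re.fullmatch(pattern, l))), None)

def audit(config):
    """Check every NAT-outside interface against steps 4-6 of the article."""
    sec, findings = sections(config), []
    rules = {k.split()[3] for k in sec if k.startswith("ip inspect name ")}
    for head, body in sec.items():
        if not head.startswith("interface ") or "ip nat outside" not in body:
            continue
        if applied(body, r"ip inspect (\S+) in") not in rules:
            findings.append(f"{head}: no defined inspection rule applied inbound")
        number = applied(body, r"ip access-group (\S+) in")
        acl = sec.get(f"ip access-list extended {number}")
        if acl is None:
            findings.append(f"{head}: no inbound extended access list found")
            continue
        if acl[-1:] != ["deny ip any any"]:
            findings.append(f"{head}: access list {number} has no explicit final deny")
        for entry in acl:
            if re.fullmatch(r"permit (ip|tcp|udp) any any", entry):
                findings.append(f"{head}: generic '{entry}' in access list {number}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample, it reports the two generic TCP and UDP permits on FastEthernet4 and nothing else; the DHCP and ICMP entries pass because they name specific ports or message types.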


Discuss this Article


John (not verified)

on Jun 29, 2008

Thanks

Prince (not verified)

on Jun 2, 2008

Good Article..... it helps.... also one should refer to Cisco's ICND Books (2 Books) if this article
doesn't help

tmagner

on Oct 7, 2008

How do I get the remaining text of the article? There's no Next button or link and the article
ends with ...
