
CISCO ROUTER CONFIGURATION

2012-02-25

My private network is built around a Cisco 2620XM router and a Cisco Catalyst 3448-XL. My router's image is c2600-adventerprisek9-mz.124-25c.bin, and the switch's is c3500xl-c3h2s-mz.120-5.WC17.bin.

DSL connection

My router has a WIC-1ADSL card, which I use to connect to my ISP. Note that these settings might only work for my ISP (Teksavvy, in Ottawa).

vpdn enable
no ip cef
!
interface ATM0/0
 no ip address
 atm restart timer 300
 no atm ilmi-keepalive
 bundle enable
 !
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username your_username password 0 your_password
 ppp ipcp dns request accept
 ppp ipcp address accept
!
ip forward-protocol nd
! set default route to go through Dialer1 interface
ip route 0.0.0.0 0.0.0.0 Dialer1
! deny telnet access from outside.
access-list 120 deny tcp any any eq telnet
access-list 120 permit tcp any any
access-list 120 permit ip any any
dialer-list 1 protocol ip permit

With these settings, your DSL connection should come up. Any host outside your network will be able to reach TCP ports (except 23) on your network. Note that access-list 120 only filters telnet: any other service the router itself listens on is reachable from the outside unless you deny it here as well. More details on NAT follow below.

VLAN trunking

Consider the following configuration:
VLAN 1 hosts the 10.0.0.0/24 network
VLAN 3 hosts the 10.0.3.0/24 network
VLAN 10 hosts the 10.0.10.0/24 network
VLAN 1 and VLAN 3 can talk to each other and to the WAN
VLAN 10 can only talk to the WAN

interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ! gateway address for VLAN 3 (the DHCP pool below hands out 10.0.3.1 as default-router;
 ! 10.0.3.0 is the network address and is not a valid interface address)
 ip address 10.0.3.1 255.255.255.0
 ip access-group 103 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.10
 ! VLAN tag 10 for the guest network (a second "dot1Q 3" here would clash with the VLAN 3 subinterface)
 encapsulation dot1Q 10
 ! gateway address for VLAN 10, matching the DHCP pool and access-list 110 below
 ip address 10.0.10.1 255.255.255.0
 ip access-group 110 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly

A subinterface (i.e. 0/0.10) defines a VLAN. In this setup, interface FastEthernet0/0 handles VLANs 1, 3 and 10 by being split into three sub-interfaces. Note that with this configuration, nothing more needs to be done for inter-VLAN routing: by assigning an IP address to each subinterface, you tell the router how to route between VLANs.

With this configuration, all three networks will be able to talk to each other. To prevent VLAN 10 from talking to VLANs 1 and 3, you could do the following:

! applied inbound on FastEthernet0/0.1 (VLAN 1); numbered 101 to match the
! "ip access-group 101 in" on that subinterface
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit udp any any
! applied inbound on FastEthernet0/0.3 (VLAN 3)
access-list 103 deny ip 10.0.3.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 103 permit ip any any
access-list 103 permit udp any any
! applied inbound on FastEthernet0/0.10 (VLAN 10, the guest network)
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255
! deny telnetting into the gateway from the guest network
access-list 110 deny tcp 10.0.10.0 0.0.0.255 host 10.0.10.1 eq telnet
access-list 110 permit ip any any
! the "permit udp any any" entries are redundant after "permit ip any any" but harmless
access-list 110 permit udp any any
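The isolation these entries are meant to enforce (VLAN 10 reaches the WAN but not VLANs 1 and 3 and cannot telnet to its gateway; the WAN-facing list 120 from the DSL section drops only telnet) can be checked off-box before pasting the config. The following Python is an added example, not code from the original article: it parses extended numbered ACLs in the page's syntax and evaluates them first-match with Cisco wildcard masks; the outside address 203.0.113.7 is a constructed test value.

```python
import ipaddress

PORTS = {"telnet": 23, "www": 80, "domain": 53}  # names IOS accepts after "eq" (page-relevant subset)
# Constructed from the page's WAN-facing ACL 120 and guest-VLAN ACL 110.
ACL_CONFIG = """
access-list 120 deny tcp any any eq telnet
access-list 120 permit tcp any any
access-list 120 permit ip any any
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.10.0 0.0.0.255 10.0.3.0 0.0.0.255
access-list 110 deny tcp 10.0.10.0 0.0.0.255 host 10.0.10.1 eq telnet
access-list 110 permit ip any any
access-list 110 permit udp any any
"""

def _ip(s): return int(ipaddress.IPv4Address(s))
def _parse_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]
def _match(spec, addr):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard 1 bits are "don't care": compare only the 0 bits
    return (_ip(addr) & care) == (spec[0] & care)
def parse_acls(text):
    """Parse extended 'access-list N permit|deny proto src dst [eq port]' lines into {N: [entries]}."""
    acls = {}
    for tok in (line.split() for line in text.splitlines() if line.startswith("access-list")):
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
    return acls
def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins, as on IOS; 'ip' entries match every protocol; implicit deny at the end."""
    for action, p, s, d, port in entries:
        if p in ("ip", proto) and _match(s, src) and _match(d, dst) and port in (None, dport):
            return action
    return "deny"
def check_policy():
    """Exercise the page's stated policy; 203.0.113.7 is a constructed outside address."""
    acls = parse_acls(ACL_CONFIG)
    return {
        "wan_telnet_in": evaluate(acls["120"], "tcp", "203.0.113.7", "10.0.0.4", 23),
        "guest_to_vlan1": evaluate(acls["110"], "tcp", "10.0.10.120", "10.0.0.4", 80),
        "guest_telnet_gateway": evaluate(acls["110"], "tcp", "10.0.10.120", "10.0.10.1", 23),
        "guest_dns_gateway": evaluate(acls["110"], "udp", "10.0.10.120", "10.0.10.1", 53),
        "guest_to_wan": evaluate(acls["110"], "tcp", "10.0.10.120", "203.0.113.7", 443),
    }
```

Adding a new deny entry below an existing permit has no effect on IOS, so the evaluator is also a quick way to catch ordering mistakes when you extend these lists.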

DHCP

The following configuration will set up a DHCP server on the router with a different pool for each network.

! only hand out ip addresses from 10.0.0.100-10.0.0.149
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.150 10.0.0.255
! only hand out ip addresses from 10.0.3.100-10.0.3.149
ip dhcp excluded-address 10.0.3.1 10.0.3.99
ip dhcp excluded-address 10.0.3.150 10.0.3.255
! only hand out ip addresses from 10.0.10.100-10.0.10.149
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.10.150 10.0.10.255
!
ip dhcp pool pool_vlan1
 import all
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.1
ip dhcp pool pool_vlan3
 import all
 network 10.0.3.0 255.255.255.0
 default-router 10.0.3.1
 dns-server 10.0.3.1
ip dhcp pool pool_vlan10
 import all
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 10.0.10.1

DNS

To use the Cisco router as a DNS forwarder, the following simple configuration can be used:

ip dns server

NAT / Port forwarding

I never got port range forwarding to work on my router. I ended up writing 100 lines for a range of 100 ports, but that is not shown here for the sake of simplicity.

ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
! forward port 80 to 10.0.0.4:80
ip nat inside source static tcp 10.0.0.4 80 interface Dialer1 80
! enable NAT on Dialer1 interface for the inside networks matched by access-list 1
ip nat inside source list 1 interface Dialer1 overload
! access-list 1 must cover the inside networks; the three VLANs above are all in 10.0.0.0/16
! (the original listed 192.168.0.0 0.0.255.255 here, which would match none of them)
access-list 1 permit 10.0.0.0 0.0.255.255