This lab delves into configuring a Cisco 1812 router, a legacy device with 100 Mbps interfaces. While it might seem outdated, the lab focuses on functionalities still relevant in modern networks. This makes it a valuable resource for understanding Cisco IOS configuration principles.
However, it's important to acknowledge the limitations of the 1812. Cisco itself recommends using modern routers for real-world deployments. These newer routers boast Gigabit Ethernet interfaces and improved processing power, making them better equipped to handle today's network demands.
That being said, the configuration steps outlined in this lab can still be beneficial, particularly for those with a home Cisco IOS router. As long as you're aware of the 1812's hardware limitations, you can use the lab as a practical way to learn Cisco IOS configuration. Think of it as a training ground for the skills you'd need on a more powerful router in a demanding network environment.
Lab Objectives:
Configure the router to act as a:
- DNS and DHCP server for internal LAN devices
- Secure Shell (SSH) server for remote access
- Network Address Translator (NAT) using Port Address Translation (PAT) for Internet access
- NTP client to synchronize time
- Point-to-Point Protocol over Ethernet (PPPoE) client for Internet connection
- Dynamic DNS (DDNS) client for dynamic IP management
Hardware CISCO1812/K9:
- RAM: 256 MB
- Flash: 64 MB
- IOS: c181x-advipservicesk9-mz.151-4.M12a.bin
Figure 1 - Home Network with Cisco 1812 Router
The final configuration, which we will build in the following sections, is stored in the R1-config.txt file. We have removed sensitive information such as usernames, passwords, and password hashes, and replaced them with fabricated data.
1. Hostname and Boot Particular IOS Image
The user mode (initial prompt) offers limited access. To configure the router, you need to enter privileged mode. Use the enable command at the user mode prompt:
R1> enable
Enter configuration mode:
R1# conf term
Create a user account with the highest privilege level (privilege level 15) on the router; in our configuration it is named "admin", shown below as the placeholder your-username. This account has full administrative access to the router, equivalent to entering the "enable" command.
R1(config)# username your-username privilege 15 secret your-password
Set the hostname of the Cisco router to "R1".
Router(config)# hostname R1
Specify the Cisco IOS image that the router should boot from upon startup. This command is useful in scenarios where multiple IOS images are stored in the flash memory of the router, allowing the administrator to specify which image should be used for booting.
R1(config)# boot system flash c181x-advipservicesk9-mz.151-4.M12a.bin
Note: If there is no IOS image specified with the boot system command on a Cisco router, the router will attempt to boot from the first IOS image it finds in flash memory.
2. Console, Privileged Mode and VTY Lines
Hardening access to a Cisco router covers three areas: the console line, privileged EXEC mode, and the VTY lines.
2.1 Hardening access to console line
Enter line configuration mode for the console port. Configure the router to use locally configured username and password for console login authentication. Users will be prompted for a username and password when accessing the console port.
Set the exec timeout to 0, meaning console sessions will not be automatically terminated due to inactivity (this disables idle logout entirely; on a production device prefer a finite timeout). Enable synchronous logging to prevent log messages from disrupting command input on the console port.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 0
R1(config-line)# logging synchronous
2.2 Hardening access to privileged mode
Configure a password for privileged EXEC mode. This password restricts access to privileged mode, which allows users to make configuration changes. In our case, the password is cisco.
R1(config)# enable secret cisco
2.3 Hardening access to VTY lines and SSH server configuration
Enter line configuration mode for VTY lines 0 through 15. Enable local authentication, meaning users will be authenticated against the locally configured username and password database. Only SSH transport protocol will be allowed for accessing the VTY lines.
R1(config)# line vty 0 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 0
R1(config-line)# logging synchronous
Set the SSH version to 2, which is more secure than SSH version 1 and should always be preferred. Configure the domain name used when generating the RSA key pair; a domain name is required for key generation and helps keep the generated keys unique.
Finally, generate the RSA key pair for the router with a modulus size of 4096 bits, which provides stronger security for SSH connections.
R1(config)# ip ssh version 2
R1(config)# ip domain-name home.local
R1(config)# crypto key generate rsa modulus 4096
Block password-guessing attacks. If someone makes 3 unsuccessful login attempts within 60 seconds, the router blocks further login attempts for 120 seconds. Authentication retries within a session are limited to two, the SSH negotiation timeout is lowered to 60 seconds, and failed attempts are logged.
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# ip ssh authentication-retries 2
R1(config)# ip ssh time-out 60
R1(config)# login on-failure log
Enable logging for SSH-related events on a Cisco router. When this command is configured, the router will generate log messages for various SSH-related events, such as successful or failed SSH connections.
R1(config)# ip ssh logging events
Note: To restrict SSH access to the router only from devices within the subnet 192.168.88.0/24, create a standard named access list VTY-ACL:
R1(config)# ip access-list standard VTY-ACL
R1(config-std-nacl)# permit 192.168.88.0 0.0.0.255
Apply the access list to VTY lines:
R1(config)# line vty 0 15
R1(config-line)# access-class VTY-ACL in
2.4 SSH negotiation issue between Linux SSH client and Cisco router
A Linux OpenSSH client cannot connect to the VTY lines of the legacy Cisco 1812 and fails with the error message:
Unable to negotiate with 192.168.88.1 port 22: No matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Here is the log from the Cisco 1812 router:
*Apr 30 18:33:27.523: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec1
A temporary workaround is to use the diffie-hellman-group1-sha1 KEX algorithm when connecting to the Cisco 1812 router:
$ ssh admin@192.168.88.1 -o KexAlgorithms=+diffie-hellman-group1-sha1
For a permanent workaround, append the required cipher (Ciphers) and key-exchange (KexAlgorithms) settings to the end of the ssh_config file on your Linux host. This ensures compatibility with the Cisco 1812 router. After adding these lines, restart the SSH service to apply the changes.
$ echo -e "\n# Access to legacy Cisco 1812" | sudo tee -a /etc/ssh/ssh_config
$ echo "Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" | sudo tee -a /etc/ssh/ssh_config
$ echo "KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" | sudo tee -a /etc/ssh/ssh_config
Finally, restart ssh service:
$ sudo systemctl restart ssh
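Appending bare Ciphers and KexAlgorithms lines to /etc/ssh/ssh_config replaces OpenSSH's default lists for every host. The script below, an added example that is not part of the original lab, scopes the legacy settings to the router with a Host stanza and the "+" prefix so other connections keep modern defaults; the HostKeyAlgorithms line is an assumption for clients running OpenSSH 8.8 or newer.

```shell
#!/bin/sh
# Added example (not from the original lab): scope the legacy KEX/cipher
# settings to the Cisco 1812 only, instead of appending them globally.
# The "+" prefix appends to OpenSSH's default list rather than replacing it.

# write_legacy_ssh_stanza CONFIG_FILE ROUTER_IP
# Appends a Host block for ROUTER_IP to CONFIG_FILE (e.g. ~/.ssh/config).
# Idempotent: does nothing if a block for that host already exists.
write_legacy_ssh_stanza() {
    cfg="$1"
    host="$2"
    if [ -f "$cfg" ] && grep -q "^Host $host\$" "$cfg"; then
        echo "stanza for $host already present in $cfg" >&2
        return 0
    fi
    cat >> "$cfg" <<EOF

# Access to legacy Cisco 1812 (IOS 15.1 only offers SHA-1 based KEX)
Host $host
    # group14 (2048-bit) is the strongest of the three methods the router offers
    KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
    Ciphers +aes256-cbc,aes192-cbc,aes128-cbc
    # Assumption: OpenSSH 8.8+ disables SHA-1 RSA host-key signatures by default
    HostKeyAlgorithms +ssh-rsa
EOF
}

# has_legacy_stanza CONFIG_FILE ROUTER_IP -> exit status 0 if the block exists
has_legacy_stanza() {
    grep -q "^Host $2\$" "$1" 2>/dev/null
}

# Usage: write the per-user config and show what OpenSSH will actually offer.
if [ "${1:-}" = "--apply" ]; then
    write_legacy_ssh_stanza "$HOME/.ssh/config" 192.168.88.1
    if command -v ssh >/dev/null 2>&1; then
        ssh -G 192.168.88.1 | grep -iE '^(kexalgorithms|ciphers|hostkeyalgorithms)'
    fi
fi
```

Run it with --apply to update ~/.ssh/config; the client reads that file on every invocation, so no service restart is needed.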
3. VLAN Interface - Default Gateway Address, DNS and DHCP Server
3.1 VLAN interface
Configure the IP address 192.168.88.1 with a subnet mask of 255.255.255.0 on interface VLAN 1. The IP address represents a default gateway IP for the hosts on the LAN subnet 192.168.88.0/24.
R1(config)# int vlan 1
R1(config-if)# ip address 192.168.88.1 255.255.255.0
3.2 DNS server
Enable the DNS (Domain Name System) server functionality on a Cisco router. The router can act as a DNS server, allowing it to resolve domain names to IP addresses for devices on the network.
R1(config)# ip dns server
3.3 DHCP server
Configure a DHCP pool named "MY_DHCP" on the Cisco router, assigning IP addresses from the range 192.168.88.1 to 192.168.88.254 to DHCP clients. The default gateway and the DNS server handed to clients are both 192.168.88.1, and this address is excluded from DHCP assignment.
R1(config)# ip dhcp pool MY_DHCP
R1(dhcp-config)# network 192.168.88.0 /24
R1(dhcp-config)# default-router 192.168.88.1
R1(dhcp-config)# dns-server 192.168.88.1
R1(config)# ip dhcp excluded-address 192.168.88.1
4. PPPoE Client
Configure the router to establish a PPPoE client connection over the FastEthernet interface, authenticate using CHAP, and obtain IP addressing information dynamically from the PPPoE server.
Remove the previously assigned IP address from the FastEthernet interface. Enable PPPoE on the interface using the global group settings. Configure the interface as a PPPoE client and assign it to dialer pool number 1.
R1(config)# interface fa0
R1(config-if)# no ip address
R1(config-if)# pppoe enable group global
R1(config-if)# pppoe-client
R1(config-if)# pppoe-client dial-pool-number 1
R1(config-if)# exit
Configure the Dialer1 interface with PPP encapsulation and dynamic IP address negotiation. Set the maximum transmission unit (MTU) to 1452, and associate it with dialer pool number 1.
Configure CHAP (Challenge Handshake Authentication Protocol) authentication for incoming calls and specify the CHAP hostname and password.
Configure IPCP (Internet Protocol Control Protocol) to obtain the default gateway and DNS server IP address from the PPPoE server. Finally, disable CDP (Cisco Discovery Protocol) on the Dialer 1 interface.
R1(config)# int dialer 1
R1(config-if)# encapsulation ppp
R1(config-if)# ip address negotiated
R1(config-if)# mtu 1452
R1(config-if)# dialer pool 1
R1(config-if)# ppp authentication chap callin
R1(config-if)# ppp chap hostname your_username@yourdomain
R1(config-if)# ppp chap password 0 your_password
R1(config-if)# ppp ipcp route default
R1(config-if)# ppp ipcp dns request
R1(config-if)# no cdp enable
Permit the IP protocol for dialer group 1 (this dialer list defines the interesting traffic for the Dialer1 interface):
R1(config)# dialer-list 1 protocol ip permit
To check if the PPPoE session connection has been established successfully, use the following command:
R1# show ppp all
Figure 2 - Checking PPPoE Connection
To display information about the caller za-post-bras-1, we use the command below.
R1# show caller user za-post-bras-1
Figure 3 - Checking PPPoE Call
- Caller User: za-post-bras-1 - This identifies the username assigned to the PPP (Point-to-Point Protocol) connection.
- Assigned IP: 95.103.181.195 - This is the IP address allocated by the ISP (Internet Service Provider) to the dialer 1 interface on the router.
- Remote Peer: 213.81.232.250 - This indicates the IP address of the remote peer (likely the ISP) that the router is connected to.
- State: Up - This confirms that the PPP connection is currently active and functioning.
- Duration: 15:40:57 - This shows the total duration for which the PPP connection has been active. In this case, it's been up for 15 hours, 40 minutes, and 57 seconds.
5. Network Address Translation (NAT)
Set up NAT on a Cisco router, with VLAN1 designated as the inside interface and Dialer1 as the outside interface. NAT translation is configured on the Dialer1 interface. It allows multiple internal hosts in LAN network to share a single public IP address when accessing external networks. This is a form of the NAT called Port Address Translation (PAT).
R1(config)# int vlan1
R1(config-if)# ip nat inside
R1(config)# interface dialer 1
R1(config-if)# ip nat outside
A standard access list (ACL) identifies the internal traffic (192.168.88.0/24) eligible for translation; numbered ACLs take a wildcard mask rather than prefix notation:
R1(config)# access-list 1 permit 192.168.88.0 0.0.0.255
R1(config)# ip nat inside source list 1 interface Dialer1 overload
6. Network Time Protocol (NTP)
Set up NTP on the Cisco router by configuring it to use the public NTP server "0.sk.pool.ntp.org" for time synchronization. Additionally, create a new timezone named "UTC+1" with an offset of +1 hour from Coordinated Universal Time (UTC). It ensures that the router's internal clock aligns with the specified timezone for accurate timekeeping and logging purposes.
R1(config)# ntp server 0.sk.pool.ntp.org
R1(config)# clock timezone UTC+1 +1
7. Logging
Configure logging to buffer (RAM) messages up to 32,768 bytes.
R1(config)# logging buffered 32768
Set the console logging level to errors, ensuring only error-level messages are displayed on the console.
R1(config)# logging console errors
Configure monitoring logging level to informational, allowing the router to display informational-level messages on the monitor terminal.
R1(config)# logging monitor informational
R1(config)# exit
Create the directory structure "flash:/var/log/" for storing persistent logs:
R1# mkdir flash:/var
R1# cd flash:/var
R1# mkdir log
R1# cd flash:/
Set up persistent logging to flash memory, allocating space for logs with a maximum size of 100,000 bytes and setting the maximum log file size to 100,000 bytes as well. Logs will be stored in the "flash:/var/log/" directory.
R1(config)# logging persistent url flash:/var/log/ size 100000 filesize 100000
8. Dynamic DNS (DDNS)
DDNS automatically updates your network's DNS record with your current public IP address. This ensures you can access your network remotely using a simple, consistent hostname, even if your IP address changes.
Before proceeding with the DDNS setup on the router, ensure to create an account at Dynu and configure your hostname and password accordingly. Then, update the hostname and password in the provided configuration:
R1(config)# ip dns server
R1(config)# ip ddns update method DYNU
R1(DDNS-update-method)# HTTP
R1(DDNS-HTTP)# add http://api.dynu.com/nic/update?hostname=a102.mywire.org&password=yourpassword
R1(DDNS-HTTP)# interval maximum 0 0 5 0
R1(DDNS-update-method)# exit
R1(config)# interface dialer 1
R1(config-if)# ip ddns update hostname dynu.com
R1(config-if)# ip ddns update DYNU
Note: Interval = day, hour, minute, second
Note: To insert the special character ? in the IP update URL, first you need to use the combination of Ctrl+v and then Shift+?.
Conclusion
The lab you've completed focused on configuring essential features for a Cisco router, mirroring best practices used in modern network setups. Think of this configuration as a blueprint – when applied to a powerful, high-performance router, it can form the backbone of a robust network.
This lab serves as a valuable learning experience, but it's important to consider the hardware limitations of the specific router used. While the configuration itself is relevant, real-world deployments would benefit from a modern router with faster processing power and Gigabit Ethernet interfaces to handle the demands of today's networks.