Archive for the 'Cisco Routers' Category
DHCP stands for Dynamic Host Configuration Protocol. It is the mechanism that assigns IP addresses to hosts dynamically. Usually DHCP is a service running on a server machine in the network, which hands out dynamic IP addresses to hosts. All Cisco 800 series models can work as DHCP servers themselves and assign addresses to the internal LAN hosts. Without a DHCP server in the network, you would have to assign an IP address manually to each host; these manually assigned addresses are also called “static IP addresses”.
In this post I will show you how to configure a Cisco 851 or 871 router to work as a DHCP server. The same configuration applies to other 800 series models as well.
Router> enable
Router# config t
! define an IP address pool name and range
Router(config)# ip dhcp pool LANPOOL
! define a network range for the addresses that will be assigned
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
! define a dns name to assign to clients
Router(dhcp-config)# domain-name mycompany.com
! define a default gateway for the clients
Router(dhcp-config)# default-router 192.168.1.1
! define the dns server for the clients
Router(dhcp-config)# dns-server 100.100.100.1
! define a WINS server if you have one
Router(dhcp-config)# netbios-name-server 192.168.1.2
Router(dhcp-config)# exit
! The following addresses will not be given out to clients
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
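A check that belongs next to this pool: the default router (192.168.1.1) and the WINS server (192.168.1.2) both live inside the pool's subnet, so they must fall within the excluded range or the router may lease one of them to a client. The Python script below is an added example, not part of the post; it parses the same commands as they appear in a running-config (constructed here, prompts stripped), reports any in-subnet server address that is not excluded, and counts the addresses left for leasing. The function names are mine.

```python
import ipaddress

# Constructed sample: the DHCP pool and exclusion from this post as they appear in
# "show running-config" (prompts stripped); the '!' separator is IOS convention.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LANPOOL
 network 192.168.1.0 255.255.255.0
 domain-name mycompany.com
 default-router 192.168.1.1
 dns-server 100.100.100.1
 netbios-name-server 192.168.1.2
"""

SERVER_ROLES = ("default-router", "dns-server", "netbios-name-server")


def parse_dhcp(config):
    """Return (pool network, {role: [addresses]}, [(low, high) exclusions])."""
    network, servers, excluded = None, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("ip dhcp excluded-address"):
            # A single address or a low/high pair; both ends inclusive.
            low = ipaddress.ip_address(parts[3])
            high = ipaddress.ip_address(parts[4]) if len(parts) > 4 else low
            excluded.append((low, high))
        elif line.startswith("network "):
            network = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts and parts[0] in SERVER_ROLES:
            servers[parts[0]] = [ipaddress.ip_address(a) for a in parts[1:]]
    return network, servers, excluded


def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)


def audit_pool(config):
    """Flag servers inside the pool subnet that are not excluded; count leasable hosts."""
    network, servers, excluded = parse_dhcp(config)
    conflicts = []
    for role, addrs in servers.items():
        for addr in addrs:
            # A server that lives in the pool's subnet must be excluded, otherwise
            # the router may lease its address to a client and cause a conflict.
            if addr in network and not is_excluded(addr, excluded):
                conflicts.append((role, str(addr)))
    leasable = sum(1 for h in network.hosts() if not is_excluded(h, excluded))
    return {"network": str(network), "conflicts": conflicts, "leasable": leasable}


if __name__ == "__main__":
    print(audit_pool(SAMPLE_CONFIG))
```

For the pool above the script reports no conflicts and 244 leasable addresses (254 hosts minus the ten excluded). Remove the excluded-address line and it flags both 192.168.1.1 and 192.168.1.2, which is exactly the misconfiguration the exclusion is there to prevent.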
Cisco manufactures routers for all markets, ranging from SOHO up to large service provider models. The Cisco Router 800 series belongs to the lowest SOHO end. The most popular models in the 800 series are the 850 and 870 broadband access models which come with different types of WAN broadband interfaces (the difference between 850 and 870 is that the 870 models have higher throughput, support 10 VPN tunnels instead of 5 and also support VLANs with the proper IOS version). The 851 and 871 are equipped with a 10/100 Ethernet WAN interface which means that your ISP should provide you with a broadband modem offering an Ethernet connection towards the customer.
I’m getting a lot of questions about the interfaces of 851/871 routers and how they are arranged. I hope this post will clarify some things. The figure below shows the back panel of Cisco Router 851/871.

Ports FE0 up to FE3 under the LAN group can be used to connect internal computers, or an internal switch to expand the number of internal ports (see points 1 and 2 in the figure above). These ports are actually Layer 2 switch ports, not regular Layer 3 router ports. They are assigned by default to VLAN 1. You can create more VLANs and assign each port to a different VLAN (870 series), thus creating extra segmentation for your internal LAN. You cannot configure IP addresses directly on these ports; the IP address must be configured on interface Vlan 1 (we will see an example below).
Port FE4 is the WAN interface, which must be connected to the ISP DSL broadband modem (see point 3 in the figure above). This port is a normal Layer 3 router port, which means you can configure an IP address directly on the interface.
Default Configuration for 851 – 871 Router
The Cisco 851 and 871 routers come with some preconfigured parameters (IP addresses etc) which might be in conflict with your current network topology. What I suggest is to erase the factory’s default startup configuration before you begin configuring your router for the first time. This allows you to start with a clean state and configure the router with all the features you need and leave off any that you don’t want. Connect with a console cable and after you get a command prompt execute the following:
Router> enable
Router# erase start
After you confirm the command, all the default configuration will be deleted. Power off the router device and then power on again. You will get a prompt as below:
Would you like to enter the initial configuration dialog [yes/no]
Type no and press Enter. This will give you a command prompt (Router>) and you are ready to configure your router from scratch.
Type show run to see the current configuration which looks like the following:
(some output omitted)
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
duplex auto
speed auto
interface Vlan1
no ip address
Initial Interface Configuration
From the above output you can see that FE0 up to FE3 are shut down and that no IP addresses are configured on any port. You first need to enable FE0 to FE4 and then configure an IP address under “interface Vlan1” and also under “interface FastEthernet4”. Notice that you CANNOT configure IP addresses under the “interface FastEthernet0” to “interface FastEthernet3” ports. Those ports are Layer 2 switch ports and will inherit the IP address you assign under “interface Vlan1”.
Example:
Assume that the internal LAN has IP network range 192.168.10.0/24. Also, our ISP has assigned us a static public IP address of 200.200.200.1 . Let’s see the interface configuration below:
Router(config)# interface fastethernet 0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 1
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 2
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 3
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface fastethernet 4
Router(config-if)# no shutdown
Router(config-if)# ip address 200.200.200.1 255.255.255.252
Router(config-if)# exit
Router(config)# interface vlan1
Router(config-if)# no shutdown
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# exit
Notice that we configured IP addresses only on fastethernet 4 and vlan1. By default, interfaces fastethernet 0 to 3 are assigned to VLAN1, so anything you connect to those interfaces (internal LAN hosts) will belong to the vlan1 network range 192.168.10.0/24 and must use 192.168.10.1 as its default gateway.
For low-budget firewall functionality, a Cisco router with the proper IOS version can work as a network firewall providing stateful protocol inspection using the Context-Based Access Control (CBAC) feature. Many people use normal Access Control Lists on Cisco routers for traffic filtering and protection. However, a normal ACL is just a static packet filtering mechanism. With a CBAC configuration, the router acts like a firewall: it inspects protocols and sessions and keeps the state of each connection in memory. An outbound packet (from inside the network to the outside) is inspected and the connection state of the session is stored. The reply packet which belongs to the original outbound connection is then allowed to pass through the router/firewall and reach the internal system which originated the connection. The IOS Firewall CBAC mechanism achieves this stateful behaviour by opening temporary holes in an Access List to let the reply packets through.
A normal ACL checks traffic up to the transport layer. CBAC on the other hand inspects traffic up to the application layer to learn about the state of the session and to apply firewall filtering on the specific application. The protocols supported by CBAC for inspection are the following:
CUSeeMe Protocol, ftp, h323, http, rcmd, realaudio, rpc, smtp, sqlnet, streamworks, tcp, tftp, udp, vdolive. CBAC also helps to protect against DoS attacks such as SYN floods or fragmentation attacks.
CBAC is applied either inbound or outbound on a specific router interface. CBAC applied “Inbound” on an interface inspects traffic entering the interface and CBAC applied “Outbound” on an interface inspects traffic exiting the interface. CBAC cooperates with an ACL applied on the same interface in order to provide the stateful firewall functionality that we described above. Let's see a simple example below.

In the figure above, assume that there is an inbound ACL applied on S0 on the router. The ACL is configured to block Telnet traffic initiated from the outside. Assume also that there is a CBAC rule applied “outbound” on S0. An internal user (User1) initiates a Telnet session from inside to outside. When the connection request for User1's Telnet session passes through the firewall, CBAC inspects the Telnet traffic as it exits interface S0 and creates a temporary opening in the inbound access list at S0 to permit returning Telnet traffic for User1's Telnet session. (If the same access list is applied to both S0 and S1, the same opening would appear at both interfaces.)
Important Note: CBAC which inspects outbound traffic from an interface, will create temporary openings on the Access List which is applied Inbound on the interface. This is required to allow the return packets to pass through the ACL.
Let us see a configuration example below to get a better picture.
Configuration Example:
Refer to the diagram below for our configuration example:

We have a border Cisco router connecting the internal LAN 192.168.1.0/24 to the Internet. We have a static public IP address 50.50.50.1 on interface Serial0/0. Also, we have a DMZ segment (interface FE0/0) hosting a DMZ Web Server 10.1.1.1. We want to allow access from the Internet towards the Web Server only. We use static NAT to hide the Web server's private address behind our public address. Also, we use PAT on interface S0/0 for all outbound communication from the internal LAN towards the Internet.
Let's see a snapshot of the configuration below:
! Create the outbound CBAC inspection rules
ip inspect name CBAC-IN-OUT tcp
ip inspect name CBAC-IN-OUT ftp
ip inspect name CBAC-IN-OUT h323
ip inspect name CBAC-IN-OUT rcmd
ip inspect name CBAC-IN-OUT http
ip inspect name CBAC-IN-OUT netshow
ip inspect name CBAC-IN-OUT realaudio
ip inspect name CBAC-IN-OUT rtsp
ip inspect name CBAC-IN-OUT sqlnet
ip inspect name CBAC-IN-OUT streamworks
ip inspect name CBAC-IN-OUT tftp
ip inspect name CBAC-IN-OUT udp
ip inspect name CBAC-IN-OUT vdolive
! Create the inbound CBAC to inspect inbound HTTP
ip inspect name CBAC-OUT-IN http
! DMZ interface
interface FastEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! Internal LAN interface
interface FastEthernet0/1
ip address 192.168.1.254 255.255.255.0
ip nat inside
full-duplex
no cdp enable
!
! External Internet Interface
! Notice that we apply an inbound ACL and CBAC rules for both in and out inspection
interface Serial0/0
description CONNECTED TO INTERNET
bandwidth 1024
ip address 50.50.50.1 255.255.255.252
ip access-group FIREWALL in
ip nat outside
ip inspect CBAC-OUT-IN in
ip inspect CBAC-IN-OUT out
ip nat inside source list 122 interface Serial0/0 overload
ip nat inside source static tcp 10.1.1.1 80 50.50.50.1 80 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 50.50.50.2
! This ACL will be used by the CBAC out rule to open temporary holes for return traffic
ip access-list extended FIREWALL
permit icmp any any echo-reply
permit tcp any host 50.50.50.1 eq 80
deny ip any any log
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
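To make the interaction between the static FIREWALL list and the outbound inspection rule concrete, here is a small Python model of the mechanism described in the Telnet example above and implemented by the configuration just shown. It is an added example, not code from the post or from Cisco: the ACL text is the FIREWALL list copied from the configuration, the parser handles only the ACL syntax used there (`any`, `host`, `eq`, an ICMP type, `log`), outbound inspection is reduced to the generic tcp/udp entries of CBAC-IN-OUT, addresses are taken as they appear on Serial0/0 (after PAT and the static NAT), and the outside hosts in 203.0.113.0/24 as well as all class and function names are mine.

```python
from dataclasses import dataclass

# Constructed inbound ACL: the FIREWALL list from the post, as applied "in" on Serial0/0.
FIREWALL_ACL = """\
permit icmp any any echo-reply
permit tcp any host 50.50.50.1 eq 80
deny ip any any log
"""
# Protocols tracked by the outbound inspection rule (the generic part of CBAC-IN-OUT).
INSPECT_OUT = {"tcp", "udp"}


@dataclass(frozen=True)
class Packet:
    # Addresses are as seen on Serial0/0, i.e. after PAT / static NAT (assumption).
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-reply"; empty for tcp/udp


def _take_addr(tokens, i):
    # Consume 'any' or 'host A.B.C.D' at tokens[i]; return (address, next index).
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def parse_acl(text):
    """Parse the subset of IOS extended-ACL syntax used in the post."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _take_addr(tokens, 2)
        dst, i = _take_addr(tokens, i)
        dport, icmp_type = None, None
        while i < len(tokens):
            if tokens[i] == "eq":
                dport, i = int(tokens[i + 1]), i + 2
            elif tokens[i] == "log":          # logging does not change the verdict
                i += 1
            else:
                icmp_type, i = tokens[i], i + 1
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "dport": dport, "icmp_type": icmp_type})
    return entries


def acl_match(entry, pkt):
    return (entry["proto"] in ("ip", pkt.proto)
            and entry["src"] in ("any", pkt.src)
            and entry["dst"] in ("any", pkt.dst)
            and entry["dport"] in (None, pkt.dport)
            and entry["icmp_type"] in (None, pkt.icmp_type))


def acl_decide(entries, pkt):
    """Static ACL: first matching entry wins, implicit deny at the end."""
    for entry in entries:
        if acl_match(entry, pkt):
            return entry["action"]
    return "deny"


class InspectedInterface:
    """An interface with an inbound ACL plus an outbound 'ip inspect' rule."""
    def __init__(self, acl_text, inspect_protocols):
        self.acl = parse_acl(acl_text)
        self.inspect = set(inspect_protocols)
        self.sessions = set()   # 5-tuples of inspected outbound flows

    def outbound(self, pkt):
        # No outbound ACL in the post, so everything leaves; inspected protocols
        # are recorded so that their replies get a temporary opening.
        if pkt.proto in self.inspect:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        # A reply to a recorded session bypasses the static ACL (the "temporary hole").
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.sessions:
            return "permit (CBAC session)"
        return acl_decide(self.acl, pkt)


def demo():
    """Replay the post's Telnet scenario; the 203.0.113.0/24 hosts are constructed."""
    s0 = InspectedInterface(FIREWALL_ACL, INSPECT_OUT)
    return {
        "telnet out": s0.outbound(Packet("tcp", "50.50.50.1", "203.0.113.5", 40000, 23)),
        "telnet reply": s0.inbound(Packet("tcp", "203.0.113.5", "50.50.50.1", 23, 40000)),
        "unsolicited telnet": s0.inbound(Packet("tcp", "203.0.113.5", "50.50.50.1", 50000, 23)),
        "http to dmz": s0.inbound(Packet("tcp", "203.0.113.9", "50.50.50.1", 51000, 80)),
        "ping reply": s0.inbound(Packet("icmp", "203.0.113.9", "50.50.50.1", icmp_type="echo-reply")),
    }
```

Running `demo()` shows the two halves of the design: the Telnet reply is admitted only because the outbound request was inspected first (the static list alone would deny a packet to port 40000), an unsolicited Telnet connection from outside hits `deny ip any any log`, and HTTP to 50.50.50.1 port 80 passes on the static `permit` entry, which is the permanent hole the DMZ web server needs. The real router also ages sessions out and inspects application state; this model keeps only the session table to isolate the ACL-plus-inspection logic.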
This post is by no means an exhaustive tutorial about Cisco Routers and how to configure their numerous features. It is just a step-by-step guide for the most basic configuration needed to make the router operational. When you first power on a new Cisco Router, you have the option of using the “setup” utility which allows you to create a basic initial configuration. However, in this post I will show you how to do this basic setup with the Command Line Interface (CLI). Mastering the Cisco Router CLI is essential for more complex configuration tasks and it is the most important knowledge you should acquire if you want to become a Cisco network administrator.
The basic CLI modes that we will be referring to below are as follows:
Router> <-- User EXEC Mode
Router# <-- Privileged EXEC mode
Router(config)# <-- Global Configuration Mode
Router(config-if)# <-- Interface Configuration Mode
Router(config-line)# <-- Line Configuration Mode
I assume that you already have some basic knowledge of CLI and how to navigate between different configuration modes (user mode, privileged exec mode etc), so let’s get started:
Step 1: Configure Access Passwords
The first step is to secure your access to the router by configuring a global secret password and also passwords for Telnet or Console as needed.
Enter into Global Configuration mode from the Privileged EXEC mode:
Router# configure terminal <-- Privileged EXEC mode
Router(config)# <-- Global Configuration Mode
In Global Configuration Mode you configure parameters that affect the whole router device. Here we will configure the Enable Secret password that you will be using from now on to enter Privileged EXEC Mode from User EXEC Mode. Type the password itself without quotes, since IOS takes the argument literally and any quotes would become part of the secret (somestrongpassword below is a placeholder for your own password).
Router(config)# enable secret somestrongpassword
From now on, when you log in from user EXEC mode you will be asked for a password.
It is also suggested to configure a password for the Telnet lines (VTY lines), which will secure your access when connecting via Telnet over the network (strongTelnetPass below is a placeholder):
Router(config)# line vty 0 4
Router(config-line)# password strongTelnetPass
Router(config-line)# login
Step 2: Configure a Router Hostname
To differentiate your Router from other devices in the network, you should configure a Hostname for your device.
Router(config)# hostname My-Router
My-Router(config)#
Notice that your Router prompt changes to the new hostname that you have just set.
Step 3: Configure IP addresses for Router Interfaces
This is an essential step in order for your router to be able to forward packets in the network. The most basic parameter for a Router Interface is the IP address. From Global Configuration Mode you need to enter into Interface Configuration Mode:
My-Router(config)# interface serial 1/1
My-Router(config-if)# ip address 100.100.100.1 255.255.255.252
My-Router(config-if)# no shutdown
My-Router(config-if)# exit
My-Router(config)# interface fastethernet 0/1
My-Router(config-if)# ip address 192.168.10.1 255.255.255.0
My-Router(config-if)# no shutdown
My-Router(config-if)# exit
Step 4: Configure Routing (Static or Dynamic)
The Router’s main purpose is to find the best route path towards a destination network and forward packets according to the best path. There are two main ways a router knows where to send packets. The administrator can assign static routes, or the router can learn routes by using a dynamic routing protocol. For simple network topologies, static routing is preferred over dynamic routing. Let’s see how to configure static routes from Global Configuration Mode.
My-Router(config)# ip route [destination network] [subnet mask] [gateway]
My-Router(config)# ip route 200.200.200.0 255.255.255.0 100.100.100.2
The command above tells the router that network 200.200.200.0/24 is reachable via gateway address 100.100.100.2.
Another popular static route that we usually configure on Internet Border routers is the default static route:
My-Router(config)# ip route 0.0.0.0 0.0.0.0 50.50.50.1
The default static route above instructs the router to send all packets for which it has no more specific route entry to gateway address 50.50.50.1 (which might be the ISP gateway address).
Step 5: Save your configuration
Save your current running configuration into NVRAM. This will overwrite the startup configuration.
My-Router(config)# exit
My-Router# copy running-config startup-config
You can display your current configuration to verify your settings as follows:
My-Router# show running-config