Sunday, 11 April 2010

Branch Office Router Config

To branch or not to branch, that is the question?
I've been asked a few times this week for a branch office router configuration. I'm not a big fan of branch offices, as I would rather have one big office because it's easier to support. Nevertheless I agreed to show how this can be done, so here are branch offices and the problems with them.

1) There is most likely no IT staff on site, so hardware configuration can be a pain: if something breaks you have to send someone to fix it.
2) Staff at branch offices are often unregulated and therefore install anything they like, making them more likely to pick up malware and viruses, not to mention illegal downloading.

However there are ways around this.

So let's get down to the basics. Before you can start you need to set up security on the router. I personally like to use privilege levels to make sure only trusted admins have access; however, if you're the only admin you might just use enable passwords.

You might also want to turn off the web server used for configuration, as it's a security risk, but for this example I've left it on (up to you really).

service password-encryption
hostname [Router-Name]
enable secret [Some-Password]
enable password [Some-Other-Password]
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
password [Some-Password]
line vty 0 4
password [Some-Password]
ip domain name [Domain-name]
no ip domain lookup
username [Your-username] privilege 15 password [Your-password]

So those are your basic steps; you should now have enable password and console password protection at least, and a Telnet/SSH password as well.
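As an added check (not part of the original post), this small Python audit scans a saved running-config for the management-plane weak spots the section above mentions: the HTTP server left on, a reversible "enable password" kept alongside the secret, and vty lines that still accept Telnet because "transport input ssh" is missing. The sample config is constructed to mirror the placeholder lines above.

```python
# Constructed sample running-config mirroring the post's placeholder lines.
# In a real 'show running-config' the line/interface sub-commands are indented
# by one space, which the vty check below relies on.
SAMPLE_CONFIG = """\
service password-encryption
hostname BRANCH-RTR
enable secret 5 $1$PLACEHOLDER
enable password 7 PLACEHOLDER7
aaa new-model
aaa authentication login default local
ip http server
ip http secure-server
line con 0
 password 7 PLACEHOLDER7
line vty 0 4
 password 7 PLACEHOLDER7
"""

def vty_blocks(lines):
    """Collect the sub-command list of each 'line vty' block."""
    blocks, block = [], None
    for line in lines + [""]:            # sentinel flushes the last block
        if line.startswith("line vty"):
            block = []
            blocks.append(block)
        elif block is not None and line.startswith(" "):
            block.append(line.strip())
        else:
            block = None
    return blocks

def audit_management_plane(config):
    """Return the findings a reviewer would raise; an empty list means clean."""
    lines = config.splitlines()
    findings = []
    if "ip http server" in lines:
        findings.append("cleartext HTTP management enabled: use 'no ip http server'")
    if any(l.startswith("enable password") for l in lines):
        findings.append("'enable password' is reversible (type 7): keep only 'enable secret'")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' configured")
    for block in vty_blocks(lines):
        if "transport input ssh" not in block:
            findings.append("vty lines accept Telnet: add 'transport input ssh'")
    return findings

if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        print("-", finding)
```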

Now that we have a secure system we can start to add the configuration. The first thing is most likely the DHCP service: if you don't have a DHCP server in the branch office then you'll need to set this up.

In our example we are going to have two VLANs, so we will need two scopes, also known as pools. Another thing to note is the "import all" line: this imports the DHCP settings for DNS from your ISP (it doesn't work for PPPoE). You might not want to do this and can use dns-server if you want to configure it manually; there are times when you might want to do this, but that is too much detail for this blog.

ip dhcp excluded-address [Start-exclude-10] [End-exclude-10]
ip dhcp excluded-address [Start-exclude-20] [End-exclude-20]
service dhcp
ip dhcp pool VLAN10
network [Network10-ID] [Subnet-mask-10]
default-router [Gateway-10]
import all
domain-name [Domain-name]
lease 4
ip dhcp pool VLAN20
network [Network20-ID] [Subnet-mask-20]
default-router [Gateway-20]
import all
domain-name [Domain-name]
lease 4

So now you should have your two DHCP pools. Remember the gateway should be the VLAN interface address we are about to set up, and the IP ranges should match the VLAN IPs.

Before you can do that you need to set up the dialer interface. This time I'm going to use PPPoE; however, depending on how your internet is presented you could be using PPPoA.

PPPoE example
vpdn enable
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username [DSL-Username] password [DSL-Password]
ppp ipcp dns request
ppp ipcp address accept
access-list 1 permit [Network10-ID] [Reverse-mask-10]
access-list 1 permit [Network20-ID] [Reverse-mask-20]
dialer-list 1 protocol ip list 1
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended Guest-ACL
deny ip any [Network10-ID] [Reverse-mask-10]
permit ip any any
interface FastEthernet4
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
ip route 0.0.0.0 0.0.0.0 Dialer1


PPPoA example
interface ATM0
dsl operating-mode auto
exit
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
exit
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap sent-username [DSL-Username] password [DSL-Password]
ppp ipcp dns request
ppp ipcp address accept
access-list 1 permit [Network10-ID] [Reverse-mask-10]
access-list 1 permit [Network20-ID] [Reverse-mask-20]
dialer-list 1 protocol ip list 1
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended Guest-ACL
deny ip any [Network10-ID] [Reverse-mask-10]
permit ip any any
ip route 0.0.0.0 0.0.0.0 Dialer1
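Both dialer examples above use wildcard ("reverse") masks in access-list 1 and Guest-ACL, and the DHCP section earlier needs the gateway and excluded range to line up with each VLAN's subnet. The following Python script is an added example, not from the original post: it derives those placeholder values from a CIDR prefix per VLAN (constructed 192.168.10.0/24 and 192.168.20.0/24 addressing), renders the ACL lines, and evaluates Guest-ACL the way IOS does to confirm a guest packet to the internal VLAN is dropped while one to the internet is passed.

```python
import ipaddress

# Constructed example addressing; the post leaves these as [Network10-ID] etc.
VLANS = {10: ipaddress.ip_network("192.168.10.0/24"),   # internal
         20: ipaddress.ip_network("192.168.20.0/24")}   # guest

def dhcp_placeholders(net, reserved=10):
    """Values for one 'ip dhcp pool' plus its excluded range. The gateway is the
    first host (the BVI address) and the first `reserved` hosts are excluded
    so the router and any static devices never collide with a lease."""
    hosts = list(net.hosts())[:reserved]
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "gateway": str(hosts[0]), "exclude": (str(hosts[0]), str(hosts[-1]))}

def render_acls(vlans):
    """Render 'access-list 1' (NAT/dialer interesting traffic) and Guest-ACL.
    IOS wants the wildcard mask, which ipaddress exposes as hostmask."""
    lines = [f"access-list 1 permit {n.network_address} {n.hostmask}"
             for n in vlans.values()]
    internal = vlans[10]
    lines += ["ip access-list extended Guest-ACL",
              f" deny ip any {internal.network_address} {internal.hostmask}",
              " permit ip any any"]
    return lines

def guest_acl_permits(dst, vlans):
    """Evaluate Guest-ACL as IOS does: first matching entry wins, and an
    unmatched packet hits the implicit deny at the end of every ACL. The ACL
    is applied inbound on BVI20, so every packet it sees is guest-sourced."""
    entries = [("deny", vlans[10]), ("permit", None)]   # same order as rendered
    dst_ip = ipaddress.ip_address(dst)
    for action, net in entries:
        if net is None or dst_ip in net:
            return action == "permit"
    return False

if __name__ == "__main__":
    for vid, net in VLANS.items():
        print(f"VLAN{vid}:", dhcp_placeholders(net))
    print("\n".join(render_acls(VLANS)))
    # Guest to the internal gateway is denied; guest to the internet is permitted.
    print(guest_acl_permits("192.168.10.1", VLANS), guest_acl_permits("203.0.113.10", VLANS))
```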

Next we are going to assign the switch ports to VLANs. Note that FastEthernet4 may also be in use as the WAN port, depending on whether you are using PPPoE.

interface FastEthernet0
switchport access vlan 20
spanning-tree portfast
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast


Since we have WLAN in this example I'm also going to use a bridge interface so that both the FastEthernet ports and Dot11Radio0 can act as one on each VLAN; if you didn't have a WLAN then you could use the VLAN interfaces to assign the IP addresses to.

Before all of that you'll need to set up the wireless if your router has one; in this example it does, and we are going to set two SSIDs.

bridge irb
interface Dot11Radio0
encryption vlan 10 mode ciphers tkip
encryption vlan 20 mode ciphers tkip
ssid [WLAN20]
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii [WPA-secret-for-guests]
ssid [WLAN10]
vlan 10
authentication open
authentication key-management wpa
wpa-psk ascii [WPA-secret-for-internal]
channel [BG-channel]
no cdp enable
no dot11 extension aironet
interface Dot11Radio0.10
encapsulation dot1Q 10
no snmp trap link-status
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.20
encapsulation dot1Q 20
no snmp trap link-status
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

Now we need to create the bridge interfaces that will be used for the access list and VLAN assignment.

interface BVI20
description Bridge to Guest Network
ip address [Gateway-20] [Subnet-mask-20]
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
interface BVI10
description Bridge to Internal Network
ip address [Gateway-10] [Subnet-mask-10]
ip nat inside
ip virtual-reassembly
bridge 10 route ip
bridge 20 route ip


Next we need to create the VLANs and assign them to the bridge groups behind those bridge interfaces.

interface Vlan10
description Internal Network
ip nat inside
ip virtual-reassembly
bridge-group 10
bridge-group 10 spanning-disabled
interface Vlan20
description Guest Network
ip nat inside
ip virtual-reassembly
bridge-group 20
bridge-group 20 spanning-disabled

And finally the ACL and firewall, but I won't go into deep detail as I've covered this in other postings.

ip inspect name MYFW tcp
ip inspect name MYFW udp
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
int dialer1
ip inspect MYFW out
ip access-group Internet-inbound-ACL in

And this is now the end of the example; however, there is one more thing I'd like to add. I never like to give guest networks full-speed access to the internet at the expense of others, so I've added one last point about setting a rate-limit.

interface BVI20
rate-limit output access-group 102 16000 1000 2000 conform-action transmit exceed-action drop
rate-limit input access-group 102 16000 1000 2000 conform-action transmit exceed-action drop


102 = the access-list to match
16000 = average rate in bits/second
1000 = normal burst in bytes
2000 = maximum burst in bytes

The above example would limit anything matched in ACL 102 (imaginary) to approx 2 kbytes/second. That's a bit low, I know, but it's an example; normally I limit to around 512 kbytes.
