Cisco IOS basic configuration

Course: General networking (no course) Title: Cisco IOS basic configuration

Author: Thomas Ivarsson Last edit: March 16, 2012

Cisco IOS basic configuration

A brief introduction to the Cisco IOS

Basic navigation

The Cisco Internetwork Operating System (IOS) is built in hierarchical layers, each with its own functions, privilege level and purpose. The three base layers, or modes, are the user executive mode, the privileged executive mode and the global configuration mode. Each of the modes has its own prompt:

Router>            // user executive mode
Router#            // privileged executive mode
Router(config)#    // global configuration mode

There are also a number of special configuration modes, such as the interface, line and router configuration modes:

Router(config-if)#        // interface configuration mode
Router(config-line)#      // line configuration mode
Router(config-router)#    // router configuration mode

To navigate up one level in the hierarchy, for example from the user executive mode to the privileged executive mode, use the specific command for reaching that mode. To move back down, use the exit command. A few examples:

Router>enable
Router#configure terminal
Router(config)#exit
Router#configure terminal
Router(config)#interface FastEthernet 0/1
Router(config-if)#exit
Router(config)#line console 0
Router(config-line)#end
Router#disable
Router>

As can be seen from the last two commands, end and disable, there are actually a few commands besides exit that will let you move back down. The end command moves you directly from a special configuration mode back to the privileged executive mode, bypassing the global configuration mode. The disable command moves you from the privileged to the unprivileged executive mode. Using exit in privileged executive mode will disconnect you from the device.


A brief introduction to the different modes

The user executive mode is limited to examining the device. It is possible to get a good view of how the device is functioning by accessing only this mode. Though it's not possible to change any of the device configuration, a basic troubleshooting session can be conducted in this mode, giving enough information to decide whether the device is causing the problem.

The privileged executive mode has access to all the commands from the user executive mode, but it also adds commands for configuring the router and for handling its configuration. Once a user has access to the privileged executive mode, the user can access any configuration mode, so having privileged executive mode access can be compared to having root access in a Unix-like operating system.

Global configuration mode handles configuration that affects the device as a whole. The global configuration mode is also the level used to gain access to more specific configuration modes, such as the interface configuration mode, where configuration for a specific interface is made, or the router configuration mode, where a specific routing process (protocol) is configured.

A brief introduction to the command structure

The commands in Cisco IOS are multiple-word commands, where each keyword selects a branch in a tree of possible commands. In the previous section the configure terminal command was used to move from privileged executive mode to global configuration mode, but there are other commands starting with the keyword configure:

Router#configure ?
  confirm            Confirm replacement of running-config with a new config file
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  replace            Replace the running-config with a new config file
  revert             Parameters for reverting the configuration
  terminal           Configure from the terminal

As seen from the example, there are quite a few commands starting with the configure keyword in the privileged executive mode. Another thing worth noting is the question mark. By using the question mark you tell the device to list all possible commands based on the string of characters before the question mark. It can be used as in the example, as a way to find the commands that follow the configure command, or it can be used to find out what commands start with a specified group of characters, for example:

Router#con?
configure  connect

One more thing worth noting is that the IOS will interpret a command based on the characters given, allowing commands to be shortened if a keyword is the only command using that set of characters. While con is not enough for the device to tell that you mean configure, conf is: since no other command starts with conf, the device will interpret it as configure:

Router#con t
% Ambiguous command:  "con t"
Router#conf t
Router(config)#

When there's no ambiguity as to what keyword is being entered, the TAB key can be used to complete the word:

Router#con               // press TAB: 'con' is ambiguous so the result is 'con'
Router#con
Router#conf t            // press TAB: 't' is not ambiguous so the result is 'terminal'
Router#conf terminal

Naming the device

When a device is booted without a configuration file, it will take its name from the kind of device it is. It's a good idea to change this name, making it easier to identify which device one is connected to. The device name is also used by the Cisco Discovery Protocol (CDP), a link protocol used by Cisco devices to exchange information over a link. CDP can be quite useful when troubleshooting, and correct naming is surely a blessing when trying to document an undocumented network built with Cisco devices. To change the name of the device, enter global configuration mode and execute the following command:

Switch(config)#hostname LION
LION(config)#

Notice how the prompt changes, indicating that the word Switch (or Router in previous commands) actually was the name of the device. If you want to give the device a complete domain name, such as lion.example.com, you add the domain name as a separate configuration command:

LION(config)#ip domain-name example.com

The domain name is actually a sub-command to the ip keyword, indicating its connection to the Internet Protocol (IP). The domain name configured with the command will be the default domain name, used when querying the DNS for IP addresses or doing a reverse look-up.

DNS look-up and the 'no' keyword

When speaking of look-ups, the Cisco IOS has a somewhat annoying feature (annoying if you don't know about it): whenever you feed it an IP address as a command in user or privileged executive mode, the device will try to make a telnet connection to that IP address. Example:

Router>192.168.231.11
Trying 192.168.231.11 ...

The IP address is interpreted as the command telnet - this is not the annoying part. The problem is that anything that can be interpreted as a name or FQDN will also result in an attempt to make a telnet connection. In fact, any string of characters that can't be interpreted as a command but can be interpreted as a name will result in an attempted telnet connection. Example:

Router#not-a-command
Translating "not-a-command"...domain server (255.255.255.255)
Translating "not-a-command"...domain server (255.255.255.255)
Translating "not-a-command"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address

The device in the example tries to find a DNS server (at the broadcast address 255.255.255.255), waiting for a time-out on every translation attempt. There are two ways around this waiting period. Either you have a working DNS server that can tell the device that there's no host named not-a-command, or you disable DNS look-up altogether. To configure one (or more) DNS servers for the device to use, the ip name-server command is used once for every server:

Router(config)#ip name-server 192.168.231.10

To disable DNS look-ups, use:

Router(config)#no ip domain-lookup

The 'no' keyword used in the command is the standard way to negate a command. Issuing the command no ip name-server 192.168.231.10 would remove that IP address from the list of possible name servers, and using the command no shutdown in interface configuration mode will activate the interface.

Configuring passwords

Passwords can be configured to control who has access to what. A password can be set to protect the privileged executive mode, forcing the user to type a password in order to move from user executive mode up to privileged executive mode. This password is known as the 'enable' password. Keeping track of that name also helps in finding the first keyword of the command:

Switch(config)#enable secret password

Using the above command will force the user to enter the password 'password' directly after issuing the enable command.

Switch>enable
Password:        // enter 'password', not shown
Switch#

The keyword secret tells the device to encrypt the password in the configuration file. The algorithm used for the encryption is a modified MD5 hash function that is cryptographically weaker than the original MD5 algorithm, but at least it wards off most of the nosy shoulder surfers. It's possible to replace the secret keyword with the keyword password, but this will leave the password unencrypted. Both keywords can be used at the same time:

Switch(config)#enable password class
Switch(config)#enable secret password
Switch(config)#exit
Switch#disable
Switch>enable
Password:        // enter 'class', not shown
Password:        // enter 'password', not shown
Switch#disable
Switch>enable
Password:        // enter 'password', not shown
Switch#

As can be seen from the example, the password configured with the keyword password is ignored as long as the 'secret' password is present in the configuration. If the 'secret' password is removed, 'class' will be the password used to access the privileged executive mode:

Switch(config)#no enable secret
Switch(config)#exit
Switch#disable
Switch>enable
Password:        // enter 'class', not shown
Switch#


Protecting the console port

Initial configuration of a device is usually done through a specific port, the console port. To access the device via the console port one usually needs physical access to the device; nonetheless, it's recommended to protect this port with a password. To configure a password for the port and to force anyone that connects via the console to enter the password 'cisco', do the following:

Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login

The last line of the configuration is very important. Without it, the password is configured but the user is not forced to use it to log in: connect to the port and you're presented with the prompt directly. With the login command in place, the user will instead see something like this:

User Access Verification
Password:

Enter the correct password (in our example cisco) and you're in.

Passwords for network access

It's often a good idea to create a network-facing management interface for the devices in a network. If something is wrong, the administrator will be able to troubleshoot by examining multiple devices without having to leave the desk. Without the ability to administer the devices over the network, the administrator might have to travel for hours just to find out that the problem was not in the device currently being visited.

The general interface for network management is not bound to any particular network protocol and is configured via a line configuration mode in the same way as the console port is. The line is named vty and it's a virtual terminal. There are several virtual terminals in most devices and they can be configured in groups. When configuring the console port, the port number '0' was given to indicate the console port being configured (since the device only has one console port, the number has to be '0'). Routers have five (0 through 4) VTY lines by default and switches have 16 (0 through 4 and 5 through 15). It's possible to configure all or a subset. Let's configure lines 0 through 3 and give them the password 'class':

Switch(config)#line vty 0 3
Switch(config-line)#password class
Switch(config-line)#login

While it might be a good idea to give the login command, it should be the default for the VTY lines; then again, it doesn't hurt to be on the safe side. Once the device (in this case the switch) has an active network interface with a valid address, it's possible to make telnet connections to the device using that address.

Encrypting the passwords

When configuring the 'enable' password, there was a choice to make it encrypted or unencrypted using the secret or password keyword before the password. The passwords for the console and VTY lines are always unencrypted. But it is possible to mask the passwords in the configuration file. If one looks at the default configuration file when an unconfigured device is first started, this line can be found close to the top of the file:

no service password-encryption

By giving the command in global configuration mode without the no keyword, the password-encryption service is enabled and all unencrypted passwords in the configuration are 'hidden', that is, hashed into a hex value. The hash is cryptographically weak (really weak), but once again, someone reading over your shoulder might have a harder time remembering 121A0C041104 than the password used for the VTY line (all depending on the password policy or the strength of the password).
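The password checks described in the sections above (enable secret versus enable password, the login command on console and VTY lines, service password-encryption and the DNS look-up setting) can be run offline over a saved copy of a running-config. The following Python script is an added example and not part of the original text; the configuration it scans is constructed for the demo and the severity labels are the example's own.

```python
import re

# Constructed sample running-config (not from a real device); it deliberately
# contains the weak settings discussed in the text above.
SAMPLE_CONFIG = """\
hostname LION
no service password-encryption
enable password class
line con 0
 password cisco
 login
line vty 0 3
 password 7 121A0C041104
 login
line vty 4
 password class
"""

def parse_line_blocks(config):
    """Map each 'line ...' block (con 0, vty 0 3, ...) to its indented commands."""
    blocks, current = {}, None
    for text in config.splitlines():
        if text.startswith("line "):
            current = text[5:].strip()
            blocks[current] = []
        elif text.startswith(" ") and current is not None:
            blocks[current].append(text.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_ios_config(config):
    """Return (severity, message) findings for the password-related settings."""
    findings = []
    top = [t for t in config.splitlines() if t and not t.startswith(" ")]
    has_secret = any(t.startswith("enable secret ") for t in top)
    if any(t.startswith("enable password ") for t in top) and not has_secret:
        findings.append(("high", "enable password without enable secret"))
    if "no service password-encryption" in top:
        findings.append(("medium", "no service password-encryption: line passwords in clear text"))
    if "no ip domain-lookup" not in top and not any(t.startswith("ip name-server ") for t in top):
        findings.append(("low", "DNS look-up on without a name server: typos wait for time-outs"))
    for name, body in parse_line_blocks(config).items():
        if not any(cmd.startswith("login") for cmd in body):
            findings.append(("high", f"line {name}: no login, password is never asked for"))
        for cmd in body:
            if re.fullmatch(r"password 7 [0-9A-Fa-f]+", cmd):
                findings.append(("medium", f"line {name}: type 7 password, weak reversible encoding"))
            elif re.fullmatch(r"password (0 )?\S+", cmd):
                findings.append(("high", f"line {name}: clear-text password"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the output of show running-config saved to a file and the same findings come back for a real device; a configuration with enable secret, service password-encryption enabled and login on every line produces no 'high' findings.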

Configuring banners

It is often recommended that users trying to connect to a device are 'greeted' by a banner, telling them that it's a private system, that only authorized personnel should access it and that any attempt to access the device will be logged. There are several banners available in Cisco IOS, and while Cisco always promotes the message-of-the-day banner, this example shows how to configure a 'login banner':

Router(config)#banner login *
Enter TEXT message.  End with the character '*'
This is the text of the banner
*
Router(config)#

The thing worth noting here is the star character '*'. That's the character used to tell the device that the banner text is finished. Pick one that won't be used in the banner text, place it after the banner keyword, type the text (just as you would in a text editor) and end it by typing the same character again. The banner will now be displayed any time someone tries to connect to the device:

Trying 10.228.4.2
Connected to 10.228.4.2.
Escape character is '^]'.
This is the text of the banner
User Access Verification
Password:

Working with the configuration

The configuration typed into the device is applied and stored in RAM. Once the device powers down or reloads, the configuration is lost. To view the configuration that is currently stored in RAM, use the following command:

Router#show running-config

Use 'space' to move 'a page' forward and use 'enter' to step one line at a time. If you want to quit before you make it to the end, type 'q'. It is possible to view sections of the configuration or to start reading from a given string. To only view the configuration for the interface FastEthernet 0/0:

Router#show running-config interface FastEthernet 0/0

To view all lines with the keyword ip, use:

Router#show running-config | include ip

To view the configuration starting at the first interface (provided the configuration doesn't contain a line with the string 'interface' before the first interface configuration line), use:

Router#show running-config | begin interface
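The three views above (the interface section, | include and | begin) can be reproduced offline over a saved copy of the configuration, which is useful when configurations are collected for review. The following Python functions are an added example and not part of the original text; the configuration they parse is constructed for the demo, and pipe_begin has the same caveat as the real filter: any earlier line containing the string wins.

```python
import re

# Constructed running-config excerpt used as input for the demo (not from a real device).
RUNNING_CONFIG = """\
hostname LION
ip domain-name example.com
no ip domain-lookup
!
interface FastEthernet0/0
 ip address 192.168.231.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 shutdown
!
line vty 0 3
 password class
 login
"""

def pipe_include(config, pattern):
    """Emulates '| include <pattern>': every line matching the regular expression."""
    return [line for line in config.splitlines() if re.search(pattern, line)]

def pipe_begin(config, pattern):
    """Emulates '| begin <pattern>': everything from the first matching line onwards."""
    lines = config.splitlines()
    for index, line in enumerate(lines):
        if re.search(pattern, line):
            return lines[index:]
    return []

def interface_section(config, name):
    """Emulates 'show running-config interface <name>': the header and its indented body.

    IOS accepts both 'FastEthernet 0/0' and 'FastEthernet0/0', so spaces are dropped.
    """
    header = "interface " + name.replace(" ", "")
    section = []
    for line in config.splitlines():
        if line == header:
            section.append(line)
        elif section and line.startswith(" "):
            section.append(line)       # indented lines belong to the interface
        elif section:
            break                      # first top-level line after it ends the section
    return section

if __name__ == "__main__":
    print("\n".join(interface_section(RUNNING_CONFIG, "FastEthernet 0/0")))
    print("\n".join(pipe_include(RUNNING_CONFIG, "ip")))
    print("\n".join(pipe_begin(RUNNING_CONFIG, "interface")))
```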

Saving the configuration

The current 'running' configuration can be stored to NVRAM, where the device will find it and read it at reboot, with the command:

Switch#copy running-config startup-config

To view the configuration that will be used on reboot, just issue a show command in the same way as when viewing the 'running' configuration, but use startup-config instead of running-config. Use the copy keyword along with the question mark to find out other ways that the configuration can be stored or moved around.

Removing the configuration

Sometimes you want to remove the configuration. The configuration stored in NVRAM might be dated, or maybe there's something wrong with the configuration and it needs to be removed. The following command can be used to remove the configuration stored in NVRAM:

Switch#erase startup-config

Sometimes there is something wrong with parts of the current configuration; for example, an interface might have been misconfigured with a lot of unwanted settings. To negate that configuration, use the default keyword to take the interface back to its default configuration:

Router(config)#default interface FastEthernet 0/0

Try it before you buy it

Sometimes an administrator might find that new configuration is needed, but it's not clear whether the configuration will work or not. A nightmare is to be locked out of network devices physically located hours away, especially in the middle of the night when people are depending on the device functioning in the morning. Since the configuration is only stored in RAM and will disappear at reboot if not saved, this can be used to try new configuration with a potential lockout without having to travel to resolve the problem:

Router#reload in 5
Reload scheduled in 5 minutes by vty0 (192.168.230.56)
Reload reason: Reload Command
Proceed with reload? [confirm]
Router#
***
*** --- SHUTDOWN in 0:05:00 ---
***
Router#reload cancel
Router#
***
*** --- SHUTDOWN ABORTED ---
***

The first command tells the device to automatically reload in five minutes. Once the new configuration has been applied and it's confirmed that everything works as expected, the reload can be cancelled with the second command and the configuration saved. Had the lockout happened instead, the configuration wasn't saved, so the reload would've removed it ...