Network Bulls
www.networkbulls.com
The show version command will provide basic configuration for the system hardware as well
as the software version and the boot images. Here’s an example:
yourname#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
The preceding section of output describes the Cisco IOS running on the router. The following
section describes the read-only memory (ROM) used to boot the router and hold the POST:
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
The next section shows how long the router has been running, how it was restarted (if you
see a system restarted by bus error, that is a very bad thing), where the Cisco IOS was
loaded from, and the IOS name. Flash is the default:
yourname uptime is 2 hours, 30 minutes
System returned to ROM by power-on
System restarted at 09:04:07 UTC Sat Aug 25 2007
System image file is "flash:c2800nm-advsecurityk9-mz.124-12.bin"
This next section displays the processor, the amount of DRAM and flash memory, and the
interfaces the POST found on the router:
[some output cut]
Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
The configuration register value is listed last—it’s something I’ll cover in Chapter 5.
In addition, the show interfaces and show ip interface brief commands are very
useful in verifying and troubleshooting a router as well as network issues. These commands
are covered later in this chapter. Don’t miss it!
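As an added example (not from the book), here is a small Python parser that pulls the fields walked through above out of a `show version` capture and flags a restart by bus error, which the text singles out as a very bad sign. The sample text is constructed from the output shown above, joined back onto single lines as a terminal prints it.

```python
import re

# Constructed `show version` text modelled on the excerpt above, joined back
# onto single lines as a terminal prints it; values are illustrative.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

yourname uptime is 2 hours, 30 minutes
System returned to ROM by power-on
System restarted at 09:04:07 UTC Sat Aug 25 2007
System image file is "flash:c2800nm-advsecurityk9-mz.124-12.bin"

Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
"""


def parse_show_version(text):
    """Pull out the fields the excerpt walks through, section by section."""
    def first(pattern, group=1):
        m = re.search(pattern, text, re.M)
        return m.group(group) if m else None

    info = {
        "ios_version": first(r"^Cisco IOS Software,.*Version ([^,]+),"),
        "rom_version": first(r"^ROM: System Bootstrap, Version ([^,]+),"),
        "hostname": first(r"^(\S+) uptime is (.+)$", 1),
        "uptime": first(r"^(\S+) uptime is (.+)$", 2),
        "restart_reason": first(r"^System returned to ROM by (.+)$"),
        "image": first(r'^System image file is "([^"]+)"'),
        "nvram": first(r"^(\d+K) bytes of non-volatile configuration memory"),
        "config_register": first(r"^Configuration register is (0x[0-9A-Fa-f]+)"),
    }
    # The text singles out a restart "by bus error" as a very bad sign.
    reason = (info["restart_reason"] or "").lower()
    info["abnormal_restart"] = "bus error" in reason
    return info


if __name__ == "__main__":
    for key, value in parse_show_version(SAMPLE_SHOW_VERSION).items():
        print(f"{key:16} {value}")
```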
200 Chapter 4 Introduction to the Cisco IOS and SDM
Router and Switch Administrative Configurations
Even though this section isn’t critical to making a router or switch work on a network, it’s still
really important; in it, I’m going to lead you through configuring commands that will help you
administer your network.
The administrative functions that you can configure on a router and switch are as follows:
Hostnames
Banners
Passwords
Interface descriptions
Remember, none of these will make your routers or switches work better or faster, but trust
me, your life will be a whole lot better if you just take the time to set these configurations on each
of your network devices. That’s because doing this makes troubleshooting and maintaining your
network sooooo much easier—seriously! In this next section, I’ll be demonstrating commands
on a Cisco router, but these commands are exactly the same on a Cisco switch.
Hostnames
You can set the identity of the router with the hostname command. This is only locally significant,
which means that it has no bearing on how the router performs name lookups or
how the router works on the internetwork. However, I’ll use the hostname in Chapter 10
for authentication purposes when I discuss PPP (Point-to-Point Protocol).
Here’s an example:
yourname#config t
Enter configuration commands, one per line. End with
CNTL/Z.
yourname(config)#hostname Todd
Todd(config)#hostname Atlanta
Atlanta(config)#hostname Todd
Todd(config)#
Even though it’s pretty tempting to configure the hostname after your own name, it’s definitely
a better idea to name the router something pertinent to the location. This is because giving
it a hostname that’s somehow relevant to where the device actually lives will make finding it a
whole lot easier. And it also helps you confirm that you are, indeed, configuring the right device.
For this chapter, we’ll leave it at Todd for now.
Banners
A banner is more than just a little cool—one very good reason for having a banner is to give
any and all who dare attempt to telnet or dial into your internetwork a little security notice.
And you can create a banner to give anyone who shows up on the router exactly the information
you want them to have.
Make sure you’re familiar with these four available banner types: exec process creation
banner, incoming terminal line banner, login banner, and message of the day banner (all illustrated
in the following code):
Todd(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
Message of the day (MOTD) is the most extensively used banner. It gives a message to every
person dialing into or connecting to the router via Telnet or an auxiliary port, or even through
a console port as seen here:
Todd(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
Todd(config)#banner motd #
Enter TEXT message. End with the character '#'.
$ Acme.com network, then you must disconnect immediately.
#
Todd(config)#^Z
Todd#
00:25:12: %SYS-5-CONFIG_I: Configured from console by
console
Todd#exit
Router con0 is now available
Press RETURN to get started.
If you are not authorized to be in Acme.com network, then you must
disconnect immediately.
Todd#
The preceding MOTD banner essentially tells anyone connecting to the router to get lost
if they’re not on the guest list! The part to understand is the delimiting character—the thing
that’s used to tell the router when the message is done. You can use any character you want
for it, but (I hope this is obvious) you can’t use the delimiting character in the message itself.
Also, once the message is complete, press Enter, then the delimiting character, and then Enter
again. It’ll still work if you don’t do that, but if you have more than one banner, they’ll be combined
as one message and put on a single line.
For example, you can set a banner on one line as shown:
Todd(config)#banner motd x Unauthorized access prohibited! x
This example will work just fine, but if you add another MOTD banner message, they would
end up on a single line.
Here are some details of the other banners I mentioned:
Exec banner You can configure a line-activation (exec) banner to be displayed when an
EXEC process (such as a line activation or incoming connection to a VTY line) is created. By
simply starting a user exec session through a console port, you’ll activate the exec banner.
Incoming banner You can configure a banner to be displayed on terminals connected to reverse
Telnet lines. This banner is useful for providing instructions to users who use reverse Telnet.
Login banner You can configure a login banner to be displayed on all connected terminals.
This banner is displayed after the MOTD banner but before the login prompts. The login banner
can’t be disabled on a per-line basis, so to globally disable it, you’ve got to delete it with the no
banner login command.
Here is an example of a login banner:
!
banner login ^C
-----------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege
level of 15.
Please change these publicly known initial credentials using SDM or the IOS
CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use.
For more information about SDM please follow the instructions in the QUICK
START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------
^C
!
The above login banner should look pretty familiar—it’s the banner that Cisco has in its
default configuration for its ISR routers. Again, this banner is displayed before the login
prompts but after the MOTD banner.
Setting Passwords
Five passwords are used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable
password, and enable secret. The enable secret and enable password are used to set the password
that’s used to secure privileged mode. This will prompt a user for a password when the
enable command is used. The other three are used to configure a password when user mode
is accessed through the console port, through the auxiliary port, or via Telnet.
Let’s take a look at each of these now.
Enable Passwords
You set the enable passwords from global configuration mode like this:
Todd(config)#enable ?
last-resort Define enable action if no TACACS servers
respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The following points describe the enable password parameters:
last-resort Allows you to still enter the router if you set up authentication through a
TACACS (Terminal Access Controller Access-Control System) server and it’s not available. But it isn’t
used if the TACACS server is working.
password Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an
enable secret is set.
secret This is the newer, encrypted password that overrides the enable password if it’s set.
use-tacacs This tells the router to authenticate through a TACACS server. It’s convenient
if you have anywhere from a dozen to multitudes of routers because, well, would you like
to face the fun task of changing the password on all those routers? If you’re sane, no, you
wouldn’t. So instead, just go through the TACACS server and you only have to change the
password once—yeah!
Here’s an example of setting the enable passwords:
Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your
enable secret. This is not recommended. Re-enter the
enable password.
If you try to set the enable secret and enable passwords the same, the router will give you
a nice, polite warning to change the second password. If you don’t have older legacy routers,
don’t even bother to use the enable password.
User-mode passwords are assigned by using the line command:
Todd(config)#line ?
<0-337> First Line number
aux Auxiliary line
console Primary terminal line
tty Terminal controller
vty Virtual terminal
x/y Slot/Port for Modems
x/y/z Slot/Subslot/Port for Modems
Here are the lines to be concerned with:
aux Sets the user-mode password for the auxiliary port. It’s usually used for attaching a
modem to the router, but it can be used as a console as well.
console Sets a console user-mode password.
vty Sets a Telnet password on the router. If this password isn’t set, then Telnet can’t be used
by default.
To configure the user-mode passwords, you configure the line you want and use either the
login or no login command to tell the router to prompt for authentication. The next sections
will provide a line-by-line example of the configuration of each line.
Auxiliary Password
To configure the auxiliary password, go into global configuration mode and type line aux ?.
You can see here that you only get a choice of 0–0 (that’s because there’s only one port):
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#line aux ?
<0-0> First Line number
Todd(config)#line aux 0
Todd(config-line)#login
% Login disabled on line 1, until 'password' is set
Todd(config-line)#password aux
Todd(config-line)#login
It’s important to remember the login command or the auxiliary port won’t prompt for
authentication.
Notice that Cisco has begun this process of not letting you set the login command before
a password is set on a line because, if you set the login command under a line and then don’t
set a password, the line won’t be usable. And it will prompt for a password that doesn’t exist.
So this is a good thing—a feature, not a hassle!
Definitely remember that although Cisco has this new “password feature” on
its routers starting in its newer IOS (12.2 and above), it’s not in all of its IOSes.
Console Password
To set the console password, use the line console 0 command. But look at what happened
when I tried to type line console 0 ? from the (config-line)# prompt—I received an
error. You can still type line console 0 and it will accept it, but the help screens just don’t
work from that prompt. Type exit to get back one level and you’ll find that your help screens
now work. This is a “feature.” Really.
Here’s the example:
Todd(config-line)#line console ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line console ?
<0-0> First Line number
Todd(config)#line console 0
Todd(config-line)#password console
Todd(config-line)#login
Since there’s only one console port, I can only choose line console 0. You can set all your
line passwords to the same password, but for security reasons, I’d recommend that you make
them different.
There are a few other important commands to know for the console port.
For one, the exec-timeout 0 0 command sets the time-out for the console EXEC session
to zero, which basically means to never time out. The default time-out is 10 minutes. (If you’re
feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out
in 1 second! And to fix it, you have to continually press the down arrow key while changing the
time-out time with your free hand!)
logging synchronous is a very cool command, and it should be a default command, but
it’s not. It stops annoying console messages from popping up and disrupting the input you’re
trying to type. The messages still pop up, but you are returned to your router prompt without
your input interrupted. This makes your input messages oh-so-much easier to read.
Here’s an example of how to configure both commands:
Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
<cr>
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous
You can set the console to go from never timing out (0 0) to timing out in
35,791 minutes and 2,147,483 seconds. The default is 10 minutes.
Telnet Password
To set the user-mode password for Telnet access into the router, use the line vty command.
Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines,
0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best
way to find out how many lines you have is to use that question mark:
Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line vty 0 ?
<1-1180> Last Line number
<cr>
Todd(config)#line vty 0 1180
Todd(config-line)#password telnet
Todd(config-line)#login
Remember, you cannot get help from your (config-line)# prompt. You must go back to
privileged mode in order to use the question mark (?).
You may or may not have to set the login command before the password
on the VTY lines—it depends on the IOS version. The result is the same
either way.
So what will happen if you try to telnet into a router that doesn’t have a VTY password set?
You’ll receive an error stating that the connection is refused because, well, the password isn’t
set. So, if you telnet into a router and receive the message
Todd#telnet SFRouter
Trying SFRouter (10.0.0.1)…Open
Password required, but none set
[Connection to SFRouter closed by foreign host]
Todd#
then the remote router (SFRouter in this example) does not have the VTY (Telnet) password set.
But you can get around this and tell the router to allow Telnet connections without a password
by using the no login command:
SFRouter(config-line)#line vty 0 4
SFRouter(config-line)#no login
I do not recommend using the no login command to allow Telnet connections
without a password unless you are in a testing or classroom environment! In a
production network, you should always set your VTY password.
After your routers are configured with an IP address, you can use the Telnet program to configure
and check your routers instead of having to use a console cable. You can use the Telnet program
by typing telnet from any command prompt (DOS or Cisco).