The practical guide to practical networking – Part 2 – The initial router setup

Welcome to part 2 of our networking guide and to the start of the hands-on work. In this article we are going to go through the initial setup of a router, which, trust me, is way more fun than it sounds. I encourage you to try all of these commands in your new lab.

Before we start

Before we get into this, there are some important pieces of information that you need to know. Router configurations are hierarchical, which means that in order to change certain parts of the configuration you need to change levels.

These levels are:

Enable or Privileged – This is the level at which all “show” commands are run. These commands allow you to navigate around the router and view or show information. One example is show ip interface brief, which will show all IP addresses associated with attached interfaces.

This level is represented as a hashtag # and to get here you would type in the command enable.

An example on a router would be Router1#.

Configure – This is the minimum level at which the router can be configured. An example command would be hostname RouterNew, which will change the router's name from Router1 to RouterNew.

This level is represented as (config)# and to get here you will need to type configure terminal at the enable level.

An example on a router would be Router1(config)#

Sub-configuration menus – When configuring routers, you will often be brought to sub-configuration menus. A good example is configuring an interface, where you will be brought into that interface’s menu.

This level is represented as something like (config-if)# and to get here you will need to enter a configuration command like interface ethernet0/0.

An example on a router would be Router1(config-if)#

To go back one level, you will need to type in exit. To go all the way back to enable you will need to type in end.

Time for the basic configuration

There are a few things you need to make a configuration basic and secure.

  1. A hostname
  2. An IP Domain-name
  3. A local user account
  4. Password encryption
  5. A valid SSH certificate, with SSH turned on and Telnet disabled
  6. A loopback address

IMPORTANT: After every major configuration step, make sure to save your work, because all the changes you have made are stored in volatile memory. To save the configuration you will need to enter the following at the enable level – Router1#write memory

A Hostname is useful for identifying a device. There is nothing worse than having access to multiple devices at the same time, not knowing which is which, and then making a mistake. To configure a hostname from enable mode you will need to do the following:

Router1# configure terminal
Router1(config)# hostname RouterNew
RouterNew(config)# end
RouterNew# write memory

An IP Domain-name is used for creating self-signed SSH certificates. Without a domain name you will not be able to create a certificate, so this should be one of your first steps. To configure a domain name from the enable mode you will need to do the following:

Router1# configure terminal
Router1(config)# ip domain-name wywm.local
Router1(config)# end
Router1# write memory

A local user account is used to secure a device against unauthorised access. There are 3 methods:

  1. Creating a password that is applied on initial login.
  2. Creating a local user account that requires a username and password to login.
  3. Using an external identity source like TACACS+ or RADIUS to authenticate a user account.

We are going through the second method, as it is the most secure without connecting to an external identity source. To create a local user account we must create the account and then make sure the account will be used on SSH and serial connections.

Router1# configure terminal
Router1(config)# username Greg privilege 15 secret Supersecretpassword1
Router1(config)# line con 0
Router1(config-line)# login local
Router1(config-line)# line vty 0 4
Router1(config-line)# login local
Router1(config-line)# end
Router1# write memory

NOTE: This will be covered in later lessons, but routers have privilege levels with 15 being the highest. 15 allows you to use any command, whereas the lower levels have a restricted command set. 

NOTE 2: We use the word secret rather than password as the command secret makes sure that the password is encrypted.

NOTE 3: line con 0 - With this command we are entering the configuration level of the serial cable, all settings edited here change the parameters around plugging a console cable directly into the router.

NOTE 4: login local - With this command we are changing the authentication type from just a password to a local account.

NOTE 5: line vty 0 4 - With this command we are changing the configuration of the virtual lines, or the connection parameters that are used for SSH and Telnet.

Password encryption does what the name suggests: after we enter this command, any password that was in plain text will be encrypted.

Router1# configure terminal
Router1(config)# service password-encryption
Router1(config)# end
Router1# write memory

A valid SSH certificate is the next thing to create, along with disabling Telnet. Telnet has long been an insecure means of configuring devices and is a fallback at best. The reason is that Telnet transmits everything in plain text, whereas SSH uses a tough form of encryption. To enable this we need to take two steps: step 1, generate the certificate; step 2, disable Telnet and make sure only SSH is available.

Router1# configure terminal
Router1(config)# crypto key generate rsa modulus 2048
Router1(config)# line vty 0 4
Router1(config-line)# transport input ssh
Router1(config-line)# end
Router1# write memory

NOTE: crypto key generate rsa modulus 2048 - With this command we are generating a self-signed certificate that uses RSA 2048-bit encryption.
NOTE 2: transport input ssh - With this command we are changing the connection method from all to only permitting SSH.

A Loopback address is a virtual interface. These interfaces are always available and will never go down. They are great for troubleshooting and, because they are stable, they are useful for configurations that depend on an interface being always available, like IPSec tunnels. Loopback addresses are also used as a management address and can often be thought of as the IP address of the router. Because they are virtual, they are created and assigned a number, which will usually be defined by company policy or standard. Another important note is that loopback addresses do not connect to another IP address, so to reduce IP wastage they can have a /32 subnet or 255.255.255.255. In this example I will be using loopback number 100 and the IP address of 192.168.100.1/32.

Router1# configure terminal
Router1(config)# interface loopback 100
Router1(config-if)# ip address 192.168.100.1 255.255.255.255
Router1(config-if)# end
Router1# write memory

As you can see throughout this practical you are working at the different sub levels. I am now going to go through some basic show commands that will allow you to review what you have done. The best way to understand these commands is to run them and see what happens.

Show running configuration – This will display all the configuration in the volatile memory. The volatile memory is where the router is currently working from and any changes here affect the router. Without saving this volatile memory, on reboot, all changes will be gone.

Show ip interface brief – This will display all the IP addresses associated with the router’s interfaces.

Show interfaces – This will show the detailed statistics of all of the interfaces

Show ip route – This will display all learnt routes, there is a glossary at the top of the results from the command.

Show ip arp – This will display the ARP table

Show mac-address-table – This will display the MAC address table.

Now for the practical.

Time for the lab – Lab 1

In this practical and each one after I will be creating a basic network topology for you to work from. All the details for the router are in the top left. At the bottom of the page I will show you my running configuration so you can compare it to your configuration to know if it is correct.

Instructor – Lab 1 – Running Config

WYWM-Lab-R1#show running-config 
Building configuration...

Current configuration : 1303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WYWM-Lab-R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip domain name wywm.local
!
multilink bundle-name authenticated
!
!
!
!
!
username Gerald privilege 15 secret 5 $1$jTjr$onaI5OunP.jOtvHm5qSei.
archive
 log config
  hidekeys
! 
!
!
!
ip tcp synwait-time 5
!
!
!
interface Loopback100
 ip address 172.16.0.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!         
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
!
end

WYWM-Lab-R1#
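
As an added example (not part of the original article and not a Cisco tool), this Python check reads saved `show running-config` output and lists which of the six baseline items above are not visible in it. The sample config is constructed and `sections` and `audit` are hypothetical names; the RSA key itself is not stored in the running configuration, so the check looks at `transport input ssh` on the vty lines instead.

```python
import re

# Constructed sample in the shape of the lab running-config (hash is a placeholder).
SAMPLE = """\
service password-encryption
hostname WYWM-Lab-R1
ip domain name wywm.local
username Gerald privilege 15 secret 5 $1$PLACEHOLDER
interface Loopback100
 ip address 172.16.0.1 255.255.255.255
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

def sections(config):
    """Map each top-level command to the indented sub-commands under it."""
    tree, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if raw[0].isspace() and current is not None:
            tree[current].append(raw.strip())
        else:
            current = raw.strip()
            tree.setdefault(current, [])
    return tree

def audit(config):
    """Return the article's baseline items that the config does not show."""
    tree = sections(config)
    wanted = {  # checklist item -> pattern for a top-level line
        "hostname": r"hostname \S+",
        "ip domain-name": r"ip domain[- ]name \S+",  # both spellings appear on the page
        "local user with secret": r"username \S+ .*\bsecret\b",
        "service password-encryption": r"service password-encryption$",
    }
    missing = [i for i, p in wanted.items() if not any(re.match(p, t) for t in tree)]
    loopbacks = [b for t, b in tree.items() if t.startswith("interface Loopback")]
    if not any(c.startswith("ip address ") for b in loopbacks for c in b):
        missing.append("loopback address")
    for top, body in tree.items():
        is_vty = top.startswith("line vty")
        if (is_vty or top.startswith("line con")) and "login local" not in body:
            missing.append(f"{top}: login local")
        if is_vty and "transport input ssh" not in body:  # "telnet ssh" or "all" fails
            missing.append(f"{top}: transport input ssh")
    return missing
```

An empty list from `audit(SAMPLE)` means every item on the checklist was found; each string returned otherwise names the line or setting to go back and configure.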

Thank you for reading, everyone. I hope you had fun doing your first lab!
