Welcome to part 2 of our networking series and to what is the start of the hands-on work. In this article we are going to go through the initial setup of a router, which, trust me, is way more fun than it sounds. I encourage you to try every one of these commands in your new lab.
Before we start
But before we get into this there are some important pieces of information that you need to know. Router configurations are hierarchical, which means that in order to change certain parts of the configuration you need to change levels.
These levels are:
Enable or Privileged – This is the level at which all “show” commands are run, these commands allow you to navigate around the router and view or show information. Some commands include show ip interface brief which will show all IP addresses associated with attached interfaces.
This level is represented as a hashtag # and to get here you would type in the command enable.
An example on a router would be Router1#.
Configure – This is the minimum level at which the router can be configured. An example command would be hostname RouterNew, which will change the router's name from Router1 to RouterNew.
This level is represented as (config)# and to get here you will need to type configure terminal at the enable level.
An example on a router would be Router1(config)#
Sub-configuration menus – When configuring routers, you will be often brought to sub-configuration menus. A good example will be when you configure an interface you will be brought into that interface’s menu.
This level is represented as something like (config-if)# and to get here you will need to enter a configuration command like interface ethernet0/0.
An example on a router would be Router1(config-if)#
To go back one level, you will need to type in exit. To go all the way back to enable you will need to type in end.
Time for the basic configuration
There are a few things you need to make a configuration basic and secure.
- A hostname
- An IP Domain-name
- A local user account
- Password encryption
- A valid SSH certificate (RSA key pair) created, SSH turned on and Telnet disabled
- A loopback address
IMPORTANT: After every major configuration step, make sure to save your work, because every change you make is held only in volatile memory (the running configuration) until it is saved. To save the configuration you will need to enter the following at the enable level – Router1#write memory
A hostname is useful for identifying a device; there is nothing worse than having access to multiple devices at the same time, not knowing which is which, and then making a mistake. To configure a hostname from enable mode you will need to do the following:
Router1# configure terminal
Router1(config)# hostname RouterNew
RouterNew(config)# end
RouterNew# write memory
An IP domain-name is needed to create the self-signed SSH certificate (RSA key pair); without a domain name the router will not let you create one, so this should be one of your first steps. To configure a domain name from the enable mode you will need to do the following:
Router1# configure terminal
Router1(config)# ip domain-name wywm.local
Router1(config)# end
Router1# write memory
A local user account is used to secure a device against unauthorised access; there are three methods:
- Creating a password that is applied on initial login.
- Creating a local user account that requires a username and password to login.
- Using an external identity source like TACACS+ or RADIUS to authenticate a user account.
We are going through the second method as it is the most secure without connecting to an external identity source. To create a local user account we must create the account and then make sure the account is used on both SSH and console (serial) connections.
Router1# configure terminal
Router1(config)# username Greg privilege 15 secret Supersecretpassword1
Router1(config)# line con 0
Router1(config-line)# login local
Router1(config-line)# line vty 0 4
Router1(config-line)# login local
Router1(config-line)# end
Router1# write memory
NOTE: This will be covered in later lessons, but routers have privilege levels with 15 being the highest. Level 15 allows you to use any command, whereas the lower levels have a restricted command set.
NOTE 2: We use the word secret rather than password because secret stores a hash of the password rather than the password itself.
NOTE 3: line con 0 - With this command we are entering the configuration level of the console (serial) port; all settings edited here change the parameters that apply when a console cable is plugged directly into the router.
NOTE 4: login local - With this command we are changing the authentication type from just a password to a local account. It has to be applied on both the console line and the vty lines, otherwise one of them is left with the old behaviour.
NOTE 5: line vty 0 4 - With this command we are changing the configuration of the virtual lines, that is, the connection parameters used for SSH and Telnet.
Password encryption does what the name suggests: after we enter this command, any password that is stored in plain text in the configuration will be encrypted. Be aware that this is the weak, reversible Type 7 encoding, which only protects against someone reading the password over your shoulder in a show running-config; the secret keyword used for the user account above provides real hashing.
Router1# configure terminal
Router1(config)# service password-encryption
Router1(config)# end
Router1# write memory
A valid SSH certificate is created next and Telnet is disabled. Telnet has long been an insecure means of configuring devices and is a fallback at best, because it transmits everything, including your passwords, in plain text, whereas SSH encrypts the whole session. This takes two steps: step 1, generate the certificate (RSA key pair); step 2, disable Telnet and make sure only SSH is available.
Router1# configure terminal
Router1(config)# crypto key generate rsa modulus 2048
Router1(config)# line vty 0 4
Router1(config-line)# transport input ssh
Router1(config-line)# end
Router1# write memory
NOTE: crypto key generate rsa modulus 2048 - With this command we are generating the router's self-signed certificate, a 2048-bit RSA key pair that SSH uses as the router's host key.
NOTE 2: transport input ssh - With this command we are changing the permitted connection methods on the vty lines from all (Telnet and SSH) to SSH only.
A loopback address belongs to a virtual interface; these interfaces are always available and will never go down. They are great for troubleshooting and, because they are stable, they are useful for configurations that depend on an interface being always available, like IPsec tunnels. Loopback addresses are also used as a management address and can often be thought of as the IP address of the router. Because they are virtual they are created with a number, which is usually defined by company policy or standard. Another important note is that loopback interfaces do not connect to another device, so to reduce IP wastage they can use a /32 subnet mask (255.255.255.255). In this example I will be using loopback number 100 and the IP address 192.168.100.1/32.
Router1# configure terminal
Router1(config)# interface loopback 100
Router1(config-if)# ip address 192.168.100.1 255.255.255.255
Router1(config-if)# end
Router1# write memory
As you can see, throughout this practical you are working at the different sub-levels. I am now going to go through some basic show commands that will allow you to review what you have done. The best way to understand these commands is to run them and see what happens.
show running-config – This will display all the configuration in volatile memory. The volatile memory is where the router is currently working from and any changes here affect the router immediately. Without saving this volatile memory, on reboot all changes will be gone.
show ip interface brief – This will display all the IP addresses associated with the router's interfaces.
show interfaces – This will show the detailed statistics of all of the interfaces.
show ip route – This will display all learnt routes; there is a legend explaining the route codes at the top of the command's output.
show ip arp – This will display the ARP table.
show mac-address-table – This will display the MAC address table.
Now for the practical.
Time for the lab – Lab 1
In this practical and each one after I will be creating a basic network topology for you to work from. All the details for the router are in the top left. At the bottom of the page I will show you my running configuration so you can compare it to your configuration to know if it is correct.
Instructor – Lab 1 – Running Config
WYWM-Lab-R1#show running-config
Building configuration...

Current configuration : 1303 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WYWM-Lab-R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 15
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
ip domain name wywm.local
!
multilink bundle-name authenticated
!
!
!
!
!
username Gerald privilege 15 secret 5 $1$jTjr$onaI5OunP.jOtvHm5qSei.
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
interface Loopback100
 ip address 172.16.0.1 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
!
end

WYWM-Lab-R1#
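To check your own lab output against the checklist this article built up (hostname, domain name, local user with secret, password encryption, login local on console and vty, SSH-only vty, loopback), here is a small audit script. It is an added example, not part of the article and not a Cisco tool; SAMPLE_CONFIG is a constructed, trimmed config in the same shape as the instructor's output, and the username hash in it is a placeholder.

```python
"""Audit a Cisco IOS running-config against this article's basic hardening
checklist. Added example, not from the article; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
hostname WYWM-Lab-R1
service password-encryption
ip domain name wywm.local
username Gerald privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
interface Loopback100
 ip address 172.16.0.1 255.255.255.255
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

def parse_sections(config):
    """Split config into top-level lines and {section header: [indented lines]}."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blanks and IOS '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections

def audit(config):
    """Return {check name: True/False} for each item of the article's checklist."""
    top, sections = parse_sections(config)
    vty = [k for k in sections if k.startswith("line vty")]
    users = [l for l in top if l.startswith("username ")]
    return {
        # 'Router' is the factory default hostname, so it counts as unset
        "hostname_set": any(l.startswith("hostname ") and l != "hostname Router" for l in top),
        "domain_name_set": any(re.match(r"ip domain[- ]name \S+", l) for l in top),
        # 'secret' hashes the password; 'password' stores it reversibly
        "local_user_with_secret": bool(users) and all(" secret " in u for u in users),
        "password_encryption": "service password-encryption" in top,
        "console_login_local": "login local" in sections.get("line con 0", []),
        "vty_login_local": bool(vty) and all("login local" in sections[v] for v in vty),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in sections[v] for v in vty),
        "loopback_present": any(k.startswith("interface Loopback") for k in sections),
    }
```

Paste your own show running-config output in place of SAMPLE_CONFIG and call audit() on it; any False entry points at a step that was skipped or not saved.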
Thank you for reading, everyone. I hope you had fun doing your first lab!