Chapter-02
Router and Switch
Baessa K.
Mettu University
Faculty of Engineering and Technology
Department of Information Technology
Outline
1 Basic Configuration
2 Passwords
  Securing Privileged EXEC Access
  Securing User EXEC Access
4 Verifying
I sometimes refer to the CLI as Cash Line Interface because if you can
create advanced configurations on Cisco routers and switches using the
CLI, then you’ll get the cash!
• After the interface status messages appear and you press Enter, the
Router> prompt will appear.
• This is called user exec mode (user mode), and it’s mostly used to
view statistics, but it’s also a stepping stone to logging in to
privileged mode.
• You can only view and change the configuration of a Cisco router in
privileged exec mode (privileged mode), which you can enter with the
enable command.
• To go back from privileged mode into user mode, use the disable
command, as seen here:
Router# disable
Router>
• At this point, you can type logout from either mode to exit the
console:
Router> logout
Router con0 is now available
Press RETURN to get started.
Hostnames
Banners I
• One very good reason for having a banner is to give any and all who
dare attempt to telnet or dial into your internetwork a little security
notice.
• And you can create a banner to give anyone who shows up on the
router exactly the information you want them to have.
• Make sure you’re familiar with these four available banner types:
  • exec process creation banner
  • incoming terminal line banner
  • login banner, and
  • message of the day (MOTD) banner
Setting Passwords I
Enable password
• You set the enable passwords from global configuration mode like this:
3 secret
• This is the newer, encrypted password that overrides the enable
password if it’s set.
4 use-tacacs
• This tells the router to authenticate through a TACACS server.
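As an added example (not from the slides), here is the global-configuration sequence that the Banners and Enable password sections describe: a MOTD and a login banner, then both enable passwords set so the override rule is visible in the running-config. The hostname R1, the banner text, the password values and the hashed value shown in the output are placeholders chosen for this example.

```cisco
! Enter global configuration mode from privileged EXEC
R1# configure terminal
! MOTD banner: the character right after "banner motd" is the delimiter,
! so it must not occur inside the banner text itself
R1(config)# banner motd #
Enter TEXT message.  End with the character '#'.
*** Authorized access only. All activity is logged. ***
#
! Login banner: shown after the MOTD and before the password prompt
R1(config)# banner login #
Enter TEXT message.  End with the character '#'.
Identify yourself before continuing.
#
! Older plaintext enable password, kept here only to show the override;
! leave it out of a real build and rely on enable secret alone
R1(config)# enable password Weak-Example-1
! Newer hashed secret; when both exist, only the secret is checked
R1(config)# enable secret Str0ng-Example-2
R1(config)# end
! Verify: the secret is stored hashed, the enable password in clear text
R1# show running-config | include enable
enable secret 5 <hashed value, placeholder>
enable password Weak-Example-1
```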
Console Password I
• There are a few other important commands to know for the console
port.
• The exec-timeout 0 0 command sets the time-out for the console EXEC
session to zero, which means it never times out.
• The default time-out is 10 minutes.
Telnet Password I
• You need to have VTY passwords set on the routers for this to work.
Telnet Password II
• To set the user-mode password for Telnet access into the router, use
the line vty command.
• VTY lines allow access to a Cisco device via Telnet.
• The number of VTY lines supported varies with the type of device and
the IOS version.
• Routers that aren’t running the Enterprise edition of the Cisco IOS
default to five VTY lines, 0 through 4.
• But if you have the Enterprise edition, you’ll have significantly more.
• The best way to find out how many lines you have is to use the
question mark:
• Now let’s try this again. Here I’m connecting to the router from the
Corp ISR console:
Corp# telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password:
R1>
Telnet Password IV
• Instead of Telnet, you can use Secure Shell, which creates a more
secure session than Telnet, whose data stream is unencrypted.
• Secure Shell (SSH) is a protocol that provides a secure (encrypted)
command-line connection to a remote device.
• SSH is commonly used on UNIX-based systems.
• Cisco IOS also supports SSH.
• A version of the IOS software that includes cryptographic (encryption)
features and capabilities is required in order to enable SSH on Catalyst
2960 switches.
• Because of its strong encryption features, SSH should replace Telnet
for management connections.
• SSH uses TCP port 22 by default. Telnet uses TCP port 23.
• SSH Operation
1 Set your hostname:
Router(config)# hostname R1
2 Set the domain name (both the hostname and domain name are
required for the encryption keys to be generated):
3 Generate the encryption keys:
• service password-encryption
• Prevents passwords from showing up as plain text when viewing the
configuration.
• The purpose of this command is to keep unauthorized individuals from
viewing passwords in the configuration file.
• Once applied, removing the encryption service does not reverse the
encryption.
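Added example, not from the slides, pulling together the Console Password, Telnet Password, SSH Operation and service password-encryption material: the console line with an idle timeout, the SSH prerequisites and key generation, VTY lines restricted to SSH, and the resulting running-config. The hostname R1, domain example.lab, username admin and all password values are placeholders, and the show output is abbreviated.

```cisco
! Console line: user-mode password plus an idle timeout
! (exec-timeout 0 0 would mean never time out; the default is 10 minutes)
R1(config)# line console 0
R1(config-line)# password Cons0le-Example
R1(config-line)# login
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
R1(config-line)# exit
! SSH prerequisites: hostname and domain name, then the RSA key pair
R1(config)# hostname R1
R1(config)# ip domain-name example.lab
R1(config)# crypto key generate rsa modulus 2048
The name for the keys will be: R1.example.lab
...
R1(config)# ip ssh version 2
! Local user account that the VTY lines will check (login local)
R1(config)# username admin secret Adm1n-Example
! VTY lines 0 through 4: SSH only, no Telnet, same idle timeout
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
R1(config-line)# exit
! Obfuscate the remaining plaintext line passwords (type 7). This only
! stops casual viewing of the config; the secrets above stay hashed
R1(config)# service password-encryption
R1(config)# end
! Verify (output abbreviated)
R1# show ip ssh
SSH Enabled - version 2.0
...
R1# show running-config | section line
line con 0
 exec-timeout 5 0
 password 7 <obfuscated value>
 logging synchronous
 login
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
```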
Configuration Files I
running-config vs startup-config
• You can manually save the file from DRAM to NVRAM by using the
copy running-config startup-config command (you can also use the
shortcut copy run start):
R1# copy running-config startup-config
• Also, when the command asked for the destination filename, the
default answer was startup-config.
• You can view the files by typing show running-config or show
startup-config from privileged mode.
• The sh run command, which is a shortcut for show running-config,
tells us that we are viewing the current configuration:
S1# show running-config
Configuration Files II
running-config vs startup-config (continued)
• show startup-config command
• Shows us the configuration that will be used the next time the router is
reloaded.
• It also tells us how much NVRAM is being used to store the
startup-config file.
S1# show startup-config
Switch# reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
Active Configuration
• show running-config
• show startup-config
Router# sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
Internet address is 192.168.1.33/27
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
.....
Router#
• Notice that serial 0/0 has a DTE cable, whereas the serial 0/1
connection has a DCE cable.
• Serial 0/1 would have to provide clocking with the clock rate
command.
• Serial 0/0 would get its clocking from the DSU.