
Network device and configuration

Chapter-02
Router and Switch

Baessa K.

Mettu University
Faculty of Engineering and Technology
Department of Information Technology

April 24, 2019


Baessa K. (Mettu University) 02 Router and Switch April 24, 2019 1 / 46
Lecture Topics

1 Basic Configuration

2 Passwords
Securing Privileged EXEC Access
Securing User EXEC Access

3 Viewing, Saving, and Erasing Configurations

4 Verifying

Basic Configuration


Command-Line Interface (CLI) I

I sometimes refer to the CLI as Cash Line Interface because if you can
create advanced configurations on Cisco routers and switches using the
CLI, then you’ll get the cash!

• After the interface status messages appear and you press Enter, the Router> prompt will appear.
• This is called user exec mode (user mode), and it’s mostly used to
view statistics, but it’s also a stepping stone to logging in to
privileged mode.
• You can only view and change the configuration of a Cisco router in
privileged exec mode (privileged mode), which you can enter with the
enable command.


Command-Line Interface (CLI) II

    Router> enable
    Router#

• To go back from privileged mode into user mode, use the disable command, as seen here:
    Router# disable
    Router>

• At this point, you can type logout from either mode to exit the console:
    Router> logout
    Router con0 is now available
    Press RETURN to get started.


Global Configuration Mode I

• To configure network devices from a CLI, you can make global changes to the router/switch by typing configure terminal (or config t for short),
• which puts you in global configuration mode and changes what’s known as the running config.
• A global command (a command run from global config) is set only once and affects the entire router.
• You can type config from the privileged-mode prompt and then just press Enter to take the default of terminal, as seen here:


Router and Switch Administrative Configurations I

• The administrative functions that you can configure on a router and switch are as follows:
  • Hostnames
  • Banners
  • Passwords
  • Interface descriptions


Hostnames I

• Hostnames allow devices to be identified by network administrators over a network or the Internet.
• Without names, network devices are difficult to identify for configuration purposes.
• Some guidelines for naming conventions are that names should:
  • Start with a letter
  • Contain no spaces
  • End with a letter or digit
  • Use only letters, digits, and dashes
  • Be less than 64 characters in length


Banners I

• One very good reason for having a banner is to give any and all who dare attempt to telnet or dial into your internetwork a little security notice.
• And you can create a banner to give anyone who shows up on the router exactly the information you want them to have.
• Make sure you’re familiar with these four available banner types:
  • exec process creation banner
  • incoming terminal line banner
  • login banner, and
  • message of the day (MOTD) banner


Banners II

• Message of the day (MOTD) is the most extensively used banner.
• It gives a message to every person dialing into or connecting to the router via Telnet or an auxiliary port, or even through a console port, as seen here:
    Todd(config)# banner motd # Unauthorized access prohibited! #



Passwords


Setting Passwords I

• Five passwords are used to secure your Cisco routers:
  1. Console password
    • Limits device access using the console connection
  2. Auxiliary password
  3. VTY password
    • Limits device access over Telnet
  4. Enable password
    • Limits access to the privileged EXEC mode
  5. Enable secret
    • Encrypted; limits access to the privileged EXEC mode
    • This will prompt a user for a password when the enable command is used.

Securing Privileged EXEC Access


Enable password I

• You set the enable passwords from global configuration mode like this:
• Enable password parameters:
  1. last-resort
    • Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available.
    • But it isn’t used if the TACACS server is working.
  2. password
    • Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.


Enable password II

  3. secret
    • This is the newer, encrypted password that overrides the enable password if it’s set.
  4. use-tacacs
    • This tells the router to authenticate through a TACACS server.


Enable password III


enable secret vs enable password
• Use the enable secret command, not the older enable password command.
• enable secret provides greater security because the password is encrypted.

Securing User EXEC Access


Console Password I

• To set the console password, use the line console 0 command.
• This port must be secured: it reduces the chance of unauthorized personnel physically plugging a cable into the device and gaining device access.
• Since there’s only one console port, I can only choose line console 0.
• There are a few other important commands to know for the console port.
  • The exec-timeout 0 0 command sets the time-out for the console EXEC session to zero, which basically means to never time out.
  • The default time-out is 10 minutes.


Telnet Password I

• Telnet, part of the TCP/IP protocol suite, is a virtual terminal protocol that allows you to make connections to remote devices, gather information, and run programs.
• You can use the Telnet program to reconfigure and/or check up on your routers and switches without using a console cable.
• You run the Telnet program by typing telnet from any command prompt (DOS or Cisco).
    Corp# telnet 10.2.2.2
    Trying 10.2.2.2 ... Open
    Password required, but none set
    [Connection to 10.2.2.2 closed by foreign host]
    Corp#

• You need to have VTY passwords set on the routers for this to work.


Telnet Password II

• To set the user-mode password for Telnet access into the router, use the line vty command.
• vty lines allow access to a Cisco device via Telnet.
• The number of vty lines supported varies with the type of device and the IOS version.
• Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4.
• But if you have the Enterprise edition, you’ll have significantly more.
• The best way to find out how many lines you have is to use that question mark:


Telnet Password III


    R1# config t
    Enter configuration commands, one per line.
    R1(config)# line vty 0 ?
      <1-15>  Last Line number
      <cr>
    R1(config)# line vty 0 4
    R1(config-line)# password telnet
    R1(config-line)# login
    R1(config-line)# ^Z
    R1(config)#

• Now let’s try this again. Here I’m connecting to the router from the Corp ISR console:
    Corp# telnet 10.2.2.2
    Trying 10.2.2.2 ... Open
    User Access Verification
    Password:
    R1>


Telnet Password IV

• Remember that the VTY password is the user-mode password, not the enable-mode password.
• Watch what happens when I try to go into privileged mode after telnetting into router R1:
    R1> en
    % No password set
    R1>


Setting Up Secure Shell (SSH) I

• Instead of Telnet, you can use Secure Shell, which creates a more secure session than the Telnet application, which uses an unencrypted data stream.
• Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device.
• SSH is commonly used in UNIX-based systems.
• Cisco IOS also supports SSH.
• A version of the IOS software including cryptographic (encrypted) features and capabilities is required in order to enable SSH on Catalyst 2960 switches.
• Because of its strong encryption features, SSH should replace Telnet for management connections.
• SSH uses TCP port 22 by default. Telnet uses TCP port 23.


Setting Up Secure Shell (SSH) III

• SSH Operation
  1. Set your hostname:
    Router(config)# hostname R1
  2. Set the domain name (both the hostname and domain name are required for the encryption keys to be generated):
    R1(config)# ip domain-name cisco.com
  3. Generate the encryption keys for securing the session:
    R1(config)# crypto key generate rsa general-keys modulus ?
      <360-2048>  size of the key modulus [360-2048]
    R1(config)# crypto key generate rsa general-keys modulus 1024
  4. Set the SSH version:
    R1(config)# ip ssh version 2
  5. Set the maximum idle timer for an SSH session:
    R1(config)# ip ssh time-out ?
      <1-120>  SSH time-out interval (secs)
    R1(config)# ip ssh time-out 60
  6. Set the maximum failed attempts for an SSH connection:
    R1(config)# ip ssh authentication-retries ?
      <0-5>  Number of authentication retries
    R1(config)# ip ssh authentication-retries 2
  7. Connect to the vty lines of the router:
    R1(config)# line vty 0 4
  8. Last, configure SSH (and, if needed, Telnet) as the access protocol on the lines and use the local username database for login; here only SSH is allowed:
    R1(config-line)# transport input ssh
    R1(config-line)# login local
    R1(config-line)# exit
    R1(config)# username admin password ccna

Setting Up Secure Shell (SSH) VII

Verifying SSH

Encrypting Password Display

• service password-encryption
  • prevents passwords from showing up as plain text when viewing the configuration
  • the purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file
  • once applied, removing the encryption service does not reverse the encryption
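The checks this chapter has built up (an enable secret instead of the older enable password, service password-encryption, login and a password on the console and vty lines, a sane exec-timeout, transport input ssh on the vty lines, and the hostname naming rules) can all be run against a saved copy of a configuration. The Python script below is an added example; it is not part of the lecture and not a Cisco tool. Both configuration texts in it are constructed, and the hash values are obvious placeholders. One caveat the audit encodes: service password-encryption uses the reversible type 7 scheme, so it only hides line passwords from someone glancing at the config, whereas enable secret and username ... secret store a hash, which is why the audit treats "username ... password" and a missing enable secret as findings.

```python
"""Audit a Cisco IOS configuration for the weak settings this chapter warns
about. Added example; the two configuration texts below are constructed."""
import re

# Constructed sample running-config with several of the chapter's weak settings.
SAMPLE_CONFIG = """\
!
hostname R1
!
enable password cisco
username admin password ccna
!
ip domain-name cisco.com
ip ssh version 2
!
line con 0
 exec-timeout 0 0
 password console
 login
line vty 0 4
 password telnet
 login
 transport input telnet ssh
!
end
"""

# The same device after applying the chapter's recommendations
# (hash and type 7 strings replaced by placeholders).
HARDENED_CONFIG = """\
service password-encryption
hostname R1
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
ip domain-name cisco.com
ip ssh version 2
line con 0
 exec-timeout 10 0
 password 7 <type7-placeholder>
 login
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
end
"""


def valid_hostname(name):
    """Chapter's naming rules: starts with a letter, ends with a letter or
    digit, only letters/digits/dashes, fewer than 64 characters."""
    return len(name) < 64 and re.fullmatch(
        r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?", name) is not None


def parse_config(text):
    """Split IOS config into top-level commands and their indented children.
    Returns (top, sections); sections maps e.g. 'line vty 0 4' to the list of
    commands entered under it."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # separators and comments carry no configuration
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    top, sections = parse_config(text)
    findings = []
    names = [g.split(None, 1)[1] for g in top if g.startswith("hostname ")]
    if not names:
        findings.append("no hostname configured")
    elif not valid_hostname(names[0]):
        findings.append(f"hostname {names[0]!r} breaks the naming rules")
    if not any(g.startswith("enable secret ") for g in top):
        findings.append("no 'enable secret': privileged EXEC relies on "
                        "'enable password' (reversible) or on nothing at all")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' missing: line "
                        "passwords appear in clear text in the config")
    for g in top:
        if re.match(r"username \S+ password ", g):
            findings.append(f"user {g.split()[1]!r} uses 'password' "
                            "(reversible); prefer 'username ... secret'")
    if "ip ssh version 2" not in top:
        findings.append("SSH not pinned to version 2")
    for line, children in sections.items():
        if not line.startswith("line "):
            continue
        if "exec-timeout 0 0" in children:
            findings.append(f"{line}: exec-timeout 0 0, sessions never expire")
        if "login" in children and not any(c.startswith("password ") for c in children):
            findings.append(f"{line}: 'login' without a password "
                            "(remote users see 'Password required, but none set')")
        if line.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"{line}: Telnet still possible; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run as a script it prints five findings for the weak sample and none for the hardened one; the parser only understands one level of indentation, which is enough for line, interface and similar sections but not for nested policy blocks.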

Viewing, Saving, and Erasing Configurations


Configuration Files I

running-config vs startup-config
• You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command (you can use the shortcut copy run start also):
    R1# copy running-config startup-config

• Also, when the command asked for the destination filename, the default answer was startup-config.
• You can view the files by typing show running-config or show startup-config from privileged mode.
• The sh run command, which is a shortcut for show running-config, tells us that we are viewing the current configuration:
    S1# show running-config


Configuration Files II

running-config vs startup-config (continued)
• show startup-config command
  • shows us the configuration that will be used the next time the router is reloaded.
  • It also tells us how much NVRAM is being used to store the startup-config file.
    S1# show startup-config
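Because running-config lives in DRAM and startup-config in NVRAM, the two can drift apart: a change made at the CLI and never saved disappears on reload, and a statement that exists only in running-config is a change nobody committed, which is worth knowing when reviewing a device. The Python script below is an added example, not part of the lecture; it compares the two show outputs after stripping the header lines that always differ. Both configuration texts are constructed, and the hash values are placeholders.

```python
"""Find configuration that exists only in running-config (DRAM) or only in
startup-config (NVRAM). Added example; both texts below are constructed."""
import difflib

# Constructed 'show running-config' output: an account and a transport change
# were made in DRAM and never copied to NVRAM.
RUNNING = """\
Building configuration...
Current configuration : 734 bytes
!
hostname R1
!
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
username tempuser password changeme
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# Constructed 'show startup-config' output for the same device.
STARTUP = """\
Using 690 out of 32768 bytes
!
hostname R1
!
enable secret 5 <hash-placeholder>
username admin secret 5 <hash-placeholder>
!
line vty 0 4
 login local
 transport input ssh
!
end
"""

# Header lines that differ between the two views without being configuration.
VOLATILE_PREFIXES = ("Building configuration", "Current configuration", "Using ")


def normalize(config_text):
    """Keep only real configuration statements: drop '!' separators and
    comments, blank lines, and the volatile header lines. Indentation is
    kept so that line-mode commands stay distinguishable from global ones."""
    keep = []
    for line in config_text.splitlines():
        s = line.rstrip()
        if not s.strip() or s.startswith("!") or s.startswith(VOLATILE_PREFIXES):
            continue
        keep.append(s)
    return keep


def unsaved_changes(running, startup):
    """Return (only_in_running, only_in_startup). Statements only in
    running-config vanish on reload unless saved; statements only in
    startup-config come back on reload even though they are not active now."""
    run, start = normalize(running), normalize(startup)
    matcher = difflib.SequenceMatcher(a=start, b=run, autojunk=False)
    only_run, only_start = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            only_start.extend(start[i1:i2])
        if tag in ("replace", "insert"):
            only_run.extend(run[j1:j2])
    return only_run, only_start


if __name__ == "__main__":
    added, missing = unsaved_changes(RUNNING, STARTUP)
    print("only in running-config (lost on reload unless saved):")
    for stmt in added:
        print("  +", stmt)
    print("only in startup-config (returns on reload):")
    for stmt in missing:
        print("  -", stmt)
```

The comparison is line-based, so a statement moved to a different position in the file shows up as removed and added; for the short sections this chapter deals with that is acceptable, and it keeps the indented line-mode commands attached to the section they belong to.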


Configuration Files III

    Switch# reload
    System configuration has been modified. Save? [yes/no]: n
    Proceed with reload? [confirm]


Deleting the Configuration and Reloading the Router I

erase startup-config vs reload
• The startup configuration is removed by using the erase startup-config command:
    Switch# erase startup-config
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm][enter]
    [OK]
    Erase of nvram: complete
    Switch#
    *Feb 28 23:51:21.179: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
    Switch# sh startup-config
    startup-config is not present


Deleting the Configuration and Reloading the Router II

• On a switch you must also issue the delete vlan.dat command:
    Switch# reload
    Proceed with reload? [confirm] System configuration has been modified.
    Save? [yes/no]: n
    Switch# delete vlan.dat
    Delete filename [vlan.dat]?
    Delete flash:vlan.dat? [confirm]

Verifying


Verifying Your Configuration I

Active Configuration
• show running-config
• show startup-config


Verifying Your Configuration II

Verifying with the show interface Command
• The show interfaces command displays the configurable parameters and statistics of all interfaces on a router.
    Router# sh int ?

    Router# sh int f0/0
    FastEthernet0/0 is up, line protocol is up
      Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
      Internet address is 192.168.1.33/27
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
    .....
    Router#


Verifying Your Configuration III

• It reveals to us the hardware address, logical address, and encapsulation method as well as statistics on collisions.


Verifying Your Configuration IV

Using the show controllers Command
• The show controllers command displays information about the physical interface itself.
• It’ll also give you the type of serial cable plugged into a serial port.
• Usually, this will only be a DTE cable that plugs into a type of data service unit (DSU).
    Router# sh controllers serial 0/0
    HD unit 0, idb = 0x1229E4, driver structure at 0x127E70
    buffer size 1524  HD unit 0, V.35 DTE cable
    cpb = 0xE2, eda = 0x4140, cda = 0x4000
    Router# sh controllers serial 0/1
    HD unit 1, idb = 0x12C174, driver structure at 0x131600
    buffer size 1524  HD unit 1, V.35 DCE cable
    cpb = 0xE3, eda = 0x2940, cda = 0x2800


Verifying Your Configuration V

• Notice that serial 0/0 has a DTE cable, whereas the serial 0/1
connection has a DCE cable.
• Serial 0/1 would have to provide clocking with the clock rate
command.
• Serial 0/0 would get its clocking from the DSU.


Verifying with the show ip interface Command I


• The show ip interface command will provide you with information regarding the layer 3 configurations of a router’s interfaces:
    Router# sh ip interface
    FastEthernet0/0 is up, line protocol is up
      Internet address is 1.1.1.1/24
      Broadcast address is 255.255.255.255
      Address determined by setup command
      MTU is 1500 bytes
      Helper address is not set
    ....
    Router#


Verifying with the show ip interface Command II

Using the show ip interface brief Command
• The show ip interface brief command is probably one of the most helpful commands that you can ever use on a Cisco router.
• This command provides a quick overview of the router’s interfaces, including the logical address and status:
    Router# sh ip int brief
    Interface    IP-Address    OK? Method Status    Protocol
    ...          ...           ... ...    ...       ...
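The table above is abbreviated. The Python script below is an added example, not part of the lecture; it parses a full show ip interface brief table into records and groups the interfaces by state, which is the check a verification pass usually wants: which interfaces are fully up, which are up but with the line protocol down (cabling, clocking or encapsulation trouble), which are enabled but carry no address (candidates to shut down if unused), and which are administratively down. The sample output is constructed to match the command's layout; the names and addresses in it are made up.

```python
"""Parse 'show ip interface brief' output into records and group interfaces
by state. Added example; the output below is constructed, not captured."""

# Constructed sample output in the layout of 'show ip interface brief'.
SAMPLE_BRIEF = """\
Router# sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.33    YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/0                  10.2.2.1        YES manual up                    down
Serial0/1                  unassigned      YES unset  up                    up
"""


def parse_brief(text):
    """Parse each data row. Status may be two words ('administratively down'),
    so take the fixed leading and trailing fields and join whatever is left."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue  # prompt line, header line or blank line
        name, ip, ok, method = fields[:4]
        rows.append({
            "interface": name,
            "ip": None if ip == "unassigned" else ip,
            "ok": ok == "YES",
            "method": method,
            "status": " ".join(fields[4:-1]),
            "protocol": fields[-1],
        })
    return rows


def classify(rows):
    """Group interfaces into the states a verification pass cares about."""
    groups = {"up": [], "protocol_down": [], "enabled_unaddressed": [],
              "admin_down": [], "down": []}
    for r in rows:
        if r["status"] == "administratively down":
            groups["admin_down"].append(r["interface"])
        elif r["status"] == "up" and r["protocol"] == "down":
            groups["protocol_down"].append(r["interface"])
        elif r["status"] == "up" and r["ip"] is None:
            groups["enabled_unaddressed"].append(r["interface"])
        elif r["status"] == "up":
            groups["up"].append(r["interface"])
        else:
            groups["down"].append(r["interface"])  # physically down, not shut
    return groups


if __name__ == "__main__":
    for state, names in classify(parse_brief(SAMPLE_BRIEF)).items():
        print(f"{state:20s} {', '.join(names) or '-'}")
```

The parser relies on the column order rather than on column widths, so it also copes with long interface names that push the columns out of alignment.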
