Cisco IOS basic configuration
Course: General networking (no course)<br />
Title: Cisco IOS basic configuration<br />
Author: Thomas Ivarsson<br />
Last edit: March 16, 2012<br />
Cisco IOS basic configuration<br />
A brief introduction to the Cisco IOS<br />
Basic navigation<br />
The Cisco Internetwork Operating System (IOS) is built in hierarchical layers,<br />
each with its own functions, privilege level and purpose. The three base layers,<br />
or modes, are the user executive mode, the privileged executive mode and the global<br />
configuration mode. Each of the modes has its own prompt:<br />
Router>            // user executive mode<br />
Router#            // privileged executive mode<br />
Router(config)#    // global configuration mode<br />
There are also a number of special configuration modes such as the interface, line<br />
and router configuration mode:<br />
Router(config-if)#        // interface configuration mode<br />
Router(config-line)#      // line configuration mode<br />
Router(config-router)#    // router configuration mode<br />
To navigate up one level in the hierarchy, for example from the user executive<br />
mode to the privileged executive mode, use the specific command to reach that<br />
mode. To move back down, use the exit command. A few examples:<br />
Router>enable<br />
Router#configure terminal<br />
Router(config)#exit<br />
Router#configure terminal<br />
Router(config)#interface FastEthernet 0/1<br />
Router(config-if)#exit<br />
Router(config)#line console 0<br />
Router(config-line)#end<br />
Router#disable<br />
Router><br />
As can be seen from the last two commands, end and disable, there are actually a<br />
few commands besides exit that will let you move back down. The end command<br />
moves you directly from a special configuration mode back to the privileged<br />
executive mode, bypassing the global configuration mode. The disable<br />
command moves you from the privileged to the unprivileged executive mode.<br />
Using exit in privileged executive mode will disconnect you from the device.<br />
A brief introduction to the different modes<br />
The user executive mode is limited to examining the device. It is possible to get a<br />
good view of how the device is functioning just by accessing this mode. Though<br />
it's not possible to change any of the device configuration, a basic troubleshooting<br />
session can be conducted in this mode, giving enough information to decide if the<br />
device is causing the problem.<br />
The privileged executive mode has access to all the commands from the user<br />
executive mode, but it also adds commands for configuring the router and<br />
handling its configuration. Once a user has access to the<br />
privileged executive mode the user can access any configuration mode, so having<br />
privileged executive mode access can be compared to having root access in a<br />
Unix-like operating system.<br />
Global configuration mode handles configuration that affects the device as a<br />
whole. The global configuration mode is also the level used to gain access to more<br />
specific configuration modes, such as the interface configuration mode where<br />
configuration for a specific interface is made, or the router configuration mode<br />
where a specific routing process (protocol) is configured.<br />
A brief introduction to the command structure<br />
The commands in Cisco IOS are multiple-word commands, where the first keyword<br />
is the root of a tree of possible commands. In the previous example the configure terminal<br />
command was used to move from privileged executive mode to global configuration<br />
mode. But there are other commands starting with the keyword configure:<br />
Router#configure ?<br />
  confirm            Confirm replacement of running-config with a new config file<br />
  memory             Configure from NV memory<br />
  network            Configure from a TFTP network host<br />
  overwrite-network  Overwrite NV memory from TFTP network host<br />
  replace            Replace the running-config with a new config file<br />
  revert             Parameters for reverting the configuration<br />
  terminal           Configure from the terminal<br />
As seen from the example, there are quite a few commands starting with the<br />
configure keyword in the privileged executive mode. Another thing worth<br />
noting is the question mark. By using the question mark you tell the device to feed<br />
you all possible commands based on the string of characters before the question<br />
mark. It can be used as in the example, as a way to find the commands that follow<br />
the configure command, or it can be used to find out what commands start with<br />
a specified group of characters, for example:<br />
Router#con?<br />
configure connect<br />
One more thing worth noting is that the IOS will interpret a command based on<br />
the characters given, allowing commands to be shortened if only one keyword<br />
starts with that set of characters. While con is not enough for the device to<br />
tell that you mean configure, conf is – since no other command starts with conf,<br />
the device will interpret it as configure:<br />
Router#con t<br />
% Ambiguous command: "con t"<br />
Router#conf t<br />
Router(config)#<br />
When there's no ambiguity as to what keyword is being entered, the TAB key can<br />
be used to complete the word:<br />
Router#con              // press TAB: 'con' is ambiguous,<br />
Router#con              // so the result is 'con'<br />
Router#conf t           // press TAB: 't' is not ambiguous,<br />
Router#conf terminal    // so the result is 'terminal'<br />
Naming the device<br />
When a device is booted without a configuration file, it will take its name from<br />
the kind of device it is. It's a good idea to change this name, making it easier to<br />
identify which device one is connected to. The device name is also used by the<br />
Cisco Discovery Protocol (CDP), a link-layer protocol used by Cisco devices to<br />
exchange information over a link. CDP can be quite useful when troubleshooting,<br />
and correct naming is surely a blessing when trying to document an<br />
undocumented network built with Cisco devices.<br />
To change the name of the device, enter global configuration mode and execute<br />
the following command:<br />
Switch(config)#hostname LION<br />
LION(config)#<br />
Notice how the prompt changes, indicating that the word Switch (or Router in<br />
previous commands) actually was the name of the device. If you want to give the<br />
device a complete domain name, such as lion.example.com, you add the<br />
domain name as a separate configuration command:<br />
LION(config)#ip domain-name example.com<br />
The domain name is actually a sub-command to the ip keyword, indicating its<br />
connection to the Internet Protocol (IP). The domain name configured with the<br />
command will be the default domain name, used when querying the DNS for IP<br />
addresses or doing a reverse look-up.<br />
DNS look-up and the 'no' keyword<br />
When speaking of look-ups, the Cisco IOS has a somewhat annoying feature<br />
(annoying if you don't know about it): whenever you feed it an IP address as a<br />
command in user or privileged executive mode, the device will try to make a<br />
telnet connection to that IP address. Example:<br />
Router>192.168.231.11<br />
Trying 192.168.231.11 ...<br />
The IP address is interpreted as the command telnet - this is not the<br />
annoying part. The problem is that anything that can be interpreted as a name or<br />
FQDN will also result in an attempt to make a telnet connection. In fact, any<br />
string of characters that can't be interpreted as a command but can be interpreted<br />
as a name will result in an attempted telnet connection. Example:<br />
Router#not-a-command<br />
Translating "not-a-command"...domain server (255.255.255.255)<br />
Translating "not-a-command"...domain server (255.255.255.255)<br />
Translating "not-a-command"...domain server (255.255.255.255)<br />
% Unknown command or computer name, or unable to find computer address<br />
The device in the example tries to find a DNS server (at IP address<br />
255.255.255.255), waiting for a time out on every translation attempt. There are<br />
two ways around this waiting period. Either you have a working DNS server that<br />
can tell the device that there's no host named not-a-command, or you can disable<br />
DNS look-ups altogether.<br />
To configure one (or more) DNS servers for the device to use, the ip name-server<br />
command is used once for every server:<br />
Router(config)#ip name-server 192.168.231.10<br />
To disable DNS look-ups, use:<br />
Router(config)#no ip domain-lookup<br />
The 'no' keyword used in the command is the standard way to negate a command.<br />
Issuing the command no ip name-server 192.168.231.10 would remove<br />
that IP address from the list of possible name servers, and using the command no<br />
shutdown in interface configuration mode will activate the interface.<br />
Configuring passwords<br />
Passwords can be configured to control who has access to what. A password can<br />
be set to protect the privileged executive mode, forcing the user to type a<br />
password in order to move from user executive mode up to privileged<br />
executive mode. This password is known as the 'enable' password. Keeping track<br />
of that name also helps in finding the first keyword in the command:<br />
Switch(config)#enable secret password<br />
Using the above command will force the user to enter the password 'password'<br />
directly after issuing the enable command.<br />
Switch>enable<br />
Password:<br />
Switch#<br />
// enter 'password', not shown<br />
The keyword secret tells the device to encrypt the password in the configuration<br />
file. The algorithm used for the encryption is a modified MD5 hash function that<br />
is cryptographically weaker than the original MD5 algorithm, but at least it wards<br />
off most of the nosy shoulder surfers. It's possible to replace the secret keyword<br />
with the keyword password, but this will leave the password unencrypted. Both<br />
keywords can be used at the same time:<br />
Switch(config)#enable password class<br />
Switch(config)#enable secret password<br />
Switch(config)#exit<br />
Switch#disable<br />
Switch>enable<br />
Password:<br />
// enter 'class', not shown<br />
Password:<br />
// enter 'password', not shown<br />
Switch#disable<br />
Switch>enable<br />
Password:<br />
// enter 'password', not shown<br />
Switch#<br />
As can be seen from the example, the password configured with the keyword<br />
password is ignored as long as the 'secret' password is present in the<br />
<strong>configuration</strong>. If the 'secret' password is removed, 'class' will be the password used<br />
to access the privileged executive mode:<br />
Switch(config)#no enable secret<br />
Switch(config)#exit<br />
Switch#disable<br />
Switch>enable<br />
Password:<br />
// enter 'class', not shown<br />
Switch#<br />
Protecting the console port<br />
Initial configuration of a device is usually done through a specific port, the<br />
console port. To access the device via the console port one usually needs physical<br />
access to the device; nonetheless, it's recommended to protect this port with a<br />
password. To configure a password for the port and to force anyone that connects<br />
via the console to enter the password 'cisco', do the following:<br />
Router(config)#line console 0<br />
Router(config-line)#password cisco<br />
Router(config-line)#login<br />
The last line of the configuration is very important. Without it, the password is<br />
configured but the user is not forced to use it to log in: connect to the port and you're<br />
presented with the prompt. With the login command in place, the user will see<br />
something like this:<br />
User Access Verification<br />
Password:<br />
Enter the correct password (in our example cisco) and you're in.<br />
Passwords for network access<br />
It's often a good idea to create a network-facing management interface for the<br />
devices in a network. If something is wrong, the administrator will be able to<br />
troubleshoot by examining multiple devices without having to leave the desk. Without<br />
the ability to administer the devices over the network, the administrator might<br />
have to travel for hours just to find out that the problem was not in the device that<br />
is currently being visited.<br />
The general interface for network management is not bound to any particular<br />
network protocol and is configured via a line configuration mode in the same way<br />
as the console port is. The line is named vty and it's a virtual terminal. There are<br />
several virtual terminals in most devices and they can be configured in groups.<br />
When configuring the console port, the port number '0' was given to indicate the<br />
console port being configured (since the device only has one console port the<br />
number has to be '0'). Routers have five (0 through 4) VTY lines by default and<br />
switches have 16 (0 through 4 and 5 through 15). It's possible to configure all or<br />
a subset. Let's configure lines 0 through 3 and give them the password 'class':<br />
Switch(config)#line vty 0 3<br />
Switch(config-line)#password class<br />
Switch(config-line)#login<br />
While it might be a good idea to give the login command, it should be the<br />
default for the VTY lines – then again, it doesn't hurt to be on the safe side. Once<br />
the device (in this case the switch) has an active network interface with a valid<br />
address, it's possible to make telnet connections to the device using that address.<br />
Encrypting the passwords<br />
When configuring the 'enable' password, there was a choice to make it encrypted<br />
or unencrypted using the secret or password keyword before the password. The<br />
passwords for the console and VTY lines are always unencrypted. But it is<br />
possible to mask the passwords in the configuration file. If one looks at the default<br />
configuration file when a non-configured device is first started, this line can be<br />
found close to the top of the file:<br />
no service password-encryption<br />
By giving the command in global configuration mode without the no keyword, the<br />
password-encryption service is enabled and all unencrypted passwords in the<br />
configuration are 'hidden', that is, hashed into a HEX value. The hash is cryptographically weak<br />
(really weak), but once again, someone reading over your shoulder might have a<br />
harder time remembering 121A0C041104 than the password used for the VTY line<br />
(all depending on the password policy or strength of the password).<br />
Configuring banners<br />
It is often recommended that users trying to connect to a device are 'greeted' by a<br />
banner, telling them that it's a private system, that only authorized personnel<br />
should access it and that any attempt to access the device will be logged. There<br />
are several banners available in Cisco IOS and while Cisco always promotes the<br />
message-of-the-day banner, this example shows how to configure a 'login banner':<br />
Router(config)#banner login *<br />
Enter TEXT message. End with the character '*'<br />
This is the text of the banner<br />
*<br />
Router(config)#<br />
The thing worth noting here is the star character '*'. That's the character used to<br />
tell the device that the banner is finished. Pick one that won't be used in the<br />
banner text and place it after the banner keyword; once the text is in place (just type it<br />
as you would in a text editor) end it by using the character again. The banner will<br />
now be displayed anytime someone tries to connect to the device:<br />
Trying 10.228.4.2<br />
Connected to 10.228.4.2.<br />
Escape character is '^]'.<br />
This is the text of the banner<br />
User Access Verification<br />
Password:<br />
Working with the configuration<br />
The configuration typed into the device is applied and stored in RAM. Once the<br />
device powers down or reloads, the configuration is lost. To view the<br />
configuration that is currently stored in RAM, use the following command:<br />
Router#show running-config<br />
Use 'space' to move a page forward and use 'enter' to step one line at a time. If<br />
you want to quit before you make it to the end, type 'q'.<br />
It is possible to view sections of the configuration or to start reading from a given<br />
string. To only view the configuration for the interface FastEthernet 0/0:<br />
Router#show running-config interface FastEthernet 0/0<br />
To view all lines with the keyword ip, use:<br />
Router#show running-config | include ip<br />
To view the configuration starting at the first interface (provided the<br />
configuration doesn't contain a line with the string 'interface' before the first<br />
interface configuration line) use:<br />
Router#show running-config | begin interface<br />
Saving the configuration<br />
The current 'running' configuration can be stored to NVRAM, where the device<br />
will find it and read it at reboot, with the command:<br />
Switch#copy running-config startup-config<br />
To view the configuration that will be used on reboot, just form a show command<br />
in the same way as when viewing the 'running' configuration but use startup-config<br />
instead of running-config. Use the copy keyword along with the<br />
question mark to find out other ways that the configuration can be stored or<br />
moved around.<br />
Removing the configuration<br />
Sometimes you want to remove the configuration. The configuration stored in<br />
NVRAM might be dated, or maybe there's something wrong with the<br />
configuration and it needs to be removed. The following command can be used to<br />
remove the configuration stored in NVRAM:<br />
Switch#erase startup-config<br />
Sometimes there is something wrong with parts of the current configuration; for<br />
example, an interface might have been misconfigured with a lot of unwanted<br />
configuration. To negate that configuration, use the default keyword to take the<br />
interface back to its default configuration:<br />
Router(config)#default interface FastEthernet 0/0<br />
Try it before you buy it<br />
Sometimes an administrator might find that new configuration is needed but it's<br />
not clear if the configuration will work or not. A nightmare is to be locked out of<br />
network devices physically located hours away, especially in the middle of the<br />
night when people are depending on the device to be functioning in the morning.<br />
Since the configuration is only stored in RAM and will disappear at reboot if not<br />
saved, this can be used to try new configuration with a potential lockout without<br />
having to travel to resolve the problem:<br />
Router#reload in 5<br />
Reload scheduled in 5 minutes by vty0 (192.168.230.56)<br />
Reload reason: Reload Command<br />
Proceed with reload? [confirm]<br />
Router#<br />
***<br />
*** --- SHUTDOWN in 0:05:00 ---<br />
***<br />
Router#reload cancel<br />
Router#<br />
***<br />
*** --- SHUTDOWN ABORTED ---<br />
***<br />
The first command tells the device to automatically reload in five minutes. Once<br />
the new configuration has been applied and it's confirmed that everything works as<br />
expected, the reload can be cancelled using the second command and the configuration<br />
saved. Since the configuration wasn't saved, the reload would have removed it ...<br />