- Access and utilize the router to set basic parameters (including: CLI/SDM)
- Manage Cisco IOS
As mentioned in Chapter 7, “Foundation Cisco IOS Operations,” Global Configuration commands affect the entire router or switch’s operations. Recall also that you enter Global Configuration by typing configure terminal from Privileged EXEC, which changes the prompt to Router(config)#. This section looks at the syntax and functions of some basic Global Configuration parameters that you can configure in a switch or a router.
The majority of configuration commands discussed throughout this entire book can be negated or removed if you type the keyword no, followed by the command again. The same syntax rules must apply when removing the command (you must type the command correctly and you must be in the correct level of the IOS hierarchy where the original command exists).
Altering the Boot Sequence
The previous chapter discussed two means of altering the default boot sequence of a router. Namely, you learned that by changing certain fields in the configuration register, you can force the Cisco device to perform actions such as booting from ROM and ignoring the startup configuration. In Global Configuration, the config-register command enables you to manipulate those fields and ultimately change the normal default operations of the router or switch.
For example, if you wanted to manipulate the configuration register to enter ROMmon on the next reboot, the Global Configuration command would look like this on a router:
On the next boot, this router instructs the bootstrap to immediately boot into ROMmon in ROM. The prompt displays rommon 1 >, signifying that the manipulation was successful and you are indeed in the mini-IOS.
Don’t Change Configuration Register Fields Unless Necessary
In this book, we mention only a couple of the boot field values and the configuration field values. Do not randomly experiment with the configuration register to see the outcome. You could very well change a configuration parameter that will cause the router or switch to boot abnormally, change the console speed (leaving you guessing what speed you need to use to get terminal connectivity), or not boot at all. If you accidentally change these settings, you can try to change the configuration register back by forcing the device to go directly to ROMmon mode on boot-up. From a console connection, turn on the device and send a break sequence (Ctrl+Break in HyperTerminal) from your terminal window in the first 60 seconds. You see the rommon 1 > prompt, indicating that you are in ROM Monitor. From here, enter the following command:
rommon 1 >confreg 0x2102
You should see a response similar to the following:
You must reset or power cycle for new config to take effect
rommon 2 >
At this point, you can recycle the power on the device or type the ROMmon-specific command, reset, to reboot the device because you have restored the default configuration register to ensure normal operations.
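To make the register values in this section concrete, here is an added example (not Cisco code) that decodes the boot-related bits of a configuration register and rewrites only the boot field, so the console-speed and other bits that the note above warns about are left untouched. The bit meanings are the documented Cisco semantics; the 0x2102 default is the value the note restores with confreg.

```python
"""Decode and edit the boot-related fields of a Cisco configuration register.
Added example, not Cisco code: it models the documented bit meanings that this
section's values depend on (boot field, ignore-NVRAM, break, and the 0x2102
default) and nothing else."""

BOOT_FIELD_MASK = 0x000F        # bits 0-3: boot field
IGNORE_NVRAM = 0x0040           # bit 6: ignore the startup-config in NVRAM on boot
BREAK_DISABLED = 0x0100         # bit 8: break is ignored once the first 60 s of boot have passed
ROM_IF_NETBOOT_FAILS = 0x2000   # bit 13: fall back to ROM software if a network boot fails
FACTORY_DEFAULT = 0x2102        # the value restored with "confreg 0x2102" in ROMmon


def decode_config_register(value):
    """Describe what a 16-bit configuration register value makes the router do."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0:
        boots_to = "ROMmon"                      # stays at the rommon 1 > prompt
    elif boot_field == 1:
        boots_to = "first image in Flash (or boot ROM on older platforms); boot system commands ignored"
    else:
        boots_to = "IOS per boot system commands, then Flash"   # 2-15; the default is 2
    return {
        "boot_field": boot_field,
        "boots_to": boots_to,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


def with_boot_field(value, boot_field):
    """Return the register with only bits 0-3 replaced; every other bit is preserved."""
    if not 0 <= boot_field <= 0xF:
        raise ValueError("boot field is 4 bits")
    return (value & ~BOOT_FIELD_MASK) | boot_field


if __name__ == "__main__":
    for reg in (FACTORY_DEFAULT, with_boot_field(FACTORY_DEFAULT, 0), FACTORY_DEFAULT | IGNORE_NVRAM):
        print(f"0x{reg:04X}: {decode_config_register(reg)}")
```

Starting from the factory default and changing only the boot field is the safe way to derive a value such as the ROMmon one; typing an arbitrary register value by hand is how the console speed ends up changed by accident.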
The second Global Configuration command to globally affect the startup sequence that was mentioned in the previous chapter is the boot system command. With this command, you can optionally instruct the bootstrap to boot from specific locations, and even tell it which file to load if there are multiple IOS files at that location. Two different examples of the boot system commands are as follows:
Router(config)#boot system tftp c2600-do3s-mz.120-5.T1 172.16.1.1
Router(config)#boot system flash c2600-do3s-mz.120-5.T1
The first command instructs the bootstrap to locate the IOS on the TFTP server located at 172.16.1.1. The second boot system command configures the bootstrap to specifically load the IOS file c2600-do3s-mz.120-5.T1 in the possible event that Flash has multiple IOS image files on it. In examples where you have multiple boot system commands in a sequence, such as the example just given, the bootstrap tests each command in successive order until it successfully locates and loads an IOS.
Changing the Hostname
Throughout this and the last chapter, you saw that the default prompt for a router starts with the hostname Router. You should change the hostname to uniquely identify the Cisco device in your internetwork. This is especially useful if you are using Telnet to remotely manage multiple devices and you need to identify which device you are connected to. The syntax for the command to change the hostname of the Cisco device is hostname, followed by the name you have chosen (up to 25 characters), as illustrated here:
Router(config)#hostname CCNA2811
CCNA2811(config)#
Notice that once we type the hostname command, the prompt immediately changes to the new hostname (in this case, CCNA2811).
Creating a Login Banner
It is advisable to display a login banner as a means to provide notice of acceptable use or as a warning to anyone attempting to gain unauthorized access to your Cisco device. In Cisco terms, this is known as the message of the day. This message is displayed to any user attempting to gain an EXEC session on all terminal lines in the IOS. An example configuration for the message of the day is as follows:
CCNA2811(config)#banner motd # This is a private system and may be accessed only by authorized users. Unauthorized access is strictly prohibited and will be enforced to the full extent of the law. #
Notice that the banner motd (message of the day) command example contains a # character before and after the message. This is known as a delimiting character and is used to inform the IOS where your banner begins and ends. This can be any character, so it makes sense to use a character that is not present in the banner itself. For instance, if the delimiting character were “v”, the banner would be displayed as This is a pri.
Remember that the command to configure a login banner is banner motd.
No Need for a Warm Welcome
Be extremely careful of the message that you choose in your login banner. A login banner can be useful if you need to seek legal action against an intruder to your Cisco device. On the flip side, however, the wrong login banner can work against you. For example, if your login banner contains the word “welcome” or similar inviting words, this can be used as grounds for defense for an unauthorized user to gain access because it can be considered as an invitation to your device.
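The delimiter behaviour described above is easy to get wrong when a banner is built by a script or copied from a template, so here is an added example (not IOS code) that emulates how the delimiting character is read, reproduces the “This is a pri” truncation, and picks a delimiter that cannot occur in a given message. The candidate delimiter set is this example's own choice.

```python
"""Emulate how IOS parses the delimiting character of 'banner motd'. Added example,
not IOS code: it shows why a delimiter that also occurs inside the message cuts the
banner short, and picks a safe delimiter for a given message."""

PREFIX = "banner motd"
CANDIDATE_DELIMITERS = "#^$~@%&"   # assumption of this example; IOS accepts any character


def parse_banner_motd(command):
    """Return (text, terminated) for a 'banner motd <d>text<d>' command.

    The first non-blank character after 'banner motd' is the delimiter; the stored
    banner is everything after it up to the next occurrence of the same character,
    newlines included. terminated is False when the closing delimiter never appears,
    in which case IOS would keep reading further input lines as banner text.
    """
    if not command.startswith(PREFIX):
        raise ValueError("not a banner motd command")
    rest = command[len(PREFIX):].lstrip()
    if not rest:
        raise ValueError("banner motd needs a delimiting character")
    delimiter, body = rest[0], rest[1:]
    end = body.find(delimiter)
    if end == -1:
        return body, False
    return body[:end], True


def choose_delimiter(message):
    """Pick the first candidate character that does not occur in the message."""
    for ch in CANDIDATE_DELIMITERS:
        if ch not in message:
            return ch
    raise ValueError("every candidate delimiter occurs in the message; choose another character")


def build_banner_motd(message):
    """Build a banner motd command whose delimiter cannot truncate the message."""
    d = choose_delimiter(message)
    return f"{PREFIX} {d}{message}{d}"


# The banner text from this section, used as the sample message.
MESSAGE = ("This is a private system and may be accessed only by authorized users. "
           "Unauthorized access is strictly prohibited and will be enforced to the "
           "full extent of the law.")

if __name__ == "__main__":
    print(parse_banner_motd(f"{PREFIX} #{MESSAGE}#"))
    print(parse_banner_motd(f"{PREFIX} v{MESSAGE}v"))   # cut at the 'v' in "private"
    print(build_banner_motd(MESSAGE))
```

Running the block shows the full message when # is the delimiter and only “This is a pri” when v is, exactly as the text describes; build_banner_motd is the form to use when the message is not under your control.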
Assigning a Password for Privileged EXEC Mode
- Implement basic router security
Gaining access to Privileged EXEC essentially means you have access to all the functionality of the IOS, including those commands that can detrimentally affect the router or switch. With that being said, it makes sense to secure access to Privileged EXEC to ensure those who gain access are indeed skilled and authorized to do so. This is achieved in Global Configuration with the creation of an enable password, which prompts anyone attempting to access Privileged EXEC with a password that is known only by those who truly are privileged.
A password for access to Privileged EXEC can be assigned with one of the following two commands:
CCNA2811(config)#enable password myenablepassword
CCNA2811(config)#enable secret mysecretpassword
Be careful not to accidentally put the additional keyword password after the enable secret command. Otherwise, your secret password would be “password,” followed by your actual password. In addition, the commands are case sensitive, so make sure you don’t accidentally put the wrong case in the command.
So what is the difference between the two commands? The enable secret password is secure because it utilizes a non-reversible one-way MD5 (Message Digest 5) cryptographic hash of the password, so it cannot be read back by anybody who can see the configuration. On the other hand, the enable password command is stored in clear text and can be seen by anyone who gains access to that configuration. In practice, it is customary to utilize the enable secret command for the security that it provides over the enable password command. The following configuration demonstrates a secure enable password configuration, and the resulting prompt that occurs when you try to re-enter Privileged EXEC:
Enter configuration commands, one per line. End with CNTL/Z.
CCNA1841(config)#enable secret giforgot
*Aug 12 21:46:38.055: %SYS-5-CONFIG_I: Configured from console by console
When the enable password command and the enable secret password command are used in the same configuration, the enable secret command overrides the enable password command. For example, using the preceding configuration examples, the password would be “mysecretpassword” to enter Privileged EXEC.
It is possible to encrypt the password used in the enable password command by using the following Global Configuration command:
CCNA2811(config)#service password-encryption
This command actually encrypts all clear text passwords in your configuration, including passwords you assign to the EXEC lines (discussed later). This is useful in case anyone happens to see your configuration, because the password cannot be read at a glance. Be advised, however, that the encryption used is a Cisco proprietary encryption, which is easily broken to reveal the actual password. When choosing between this method and the enable secret method for securing Privileged EXEC, use enable secret because its protection is far stronger.
The service password-encryption command encrypts all clear text passwords in the configuration with a Cisco proprietary encryption.
Domain Name–Specific Commands
- Configure, verify and troubleshoot DHCP and DNS operation on a router (including: CLI/SDM)
Quite often, you have to test connectivity or connect to a multitude of devices from your router or switch. Unless you have all their IP addresses memorized or you have a trusty topology map with you wherever you go, you might find it difficult to accurately recall their IP address information. To assist you when such challenges arise, the Cisco IOS can statically or dynamically support domain name resolution on the Cisco device. This way, you can refer to the devices by a recognizable hostname versus an IP address.
The command to create a static entry in the IOS configuration file is ip host. For example, given the following command:
CCNA2811(config)#ip host corerouter 172.16.1.1
The IOS automatically forms a name-to-IP association in a host table so that every time you refer to corerouter, it translates that hostname to the IP of 172.16.1.1.
In instances where there are far too many devices to create individual static host entries, you might be better suited to have a DNS server keep the hostname-to-IP records. With that infrastructure in place, you can have your Cisco device use these servers for the name translation. The command to specify the DNS server(s) (up to 6) is the ip name-server command, as shown here:
CCNA2811(config)#ip name-server 172.16.1.254 172.16.1.100 172.16.1.2
Given the previous ip name-server command, when referencing a device by its hostname, the router will query the DNS servers with the IP addresses of 172.16.1.254, 172.16.1.100, and 172.16.1.2 to resolve that hostname to an IP address.
Domain resolution is automatically enabled on your Cisco device. If you have not configured a DNS server, it tries to resolve hostnames by sending a broadcast out all its active interfaces. This can be irksome when you accidentally type a command in User or Privileged EXEC and the IOS attempts to resolve the command thinking that it is a hostname. To disable this feature, use the following command:
CCNA2811(config)#no ip domain lookup
One final domain-specific command is to assign your Cisco device to an IP domain. This command has several purposes in a Cisco networking environment; however, for our purposes, it will be crucial in enabling SSH connectivity to our Cisco device, as discussed in the next section. The command to assign a default domain name to a Cisco device is ip domain-name, as shown here:
CCNA2811(config)#ip domain-name examprep.com
- Implement basic router security
As mentioned in Chapter 7, SSH is a secure (and Cisco preferred) method of remote access to Cisco devices because the terminal connection uses RSA public key cryptography for authentication and encryption of the data sent over the terminal connection. Because this terminal connection utilizes encryption, two prerequisites for configuring SSH are to have an IOS feature set that includes IPsec (DES or 3DES) on the Cisco device and to have an SSH-capable terminal client such as PuTTY or SecureCRT.
Assuming your Cisco device meets the prerequisites for SSH, the first step in enabling SSH connectivity to the Cisco IOS is to configure a hostname (other than its default) and assign the device to a domain, as previously discussed. The only remaining step in the SSH process is to generate an RSA key for the encryption. The default key length is 512 bits; however, a key of at least 1024 bits is recommended for additional security strength. The command to generate this key is crypto key generate rsa, as demonstrated here:
CCNA2811(config)#crypto key generate rsa
The name for the keys will be: CCNA2811.examprep.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose
Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus : 1024
Generating RSA keys ...
7w1d: %SSH-5-ENABLED: SSH 1.5 has been enabled
Notice how the key generating process uses the hostname and domain name of the device when generating the key; therefore, those configuration steps must be performed first. Also notice that at the completion of the key generation, SSH is automatically enabled.
Starting with Cisco IOS Software Release 12.3(4)T, Cisco IOS devices support SSH version 2. Version 2 is more flexible and addressed some active attack vulnerabilities from version 1.
One final element to the SSH configuration is to define a username and password for authentication. This username/password pair will be used when you configure your SSH client to connect to the IOS. The command to define this username and password pair is username username password password in Global Configuration. For instance, if you want to use SSHusername as your username and SSHpassword as your password, the configuration would look like the following:
CCNA2811(config)#username SSHusername password SSHpassword
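Two points from this chapter lend themselves to an automated check over a saved configuration: how enable and username credentials are stored (clear text, service password-encryption, or enable secret), and whether the hostname, domain name and username that SSH depends on are all in place. The following is an added example, not IOS or Cisco tooling; the sample configurations are constructed for it, the type 5 hashes in them are placeholders rather than real digests, and the finding texts are the example's own wording. Note that the RSA key pair generated by crypto key generate rsa is not part of running-config, so a config audit cannot confirm it exists.

```python
"""Audit a Cisco IOS running-config for the credential-storage and SSH-prerequisite
points covered above. Added example, not IOS or Cisco tooling; the sample configs
are constructed and their hashes are placeholders, not real digests."""
import re

# IOS stores a credential as "<type> <value>": no type or 0 = clear text,
# 7 = reversible proprietary encryption (service password-encryption), 5 = MD5 hash.
ENABLE_RE = re.compile(r"^enable (password|secret)(?: ([057]))? (\S+)$")
USER_RE = re.compile(r"^username (\S+) (password|secret)(?: ([057]))? (\S+)$")

# Constructed sample configs; "$1$PLAC$EHOLDER..." stands in for a real type 5 hash.
WEAK_CONFIG = """\
hostname CCNA2811
enable password myenablepassword
enable secret 5 $1$PLAC$EHOLDERhash0000000000000
ip domain-name examprep.com
username SSHusername password SSHpassword
"""
DEFAULT_HOST_CONFIG = """\
enable secret 5 $1$PLAC$EHOLDERhash0000000000000
username SSHusername password 7 0123456789ABCDEF
"""


def config_lines(text):
    """Config lines with blanks and '!' comment lines removed, whitespace trimmed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def weakness(kind, ptype):
    """How a stored credential can be recovered from the config text, or None if hashed."""
    if kind == "secret":
        return None                      # one-way hash: not recoverable by reading the config
    if ptype in (None, "0"):
        return "clear text (type 0)"
    if ptype == "7":
        return "type 7 (reversible Cisco proprietary encryption)"
    return None


def audit_passwords(text):
    """Return findings about enable and username credentials, as plain strings."""
    lines = config_lines(text)
    findings, seen = [], {"password": False, "secret": False}
    for line in lines:
        m = ENABLE_RE.match(line)
        if m:
            kind, ptype, _ = m.groups()
            seen[kind] = True
            if (w := weakness(kind, ptype)):
                findings.append(f"enable password stored as {w}; use enable secret instead")
            continue
        m = USER_RE.match(line)
        if m:
            user, kind, ptype, _ = m.groups()
            if (w := weakness(kind, ptype)):
                findings.append(f"username {user} stored as {w}; prefer 'username {user} secret'")
    if seen["password"] and seen["secret"]:
        findings.append("both enable password and enable secret are set; enable secret "
                        "overrides, so the enable password line only adds exposure")
    if any("clear text" in f for f in findings) and "service password-encryption" not in lines:
        findings.append("service password-encryption is off: clear-text credentials are "
                        "readable by anyone who can view the configuration")
    return findings


def ssh_prerequisites(text):
    """List the SSH prerequisites from this section that the config does not meet.
    The RSA key pair is not part of running-config, so it is not checked here."""
    lines = config_lines(text)
    missing = []
    hostname = next((l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), "Router")
    if hostname == "Router":             # the key is named <hostname>.<domain>, so the default will not do
        missing.append("hostname (still the default 'Router')")
    if not any(l.startswith("ip domain-name ") for l in lines):
        missing.append("ip domain-name")
    if not any(USER_RE.match(l) for l in lines):
        missing.append("username for the SSH login")
    return missing


if __name__ == "__main__":
    for name, cfg in (("WEAK_CONFIG", WEAK_CONFIG), ("DEFAULT_HOST_CONFIG", DEFAULT_HOST_CONFIG)):
        print(name)
        for f in audit_passwords(cfg):
            print("  finding:", f)
        print("  SSH prerequisites missing:", ssh_prerequisites(cfg) or "none")
```

On WEAK_CONFIG the audit reports the clear-text enable password and username, the redundant enable password line that enable secret overrides, and the absence of service password-encryption; DEFAULT_HOST_CONFIG passes the credential checks except for the type 7 username but fails the SSH prerequisites because the hostname is still Router and no ip domain-name is set.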