Chapter 3: Router Configuration

In This Chapter

Configuring a router

Configuring passwords for different interfaces

Running the Setup Wizard

Managing users

In the previous chapter, I discuss in depth what routers do and how they do it. This chapter reviews the steps you take to connect to your router and to make configuration or setup changes. You start this process by making a physical connection to your router (see Book I, Chapter 5 for more on this topic). After you establish the connection, you can make changes to the configuration of your router. This chapter walks you through the basic configurations for both your network and the interfaces. Advanced routing configuration is covered in later chapters of this minibook as you examine each type of routing protocol.

Getting to Know the Internetwork Operating System (IOS) for Routers

I introduce the IOS in Book I, Chapter 5. The command set in the IOS used with routers and the one used with switches (see Book III for more on switches) share many of the same commands and the same basic structure; only a small selection of commands is specific to routers. You navigate the commands and move between command modes on a router the same way you do on any Cisco IOS device. If you are not familiar with User EXEC mode, Privileged EXEC mode, and Global Configuration mode, read the content in Book I, Chapter 5.

Tip: Getting help in the IOS is easy: Type a question mark (?) at any point on the command line to see the commands that are available or to find out how to complete a command. In conjunction with tab completion, you can usually quickly figure out most commands.

Tip: If you are new to router configuration, you can download a complete command reference guide for each IOS routing component from Cisco by going to www.cisco.com/cisco/web/psa/reference.html and selecting the Support section. After you get to the reference page, select your IOS version from the Product selection dialog box.

Making Router Connections

In Book I, Chapter 5, I introduce how to connect to your router and make changes to the configuration. Here are the three basic ways to make configuration changes to a router:

Console connection: This method involves having direct access to the router. You make the changes through the computer’s serial port and a rollover cable. This is command line access to a router.

Remember: Because, initially, you can always make a console connection to the router, be sure to take a few minutes to locate a rollover cable for the router as well as the console port on the router. If you do not have a serial port on your computer, make plans to get a USB serial port adapter for the computer and test it with your Cisco router. Be sure to do this before you need to make an emergency connection to your router.

Telnet or SSH: These options give you remote command-line access to the router to make configuration changes.

Tip: If you have enabled SSH access to your router, make sure that you also disable Telnet access. SSH is as easy to use as Telnet and is the only secure remote-access option for the command-line interface.

Security Device Manager (SDM): Represents the most popular graphical configuration interface for your routers.

Performing a Basic Configuration

You have only a few issues to worry about in order to get a basic routing configuration on your router. This section looks at each of these issues.

Setting the hostname

The hostname is the name the router goes by on your network. The router name does not change how the router functions, but when you are making remote connections to the router, this name enables you to be sure you are working on the correct device on the network. Few things are worse than applying the incorrect configuration to a central production router.

To apply a descriptive name to your router, you can use code similar to the following snippet, using perhaps an even more descriptive name:

Router>enable

Password:

Router#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#hostname Router2

Router2(config)#exit

Configuring standard router ports

You find several ports on your router; these ports include the ones described in this list:

Aux port: This auxiliary port is used to connect a modem to the router, which can then be used to remotely modify the configuration on the router. This port is shown in Figure 3-1.

Figure 3-1: Most routers have both console and AUX ports.

Attachment Unit Interface (AUI) port: Before the WIC became a standard for providing expansion through an add-on port, the AUI allowed transceivers to be used, providing you with the ability to add various types of network connections, such as fiber or copper Ethernet connections.

A transceiver is a small electronic device that converts electrical signals from the AUI specification on one side of the transceiver to that of the connection type on the other side of the transceiver. An AUI port is shown in Figure 3-2.

Serial: Connects a modem or other serial device to allow a WAN network interface to be used on the router. Two serial ports are shown in Figure 3-2.

Ethernet/Fast Ethernet/Gigabit Ethernet: Standard network interfaces used to connect different network segments.

Console: Serial configuration port for command-line access to router management and configuration. Refer to Figure 3-1 to see the console port.

Figure 3-2: Most WAN interface or network interface connections are managed through AUI and serial ports.


WAN Interface Card (WIC) port: Because a wide variety of WAN connectivity options are available (for example, T1, ISDN, ADSL), you can use this port to add different interfaces to a standard router. See Figure 3-3.

Hardware WAN Interface Card (HWIC) port: With the integration of services into routers, the WIC interface became too limiting. The HWIC interface was created to support a wider variety of hardware expansion options, such as switches and service cards. This port is backward compatible with most older WIC hardware.

Figure 3-3: A T1 WIC card and an 8-port switch installed in HWIC interface ports.

Configuring interfaces

In this section, I examine only the basics of configuring Ethernet, Fast Ethernet, and Gigabit Ethernet connections. Serial connections are covered in Chapter 5 of this minibook.

Connecting to your router

To start your configuration, you need to connect to your router and get into Configuration mode using the following set of commands:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Next, you select the port by number (a port is also called an interface because it is a networking port), which is how you identify the specific interface you want to work with. You choose the interface type (Ethernet, Fast Ethernet, or Gigabit Ethernet) and then specify the port number.

Interfaces in current IOS versions are numbered starting from the motherboard, in one of these formats:

network-module-slot/port

0/interface-card-slot/port

network-module-slot/interface-card-slot/port

All modules are effectively connected to the motherboard slot on the router, which is always slot 0 and is represented by the first 0 in the interface name. After that, the numbers identify an integrated interface or an expansion slot in your router. For example, if you have a WIC or HWIC installed, you specify the motherboard slot (0), then the slot into which the card is installed, and then the interface number within that card. Port numbering within a card varies by platform and module, so rather than guessing, list the interfaces the router actually knows about with show ip interface brief and type the name exactly as it appears there:

Router2(config)#interface FastEthernet 0/0

Using auto settings

You can set the specifics of the network connection or use the auto settings for duplex and speed settings. Duplex modes include Full Duplex mode or Half Duplex mode, whereas speeds typically are from 10 Mbps up to the speed of the interface.

Router2(config-if)#duplex auto

Router2(config-if)#speed auto

Adding a description

You might not want to use this feature for switches, but on your router, providing a description helps to prevent changing the configuration on the wrong interface. “Oops, was that the corporate WAN interface I just changed the IP address on? Time to polish up that resumé.” A description does not assist with the configuration; it just helps prevent human error.

Router2(config-if)#description Internal LAN Interface

Configuring a VLAN identifier

Because the interface works similarly to a switchport, and if you do not want to rely on the access settings of the switch to which you have connected the router, you can configure a VLAN identifier for the interface with the vlan-id or vlan-range command. This command is available only on certain router platforms and IOS versions; the more common way to put a routed interface on a tagged VLAN is a subinterface (for example, FastEthernet 0/0.10) configured with encapsulation dot1Q and the VLAN number. On a platform that supports it, the command looks like this:

Router2(config-if)#vlan-id dot1q 1

Router2(config-if-vlan-id)#exit

Setting a routing interface

Because you plan to route from this interface, you need to give the client devices an IP address to connect to, as follows:

Router2(config-if)#ip address 192.168.1.240 255.255.255.0

Remember: You do have the option of configuring the interface to obtain its address with DHCP using the command ip address dhcp, but this is rarely done for static network devices such as routers. The most common case is a router acting as a Network Address Translation (NAT) device whose outside interface gets its address from an ISP. See Book VI, Chapter 3 for more on NAT.

Enabling your interface

Now, you have done all of this work, and there is a good chance you want to use this interface; however, if you exit the configuration and check the running configuration, you will notice one configuration item that is a little strange.

Router2#show running-config interface FastEthernet 0/0

Building configuration...

Current configuration : 199 bytes

!

interface FastEthernet0/0

description Internal LAN Interface

ip address 192.168.1.240 255.255.255.0

shutdown

speed auto

full-duplex

vlan-id dot1q 1

  exit-vlan-config

!

no mop enabled

end

One item is present that should not be there once you are ready to use the interface: the shutdown command. Unlike switch ports, all interfaces on a router are administratively shut down by default. At first, this may seem strange, but think about where routers are used; in many cases, they sit as the gateway between you and the unprotected Internet. Leaving a port disabled until you have finished configuring it means nothing is exposed before you intend it to be, and you never bring up an interface with a half-complete configuration. As with switch interfaces, the command that removes the shutdown command is no shutdown, so you complete the configuration of your router interface with the following command:

Router2(config-if)#no shutdown

If you are working on the console or have terminal monitor enabled, you should receive status messages telling you that the interface and then its line protocol have come up, similar to the following:

%LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Double-checking your settings

After you have the interface up and running, if you are using an auto setting for the speed and duplex settings, examine the interface to ensure that it has detected settings you are happy with. Do so with the show interface command, as shown here:

Router2#show interfaces FastEthernet 0/0

FastEthernet0/0 is up, line protocol is up

  Hardware is AmdFE, address is 000f.8f4b.a600 (bia 000f.8f4b.a600)

  Description: Internal LAN Interface

  Internet address is 192.168.1.240/24

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:07, output 00:00:02, output hang never

  Last clearing of “show interface” counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     417167 packets input, 39317868 bytes

     Received 415431 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     149499 packets output, 17447327 bytes, 0 underruns

     0 output errors, 0 collisions, 3 interface resets

     0 babbles, 0 late collision, 0 deferred

     4 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

In the preceding information, notice that the interface and line protocols should both be up. In this case, the interface detected Full-duplex as well as a speed of 100 Mbps. From here, you can verify the IP address of the interface, and you can see if any packet errors are on the interface.

Incorrect duplex settings between the two ends of a connection cause packet errors. The classic signature is late collisions and a high collision count on the half-duplex side, with CRC, frame, and runt errors on the full-duplex side. If you see those counters climbing on an interface that negotiated full duplex, check the duplex setting on the switch port at the other end before looking anywhere else.
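As an added example (not from the original chapter), here is a small Python script that parses show interfaces output and applies the duplex-mismatch heuristic just described. Both sample outputs are constructed for the example: the first is a condensed copy of the FastEthernet0/0 output above, and the second has made-up counters showing what the half-duplex side of a mismatch looks like.

```python
import re

# Constructed sample outputs, modelled on the show interfaces output above.
# The first is a condensed version of the healthy FastEthernet0/0 output; the
# second has made-up counters showing what the half-duplex side of a duplex
# mismatch typically looks like.
SAMPLE_GOOD = """FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     417167 packets input, 39317868 bytes
     Received 415431 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     149499 packets output, 17447327 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

SAMPLE_MISMATCH = """FastEthernet0/1 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     90211 packets input, 8120044 bytes
     Received 1203 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     60422 packets output, 5101932 bytes, 0 underruns
     0 output errors, 4120 collisions, 0 interface resets
     0 babbles, 1893 late collision, 0 deferred
"""

# Counters worth extracting, with the regex that finds each one in the output.
COUNTERS = {
    "runts": r"(\d+) runts",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_interface(text):
    """Pull state, negotiated duplex/speed and the error counters out of one
    interface's show interfaces output."""
    head = re.match(r"(\S+) is (.+?), line protocol is (\S+)", text)
    link = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    info = {
        "name": head.group(1),
        "state": head.group(2),
        "line_protocol": head.group(3),
        "duplex": link.group(1).lower(),
        "speed_mbps": int(link.group(2)),
    }
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else 0
    return info


def duplex_mismatch_suspected(info):
    """Heuristic (an assumption drawn from common troubleshooting practice,
    not a rule from the chapter): the half-duplex side of a mismatch logs late
    collisions, while the full-duplex side sees CRC, frame and runt errors
    because the other end transmits while it is already sending.
    Returns a reason string, or None if the counters look clean."""
    if info["duplex"] == "half" and info["late_collisions"] > 0:
        return ("%s: half-duplex with %d late collisions; far end is probably "
                "full-duplex" % (info["name"], info["late_collisions"]))
    if info["duplex"] == "full" and (info["crc"] or info["frame"] or info["runts"]):
        return ("%s: full-duplex with CRC/frame/runt errors; far end is probably "
                "half-duplex" % info["name"])
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_MISMATCH):
        info = parse_interface(sample)
        print(info["name"], info["duplex"], info["speed_mbps"], "Mb/s:",
              duplex_mismatch_suspected(info) or "no mismatch signature")
```

Feed it the text of show interfaces captured from a real device and it reports which side of the link needs its duplex setting checked; a clean interface that has negotiated full duplex at 100 Mb/s, like the one above, produces no finding.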

Configuring your router’s IP settings

You have already set the IP address on the interface, but in most cases, you must do more. Like any network device, the router needs at least a default gateway. Unlike on a host, the default gateway is not set on an interface; it is set for the entire router. The default gateway appears in the configuration as the gateway of last resort, which means that if no more specific route matches a destination, the router uses this gateway. When you look at the routing table with the show ip route command, it appears as the gateway of last resort:

Router2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.10 to network 0.0.0.0

C    192.168.5.0/24 is directly connected, FastEthernet0/1

C    192.168.1.0/24 is directly connected, FastEthernet0/0

     192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks

S       192.168.100.0/24 [1/0] via 192.168.5.2

S       192.168.100.75/32 [1/0] via 192.168.5.5

S*   0.0.0.0/0 [1/0] via 192.168.5.10

To set the gateway of last resort, enter Global Configuration mode and use the ip route command to add a route that matches every destination. Numerically, it is the opposite of the all-ones broadcast address 255.255.255.255: a network ID of 0.0.0.0 with a mask of 0.0.0.0, or 0.0.0.0/0 in Classless InterDomain Routing (CIDR) notation. The network ID is all binary zeros, and the mask says that every bit is a host bit, which effectively matches all networks and all hosts. Because the router always uses the longest matching prefix, this route is consulted only when no more specific route matches. The only other thing the command needs is the next hop, the gateway or router that gets your data one step closer to its destination; this next hop must be on a network segment to which your router is directly connected. In the routing table shown earlier, that is 192.168.5.10 on the FastEthernet0/1 segment, so the complete command looks like this:

Router2(config)#ip route 0.0.0.0 0.0.0.0 192.168.5.10
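To make the longest-prefix rule concrete, here is an added Python example (not part of the original chapter) that reproduces the lookup a router performs against the routing table shown above. The route list is constructed from that show ip route output. The next_hop_on_connected_network check is a simplified version of the rule that a static route's next hop must be on a connected segment; IOS also accepts next hops that resolve recursively through other routes, which this example does not model.

```python
import ipaddress

# Route table constructed from the show ip route output above:
# (code, prefix, next hop or exit interface). C = connected, S = static,
# S* = candidate default (the gateway of last resort).
ROUTES = [
    ("C", "192.168.5.0/24", "FastEthernet0/1"),
    ("C", "192.168.1.0/24", "FastEthernet0/0"),
    ("S", "192.168.100.0/24", "192.168.5.2"),
    ("S", "192.168.100.75/32", "192.168.5.5"),
    ("S*", "0.0.0.0/0", "192.168.5.10"),
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match, as a router does it.

    Every route whose network contains dest is a candidate; the one with the
    longest mask wins. 0.0.0.0/0 contains every address but has the shortest
    possible mask, so it is chosen only when nothing more specific matches.
    Returns (prefix, next hop) or None when the destination is unroutable.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for _code, prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return (str(best[0]), best[1]) if best else None


def gateway_of_last_resort(routes=ROUTES):
    """Next hop of the 0.0.0.0/0 route, or None if no default route exists."""
    for _code, prefix, nexthop in routes:
        if ipaddress.ip_network(prefix).prefixlen == 0:
            return nexthop
    return None


def next_hop_on_connected_network(nexthop, routes=ROUTES):
    """Simplified sanity check for a static route's next hop: it should lie on
    a directly connected (code C) network. A next hop such as 192.168.10.1,
    which is on no connected segment in this table, fails the check, while
    192.168.5.10 passes. (Assumption: IOS also accepts next hops that resolve
    recursively through other routes; that case is deliberately not modelled.)"""
    addr = ipaddress.ip_address(nexthop)
    return any(addr in ipaddress.ip_network(prefix)
               for code, prefix, _ in routes if code == "C")


if __name__ == "__main__":
    for dest in ("192.168.100.75", "192.168.100.20", "192.168.1.50", "203.0.113.9"):
        print(dest, "->", lookup(dest))
    print("gateway of last resort:", gateway_of_last_resort())
    print("without a default route, 203.0.113.9 ->", lookup("203.0.113.9", ROUTES[:-1]))
    print("192.168.10.1 usable as next hop:", next_hop_on_connected_network("192.168.10.1"))
```

Note how 192.168.100.75 is sent to 192.168.5.5 because of the /32 host route even though 192.168.100.0/24 also contains it, and how a destination outside every known network is dropped (lookup returns None) as soon as the default route is removed from the table.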

Enabling routing

You should now be able to use the ping command from the router to test a connection to a remote address through your gateway of last resort. Testing from a host is another matter. If you configure a device, connect it to your router interface, and ping a host on the other router segment, you may find that you receive no reply. Remember that the remote host needs a path back to your network segment, so you must configure the other host to use the router's other interface as its default gateway, similar to what is shown in Figure 3-4. Even with the router configured with two interfaces as described and both hosts pointed at it, you still might not be able to reach one host from the other.

Figure 3-4: A basic two-segment network.


Well, what is missing? Cisco routers normally forward IP traffic out of the box, but the basic management setup dialog (described in the section “Running Setup Wizard,” later in this chapter) writes no ip routing into the configuration, and a router with IP routing disabled behaves like a host: it answers on its own interfaces but does not forward packets between them. You can think of this as a security feature or as an optional configuration; either way, until you enable IP routing with the following command, your router will not route IP-based traffic between its interfaces.

Router2(config)#ip routing

Now, you should be able to test the connection (with the ping command) from one side of your router to the other side.

Remember: Pinging the address of the router interface on the far side from a host is not a good test that routing is working, because even with IP routing disabled, the router answers from any of its configured interfaces. The only real test is to get a response from a host beyond the router, that is, a host on the other segment, with a command like ping.

Configuring passwords

Although the IOS does not force you to put a password on your router, doing so is essential. If you leave passwords unset and allow remote access such as Telnet, anyone who can reach any interface of the router can connect and reconfigure it to their heart's desire, giving themselves access to your entire internal network.

Remember: On recent versions of the IOS for routers, the setup dialog that runs at first boot (or after the configuration has been erased) prompts you for the enable secret, enable password, and virtual terminal password before you get a command prompt, so a freshly set up router usually has them.

Several types of passwords can be configured on a Cisco router: for Telnet and SSH connections (the vty lines), for the console port, for the auxiliary port, the enable password, and the enable secret. All of these are worth setting, but if you set only one, make it the enable secret, because it protects Privileged EXEC mode and is the only one of the group that is stored as a one-way hash rather than in a recoverable form.

Setting the enable password

You use the enable password every time you move from User EXEC mode to Privileged EXEC mode. This password gives you security on your router, because Privileged EXEC mode is where all the dangerous commands are located, including access to Global Configuration mode. To set an enable password, use the following command:

Router2>enable

Router2#configure terminal

Router2(config)#enable password mypassword

This command creates an enable password that is stored in your configuration file. To view this password, show the running configuration using the following command:

Router2>enable

Password:

Router2#show running-config | include enable password

enable password mypassword

You may immediately see the problem here. The password is stored in plain text in your configuration file, thus anyone who has access to your configuration file can easily read the password.

Setting the secret password

Cisco’s solution to the enable password’s inherent problem was to create a new type of password called the secret password. When you configure both an enable password and an enable secret, the secret is the one used to switch from User EXEC mode to Privileged EXEC mode; the enable password is then ignored, so never set it to the same value as the secret, or the recoverable copy gives the secret away. The following code sets both passwords for your router:

Router2>enable

Router2#configure terminal

Router2(config)#enable password mypassword

Router2(config)#enable secret mysecretpassword

To see your enable passwords in your configuration, use the following command:

Router2>enable

Password:

Router2#show running-config | include enable

enable secret 5 $1$BSX4$FZp.ZFvYSAGUEDn8dvr140

enable password mypassword

Remember: The number after the keyword tells you how the password is stored. A 0 (or no number at all) is a plain-text password. A 7 identifies Cisco’s weak, reversible type 7 encryption, which freely available tools decode instantly; treat type 7 strings as if they were plain text. A 5 identifies a salted one-way MD5 hash, which is what enable secret produces here. Newer IOS releases also support type 8 (PBKDF2-SHA256) and type 9 (scrypt), chosen with the enable algorithm-type command; prefer them over type 5 where your IOS supports them, and avoid type 4, an unsalted SHA-256 that Cisco has deprecated.

Setting the Telnet password

If you need to remotely manage your router, you can choose between Telnet and SSH. I discuss the dangers of Telnet in the section “Connecting remotely via Telnet or SSH,” in Book I, Chapter 5 — that is, Telnet sends data over the network in clear text, which makes it less secure than SSH. Some people justify the use of Telnet, and granted, if they are running it on a secured management network, some of the risks are mitigated.

In spite of the risks, it is good to know how Telnet works and how to administer it. Telnet accesses the router through the Virtual Terminal ports or vty ports. To see if you are set up with vty ports on your router, use the following command:

Router2>enable

Password:

Router2#show running-config | include line vty

line vty 0 4

So, you are set up with five vty ports on your router, numbered from 0 to 4, which means you can host up to five Telnet connections simultaneously on your router. The chance of having five network administrators making connections to this router at the same time is somewhat low. To find out how many connections your router will support, use the following command:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router2(config)#line vty 0 ?

  <1-181>  Last Line number

  <cr>

By typing the ?, the router lets you know that the last line number can be anything from 1 to 181, so it supports up to 182 vty lines in total (0 through 181). You can also select a smaller group: line vty 0 1, for example, selects only the first two lines for configuration.

To set the password for a Telnet or vty port, use the following commands:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#line vty 0 4

Router2(config-line)#password vtypass

Router2(config-line)#login

Router2(config-line)#exit

Router2(config)#exit

Note the appearance of the Line Configuration mode prompt (config-line), which has not yet appeared in this minibook. It is one more mode that you see when managing your router.

Remember: To have Telnet access to the router, you need both an enable password (or enable secret) and the vty line password in your configuration. The login command on the line is what makes the router prompt for the line password; it is present on the vty lines by default, but it is shown here so that the requirement is explicit.

Setting the SSH password

To set up access to the router for SSH, you must perform a few more steps. SSH access is not possible with only a password; you also need a user account created on your router. You discover how to create users in the section “Working with Users,” later in this chapter. For now, assume that you have a user named remote with a password of remote. (Please do not use this type of password policy on your production network!)

To set up SSH access, you must change the default vty terminal or create a new one. In this case, you create a new vty for SSH access using the following commands:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#ip domain-name edtetz.net

Router2(config)#crypto key generate rsa

The name for the keys will be: Router2.edtetz.net

Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys ...[OK]

Router2(config)#

*Mar 17 00:59:53.971: %SSH-5-ENABLED: SSH 1.99 has been enabled

Router2(config)#line vty 5

Router2(config-line)#login local

Router2(config-line)#transport input ssh

Router2(config-line)#exit

Router2(config)#exit

The preceding commands accomplish four key things:

Generates an RSA key pair for the router (named after its hostname and domain name, which is why ip domain-name comes first) and enables the SSH server.

Creates a vty pool of one terminal, line 5.

Sets the login option for that line to use the local user account database.

Restricts the incoming transport on that line to SSH, rather than Telnet or the other supported protocols.

Remember: The crypto key generate rsa command needs to be issued only once on the router. Choose a modulus of at least 2048 bits; the 512-bit default offered by this older IOS release, and the 1024 bits chosen above, are too small by today’s standards (on releases that support it, crypto key generate rsa modulus 2048 sets the size on the command line). The SSH 1.99 in the log message means the router is offering both SSH version 1 and version 2; add ip ssh version 2 so that the weak version 1 protocol is not accepted.

At this point, you should be able to use a program like PuTTY (discussed in Book I, Chapter 5) to connect to this router on TCP port 22. Because Telnet is still enabled on vty ports 0 through 4, use the following commands to disable all remote access through that set of vty lines. By disabling the five default vty lines, you reduce remote management of this router to one SSH user at a time and eliminate unencrypted Telnet management traffic on the network. You can still manage the router remotely, but you are required to use SSH. (If you would rather keep five concurrent sessions, apply login local and transport input ssh to line vty 0 4 instead of creating line 5.)

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#line vty 0 4

Router2(config-line)#transport input none

Router2(config-line)#exit

Router2(config)#exit

Setting the console port password

Anyone with access to the console port on your router can connect to it and have, at a minimum, access to User EXEC mode; if they happen to know the enable password or secret, they can enter Privileged EXEC mode. To prevent this access, you can add a password to the console line, which requires users to enter a password in order to gain access through the console port.

Tip: In a case such as this, the bigger security question is why anyone who is not authorized has physical access to your router, which I cover in Book VI, Chapter 4.

To place a password on the console port, you use a system that is very similar to that of the vty ports. Examine the following commands:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#line con 0

Router2(config-line)#password conpass

Router2(config-line)#login

Router2(config-line)#exit

Router2(config)#exit

By implementing a console port password you add an extra layer of security on connections to this port.

Setting the Auxiliary Port (AUX) password

The AUX port is used to configure a modem to allow dial-in access to the router. You can use this modem connection as a backup configuration interface if you make a configuration error and lose other forms of remote configuration access, such as SSH or Telnet. By having a configured modem attached to the AUX port, you can connect to the router and correct the problem from any location where you have a modem connection.

Unfortunately, by default, anyone is able to dial in to your modem and get access to User Exec mode on your router. To make it more difficult for unauthorized people to access your router, you can configure a password on the AUX port. To do so, use the following configuration commands:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#line aux 0

Router2(config-line)#password auxpass

Router2(config-line)#login

Router2(config-line)#exit

Router2(config)#exit

Finding out where passwords live

Now that you have looked at all the available types of passwords, display the running configuration to see how they are stored:

Router2#show running-config

Building configuration...

Current configuration : 921 bytes

!

version 12.3

!

(output omitted for brevity)

!

enable secret 5 $1$exG2$cxsOWeiMWa7a8SMo5dw51/

enable password enablepass

!

(Output omitted for brevity)

!

line con 0

password conpass

login

line aux 0

password auxpass

login

line vty 0 4

password termpass

login

!

end

Notice that the only password that is not stored in clear text is the enable secret password. All other passwords are clearly readable to anyone who has access to the configuration file or command.

Remember: Because the line passwords and the enable password are stored in the configuration file in clear text, they are not very secure. The service password-encryption command converts them to type 7 strings, which hides them from casual over-the-shoulder viewing but, as noted earlier, offers no real protection because type 7 is trivially reversible; anyone who obtains the configuration file still has the passwords. The only password that is actually hashed is the enable secret, so rely on it, on local user accounts created with the username name secret password form, and on restricting who can read or back up your configuration files. I cover encrypted passwords in Book VI, Chapter 4 as a security best practice.
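Here is an added Python example, not part of the original chapter, that audits a running configuration for the storage types discussed in this section and in the earlier note on type 5 and type 7 passwords, and also flags vty lines that still permit Telnet. The configuration fragment is constructed from the output above, with one local user added whose password is stored as type 7 (0822455D0A16, the commonly cited encoding of the word cisco). The decoder implements Cisco’s published type 7 scheme, which is the whole point: a few lines of code recover every type 7 password in a file.

```python
import re

# Cisco's fixed type 7 key string. The scheme is public, so anything stored
# as type 7 is recoverable by anyone who can read the configuration.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config fragment modelled on the output above, with a
# local user whose password is stored as type 7 (0822455D0A16 encodes "cisco").
CONSTRUCTED_CONFIG = """!
enable secret 5 $1$exG2$cxsOWeiMWa7a8SMo5dw51/
enable password enablepass
username remote password 7 0822455D0A16
!
line con 0
 password conpass
 login
line aux 0
 password auxpass
 login
line vty 0 4
 password termpass
 login
 transport input telnet ssh
line vty 5
 login local
 transport input ssh
!
end
"""

# Matches the password-carrying statements: the keyword(s), an optional
# one-digit storage type, and the stored value.
PW_RE = re.compile(
    r"^\s*(enable secret|enable password|"
    r"username \S+ (?:privilege \d+ )?(?:secret|password)|password)"
    r"\s+(?:(\d)\s+)?(\S+)\s*$"
)

# How each storage type should be judged. Types 0 and 7 are effectively plain
# text; type 5 is a real salted MD5 hash but cheap to attack offline.
TYPE_INFO = {
    "0": ("plain text", "high"),
    "7": ("type 7, reversible XOR against a fixed key", "high"),
    "4": ("type 4, unsalted SHA-256 (deprecated)", "medium"),
    "5": ("type 5, salted MD5 hash", "low"),
    "8": ("type 8, PBKDF2-SHA256", "info"),
    "9": ("type 9, scrypt", "info"),
}


def decode_type7(enc):
    """Reverse a type 7 string: the first two digits are an offset into
    TYPE7_KEY, and each following hex pair is one password byte XORed with
    successive key bytes starting at that offset."""
    offset = int(enc[:2])
    chars = []
    for n, i in enumerate(range(2, len(enc), 2)):
        byte = int(enc[i:i + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(offset + n) % len(TYPE7_KEY)])))
    return "".join(chars)


def audit_config(text):
    """Walk the config, classify every stored password, and flag vty lines
    that still accept Telnet. Returns a list of finding dicts."""
    findings = []
    block = None            # current "line ..." section, if any
    vty_transport = {}      # vty block -> list of allowed transports
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("line "):
            block = line
            if block.startswith("line vty"):
                vty_transport[block] = None
            continue
        m = PW_RE.match(line)
        if m:
            item, ptype, value = m.group(1), m.group(2) or "0", m.group(3)
            desc, severity = TYPE_INFO.get(ptype, ("unknown type %s" % ptype, "medium"))
            finding = {"line": lineno, "scope": block or "global", "item": item,
                       "type": ptype, "desc": desc, "severity": severity}
            if ptype == "7":
                finding["decoded"] = decode_type7(value)
            elif ptype == "0":
                finding["decoded"] = value
            findings.append(finding)
        elif block in vty_transport and line.startswith("transport input"):
            vty_transport[block] = line.split()[2:]
    for vty, protocols in vty_transport.items():
        if protocols is None:
            findings.append({"scope": vty, "item": "transport input", "severity": "medium",
                             "desc": "no transport input statement; platform default applies"})
        elif "telnet" in protocols or "all" in protocols:
            findings.append({"scope": vty, "item": "transport input", "severity": "high",
                             "desc": "Telnet permitted (%s)" % " ".join(protocols)})
    return findings


if __name__ == "__main__":
    for f in audit_config(CONSTRUCTED_CONFIG):
        extra = " -> %r" % f["decoded"] if "decoded" in f else ""
        print("[%s] %s: %s (%s)%s" % (f["severity"], f["scope"], f["item"], f["desc"], extra))
```

Run against the constructed fragment, the audit reports the four plain-text line and enable passwords, recovers cisco from the type 7 string, rates the type 5 enable secret as the only acceptably stored credential, and flags line vty 0 4 for still accepting Telnet while line vty 5 passes. Point it at show running-config output saved from your own routers before anyone else does.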

Setting banners

A banner is a message that is presented to someone using the router. When this message is shown to the user depends on the type of banner you configured. You can configure three main types of banners on a Cisco router.

Message of the Day (MOTD): This type of logon message has been around for a long time on Unix and mainframe systems. The idea was to display a temporary notice to users, such as issues with system availability. However, because it displays when you connect to the device prior to login, most network administrators now use it to display legal notices regarding access to the router, such as unauthorized access to this device is prohibited and violators will be prosecuted to the full extent of the law.

Login: This banner displays before login to the system but after the MOTD banner is displayed. Typically, this banner displays a permanent message to users.

Exec: This banner displays after the login is completed when the connecting user enters User EXEC mode. Whereas the other banners are seen by all people who attempt to connect to the router, this banner is seen only by users who successfully log on to the router. This banner can be used to post reminders to network administrators.

To configure each of these banners, examine the following commands, which set all three banners up on your router:

Router2(config)#banner motd #

Enter TEXT message. End with the character ‘#’.

This device is for authorized personnel only.

If you have not been provided with permission to

access this device - disconnect at once.

#

Router2(config)#banner login #

Enter TEXT message. End with the character ‘#’.

*** Login Required. Unauthorized use is prohibited ***

#

Router2(config)#banner exec #

Enter TEXT message.  End with the character ‘#’.

*** Ensure that you update the system configuration ***

*** documentation after making system changes.      ***

#

Router2(config)#exit

Notice that each banner ends with a hash symbol (#) to delimit the end of the message. You can specify any character you want as the delimiter when you enter the banner command, but that character then ends the message, so choose one that does not appear in the text itself. Here is what these messages look like when you connect to the router:

Router2 Con0 is now available

Press RETURN to get started!

This device is for authorized personnel only.

If you have not been provided with permission to

access this device - disconnect at once.

*** Login Required.  Unauthorized use is prohibited ***

User Access Verification

Password:

*** Ensure that you update the system configuration ***

*** documentation after making system changes.      ***

Router2>

Running Setup Wizard

Although I explain how to configure elements of your router, you have to follow a specific procedure the first time you power up a new router, or when you erase the configuration. When the router boots for the first time, it automatically enters setup. If your router does not, you have the option of running setup from Privileged EXEC mode. Here is the basic setup process; within just a few minutes, you can have your router up and running.

Router#setup

         --- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: yes

At any point you may enter a question mark ‘?’ for help.

Use ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets ‘[]’.

Basic management setup configures only enough connectivity

for management of the system, extended setup will ask you

to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes

Configuring global parameters:

  Enter host name [Router]: Router2

  The enable secret is a password used to protect access to

  privileged EXEC and configuration modes. This password, after

  entered, becomes encrypted in the configuration.

  Enter enable secret: secretpass

  The enable password is used when you do not specify an

  enable secret password, with some older software versions, and

  some boot images.

  Enter enable password: enablepass

  The virtual terminal password is used to protect

  access to the router over a network interface.

  Enter virtual terminal password: termpass

  Configure SNMP Network Management? [no]:

Current interface summary

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            192.168.1.108   YES DHCP   up                    up

FastEthernet0/1            unassigned      YES unset  administratively down down

Enter interface name used to connect to the

management network from the above interface summary: FastEthernet0/0

Configuring interface FastEthernet0/0:

  Use the 100 Base-TX (RJ-45) connector? [yes]:

  Operate in full-duplex mode? [no]:yes

  Configure IP on this interface? [yes]:

    IP address for this interface [192.168.1.108]: 192.168.1.240

    Subnet mask for this interface [255.255.255.0] :

    Class C network is 192.168.1.0, 24 subnet bits; mask is /24

The following configuration command script was created:

hostname Router2

enable secret 5 $1$exG2$cxsOWeiMWa7a8SMo5dw51/

enable password enablepass

line vty 0 4

password termpass

no snmp-server

!

no ip routing

!

interface FastEthernet0/0

no shutdown

media-type 100Base-TX

full-duplex

ip address 192.168.1.240 255.255.255.0

no mop enabled

!

interface FastEthernet0/1

shutdown

no ip address

!

end

[0] Go to the IOS command prompt without saving this config.

[1] Return back to the setup without saving this config.

[2] Save this configuration to nvram and exit.

Enter your selection [2]:

Building configuration...

[OK]

Use the enabled mode 'configure' command to modify this configuration.

Notice how little information you need to enter to get basic management access to your router over the network, including Telnet access to the router. After the Setup Wizard is complete, enter Configuration mode to update your configuration to disable Telnet in favor of SSH, configure your other network interfaces, and enable routing.

Working with Users

As mentioned in the earlier section “Setting the SSH password,” SSH requires user accounts in order to log in. These accounts can be stored in a local database on the router or on a central Terminal Access Controller Access-Control System (TACACS) server, which is an industry-standard authentication server.

Most small organizations and even some larger ones rely on the local database for user authentication, so this is the user creation option that I will describe in this book.

To use the local database for authentication, you need to follow these two steps:

1. Create at least one user account.

2. Configure your router to use the local database rather than a line password; you do this on each line (such as the aux or vty lines) that you want to protect.

Creating a user in the account database

To create a user in the account database, use a command like the following to specify the username and password:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#username remoteuser password remotepass

Router2(config)#username edt password edpass

Router2(config)#exit

Removing a user

To remove a user, use the standard no form of the command followed by the username. The following command removes the user named remoteuser from the local database:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#no username remoteuser

Router2(config)#exit

Enable user-level protection

Finally, you need to enable the login local setting on each line you want to protect with this user-level protection, using a command similar to the following:

Router2>enable

Password:

Router2#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router2(config)#line aux 0

Router2(config-line)#login local

Router2(config-line)#exit

Router2(config)#exit
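The script the Setup Wizard writes, together with the username and login local steps above, leaves several weak management defaults in place (a plaintext enable password, recoverable user passwords, a shared vty password, and Telnet still accepted). As an added example in Python, not Cisco tooling, the following audits such a configuration and names the IOS fix for each finding; both sample configurations are constructed from this chapter's wizard script and username command, the hardened hash is a placeholder, and the transport input ssh fix assumes SSH has already been set up as described in “Setting the SSH password.”

```python
import re

# Constructed sample: the chapter's Setup Wizard script plus its 'username' command.
WIZARD_CONFIG = """\
enable secret 5 $1$exG2$cxsOWeiMWa7a8SMo5dw51/
enable password enablepass
username remoteuser password remotepass
line vty 0 4
 password termpass
 login
 transport input telnet ssh
"""
# Constructed sample: the same router after the fixes below (hash is a placeholder).
HARDENED_CONFIG = """\
enable secret 5 $1$exG2$cxsOWeiMWa7a8SMo5dw51/
username remoteuser secret 5 $PLACEHOLDER_HASH
line vty 0 4
 login local
 transport input ssh
"""

def parse_blocks(config):
    """Group an IOS config into (command, [sub-commands]); a one-space indent marks a sub-command."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):  # '!' or a blank line closes a block
            current = None
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit_config(config):
    """Return one finding per weak management setting, each naming the IOS fix."""
    findings = []
    for cmd, subs in parse_blocks(config):
        if cmd.startswith("enable password "):
            findings.append("enable password: recoverable fallback; remove it with 'no enable password'")
        elif re.match(r"username \S+ password ", cmd):  # type 0/7 storage, unlike 'secret'
            user = cmd.split()[1]
            findings.append(f"username {user}: recoverable password; re-create with 'username {user} secret <pw>'")
        elif cmd.startswith("line vty"):
            if "login local" not in subs:
                findings.append(f"{cmd}: shared line password only; add 'login local'")
            if [s for s in subs if s.startswith("transport input")] != ["transport input ssh"]:
                findings.append(f"{cmd}: Telnet still accepted (unset means all); set 'transport input ssh'")
    return findings
```

Run audit_config over the text of show running-config; an empty list means none of these four weaknesses is present.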

Showing connected users

At times, you will want to find out who is connected to your router and performing management operations. You can easily do so using the show users command. Here is an example of the output:

Router2>enable

Password:

Router2#show users all

    Line       User       Host(s)              Idle       Location

*  0 con 0                idle                 00:00:00

  65 aux 0                                     00:00:00

  66 vty 0                idle                 00:02:01 192.168.1.3

  67 vty 1                                     00:00:00

  68 vty 2                                     00:00:00

  69 vty 3                                     00:00:00

  70 vty 4                                     00:00:00

  71 vty 5     remoteuser idle                 00:01:05 192.168.1.137

  Interface    User               Mode         Idle     Peer Address

tip.eps The line marked with an asterisk identifies the connection from which you ran the command. In addition, connections that show nothing in the User column, such as vty 0, were authenticated with only the line password, whereas the connection on vty 5 was made with user authentication. Forcing all management connections to use user-based authentication lets you see who is connected to the management interfaces.
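To apply that tip without reading the table by eye, here is an added Python example (not part of the book and not a Cisco feature) that parses the text of show users all and lists the active sessions that carry no username, that is, the ones opened with a shared line password. The sample output is constructed from the listing above; column positions are taken from the header line, which is how the User and Host(s) columns can be told apart when either is blank.

```python
from dataclasses import dataclass

# Constructed sample based on this chapter's 'show users all' output.
SHOW_USERS_ALL = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
  65 aux 0                                     00:00:00
  66 vty 0                idle                 00:02:01 192.168.1.3
  67 vty 1                                     00:00:00
  71 vty 5     remoteuser idle                 00:01:05 192.168.1.137
  Interface    User               Mode         Idle     Peer Address
"""

@dataclass
class Session:
    line: str       # e.g. "66 vty 0"
    user: str       # empty when the line was opened with only a line password
    hosts: str      # "idle" or a host; empty for an unused line (shown by 'all')
    idle: str
    location: str   # peer address; empty for the console and aux port
    current: bool   # the '*' row: the session that ran the command

def parse_show_users(output):
    """Parse the line table of 'show users [all]' into Session records."""
    lines = output.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Line"))
    user_at, host_at, idle_at = (lines[hdr].index(c) for c in ("User", "Host(s)", "Idle"))
    sessions = []
    for row in lines[hdr + 1:]:
        if not row.strip() or row.lstrip().startswith("Interface"):
            break  # end of the line table; the interface table follows it
        tail = row[idle_at:].split()  # idle time, then an optional location
        sessions.append(Session(
            line=row[:user_at].lstrip("*").strip(),
            user=row[user_at:host_at].strip(),
            hosts=row[host_at:idle_at].strip(),
            idle=tail[0] if tail else "",
            location=tail[1] if len(tail) > 1 else "",
            current=row.startswith("*"),
        ))
    return sessions

def password_only_sessions(output):
    """Active sessions with no username: unlocked by a shared line password,
    so the output cannot say who is behind them."""
    return [s for s in parse_show_users(output) if s.hosts and not s.user]
```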
