ICND1 100-105

Starting a Router

There is no better way to understand routing functions than configuring a real router, so in this lesson we are going to start up a Cisco router and initialize it through the Cisco IOS command-line interface (CLI). We will then log in to the router to complete the configuration and monitor its hardware and software status.

Initial Startup of the Cisco Router

The router initialization process is similar to that of a switch. The device first runs the power-on self-test (POST) to check the hardware, then locates and loads the operating system image. It looks in several locations, falling back to the next one if the default location (flash) fails. Once the IOS image is loaded into RAM, the router locates and applies the configuration statements found in the startup configuration file in NVRAM. The configuration step also has fallback options, which the router uses if no startup configuration is present.

One such fallback is the AutoInstall feature. A router booting without a configuration has no IP address, so AutoInstall obtains one dynamically from the network and then attempts to download a configuration file from a TFTP server on the network.

To follow the process, verify that the power cabling and the console connection are in place. The console lets you watch the IOS output during initialization. The device must also be switched on: unlike most switches, routers do have a power switch.

Bootup Output from the Router

If the router has no configuration file in NVRAM, it falls back to AutoInstall, and if that fails, it enters setup mode. Setup mode is the System Configuration Dialog, the same question-driven initial configuration routine found on layer 2 switches, although the questions differ because this is a layer 3 device. Setup mode is not intended for entering protocol features or complex configurations; it is used to bring up a minimal configuration. If the router does have a valid configuration file, you are placed at the command-line interface (Cisco CLI) in EXEC mode. The default is the user EXEC prompt, which has no special privileges; from there you enter privileged EXEC mode by issuing the command enable.

Setup: The Initial Configuration Dialog

You can also invoke the setup routine at any time by typing the command setup. You need to be in privileged EXEC mode, which you can recognize by the pound sign (#) in the prompt. When the System Configuration Dialog starts, you are prompted to confirm that you want to continue, and then asked whether you want to enter basic management setup.

If you answer no at the basic management setup prompt, you enter extended setup, which lets you configure more specific system parameters; basic management setup takes you through just a few questions to set the host name, passwords, basic interface parameters, and a few other settings. Remember that the default answer is always shown in square brackets and you can simply press Enter to accept it. Another important keystroke is Ctrl+C, which terminates the dialog at any time without applying anything. After Ctrl+C you are returned to privileged EXEC mode and can continue configuring the router from the CLI.

Setup Interface Summary

If you answer yes at the basic management setup prompt, you are asked whether you want to see the current interface summary. If you answer yes, you see output like the following, where each interface is listed with its layer 1 state (the Status column) and its layer 2 state (the Protocol column). In this example some of the interfaces have an IP address. This is the same output produced by the show ip interface brief command.

Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
FastEthernet0              192.168.0.65    YES NVRAM  up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    up
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    up
FastEthernet9              unassigned      YES unset  down                  down
NVI0                       192.168.0.65    YES unset  up                    up
Tunnel1                    10.10.1.65      YES NVRAM  up                    up
Tunnel2                    10.10.2.65      YES NVRAM  up                    up
Vlan1                      192.168.65.192  YES NVRAM  up                    up

Cisco AutoSecure

Among the questions you may get is one about enabling AutoSecure. AutoSecure is a feature available in certain IOS versions that removes the complexity of knowing every individual hardening command: a single CLI command automates the configuration of those security features. It is a one-stop shop for locking down the router and auditing its current configuration. Answering yes to this question enables AutoSecure, which is nothing more than running the auto secure command, and that starts the process of locking down the router. It is very strict about it and attempts to ensure maximum security by, for example, disabling unneeded global services, disabling services at the interface level, enabling password encryption and logging, auditing the router to make sure that line passwords and an enable secret are set, and making sure that SSH is configured. It disables SNMP management if it is not being used. It will even implement anti-spoofing features, TCP intercept and TCP connection timeouts. It is very comprehensive, and because it changes many settings at once, including disabling services your network may rely on, you should only enable it when you are fully aware of the consequences, and you should review the resulting running configuration before saving it.

Setup Script Review and Use

As with the System Configuration Dialog on switches, the process ends with the router displaying the configuration script built from your answers, followed by a choice: return to the prompt without saving the configuration, return to the beginning of the setup dialog without saving, or save the configuration to NVRAM and exit to the prompt.

Logging in to the Cisco Router

After the System Configuration Dialog finishes, you can return to the prompt and reconfigure the router or perform additional configuration. This is an IOS device, so it is similar to a switch in that it has EXEC mode with two levels, user mode and privileged mode, and you move from user mode to privileged mode with the enable command. You leave privileged mode with the disable command and log out completely with the logout command; exit also ends the session. Notice that, as on switches, user mode is indicated by the greater-than sign (>) in the prompt and privileged mode by the pound sign (#).

Router>
Router>enable
Password:
Router#

Router User-Mode Command List

At every level of access, including the various configuration modes, you can type a question mark at the prompt to display the list of commands available in that mode. Notice the --More-- prompt, which indicates that the output has paused because it does not fit on the screen: press the Spacebar to continue page by page, press Enter (Return) to advance line by line, or press Q to stop the output and return to the prompt. Ctrl+C does the same thing.

Router>?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  dot11            IEEE 802.11 commands
  emm              Run a configured Menu System
  enable           Turn on privileged commands
  exit             Exit from the EXEC
 --More--

The listed commands depend on the IOS version and feature set and differ between access modes and configuration modes. For example, user mode has a limited set of commands that let you monitor the router, whereas privileged mode can enter the configuration levels and also run maintenance commands.

Router Privileged-Mode Command List

This is a partial sample of the commands available in privileged mode, as listed by the question mark. Notice that the configure command is available, which takes you into configuration mode, and so is the copy command, which lets you copy operating system images and configuration files to and from the router. Also present are delete, which removes individual files from a filesystem, and erase, which clears an entire filesystem such as NVRAM (erase startup-config).

Router#?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  auto             Exec level Automation
  beep             Blocks Extensible Exchange Protocol commands
  bfe              For manual emergency modes setting
  calendar         Manage the hardware calendar
  cd               Change current directory
  clear            Reset functions
  clock            Manage the system clock
  cns              CNS agents
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy from one file to another
  crypto           Encryption related commands.
  debug            Debugging functions (see also 'undebug')
  delete           Delete a file
  dir              List files on a filesystem
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
 --More--

Show Version Command

We are now ready to move on to configuring and maintaining the router. Perhaps the most important command for understanding the capabilities of the device is show version. It is similar to show version on layer 2 switches: it displays the current version and feature set of the operating system, the bootstrap software in ROM (used as a fallback), the router uptime and the reason for the last restart, and physical characteristics including the amount of RAM, the physical interfaces on the router, the amount of NVRAM and flash, and the configuration register value.

Router#sh ver
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 23-Aug-11 05:42 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH12, RELEASE SOFTWARE (fc1)

Router uptime is 1 day, 2 hours, 38 minutes
System returned to ROM by Reload Command
System restarted at 17:27:50 EET Wed Nov 28 2012
System image file is "flash:c181x-adventerprisek9-mz.124-24.T6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1812 (MPC8500) processor (revision 0x400) with 236544K/25600K bytes of memory.
Processor board ID XXXXXXXXXXX, with hardware revision 0000

10 FastEthernet interfaces
1 ISDN Basic Rate interface
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
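The configuration register on the last line deserves a closer look than the lesson gives it, because it controls whether the startup configuration (and every password in it) is honoured at boot. The following is an added example written for this lesson, not Cisco code or part of the original text: it parses the fields a practitioner checks first out of the show version output above (the sample text is constructed from that output) and decodes the register using the standard IOS bit layout (bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 Break disabled, bits 11-12 console speed, bit 13 boot the ROM software if a network boot fails), flagging the values that matter in a security review.

```python
"""Decode the configuration register reported by 'show version'.

Added example for this lesson, not part of the original text or of Cisco's
tooling. SAMPLE_SHOW_VERSION is constructed from the lesson's own output.
"""
import re

SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)YH12, RELEASE SOFTWARE (fc1)
Router uptime is 1 day, 2 hours, 38 minutes
System returned to ROM by Reload Command
System image file is "flash:c181x-adventerprisek9-mz.124-24.T6.bin"
Configuration register is 0x2102
"""

# Bits 12 and 11 together select the console speed (bit 11 is the low bit).
_CONSOLE_BAUD = {0b00: 9600, 0b01: 4800, 0b10: 1200, 0b11: 2400}


def parse_show_version(text):
    """Pull out the fields worth checking first: IOS version, image, restart reason, register."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    reg = grab(r"Configuration register is 0x([0-9A-Fa-f]+)")
    return {
        "ios_version": grab(r"\), Version (\S+),"),
        "image": grab(r'System image file is "([^"]+)"'),
        "restart_reason": grab(r"System returned to ROM by (.+)"),
        "config_register": int(reg, 16) if reg else None,
    }


def decode_config_register(value):
    """Break a 16-bit configuration register into its meaningful fields."""
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "stay in ROMMON (ROM monitor)"
    elif boot_field == 0x1:
        boot = "boot the helper image from ROM"
    else:
        boot = "boot IOS from flash, honouring any 'boot system' commands"
    return {
        "boot_field": boot_field,
        "boot": boot,
        "ignore_startup_config": bool(value & 0x0040),      # bit 6
        "break_disabled": bool(value & 0x0100),             # bit 8
        "console_baud": _CONSOLE_BAUD[(value >> 11) & 0b11],
        "boot_rom_if_netboot_fails": bool(value & 0x2000),  # bit 13
    }


def register_findings(value):
    """Return the security-relevant deviations from the usual 0x2102."""
    fields = decode_config_register(value)
    findings = []
    if fields["ignore_startup_config"]:
        findings.append(
            "bit 6 (0x0040) set: NVRAM is ignored at boot, so the startup-config "
            "and every password in it are bypassed; this is what the password-recovery "
            "value 0x2142 does and it must not be left on a production router")
    if not fields["break_disabled"]:
        findings.append(
            "bit 8 (0x0100) clear: a Break on the console drops the running router "
            "into ROMMON, handing anyone with console access the recovery prompt")
    if fields["boot_field"] == 0x0:
        findings.append("boot field 0x0: the router stops in ROMMON instead of loading IOS")
    return findings


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(info)
    print(decode_config_register(info["config_register"]))
    for value in (0x2102, 0x2142, 0x2002):
        print(hex(value), register_findings(value) or ["ok"])
```

For the 0x2102 shown above the decoder reports boot field 2, Break disabled, 9600 baud and no findings; run it against a router that has just been through password recovery and the 0x2142 it will still carry is flagged immediately.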

Verifying Basic Router Configuration

To verify the router's initial configuration you typically use commands like show running-config. This displays the whole configuration, and you can then look through it for the pieces you need to verify. That can be cumbersome and inefficient, so one of the tools at your disposal is the ability to display only selected parts of the running configuration.

Router#sh run
Building configuration...

Current configuration : 3807 bytes
!
! Last configuration change at 19:41:49 EET Thu Nov 29 2012 by admin
! NVRAM config last updated at 19:43:50 EET Thu Nov 29 2012 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65535
enable secret 5 $1$kqJ2$BwXEBY.OC1Fzj4QvofZXx/
!
no aaa new-model
clock timezone EET 2
!
!
dot11 syslog
ip source-route
!
!
ip cef
no ip domain lookup
ip domain name cisco.com
ip name-server 172.16.4.10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
 --More--

So you can, for example, use the interface keyword and display only the configuration of a particular interface.

Router#sh run int fa 0
Building configuration...

Current configuration : 186 bytes
!
interface FastEthernet0
 description ### Sales Dept. ###
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
end

You can also use output filters after show running-config | and, for instance, include only the lines that contain a certain keyword such as password. Doing that here shows that no line or user passwords are set: the only line containing the word password is no service password-encryption. That line is itself worth noticing, because it means any line or username passwords you add later will be stored in cleartext in the configuration until service password-encryption is enabled. Also keep in mind that the enable secret (stored as a type 5 hash on the enable secret line) does not contain the word password, so filter on secret as well when auditing.

Router#sh run | in password
no service password-encryption

You can also use show running-config | section to display whole sections, for example the line sections, so that you see only the configuration of the console, aux and VTY lines.

Another option is begin, which displays the configuration starting at the first line that contains a certain keyword. So show run | begin line displays the configuration from the first line command onward. Note what this output reveals about the router: the VTY lines carry login local and transport input ssh, which restrict remote access to SSH with local user authentication, but also exec-timeout 0 0, which disables the idle timeout for those remote sessions.

Router#sh run | b line
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 0
 login local
 transport preferred ssh
 transport input ssh
 transport output all
!
ntp server 172.16.4.10
end
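The filters above are simple enough to reproduce offline, which is useful when you are auditing a pile of saved running-configs rather than sitting at a console. The following is an added example written for this lesson, not Cisco code or part of the original text: it implements the include, exclude, begin and section filters over a captured configuration and then uses them to check for the weak settings this lesson has been grepping for. Both configurations are constructed, WEAK_CONFIG from fragments of the show run output above and HARDENED_CONFIG as a corrected counterpart; the idle timeouts chosen there are assumptions, not values from the lesson.

```python
"""IOS output filters (| include, | exclude, | begin, | section) implemented
over a captured running-config, plus a small audit of the settings this
lesson greps for.

Added example, not part of the original lesson or of Cisco IOS. Both
configurations are constructed: WEAK_CONFIG from fragments of the lesson's
'show run' output, HARDENED_CONFIG as an assumed corrected counterpart.
"""
import re

WEAK_CONFIG = """\
version 12.4
no service password-encryption
hostname Router
enable secret 5 $1$kqJ2$BwXEBY.OC1Fzj4QvofZXx/
no aaa new-model
interface FastEthernet0
 description ### Sales Dept. ###
 ip address 192.168.0.1 255.255.255.0
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 0
 login local
 transport preferred ssh
 transport input ssh
 transport output all
end
"""

HARDENED_CONFIG = """\
version 12.4
service password-encryption
hostname Router
enable secret 5 $1$kqJ2$BwXEBY.OC1Fzj4QvofZXx/
no aaa new-model
line con 0
 exec-timeout 5 0
 login local
line aux 0
 no exec
 exec-timeout 0 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
end
"""


def include(text, pattern):
    """show ... | include <regex>: only the lines that match."""
    return [l for l in text.splitlines() if re.search(pattern, l)]


def exclude(text, pattern):
    """show ... | exclude <regex>: only the lines that do not match."""
    return [l for l in text.splitlines() if not re.search(pattern, l)]


def begin(text, pattern):
    """show ... | begin <regex>: from the first matching line to the end."""
    lines = text.splitlines()
    for i, l in enumerate(lines):
        if re.search(pattern, l):
            return lines[i:]
    return []


def section(text, pattern):
    """show ... | section <regex>: each matching line plus the lines indented
    beneath it (IOS nests a stanza's statements by indentation)."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i]
        if re.search(pattern, line):
            depth = len(line) - len(line.lstrip())
            out.append(line)
            i += 1
            while i < len(lines) and lines[i].strip() and \
                    len(lines[i]) - len(lines[i].lstrip()) > depth:
                out.append(lines[i])
                i += 1
        else:
            i += 1
    return out


def stanzas(lines):
    """Group filter output into (header, [indented statements]) pairs."""
    result = []
    for l in lines:
        if l.startswith(" ") and result:
            result[-1][1].append(l.strip())
        elif not l.startswith(" "):
            result.append((l, []))
    return result


def audit(config):
    """Flag the weak settings a reviewer looks for on a freshly built router."""
    findings = []
    if include(config, r"^no service password-encryption"):
        findings.append("no service password-encryption: line and username passwords are stored in cleartext")
    if not include(config, r"^enable secret "):
        findings.append("no 'enable secret' configured")
    for hdr, body in stanzas(section(config, r"^line ")):
        if "exec-timeout 0 0" in body:
            findings.append(f"{hdr}: exec-timeout 0 0 disables the idle timeout")
        if hdr.startswith("line vty"):
            if not any(b.startswith("login") for b in body):
                findings.append(f"{hdr}: no 'login' or 'login local' statement")
            inputs = [b.split()[2:] for b in body if b.startswith("transport input")]
            # With no explicit statement, 12.x IOS defaults to 'transport input all'.
            if not inputs or any({"all", "telnet"} & set(p) for p in inputs):
                findings.append(f"{hdr}: Telnet permitted on transport input; restrict to ssh")
    return findings


if __name__ == "__main__":
    print("\n".join(include(WEAK_CONFIG, "password")))
    print("\n".join(section(WEAK_CONFIG, r"^line vty")))
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Against WEAK_CONFIG the audit reports the missing password encryption and the disabled VTY idle timeout, the two things a reader of the filtered output above should have noticed; against HARDENED_CONFIG it reports nothing.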

You can apply the same filters to other commands. For example, show ip interface brief displays all interfaces with their status and IP addresses, but you can pipe it through include unassigned to display only the interfaces that have no IP address. This shows at a glance which interfaces are not addressed, so these are helpful tools for verifying your configuration.

Router#sh ip int brie | in unassigned
BRI0                       unassigned      YES NVRAM  administratively down down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    up
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    up
FastEthernet9              unassigned      YES unset  down                  down

As you can see, FastEthernet0 is not in the list, and neither are NVI0, Tunnel1, Tunnel2 and Vlan1, because they already have IP addresses.
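The interface summary shown earlier in the Setup dialog and the filtered output just above are two views of the same table, and it is worth being able to read that table programmatically. The following is an added example written for this lesson, not Cisco code or part of the original text: it parses show ip interface brief output (the sample is constructed from the lesson's own table) into records, classifies each interface by layer 1 and layer 2 state as the lesson describes, reproduces the include unassigned filter, and adds one check the lesson does not make, namely which ports are enabled but have no link and are therefore candidates for shutdown.

```python
"""Parse 'show ip interface brief' into records and reproduce the two views
this lesson uses: the Setup interface summary and the '| include unassigned'
filter, plus a quick check for enabled but unused ports.

Added example, not part of the lesson or of Cisco IOS. SAMPLE_OUTPUT is
constructed from the lesson's own table.
"""

SAMPLE_OUTPUT = """\
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES NVRAM  administratively down down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
FastEthernet0              192.168.0.65    YES NVRAM  up                    up
FastEthernet1              unassigned      YES NVRAM  administratively down down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    up
FastEthernet7              unassigned      YES unset  up                    up
FastEthernet8              unassigned      YES unset  up                    up
FastEthernet9              unassigned      YES unset  down                  down
NVI0                       192.168.0.65    YES unset  up                    up
Tunnel1                    10.10.1.65      YES NVRAM  up                    up
Tunnel2                    10.10.2.65      YES NVRAM  up                    up
Vlan1                      192.168.65.192  YES NVRAM  up                    up
"""


def parse_ip_int_brief(text):
    """Split each row into fields. Status may be two words ('administratively
    down'), so take the fixed columns from both ends and join the middle."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Interface":
            continue
        name, ip, ok, method = parts[:4]
        rows.append({
            "interface": name,
            "ip": None if ip == "unassigned" else ip,
            "ok": ok == "YES",
            "method": method,                  # NVRAM, manual, DHCP, unset, ...
            "status": " ".join(parts[4:-1]),   # layer 1 / administrative state
            "protocol": parts[-1],             # layer 2 (line protocol)
        })
    return rows


def state(row):
    """Describe an interface the way the lesson reads the table: layer 1 first, then layer 2."""
    if row["status"] == "administratively down":
        return "shutdown"
    if row["status"] == "down":
        return "layer 1 down (no link)"
    if row["protocol"] == "down":
        return "layer 1 up, line protocol down"
    return "up/up"


def unassigned(rows):
    """Equivalent of 'show ip interface brief | include unassigned'."""
    return [r for r in rows if r["ip"] is None]


def addressed(rows):
    """The interfaces that filter hides: those that already have an address."""
    return [r["interface"] for r in rows if r["ip"] is not None]


def enabled_but_unused(rows):
    """Ports that are not shut down yet have no link: candidates for 'shutdown',
    since an enabled unused port is an open door for whoever plugs a cable in."""
    return [r["interface"] for r in rows if state(r) == "layer 1 down (no link)"]


if __name__ == "__main__":
    rows = parse_ip_int_brief(SAMPLE_OUTPUT)
    for r in rows:
        print(f"{r['interface']:<16} {r['ip'] or '-':<16} {state(r)}")
    print("unassigned:", [r["interface"] for r in unassigned(rows)])
    print("addressed:", addressed(rows))
    print("enabled but unused:", enabled_but_unused(rows))
```

On the lesson's table this yields the twelve unassigned interfaces shown above, the five addressed ones that the filter hides, and FastEthernet2, FastEthernet3 and FastEthernet9 as enabled ports with nothing plugged in.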