Getting started with a cisco router

To get started with a cisco router, you’ll first need a console cable.  The newer equipment uses USB, but needs a special driver for use under Microsoft Windows.  The older stuff uses the venerable RS232 protocol; however, depending on the age of the equipment, the console port could be a DB25, a DB9, or perhaps even an RJ45 port, which you’ll need to plug into the first time you configure the router.  They all start up at 9600 baud, no parity, eight data bits, one stop bit (N81).  With newer computers, getting a working RS232 port can be a challenge, so don’t throw away any computer that has a working RS232 port.  It may save your life one day.

Since I am using dynagen/dynamips for my example I open up my configuration with dynagen, then start all my routers like this

=> start /all
100-VM 'nycrtr1' started
100-VM 'corewan1' started
100-VM 'corertr1' started
100-VM 'hkgrtr1' started
=>

Then I can console to my selected router by typing in console (router)

=> console corertr1
=>

From there it will act like a real console port, just as if I had plugged in a serial console cable. With the console connected, and the router powered up you’ll eventually find the following question being asked:

% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]:

This is the first thing you’ll be greeted with on the console port of a virgin cisco router.  Honestly I don’t like the initial configuration dialog, and prefer to do this all by myself.

From there the router will prompt you with the cheery:

Press RETURN to get started!

And once you press enter, a status of all the interfaces will be displayed, and you’ll be dumped at the router prompt.

Router>

From here we are in an unprivileged mode, only able to enter in some basic commands, but unable to change the configuration, or do anything really meaningful. You can view what commands are available by typing in a question mark (hit enter!), and the list will scroll by. To change to the enabled (supervisor) mode, we simply type in enable.

Router>enable
Router#

Notice how the prompt changed from > to #.  Now try the ‘?’ command again, and notice that we can do far more commands.

Some useful commands include

  • show version
  • show running-config
  • show log
  • who
  • dir

Take note that the ‘show’ command has many, many possible options to give it.  This will be the command you will use the most to figure out what is going on, inside of your network.

The ‘show running-config’ command will show us the current configuration that the router has.  Take note that it will ask you to hit ‘more’ as you go through the configuration as this has more than 24 lines to display.  This is because your ‘console’ is configured by default for 24 lines (show line 0).  Like everything else it too can be changed, but for now we’ll leave the paging function in.

This is what a ‘blank’ or empty configuration looks like:

Router#sho run
Building configuration...

Current configuration : 974 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
!
!
ip cef
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
interface Ethernet1/4
no ip address
shutdown
duplex half
!
interface Ethernet1/5
no ip address
shutdown
duplex half
!
interface Ethernet1/6
no ip address
shutdown
duplex half
!
interface Ethernet1/7
no ip address
shutdown
duplex half
!
ip classless
no ip http server
!
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
!
end

You may be thinking that for a ‘blank’ router there are a lot of things in here.  The important thing to notice right now is all the interfaces, and that they are currently in shutdown mode.  By default a router will have all of its interfaces turned OFF.  This is to prevent things from automatically “working” or screwing things up in spectacular ways.  Also notice that the ethernet interfaces are typically configured at half duplex.  You very well may want to change this on a real router (on emulated ones it doesn’t matter); if you connect a cisco router to a cisco switch and the duplex is mismatched, they will both let you know.  Quite a bit.  So do pay attention to things like that.  Between the bangs (!) are the sections of the configuration, each of which can be altered by the user as you see fit.  But right now it just allows a console to plug in, and have full access.

So what are some basic things I like to setup on my routers?  Well to start a name is nice.  We enter the configuration mode from within the enable mode by typing in ‘configure terminal’.  From there we change the hostname by simply typing in hostname along with the name that we want to give the router.  Notice that the name of the router now appears on the prompt.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname corewan1
corewan1(config)#

We can now exit the configure mode by hitting CONTROL+Z.

corewan1(config)#^Z
corewan1#
02:26:53: %SYS-5-CONFIG_I: Configured from console by console

Notice that the router will trigger a syslog event, and display it on the console.  All of this is configurable but right now this is the factory default behaviour.

It is important to take note that cisco routers have two configurations, the running configuration and the startup configuration.  When you make changes to a live system, you alter the running configuration, not the startup configuration.  It is done this way so that in the event that you lock yourself out of the router (removing ip routing, changing the WAN ip address, typoing the passwords... mistakes happen), a simple power cycle will restore the router to the prior configuration.  It is imperative to test what you can from a second telnet console when you make major changes, before saving the configuration.  It can take valuable time to track people down in remote countries, and walking them through a power cycle of the routers can be daunting, as they usually don’t ever touch the routers.

To make this change now ‘permanent’ by committing it to the NVRAM, we can issue the command ‘copy running-config startup-config’

corewan1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
corewan1#

Take note that we *MUST* be out of the configuration mode to issue this command.

The ultimate test is to reboot the router, and verify that it does come up with the new configuration.  To reboot a router the command is simply reload. However with dynamips reloading the router will cause it to crash.

corertr1#reload
Proceed with reload? [confirm]y
00:20:13: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

ROM: reload requested...

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

%ALIGN-1-FATAL: Corrupted program counter
pc=0x0, ra=0xBFC011A4, sp=0x62B819D8

But switching to dynagen we can quickly restart the router process.

=> stop corertr1
100-VM 'corertr1' stopped
=> start corertr1
100-VM 'corertr1' started
=> console corertr1
=>

And now we are booted into the router.

00:00:05: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:00:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
corertr1>

I should also point out that from dynagen I also save the router configuration, which will attach it to the network config file.

=> save corertr1
saved configuration from: corertr1
=>

It should be as easy as that.

Now let’s get to some nice things to add.

I always like banners to at least let you know where you are.  Some people like to have legal disclaimers warning against unauthorized access, or even ascii art.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#banner motd Z
Enter TEXT message. End with the character 'Z'.
  |\      _,,,---,,_
  /,`.-'`'    -.  ;-;;,_
 |,4-  ) )-,_..;\ (  `'-'
'---''(_/--'  `-'\_)  Welcome to the corertr1

Authorized users ONLY!!!!

Z
corertr1(config)#^Z
corertr1#
00:07:23: %SYS-5-CONFIG_I: Configured from console by console

Notice the ‘Z’ which is how I let it know that I’m done with my banner.

Passwords are also a good thing.  For now I’m not going to put one on the console, but instead on the ‘vty’ ports, which we will configure later for telnet access into the router.  Why not the console?  Well, right now I’m operating under the idea that if you have physical access to the router, you are into the network anyways.  Obviously this may not meet your needs, but it is fine for my simple introduction.

I’m going to use a simple password of ‘cisco’.

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#line vty 0 4
corertr1(config-line)#password 0 cisco
corertr1(config-line)#exit
corertr1(config)#enable password 0 cisco
corertr1(config)#^Z
corertr1#

First the vty part has the parameter 0 4 which gives the router the ability to handle five connected telnet sessions.  Maybe you want more, maybe you want less.  The next part is that after the password keyword, I’m using the number 0 which means the password is unencrypted.  It has been my experience that you ALWAYS ALWAYS ALWAYS configure the passwords using a 0, as some versions change things, and your encrypted strings may not work how you expected them to.

Another fun feature in IOS 12 is the pipe (|) which you can use to filter output from the show command.  Right now our passwords are in clear text, so we are going to encrypt them.  First to verify that they are clear:

corertr1#sho run | include password
no service password-encryption
enable password cisco
password cisco

Now we enable encryption, and re-run the command:

corertr1#config t
Enter configuration commands, one per line. End with CNTL/Z.
corertr1(config)#service password-encryption
corertr1(config)#^Z
corertr1#sho run | include password
00:11:36: %SYS-5-CONFIG_I: Configured from console by console
service password-encryption
enable password 7 060506324F41
password 7 121A0C041104
corertr1#

Now our passwords are not so obvious!  But be aware that there are ways to crack these simple passwords.

My password was cracked!

You can check the site for more information on a more ‘secure’ approach to passwords, but for now it doesn’t matter.
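
Why the ‘7’ strings above are only obfuscation, as an added example that is not part of the original post: a small Python audit that flags weakly stored passwords in an IOS configuration and reverses type 7 strings using the publicly known fixed XOR table.  The function names are hypothetical, and the sample input is the ‘sho run | include password’ output from this page.

```python
import re

# Fixed, publicly known table that IOS type 7 XORs passwords against.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits of offset, then hex bytes."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(offset + i) % len(XLAT)])
                   for i, b in enumerate(data))

def audit_passwords(config):
    """Return (line, finding) pairs for weakly stored passwords (hypothetical helper)."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if line == "no service password-encryption":
            findings.append((line, "passwords are stored in clear text"))
            continue
        m = re.match(r"(enable )?password (?:(\d+) )?(\S+)$", line)
        if not m:
            continue
        kind = m.group(2) or "0"          # no type number means clear text
        if kind == "0":
            findings.append((line, "clear-text password"))
        elif kind == "7":
            try:
                plain = decode_type7(m.group(3))
                findings.append((line, "type 7 is reversible, recovers: " + plain))
            except ValueError:
                findings.append((line, "malformed type 7 string"))
        if m.group(1):
            findings.append((line, "prefer 'enable secret' (hashed) over 'enable password'"))
    return findings

# Sample input: the password lines shown in this post.
SAMPLE = """\
service password-encryption
enable password 7 060506324F41
 password 7 121A0C041104
"""

if __name__ == "__main__":
    for line, finding in audit_passwords(SAMPLE):
        print(f"{line}: {finding}")
```

Both strings come back as the same plaintext even though they look different, because the leading two digits only select a starting position in the fixed table.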

With all of this done, we should save our configuration, and proceed to the next step.

Another popular thing to do is turn off DNS queries.  If you make a typo at the command line, the router will assume that you are trying to telnet to a host.  By default with no DNS servers specified, it will then do a broadcast twice trying to find a DNS server.  This can delay you for 30 seconds to a minute which when you are in a network downtime scenario is very annoying.  To disable this ‘feature’ simply add this to your configuration

no ip domain-lookup

And you’ll never have to worry about this!
