Router and Switch Administrative Configurations

Even though the following sections aren't critical to making a router or switch work on a network, they're still really important; in them, I'm going to lead you through configuring commands that will help you administer your network.

The most popular and most important administrative functions that you can configure on a router and switch are as follows:

  • Hostnames
  • Banners
  • Passwords
  • Interface descriptions

Remember, none of these will make your routers or switches work better or faster, but trust me, your life will be a whole lot better if you just take the time to set these configurations on each of your network devices. That's because doing this makes troubleshooting and maintaining your network sooooo much easier—seriously! In this next section, I'll be demonstrating commands on a Cisco router, but these commands are exactly the same on a Cisco switch.

Hostnames

You can set the identity of the router with the hostname command. This is only locally significant, which means that it has no bearing on how the router performs name lookups or how the router works on the internetwork. However, I'll use the hostname in Chapter 10 for authentication purposes when I discuss the WAN protocol PPP.

Here's an example:

Router#config t
Enter configuration commands, one per line. End with
  CNTL/Z.
Router(config)#hostname Todd
Todd(config)#hostname Atlanta
Atlanta(config)#hostname Todd
Todd(config)#

Even though it's pretty tempting to configure the hostname after your own name, it's definitely a better idea to name the router something pertinent to the location. This is because giving it a hostname that's somehow relevant to where the device actually lives will make finding it a whole lot easier. And it also helps you confirm that you are, indeed, configuring the right device. For this chapter, I'll leave it as Todd for now because it's fun.

Banners

A banner is more than just a little cool—one very good reason for having a banner is to give any and all who dare attempt to telnet or dial into your internetwork a little security notice. And you can create a banner to give anyone who shows up on the router exactly the information you want them to have.

Make sure you're familiar with these four available banner types: exec process creation banner, incoming terminal line banner, login banner, and message of the day banner (all illustrated in the following code):

Todd(config)#banner ?
  LINE             c banner-text c, where 'c' is a delimiting character
  exec             Set EXEC process creation banner
  incoming         Set incoming terminal line banner
  login            Set login banner
  motd             Set Message of the Day banner
  prompt-timeout   Set Message for login authentication timeout
  slip-ppp         Set Message for SLIP/PPP

Message of the day (MOTD) is the most extensively used banner. It gives a message to every person dialing into or connecting to the router via Telnet or an auxiliary port, or even through a console port, as shown here:

Todd(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
Todd(config)#banner motd #
Enter TEXT message. End with the character '#'.
$ Acme.com network, then you must disconnect immediately.
#
Todd(config)#^Z
Todd#
00:25:12: %SYS-5-CONFIG_I: Configured from console by
  console
Todd#exit

Router con0 is now available

Press RETURN to get started.

If you are not authorized to be in Acme.com network, then you
must disconnect immediately.
Todd#

The preceding MOTD banner essentially tells anyone connecting to the router to get lost if they're not on the guest list! The part to understand is the delimiting character—the thing that's used to tell the router when the message starts and finishes. You can use any character you want for it, but (I hope this is obvious) you can't use the delimiting character in the message itself. Also, once the message is complete, press Enter, then the delimiting character, and then Enter again. It'll still work if you don't do that, but if you have more than one banner, they'll be combined as one message and put on a single line.

For example, you can set a banner on one line, as shown here:

Todd(config)#banner motd x Unauthorized access prohibited! x

This example will work just fine, but if you add another MOTD banner message, they would end up on a single line.

Here are some details of the other banners I mentioned:

Exec Banner You can configure a line-activation (exec) banner to be displayed when an EXEC process (such as a line activation or incoming connection to a VTY line) is created. By simply starting a user exec session through a console port, you'll activate the exec banner.

Incoming Banner You can configure a banner to be displayed on terminals connected to reverse Telnet lines. This banner is useful for providing instructions to users who use reverse Telnet.

Login Banner You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner but before the login prompts. The login banner can't be disabled on a per-line basis, so to globally disable it, you have to delete it with the no banner login command.

The login banner is displayed before the login prompts but after the MOTD banner.

Setting Passwords

Five passwords can be used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. The enable secret and enable password are used to set the password that's used to secure privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed through the console port, through the auxiliary port, or via Telnet.

Let's take a look at each of these now.

Enable Passwords

You set the enable passwords from global configuration mode like this:

Todd(config)#enable ?
 last-resort Define enable action if no TACACS servers
             respond
 password    Assign the privileged level password
 secret      Assign the privileged level secret
 use-tacacs  Use TACACS to check enable passwords

The following points describe the enable password parameters:

last-resort This allows you to still enter the router if you set up authentication through a TACACS server and it's not available. But it isn't used if the TACACS server is working.

password This originally set the enable password on older, pre-10.3 systems, and it is superseded if an enable secret is set.

secret This is the newer, encrypted password that overrides the enable password if it's set.

use-tacacs This tells the router to authenticate through a TACACS server. It's convenient if you have anywhere from a dozen to multitudes of routers because, well, would you like to face the fun task of changing the password on all those routers? If you're sane, no, you wouldn't. So instead, just go through the TACACS server and you have to change the password only once—yeah! Now, whenever someone tries to log into privileged mode, they will be forced to authenticate through the TACACS server.

Here's an example of setting the enable passwords:

Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your
  enable secret. This is not recommended. Re-enter the
  enable password.

If you try to set the enable secret and enable passwords the same, the router will give you a nice, polite warning to change the second password. If you don't have older legacy routers, don't even bother to use the enable password—it is outdated and not used anymore, but it could be, so just be aware of the differences between the enable password and the enable secret.

User-mode passwords are assigned by using the line command.

Todd(config)#line ?
 <0-337> First Line number
 aux      Auxiliary line
 console  Primary terminal line
 tty      Terminal controller
 vty      Virtual terminal

Here are the lines to be concerned with for the exam objectives:

aux Sets the user-mode password for the auxiliary port. It's usually used for attaching a modem to the router, but it can be used as a console as well.

console Sets a console user-mode password.

vty Sets a Telnet password on the router. If this password isn't set, then Telnet can't be used by default.

To configure the user-mode passwords, you configure the password on the line you want and follow it with either the login or no login command to tell the router to either prompt for or not prompt for authentication. The next sections will provide a line-by-line example of the configuration of each line.

Auxiliary Password

To configure the auxiliary password, go into global configuration mode and type line aux ?. You can see here that you only get a choice of 0–0 (that's because there's only one port):

Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#line aux ?
 <0-0> First Line number
Todd(config)#line aux 0
Todd(config-line)#login
% Login disabled on line 1, until 'password' is set
Todd(config-line)#password aux
Todd(config-line)#login

It's important to remember the login command or the auxiliary port won't prompt for authentication.

Cisco has begun this process of not letting you set the login command before a password is set on a line because if you set the login command under a line and then don't set a password, the line won't be usable. And it will prompt for a password that doesn't exist. So, this is a good thing—a feature, not a hassle!

Definitely remember that although Cisco has this "password feature" on its routers starting in its newer IOS (12.2 and newer), it's not in all its IOSs.

Console Password

To set the console password, use the line console 0 command. But look at what happened when I tried to type line console ? from the (config-line)# prompt—I received an error. You can still type line console 0, and it will accept it, but the help screens just don't work from that prompt. Type exit to get back one level, and you'll find that your help screens now work. This is a “feature.” Really.

Here's the example:

Todd(config-line)#line console ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line console ?
  <0-0> First Line number
Todd(config)#line console 0
Todd(config-line)#password console
Todd(config-line)#login

Since there's only one console port, I can choose only line console 0. You can set all your line passwords to the same password, but for security reasons, I recommend you make them different.

There are a few other important commands to know for the console port.

For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which means to never time out. The default timeout is 10 minutes. (If you're feeling mischievous, try this on people at work: set it to 0 1. That will make the console time out in one second! And to fix it, you have to continually press the down arrow key while changing the timeout time with your free hand!)

logging synchronous is a very cool command, and it should be a default command, but it's not. It stops annoying console messages from popping up and disrupting the input you're trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted. This makes your input messages oh-so-much easier to read.

Here's an example of how to configure both commands:

Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
  <0-35791> Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
   <0-2147483> Timeout in seconds
   <cr>
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous

You can set the console to go from never timing out (0 0) to timing out in 35,791 minutes and 2,147,483 seconds. The default is 10 minutes. I recommend leaving this at the default for security reasons.

Telnet Password

To set the user-mode password for Telnet access into the router, use the line vty command. Routers that aren't running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you'll have significantly more. The best way to find out how many lines you have is to use that question mark.

Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line vty 0 ?
   <1-1180> Last Line number
   <cr>
Todd(config)#line vty 0 1180
Todd(config-line)#password telnet
Todd(config-line)#login

Remember, you cannot get help from your (config-line)# prompt. You must go back to global config mode in order to use the question mark (?).

So, what will happen if you try to telnet into a router that doesn't have a VTY password set? You'll receive an error stating that the connection is refused because, well, the password isn't set. So, if you telnet into a router and receive the message

Todd#telnet SFRouter
Trying SFRouter (10.0.0.1)…Open

Password required, but none set
[Connection to SFRouter closed by foreign host]
Todd#

then the remote router (SFRouter in this example) does not have the VTY (Telnet) password set. But you can get around this and tell the router to allow Telnet connections without a password by using the no login command.

SFRouter(config-line)#line vty 0 4
SFRouter(config-line)#no login

I do not recommend using the no login command to allow Telnet connections without a password unless you are in a testing or classroom environment! In a production network, you should always set your VTY password.

After your routers are configured with an IP address, you can use the Telnet program to configure and check your routers instead of having to use a console cable. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco). Telnet is covered more thoroughly in Chapter 7.

Setting Up Secure Shell (SSH)

Instead of Telnet, you can use Secure Shell (SSH), which creates a more secure session than Telnet, an application that sends its data stream unencrypted. SSH uses encryption keys to protect the data so that your username and password are not sent in the clear.

Here are the steps to setting up SSH:

  1. Set your hostname.
    Router(config)#hostname Todd
  2. Set the domain name (both the hostname and domain name are required for the encryption keys to be generated).
    Todd(config)#ip domain-name Lammle.com
  3. Set the username to allow SSH client access.
    Todd(config)#username Todd password Lammle
  4. Generate the encryption keys for securing the session.
    Todd(config)#crypto key generate rsa general-keys modulus ?
       <360-2048> size of the key modulus [360-2048]
    Todd(config)#crypto key generate rsa general-keys modulus 1024
    The name for the keys will be: Todd.Lammle.com
    % The key modulus size is 1024 bits
    % Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
    *June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
  5. Enable SSH version 2 on the router; although this isn't mandatory, it is highly suggested.
    Todd(config)#ip ssh version 2
  6. Connect to the VTY lines of the router.
    Todd(config)#line vty 0 1180
  7. The next command tells the router to authenticate against the local username database (the username you created in step 3):
    Todd(config-line)#login local
  8. Last, configure the VTY lines to allow only SSH.
    Todd(config-line)#transport input ssh

    Alternately, you can use both SSH and Telnet on the VTY lines with the following:

      Todd(config-line)#transport input ssh telnet

    Or you can use any input on the VTY lines with the following:

      Todd(config-line)#transport input all

If you do not use the keyword telnet or all at the end of the command string, then only SSH will work on the router. I am not suggesting you use either way, but just understand that SSH is more secure than Telnet.

Encrypting Your Passwords

Because only the enable secret password is encrypted by default, you'll need to manually configure the user-mode and enable passwords for encryption.

Notice that you can see all the passwords except the enable secret when performing a show running-config on a router.

Todd#sh running-config
Building configuration…
[output cut]
!
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password todd
!
[output cut]
!
line con 0
 exec-timeout 0 0
 password console
 logging synchronous
 login
line aux 0
 password aux
 login
line vty 0 4
 password telnet
 login
 transport input telnet ssh
line vty 5 15
 password telnet
 login
 transport input telnet ssh
line vty 16 1180
 password telnet
 login
!
end

To manually encrypt your passwords, use the service password-encryption command. Here's an example of how to do it:

Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#service password-encryption
Todd(config)#exit

Todd#sh run
Building configuration…
[output cut]
!
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password 7 131118160F
!
[output cut]
!
line con 0
 exec-timeout 0 0
 password 7 0605002F5F41051C
 logging synchronous
 login
line aux 0
 password 7 03054E13
 login
line vty 0 4
 access-class 23 in
 password 7 01070308550E12
 login
 transport input telnet ssh
line vty 5 15
 password 7 01070308550E12
 login
 transport input telnet ssh
line vty 16 1180
 password 7 120D001B1C0E18
 login
!
end

Todd#config t
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#

There you have it! The passwords will now be encrypted. You just encrypt the passwords, perform a show run, and then turn off the command. You can see that the enable password and the line passwords are all encrypted.

But before I get into showing you all about setting descriptions on your routers, let's talk about encrypting passwords a bit more. As I said, if you set your passwords and then turn on the service password-encryption command, you have to perform a show running-config before you turn off the encryption service or your passwords won't be encrypted. You don't have to turn off the encryption service at all; you'd do that only if your router is running low on processes. And if you turn the service on and leave it on before you set your passwords, then you don't even have to view them to get them encrypted.

The service password-encryption command encrypts all current and future passwords in the plain-text configuration file.
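As an added example that is not from the book, here is a small Python audit that applies the checks from the password, console, Telnet and SSH sections to a running-config: it flags an enable password, plaintext and type 7 line passwords, no login, exec-timeout 0 0, transport input that still admits Telnet, and a missing ip ssh version 2. The sample config is constructed from the output shown above, with one extra VTY range added to exercise the no login and transport input all checks.

```python
import re

# Constructed sample (not from a real device): the chapter's running-config, trimmed,
# plus one VTY range using "no login" and "transport input all" to exercise those checks.
SAMPLE_CONFIG = """\
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password 7 131118160F
ip ssh version 2
line con 0
 exec-timeout 0 0
 password 7 0605002F5F41051C
line aux 0
 password aux
 login
line vty 0 4
 password 7 01070308550E12
 transport input telnet ssh
line vty 5 15
 no login
 transport input all
"""

WEAK_TRANSPORTS = {"telnet", "all"}  # either one admits cleartext Telnet


def parse_sections(config):
    """Split a running-config into {'global': [...], 'line con 0': [...], ...}."""
    sections = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if raw.startswith("line "):  # a new line section begins
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current != "global":
            sections[current].append(raw.strip())
        else:  # an un-indented command ends any line section
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def audit(config):
    """Return (scope, message) findings for weak access settings in a config."""
    findings = []
    sections = parse_sections(config)
    glob = sections["global"]
    if any(cmd.startswith("enable password") for cmd in glob):
        findings.append(("global", "enable password set; enable secret supersedes it, remove it"))
    if "ip ssh version 2" not in glob:
        findings.append(("global", "ip ssh version 2 not set"))
    for scope, cmds in sections.items():
        if scope == "global":
            continue
        for cmd in cmds:
            pw = re.match(r"password (7 )?\S+$", cmd)
            if pw and pw.group(1):  # type 7 is reversible obfuscation, treat it as cleartext
                findings.append((scope, "type 7 password (reversible, not real encryption)"))
            elif pw:
                findings.append((scope, "plaintext password"))
            elif cmd == "no login":
                findings.append((scope, "no login: access without any password"))
            elif cmd == "exec-timeout 0 0":
                findings.append((scope, "exec-timeout 0 0: session never times out"))
            elif cmd.startswith("transport input") and set(cmd.split()[2:]) & WEAK_TRANSPORTS:
                findings.append((scope, "transport input admits Telnet (cleartext)"))
    return findings
```

Feed audit() the text of show running-config from a device; an empty list means none of the chapter's weak settings were found.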

Setting Interface Descriptions

Setting descriptions on an interface is helpful to the administrator and, as with the hostname, only locally significant. The description command is a helpful one because you can, for instance, use it to keep track of circuit numbers.

Here's an example:

Todd#config t
Todd(config)#int s0/0/0
Todd(config-if)#description Wan to SF circuit number 6fdda12345678
Todd(config-if)#int fa0/0
Todd(config-if)#description Sales VLAN
Todd(config-if)#^Z
Todd#

You can view the description of an interface with either the show running-config command or the show interface command.

Todd#sh run
[output cut]
!
interface FastEthernet0/0
 description Sales VLAN
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!

interface Serial0/0/0
 description Wan to SF circuit number 6fdda 12345678
 no ip address
 shutdown
!
[output cut]

Todd#sh int f0/0
FastEthernet0/0 is up, line protocol is down
  Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
  Description: Sales VLAN
 [output cut]

Todd#sh int s0/0/0
Serial0/0/0 is administratively down, line protocol is down
  Hardware is GT96K Serial
  Description: Wan to SF circuit number 6fdda12345678

Real World Scenario

description: A Helpful Command

Bob, a senior network administrator at Acme Corporation in San Francisco, has more than 50 WAN links to various branches throughout the United States and Canada. Whenever an interface goes down, Bob spends a lot of time trying to figure out the circuit number as well as the phone number of the provider of the WAN link.

The interface description command would be very helpful to Bob because he can use this command on his LAN links to discern exactly where every router interface is connected. And Bob would benefit tremendously by adding circuit numbers to each and every WAN interface, along with the phone number of the responsible provider.

So, by spending the few hours it would take to add this information to each and every router interface, Bob can save a huge amount of precious time when his WAN links go down—and you know they will!

Doing the do Command

Beginning with IOS version 12.3, Cisco has finally added a command to the IOS that allows you to view the configuration and statistics from within configuration mode. (In the examples I gave you in the previous section, all show commands were run from privileged mode.)

In fact, with any IOS, you'd get the following error if you tried to view the configuration from global config:

Router(config)#sh run
                ^
% Invalid input detected at '^' marker.

Compare that to the output I get from entering that same command on my router that's running the 12.4 IOS and using the do syntax:

Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#do show run
Building configuration…

Current configuration : 3276 bytes
!
[output cut]

Todd(config)#do sh int f0/0
FastEthernet0/0 is up, line protocol is down
  Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia
    001a.2f55.c9e8)
  Description: Sales VLAN
[output cut]

So, basically, you can pretty much run any command from any configuration prompt now—cool, huh? Going back to the example of encrypting your passwords, the do command would definitely have gotten the party started sooner—so, my friends, this is a very, very good thing indeed!
