Several Cisco devices do not have a default IP address that can be utilized to gain access to the IOS. Therefore, administrators gain initial out-of-band terminal access to Cisco devices via the console port. After an EXEC access is gained, you can configure the device via the CLI of IOS.

To connect to a console port, Cisco supplies you with a flat rollover cable. As illustrated in Figure 7.1, the pins in a rollover cable are reverse images of each other when the cable is viewed with both sides of the tabs in the same orientation. Cisco console cables either come with two RJ-45 connectors in which a DB-9 adapter is required for connection to the PC, or come with the DB-9 connector attached to one end of the cable. The 9-pin connector of the console cable connects to your terminal PC’s COM port. Keep in mind that this management connection is for initial terminal access only and should not be confused with an actual networking Ethernet cable of any sort.

Figure 7.1. Cisco console cable pinouts.

An ASCII terminal emulation software program must be running on your management PC if it is to interact with the Cisco IOS. There are several different terminal programs available, such as HyperTerminal, TeraTerm, SecureCRT, and others. The terminal setup of the COM port connected to the rollover console cable must be set to the following default console parameters: 9600 baud, 8 data bits, no parity bits, 1 stop bit, and no flow control. After the terminal is set up correctly and you have powered on the Cisco device, you should see the output from your console EXEC session in the terminal window.

Certain Cisco models may contain another out-of-band management port called an auxiliary (AUX) port. This port is very similar to the console port in that it uses a rollover cable and has an RJ-45 connection to the Cisco device. The difference between the auxiliary and the console port is that the auxiliary port has flow control capability, which is useful for analog modem connectivity. By connecting an external modem to this management port, you can dial into the modem remotely and gain an EXEC session without being physically next to the Cisco device.

As discussed in Chapter 1, “Standard Internetworking Models,” Telnet is an Application layer protocol of the TCP/IP protocol suite that uses TCP port 23 to gain virtual terminal emulation to a device. Telnet is considered in-band management because it is required to have IP connectivity to the Cisco device into which you are trying to Telnet. Most Cisco devices allow at least five Telnet EXEC sessions to be connected for remote terminal access. For the sake of security, there is some configuration involved to allow Telnet access into the Cisco devices. Telnet is discussed in further detail in Chapter 8, “Foundation Cisco Configurations.”

Similar to Telnet, HTTP and HTTPS are also Application layer protocols of the TCP/IP protocol suite. HTTP uses TCP port 80 to establish a management connection to the Cisco device. HTTPS is a secure version of HTTP over Secure Socket Layer (SSL) and uses TCP port 443. HTTP and HTTPS terminal sessions require IP connectivity to the Cisco device, making it an in-band management communication methodology. The key difference between HTTP/HTTPS and Telnet is that when you use HTTP or HTTPS, you can have a graphical interface to the configuration and administration features of the Cisco IOS.

The HTTP EXEC session is made possible by a HTTP server service that can run if configured on the Cisco device. For security purposes, some Cisco routers do not have this functionality enabled by default. If this functionality is not going to be utilized, it is recommended that you disable this service to avoid any security vulnerabilities.

Imagine you have Telntetted into a Cisco device and it is prompting you for a password. If an attacker has the capability to eavesdrop on that Telnet terminal session, he could very well detect the password because the Telnet communications are in clear text.

With SSH (Secure Shell), you are provided a secure terminal EXEC connection through the use of encrypted communications between your terminal client and the Cisco device. Your terminal application must support SSH to connect securely to your Cisco device. Some terminal programs that support SSH are SecureCRT and Putty. In addition, the version and feature set of the Cisco IOS must support SSH. Similar to its brother in-band protocols, SSH also requires initial configurations before gaining access to an EXEC session. Granted, this additional configuration may seem tedious; however, the benefit of having secure remote terminal connections to the Cisco device outweighs the work involved.

When you first apply power to a Cisco router or switch, a specialized ROM performs a series of tests of the critical hardware components that are pertinent for startup and basic operation such as Flash memory, CPU, and interfaces. It makes sense to utilize ROM chips for this service because they are already hard-coded with their programs and they do not require constant power to keep those programs stored in the memory. If a failure occurs during this stage of the startup process, you may encounter one of several outcomes, ranging from a non-functioning interface all the way to complete device failure. In any case, your equipment should be under warranty or you have an active support contract in place to fix the failing hardware.

After the hardware passes all its tests (if only the ICND1 was that easy), another ROM seeks out the operating system in accordance to its programming routines. The code that is run in the ROM is commonly referred to as the bootstrap code. If a failure occurs at this stage of the boot-up process, your Cisco device could very likely enter what is known as ROM Monitor or commonly called ROMmon.

Up to this point, the Cisco router or switch has performed only initial diagnostics. With that being said, the IOS itself still has not been located or loaded. The bootstrap’s programming has a specific search order in which it typically follows to locate and load the IOS. I say “typically” because you can alter the natural order of things with the router or switch’s startup process if you manipulate something called the configuration register.

Located in NVRAM, the configuration register is a 16-bit (4 hexadecimal characters) value that specifies how the router or switch should operate during initialization. For instance, 0x2102 (0x signifies all characters that follow are hexadecimal) is a common configuration register that specifies that the router or switch should boot in its typical fashion. However, if you manipulate certain characters in the configuration register, you can manually modify the startup process to load the IOS from locations other than the default. Specifically, the last hexadecimal character in the configuration register, known as the boot field, is the value that dictates where the bootstrap code can find the IOS. The possible boot field values are as follows:

Assuming the configuration register is 0x2102 (the default configuration register), the next step for initialization is to have the bootstrap search the configuration located in NVRAM to see whether the Cisco administrator has placed a command telling the router or switch specifically where to boot. The tools to do this are known as boot system commands. For example, if you have previously configured your device and put in the boot system tftp c2600-do3s-mz.123-5.T1 172.16.1.1 command, you have instructed the bootstrap to load the IOS file c2600-do3s-mz.123-5.T1 from a TFTP server located at 172.16.1.1.

If the default configuration register is utilized and you have not configured the device with any boot system commands, the default action of the bootstrap is to load the first IOS file in Flash memory. After the file is found, it is decompressed and loaded into RAM. At this point, the IOS is successfully loaded and running on your Cisco device.

What would happen if the IOS image were corrupted or missing? As with many functions of Cisco devices, a couple of failsafes are put in place to keep the device in an operating state or a mode in which you can get it back to an operating state. Specifically, if the Cisco router or switch cannot locate a working IOS file, it broadcasts out all interfaces in the hopes that a backup IOS file is stored on a TFTP server on its connected segments. If there isn’t a TFTP server or the TFTP server does not contain a valid IOS file, the next failsafe for the IOS is to boot to ROMmon where you can copy the IOS over via the console or TFTP.

With the IOS loaded, the router or switch is now able to apply any saved configuration parameters. NVRAM is the first location where the device searches for the configuration. Here, a file called startup-config contains all the previous configurations that were present the last time an administrator saved the configuration. As the name states, this is the configuration that is loaded each time the Cisco device starts up. Similar to the IOS, after this configuration file is found, it is loaded into RAM as well. After the configuration is loaded and running at this point, it is conveniently referred to as running-config.

Cisco devices do not ship with a complete startup configuration, which is why you might have to initially configure your Cisco device through some means of out-of-band management such as the console or auxiliary port. So the question begs, what happens when you initially turn on a new Cisco router or switch, or if someone erases the startup configuration?

Many Cisco devices attempt to do an autoinstall by downloading a configuration file from an active TFTP server (similarly to the IOS) when they detect that the startup-config is not located in NVRAM. Typically, these files contain enough configuration parameters (such as IP addresses for interfaces) for you to Telnet into the device and configure the remaining parameters. If the Cisco device finds an autoinstall configuration file from a TFTP server, the device loads the file and makes that the running-config. On the chance that you were not proactive enough to have an autoinstall configuration on your TFTP server, the router or switch prompts you for something called Setup Mode.

Setup Mode

With non-CCNA technicians in mind, Cisco created Setup Mode so you can build a working configuration on a device without having to memorize the nuances of the CLI of the IOS. Setup Mode is a friendly interactive dialog in which the IOS asks the administrator questions about common configuration parameters that enable the Cisco device to have basic operations. Illustrated in Figure 7.2, the Setup Mode dialog initially asks you whether you wish to continue with Setup Mode. If you answer “no” to this question, you exit out of Setup Mode and are brought immediately to a CLI EXEC session. In addition, if you want to cancel at any point in the Setup Mode and get to the command prompt, you can use Ctrl+C to terminate the setup dialog. After you complete all questions, Setup Mode displays the parameters that you specified and asks you whether you want to use this configuration. If you answer “yes,” the Cisco device saves your configuration and applies the settings to the device’s operations.

Figure 7.2. Setup Mode dialog.

Tip

Throughout the configuration with the IOS, you may encounter several different types of interactive dialogs similar to Setup Mode. To save yourself from unnecessary typing, you can use the default value that is located in the brackets to answer any single-answer question by simply hitting the Enter key. For example, notice in Figure 7.2, the Enter host name prompt contains the word Router in brackets. If you were to press the Enter key at that prompt, this Cisco router would have a host name of Router.

At your organization, you may have Level 1 technicians who are not strong in Cisco fundamentals; thus, you want to ensure only that they have access to basic troubleshooting and statistics without worrying that they might change the configuration or cause some other network catastrophe. Because a multitude of administrators might need to gain access to these Cisco devices, it makes sense to ensure that the first level of IOS hierarchy they encounter is somewhat limited in the extent of what can be done. This is the nature of User EXEC.

In User EXEC, you are limited in the number and type of commands that are available to you. For instance, the majority of show commands are available at this level of the IOS hierarchy because they do not detrimentally affect the router or the switch to perform these commands. In addition, you can test IP connectivity to other devices with ping as well as remotely administer other devices or troubleshoot all the way up to Layer 7 with Telnet. The Cisco IOS prompt for User EXEC is signified by the greater than sign (>) following the hostname of the Cisco device. For example, a Cisco router and switch with their default hostnames would look like Router> and Switch>, respectively. Figure 7.3 displays the commands that you have available at User EXEC.

Figure 7.3. User EXEC command display.

Assuming you need to acquire more functionality from your Cisco devices beyond basic troubleshooting and statistical displays, you have to have another layer of the Cisco IOS hierarchy in which you have access to all commands. Happily named, Privileged EXEC is the next level of the IOS, in which you have the same commands as you do in User EXEC, as well as some commands that can alter the Cisco device’s functionality.

For example, in Privileged EXEC, you can perform debug commands that can show you hundreds of real-time routing and switching functions and report them to the console. Because this can cause quite a processing strain on the device, these commands are reserved for only those who can access Privileged EXEC. Additionally, some show commands such as show startup-config and show running-config can be seen only by those who should be able (privileged) to see the configuration of the devices (including passwords). Some other new and dangerous commands available in Privileged EXEC include delete, clear, erase, configure, copy, and reload (reboots the device), to name a few.

To gain access to Privileged EXEC, type the command enable from User EXEC. After you press Enter, the prompt changes from > to #, signifying that you are now in Privileged EXEC mode. Because anybody can read this section and learn how to get to these commands, it makes sense to have some way for the IOS to prompt for a password to authorize those who truly should be granted access. The next chapter discusses how to apply these passwords to restrict who gains access from User EXEC to Privileged EXEC. To return back to User EXEC, the reverse command is disable.

One of the commands that you can access through Privileged EXEC is configure. This means that we have to enter yet another level of the Cisco IOS to make any configuration changes to the Cisco device. By typing the configure terminal command, you are telling the Cisco IOS that you are going to configure the Cisco device via your terminal window. The new level you enter after you complete this command is called Global Configuration. You can recognize it by looking at the command prompt, which will reflect Router(config)# for routers and Switch(config)# for switches.

Figure 7.4 displays a partial output of just some of the commands that are available in Global Configuration. Note that the commands delete, debug, clear, configure, and copy do not show up in the list of commands. You have a different set of commands available to you at this level of the IOS versus Privileged and User EXEC. This means that you must exit Global Configuration to use these commands as well as show, reload, and other Privileged EXEC-specific commands.

Figure 7.4. Partial Global Configuration command display.

Of equal note, after you enter a command in the IOS, it is immediately applied to running-config and applied to the device’s operation. The configurations are not listed and then applied later like batch files or executed compiled programs. Configuration help is shown in Figure 7.4.

As the name states, any configuration that is applied in this level applies globally to the Cisco router or switch. Here we can perform configuration tasks such as changing the hostname of the router or switch, creating a login banner, creating a password to prompt users trying to gain access to Privileged EXEC, and many others. It is also at this level of the Cisco IOS hierarchy that you can enter several different sub-configuration modes to apply specific configurations for things such as interfaces, routing protocols, and EXEC lines (which are discussed throughout this book).

Even though the Cisco IOS is a command-line interface, it is not without its help features to help you through your navigation of the IOS. Specifically, to see what commands are available at any level of the IOS, you can use the help feature of the IOS, the question mark. By typing ? (no Enter keystroke necessary) at any level of the IOS, you get a listing of all the commands available and a brief description of the command, such as you saw in Figures 7.3 and 7.4.

Quite often, the list of available commands may extend beyond one terminal screen. This is apparent because the string —More— is displayed at the bottom of the list on the screen. To see the next page of listed commands, you can press the space bar and the command list scrolls another terminal screen’s length. If you prefer to see the commands line by line, you can keep hitting the Enter key and it displays only the next command each time you press it. On the chance that you have found the command you were looking for in the list, you can hit any key (pause for inevitable “where’s the any key?” joke) to get back to the command prompt.

In some instances, you may not recall the command that you are looking for, but you do remember the first letter of the command. Let’s say, for example, the command is in Global Configuration and starts with the letter l. You could use the question mark and scroll through all the commands; however, the IOS enables you to see the commands starting with l if you type the letter, followed immediately by the question mark (no space in between), as demonstrated below. Similarly, if you remembered that the command started with log, you can type those characters, followed immediately by the question mark, to see the commands logging and login-string.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#l?
l2tp-class  lane   li-view       line
logging     login  login-string
Router(config)#l

Keep in mind that many commands in the IOS require a string of keywords to comprehend what you are trying to achieve with the command. For instance, if I was searching for the command logging and hit the Enter key, the IOS would report back an error to the terminal screen that the command was incomplete because it does not understand where I want to send my logging information. If you are unsure of the commands available, once again, you use the question mark for command help. In this case, you must put a space after the first keyword followed by the question mark. The IOS then displays a list of commands that are valid after the keyword logging, as displayed here:

Router(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  buginf               Enable buginf logging for debugging
  cns-events           Set CNS Event logging level
  console              Set console logging parameters
  count                Count every log message and timestamp last occurrence
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  filter               Specify logging filter
  history              Configure syslog history table
  host                 Set syslog server IP address and parameters
  monitor              Set terminal line (monitor) logging parameters
  on                   Enable logging to all enabled destinations
  origin-id            Add origin ID to syslog messages
  queue-limit          Set logger message queue size
  rate-limit           Set messages per second limit
  reload               Set reload logging level
  server-arp           Enable sending ARP requests for syslog servers when
                       first configured
  source-interface     Specify interface for source address in logging
                       transactions
  trap                 Set syslog server logging level
  userinfo             Enable logging of user info on privileged mode enabling

Router(config)#logging

To make things easy for administration, the Cisco IOS enables you to abbreviate commands as long as you type enough characters for the IOS to interpret the command that you want to input. For instance, the previous example involved trying to locate the command that started with 1 in Global Configuration. Because there were several commands that started with 1, you would need to type in more characters to find the logging command. Specifically, you would need to type logg, which is just enough characters for the IOS to understand that you want to use the logging command. If you want the IOS to complete typing the command for you, you can hit the Tab key and it autocompletes the command when you provide enough characters.

To make terminal editing simpler and faster, Cisco has created several shortcut keystrokes that can speed up IOS navigation. The most useful of these shortcuts enables you to cycle through your command history to re-use or edit previously typed commands. You can use both the up and down arrow keys or Ctrl+N and Ctrl+P (if arrow keys are not supported at your terminal) to cycle through the last 10 commands in the history buffer relative to the level of the IOS you are currently located. Table 7.2 lists some other useful terminal editing keystrokes that will help you navigate within a command line.

The terminal editing keys discussed so far are very useful for moving within a particular level of the IOS. However, you need to know how to navigate back from those different levels of the Cisco IOS. Namely, if you need to go back one level of the IOS, simply type the command exit. For instance, if you are in the Interface Configuration mode of the IOS and you need to go back to Global Configuration, just type exit, and your prompt display should change from Router(config-if)# to Router(config)#.

Suppose you are back in the interface configuration and you need to ping or traceroute to your neighbor or do a show command to verify that the interface is working. Recall that this variety of commands can be performed only in Privileged EXEC or User EXEC. To return to these levels of the IOS hierarchy, you can type exit until you are all the way back. You can also use the keystroke Ctrl+Z or the keyword end, which will automatically take you back to Privileged EXEC, regardless of how deep in the configuration levels you happen to be.

As mentioned before, the IOS reports back error messages if you have not provided the correct syntax for a command. The three syntax error messages that you may encounter are as follows:

Below is an example for each of these three error console messages. Also notice that this configuration snapshot now includes abbreviations to get into Privileged EXEC and Global Configuration.

Router>
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#r
% Ambiguous command: "r"
Router(config)#router
% Incomplete command.
Router(config)#routre rip
                  ^
% Invalid input detected at '^' marker.

! Step 1
Router>
Router>en
! Step 2
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.o
! Step 3
Router(config)#line con 0
! Step 4
Router(config-line)#?
Line configuration commands:
  absolute-timeout            Set absolute timeout for line
 disconnection
  access-class                Filter connections based on an IP
 access list
  activation-character        Define the activation character
  autocommand                 Automatically execute an EXEC command
  autocommand-options         Autocommand options
  autohangup                  Automatically hangup when last
 connection closes
  autoselect                  Set line to autoselect
--More--
! Step 5
  buffer-length               Set DMA buffer length
***Output Removed for Brevity
! Step 6
Router(config-line)#exit
! Step 7
Router(config)#int ser 0/0
! Step 8
Router(config-if)#end
Router#
*Sep 26 23:40:41.019: %SYS-5-CONFIG_I: Configured from console by
 console