Cisco IOS

The Cisco IOS is a proprietary kernel that provides routing, switching, internetworking, and telecommunications features. The first IOS was written by William Yeager in 1986 and enabled networked applications. It runs on most Cisco routers as well as a growing number of Cisco Catalyst switches, like the Catalyst 2960 and 3560 series switches used in this book. And it’s an essential for the Cisco exam objectives!

Here’s a short list of some important things that the Cisco router IOS software is responsible for:

• Carrying network protocols and functions
• Connecting high-speed traffic between devices
• Adding security to control access and stopping unauthorized network use
• Providing scalability for ease of network growth and redundancy
• Supplying network reliability for connecting to network resources

You can access the Cisco IOS through the console port of a router or switch, from a modem into the auxiliary (or aux) port on a router, or even through Telnet and Secure Shell (SSH). Access to the IOS command line is called an EXEC session.

Connecting to a Cisco IOS Device

We connect to a Cisco device to configure it, verify its configuration, and check statistics, and although there are different approaches to this, the first place you would usually connect to is the console port. The console port is usually an RJ45, 8-pin modular connection located at the back of the device, and there may or may not be a password set on it by default.

You can also connect to a Cisco router through an auxiliary port, which is really the same thing as a console port, so it follows that you can use it as one. The main difference with an auxiliary port is that it also allows you to configure modem commands so that a modem can be connected to the router. This is a cool feature because it lets you dial up a remote router and attach to the auxiliary port if the router is down and you need to configure it remotely, out-of-band. One of the differences between Cisco routers and switches is that switches do not have an auxiliary port.

The third way to connect to a Cisco device is in-band, through the program Telnet or Secure Shell (SSH). In-band means configuring the device via the network, the opposite of out-of-band. We covered Telnet and SSH in Chapter 3, “Introduction to TCP/IP,” and in this chapter, I’ll show you how to configure access to both of these protocols on a Cisco device.

Figure 6.1 shows an illustration of a Cisco 2960 switch. Really focus in on all the different kinds of interfaces and connections! On the right side is the 10/100/1000 uplink. You can use either the UTP port or the fiber port, but not both at the same time.

The 3560 switch I’ll be using in this book looks a lot like the 2960, but it can perform layer 3 switching, unlike the 2960, which is limited to only layer 2 functions.

I also want to take a moment and tell you about the 2800 series router because that’s the router series I’ll be using in this book. This router is known as an Integrated Services Router (ISR) and Cisco has updated it to the 2900 series, but I still have plenty of 2800 series routers in my production networks. Figure 6.2 shows a new 1900 series router. The new ISR series of routers are nice; they are so named because many services, like security, are built into them. The ISR series router is a modular device, much faster and a lot sleeker than the older 2600 series routers, and it’s elegantly designed to support a broad new range of interface options. The new ISR series router can offer multiple serial interfaces, which can be used for connecting a T1 using a serial V.35 WAN connection. And multiple Fast Ethernet or Gigabit Ethernet ports can be used on the router, depending on the model. This router also has one console via an RJ45 connector and another through the USB port. There is also an auxiliary connection to allow a console connection via a remote modem.

You need to keep in mind that for the most part, you get some serious bang for your buck with the 2800/2900—unless you start adding a bunch of interfaces to it. You’ve got to pony up for each one of those little beauties, so this can really start to add up and fast!

A couple of other series of routers that will set you back a lot less than the 2800 series are the 1800/1900s, so look into these routers if you want a less-expensive alternative to the 2800/2900 but still want to run the same IOS.

So even though I’m going to be using mostly 2800 series routers and 2960/3560 switches throughout this book to demonstrate examples of IOS configurations, I want to point out that the particular router model you use to practice for the Cisco exam isn’t really important. The switch types are, though—you definitely need a couple 2960 switches as well as a 3560 switch if you want to measure up to the exam objectives!

Bringing Up a Switch

When you first bring up a Cisco IOS device, it will run a power-on self-test—a POST. Upon passing that, the machine will look for and then load the Cisco IOS from flash memory if an IOS file is present, then expand it into RAM. As you probably know, flash memory is electronically erasable programmable read-only memory—an EEPROM. The next step is for the IOS to locate and load a valid configuration known as the startup-config that will be stored in nonvolatile RAM (NVRAM).

Once the IOS is loaded and up and running, the startup-config will be copied from NVRAM into RAM and from then on referred to as the running-config.

But if a valid startup-config isn’t found in NVRAM, your switch will enter setup mode, giving you a step-by-step dialog to help configure some basic parameters on it.

You can also enter setup mode at any time from the command line by typing the command setup from privileged mode, which I’ll get to in a minute. Setup mode only covers some basic commands and generally isn’t really all that helpful. Here’s an example:

Would you like to enter the initial configuration dialog? [yes/no]: y

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: y
Configuring global parameters:

  Enter host name [Switch]: Ctrl+C
Configuration aborted, no changes made.

I highly recommend going through setup mode once, then never again because you should always use the CLI instead!

Entering the CLI

After the interface status messages appear and you press Enter, the Switch> prompt will pop up. This is called user exec mode, or user mode for short, and although it’s mostly used to view statistics, it is also a stepping stone along the way to logging in to privileged exec mode, called privileged mode for short.

You can view and change the configuration of a Cisco router only while in privileged mode, and you enter it via the enable command like this:

Switch>enable
Switch#

The Switch# prompt signals you’re in privileged mode where you can both view and change the switch configuration. You can go back from privileged mode into user mode by using the disable command:

Switch#disable
Switch>

You can type logout from either mode to exit the console:

Switch>logout
Switch con0 is now available
Press RETURN to get started.

Next, I’ll show how to perform some basic administrative configurations.

Overview of Router Modes

To configure from a CLI, you can make global changes to the router by typing configure terminal or just config t. This will get you into global configuration mode where you can make changes to the running-config. Commands run from global configuration mode are predictably referred to as global commands, and they are typically set only once and affect the entire router.

Type config from the privileged-mode prompt and then press Enter to opt for the default of terminal like this:

Switch#config
Configuring from terminal, memory, or network [terminal]? [press enter]
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

At this point, you make changes that affect the router as a whole (globally), hence the term global configuration mode. For instance, to change the running-config—the current configuration running in dynamic RAM (DRAM)—use the configure terminal command, as I just demonstrated.

CLI Prompts

Let’s explore the different prompts you’ll encounter when configuring a switch or router now, because knowing them well will really help you orient yourself and recognize exactly where you are at any given time while in configuration mode. I’m going to demonstrate some of the prompts used on a Cisco switch and cover the various terms used along the way. Make sure you’re very familiar with them, and always check your prompts before making any changes to a router’s configuration!

We’re not going to venture into every last obscure command prompt you could potentially come across in the configuration mode world because that would get us deep into territory that’s beyond the scope of this book. Instead, I’m going to focus on the prompts you absolutely must know to pass the exam plus the very handy and seriously vital ones you’ll need and use the most in real-life networking—the cream of the crop.

Switch(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Filter             Filter interface
  Filtergroup        Filter Group interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Portgroup          Portgroup interface
  Pos-channel        POS Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#)

Switch(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
Switch(config)#line console 0
Switch(config-line)#

Switch#config t
Switch(config)#ip access-list standard Todd
Switch(config-std-nacl)#

Switch(config)#router rip
IP routing not enabled
Switch(config)#ip routing
Switch(config)#router rip
Switch(config-router)#

Editing and Help Features

The Cisco advanced editing features can also help you configure your router. If you type in a question mark (?) at any prompt, you’ll be given a list of all the commands available from that prompt:

Switch#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  cd               Change current directory
  clear            Reset functions
  clock            Manage the system clock
  cns              CNS agents
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy from one file to another
  debug            Debugging functions (see also 'undebug')
  delete           Delete a file
  diagnostic       Diagnostic commands
  dir              List files on a filesystem
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  dot1x            IEEE 802.1X Exec Commands
  enable           Turn on privileged commands
  eou              EAPoUDP
  erase            Erase a filesystem
  exit             Exit from the EXEC
 ––More–– ?
Press RETURN for another line, SPACE for another page, anything else to quit

And if this is not enough information for you, you can press the spacebar to get another whole page of information, or you can press Enter to go one command at a time. You can also press Q, or any other key for that matter, to quit and return to the prompt. Notice that I typed a question mark (?) at the more prompt and it told me what my options were from that prompt.

Here’s a shortcut: To find commands that start with a certain letter, use the letter and the question mark with no space between them, like this:

Switch#c?
cd       clear  clock  cns  configure
connect  copy
Switch#c

Okay, see that? By typing c?, I got a response listing all the commands that start with c. Also notice that the Switch#c prompt reappears after the list of commands is displayed. This can be really helpful when you happen to be working with long commands but you’re short on patience and still need the next possible one. It would get old fast if you actually had to retype the entire command every time you used a question mark!

So with that, let’s find the next command in a string by typing the first command and then a question mark:

Switch#clock ?
  set  Set the time and date

Switch#clock set ?
  hh:mm:ss  Current Time

Switch#clock set 2:34 ?
% Unrecognized command

Switch#clock set 2:34:01 ?
  <1-31>  Day of the month
  MONTH   Month of the year

Switch#clock set 2:34:01 21 july ?
  <1993-2035>  Year

Switch#clock set 2:34:01 21 august 2013
Switch#
00:19:45: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:19:45
UTC Mon Mar 1 1993 to 02:34:01 UTC Wed Aug 21 2013, configured from console
by console.

I entered the clock ? command and got a list of the next possible parameters plus what they do. Make note of the fact that you can just keep typing a command, a space, and then a question mark until <cr> (carriage return) is your only option left.

And if you’re typing commands and receive

Switch#clock set 11:15:11
% Incomplete command.

no worries—that’s only telling you that the command string simply isn’t complete quite yet. All you need to do is to press the up arrow key to redisplay the last command entered and then continue with the command by using your question mark.

But if you get the error

Switch(config)#access-list 100 permit host 1.1.1.1 host 2.2.2.2
                                      ^
% Invalid input detected at '^' marker.

all is not well because it means you actually have entered a command incorrectly. See that little caret—the ^? It’s a very helpful tool that marks the exact point where you blew it and made a mess.

Here’s another example of when you’ll see that caret:

Switch#sh fastethernet 0/0
            ^
% Invalid input detected at '^' marker.

This command looks right, but be careful! The problem is that the full command is show interface fastethernet 0/0.

Now if you receive the error

Switch#sh cl
% Ambiguous command:  "sh cl"

you’re being told that there are multiple commands that begin with the string you entered and it’s not unique. Use the question mark to find the exact command you need:

Switch#sh cl?
class-map  clock  cluster

Case in point: There are three commands that start with show cl.

Table 6.2 lists the enhanced editing commands available on a Cisco router.

Another really cool editing feature you need to know about is the automatic scrolling of long lines. In the following example, the command I typed reached the right margin and automatically moved 11 spaces to the left. How do I know this? Because the dollar sign [$] is telling me that the line has been scrolled to the left:

Switch#config t
Switch(config)#$ 100 permit ip host 192.168.10.1 192.168.10.0 0.0.0.255

You can review the router-command history with the commands shown in Table 6.3.

The following example demonstrates the show history command as well as how to change the history’s size. It also shows how to verify the history with the show terminal command. First, use the show history command, which will allow you to see the last 20 commands that were entered on the router (even though my particular router reveals only 10 commands because that’s all I’ve entered since rebooting it). Check it out:

Switch#sh history
  sh fastethernet 0/0
  sh ru
  sh cl
  config t
  sh history
  sh flash
  sh running-config
  sh startup-config
  sh ver
  sh history

Okay—now, we’ll use the show terminal command to verify the terminal history size:

Switch#sh terminal
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 2 stopbits, 8 databits
Status: PSI Enabled, Ready, Active, Ctrl-c Enabled, Automore On
  0x40000
Capabilities: none
Modem state: Ready
[output cut]
Modem type is unknown.
Session limit is not set.
Time since activation: 00:17:22
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

Hostnames

We use the hostname command to set the identity of the router and switch. This is only locally significant, meaning it doesn’t affect how the router or switch performs name lookups or how the device actually works on the internetwork. But the hostname is still important in routes because it’s often used for authentication in many wide area networks (WANs). Here’s an example:

Switch#config t
Switch(config)#hostname Todd
Todd(config)#hostname Chicago
Chicago(config)#hostname Todd
Todd(config)#

I know it’s pretty tempting to configure the hostname after your own name, but it’s usually a much better idea to name the device something that relates to its physical location. A name that maps to where the device lives will make finding it a whole lot easier, which among other things, confirms that you’re actually configuring the correct device. Even though it seems like I’m completely ditching my own advice by naming mine Todd, I’m not, because this particular device really does live in “Todd’s” office. Its name perfectly maps to where it is, so it won’t be confused with those in the other networks I work with!

Banners

A very good reason for having a banner is to give any and all who dare attempt to telnet or sneak into your internetwork a little security notice. And they’re very cool because you can create and customize them so that they’ll greet anyone who shows up on the router with exactly the information you want them to have!

Here are the three types of banners you need to be sure you’re familiar with:

• Exec process creation banner
• Login banner
• Message of the day banner

And you can see them all illustrated in the following code:

Todd(config)#banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

Message of the day (MOTD) banners are the most widely used banners because they give a message to anyone connecting to the router via Telnet or an auxiliary port or even through a console port as seen here:

Todd(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
Todd(config)#banner motd #
Enter TEXT message. End with the character '#'.
$ Acme.com network, then you must disconnect immediately.
#
Todd(config)#^Z (Press the control key + z keys to return to privileged mode)
Todd#exit
con0 is now available
Press RETURN to get started.
If you are not authorized to be in Acme.com network, then you
must disconnect immediately.
Todd#

This MOTD banner essentially tells anyone connecting to the device to get lost if they’re not on the guest list. The part to focus upon here is the delimiting character, which is what informs the router the message is done. Clearly, you can use any character you want for it except for the delimiting character in the message itself. Once the message is complete, press Enter, then the delimiting character, and then press Enter again. Everything will still work if you don’t follow this routine unless you have more than one banner. If that’s the case, make sure you do follow it or your banners will all be combined into one message and put on a single line!

You can set a banner on one line like this:

Todd(config)#banner motd x Unauthorized access prohibited! x

Let’s take a minute to go into more detail about the other two types of banners I mentioned:

Exec banner You can configure a line-activation (exec) banner to be displayed when EXEC processes such as a line activation or an incoming connection to a VTY line have been created. Simply initiating a user exec session through a console port will activate the exec banner.

Login banner You can configure a login banner for display on all connected terminals. It will show up after the MOTD banner but before the login prompts. This login banner can’t be disabled on a per-line basis, so to globally disable it you’ve got to delete it with the no banner login command.

Here’s what a login banner output looks like:

!
banner login ^C
——————————————————————————————————————————————————————————————————————————–
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password
have a privilege level of 15.
Please change these publicly known initial credentials using
SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and
password you want to use.
For more information about SDM please follow the instructions
in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
————————————————————————————————————————————————————————————————————————————–
^C
!

The previous login banner should look pretty familiar to anyone who’s ever logged into an ISR router because it’s the banner Cisco has in the default configuration for its ISR routers.

Setting Passwords

There are five passwords you’ll need to secure your Cisco routers: console, auxiliary, telnet/SSH (VTY), enable password, and enable secret. The enable secret and enable password are the ones used to set the password for securing privileged mode. Once the enable commands are set, users will be prompted for a password. The other three are used to configure a password when user mode is accessed through the console port, through the auxiliary port, or via Telnet.

Let’s take a look at each of these now.

Todd(config)#enable ?
 last-resort Define enable action if no TACACS servers
             respond
 password    Assign the privileged level password
 secret      Assign the privileged level secret
 use-tacacs  Use TACACS to check enable passwords

Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your
  enable secret. This is not recommended. Re-enter the
  enable password.

Todd(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal

Todd(config-line)#line console ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line console ?
  <0-0>  First Line number
Todd(config)#line console 0
Todd(config-line)#password console
Todd(config-line)#login

Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
  <0-2147483>  Timeout in seconds
  <cr>
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous

Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line vty 0 ?
  <1-15>  Last Line number
  <cr>
Todd(config)#line vty 0 15
Todd(config-line)#password telnet
Todd(config-line)#login

Todd#telnet SwitchB
Trying SwitchB (10.0.0.1)...Open

Password required, but none set
[Connection to SwitchB closed by foreign host]
Todd#

SwitchB(config-line)#line vty 0 15
SwitchB(config-line)#no login

Todd#config t
Todd(config)#line aux ?
  <0-0>  First Line number
Todd(config)#line aux 0
Todd(config-line)#login
% Login disabled on line 1, until 'password' is set
Todd(config-line)#password aux
Todd(config-line)#login

Todd(config-line)#transport input ssh telnet

Encrypting Your Passwords

Because only the enable secret password is encrypted by default, you’ll need to manually configure the user-mode and enable passwords for encryption.

Notice that you can see all the passwords except the enable secret when performing a show running-config on a switch:

Todd#sh running-config
Building configuration...

Current configuration : 1020 bytes
!
! Last configuration change at 00:03:11 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Todd
!
enable secret 4 ykw.3/tgsOuy9.6qmgG/EeYOYgBvfX4v.S8UNA9Rddg
enable password todd
!
[output cut]
!
line con 0
 password console
 login
line vty 0 4
 password telnet
 login
line vty 5 15
 password telnet
 login
!
end

To manually encrypt your passwords, use the service password-encryption command. Here’s how:

Todd#config t
Todd(config)#service password-encryption
Todd(config)#exit
Todd#show run
Building configuration...
!
!
enable secret 4 ykw.3/tgsOuy9.6qmgG/EeYOYgBvfX4v.S8UNA9Rddg
enable password 7 1506040800
!
[output cut]
!
!
line con 0
 password 7 050809013243420C
 login
line vty 0 4
 password 7 06120A2D424B1D
 login
line vty 5 15
 password 7 06120A2D424B1D
 login
!
end
Todd#config t
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#

Nicely done—the passwords will now be encrypted. All you need to do is encrypt the passwords, perform a show run, then turn off the command if you want. This output clearly shows us that the enable password and the line passwords are all encrypted.

Before we move on to find out how to set descriptions on your interfaces, I want to stress some points about password encryption. As I said, if you set your passwords and then turn on the service password-encryption command, you have to perform a show running-config before you turn off the encryption service or your passwords won’t be encrypted. You don’t have to turn off the encryption service at all—you’d only do that if your switch is running low on processes. And if you turn on the service before you set your passwords, then you don’t even have to view them to have them encrypted.

Descriptions

Setting descriptions on an interface is another administratively helpful thing, and like the hostname, it’s also only locally significant. One case where the description command comes in really handy is when you want to keep track of circuit numbers on a switch or a router’s serial WAN port.

Here’s an example on my switch:

Todd#config t
Todd(config)#int fa0/1
Todd(config-if)#description Sales VLAN Trunk Link
Todd(config-if)#^Z
Todd#

And on a router serial WAN:

Router#config t
Router(config)#int s0/0/0
Router(config-if)#description WAN to Miami
Router(config-if)#^Z

You can view an interface’s description with either the show running-config command or the show interface—even with the show interface description command:

Todd#sh run
Building configuration...

Current configuration : 855 bytes
!
interface FastEthernet0/1
 description Sales VLAN Trunk Link
!
 [output cut]
Todd#sh int f0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is ecc8.8202.8282 (bia ecc8.8202.8282)
  Description: Sales VLAN Trunk Link
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
 [output cut]

Todd#sh int description
Interface                      Status         Protocol Description
Vl1                            up             up
Fa0/1                          up             up     Sales VLAN Trunk Link
Fa0/2                          up             up

Todd(config)#sh run
                  ^
% Invalid input detected at '^' marker.

Todd(config)#do show run
Building configuration...

Current configuration : 759 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Todd
!
boot-start-marker
boot-end-marker
!
[output cut]

Bringing Up an Interface

You can disable an interface with the interface command shutdown and enable it with the no shutdown command. Just to remind you, all switch ports are enabled by default and all router ports are disabled by default, so we’re going to talk more about router ports than switch ports in the next few sections.

If an interface is shut down, it’ll display as administratively down when you use the show interfaces command (sh int for short):

Router#sh int f0/0
FastEthernet0/1 is administratively down, line protocol is down
[output cut]

Another way to check an interface’s status is via the show running-config command. You can bring up the router interface with the no shutdown command (no shut for short):

Router(config)#int f0/0
Router(config-if)#no shutdown
*August 21 13:45:08.455: %LINK-3-UPDOWN: Interface FastEthernet0/0,
     changed state to up
Router(config-if)#do show int f0/0
FastEthernet0/0 is up, line protocol is up
[output cut]

Todd(config)#int f0/1
Todd(config-if)#ip address 172.16.10.2 255.255.255.0

Todd(config-if)#ip address 172.16.20.2 255.255.255.0 ?
  secondary  Make this IP address a secondary address
  <cr>
Todd(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
Todd(config-if)#do sh run
Building configuration...
[output cut]

interface FastEthernet0/1
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
 duplex auto
 speed auto
!

Router#sh run | ?
  append    Append redirected output to URL (URLs supporting append
            operation only)
  begin     Begin with the line that matches
  exclude   Exclude lines that match
  include   Include lines that match
  redirect  Redirect output to URL
  section   Filter a section of output
  tee       Copy output to URL

Router#sh run | begin interface
interface FastEthernet0/0
 description Sales VLAN
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 description Wan to SF circuit number 6fdda 12345678
 no ip address
!

Todd#sh ip route | include 192.168.3.32
R       192.168.3.32 [120/2] via 10.10.10.8, 00:00:25, FastEthernet0/0
Todd#

Serial Interface Commands

But wait! Before you just jump in and configure a serial interface, you need some key information, like knowing the interface will usually be attached to a CSU/DSU type of device that provides clocking for the line to the router. Check out Figure 6.3 for an example.

Here you can see that the serial interface is used to connect to a DCE network via a CSU/DSU that provides the clocking to the router interface. But if you have a back-to-back configuration, such as one that’s used in a lab environment like the one in Figure 6.4, one end—the data communication equipment (DCE) end of the cable—must provide clocking!

By default, Cisco router serial interfaces are all data terminal equipment (DTE) interfaces, which means that you must configure an interface to provide clocking if you need it to act like a DCE device. Again, you would not provide clocking on a production WAN serial connection because you would have a CSU/DSU connected to your serial interface, as shown in Figure 6.3.

You configure a DCE serial interface with the clock rate command:

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int s0/0/0
Router(config-if)#clock rate ?
        Speed (bits per second)
  1200
  2400
  4800
  9600
  14400
  19200
  28800
  32000
  38400
  48000
  56000
  57600
  64000
  72000
  115200
  125000
  128000
  148000
  192000
  250000
  256000
  384000
  500000
  512000
  768000
  800000
  1000000
  2000000
  4000000
  5300000
  8000000

  <300-8000000>    Choose clockrate from list above
Router(config-if)#clock rate 1000000

The clock rate command is set in bits per second. Besides looking at the cable end to check for a label of DCE or DTE, you can see if a router’s serial interface has a DCE cable connected with the show controllers int command:

Router#sh controllers s0/0/0
Interface Serial0/0/0
Hardware is GT96K
DTE V.35idb at 0x4342FCB0, driver data structure at 0x434373D4

Here is an example of an output depicting a DCE connection:

Router#sh controllers s0/2/0
Interface Serial0/2/0
Hardware is GT96K
DCE V.35, clock rate 1000000

The next command you need to get acquainted with is the bandwidth command. Every Cisco router ships with a default serial link bandwidth of T1 (1.544 Mbps). But this has nothing to do with how data is transferred over a link. The bandwidth of a serial link is used by routing protocols such as EIGRP and OSPF to calculate the best cost path to a remote network. So if you’re using RIP routing, the bandwidth setting of a serial link is irrelevant since RIP uses only hop count to determine this.

Here’s an example of using the bandwidth command:

Router#config t
Router(config)#int s0/0/0
Router(config-if)#bandwidth ?
  <1-10000000>  Bandwidth in kilobits
  inherit       Specify that bandwidth is inherited
  receive       Specify receive-side bandwidth
Router(config-if)#bandwidth 1000

Did you notice that, unlike the clock rate command, the bandwidth command is configured in kilobits per second?

Deleting the Configuration and Reloading the Device

You can delete the startup-config file by using the erase startup-config command:

Todd#erase start
% Incomplete command.

First, notice that you can no longer use the shortcut commands for erasing the backup configuration. This started in IOS 12.4 with the ISR routers.

Todd#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Todd#
*Mar  5 01:59:45.206: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Todd#reload
Proceed with reload? [confirm]

Now if you reload or power the router down after using the erase startup-config command, you’ll be offered setup mode because there’s no configuration saved in NVRAM. You can press Ctrl+C to exit setup mode at any time, but the reload command can only be used from privileged mode.

At this point, you shouldn’t use setup mode to configure your router. So just say no to setup mode, because it’s there to help people who don’t know how to use the command line interface (CLI), and this no longer applies to you. Be strong—you can do it!

Verifying Your Configuration

Obviously, show running-config would be the best way to verify your configuration and show startup-config would be the best way to verify the configuration that’ll be used the next time the router is reloaded—right?

Well, once you take a look at the running-config, if all appears well, you can verify your configuration with utilities like Ping and Telnet. Ping is a program that uses ICMP echo requests and replies, which we covered in Chapter 3. For review, Ping sends a packet to a remote host, and if that host responds, you know that it’s alive. But you don’t know if it’s alive and also well; just because you can ping a Microsoft server does not mean you can log in! Even so, Ping is an awesome starting point for troubleshooting an internetwork.

Did you know that you can ping with different protocols? You can, and you can test this by typing ping ? at either the router user-mode or privileged-mode prompt:

Todd#ping ?
  WORD  Ping destination address or hostname
  clns  CLNS echo
  ip    IP echo
  ipv6  IPv6 echo
  tag   Tag encapsulated IP echo
  <cr>

If you want to find a neighbor’s Network layer address, either you go straight to the router or switch itself or you can type show cdp entry * protocol to get the Network layer addresses you need for pinging.

You can also use an extended ping to change the default variables, as shown here:

Todd#ping
Protocol [ip]:
Target IP address: 10.1.1.1
Repeat count [5]:
% A decimal number between 1 and 2147483647.
Repeat count [5]: 5000
Datagram size [100]:
% A decimal number between 36 and 18024.
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: FastEthernet 0/1
Source address or interface: Vlan 1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5000, 1500-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1

Notice that by using the question mark, I was able to determine that extended ping allows you to set the repeat count higher than the default of 5 and the datagram size larger. This raises the MTU and allows for a more accurate testing of throughput. The source interface is one last important piece of information I’ll pull out of the output. You can choose which interface the ping is sourced from, which is really helpful in certain diagnostic situations. Using my switch to display the extended ping capabilities, I had to use my only routed port, which is named VLAN 1, by default.

However, if you want to use a different diagnostic port, you can create a logical interface called a loopback interface as so:

Todd(config)#interface loopback ?
   <0-2147483647>  Loopback interface number

Todd(config)#interface loopback 0
*May 19 03:06:42.697: %LINEPROTO-5-UPDOWN: Line prot
  changed state to ups
Todd(config-if)#ip address 20.20.20.1 255.255.255.0  

Now I can use this port for diagnostics, and even as my source port of my ping or traceroute, as so:

Todd#ping
Protocol [ip]:
Target IP address: 10.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 20.20.20.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 20.20.20.1

The logical interface are great for diagnostics and for using them in our home labs where we don’t have any real interfaces to play with, but we’ll also use them in our OSPF configurations in ICND2.

Traceroute uses ICMP with IP time to live (TTL) time-outs to track the path a given packet takes through an internetwork. This is in contrast to Ping, which just finds the host and responds. Traceroute can also be used with multiple protocols. Check out this output:

Todd#traceroute ?
  WORD       Trace route to destination address or hostname
  aaa        Define trace options for AAA events/actions/errors
  appletalk  AppleTalk Trace
  clns       ISO CLNS Trace
  ip         IP Trace
  ipv6       IPv6 Trace
  ipx        IPX Trace
  mac        Trace Layer2 path between 2 endpoints
  oldvines   Vines Trace (Cisco)
  vines      Vines Trace (Banyan)
  <cr>

And as with ping, we can perform an extended traceroute using additional parameters, typically used to change the source interface:

Todd#traceroute
Protocol [ip]:
Target IP address: 10.1.1.1
Source address: 172.16.10.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]: 255
Maximum Time to Live [30]:
Type escape sequence to abort.
Tracing the route to 10.1.1.1

Telnet, FTP, and HTTP are really the best tools because they use IP at the Network layer and TCP at the Transport layer to create a session with a remote host. If you can telnet, ftp, or http into a device, you know that your IP connectivity just has to be solid!

Todd#telnet ?
 WORD IP address or hostname of a remote system
 <cr>
Todd#telnet 10.1.1.1

When you telnet into a remote device, you won't see console messages by default. For example, you will not see debugging output. To allow console messages to be sent to your Telnet session, use the terminal monitor command, as shown on the SF router.

SF#terminal monitor

From the switch or router prompt, you just type a hostname or IP address and it will assume you want to telnet—you don’t need to type the actual command, telnet.

Coming up, I’ll show you how to verify the interface statistics.

Router#sh int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CDMA-Ix            CDMA Ix interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-PPP        Virtual PPP interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  accounting         Show interface accounting
  counters           Show interface counters
  crb                Show interface routing/bridging info
  dampening          Show interface dampening info
  description        Show interface description
  etherchannel       Show interface etherchannel information
  irb                Show interface routing/bridging info
  mac-accounting     Show interface MAC accounting info
  mpls-exp           Show interface MPLS experimental accounting info
  precedence         Show interface precedence accounting info
  pruning            Show interface trunk VTP pruning information
  rate-limit         Show interface rate-limit info
  status             Show interface line status
  summary            Show interface summary
  switching          Show interface switching
  switchport         Show interface switchport information
  trunk              Show interface trunk information
  |                  Output modifiers
  <cr>

Router#sh int f0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
  Internet address is 192.168.1.33/27
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:02:07, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     16 packets output, 960 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Router#

Router#sh int fa0/0
FastEthernet0/0 is up, line protocol is up

Router#sh int s0/0/0
Serial0/0 is up, line protocol is down

Router#sh int s0/0/0
Serial0/0 is down, line protocol is down

Router#sh int s0/0/0
Serial0/0 is administratively down, line protocol is down

Router#sh int s0/0/0
Serial0/0 is up, line protocol is up
 Hardware is HD64570
 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
   reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation HDLC, loopback not set, keepalive set
  (10 sec)
 Last input never, output never, output hang never
 Last clearing of "show interface" counters never
 Queueing strategy: fifo
 Output queue 0/40, 0 drops; input queue 0/75, 0 drops
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
   0 packets input, 0 bytes, 0 no buffer
   Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored,
   0 abort
   0 packets output, 0 bytes, 0 underruns
   0 output errors, 0 collisions, 16 interface resets
   0 output buffer failures, 0 output buffers swapped out
   0 carrier transitions
   DCD=down DSR=down DTR=down RTS=down CTS=down

Router#clear counters ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Line               Terminal line
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  <cr>

Router#clear counters s0/0/0
Clear "show interface" counters on this interface
  [confirm][enter]
Router#
00:17:35: %CLEAR-5-COUNTERS: Clear counter on interface
  Serial0/0/0 by console
Router#

  275496 packets input, 35226811 bytes, 0 no buffer
     Received 69748 broadcasts (58822 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 58822 multicast, 0 pause input
     0 input packets with dribble condition detected
     2392529 packets output, 337933522 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/2 (not
half duplex)

Router#sh ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 1.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
[output cut]

Router#sh ip int brief
Interface         IP-Address      OK? Method Status  Protocol
FastEthernet0/0    unassigned      YES unset  up       up
FastEthernet0/1    unassigned      YES unset  up       up
Serial0/0/0        unassigned      YES unset  up       down
Serial0/0/1        unassigned      YES unset  administratively down down
Serial0/1/0        unassigned      YES unset  administratively down down
Serial0/2/0        unassigned      YES unset  administratively down down

Router#sh protocols
Global values:
  Internet Protocol routing is enabled
Ethernet0/0 is administratively down, line protocol is down
Serial0/0 is up, line protocol is up
  Internet address is 100.30.31.5/24
Serial0/1 is administratively down, line protocol is down
Serial0/2 is up, line protocol is up
  Internet address is 100.50.31.2/24
Loopback0 is up, line protocol is up
  Internet address is 100.20.31.1/24

Using the show controllers Command

The show controllers command displays information about the physical interface itself. It’ll also give you the type of serial cable plugged into a serial port. Usually, this will only be a DTE cable that plugs into a type of data service unit (DSU).

Router#sh controllers serial 0/0
HD unit 0, idb = 0x1229E4, driver structure at 0x127E70
buffer size 1524 HD unit 0, V.35 DTE cable

Router#sh controllers serial 0/1
HD unit 1, idb = 0x12C174, driver structure at 0x131600
buffer size 1524 HD unit 1, V.35 DCE cable

Notice that serial 0/0 has a DTE cable, whereas the serial 0/1 connection has a DCE cable. Serial 0/1 would have to provide clocking with the clock rate command. Serial 0/0 would get its clocking from the DSU.

Let’s look at this command again. In Figure 6.5, see the DTE/DCE cable between the two routers? Know that you will not see this in production networks!

Router R1 has a DTE connection, which is typically the default for all Cisco routers. Routers R1 and R2 can’t communicate. Check out the output of the show controllers s0/0 command here:

R1#sh controllers serial 0/0
HD unit 0, idb = 0x1229E4, driver structure at 0x127E70
buffer size 1524 HD unit 0, V.35 DCE cable

The show controllers s0/0 command reveals that the interface is a V.35 DCE cable. This means that R1 needs to provide clocking of the line to router R2. Basically, the interface has the wrong label on the cable on the R1 router’s serial interface. But if you add clocking on the R1 router’s serial interface, the network should come right up.

Let’s check out another issue in Figure 6.6 that you can solve by using the show controllers command. Again, routers R1 and R2 can’t communicate.

Here’s the output of R1’s show controllers s0/0 command and show ip interface s0/0:

R1#sh controllers s0/0
HD unit 0, idb = 0x1229E4, driver structure at 0x127E70
buffer size 1524 HD unit 0,
DTE V.35 clocks stopped
cpb = 0xE2, eda = 0x4140, cda = 0x4000
R1#sh ip interface s0/0
Serial0/0 is up, line protocol is down
  Internet address is 192.168.10.2/24
  Broadcast address is 255.255.255.255

If you use the show controllers command and the show ip interface command, you’ll see that router R1 isn’t receiving the clocking of the line. This network is a nonproduction network, so no CSU/DSU is connected to provide clocking for it. This means the DCE end of the cable will be providing the clock rate—in this case, the R2 router. The show ip interface indicates that the interface is up but the protocol is down, which means that no keepalives are being received from the far end. In this example, the likely culprit is the result of bad cable, or simply the lack of clocking.

Hands-on Lab 6.1: Erasing an Existing Configuration

The following lab may require the knowledge of a username and password to enter privileged mode. If the router has a configuration with an unknown username and password for privileged mode, this procedure will not be possible. It is possible to erase a configuration without a privileged mode password, but the exact steps depend on the model and will not be covered until Chapter 7.

1. Start the switch up and when prompted, press Enter.
2. At the Switch> prompt, type enable.
3. If prompted, enter the username and press Enter. Then enter the correct password and press Enter.
4. At the privileged mode prompt, type erase startup-config.
5. At the privileged mode prompt, type reload, and when prompted to save the configuration, type n for no.

Hands-on Lab 6.2: Exploring User, Privileged, and Configuration Modes

In the following lab, you’ll explore user, privileged, and configuration modes:

1. Plug the switch in, or turn the router on. If you just erased the configuration as in Hands-on Lab 6.1, when prompted to continue with the configuration dialog, enter n for no and press Enter. When prompted, press Enter to connect to your router. This will put you into user mode.
2. At the Switch> prompt, type a question mark (?).
3. Notice the –more– at the bottom of the screen.
4. Press the Enter key to view the commands line by line. Press the spacebar to view the commands a full screen at a time. You can type q at any time to quit.
5. Type enable or en and press Enter. This will put you into privileged mode where you can change and view the router configuration.
6. At the Switch# prompt, type a question mark (?). Notice how many options are available to you in privileged mode.
7. Type q to quit.
8. Type config and press Enter.
9. When prompted for a method, press Enter to configure your router using your terminal (which is the default).
10. At the Switch(config)# prompt, type a question mark (?), then q to quit, or press the spacebar to view the commands.
11. Type interface f0/1 or int f0/1 (or even int gig0/1) and press Enter. This will allow you to configure interface FastEthernet 0/1 or Gigabit 0/1.
12. At the Switch(config-if)# prompt, type a question mark (?).
13. If using a router, type int s0/0, interface s0/0 or even interface s0/0/0 and press Enter. This will allow you to configure interface serial 0/0. Notice that you can go from interface to interface easily.
14. Type encapsulation ?.
15. Type exit. Notice how this brings you back one level.
16. Press Ctrl+Z. Notice how this brings you out of configuration mode and places you back into privileged mode.
17. Type disable. This will put you into user mode.
18. Type exit, which will log you out of the router or switch.

Hands-on Lab 6.3: Using the Help and Editing Features

This lab will provide hands-on experience with Cisco’s help and editing features.

1. Log into your device and go to privileged mode by typing en or enable.
2. Type a question mark (?).
3. Type cl? and then press Enter. Notice that you can see all the commands that start with cl.

4. Type clock ? and press Enter.

5. Set the clock by typing clock ? and, following the help screens, setting the time and date. The following steps walk you through setting the date and time.
6. Type clock ?.
7. Type clock set ?.
8. Type clock set 10:30:30 ?.
9. Type clock set 10:30:30 14 May ?.
10. Type clock set 10:30:30 14 May 2011.
11. Press Enter.
12. Type show clock to see the time and date.
13. From privileged mode, type show access-list 10. Don’t press Enter.
14. Press Ctrl+A. This takes you to the beginning of the line.
15. Press Ctrl+E. This should take you back to the end of the line.
16. Ctrl+A takes your cursor back to the beginning of the line, and then Ctrl+F moves your cursor forward one character.
17. Press Ctrl+B, which will move you back one character.
18. Press Enter, then press Ctrl+P. This will repeat the last command.
19. Press the up arrow key on your keyboard. This will also repeat the last command.
20. Type sh history. This shows you the last 10 commands entered.
21. Type terminal history size ?. This changes the history entry size. The ? is the number of allowed lines.
22. Type show terminal to gather terminal statistics and history size.
23. Type terminal no editing. This turns off advanced editing. Repeat steps 14 through 18 to see that the shortcut editing keys have no effect until you type terminal editing.
24. Type terminal editing and press Enter to re-enable advanced editing.
25. Type sh run, then press your Tab key. This will finish typing the command for you.
26. Type sh start, then press your Tab key. This will finish typing the command for you.

Hands-on Lab 6.4: Saving a Configuration

In this lab, you will get hands-on experience saving a configuration:

1. Log into your device and go into privileged mode by typing en or enable, then press Enter.
2. To see the configuration stored in NVRAM, type sh start and press Tab and Enter, or type show startup-config and press Enter. However, if no configuration has been saved, you will get an error message.
3. To save a configuration to NVRAM, which is known as startup-config, you can do one of the following:
   • Type copy run start and press Enter.
   • Type copy running, press Tab, type start, press Tab, and press Enter.
   • Type copy running-config startup-config and press Enter.
4. Type sh start, press Tab, then press Enter.
5. Type sh run, press Tab, then press Enter.
6. Type erase startup-config, press Tab, then press Enter.
7. Type sh start, press Tab, then press Enter. The router will either tell you that NVRAM is not present or display some other type of message, depending on the IOS and hardware.
8. Type reload, then press Enter. Acknowledge the reload by pressing Enter. Wait for the device to reload.
9. Say no to entering setup mode, or just press Ctrl+C.

Hands-on Lab 6.5: Setting Passwords

This hands-on lab will have you set your passwords.

1. Log into the router and go into privileged mode by typing en or enable.
2. Type config t and press Enter.
3. Type enable ?.
4. Set your enable secret password by typing enable secret password (the third word should be your own personalized password) and pressing Enter. Do not add the parameter password after the parameter secret (this would make your password the word password). An example would be enable secret todd.
5. Now let’s see what happens when you log all the way out of the router and then log in. Log out by pressing Ctrl+Z, and then type exit and press Enter. Go to privileged mode. Before you are allowed to enter privileged mode, you will be asked for a password. If you successfully enter the secret password, you can proceed.
6. Remove the secret password. Go to privileged mode, type config t, and press Enter. Type no enable secret and press Enter. Log out and then log back in again; now you should not be asked for a password.

7. One more password used to enter privileged mode is called the enable password. It is an older, less secure password and is not used if an enable secret password is set. Here is an example of how to set it:

   config t
   enable password todd1

8. Notice that the enable secret and enable passwords are different. They should never be set the same. Actually, you should never use the enable password, only enable secret.
9. Type config t to be at the right level to set your console and auxiliary passwords, then type line ?.
10. Notice that the parameters for the line commands are auxiliary, vty, and console. You will set all three if you’re on a router; if you’re on a switch, only the console and VTY lines are available.
11. To set the Telnet or VTY password, type line vty 0 4 and then press Enter. The 0 4 is the range of the five available virtual lines used to connect with Telnet. If you have an enterprise IOS, the number of lines may vary. Use the question mark to determine the last line number available on your router.

12. The next command is used to set the authentication on or off. Type login and press Enter to prompt for a user-mode password when telnetting into the device. You will not be able to telnet into a Cisco device if the password is not set.

13. One more command you need to set for your VTY password is password. Type password password to set the password. (password is your password.)

14. Here is an example of how to set the VTY password:

    config t
    line vty 0 4
    password todd
    login

15. Set your auxiliary password by first typing line auxiliary 0 or line aux 0 (if you are using a router).
16. Type login.
17. Type password password.
18. Set your console password by first typing line console 0 or line con 0.
19. Type login.

20. Type password password. Here is an example of the last two command sequences:

    config t
    line con 0
    password todd1
    login
    line aux 0
    password todd
    login

21. You can add the Exec-timeout 0 0 command to the console 0 line. This will stop the console from timing out and logging you out. The command sequence will now look like this:

    config t
    line con 0
    password todd2
    login
    exec-timeout 0 0

22. Set the console prompt to not overwrite the command you’re typing with console messages by using the command logging synchronous.

    config t
    line con 0
    logging synchronous

Hands-on Lab 6.6: Setting the Hostname, Descriptions, IP Address, and Clock Rate

This lab will have you set your administrative functions on each device.

1. Log into the switch or router and go into privileged mode by typing en or enable. If required, enter a username and password.

2. Set your hostname by using the hostname command. Notice that it is one word. Here is an example of setting your hostname on your router, but the switch uses the exact same command:

   Router#config t
   Router(config)#hostname RouterA
   RouterA(config)#

   Notice that the hostname of the router changed in the prompt as soon as you pressed Enter.

3. Set a banner that the network administrators will see by using the banner command, as shown in the following steps.
4. Type config t, then banner ?.
5. Notice that you can set at least four different banners. For this lab we are only interested in the login and message of the day (MOTD) banners.

6. Set your MOTD banner, which will be displayed when a console, auxiliary, or Telnet connection is made to the router, by typing this:

   config t
   banner motd #
   This is an motd banner
   #

7. The preceding example used a # sign as a delimiting character. This tells the router when the message is done. You cannot use the delimiting character in the message itself.

8. You can remove the MOTD banner by typing the following command:

   config t
   no banner motd

9. Set the login banner by typing this:

   config t
   banner login #
   This is a login banner
   #

10. The login banner will display immediately after the MOTD but before the user-mode password prompt. Remember that you set your user-mode passwords by setting the console, auxiliary, and VTY line passwords.

11. You can remove the login banner by typing this:

    config t
    no banner login

12. You can add an IP address to an interface with the ip address command if you are using a router. You need to get into interface configuration mode first; here is an example of how you do that:

    config t
    int f0/1
    ip address 1.1.1.1 255.255.0.0
    no shutdown

    Notice that the IP address (1.1.1.1) and subnet mask (255.255.0.0) are configured on one line. The no shutdown (or no shut for short) command is used to enable the interface. All interfaces are shut down by default on a router. If you are on a layer 2 switch, you can set an IP address only on the VLAN 1 interface.

13. You can add identification to an interface by using the description command. This is useful for adding information about the connection. Here is an example:

    config t
    int f0/1
    ip address 2.2.2.1 255.255.0.0
    no shut
    description LAN link to Finance

14. You can add the bandwidth of a serial link as well as the clock rate when simulating a DCE WAN link on a router. Here is an example:

    config t
    int s0/0
    bandwidth 1000
    clock rate 1000000