Chapter 14. Configuring a Cisco Router
This chapter provides information and commands concerning the following topics:
Configuring a router, specifically
Device name
Router Modes
Router> |
User mode |
Router# |
Privileged EXEC mode (also known as EXEC-level mode) |
Router(config)# |
Global configuration mode |
Router(config-if)# |
Interface mode |
Router(config-subif)# |
Subinterface mode |
Router(config-line)# |
Line mode |
Router(config-router)# |
Router configuration mode |
Tip
There are other modes than these. Not all commands work in all modes. Be careful. If you type in a command that you know is correct—show running-config, for example—and you get an error, make sure that you are in the correct mode.
Entering Global Configuration Mode
Router> |
Limited viewing of configuration. You cannot make changes in this mode |
Router> enable |
Moves to privileged EXEC mode |
Router# |
You can see the configuration and move to make changes |
|
Moves to global configuration mode. This prompt indicates that you can start making changes |
Configuring a Router Name
This command works on both routers and switches
Router(config)# hostname Cisco |
The name can be any word you choose. The name should start with a letter and contain no spaces |
Cisco(config)# |
Notice that the name of the router has changed from the default Router to Cisco |
Configuring Passwords
These commands work on both routers and switches.
Router(config)# enable password cisco |
Sets enable password to cisco |
Router(config)# enable secret class |
Sets enable secret password to class |
Router(config)# line console 0 |
Enters console line mode |
Router(config-line)# password console |
Sets console line mode password to console |
Router(config-line)# login |
Enables password checking at login |
Router(config)# line vty 0 4 |
Enters vty line mode for all five vty lines |
Router(config-line)# password telnet |
Sets vty password to telnet |
Router(config-line)# login |
Enables password checking at login |
Router(config)# line aux 0 |
Enters auxiliary line mode Note This is not available on Cisco switches |
Router(config-line)# password backdoor |
Sets auxiliary line mode password to backdoor |
Router(config-line)# login |
Enables password checking at login |
Caution
The enable secret password is encrypted by default. The enable password is not. For this reason, recommended practice is that you never use the enable password command. Use only the enable secret password command in a router or a switch configuration. You cannot set both enable secret password and enable password to the same password. Doing so defeats the use of encryption.
Password Encryption
Router(config)# service password-encryption |
Clear text passwords will be hidden using a weak encryption algorithm |
Router(config)# enable password cisco |
Sets enable password to cisco |
Router(config)# line console 0 |
Moves to console line mode |
Router(config-line)# password Cisco |
Continue setting passwords as above |
. . . |
|
Router(config)# no service password-encryption |
Turns off password encryption |
Caution
If you have turned on service password-encryption, used it, and then turned it off, any passwords that you have encrypted stay encrypted. New passwords remain unencrypted.
Interface Names
One of the biggest problems that new administrators face is the interface names on the different models of routers. With all the different Cisco devices in production networks today, some administrators are becoming confused about the names of their interfaces. Using Cisco devices that are no longer in production but are still valuable in a lab or classroom setting can also complicate matters. Older devices are still a great (and inexpensive) way to learn the basics (and in some cases the more advanced methods) of router configuration.
The following chart is a sample of some of the different interface names for various routers. This is by no means a complete list. Refer to the hardware guide of the specific router that you are working on to see the various combinations, or use the following command to see which interfaces are installed on your particular router:
router# show ip interface brief
Note
An “on-board” port is a fixed port that is built directly into the motherboard. A “slot” is used to expand port density of a device by inserting a module that plugs into the motherboard. A module may contain several ports. Depending on the router, you may have no slots or many.
| Router Model | Port Location/Slot Number | Slot/Port Type | Slot Numbering Range | Example |
| 2501 | On board | Ethernet | Interface-type number | ethernet0 (e0) |
| On board | Serial | Interface-type number | serial0 (s0) and s1 | |
| 2514 | On board | Ethernet | Interface-type number | e0 and e1 |
| On board | Serial | Interface-type number | s0 and s1 | |
| 1721 | On board | Fast Ethernet | Interface-type number | fastethernet0 (fa0) |
| Slot 0 | Wireless Access Controller (WAC) | Interface-type number | s0 and s1 | |
| 1760 | On board | Fast Ethernet | Interface-type 0/port | fa0/0 |
| Slot 0 | WAN Interface Card (WIC)/Voice Interface Card (VIC) | Interface-type 0/port | s0/0 and s0/1 v0/0 and v0/1 | |
| Slot 1 | WIC/VIC | Interface-type 1/port | s1/0 and s1/1 v1/0 and v1/1 | |
| Slot 2 | VIC | Interface-type 2/port | v2/0 and v2/1 | |
| Slot 3 | VIC | Interface-type 3/port | v3/0 and v3/1 | |
| 2610 | On board | Ethernet | Interface-type 0/port | e0/0 |
| Slot 0 | WIC (serial) | Interface-type 0/port | s0/0 and s0/1 | |
| 2611 | On board | Ethernet | Interface-type 0/port | e0/0 and e0/1 |
| Slot 0 | WIC (serial) | Interface-type 0/port | s0/0 and s0/1 | |
| 2620 | On board | Fast Ethernet | Interface-type 0/port | fa0/0 |
| Slot 0 | WIC (serial) | Interface-type 0/port | s0/0 and s0/1 | |
| 2621 | On board | Fast Ethernet | Interface-type 0/port | fa0/0 and fa0/1 |
| Slot 0 | WIC (serial) | Interface-type 0/port | s0/0 and s0/1 | |
| 1841 | On board | Fast Ethernet | Interface-type 0/port | fa0/0 and fa0/1 |
| Slot 0 | High-speed WAN Interface Card (HWIC)/WIC/Voice WAN Interface Card (VWIC) | Interface-type 0/slot/port | s0/0/0 and s0/0/1 | |
| Slot 1 | HWIC/WIC/VWIC | Interface-type 0/slot/port | s0/1/0 and s0/1/1 | |
| 2801 | On board | Fast Ethernet | Interface-type 0/port | fa0/0 and fa0/1 |
| Slot 0 | VIC/VWIC (voice only) | Interface-type 0/slot/port | voice0/0/0–voice0/0/3 | |
| Slot 1 | HWIC/WIC/VWIC | Interface-type 0/slot/port | 0/1/0–0/1/3 (single-wide HWIC) 0/1/0–0/1/7 (double-wide HWIC) | |
| Slot 2 | WIC/VIC/VWIC | Interface-type 0/slot/port | 0/2/0–0/2/3 | |
| Slot 3 | HWIC/WIC/VWIC | Interface-type 0/slot/port | 0/3/0–0/3/3 (single-wide HWIC) 0/3/0–0/3/7 (double-wide HWIC) | |
| 2811 | Built in to chassis front | USB | Interface-type port | usb0 and usb1 |
| Built in to chassis rear | Fast Ethernet Gigabit Ethernet | Interface-type 0/port | fa0/0 and fa0/1 gi0/0 and gi0/1 | |
| Slot 0 | HWIC/HWIC-D/WIC/VWIC/VIC | Interface-type 0/slot/port | s0/0/0 and s0/0/1 fa0/0/0 and 0/0/1 | |
| Slot 1 | HWIC/High-Speed WAN Interface Card-Double-wide (HWIC-D)/WIC/VWIC/VIC | Interface-type 0/slot/port | s0/1/0 and s0/1/1 fa0/1/0 and 0/1/1 | |
| NME slot | Network Module (NM)/Network Module Enhanced (NME) | Interface-type 1/port | gi1/0 and gi1/1 s1/0 and s1/1 | |
| 1941 / 1941w | On board | Gigabit Ethernet | Interface-type 0/port | gi0/0 and gi0/1 |
| Slot 0 | Enhanced High-Speed WAN Interface Card (EHWIC) | Interface-type 0/slot/port | s0/0/0 and s0/0/1 | |
| Slot 1 | EHWIC | Interface-type 0/slot/port | s0/1/0 and s0/1/1 | |
| Built in to chassis back | USB | Interface-type port | usb0 and usb 1 | |
2901 2911 |
On board | Gigabit Ethernet | Interface-type 0/port | gi0/0 and gi0/1 gi0/2 (2911 only) |
| Slot 0 | EHWIC | Interface-type 0/slot/port | s0/0/0 and s0/0/1 | |
| Slot 1 | EHWIC | Interface-type 0/slot/port | s0/1/0 and s0/1/1 | |
| Slot 2 | EHWIC | Interface-type 0/slot/port | s0/2/0 and s0/2/1 | |
| Slot 3 | EHWIC | Interface-type 0/slot/port | s0/3/0 and s0/3/1 | |
| Built in to chassis back | USB | Interface-type port | usb0 and usb 1 | |
| 4221 / 4321 | On board | Gigabit Ethernet | Interface-type 0/slot/port | gi0/0/0 and gi0/0/1 |
| Gigabit Ethernet | Interface-type 0/slot/port (SFP fiber-optic port) | gi0/0/0 | ||
|
Note Only one of the RJ45 Gi0/0/0 or SFP Gi0/0/0 can be used, as they share the same interface name (Gi0/0/0) |
||||
| Slot 1 | NIMs (Network Interface Modules) Both serial and Ethernet cards are available for NIM slots |
Interface-type 0/slot/port | s0/1/0 and s0/1/1 or gi0/1/0 and gi0/1/1 |
|
| Slot 2 | NIMs Both serial and Ethernet cards are available for NIM slots |
Interface-type 0/slot/port | s0/2/0 and s0/2/1 or gi0/2/0 and gi0/2/1 |
|
Moving Between Interfaces
When moving between interfaces, you have two options. The first option, shown on the left side of the following table, exits out of interface mode back to global configuration mode, and then enters into a new interface mode. In this scenario, the prompt changes and you see the movement. The second option, shown on the right side of the table, moves directly from one interface mode to the second interface mode. In this case, the prompt does not change, even though you are in a new interface mode.
Caution
You do not want to put the configuration for one interface on a different interface.
| Exiting One Interface and Entering a New Interface | Moving Directly Between Interfaces | ||
Router(config)# interface serial 0/0/0 |
Moves to serial interface configuration mode | Router(config)# interface serial 0/0/0 |
Moves to serial interface configuration mode |
Router (config-if)# exit |
Returns to global configuration mode | Router (config-if)# interface fastethernet 0/0 |
Moves directly to Fast Ethernet 0/0 configuration mode |
Router(config)# interface fastethernet 0/0 |
Moves to Fast Ethernet interface configuration mode | Router (config-if)# |
In Fast Ethernet 0/0 configuration mode now |
Router (config-if)# |
In Fast Ethernet 0/0 configuration mode now | Router (config-if)# |
Prompt does not change; be careful |
Configuring a Serial Interface
Router(config)# interface serial 0/0/0 |
Moves to serial interface 0/0/0 configuration mode |
Router(config-if)# description Link to ISP |
Optional descriptor of the link is locally significant |
Router(config-if)# ip address 192.168.10.1 255.255.255.0 |
Assigns address and subnet mask to interface |
Router(config-if)# clock rate 2000000 |
Assigns a clock rate for the interface |
Router(config-if)# no shutdown |
Turns interface on |
Tip
The clock rate command is used only on a serial interface that has a DCE cable plugged into it. There must be a clock rate on every serial link between routers. It does not matter which router has the DCE cable plugged into it or which interface the cable is plugged into. Serial 0/0/0 on one router can be plugged into Serial 0/0/1 on another router.
Note
Serial connections are rapidly being removed from networks because Ethernet connections are faster and not reliant on clocking rates. In this book, serial interfaces are used to distinguish between WAN connections and LAN connections (which are shown using Ethernet interfaces).
Assigning an IPv4 Address to a Fast Ethernet Interface
Router(config)# interface fastethernet 0/0 |
Moves to Fast Ethernet 0/0 interface configuration mode |
Router(config-if)# description Accounting LAN |
Optional descriptor of the link is locally significant |
Router(config-if)# ip address 192.168.20.1 255.255.255.0 |
Assigns address and subnet mask to interface |
Router(config-if)# no shutdown |
Turns interface on |
Assigning an IPv4 Address to a Gigabit Ethernet Interface
Router(config)# interface gigabitethernet 0/0/0 |
Moves to gigabitethernet 0/0/0 interface configuration mode |
Router(config-if)# description Human Resources LAN |
Optional descriptor of the link is locally significant |
Router(config-if)# ip address 192.168.30.1 255.255.255.0 |
Assigns an address and subnet mask to interface |
Router(config-if)# no shutdown |
Turns interface on |
Assigning IPv6 Addresses to Interfaces
Router(config)# ipv6 unicast-routing |
Enables the forwarding of IPv6 unicast datagrams globally on the router |
Router(config)# interface gigabitethernet 0/0/0 |
Moves to interface configuration mode |
Router(config-if)# ipv6 enable |
Automatically configures an IPv6 link-local address on the interface and enables IPv6 processing on the interface Note The link-local address that the ipv6 enable command configures can be used only to communicate with nodes on the same broadcast segment |
Router(config-if)# ipv6 address autoconfig |
Router configures itself with a link-local address using stateless autoconfiguration |
Router(config-if)# ipv6 address 2001::1/64 |
Configures a global IPv6 address on the interface and enables IPv6 processing on the interface |
Router(config-if)# ipv6 address 2001:db8:0:1::/64 eui-64 |
Configures a global IPv6 address with an interface identifier in the low-order 64 bits of the IPv6 address |
Router(config-if)# ipv6 address fe80::260:3eff: fe47:1530/ 64 link-local |
Configures a specific link-local IPv6 address on the interface instead of the one that is automatically configured when IPv6 is enabled on the interface |
Router(config-if)# ipv6 unnumbered type/number |
Specifies an unnumbered interface and enables IPv6 processing on the interface. The global IPv6 address of the interface specified by type/number will be used as the source address |
Creating a Message-of-the-Day Banner
|
^ is being used as a delimiting character. The delimiting character must surround the banner message and can be any character as long as it is not a character used within the body of the message |
Tip
The message-of-the-day (MOTD) banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the login banner, if one has been created, if you are connected via the console or through Telnet. If you are connecting using SSH, the MOTD banner appears after the SSH connection.
Creating a Login Banner
|
^ is being used as a delimiting character. The delimiting character must surround the banner message and can be any character as long as it is not a character used within the body of the message |
Tip
The login banner displays before the username and password login prompts. Use the no banner login command to disable the login banner. The MOTD banner displays before the login banner.
Mapping a Local Host Name to a Remote IP Address
Router(config)# ip host london 172.16.1.3 |
Assigns a locally significant host name to the IP address. After this assignment, you can use the host name rather than an IP address when trying to telnet or ping to that address |
|
Both commands execute the same objective: sending a ping to address 172.16.1.3 |
Tip
When in user EXEC or privileged EXEC mode, commands that do not match a valid command default to Telnet. Therefore, you can use a host name mapping to Telnet to a remote device:
Router# london = Router# telnet london = Router# telnet 172.16.1.3
The no ip domain-lookup Command
|
Turns off trying to automatically resolve an unrecognized command to a local host name |
Tip
Ever type in a command incorrectly and end up having to wait for what seems to be a minute or two as the router tries to translate your command to a domain server of 255.255.255.255? When in user EXEC or privileged EXEC modes, commands that do not match a valid command default to Telnet. Also, the router is set by default to try to resolve any word that is not a command to a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS, turn off this feature to save you time as you type, especially if you are a poor typist.
Note
In some newer versions of the IOS, this command might not have a hyphen in it: the command is no ip domain lookup.
Working with DNS on a Router
The reason I created the CCNA Portable Command Guide is because I am a poor typist and I was always waiting for my spelling mistakes to be resolved through a DNS lookup. If you do not have a DNS server configured, all of those spelling mistakes take time to be resolved. This is why I was so happy to discover the no ip domain-lookup command!
But what happens if you have a DNS server configured (using the ip name-server command) and no ip domain-lookup configured? Your DNS server is now useless because it will not be used.
A more proper way of doing things would be to configure your DNS server using the ip name-server command, and then go to all of your lines (con 0, aux 0, vty 0 15), and deactivate the automatic action of telnetting into all “words” that look like host names. The Cisco IOS Software accepts a host name entry at the EXEC prompt as a Telnet command. If you enter the host name incorrectly, the Cisco IOS Software interprets the entry as an incorrect Telnet command and provides an error message indicating that the host does not exist. The transport preferred none command disables this option so that if you enter a command incorrectly at the EXEC prompt, the Cisco IOS Software does not attempt to make a Telnet connection.
Router(config)# line console 0 |
Moves to line console configuration mode |
Router(config-line)# transport preferred none |
Deactivates automatic action of telnetting into words that look like host names (your spelling mistakes that do not look like commands) |
Router(config-line)# line aux 0 |
Moves to line auxiliary configuration mode |
Router(config-line)# transport preferred none |
Deactivates automatic action of telnetting into words that look like host names (your spelling mistakes that do not look like commands) |
Router(config-line)# line vty 0 15 |
Moves to virtual Telnet lines 0 through 15 |
Router(config-line)# transport preferred none |
Deactivates automatic action of telnetting into words that look like host names (your spelling mistakes that do not look like commands) |
Now if you make a spelling mistake at the command prompt, you will be given an error, as opposed to waiting for your mistake to be resolved through a DNS lookup.
Router# confog ^ |
Spelling mistake entered |
% Invalid input detected at ^ marker Router# |
No DNS lookup. Returned to prompt |
The logging synchronous Command
Router(config)# line console 0 |
Moves to line console configuration mode |
Router(config-line)# logging synchronous |
Turns on synchronous logging. Information items sent to the console do not interrupt the command you are typing. The command is moved to a new line |
Tip
Ever try to type in a command and an informational line appears in the middle of what you were typing? Lose your place? Do not know where you are in the command, so you just press Enter and start all over? The logging synchronous command tells the router that if any informational items get displayed on the screen, your prompt and command line should be moved to a new line, so as not to confuse you. The informational line does not get inserted into the middle of the command you are trying to type. If you were to continue typing, the command would execute properly, even though it looks wrong on the screen.
Tip
If you do not set the logging synchronous command and you are in a situation where your command being entered is interrupted by informational items being displayed on the screen, you can use the keyboard shortcut of 
to bring your command to the next line without the message interfering with the command.
The exec-timeout Command
Router(config)# line console 0 |
Moves to line console configuration mode |
Router(config-line)# exec-timeout 0 0 |
Sets the limit of idle connection time, after which the console automatically logs off. A setting of 0 0 (minutes seconds) means the console never logs off—you have disabled the timeout Using the command without the seconds parameter will also work to disable the timeout: Router(config-line)#exec-timeout 0 |
Router(config-line)# |
Tip
The command exec-timeout 0 is great for a lab environment because the console never logs out, regardless of how long the connection remains idle. This is considered to be bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and zero (0) seconds (exec-timeout 10 0) of idle connection time.
Saving Configurations
Router# copy running-config startup-config |
Saves the running configuration to local NVRAM. You will be prompted for a destination filename |
Router# copy running-config tftp |
Saves the running configuration remotely to a TFTP server. You will be prompted to enter in the IP address of the TFTP server |
Erasing Configurations
Router# erase startup-config |
Deletes the startup configuration file from NVRAM. You will be prompted to confirm this action as a safety precaution |
Tip
The running configuration is still in dynamic memory. Reload the router to clear the running configuration.
The write Command
Router# write |
Saves the running configuration to local NVRAM. You are not prompted for a destination file name |
Router# write memory |
Saves the running configuration to local NVRAM. You are not prompted for a destination file name |
Router# write erase |
Deletes the startup configuration file from NVRAM. You will be prompted to confirm this action as a safety precaution |
Router# write network |
Saves the running configuration remotely to a TFTP server. You will be given a message showing this command has been replaced with the copy running-config <url> command |
Note
The write command existed before the copy running-config startup-config and erase startup-config commands. Although the write command was officially deprecated some time ago, it still works in many versions of the Cisco IOS Software. However, it does not work on all devices and platforms—for example, it does not work with the Nexus platform.
Verifying Your Configurations Using show Commands
Router# show ? |
Lists all show commands available |
Router# show arp |
Displays the Address Resolution Protocol (ARP) table |
Router# show clock |
Displays time set on device |
Router# show controllers serial 0/0/0 |
Displays statistics for interface hardware. Statistics display if the clock rate is set and if the cable is Data Communications Equipment (DCE), data terminal equipment (DTE), or not attached |
Router# show flash |
Displays info about flash memory |
Router# show history |
Displays the history of commands used at privileged EXEC level |
Router# show hosts |
Displays the local host-to-IP address cache. These are the names and addresses of hosts on the network to which you can connect |
Router# show interface serial 0/0/0 |
Displays statistics for a specific interface (in this case, serial 0/0/0) |
Router# show interfaces |
Displays statistics for all interfaces |
Router# show ip interface brief |
Displays a summary of all interfaces, including status and IP address assigned |
Router# show ip protocols |
Displays the parameters and the current state of the active IPv4 routing protocol processes |
Router# show ipv6 interface brief |
Displays a summary of all interfaces, including status and IPv6 address assigned |
Router# show ipv6 protocols |
Displays the parameters and the current state of the active IPv6 routing protocol processes |
Router# show protocols |
Displays the status of configured Layer 3 protocols |
Router# show running-config |
Displays the configuration currently running in RAM |
Router# show startup-config |
Displays the configuration saved in NVRAM |
Router# show users |
Displays all users connected to the device |
Router# show version |
Displays info about loaded software version |
EXEC Commands in Configuration Mode: The do Command
Router(config)# do show running-config |
Executes the privileged-level show running-config command while in global configuration mode |
Router(config)# |
The router remains in global configuration mode after the command has been executed |
Tip
The do command is useful when you want to execute EXEC commands, such as show, clear, or debug, while remaining in global configuration mode or in any configuration submode. You cannot use the do command to execute the configure terminal command because it is the configure terminal command that changes the mode to global configuration mode.
Configuration Example: Basic Router Configuration
Figure 14-1 illustrates the network topology for the configuration that follows, which shows a basic router configuration using the commands covered in this chapter.
Figure 14-1 Network Topology for Basic Router Configuration
Boston Router
Router> enable |
Enters privileged EXEC mode |
Router# configure terminal |
Enters global configuration mode |
Router(config)# hostname Boston |
Sets the router name to Boston |
Boston(config)# no ip domain-lookup |
Turns off name resolution on unrecognized commands (spelling mistakes) |
Boston(config)# banner login #This is the Boston Router. Authorized Access Only # |
Creates a login banner |
Boston(config)# enable secret cisco |
Enables secret password set to cisco |
Boston(config)# service password-encryption |
Clear text passwords will be hidden using a weak encryption algorithm |
Boston(config)# line console 0 |
Enters line console mode |
Boston(config-line)# logging synchronous |
Commands will not be interrupted by unsolicited messages |
Boston(config-line)# password class |
Sets the password to class |
Boston(config-line)# login |
Enables password checking at login |
Boston(config-line)# line vty 0 4 |
Moves to virtual Telnet lines 0 through 4 |
Boston(config-line)# password class |
Sets the password to class |
Boston(config-line)# login |
Enables password checking at login |
Boston(config-line)# line aux 0 |
Moves to line auxiliary mode |
Boston(config-line)# password class |
Sets the password to class |
Boston(config-line)# login |
Enables password checking at login |
Boston(config-line)# exit |
Moves back to global configuration mode |
Boston(config)# no service password-encryption |
Turns off password encryption |
Boston(config)# interface fastethernet 0/0 |
Moves to interface Fast Ethernet 0/0 configuration mode |
Boston(config-if)# description Engineering LAN |
Sets locally significant description of the interface |
Boston(config-if)# ip address 172.16.10.1 255.255.255.0 |
Assigns an IP address and subnet mask to the interface |
Boston(config-if)# no shutdown |
Turns on the interface |
Boston(config-if)# interface serial 0/0/0 |
Moves directly to interface serial 0/0/0 configuration mode |
Boston(config-if)# description Link to Buffalo Router |
Sets a locally significant description of the interface |
Boston(config-if)# ip address 172.16.20.1 255.255.255.252 |
Assigns an IP address and subnet mask to the interface |
Boston(config-if)# clock rate 56000 |
Sets a clock rate for serial transmission. The DCE cable must be plugged into this interface |
Boston(config-if)# no shutdown |
Turns on the interface |
Boston(config-if)# exit |
Moves back to global configuration mode |
Boston(config)# ip host buffalo 172.16.20.2 |
Sets a local host name resolution to remote IP address 172.16.20.2 |
Boston(config)# exit |
Moves back to privileged EXEC mode |
Boston# copy running-config startup-config |
Saves the running configuration to NVRAM |