Chapter objectives:
Using Telnet
Using Secure Shell (SSH)
IOS naming conventions
Backing up and restoring your IOS
Backing up and restoring your configuration

This chapter deals with managing your Cisco router. It covers IOS naming conventions, backing up and restoring your IOS and configuration, and using the Cisco Discovery Protocol, Telnet, and ICMP.
An IOS filename is broken down into four parts:
Platform
Feature set
Run location and compression
Version
For example, if our IOS name was C2500-D-L.120-9.bin, we could break it down as follows:
Platform: C2500
Feature Set: D
Run Location: L
IOS Version: 12.0(9)
The feature set identifies the feature contents on the router. Common feature sets include “j” for enterprise, “d” for desktop, and “s” for plus features such as Network Address Translation (NAT), InterSwitch Link (ISL), and Virtual Private Dial-up Networks (VPDN). Although the number of feature sets is too many to list here, Table 5.1 lists the more common ones found on a 2500 platform.
The feature sets are provided as an example only; you do not need to know the feature set codes for the exam. You will need to know, however, what is included in an IOS filename: platform, feature set, compression/run location, and version.
The run location indicates both its execution area and, when applicable, the compression identifiers. Table 5.2 illustrates the common run locations.
The compression identifiers indicate what type of compression is used on the image. Common compression identifiers are shown in Table 5.3.
For example, image c7200-js-mz is an IOS for the 7200 series router, with enterprise plus software, executed in RAM, and is Mzip compressed.
You can view the IOS files you have stored in flash memory by executing the command show flash. This command can be executed from either User EXEC or Privileged EXEC mode. Following is the output of the show flash command on a 1604 router:
Router>show flash
PCMCIA flash directory:
File Length Name/status
1 6611048 /c1600-nosy-l.120-25.bin
[6611112 bytes used, 1777496 available, 8388608 total]
8192K bytes of processor board PCMCIA flash (Read ONLY)
In this instance, there is only one IOS in flash. Taking the filename, c1600-nosy-l.120-25.bin, you can see that the platform is a 1600 series router with a feature set of ‘nosy’ (the 1600 designation for IP/IPX/FW Plus) and is relocated at runtime but not compressed. The IOS version is 12.0(25).
Although the show flash command will show you all IOS files that you have in flash, it will not show you which IOS you are currently using if you have more than one. To view the IOS that you are currently running on your router, execute the command show version. Like the show flash command, the show version command may be executed from User EXEC or Privileged EXEC. Following is the output of the show version command; the relevant portions are the software image name, its version, and the system image file line.
Router>show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-NOSY-L), Version 12.0(25), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 31-Dec-02 12:29 by srani
Image text-base: 0x080357F8, data-base: 0x02005000

ROM: System Bootstrap, Version 11.1(10)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-BOOT-R), Version 11.1(10)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 6 minutes
System restarted by power-on
System image file is "flash:/c1600-nosy-l.120-25.bin"
<output omitted for brevity>
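The naming convention above and the show flash / show version pairing are easy to get wrong by eye when a router carries several images, so here is an added example (not code from the book or from Cisco) that breaks an IOS filename into its four parts and then reconciles a show flash listing against the "System image file" line of show version to flag which image is actually running. The show flash and show version text below is constructed for the example, modelled on the excerpts in this chapter; the version-string rule (first two digits of the train are the major release, the rest the minor, the number after the hyphen the maintenance release) is an assumption that matches the examples on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from a real router). Two images are
# present so that show flash alone cannot tell us which one is running.
SHOW_FLASH = """PCMCIA flash directory:
File Length Name/status
  1 6611048 /c1600-nosy-l.120-25.bin
  2 5148040 /c1600-sy56i-mz.121-20.bin
[11759152 bytes used, 5018064 available, 16777216 total]
"""

SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-NOSY-L), Version 12.0(25), RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 11.1(10)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Router uptime is 6 minutes
System image file is "flash:/c1600-nosy-l.120-25.bin"
"""

# platform-featureset-runlocation[compression].train-maintenance[.extra].bin
# The version part is optional so that bare names such as c7200-js-mz also parse.
IOS_NAME = re.compile(
    r"""^(?P<platform>[a-z0-9]+)-            # e.g. c1600, c7200
        (?P<feature>[a-z0-9]+)-               # feature set, e.g. nosy, js
        (?P<runloc>[a-z])(?P<comp>[a-z])?     # run location plus optional compression letter
        (?:\.(?P<train>\d+)-(?P<maint>\d+)[\w.]*?)?  # e.g. 120-25, optional
        (?:\.bin)?$""",
    re.VERBOSE,
)


@dataclass
class IosImage:
    platform: str
    feature_set: str
    run_location: str
    compression: Optional[str]
    version: Optional[str]   # rendered Cisco-style, e.g. 12.0(25)


def parse_ios_filename(name: str) -> IosImage:
    """Split an IOS image name into platform, feature set, run location/compression and version."""
    name = name.rsplit("/", 1)[-1].lower()      # drop any flash:/ path prefix, normalise case
    m = IOS_NAME.match(name)
    if not m:
        raise ValueError(f"not an IOS image name: {name!r}")
    version = None
    if m.group("train"):
        train = m.group("train")                  # assumption: "120" -> 12.0, "121" -> 12.1
        version = f"{train[:2]}.{train[2:]}({m.group('maint')})"
    return IosImage(m.group("platform"), m.group("feature"),
                    m.group("runloc"), m.group("comp"), version)


def flash_images(show_flash: str) -> List[str]:
    """Image names from show flash: lines that start with an index and a length."""
    return re.findall(r"^\s*\d+\s+\d+\s+/?(\S+)", show_flash, re.M)


def running_image(show_version: str) -> str:
    """Image name the router booted from, taken from the 'System image file' line."""
    m = re.search(r'System image file is "([^"]+)"', show_version)
    if not m:
        raise ValueError("no 'System image file' line in show version output")
    return m.group(1).rsplit("/", 1)[-1]


def reported_version(show_version: str) -> str:
    """First 'Version x.y(z)' string, which on IOS is the running software line."""
    m = re.search(r"Version (\d+\.\d+\(\d+\)[A-Za-z0-9]*)", show_version)
    if not m:
        raise ValueError("no Version string in show version output")
    return m.group(1)


def inventory(show_flash: str, show_version: str) -> List[Tuple[str, bool]]:
    """Every image in flash, paired with whether it is the one currently running."""
    active = running_image(show_version)
    return [(img, img == active) for img in flash_images(show_flash)]


def version_matches(show_version: str) -> bool:
    """Consistency check: the version encoded in the booted filename equals the reported one."""
    return parse_ios_filename(running_image(show_version)).version == reported_version(show_version)


if __name__ == "__main__":
    for img, active in inventory(SHOW_FLASH, SHOW_VERSION):
        print(("* " if active else "  ") + img, parse_ios_filename(img))
    print("filename version matches show version:", version_matches(SHOW_VERSION))
```

The same parser handles the c7200-js-mz example from the text (run location m, compression z, no version in the name) and the C2500-D-L.120-9.bin example, and the version_matches check is a cheap way to notice an image that has been renamed to look like a different release.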
At some point in your career, you will need to back up, restore, or upgrade your IOS. You can use TFTP, FTP, or RCP to transfer an IOS image to or from a server. TFTP is the most common so that is covered here. (It is also covered in the CCNA exam.)
TFTP is the Trivial File Transfer Protocol. Unlike FTP, it has no means of authenticating with a username or password, and no way to navigate directories. To back up your IOS, you will use the copy command from within Privileged EXEC mode. The syntax of this command is copy <from> <to>. Thus, if you want to copy an IOS from your flash to a TFTP server, the syntax would be copy flash tftp. After executing this command, you will be prompted with a number of questions asking for such things as the IOS filename and the IP address of the TFTP server. Following is the output of this command. The TFTP server in this example is located at the IP address 172.16.0.254.
Router#copy flash tftp
PCMCIA flash directory:
File Length Name/status
  5148040 /c1600-sy56i-mz.121-20.bin
[5148104 bytes used, 3240504 available, 8388608 total]
Address or name of remote host [255.255.255.255]? 172.16.0.254
Source file name? /c1600-sy56i-mz.121-20.bin
Destination file name [c1600-sy56i-mz.121-20.bin]?
Verifying checksum for 'c1600-sy56i-mz.121-20.bin' (file # 1)... OK
Copy 'c1600-sy56i-mz.121-20.bin' from Flash to server as 'c1600-sy56i-mz.121-20.bin'? [yes/no]y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Upload to server done
Flash device copy took 00:01:24 [hh:mm:ss]
To restore or upgrade your IOS from a TFTP server to a router, the syntax would be copy tftp flash.
Remember the following troubleshooting steps if you are having difficulties using TFTP:
Verify that the TFTP server is running.
Verify cable configurations. You should use a crossover cable between a router and a server or, if you have a switch, use a straight-through cable from the router to the switch and from the switch to the server.
Verify that your router is on the same subnet as your TFTP server or has a means to route to it somehow (static route or routing protocol).
Backing up and restoring your configuration is no different than it was for your IOS. To save your configuration, you will copy your running-config in RAM to your startup-config in NVRAM by executing the Privileged EXEC command copy running-config startup-config. If you want to copy your startup-config file to a TFTP server, you would type copy startup-config tftp. If you want to restore your configuration from a TFTP server, you would execute the command copy tftp running-config. (You can also elect to copy it to your startup-config.) Finally, note that the copy tftp running-config command will merge the configuration file on the TFTP server with your current configuration.
Having the ability to remotely manage your router is crucial to any network engineer. If you have a wide-area network that spans across the world, you do not want to have to fly out to a location every time you have a problem with a router. Four protocols you can use to help you in troubleshooting and remotely manage your routers are
Telnet
Secure Shell (SSH)
CDP
ICMP
Telnet operates at the application layer of the OSI model and is used to remotely connect into a router. Configuring Telnet authentication is covered in Chapter 4, “Working with Cisco Equipment.” As a review, however, the commands to configure a router to allow Telnet access are as follows (the password cisco is used in this example):
Router(config)#enable secret cisco
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
You must have an enable password for Telnet access to work. If you do not, you will get the following output when you attempt to access Privileged EXEC mode:
Router#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
Router>en
% No password set
Router>
To close out an active Telnet session, type exit.
It is also possible to suspend a Telnet session and resume it later. This is helpful as it keeps you from having to remember the IP address of a router. Instead, you can suspend your Telnet session and resume it later based on its session number, not IP address.
To suspend a Telnet session, press Ctrl+Shift+6, x. (Hold down the Ctrl, Shift, and 6 buttons at the same time. Release them, and then press x.)
To see what sessions you have suspended, execute the show sessions command from User EXEC or Privileged EXEC mode. In the output that follows, two Telnet sessions have been suspended:
Router#show sessions
Conn Host         Address        Byte  Idle Conn Name
   1 192.168.1.1  192.168.1.1       0     0 192.168.1.1
*  2 172.16.0.1   172.16.0.1        0     0 172.16.0.1
An entry with an asterisk (*) next to it indicates the last session you were using. There are four methods of resuming a session:
Enter key. Pressing the Enter key will take you to the last session you were using (as shown by the asterisk in the show sessions output).
resume. Typing resume without specifying a session number will resume the last session you were using. This is the same as pressing the Enter key.
resume #. Typing resume followed by the session number will resume Telnet for that session. For example, typing resume 1 would resume Telnet for the 192.168.1.1 router.
resume [IP address | hostname]. Instead of giving a Telnet session number, you can also give the IP address or, if you have DNS lookups enabled with a DNS server, you can type in the hostname of the remote router.
In addition to Telnet, you can also use Secure Shell (SSH) to remotely manage your routers. Configuring your router for SSH is covered in Chapter 4. Now you will learn how to use your router as an SSH client to connect into other routers.
SSH is preferred by many engineers because it secures your communication to your router when remotely managing it. This is done by encrypting the communication with algorithms such as Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES), as well as by securing the authentication to the router through password hashing algorithms such as Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). Encrypting communication and hashing the password prevents malicious hackers from eavesdropping on you when you are configuring your router.
Starting an encrypted SSH session with a router is done with the ssh command. This command can be entered from either User EXEC or Privileged EXEC mode. It has several options, as outlined in Table 5.4.
Table 5.4. SSH Options

| Command Option | Description |
|---|---|
| -v {1 or 2} | This optional parameter specifies whether you are going to use version 1 or version 2. SSH version 1 had some known vulnerabilities, so you should use version 2 whenever possible. |
| -c {encryption algorithm} | This optional parameter specifies the encryption you are going to use when communicating with the router. If you choose not to use it, the routers will negotiate the encryption algorithm to use automatically. |
| -l username | This specifies the username to use when logging in to the remote router. |
| -m {HMAC algorithm} | This specifies the type of hashing algorithm to use when sending your password. It is optional, and if you do not use it, the routers will negotiate what type of hashing to use. |
| ip-address or hostname | You need to specify the IP address or, if you have DNS or static hostnames configured, the name of the router you want to connect to. |
For example, if you wanted to use SSH version 2 to connect to a router at IP address 192.168.0.1 with the username of Admin, using AES256-CBC encryption, and using SHA1 hashing, you would type the following:
Router#ssh -v 2 -l Admin -c aes256-cbc -m hmac-sha1 192.168.0.1
The syntax may appear long at first, but after you start using it on a regular basis to manage your routers, it will become second nature to you.
Sometimes when you Telnet to another router, you might not know what its IP address is. If this is the case, you can use the CDP to discover the Layer 3 address of neighboring devices.
CDP is a Cisco proprietary Layer 2 (data link) multicast protocol that is enabled on all Cisco routers and switches. It can be used to discover information about directly connected devices. Although it is a Layer 2 protocol, it is not forwarded by Cisco switches. (It is by other vendors, however.)
To view what neighboring Cisco devices you have connected to your router or switch, execute the show cdp neighbors command from either User EXEC or Privileged EXEC mode. Following is an example of this output:
Router#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
CoreRouter Ser 1 144 R 2500 Ser 0
Here you see that you are connected to a router named “CoreRouter.” You are connected to it out of your local interface serial 1. The holdtime indicates how long it will take to flush this entry out should your router stop hearing CDP frames. CDP sends advertisements every 60 seconds by default and will flush out an entry if it fails to hear a CDP advertisement after 180 seconds. (Timers are manipulated with the cdp timers global configuration command.) The capability of this device is R, which stands for router. In fact, from this output you can see that this is a 2500 series router and it is connected to your router out of its serial 0 interface.
Quite a bit of information is generated by this command, but it did not tell you the IP address of the 2500, nor did it tell you the IOS version running on the 2500. The two commands you can enter to see the Layer 3 IP address and IOS version are as follows:
show cdp neighbors detail
show cdp entry *
These two commands are functionally equivalent. With show cdp entry you can look at a specific device by its name, or use the wildcard asterisk character to view all entries. Following is the output of the show cdp neighbors detail command (the other show command would generate the same output):
Router#show cdp neighbors detail
-------------------------
Device ID: CoreRouter
Entry address(es):
IP address: 10.0.0.1
Platform: cisco 2500, Capabilities: Router
Interface: Serial0, Port ID (outgoing port): Serial0
Holdtime: 171 sec
Version:
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-I-L), Version 12.1(20), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 29-May-03 22:00 by kellythw
Another useful troubleshooting tool is ICMP. ICMP is a Layer 3 (network) protocol designed to carry status messages. CCNAs will exercise ICMP via two programs, Ping and Traceroute. The two messages used by the Ping program, Echo Request and Echo Reply, test both connectivity and integrity; the responding station’s job is to reply and repeat the payload, thus testing the quality of the connection. The ping command followed by an IP address or name uses a default payload and primarily tests connectivity.
If a host is unreachable, you will get an ICMP Type 3 Destination Unreachable message. If a firewall or access list is blocking ICMP, you will get an ICMP Type 3/Code 13 Destination Unreachable: Administratively Prohibited message. Unreachables will show a “U” in the output on your screen, whereas a successful ping will show exclamation points (!). Timeouts will show a “.” (period) in the output. Cisco also supports an extended ping feature, accessible from Privileged EXEC, with options to test integrity, such as the capability to change the size and content of the payload to be echoed back. To access the extended ping feature, enter Privileged EXEC and type ping. Do not enter an IP address, however; instead, press Enter, and you will be presented with a number of questions. With extended ping, you have the ability to set the size of your ping messages, the source interface, the number of pings, and the timeout settings. Following is the output of the extended ping command. Note that the exclamation mark is an indication of a successful ping:
Router#ping
Protocol [ip]:
Target IP address: 10.0.0.1
Repeat count [5]: 1000
Datagram size [100]: 1024
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 1024-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
When bringing up a new wide-area network circuit, you can do an extended ping and send out 10,000 pings with a size of 1,024 bytes. Watch the results and verify success. If some packets are lost, you know it is not a clean circuit and you should contact your provider.
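Reading 10,000 result characters by eye is error-prone, so here is an added example (not code from the book or from Cisco) that parses a captured extended ping output, counts the three result markers this chapter describes (! reply, . timeout, U unreachable), and reports the loss percentage so the "is this a clean circuit" decision above can be made from numbers. The ping output strings are constructed for the example; IOS prints further marker characters for other conditions that are not modelled here, and such a line would simply show up as an incomplete count.

```python
import re
from typing import Dict

# Result markers described in this chapter. Any other character on a result
# line is not modelled and makes that line fall outside the count.
MARKERS = {"!": "reply", ".": "timeout", "U": "unreachable"}

# Constructed sample: 20 probes, 17 replies, 2 timeouts, 1 unreachable.
SAMPLE_PING = """Type escape sequence to abort.
Sending 20, 1024-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!!!!!!.!!!!!U!!.
Success rate is 85 percent (17/20), round-trip min/avg/max = 1/2/4 ms
"""

# Constructed sample of a clean run with the default repeat count.
CLEAN_PING = """Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
"""

HEADER = re.compile(r"Sending (\d+), (\d+)-byte ICMP Echos to (\S+), timeout is (\d+) seconds")


def parse_ping(output: str) -> Dict:
    """Count result markers in IOS ping output and compute the loss percentage."""
    header = HEADER.search(output)
    if not header:
        raise ValueError("no 'Sending ... ICMP Echos' header found")
    sent, size, target, timeout = (int(header.group(1)), int(header.group(2)),
                                   header.group(3), int(header.group(4)))

    # Only lines made entirely of marker characters are result lines; this keeps
    # the period in e.g. "10.0.0.1" or "Type escape sequence to abort." out of the count.
    marks = ""
    for line in output[header.end():].splitlines():
        stripped = line.strip()
        if stripped and all(ch in MARKERS for ch in stripped):
            marks += stripped

    counts = {name: 0 for name in MARKERS.values()}
    for ch in marks:
        counts[MARKERS[ch]] += 1

    received = counts["reply"]
    return {
        "target": target,
        "size": size,
        "timeout": timeout,
        "sent": sent,
        "received": received,
        "counts": counts,
        "loss_pct": round(100.0 * (sent - received) / sent, 1),
        # False when fewer markers were printed than probes sent, e.g. the ping was
        # aborted with the escape sequence or an unmodelled marker appeared.
        "complete": len(marks) == sent,
    }


def circuit_is_clean(stats: Dict) -> bool:
    """The chapter's acceptance rule: a clean circuit loses no packets at all."""
    return stats["complete"] and stats["loss_pct"] == 0.0


if __name__ == "__main__":
    for sample in (SAMPLE_PING, CLEAN_PING):
        s = parse_ping(sample)
        print(f"{s['target']}: {s['received']}/{s['sent']} replies, "
              f"{s['loss_pct']}% loss, counts={s['counts']}, clean={circuit_is_clean(s)}")
```

Because the function keys off the "Sending N" header rather than the final "Success rate" line, it also works on output that was cut short, and the complete flag tells you when that happened.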
Traceroute is a technique used when you suspect that a router on the path to an unreachable network is at fault. Traceroute sends out a packet to a destination with a Time To Live (TTL) of 1. If the first hop is not the destination, an ICMP type 11/Code 0 (ICMP Time Exceeded) message is sent back and the response time in milliseconds is recorded. Routers decrement TTL so that a packet will not circulate forever if there is a problem such as a routing loop (covered in Chapter 10, “Basic Routing”). When a TTL gets to 0, the router drops the packet and returns the unreachable message.
A second packet is then sent out with a TTL value of 2, and if it is not the destination, an unreachable message is sent back and the response time in milliseconds is recorded. This continues until the destination is reached or until the maximum TTL as defined by the vendor is reached. (Cisco uses 30 as its maximum TTL with Traceroute, but this is configurable.)
Many devices support Traceroute. On Windows machines, the command is tracert. On Cisco devices, the command is traceroute, but this can be abbreviated as trace.