Nov 18, 2011

Abstract of CCNA study guide-13 -Cisco IOS Basic configurations 2

Continue the series of  Abstract CCNA study guide book .
Router and Switch Administrative Configurations
The administrative functions that you can configure on a router and switch are as follows:
-Interface descriptions

You can set the identity of the router with the hostname command.
yourname#config t
yourname(config)#hostname Todd

Todd(config)#hostname Atlanta

Atlanta(config)#hostname Todd

A banner is more than just a little cool—one very good reason for having a banner is to give any and all who dare attempt to telnet or dial into your internetwork a little security notice.
Make sure you’re familiar with these four available banner types: exec process creation banner, incoming terminal line banner, login banner, and message of the day banner:

Todd(config)#banner ?
LINE                           c banner-text c, where ‘c’ is a delimiting character
exec                             Set EXEC process creation banner
incoming                      Set incoming terminal line banner
login                            Set login banner
motd                            Set Message of the Day banner
prompt-timeout                        Set Message for login authentication timeout
slip-ppp                       Set Message for SLIP/PPP

Message of the day (MOTD) is the most extensively used banner. It gives a message to every person dialing into or connecting to the router via Telnet or an auxiliary port, or a console port as seen here:
Todd(config)#banner motd #
Enter TEXT message. End with the character ‘#’.
$ network, then you must disconnect immediately.

You can use any character you want for it, but (I hope this is obvious) you can’t use the delimiting character in the message it self .Also, once the message is complete, press Enter, then the delimiting character, and then Enter again.

Setting Passwords
Five passwords are used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret.
The enable secret and enable password are used to set the password that’s used to secure privileged mode. This will prompt a user for a password when the enable command is used.
The other three are used to configure a password when user mode is accessed through the console port, the auxiliary port, or Telnet.

Enable Passwords
You set the enable passwords from global configuration mode like this:
Todd(config)#enable ?
last-resort         Define enable action if no TACACS servers respond
password         Assign the privileged level password
secret               Assign the privileged level secret
use-tacacs        Use TACACS to check enable passwords

The following points describe the enable password parameters:
last-resort Allows you to still enter the router if you set up authentication through a TACACS server and it’s not available. But it isn’t used if the TACACS server is working.
password Sets the enable password on older, pre-10.3 systems, and isn’t ever used if an enable secret is set.
secret This is the newer, encrypted password that overrides the enable password if it’s set.
use-tacacs This tells the router to authenticate through a TACACS server.

Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your  enable secret. This is not recommended. Re-enter the
enable password.

If you try to set the enable secret and enable passwords the same, the router will give you warning to change the second password.

User-mode passwords are assigned by using the line command:
Todd(config)#line ?
<0-337>           First Line number
aux                  Auxiliary line
console            Primary terminal line
tty                    Terminal controller
vty                   Virtual terminal
x/y                   Slot/Port for Modems
x/y/z                Slot/Subslot/Port for Modems

Here are the lines to be concerned with:
aux  Sets the user-mode password for the auxiliary port.
console Sets a console user-mode password.
vty Sets a Telnet password on the router. If this password isn’t set, then Telnet can’t be used by default.

To configure the user-mode passwords, you configure the line you want and use either the login or no login command to tell the router to prompt for authentication. The next sections will provide a line-by-line example of the configuration of each line configuration
Auxiliary Password
Todd#config t
Todd(config)#line aux ?
<0-0> First Line number
Todd(config)#line aux 0
Todd(config-line)#password aux

It’s important to remember the login command or the auxiliary port won’t prompt for authentication.
Console Password
Todd(config)#line console ?
<0-0> First Line number
Todd(config-line)#password console

There are a few other important commands to know for the console port.
For one, the exec-timeout 0 0 command sets the time-out for the console EXEC session to zero, which basically means to never time out. The default time-out is 10 minutes. (If you’re feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1 second! And to fix it, you have to continually press the down arrow key while changing the time-out time with your free hand!)

logging synchronous is a very cool command, and it should be a default command, but it’s not. It stops annoying console messages from popping up and disrupting the input you’re trying to type.
Here’s an example of how to configure both commands:
Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous

Telnet Password
To set the user-mode password for Telnet access into the router, use the line vty command.
Routers that aren’t running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you’ll have significantly more. The best way to find out how many lines you have is to use that question mark:
Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config)#line vty 0 ?
<1-1180> Last Line number
Todd(config)#line vty 0 1180
Todd(config-line)#password telnet
Remember, you cannot get help from your (config-line)# prompt. You must go back to privilege mode in order to use the question mark (?).

 you can allow Telnet connections without a password by using the no login command:
SFRouter(config-line)#line vty 0 4
SFRouter(config-line)#no login
Setting Up Secure Shell (SSH)
Instead of Telnet, you can use Secure Shell, which creates a more secure session than the Telnet application that uses an unencrypted data stream. Secure Shell (SSH) uses encrypted keys to send data so that your username and password are not sent in the clear.

Here are the steps to setting up SSH:
1. Set your hostname:
Router(config)#hostname Todd
2. Set the domain name:
Todd(config)#ip domain-name
3. Generate the encryption keys for securing the session:
Todd(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
Todd(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be:
% The key modulus size is 1024 bits
4. Set the max idle timer for a SSH session:
Todd(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
Todd(config)#ip ssh time-out 60
5. Set the max failed attempts for an SSH connection:
Todd(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
Todd(config)#ip ssh authentication-retries 2
6. Connect to the vty lines of the router:
Todd(config)#line vty 0 1180
7. Last, configure SSH and then Telnet as access protocols:
Todd(config-line)#transport input ssh telnet

If you do not use the keyword telnet at the end of the command string, then only SSH will work on the router. understand that SSH is more secure than Telnet.

Encrypting Your Passwords
Because only the enable secret password is encrypted by default, you’ll need to manually configure the user-mode and enable passwords for encryption.
you can see all the passwords except the enable secret when performing a show running-config on a router:
Todd#sh running-config

To manually encrypt your passwords, use the service password-encryption command.
Here’s an example of how to do it:
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#service password-encryption
Todd#sh run
Building configuration...
[output cut]
Todd#config t
Todd(config)#no service password-encryption
There you have it! The passwords will now be encrypted. You just encrypt the passwords, perform a show run, and then turn off the command. You can see that the enable password and the line passwords are all encrypted.
 if you set your passwords and then turn on the service password-encryption command, you have to perform a show running-config before you turn off the encryption service or your passwords won’t be encrypted. You don’t have to turn off the encryption service at all; you’d only do that if your router is running low on processes.
And if you turn on the service before you set your passwords, then you don’t even have  to view them to get them encrypted.

The description command is a helpful because you can, for instance, use it to keep track of circuit numbers.
Todd#config t
Todd(config)#int s0/0/0
Todd(config-if)#description Wan to SF circuit number 6fdda12345678
Todd(config-if)#int fa0/0
Todd(config-if)#description Sales VLAN
You can view the description of an interface with either the show running-config command or the show interface command:
Todd#sh run
[output cut]
interface FastEthernet0/0
description Sales VLAN
ip address
[output cut]

Todd#sh int f0/0
FastEthernet0/0 is up, line protocol is down
Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
Description: Sales VLAN

Doing the do Command
Beginning with IOS version 12.3, Cisco has finally added a command to the IOS that allows you to view the configuration and statistics from configuration mode.

Todd(config)#do show run
Building configuration...
Current configuration : 3276 bytes
[output cut]
Todd(config)#do sh int f0/0
FastEthernet0/0 is up, line protocol is down

No comments:

Post a Comment