Continuing the series of abstracts from the CCNA study guide.
Router and Switch Administrative Configurations
The administrative functions that you can configure on a
router and switch are as follows:
-Hostnames
-Banners
-Passwords
-Interface descriptions
Hostnames
You can set the identity of the router with the hostname
command.
yourname#config t
yourname(config)#hostname Todd
Todd(config)#hostname Atlanta
Atlanta(config)#hostname Todd
Banners
A banner is more than just a little cool—one very
good reason for having a banner is to give any and all who dare attempt to
telnet or dial into your internetwork a little security notice.
Make sure you’re familiar with these four available banner
types: exec process creation banner, incoming terminal line banner, login
banner, and message of the day banner:
Todd(config)#banner ?
  LINE            c banner-text c, where ‘c’ is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP
Message of the day (MOTD) is the most extensively used
banner. It gives a message to every person dialing into or connecting to the
router via Telnet or an auxiliary port, or a console port as seen here:
Todd(config)#banner motd #
Enter TEXT message. End with the character ‘#’.
$ Acme.com network, then you must
disconnect immediately.
#
Todd(config)#^Z
You can use any character you want as the delimiter, but (I hope this
is obvious) you can’t use the delimiting character in the message itself. Also,
once the message is complete, press Enter, then the delimiting character, and
then Enter again.
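The delimiter rule above is easy to get wrong when the banner text itself contains the chosen character. The following Python snippet is an added illustration, not code from the guide or from Cisco IOS: it models only the termination rule the text describes (the banner ends at the first occurrence of the delimiting character, and anything after it on that line is dropped), and adds a small helper that picks a delimiter absent from the message. The candidate characters and the sample banner strings are constructed for this example.

```python
from typing import Tuple


def parse_banner(delimiter: str, typed: str) -> Tuple[str, str]:
    """Model of how IOS ends a 'banner <type> <c>' message.

    The message runs until the first occurrence of the delimiting character.
    Returns (message, discarded): 'discarded' is whatever followed the
    delimiter and would not become part of the banner. If no delimiter has
    been typed yet, the whole input is still part of the message.
    """
    if len(delimiter) != 1:
        raise ValueError("the delimiter must be a single character")
    end = typed.find(delimiter)
    if end == -1:
        return typed, ""
    return typed[:end], typed[end + 1:]


def pick_delimiter(message: str, candidates: str = "#$^~|") -> str:
    """Return the first candidate character that does not occur in the message,
    so the delimiter cannot truncate the banner text (candidate set is an
    assumption of this example, not an IOS restriction)."""
    for char in candidates:
        if char not in message:
            return char
    raise ValueError("every candidate delimiter appears in the message")


if __name__ == "__main__":
    # Constructed sample: a notice that happens to contain a '#'.
    notice = "Unauthorized access is prohibited. Report incidents to #noc.\n"
    message, dropped = parse_banner("#", notice + "#")
    print(repr(message))   # cut short at the '#' inside the text
    print(repr(dropped))
    safe = pick_delimiter(notice)
    message, dropped = parse_banner(safe, notice + safe)
    print(repr(message))   # the full notice survives
```

The first call shows the failure mode from the text: the banner silently ends at "Report incidents to ". Choosing the delimiter with `pick_delimiter` before typing the command avoids it.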
Setting Passwords
Five passwords are used to secure your Cisco routers:
console, auxiliary, telnet (VTY), enable password, and enable secret.
The enable secret and enable password are used to set the
password that’s used to secure privileged mode. This will prompt a user for a
password when the enable command is used.
The other three are used to configure a password when user
mode is accessed through the console port, the auxiliary port, or Telnet.
Enable Passwords
You set the enable passwords from global configuration mode
like this:
Todd(config)#enable ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords
The following points describe the enable password
parameters:
last-resort Allows you to still enter the router if
you set up authentication through a TACACS server and it’s not available. But
it isn’t used if the TACACS server is working.
password Sets the enable password on older,
pre-10.3 systems, and isn’t ever used if an enable secret is set.
secret This is the newer, encrypted password that overrides the
enable password if it’s set.
use-tacacs This tells the router to authenticate
through a TACACS server.
Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your enable secret. This is not recommended.
Re-enter the enable password.
If you try to set the enable secret and enable password to
the same value, the router will give you a warning to change the second password.
User-mode passwords are assigned by using
the line command:
Todd(config)#line ?
  <0-337>  First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
  x/y      Slot/Port for Modems
  x/y/z    Slot/Subslot/Port for Modems
Here are the lines to be concerned with:
aux Sets the user-mode password for the auxiliary port.
console Sets a console user-mode password.
vty Sets a Telnet password on the router. If this password
isn’t set, then Telnet can’t be used by default.
To configure the user-mode passwords, you configure the
line you want and use either the login or no login command to tell the router
whether to prompt for authentication. The next sections provide a line-by-line
example of configuring each line type.
Auxiliary Password
Todd#config t
Todd(config)#line aux ?
<0-0> First Line number
Todd(config)#line aux 0
Todd(config-line)#password aux
Todd(config-line)#login
It’s important to remember the login command or the
auxiliary port won’t prompt for authentication.
Console Password
Todd(config)#line console ?
<0-0> First Line number
Todd(config)#line console 0
Todd(config-line)#password console
Todd(config-line)#login
There are a few other important commands to know for the
console port.
For one, the exec-timeout 0 0 command sets the time-out for
the console EXEC session to zero, which basically means to never time out. The
default time-out is 10 minutes. (If you’re feeling mischievous, try this on
people at work: Set it to 0 1. That will make the console time out in 1 second!
And to fix it, you have to continually press the down arrow key while changing the
time-out time with your free hand!)
logging synchronous is a very cool command, and it should
be a default command, but it’s not. It stops annoying console messages from
popping up and disrupting the input you’re trying to type.
Here’s an example of how to configure both commands:
Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous
Telnet Password
To set the user-mode password for Telnet access into the
router, use the line vty command.
Routers that aren’t running the Enterprise edition of the Cisco IOS default
to five VTY lines, 0 through 4. But if you have the Enterprise edition, you’ll have significantly
more. The best way to find out how many lines you have is to use that question
mark:
Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line vty 0 ?
<1-1180> Last Line number
Todd(config)#line vty 0 1180
Todd(config-line)#password telnet
Todd(config-line)#login
Remember, you cannot get help from your (config-line)#
prompt. You must exit back to global configuration mode, as shown above, in order to
use the question mark (?).
You can allow Telnet
connections without a password by using the no login command:
SFRouter(config-line)#line vty 0 4
SFRouter(config-line)#no login
Setting Up Secure Shell (SSH)
Instead of Telnet, you can use Secure Shell, which creates
a more secure session than the Telnet application that uses an unencrypted data
stream. Secure Shell (SSH) uses encrypted keys to send data so that your
username and password are not sent in the clear.
Here are the steps to setting up SSH:
1. Set your hostname:
Router(config)#hostname Todd
2. Set the domain name:
Todd(config)#ip domain-name Lammle.com
3. Generate the encryption keys for securing the session:
Todd(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
Todd(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: Todd.Lammle.com
% The key modulus size is 1024 bits
4. Set the max idle timer for a SSH session:
Todd(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
Todd(config)#ip ssh time-out 60
5. Set the max failed attempts for an SSH connection:
Todd(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
Todd(config)#ip ssh authentication-retries 2
6. Connect to the vty lines of the router:
Todd(config)#line vty 0 1180
7. Last, configure SSH and then Telnet as access protocols:
Todd(config-line)#transport input ssh telnet
If you do not use the keyword telnet at the end of the
command string, then only SSH will work on the router. Understand that SSH is more
secure than Telnet.
Encrypting Your Passwords
Because only the enable secret password is encrypted by
default, you’ll need to manually configure the user-mode and enable passwords
for encryption.
You can see all the passwords except the enable secret when
performing a show running-config on a router:
Todd#sh running-config
To manually encrypt your passwords, use the service
password-encryption command.
Here’s an example of how to do it:
Todd#config t
Enter configuration commands, one per line. End with
CNTL/Z.
Todd(config)#service password-encryption
Todd(config)#exit
Todd#sh run
Building configuration...
[output cut]
Todd#config t
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#
There you have it! The passwords will now be encrypted. You
just encrypt the passwords, perform a show run, and then turn off the command.
You can see that the enable password and the line passwords are all encrypted.
If you set your
passwords and then turn on the service password-encryption command, you have to
perform a show running-config before you turn off the encryption service or
your passwords won’t be encrypted. You don’t have to turn off the encryption
service at all; you’d only do that if your router is running low on processes.
And if you turn on the service before you set your
passwords, then you don’t even have to
view them to get them encrypted.
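The sections on enable passwords, line passwords, the SSH setup steps and service password-encryption together describe a checklist that can be verified from a saved running-config. The following Python script is an added example written for this page, not code from the guide or from Cisco: it parses a constructed running-config (the type 7 strings in it are placeholders, not real encoded values) and reports each setting the text discusses that is missing or weak. The parsing is deliberately simple (unindented line and interface commands open a section; indented commands belong to it), which is enough for show running-config output but is an assumption of this example, not a full IOS config grammar.

```python
from typing import Dict, List

# Constructed sample running-config for this example (not output from the
# guide). It models the state the text describes: passwords were encrypted,
# viewed, and then service password-encryption was turned off again.
SAMPLE_CONFIG = """\
hostname Todd
ip domain-name Lammle.com
no service password-encryption
enable password 7 PLACEHOLDER7
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 description Sales VLAN
 ip address 10.10.10.1 255.255.255.248
!
line con 0
 password 7 PLACEHOLDER7
 exec-timeout 0 0
 logging synchronous
 login
line aux 0
 password aux
line vty 0 4
 password 7 PLACEHOLDER7
 login
 transport input ssh telnet
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented commands under the 'line ...' or 'interface ...' command
    that introduces them; every other unindented command goes to 'global'."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace():
            sections[current].append(stripped)
        elif stripped.startswith(("line ", "interface ")):
            current = stripped
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(stripped)
    return sections


def audit_config(config: str) -> List[str]:
    """Return one finding per missing or weak administrative setting."""
    sections = parse_sections(config)
    g = sections["global"]
    findings: List[str] = []

    if not any(cmd.startswith("enable secret ") for cmd in g):
        findings.append("no enable secret: privileged mode relies on the enable password")
    if any(cmd.startswith("enable password ") for cmd in g):
        findings.append("enable password set: unused once an enable secret exists, remove it")
    if "service password-encryption" not in g:
        findings.append("service password-encryption off: line passwords set from now on stay in clear text")
    for needed in ("ip ssh time-out", "ip ssh authentication-retries"):
        if not any(cmd.startswith(needed) for cmd in g):
            findings.append(f"{needed} not set: IOS default applies")

    for name, body in sections.items():
        if not name.startswith("line "):
            continue
        if "no login" in body:
            findings.append(f"{name}: no login, connections are accepted without a password")
        elif not any(cmd.startswith("login") for cmd in body):
            findings.append(f"{name}: login missing, the password is never prompted for")
        passwords = [cmd for cmd in body if cmd.startswith("password ")]
        if not passwords:
            findings.append(f"{name}: no password configured")
        elif passwords[0].startswith("password 7 "):
            findings.append(f"{name}: type 7 password (reversible encoding, not a hash)")
        else:
            findings.append(f"{name}: clear-text password in running-config")
        if "exec-timeout 0 0" in body:
            findings.append(f"{name}: exec-timeout 0 0, idle sessions never expire")
        if name.startswith("line vty"):
            transport = [cmd for cmd in body if cmd.startswith("transport input")]
            if not transport:
                findings.append(f"{name}: transport input not restricted to ssh")
            elif "telnet" in transport[0].split():
                findings.append(f"{name}: Telnet accepted, credentials cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit flags the missing enable secret, the leftover enable password, the disabled encryption service, the aux line that has a password but no login command, the console line that never times out, and the vty lines that still accept Telnet beside SSH. A config that sets enable secret, keeps service password-encryption on, and restricts the vty lines to transport input ssh produces only the note that type 7 line passwords are a reversible encoding rather than a hash.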
Descriptions
The description command is helpful because you can, for instance,
use it to keep track of circuit numbers.
Todd#config t
Todd(config)#int s0/0/0
Todd(config-if)#description Wan to SF circuit number 6fdda12345678
Todd(config-if)#int fa0/0
Todd(config-if)#description Sales VLAN
Todd(config-if)#^Z
Todd#
You can view the description of an interface with either
the show running-config command or the show interface command:
Todd#sh run
[output cut]
interface FastEthernet0/0
description Sales VLAN
ip address 10.10.10.1 255.255.255.248
[output cut]
Todd#sh int f0/0
FastEthernet0/0 is up, line protocol is down
Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8
(bia 001a.2f55.c9e8)
Description: Sales VLAN
Doing the do Command
Beginning with IOS version 12.3, Cisco has finally added a
command to the IOS that allows you to view the configuration and statistics
from configuration mode.
Todd(config)#do show run
Building configuration...
Current configuration : 3276 bytes
!
[output cut]
Todd(config)#do sh int f0/0
FastEthernet0/0 is up, line protocol is down