Cisco CLI for Beginners Network Fundamentals Part 10

If you’ve been reading through this series, you have gone through about two hours of theory. It’s finally time to get our hands dirty and configure something. These practical skills are critical: all the theory in the world won’t benefit you if you can’t put it into practice. By the end of this article you’ll be able to take a new Cisco router or switch and apply some basic configuration to it. Cisco devices are quite popular, and that’s why we’re starting there. Other brands will feel a bit different, but the principles will be the same, so you can take what you learn here and adapt it as you need to. At the end we’ll briefly discuss how you can make your own labs to practice your skills. Are you ready? Let’s get started.

We’ll start by thinking about our devices physically. Routers and switches come in different sizes. Some are small devices that you would find at home or in a SOHO environment; these often bundle a few features into one single device. In a midsize or large office you will usually see larger devices, and we often use separate routers and switches rather than an all-in-one solution. If you happen to work at a service provider you will see massive devices like this one. The devices that we use need to suit the network that they’re part of, so we typically need to think of things like the number of ports we’ll need, what performance we’ll need, and what features we need. Most of these devices will come with a base license, which means that you’re licensed to use their basic features, but depending on what you need you may require additional licenses to get advanced features.

So let’s say that this router here has been sent to us for configuration. First we would want to know what each part of the router does. These ports are the built-in data interfaces, and they have their name written above or below them, GE 0/0/1 for example. This name means Gigabit Ethernet, module 0, port 0; the built-in interfaces are part of module 0. As they suggest, we can add more modules by removing the panel to the right and installing one like this one right here. More modules may mean more interfaces. The interfaces themselves come in different forms. You’ll see the common RJ45 style port that a regular network cable would connect to. There are also these rectangular ports; these are where SFP transceivers are connected, and we regularly use SFPs to connect fiber-optic cables. In the case of this router here we can choose which type of port we want to use.

On the far left there is a management port. This is a special port used only to manage the device; it is meant to carry traffic that’s used for managing the router itself. The management port is optional, as it’s not the only way to manage the device. Where it’s convenient is when we have a few routers and switches: we can put all their management ports into one single subnet and manage them all from one place.

Most Cisco devices have USB ports. We don’t use them very often, though; they’re mostly there for when we want to update the router’s firmware or when we want to copy some logs from the router. Right next to the USB ports are two console ports. One is a mini USB and the other uses an RJ45 connector. The console ports are another way of managing the device. Typically we use these to configure the device when it’s brand new, but sometimes we may use them in an emergency when no other forms of management are working. We’ll get to this shortly when we’re ready to start the hands-on configuration.

The auxiliary port was used in the old days. You could connect one of the old dial-up modems, so you could still get to the device from a remote location. Apparently you could even connect an old physical terminal server. I’ve never actually seen this port in use in my time; if you have, please let me know in the comments, I’d love to know how that worked out for you.

One last thing I’d like to point out is that some devices have one power supply and some have two. Others start with one and are then upgraded to two. This prevents the entire device going down if one power supply fails, and yes, that does happen. You can also use this to connect the device to two different power sources, perhaps two different UPSs or two different power rails. These dual power rails are commonly seen in data centers; they’re connected to different generators, so if there’s a power outage on one generator the other one stays up.

So now that we know all of that, how do we connect to our router? Well, it’s brand new, so it doesn’t have any IP address to connect to yet, so we need to use the console port to apply our initial configuration. We may also use the console port if the router is broken, or if we don’t know the details to connect to it. So as long as you have physical access to the router you can
connect to it with the console port. As you can see, there are two different options: one is USB and one is RJ45. A USB cable like this one is the newer approach; it connects the device directly to your laptop or computer. It should work out of the box with Windows 10, but if you’re going to use another operating system you may need to get a driver from Cisco to make it work. The other option is a serial cable like this one. You connect this to the router’s RJ45 console port and the other end to your computer. In the olden times computers had a serial port that you could connect the other end to; in fact, I remember when this was common, which kind of makes me feel pretty old right now. You generally don’t see these ports all that often anymore, so you would probably need a USB to serial adapter like this one, and you may need drivers to make that work too.

I have always used the serial cable with the adapter, and I still use it, mainly because that’s what I’ve always done and it’s what I’m familiar with. But the other reason is that some other devices, usually non-Cisco devices, only support serial connections; they don’t have that USB port. So it’s good to have this adapter available, because you can be versatile.

In the very old days, terminals like this one were used to connect to mainframes. While we’ve moved beyond these terminals these days, their text-only style has still hung around. So today, instead of having terminals, we use software called a terminal emulator. You can install a terminal emulator onto your computer and use it to connect to the device. Some of these you need to pay for, some are free, but really any of them should do the job. I’m going to recommend that you start with a free option called PuTTY. It’s free, it’s easy, it’s popular. Just do a quick Google search and you’ll find it; download it and go from there.

Now, before we can connect to the router (I’m using a Windows system here, as you’ll have noticed), you need to know what COM port you’re using. A COM port is how Windows sees a serial port, and depending on your system there may actually be more than one. On a Windows device you can find this COM port in Device Manager under Ports. Here you can see my USB to serial converter, which is known as COM3. Now we open up PuTTY, change the connection type to Serial, and then we change the serial line to COM3. You can see there are other connection options too, and we’ll discuss a few of these a little later on. The rest of the settings you can leave as default for now. Just click Open to open the connection, hit enter a few times, and you are now connected to the router.

When you first connect you will see that the prompt is the router’s name followed by this symbol. Not sure what you call that, is that a greater-than symbol or a right arrow? Whatever you want to call it, what it means is that we’re in user exec mode. This mode gives us very limited access, and it won’t allow us to configure anything, so we need to get ourselves some more access. We do this by typing in the enable command. You’ll notice that the symbol at the end of the prompt has changed. The name of this symbol depends on where you’re from; you might call it a hash symbol or a pound symbol. Whatever you want to call it, it means that we’re now in privileged exec mode, and this gives us full access to the router. Something to keep in mind for later is that we weren’t asked for a password. In our case, that’s because this is a brand-new router, but that’s also a bit of a security hole, so we’ll need to fix that up a bit later on.

When we want to get information from the router we use show commands. For example, we can see the current time on the router by typing in show clock, or we can see the software version with show version. If there’s too much information to fit on the screen you’ll see the --More-- line at the bottom. You can use space to move through this information page by page, or you can use enter to move through it line by line. What we’re going to do is just press Q to quit without seeing everything, and this
just takes us back to our regular prompt.

If we don’t know the exact command we want to run we can use the question mark. As soon as we press it, the CLI gives us all the available options that we can use. Some commands are short, like show clock, but often commands can be several keywords long. See here that we can optionally add the detail keyword to show clock.

Have a look at this: if we start typing a keyword and then press tab, the CLI will figure out what we mean and complete it for us. It’s a friendly CLI in that way. If you’re not familiar with the term CLI, that’s command line interface; that’s basically what we’re seeing here, where you type commands onto this line. We can also shorten commands. Sometimes we shorten them too far and we get this ambiguous command message. We do have to give the CLI enough information to work out what we mean, but as long as we do that, short commands are fine. I’m going to try to use the long version of each command in these articles so there’s no confusion around what I’m trying to do.

Okay, let’s actually configure something. We’ll start with the router’s name. To do any configuration we need to enter configuration mode, and we do this by typing in configure terminal. Notice that the prompt changes again; the config part shows that we can run configuration commands. Now that we’ve changed modes we can’t run our global exec commands directly, but here’s a little trick for you. It’s something not everyone knows, not even people who’ve been configuring routers for some time: if you put the do keyword on the front of your command while you’re in configuration mode, you can run global exec commands. That’s a lot faster than jumping out of configuration mode back to global exec and then back into configuration; it really saves you some time.

So anyway, back to changing the hostname. This is actually pretty easy: we’re going to use the hostname command followed by the name that we want to use, and we’re going to use InternetRouter. This immediately updates the prompt with the new name. Now that’s done, we can exit configuration mode. We can either type the word exit or we can use a keyboard shortcut. Most of the time I prefer using the keyboard shortcut, which is Ctrl-Z, and that will take you right back to global exec mode. When you do that you get this message on the screen. Messages like these are log
entries. The router has logged that we’ve finished the configuration and has put a timestamp on it, and that’s why it’s important that the clock is set correctly. We will see these log entries whenever we’re connected to the console port.

But let’s get back into configuration now and look at configuring an interface. The router I’m connected to is different to the one we saw pictures of earlier, so first we’ll have a look at what interfaces we have available to us. We can do this with show ip interface brief. Here we can see we have two interfaces. We can see that one interface has an IP already configured, and the other does not. We can also see that both of these interfaces are administratively down; this means that the ports are currently disabled. So let’s enable the second interface, and we’ll give it an IP address. Once you’re in configuration mode, we enter interface configuration mode with interface Gigabit 0/1. This changes the prompt again, this time to config-if, so any configuration we use here applies to this specific interface. We’ll start by giving it a description. This is technically optional, but I always recommend doing it. I always do it myself because it makes my job easier later on. And now for the IP; we do this with the ip address command. We give it the IP we want and the subnet mask. If you want a refresher on how IP addresses and subnet masks work, click the link to see the article on that.

Now remember how the interfaces were administratively down? If an interface is admin down it means it has been manually disabled; it is shut down. If we want to manually disable an interface ourselves we would issue the shutdown command. Of course it makes no difference here, as it’s already shut down. Any time that we want to turn a command off we simply put the word no in front of it, so no shutdown removes the shutdown state from that interface, and straight away we see log messages showing us that the interface has now come up.

Right, so we’re done with the basic interface configuration. Let’s just verify by having a look at the list of interfaces and see if it has an IP. The status shows that it’s up. Next to the status is the protocol column; this also shows that it’s up, as the interface is connected to another device. If I unplug the interface we get a message telling us that the line protocol is down. If you press the up key on the keyboard you will see the last command that you ran; let’s run this again to see a list of our interfaces. The status now shows down, but not administratively down. This is because we haven’t manually disabled the interface with the shutdown command; we’ve just unplugged the cable. If we plug it back in, which I’ll do now, more messages are logged to tell us that it’s back up.

Another useful command is show interface description. This gives us a simple list of interfaces and the descriptions that we gave them. This makes it easy to find what each interface does, especially if you have a lot of interfaces.

Now, we’ve been looking at physical interfaces so far, but I’d like to take a moment to show you that you can create virtual interfaces as well. As an example, we’re going to create a loopback interface. This is very similar to configuring a normal interface: enter interface configuration mode with interface loopback 0. The 0 here is just an example; you can pretty much use any number that you want. Now for the IP address. These interfaces are enabled by default, so they come up straight away, and we’ll just finish that IP address. Now we look through the interface list one last time; we can press the up key several times to go through our list of recent commands. And look at that, we have a new interface with an IP address. We’ll see what loopback interfaces do and why we use them a bit later on as we go through this series.

Our goal is to be able to connect to this router over the network, so we don’t have to use the console cable every time. Configuring the interface was the first part of that. The next thing we
should figure out is authentication. If you’re not familiar with that term, authentication is just proving to the router that you are who you say you are, and a basic form of that is a username and password. We use this because we only want authorized people to make changes on the router.

We’ll start by securing the enable command. You’ll remember earlier that we typed enable and we got full access to the router, and it didn’t ask us for a password. That’s what we’re going to change here: we want the router to ask for a password whenever anyone enters the enable command. In configuration mode, if we look at the enable command, we see we have options to set a password or a secret. You might think that password is what we want, but no, it isn’t. The password keyword uses weak encryption, while secret securely encrypts the password. Towards the end of this article I’m going to show you what I mean by that; it’ll become clear a bit later.

In addition to this we want to create an account for each person. That way we don’t have to share the password out amongst multiple staff. This is done with the username command. We also add privilege 15; on a Cisco router, privilege 15 means full access. It’s kind of like an administrator account on Windows or the root account in Linux. And once again we add a secret. Now, what this has done is it has created a user account on the router itself, so if you have several routers and several switches you’ll need to go to every one and configure the same list of users. You can configure an external server to have a list of all your user accounts so you don’t need to do it on every device, but that’s outside the scope of what we’re doing now, as we’re just starting with the basics. We might get to that some other time in the series; we’ll see how we go.

Okay, for the next thing: Cisco devices have virtual terminal lines, and we can connect to those with our terminal emulator. These are like that console port that we were connected to right now, but they’re virtual versions, and we can use those to connect to the router over the network. Anyway, we need to configure these to allow remote logins. It’s very much like configuring an interface, so enter line vty 0 4. The line vty part refers to configuring the virtual terminal lines. Routers will have five of these, so we give it the range 0 through to 4 so it can configure them all at once. Switches have 16 lines, so that’s 0 through to 15. Now that we’re in here, we tell the router which protocols we’re happy for users to log in with. The common ones you’ll see are SSH and telnet. Both of these protocols use TCP to send terminal information across the network; in this case PuTTY is the client and the router is the server. In most cases we prefer to use SSH instead of telnet. This is because SSH is encrypted and secure, while telnet on its own is not. You can allow both if you want, but we’re going to stick with just SSH for now. There’s only one last thing to do right here, and that’s to issue the login local command. This tells the router to look for user accounts locally on the router, that is, like the account we created earlier. If we type exit now we leave the vty configuration mode and drop back to regular configuration mode. This is different to when we use the shortcut: when we press Ctrl-Z, the shortcut would take us right back into global exec mode, whereas this just takes us up one level.

Now, back to SSH. It is more secure and therefore requires a little more work to get going. I won’t get into a lot of details about how SSH works because it can be complicated, so we’ll just go through the minimum requirements we need to configure it. Firstly, SSH needs a domain name. We configure this with ip domain-name, and we’ll use networkdirection.net; of course you can use whatever domain name you want. Next we configure a key. This is called an RSA key; SSH will use this key to encrypt and decrypt traffic. You do this with crypto key generate rsa (that’s crypto, then a space, then key), and you can see the full router name that’s used when creating the key. The router will also ask us how many bits we want to use for the key, offering 512 as the default value. In my opinion 512 is far too low by today’s standards; I suggest you use 2048. By default SSH version 1.99 is automatically enabled, but we’re going to turn it up to SSH version 2.

Now, while we’re here, I’d like to introduce you to banners. Banners are useful bits of information that are displayed during login, and we often use them to display legal disclaimers. Here we’re going to configure the login banner. This is shown every time we try to log in, just before we enter our username and password. banner login is the command we use, which is followed by a character called the delimiter. The delimiter can be any character, but we’re going to use the hash character. We start with the delimiter here, and we put in our banner, over a few lines if we want. We’re going to type in authorized logins only and intruders stay out, and then we put that delimiter character again. So everything between those two characters is the banner.
Another type of banner is called the message of the day, or MOTD. It’s also displayed when accessing the router. It’s different to the last banner, as the last one is only shown if the router asks you for login details. Remember before how we weren’t asked for login details? The login banner wouldn’t show then, but the message of the day banner still would. Now there are other kinds of banners; there are ones that’ll show up after you log in, for example, but I’m not going to bore you with every single type and what they’re for. So that’s going to be a part of your homework: go have a look, find out what banners there are, how to use them and why you would use them.

OK, we’re finally there. It’s time to connect to our router over the network, no console cable required. So I’m closing PuTTY and reopening it. This time I’m going to leave SSH selected; you’ll see that telnet is also an option here. I’ll enter the IP address that we configured earlier and click Open. Notice the banners that we configured; they’re showing up as well. And notice that we’re being challenged to provide a username and password, and because we used privilege level 15 we don’t even need the enable command, we’ve already got full access.

All the configuration that is currently active in the router is called the running config. We can see this configuration with show running-config; people frequently use sh run to keep it short. We can see the settings for the interface we configured, as well as lots of default commands. This running config is also the reason we used the secret keyword earlier when creating an account. This is called type 5 encryption, which is a strong form of encryption. A regular password uses type 7 encryption, which is easily broken; if you don’t believe me, just Google decrypt type 7 passwords if you’d like to see what I’m talking about. But why is that important? Well, imagine that we’ve saved a copy of this running config into Notepad, saved it on our computer, and someone else has got hold of that file somehow. If we’re only using those type 7 passwords they can easily decrypt them; they will know our password to the router, and if we reuse passwords they might know our password to other things too.

OK, back to the running config. There is a catch: the running config is stored in volatile memory. That means that if the router reboots we lose all the changes we’ve made. But don’t worry, it’s not all over, don’t panic: we can save the running config to non-volatile storage. Did you know that routers and switches have storage? Just take a look at this. It’s not a lot, but this router has some flash memory, and this flash memory is not erased on reboot. When the router starts up it loads a file called the startup config into memory; once it’s loaded into memory it is now the running config. So we can reverse that: to save our changes we need to copy the running config to the startup config, and this is done by typing in copy running-config startup-config. This is often shortened to copy run start. Another way that you can do this is with the command write memory, or just wr mem. This command has been around forever, so you’re going to see people who are using it; it does the same thing, but some devices don’t use this command anymore. I’ve also heard that on the exams they don’t like you using write memory, so get used to the copy run start version.

Congratulations, you now have a basic configuration on your router. We’ll be adding all sorts of different configurations throughout the series, so your homework is to try this out in a lab and practice your skills. I’m not going to go into a great amount of detail on how to create a lab, because there’s plenty of information that other people have put out there, but I’m going to give you a place to get started. There are a few ways you can do this. The most obvious one is to go out there and buy some hardware: buy a few routers, buy a few switches, get the cables, cable them all up. This may be good if the place you’re working for is throwing out some old equipment that they’ve decommissioned, but most of us would need to look on eBay or somewhere like that. This is kind of an accurate way to lab something out, because you get the hands-on experience with actually cabling things through, and you know it’s actually going to work on this particular router. But you’re limited with this, because if you want to try doing something that your router doesn’t support, like if you need a bigger router or something like that, you’re kind of stuck. Also, it’s loud; routers and switches can be loud, they hum and buzz and things, and they take up physical space in your house, which is not always ideal. So your other option is to create a virtual lab, and this is what I tend to do myself. Virtual is different because you can create a
great number of devices. You don’t just have to rely on the two or three routers that you have sitting in your home; you can create 20 virtual routers and cable them all up virtually. The downside to virtual is that not every single physical feature is available in a virtual environment, but for the CCNA level exams, and even a few after that, you shouldn’t need to worry about it; they can do pretty well everything you need to know.

Your first option in the virtual world is Cisco’s Packet Tracer. This has limited functionality, but it’s wonderful for seeing how packets are flowing through the network. It’s great to get started; this is where I started, in fact. It’s suitable for the CCNA exam, but not so much when you go beyond that. You can get Packet Tracer by signing up to Cisco’s Networking Academy, and I presume that costs money.

Another very popular option, probably the most popular option, is GNS3. It loads real router and switch operating system images, so you know that what you’re seeing here is going to be exactly like it is on the real device. The downside is, well, how do you get these software images? They don’t come with the GNS3 software because, well, it’s difficult to get them legally. It’s like downloading Windows: you generally can’t just go and do that legally, so you need to have some way of getting those images. However, the GNS3 software itself is free, and you can use some other vendors as well; you don’t have to limit yourself to just Cisco.

The next option is VIRL, which is also made by Cisco. This is the one I use in most of my day-to-day labbing work. It supports real software images, but they come as a part of the package, so you don’t need to go out and find them. For the most part this is Cisco only, but there is some support for some Linux servers if you want to see how servers connect into this environment, and you can integrate it into your real network as well, so you can use it to mix a bit of virtual with a bit of physical. The downside, though, is it comes with a price tag; I think it is 199 US per year.

Finally there’s a package called EVE-NG. I’ve never used this one myself, but I’ve heard some very good things about it. It’s vendor-neutral, so I’m fairly sure it can run Cisco devices. Once again you have to figure out how to get the images to run on the devices, but I’ll leave that up to you. There are free and paid-for options, depending on the features you want to run.

So go out there, figure out what you want to do, which lab you want to make, and practice. That’s the key to getting a good understanding, and practice is the key to passing an exam, and definitely the key to getting into the real world. We’re going to try to do some labbing in every article of this series if we can. I hope you’ve liked this article. Please share some feedback in the comments below if you have any, and if you know someone else who can benefit from this, please share it with them. In the next article we’re going to start by looking into switching and how it works, and I hope to see you there.
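To tie the configuration steps from this article together for your lab, here is an added example (not code from the article, from Cisco, or from any lab tool): a small Python check that reads a saved running-config and flags the weak settings discussed above (enable password instead of secret, type 7 user passwords, telnet on the vty lines, login without local, SSH version not pinned to 2). Both sample configs are constructed; the hostname, addresses, user name and hash values are assumptions.

```python
"""Audit a Cisco IOS running-config for the weak settings this article warns about.

Added example, not code from the article: both sample configs are constructed,
and the hostname, addresses, user name and placeholder hashes are assumed.
"""
import re
from typing import List

# Constructed "before" state: enable password, a type 7 user password,
# telnet allowed on the vty lines, line-password login, no SSH version pinned.
WEAK_CONFIG = """\
hostname Router
enable password cisco
username admin privilege 15 password 7 0123456789ABCDEF
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 shutdown
line vty 0 4
 transport input telnet ssh
 login
"""

# Constructed "after" state: the configuration the article builds step by step.
# The $1$... values stand in for the type 5 hashes IOS writes into the config
# (newer IOS versions also offer type 8/9 secrets, which are stronger).
HARDENED_CONFIG = """\
hostname InternetRouter
enable secret 5 $1$PLCH$placeholderhash0000000
username admin privilege 15 secret 5 $1$PLCH$placeholderhash1111111
ip domain-name networkdirection.net
ip ssh version 2
interface GigabitEthernet0/1
 description Uplink to ISP
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
banner login #Authorized logins only. Intruders stay out!#
line vty 0 4
 transport input ssh
 login local
"""


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the config is clean."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]
    text = "\n".join(lines)

    # 'enable password' is stored as type 0 (clear) or type 7 (reversible);
    # 'enable secret' is stored as a one-way hash.
    if re.search(r"^enable password ", text, re.M):
        findings.append("enable password in use: replace with enable secret")

    # Per-user accounts should also use 'secret', never 'password'.
    for match in re.finditer(r"^username (\S+) .*\bpassword\b", text, re.M):
        findings.append(f"user {match.group(1)} uses password (type 0/7): use secret")

    # Without 'ip ssh version 2' the router stays at 1.99 and may accept SSHv1.
    if not re.search(r"^ip ssh version 2$", text, re.M):
        findings.append("ip ssh version 2 not set")

    # Walk the indented sub-commands under each 'line vty ...' section.
    section = None
    for line in lines:
        if not line.startswith(" "):
            section = line if line.startswith("line vty") else None
            continue
        if section is None:
            continue
        cmd = line.strip()
        if cmd.startswith("transport input") and "telnet" in cmd.split():
            findings.append(f"{section}: telnet allowed ({cmd})")
        if cmd == "login":
            findings.append(f"{section}: login without local, per-user accounts not used")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['no findings']}")
```

Point it at a running-config you saved from show running-config to see which of the article's fixes are still missing on a real device.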
