03 June 2011

Getting Started With Cisco

Initially you will probably configure your router from a terminal. If the router is already configured, at least one interface has an IP address, and it has a physical connection to the network, you may be able to telnet to the router and configure it across the network (telnet sends everything, including your passwords, in cleartext; on IOS versions that support it, prefer SSH). If it is not already configured, you will have to connect to it directly with a terminal and a serial cable. On a Windows box you can use HyperTerminal: plug a serial cable into a serial (COM) port on the PC and the other end into the console port on the Cisco router, start HyperTerminal, tell it which COM port to use, and set the connection to 9600 baud, 8 data bits, no parity, 1 stop bit and no flow control. If the router is not on, turn it on.
If you wish to configure the router from a Linux box, either Seyon or Minicom should work. At least one of them, and maybe both, will come with your Linux distribution.
Often you will need to hit the Enter key to see the prompt from the router. If it is unconfigured it will look like this:

Router>

If it has been previously configured with a hostname, it will look like this:

hostname of router>

If you have just turned on the router, it will ask after booting whether you want to begin the initial configuration dialog. Say no: answering yes drops you into the menu-driven setup interface rather than the command line described here.

Modes

The Cisco IOS command-line interface is organized around the idea of modes. You move in and out of several different modes while configuring a router, and the mode you are in determines which commands you can use. Each mode has its own set of commands, some of which are available only in that mode. In any mode, typing a question mark displays a list of the commands available there.

Router>?

Unprivileged and privileged modes

When you first connect to the router and provide the password (if one is set), you enter user EXEC mode, the first mode in which you can issue commands from the command line. From here you can use unprivileged commands such as ping, telnet, and rlogin, and some of the show commands to obtain information about the system; for example, show version displays the version of IOS the router is running. Typing show ? displays all the show commands available in the mode you are presently in.

Router>show ?

You must enter privileged mode to configure the router. You do this by using the command enable [ Router>enable ]. Privileged mode will usually be password protected unless the router is unconfigured. You have the option of not password protecting privileged mode, but it is HIGHLY recommended that you do. When you issue the command enable and provide the password, you will enter privileged mode.
To help the user keep track of what mode they are in, the command-line prompt changes each time you enter a different mode. When you switch from unprivileged mode to privileged mode, the prompt changes from:

Router>

to

Router#

This would probably not be a big deal if there were just two modes. There are, in fact, numerous modes, and this feature is probably indispensable. Pay close attention to the prompt at all times.
Within privileged mode there are many sub-modes. In this document I do not closely follow Cisco terminology for this hierarchy of modes. I think that my explanation is clearer, frankly. Cisco describes two modes, unprivileged and privileged, and then a hierarchy of commands used in privileged mode. I reason that it is much clearer to understand if you just consider there to be many sub-modes of privileged mode, which I will also call parent mode. Once you enter privileged mode (parent mode) the prompt ends with a pound sign (#). There are numerous modes you can enter only after entering privileged mode. Each of these modes has a prompt of the form:

Router(arguments)#

They still all end with the pound sign; they are subsumed within privileged mode, and many of them have sub-modes of their own. Once you enter privileged mode, you have access to all the configuration information and options the IOS provides, either directly from the parent mode or from one of its sub-modes.

Configuring your Cisco Router

If you have just turned on the router, it will be completely unconfigured. If it is already configured, you may want to view its current configuration. Even if it has not been previously configured, familiarize yourself with the show commands before beginning to configure the router. Enter privileged mode by issuing the command enable, then issue several show commands to see what they display. Remember, show ? lists all the show commands available in the current mode. Definitely try out the following:

Router> enable
Router# show interfaces
Router# show ip protocols
Router# show ip route
Router# show ip arp

When you enter privileged mode by using the command enable, you are in the top-level mode of privileged mode, also known in this document as “parent mode.” It is in this top-level or parent mode that you can display most of the information about the router. As you now know, you do this with the show commands. Here you can learn the configuration of interfaces and whether they are up or down. You can display what IP protocols are in use, such as dynamic routing protocols. You can view the route and ARP tables, and these are just a few of the more important options.
As you configure the router, you will enter various sub-modes to set options, then return to the parent mode to display the results of your commands; you also return to the parent mode to enter other sub-modes. To return to the parent mode, press Ctrl-Z (or type end). Note that configuration commands take effect as soon as you enter them; Ctrl-Z only leaves configuration mode and returns you to the parent mode.

Global configuration (config)

To configure any feature of the router, you must enter configuration mode. This is the first sub-mode of the parent mode. In the parent mode, you issue the command config (the full form is configure terminal, usually abbreviated conf t; config on its own asks whether to configure from terminal, memory or network, and defaults to terminal).

Router# config
Router(config)#

As demonstrated above, the prompt changes to indicate the mode that you are now in.
In configuration mode you can set options that apply system-wide, also referred to as “global configuration.” For instance, it is a good idea to name your router so that you can easily identify it. You do this in configuration mode with the hostname command.

Router(config)# hostname ExampleName
ExampleName(config)#

As demonstrated above, when you set the name of the host with the hostname command, the prompt immediately changes by replacing Router with ExampleName. (Note: It is a good idea to name your routers with an organized naming scheme.)
Another useful command issued from config mode is the command to designate the DNS server to be used by the router:

ExampleName(config)# ip name-server aa.bb.cc.dd
ExampleName(config)# ctrl-Z
ExampleName#

This is also where you set the password for privileged mode. Use enable secret, as shown, rather than the older enable password: enable secret stores a salted hash of the password, while enable password stores it in cleartext or, with service password-encryption, in a reversible encoding.

ExampleName(config)# enable secret examplepassword
ExampleName(config)# ctrl-Z
ExampleName#

Configuration commands take effect as you enter them, so you do not need to leave config mode for them to apply; Ctrl-Z (or typing exit until you reach the parent mode) just returns you to the parent mode. You can enter config mode, issue several different commands, then hit Ctrl-Z. Each time you hit Ctrl-Z you return to parent mode and the prompt:

ExampleName#

Here you use show commands to verify the results of the commands you issued in config mode. To verify the result of the ip name-server command, issue show hosts.
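Why the tutorial uses enable secret rather than the older enable password, shown as an added example that is not part of the original tutorial: IOS stores an enable password either in cleartext (type 0) or, after service password-encryption, as a "type 7" string that is only an XOR against a fixed, publicly known key, whereas enable secret stores a salted hash (type 5, or types 8 and 9 on newer releases) that cannot be reversed. The script decodes type 7 strings and classifies the enable lines of a running-config. The configuration excerpt and the type 5 hash value in it are constructed for the example; the type 7 key is the real IOS constant.

```python
import re

# Fixed key of the IOS type-7 scheme. It is a public constant, not a secret,
# which is exactly why type 7 protects nothing.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Hashed storage types: 5 = salted MD5, 8 = PBKDF2-SHA256, 9 = scrypt.
HASHED_TYPES = {"5", "8", "9"}

# "enable secret 5 $1$...", "enable password 7 094F...", "enable password cisco"
ENABLE_RE = re.compile(r"^enable (secret|password)(?: (\d))? (\S+)$")


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: two decimal digits give the key offset, the rest
    is hex, and each byte was XORed with the key byte at (offset + position)."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 9) -> str:
    """The inverse, i.e. what service password-encryption does to a cleartext line."""
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}" + enc.hex().upper()


def classify_enable_lines(config: str) -> list:
    """One finding per enable line: keyword, storage type, recovered plaintext
    (None when the storage is a one-way hash) and whether it is weak."""
    findings = []
    for raw in config.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if not m:
            continue
        keyword, ptype, value = m.groups()
        ptype = ptype or "0"  # no type digit means the line holds cleartext
        if ptype in HASHED_TYPES:
            findings.append({"keyword": keyword, "type": int(ptype), "plaintext": None, "weak": False})
        elif ptype == "7":
            findings.append({"keyword": keyword, "type": 7, "plaintext": decode_type7(value), "weak": True})
        else:
            findings.append({"keyword": keyword, "type": 0, "plaintext": value, "weak": True})
    return findings


# Constructed running-config excerpt: a type-5 secret plus a leftover type-7
# enable password. The $1$ hash is made up for the example; the type 7
# string is a real encoding of "cisco".
SAMPLE_CONFIG = """\
hostname ExampleName
service password-encryption
enable secret 5 $1$Fz3x$k9Lm2pQ7RtVwXyZa1bC3d/
enable password 7 094F471A1A0A
ip name-server 172.16.0.10
"""

if __name__ == "__main__":
    for finding in classify_enable_lines(SAMPLE_CONFIG):
        print(finding)
```

When both lines are present IOS authenticates against the secret, but the type 7 line still leaks a credential that is very often reused elsewhere, so the right fix is no enable password at all.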

Configuring Cisco router interfaces

Cisco interface naming is straightforward. Individual interfaces are referred to by this convention:

media type slot#/port#

“Media type” refers to the type of media the port is an interface for, such as Ethernet, Token Ring, FDDI, serial, etc. Slot numbers apply only to routers that provide slots into which you can install modules; each module contains several ports for a given media type. The 7200 series is an example. These modules are even hot-swappable: you can remove a module from a slot and replace it with a different module without interrupting the service provided by the other modules installed in the router. The slots are numbered on the router.
Port number refers to the port relative to the other ports in that module. Numbering is left-to-right, and starts at 0, not at 1.
For example, a Cisco 7206 is a 7200 series router with six slots. To refer to the third port of an Ethernet module installed in slot 6, you would write interface ethernet 6/2. Therefore, to display the configuration of that interface you use the command:

ExampleName#show interface ethernet 6/2

If your router does not have slots, like a 1600, then the interface name consists only of:
media type port#
For example:

ExampleName# show interface serial 0

Here is an example of configuring a serial port with an IP address:

ExampleName# config
ExampleName(config)# interface serial 1/1
ExampleName(config-if)# ip address 192.168.155.2 255.255.255.0
ExampleName(config-if)# no shutdown
ExampleName(config-if)# ctrl-Z
ExampleName#

Then to verify configuration:

ExampleName# show interface serial 1/1

Note the no shutdown command. An interface may be correctly configured and physically connected, yet be “administratively down.” In this state it will not function. The command for causing an interface to be administratively down is shutdown.

ExampleName(config)# interface serial 1/1
ExampleName(config-if)# shutdown
ExampleName(config-if)# ctrl-Z
ExampleName# show interface serial 1/1

In the Cisco IOS, the way to reverse or delete the result of almost any command is simply to put no in front of it. For instance, to unassign the IP address we assigned to interface serial 1/1:

ExampleName(config)# interface serial 1/1
ExampleName(config-if)# no ip address 192.168.155.2 255.255.255.0
ExampleName(config-if)# ctrl-Z
ExampleName# show interface serial 1/1

Configuring most interfaces for LAN connections might consist only of assigning a network layer address and making sure the interface is not administratively shut down. It is usually not necessary to stipulate the data-link layer encapsulation. Note that it is often necessary to stipulate the appropriate data-link layer encapsulation for WAN connections, such as frame relay and ATM; serial interfaces default to HDLC. A discussion of data-link protocols is outside the scope of this document. Look up the IOS command encapsulation for more details.

Configuring Cisco Routing

IP routing is automatically enabled on Cisco routers. If it has been previously disabled on your router, you turn it back on in config mode with the command ip routing.

ExampleName(config)# ip routing
ExampleName(config)# ctrl-Z

There are two main ways a router knows where to send packets. The administrator can assign static routes, or the router can learn routes by employing a dynamic routing protocol.
These days static routes are generally used in very simple networks or in particular cases that necessitate their use. To create a static route, the administrator tells the router operating system that any traffic destined for a specified network layer address should be forwarded to a similarly specified network layer address. In the Cisco IOS this is done with the ip route command.

ExampleName# config
ExampleName(config)# ip route 172.16.0.0 255.255.255.0 192.168.150.1
ExampleName(config)# ctrl-Z
ExampleName# show ip route

Two things should be said about this example. First, the destination must be given together with the subnet mask of the destination network. Second, the address it is to be forwarded to is the address of the next router along the path to the destination, and that next hop must itself be reachable through a network the router already knows about, or the route will not be installed in the routing table. This is the most common way of setting up a static route, and the only one this document covers. Be aware, however, that there are other methods.
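The decision the router makes once such routes are installed, as an added example (not from the original tutorial): among all entries whose network and mask contain the destination, the most specific one (longest mask) wins, a 0.0.0.0 0.0.0.0 entry is the fallback of last resort, and a static route whose next hop cannot be resolved against the table is not installed. The model below implements that longest-prefix match in Python; it generalizes the single ip route line above to a table with connected, summary, specific and default routes. The interfaces and addresses are taken from the tutorial's examples, and the "connected:<interface>" marker for directly attached networks is a convention of this model, not IOS output.

```python
import ipaddress


class RoutingTable:
    """Minimal IPv4 routing table: connected networks plus static routes,
    resolved by longest-prefix match (most specific entry wins)."""

    def __init__(self):
        # (network, next_hop): next_hop is a neighbour address for a static
        # route, or "connected:<interface>" for a directly attached network.
        self.routes = []

    def add_connected(self, address, mask, interface):
        """What `ip address` + `no shutdown` on an interface installs."""
        net = ipaddress.IPv4Network((address, mask), strict=False)
        self.routes.append((net, f"connected:{interface}"))

    def add_static(self, destination, mask, next_hop):
        """Mirror of `ip route destination mask next_hop`. As on IOS, the route
        is installed only if the next hop resolves against the table."""
        if self.lookup(next_hop) is None:
            return False
        net = ipaddress.IPv4Network((destination, mask), strict=False)
        self.routes.append((net, next_hop))
        return True

    def lookup(self, destination):
        """Return (network, next_hop) of the most specific matching route, or None."""
        addr = ipaddress.IPv4Address(destination)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        net, nh = max(matches, key=lambda entry: entry[0].prefixlen)
        return (str(net), nh)


def build_example_table():
    """Table of the tutorial's example router, plus a summary and a default route
    added to show the longest-prefix rule (constructed for the example)."""
    rt = RoutingTable()
    rt.add_connected("192.168.150.90", "255.255.255.0", "Ethernet2/3")
    rt.add_connected("192.168.155.2", "255.255.255.0", "Serial1/1")
    rt.add_static("172.16.0.0", "255.255.0.0", "192.168.155.1")    # /16 summary
    rt.add_static("172.16.0.0", "255.255.255.0", "192.168.150.1")  # /24, more specific
    rt.add_static("0.0.0.0", "0.0.0.0", "192.168.155.1")           # default route
    return rt


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("172.16.0.7", "172.16.5.1", "192.168.150.44", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
```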
Dynamic routing protocols, running on connected routers, enable those routers to share routing information. This enables routers to learn the routes available to them. The advantage of this method is that routers are able to adjust to changes in network topologies. If a route is physically removed, or a neighbor router goes down, the routing protocol searches for a new route. Routing protocols can even dynamically choose between possible routes based on variables such as network congestion or network reliability.
There are many different routing protocols, and they all use different variables, known as “metrics,” to decide upon appropriate routes. Unfortunately, a router needs to be running the same routing protocols as its neighbors. Many routers can, however, run multiple protocols. Also, many protocols are designed to be able to pass routing information to other routing protocols. This is called “redistribution.” The author has no experience with trying to make redistribution work. There is an IOS redistribute command you can research if you think this is something you need. This document’s companion case study describes an alternative method to deal with different routing protocols in some circumstances.
Routing protocols are a complex topic and this document contains only this superficial description of them. There is much to learn about them, and there are many sources of information about them available. An excellent source of information on this topic is Cisco’s website, http://www.cisco.com.
This document describes how to configure the Routing Information Protocol (RIP) on Cisco routers. From the command-line, we must explicitly tell the router which protocol to use, and what networks the protocol will route for.

ExampleName# config
ExampleName(config)# router rip
ExampleName(config-router)# network aa.bb.cc.dd
ExampleName(config-router)# network ee.ff.gg.hh
ExampleName(config-router)# ctrl-Z
ExampleName# show ip protocols

Now when you issue the show ip protocols command, you should see an entry describing the RIP configuration. Note that with no version command IOS runs RIP version 1, which is classful and carries no authentication; where the neighbors support it, configure version 2 under router rip and enable RIP authentication on the interfaces (ip rip authentication mode md5 together with a key chain), so that a host on the segment cannot inject routes.

Saving your Cisco Router configuration

Once you have configured routing on the router and configured the individual interfaces, your router should be capable of routing traffic. Give it a few moments to talk to its neighbors, then issue the commands show ip route and show ip arp. The route table should now contain entries learned from the routing protocol, and the ARP table the hardware addresses of the neighbors the router has exchanged packets with.
If you turned the router off right now and turned it on again, you would have to start configuration over again. Your running configuration is not saved to any permanent storage media. You can see this configuration with the command show running-config.

ExampleName# show running-config

You do want to save your successful running configuration. Issue the command copy running-config startup-config.

ExampleName# copy running-config startup-config

Your configuration is now saved to non-volatile RAM (NVRAM). Issue the command show startup-config.

ExampleName# show startup-config

Any time you need to return your router to that configuration, issue the command copy startup-config running-config. Be aware that this merges the saved configuration into the running one rather than replacing it: commands you have added since saving stay in effect unless the saved file contradicts them. To discard the running configuration entirely, reload the router, which boots from startup-config.

ExampleName# copy startup-config running-config

Example Cisco Router configuration

Router> enable
Router# config
Router(config)# hostname N115-7206
N115-7206(config)# interface serial 1/1
N115-7206(config-if)# ip address 192.168.155.2 255.255.255.0
N115-7206(config-if)# no shutdown
N115-7206(config-if)# ctrl-z
N115-7206# show interface serial 1/1
N115-7206# config
N115-7206(config)# interface ethernet 2/3
N115-7206(config-if)# ip address 192.168.150.90 255.255.255.0
N115-7206(config-if)# no shutdown
N115-7206(config-if)# ctrl-z
N115-7206# show interface ethernet 2/3
N115-7206# config
N115-7206(config)# router rip
N115-7206(config-router)# network 192.168.155.0
N115-7206(config-router)# network 192.168.150.0
N115-7206(config-router)# ctrl-z
N115-7206# show ip protocols
N115-7206# ping 192.168.150.1
N115-7206# config
N115-7206(config)# ip name-server 172.16.0.10
N115-7206(config)# ctrl-z
N115-7206# ping archie.au
N115-7206# trace xx.yy.zz.aa
N115-7206# config
N115-7206(config)# enable secret password
N115-7206(config)# ctrl-z
N115-7206# copy running-config startup-config
N115-7206# exit

PIX Firewall configuration commands

pixfirewall(config)# enable password myEnableSecret
	Set the enable password. In the running configuration it is displayed
	in encrypted form with the keyword "encrypted" at the end. When typing
	the command yourself, leave off "encrypted", or the PIX will treat the
	string you enter as the already-encrypted form of the password rather
	than the password itself.
pixfirewall(config)# passwd myLoginSecret
	Set the user-mode (login) password, the first password challenge when
	connecting by Telnet. The same note applies: leave off the "encrypted"
	keyword when typing the command.
pixfirewall(config)# hostname UNIT1
	Set the name of the host. Choose an innocuous name that does not give
	away what kind of device this is.
pixfirewall(config)# name 10.3.3.22 DMZWEBSERVER
	Map an address to a name (the names command must be enabled first).
pixfirewall(config)# nameif ethernet0 outside security0
	Name ethernet0 and assign its security level; 0 is the least trusted
	side, 100 the most trusted.
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# nameif ethernet2 management security90
pixfirewall(config)# nameif ethernet3 dmz security30
pixfirewall(config)# nameif ethernet4 pix_failover security40
	ethernet4 is connected to another failover-capable PIX; the name
	reflects this.
pixfirewall(config)# nameif ethernet5 not_in_use security20
	Not currently in use.
pixfirewall(config)# interface ethernet0 100full
	Set the interface speed and duplex. This also activates the interface.
pixfirewall(config)# interface ethernet1 100full
pixfirewall(config)# interface ethernet2 100full
pixfirewall(config)# interface ethernet3 100full
pixfirewall(config)# interface ethernet4 100full
	The failover interface must be set to 100 Mb/s full duplex for failover
	to operate properly; failover itself may be explained in another article.
pixfirewall(config)# interface ethernet5 100full shutdown
	This interface is shut down.
pixfirewall(config)# ip address outside 1.1.1.1 255.255.255.0
	Assign an IP address and subnet mask to each named interface.
pixfirewall(config)# ip address inside 10.1.1.1 255.255.255.0
pixfirewall(config)# ip address management 10.2.2.1 255.255.255.0
pixfirewall(config)# ip address dmz 10.3.3.1 255.255.255.0
pixfirewall(config)# ip address pix_failover 10.4.4.1 255.255.255.0

Sample PIX 6.3(2) running configuration, as shown by show running-config:

PIX Version 6.3(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 shutdown
interface ethernet1 shutdown
mtu outside 1500
mtu inside 1500
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
no failover
arp timeout 14400
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet timeout 5
terminal width 80

Several lines in this configuration are factory defaults that must be changed before the firewall goes into service. The enable password hash 8Ry2YjIyt7RRXU24 is the hash of an empty enable password and the passwd hash 2KFQnbNIdI.2KYOU is the hash of the default Telnet password "cisco"; snmp-server community public lets anyone who can reach the device read its SNMP data. Logging is only buffered in memory (no logging trap and no logging host), so nothing survives a reload or reaches a syslog server, and both interfaces are still shut down.
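The check a reviewer would run against a configuration like the one above, as an added example that is not from the original page: a small Python audit that flags the lines that are factory defaults or otherwise weak. The enable and Telnet password hashes it looks for are the ones a PIX 6.x ships with (an empty enable password and the Telnet password "cisco"), the SNMP community names are the usual guessable defaults, and "no syslog export" means no logging host is configured or logging trap is disabled. The embedded configuration is an abridged copy of the sample above.

```python
import re

# Hashes found in a factory PIX 6.x configuration: an empty enable password
# and the Telnet password "cisco". They are public knowledge, not secrets.
DEFAULT_ENABLE_HASH = "8Ry2YjIyt7RRXU24"
DEFAULT_TELNET_HASH = "2KFQnbNIdI.2KYOU"
WEAK_COMMUNITIES = {"public", "private"}


def audit_pix_config(config: str) -> list:
    """Return human-readable findings for weak or default settings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        m = re.match(r"^enable password (\S+) encrypted$", ln)
        if m and m.group(1) == DEFAULT_ENABLE_HASH:
            findings.append("enable password is the factory default (empty)")
        m = re.match(r"^passwd (\S+) encrypted$", ln)
        if m and m.group(1) == DEFAULT_TELNET_HASH:
            findings.append('Telnet password is the factory default ("cisco")')
        m = re.match(r"^snmp-server community (\S+)", ln)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(f"SNMP community '{m.group(1)}' is a guessable default")
        if ln.startswith("interface ") and ln.endswith(" shutdown"):
            findings.append(f"{ln.split()[1]} is shut down")
    # Buffered logging alone is lost on reload; syslog export needs both a
    # logging host and logging trap enabled.
    has_host = any(ln.startswith("logging host ") for ln in lines)
    trap_off = "no logging trap" in lines
    if trap_off or not has_host:
        findings.append("no syslog export (no logging host and/or no logging trap)")
    return findings


# Abridged copy of the sample configuration above.
SAMPLE_PIX_CONFIG = """\
PIX Version 6.3(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
logging on
logging buffered debugging
no logging trap
interface ethernet0 shutdown
interface ethernet1 shutdown
ip address outside 209.165.200.226 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 209.165.200.227-209.165.200.254 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
telnet timeout 5
"""

if __name__ == "__main__":
    for finding in audit_pix_config(SAMPLE_PIX_CONFIG):
        print("-", finding)
```

The same loop is where the next checks belong as a deployment matures (for instance, whether telnet or ssh lines permit management from the outside interface), since every check is just another regular expression over the stripped lines.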
PIX Firewall/ASA running OS version 7.0 or later:

asa(config)# interface Ethernet0/0
asa(config-if)# nameif outside
asa(config-if)# duplex auto
asa(config-if)# speed auto
asa(config-if)# ip address 23.42.53.24 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# interface Ethernet0/1
asa(config-if)# nameif inside
asa(config-if)# duplex auto
asa(config-if)# speed auto
asa(config-if)# ip address 10.10.10.1 255.255.255.0
asa(config-if)# no shutdown

On 7.0 and later, nameif inside sets the security level to 100 automatically and any other name gets 0; set security-level explicitly on any interface that is not simply the outside or the inside.

To configure the default gateway, do the following:

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 23.42.53.1

When you wish to permit specific LAN subnet (i.e. 10.10.10.0/24) to have WAN access, you can issue the following command.

pixfirewall(config)# nat (inside) 1 10.10.10.0 255.255.255.0 0 0

If you wish to permit all LAN subnets to have WAN access, you can issue the following command.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

To specify WAN NAT/PAT-ed IP address of the LAN subnet, similarly you can specify specific IP address; range of IP address; or the WAN interface IP address itself. Let’s say for illustration you like to use the WAN interface IP address itself. Then the command is

pixfirewall(config)# global (outside) 1 interface

Note the 1 parameter on both the nat and global commands. This NAT ID ties the two together, so the ID on the nat command must match the ID on the global command: if the nat command uses 3, the global command must use 3 as well. In other words, each NAT/PAT arrangement is defined by a matching pair of nat and global commands.
Existing translations are not rebuilt when the rules change. To make the new nat/global pair apply to traffic that is already flowing, flush the translation table with the following command (this drops every current translation, so active sessions through the firewall are interrupted):

pixfirewall(config)# clear xlate

Keep in mind that in this illustration, it is assumed that you have WAN static IP address scheme in Ethernet environment. When this does not match your situation, please go to the FAQ subsection and find the most suitable environment (PPP, DHCP, etc.).
There should be no further necessary step of configuring the PIX Firewall. You then need to exit the configuration mode and save the changes, by doing the following.

pixfirewall(config)# exit
pixfirewall# write memory

You can also issue following command to save the changes if the PIX or ASA is running OS 6.x, 7.x, or later.

pixfirewall# copy running-config startup-config
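To make the pairing rule concrete, here is an added example (not from the original page) that models the nat/global relationship and the resulting xlate table in Python. It is a deliberate simplification of the PIX: nat rules are matched in configuration order, the only global form modelled is global (outside) ID interface (PAT to the outside interface address), hosts whose nat ID has no matching global entry get no translation, and port allocation starting at 1024 is an assumption of the model rather than the firewall's real allocator. The addresses are taken from the illustration above.

```python
import ipaddress


class PixNat:
    """Simplified model of PIX nat/global pairing and the xlate table."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.nat_rules = []      # (nat_id, inside network), configuration order
        self.global_pools = {}   # nat_id -> outside address used for PAT
        self.xlate = {}          # (inside ip, inside port) -> (outside ip, outside port)
        self._next_port = 1024   # assumption of this model, not the PIX allocator

    def nat(self, nat_id, network, mask):
        """nat (inside) ID network mask: which inside hosts may be translated."""
        net = ipaddress.IPv4Network((network, mask), strict=False)
        self.nat_rules.append((nat_id, net))

    def global_interface(self, nat_id):
        """global (outside) ID interface: translate to the outside interface address."""
        self.global_pools[nat_id] = self.outside_ip

    def translate(self, src_ip, src_port):
        """Outbound packet from (src_ip, src_port); returns the mapped
        (outside ip, outside port) or None when no translation applies."""
        key = (src_ip, src_port)
        if key in self.xlate:
            return self.xlate[key]            # an existing translation is reused
        addr = ipaddress.IPv4Address(src_ip)
        for nat_id, net in self.nat_rules:    # first matching nat rule wins
            if addr in net:
                if nat_id not in self.global_pools:
                    return None               # nat ID without a matching global
                mapped = (self.global_pools[nat_id], self._next_port)
                self._next_port += 1
                self.xlate[key] = mapped
                return mapped
        return None                           # host covered by no nat rule

    def clear_xlate(self):
        """clear xlate: every translation is forgotten, so flows start over."""
        self.xlate.clear()


if __name__ == "__main__":
    fw = PixNat("23.42.53.24")
    fw.nat(1, "10.10.10.0", "255.255.255.0")
    fw.global_interface(1)
    fw.nat(3, "10.20.0.0", "255.255.0.0")   # ID 3 has no global, so no translation
    print(fw.translate("10.10.10.5", 40000))
    print(fw.translate("10.20.1.1", 5000))
```

Running it with nat (inside) 1 0.0.0.0 0.0.0.0 instead of the /24 shows why that form is convenient: every inside host then matches ID 1, which is exactly what the "all LAN subnets" command above does.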

As for DNS, the LAN machines need to be told which DNS servers to use. You can configure this statically on each machine, which usually goes together with a static IP address, or hand it out automatically, which usually means the machines get their IP address and DNS servers from DHCP.
How this is done varies with the operating system of the LAN machine (Windows, Mac, or Linux); in each case you set static or dynamic addressing in the machine's own network configuration.

Published by Winston Sahusilawane in the Cisco section: 03 June 2011