While going through the Packet Tracer labs on the Intense School site, I noticed that there was none that covered the basic router configurations using the CLI (Section 4.2 of the exam objectives) and so, we will be doing that in this lab.
Our lab setup for this article is very simple as shown below:
Two files are attached to this article:
basic_rtr_config_init.pkt: This Packet Tracer file contains the lab setup with only the devices and the necessary interface connections.
basic_rtr_config_final.pkt: This Packet Tracer file contains the lab fully configured to meet the tasks.
The tasks for this lab are as follows:
Configure the hostname of R1 as “RTR1” and R2 as “RTR2”. Also set the clocks on the devices to the current date and time.
Configure the link between R1 and R2 to be on the network 192.168.12.0/24. R1’s IP address should be 192.168.12.1 while R2’s should be 192.168.12.2.
Configure an enable password of “cisco123” on R1 and also a password of “cisco123” on the VTY lines. Ensure that the passwords are not stored in clear-text in the configuration.
Configure a username of “cisco” with a password of “cisco123” on R2. Ensure that this user can connect to R2 using SSH and is placed at a privilege level of 15. Configure another user “cisco2” on R2 with a password of “cisco2123”. This user should be placed at privilege level 2 when he connects via SSH.
Only SSH should be allowed as a remote management protocol on R2 and inactive sessions should be disconnected after 20 seconds.
When users open a remote management session (via Telnet) to R1, the following warning should be displayed at login: “AUTHORIZED PERSONNEL ONLY!”
Ensure that the devices do not lose their configuration even if they are restarted.
Note: Do not enable AAA for any of the tasks.
Task 1: Hostname and Clock
When you turn on a new Cisco IOS device and connect to it via the console, you may see the System Configuration Dialog shown below which can help you configure basic settings on the device:
I have not used this System Configuration Dialog in the real world and I’m not sure I know anyone who has so we just answer “no” and are presented with the router prompt (User EXEC mode). We can then go ahead to the privileged EXEC mode (using the enable command) to begin our configuration.
To set the clock on a Cisco router, we use the clock set command which is actually an EXEC level command (not global configuration mode). We configure a hostname using the hostname command. Therefore, the configuration on the routers is as follows:
! R1 hostname RTR1 end clock set 14:42:00 Oct 30 2015 ! ! R2 hostname RTR2 end clock set 14:42:00 Oct 30 2015
Note: This configuration assumes you are in global configuration mode.
When you change the hostname of a Cisco router, the change is immediate so the only thing we need to verify is our clock settings which can be done using the show clock command:
Task 2: Interface IP Address
IP addresses are configured per interface and by default, physical interfaces (e.g. Fa0/0, Gi0/0) are in the shutdown state so we need to bring them up using the no shutdown command. The configuration to meet this task on the devices is as follows:
! R1 interface FastEthernet0/0 ip address 192.168.12.1 255.255.255.0 no shutdown ! ! R2 interface FastEthernet0/0 ip address 192.168.12.2 255.255.255.0 no shutdown
One of the easiest ways to verify your interface settings is to use the show ip interface brief command because it gives a nice summary of the interfaces, their IP addresses and their link/protocol status:
Task 3: Enable and Line Password
From a security standpoint, configuring an enable password is not recommended because it is stored in clear text in the router’s configuration. Even if we use the service password-encryption command, the encryption algorithm offered by this command is so weak. However, since that is what the task asks for, let’s go ahead with the configuration:
enable password cisco123 line vty 0 4 password cisco123 ! service password-encryption
To confirm that the passwords are not stored in clear text (due to the service password-encryption command), we can view the running configuration:
Hint: To see how easy it is to crack this type of password, paste “0822455D0A16544541” in the ‘Type 7 Password’ field on this web page: http://www.ifm.net.nz/cookbooks/passwordcracker.html
Task 4: SSH Access
There are a couple of things to note if you want to use SSH to manage a Cisco device remotely:
You must enable SSH. SSH is enabled automatically when an RSA key pair is generated. To generate an RSA key pair, you must have configured a hostname and domain name on the Cisco router. You also need to generate an RSA key pair of at least 768 bits for SSHv2 to be enabled.
When SSH is enabled, a user will be authenticated with a username and a password (unlike Telnet that can use only a password). Therefore, you must configure the login local command under the VTY line or use AAA.
This task also requires that different users be placed at different privilege levels. Since we are using the local DB for authentication, we must configure the privilege levels for each username, so configuring the privilege level on the line will not work.
Therefore, the configuration on R2 is as follows:
ip domain-name example.com ! You need to enter the number of bits for the RSA key pair after the following command ! Normal IOS will let you enter it all in one command crypto key generate rsa ! username cisco privilege 15 password cisco123 username cisco2 privilege 2 password cisco2123 ! line vty 0 4 login local !
We can test this configuration by opening SSH connections to the router (from the router itself or you can use R1):
Task 5: Exec-timeout and Remote Access Protocol Restriction
We can restrict what protocol is allowed to be used to remotely manage a Cisco router by using the transport input line configuration command. Also, we can use the exec-timeout command to specify how long an inactive EXEC session should remain open before being terminated.
The configuration to achieve this task on R2 is as follows:
line vty 0 4 transport input ssh exec-timeout 0 20
To verify that only SSH is allowed, let’s try to open a Telnet connection to R2:
Note: On a real device, it will not say “Open” and then close. You will get “% Connection refused by remote host”.
To test the exec-timeout, login to R2 via SSH and just wait (don’t type anything) for 20 seconds; it should close the session.
Task 6: Banner
Banners can act like warning signs and may be helpful in legal prosecution. To configure a banner, you need to begin with a “delimiting character” and end with the same character. Therefore, you need to choose a character that will not appear in the body of your banner; good options include %, ^ and $.
banner login %AUTHORIZED PERSONNEL ONLY!%
To view this banner, we can open a telnet connection to R1:
Task 7: Save Your Configuration
One of the most important things you should remember to do is save the configuration you have made on your devices (and back them up). Imagine typing a semester paper in Microsoft Word and forgetting to save. *shivers*
There are a couple of ways to save like using the copy run start (short for copy running-config startup-config) or using the write memory command.
This brings us to the end of this lab where we have looked at the basics of configuring a Cisco router including setting hostnames, configuring IP addresses and enabling various remote access management features. I hope you have found this article insightful.
References and Further Reading
VIDEO: Basic Cisco Router Configuration: http://resources.intenseschool.com/video-basic-cisco-router-configuration/