Welcome to this series on the Cisco Configuration Professional (CCP) tool. It is aimed at those who are preparing for the CCNA Security certification exam, but it will also be helpful to others who want to know more about this tool. This article serves two purposes: it is a solution to a frequently asked challenge (FAC) on getting CCP running with GNS3, and it is also the introduction to the CCP series.

Lab Setup

The network diagram we will be using is shown below:


It is very similar to the setup we have for the GNS3 articles so, if you have not read those articles already, now would be a good time to do so (you can find the first one here). Our GNS3 topology looks something like what is shown below. The CCP_Host cloud has my laptop’s loopback interface configured because it makes it easy for me to change configuration without affecting my Internet access.

I have a base configuration on both routers as shown below:

hostname RTR1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 10
 network 10.0.0.0 0.0.0.255
 network 192.168.12.0
 network 1.1.1.1 0.0.0.0
 no auto-summary
!

hostname RTR2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 10
 network 192.168.12.0
 network 2.2.2.2 0.0.0.0
 no auto-summary
!

A look at the routing table of my laptop (route print) also shows that I have added the loopback routes pointing to the RTR1 interface:

To test connectivity, I will try to ping both routers from the host PC:

If you have any issues getting this connection to work, you should go back and read the two articles about GNS3 on this blog.

Preparing for Cisco Configuration Professional (CCP)

To allow configuration of our devices through the CCP tool, there are some things we need to do to get them ready. These configurations can be grouped under four subheadings, as discussed below:

Enable HTTP/HTTPS

We need to enable HTTP and HTTPS on our devices. Enabling HTTP alone is enough if you are not going to connect securely, as we will see in the CCP section, but for now we will just enable both of them on the routers.

ip http server
ip http secure-server

When you enable HTTPS, notice that an RSA key pair is automatically generated (if you didn’t have one before).

Configure a username with privilege level of 15

The next thing we need to do is to configure a username/secret combination to be used by CCP for managing these devices. Remember to assign a privilege level of 15 to this username.

username ccp privilege 15 secret cisco123

Enable HTTP authentication using the local database

This is where we instruct the router to use its local database (with the username configured above) for HTTP(S) authentication:

ip http authentication local

Enable local database authentication for the VTY lines

This step is similar to the one above: we need to enable local database authentication on the VTY lines so that CCP can use the username we configured in step 2 when it connects over Telnet or SSH:

line vty 0 4
 login local

All these steps will make more sense when we see the CCP tool’s interface.
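As an added example (not part of the original article and not Cisco code), the following Python sketch audits a saved "show running-config" for the four preparation steps above and flags the unencrypted management paths. The function names are hypothetical, the sample config is constructed from this article's commands, and the "transport input ssh" check is an addition that the article itself does not configure.

```python
import re

# Constructed input: the article's RTR1 preparation commands, laid out the way
# "show running-config" prints them (sub-commands indented by one space).
SAMPLE_CONFIG = """\
hostname RTR1
!
username ccp privilege 15 secret cisco123
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 login local
!
"""

def vty_blocks(config):
    """Map each 'line vty ...' header to the sub-commands indented under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return blocks

def audit_ccp_readiness(config):
    """Check the four preparation steps and flag cleartext management paths."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    vty = vty_blocks(config)
    http, https = "ip http server" in top, "ip http secure-server" in top
    steps = {
        "1 HTTP/HTTPS enabled": http or https,
        "2 privilege 15 user": bool(re.search(
            r"^username \S+ privilege 15 (secret|password) ", config, re.M)),
        "3 HTTP auth local": "ip http authentication local" in top,
        # Every VTY block must use the local database, not just the first one.
        "4 VTY login local": bool(vty) and all("login local" in c for c in vty.values()),
    }
    warnings = []
    if http:
        warnings.append("ip http server enabled: management over unencrypted HTTP")
    if not (vty and all("transport input ssh" in c for c in vty.values())):
        warnings.append("VTY lines not restricted with 'transport input ssh'")
    return {"missing": [s for s, ok in steps.items() if not ok],
            "https_enabled": https, "warnings": warnings}

if __name__ == "__main__":
    print(audit_ccp_readiness(SAMPLE_CONFIG))
```

Run against the lab configuration, it reports no missing steps and two warnings, which matches the article's choice to enable both HTTP and HTTPS and leave the VTY transport at its default.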

Cisco Configuration Professional

You can download the CCP tool from the Cisco site. Although it is free, you will need a valid CCO account to be able to download the tool. I will be installing version 2.7 and I will be doing a fresh installation. The installation is fairly straightforward, just a couple of “Next” buttons.

After the installation is done, you can open the CCP tool from the “Programs” menu. Remember to Run As Administrator, or you may get stuck on the splash screen below:

There are several issues you may run into when trying to run CCP on your system. The one I encountered is that it was only showing in the top quarter of my browser window.

To resolve this issue, hit the ALT key (if this does not work, close the browser completely and open a fresh Internet Explorer browser). Go to the “Tools” menu and select “Compatibility View Settings,” as shown below:

Add “127.0.0.1” to the list and then launch the CCP tool again.

You should now see something like this:

By default, the “Select/Manage Community” screen also shows up when CCP starts up. This allows us to configure communities (a community is just a group of devices with similar features, such as physical location, device type, etc.; it is up to you how you want to define your communities). Devices are added to communities and you specify the username/password combination to connect to them.

We will create a new community called CCNA CCP and add our two routers there. Notice that there is a “Connect Securely” checkbox—this is where the steps we took above begin to come together. CCP can manage devices using HTTP and Telnet (non-secure) or HTTPS and SSH (secure). We can see this difference below:

Without “Connect Securely” checked, we have HTTP (80) and Telnet (23). Also notice that these port numbers are configurable, in case you are doing port redirection or something.

The last thing I want us to notice on this screen is the “Discover all devices” checkbox at the bottom left corner. If we don’t check this box, we will only be adding devices to the CCP but it will not attempt to discover these devices. Without discovering devices, we cannot configure or monitor them.

I will check the box and let it attempt to discover those devices. When I hit the OK button, this is the screen I’m presented with:

As you can see, CCP is now trying to discover those devices and, since you are probably going to be using a self-signed certificate, you will get a “Security Certificate Alert” dialog box asking you whether you want to trust the certificate presented by the device. The dialog will be similar to the one we show below:

You can just go ahead and click “Yes,” or view the certificate first if you want to compare it with the one you have on your router. At the end of the discovery, you could have several messages such as “Discovered,” “Discovered with warnings,” or “Discovery failed.”

Notice that my RTR1 was discovered (with warnings) but my RTR2 failed its discovery. In the next article, we will see why that router’s discovery process failed. For now, let’s check the warnings issued for RTR1. Use the “Discovery Details” button at the bottom of the page.

As you can see, it gives us information about the IOS version and hardware platform (3725 in my case) and then goes on to say that the hardware platform is not supported by Cisco CP, so some functionality may not work as expected. That’s fine because all we will be doing will work as expected.

Summary

Whew, let’s stop here for now. This is already long enough. We have been able to prove that, even in the midst of so many things that could possibly go wrong, it is possible to connect the CCP tool to GNS3 devices. We saw the four basic steps we needed to perform on any device that will be configured and monitored through the CCP tool and we also resolved an issue with the view in Internet Explorer along the way.

In the next article, we will take a tour of the CCP tool and also troubleshoot the problem of RTR2 not being discovered, and other related issues. I hope you have found this article helpful and I look forward to presenting the next article in this series.
