Lab files for this chapter can be found at: https://packt.link/CCNArepoCh02

Cisco enterprise devices, such as their routers and switches, have a networking operating system known as the Cisco Internetwork Operating System (IOS). Cisco IOS enables network professionals to easily manage and control the hardware components within Cisco IOS devices. Furthermore, Cisco IOS also provides the necessary software features to support a wide range of network functionalities, including routing, switching, and security. However, unlike most network operating systems and firmware that provide the user with a graphical user interface (GUI), Cisco IOS provides command-line interface (CLI) access only.

Additionally, the Cisco routers and switches have similar hardware components to computers, such as the following:

• Processor: A central processing unit (CPU) to execute network operations on the device
• Memory: Has limited random access memory (RAM) to temporarily store data and configurations while awaiting instructions from the CPU
• Storage: Uses either external or integrated flash memory
• Network adapters: Different models of routers and switches have various port densities (support for a number of ports)
• Power supply unit (PSU): The PSU is usually integrated into the motherboard of the device and is responsible for converting alternating current (AC) to direct current (DC)
• Motherboard: The motherboard interconnects all hardware components of the device and enables Cisco IOS to operate the hardware

Note

Cisco IOS is stored in flash memory. Using the show flash command will show all the contents in flash.

System administrators are required to understand each phase of the boot process of computers and servers, as this information is useful when troubleshooting any issues that may prevent the operating systems from loading properly. Similarly, both aspiring and seasoned network professionals are required to understand the boot process of Cisco IOS devices.

The following is the boot process of a Cisco IOS device:

1. Power-on self-test (POST): POST performs a check on all the hardware components to ensure they’re all functioning correctly.
2. Bootstrap: Bootstrap is a simple application that’s stored in read-only memory (ROM) that turns on the hardware components and locates Cisco IOS.
3. Locating and loading Cisco IOS: The bootstrap checks the following locations for Cisco IOS in the following sequential order:
   1. Flash memory (default location for Cisco IOS) – once Cisco IOS is found, it’s loaded into RAM.
   2. Trivial File Transfer Protocol (TFTP) server – once Cisco IOS is found on a remote TFTP server, the Cisco device downloads it and runs it in RAM.
   3. If Cisco IOS is not found in flash memory or the TFTP server, then the bootstrap loads a scaled-down version of Cisco IOS into RAM, which provides the network professional with the capability to reload a full version of Cisco IOS into flash memory.
4. Providing the bootstrap locates Cisco IOS either in flash memory or on the TFTP server, it loads it into RAM.
5. Loading configurations: Once the full version of Cisco IOS is loaded into RAM, the device checks for the startup-config file that is stored in non-volatile RAM (NVRAM) and loads it into running-config in RAM.
6. If the startup-config file is not found, the device will enter the setup mode, which prompts the user to configure the device.
7. Initializing services and operations: Once Cisco IOS and the configuration files are loaded, the device will start various services and enable interfaces for operation.

Through these steps, you have learned how a Cisco IOS device boots into the operating system and loads its configurations into RAM.

Note

When configuring Cisco IOS, the configurations are stored within the running-config file in RAM. Since RAM is volatile and loses its contents when the device is powered off, it’s important to save the configurations in the startup-config files that are located in NVRAM. However, saving running-config in startup-config is a manual process, which you will learn about in a later section of this chapter.

Figure 2.1 shows the boot process of a Cisco IOS device:

Figure 2.1: Boot process

Cisco IOS Modes and Levels of Access

Cisco IOS is a full-fledged network operating system that enables network professionals to control the hardware and other components of a Cisco device. In addition, Cisco IOS provides advanced security features to help network professionals improve their network security and prevent unauthorized access to Cisco routers and switches.

Cisco IOS has many modes or levels of access and each of these enables network professionals to execute specific commands. These levels of access/modes are as follows:

• User Exec: Upon accessing a Cisco device, Cisco IOS places the network professional into this mode. This mode has very limited capabilities and access to the device. With this mode, the network professional can execute commands such as ping and traceroute to troubleshoot connectivity issues.
• User Exec mode can be easily identified by the > prompt, as shown here:

  Router>

• Privilege Exec: This mode provides higher privileges and enables the network professional to view the device’s configurations and access the global configuration mode of Cisco IOS.
• The Privilege Exec mode can be easily identified by the # prompt, as shown here:

  Router#

• Global Configuration: This mode enables network professionals to apply configurations and changes to the entire device and access interface, line, and router modes.
• The Global Configuration mode can be easily identified by the (config)# prompt, as shown here:

  Router(config)#

• Interface mode: Interface mode enables network professionals to apply configurations on specific interfaces of the device, such as configuring the IP address and subnet mask on the interface.
• Interface mode is easily identified by the (config-if)# prompt, as shown here:

  Router(config-if)#

• Line mode: This mode enables network professionals to apply configurations on the console port and the Virtual Teletype (VTY) lines for remote access.
• Line mode is easily identified by the (config-line)# prompt, as shown here:

  Router(config-line)#

Figure 2.2 shows the various levels of access or modes of Cisco IOS:

Figure 2.2: Cisco IOS modes

As shown in Figure 2.2, network professionals usually gain access to the User Exec mode via the console port or remote access through a VTY line using Secure Shell (SSH) or Telnet.

Note

SSH is a secure remote access protocol that enables network protocols to securely connect to a remote device over the network and obtain terminal access. By default, SSH encrypts the data between the SSH client on the network professional’s computer and the SSH service that’s running on the remote network device. Telnet is an unsecured remote access protocol that provides terminal access to networking devices. However, Telnet does not encrypt the data between the user and the Telnet service on the network device.

The following are examples of some common Cisco IOS commands for getting started with configuring a Cisco IOS device and moving around the different modes, such as User Exec, Privilege Exec, and even Global Configuration mode:

1. To elevate or move from User Exec to Privilege Exec, use the enable command and hit Enter, as shown here:

   Router> enable

2. To move from Privilege Exec to Global Configuration mode, use the configure terminal command and hit Enter, as shown here:

   Router# configure terminal

3. While in Global Configuration mode, to access an interface, set an IP address and subnet mask, and enable the interface, use the commands shown here:

   Router(config)# interface gigabitEthernet 0/1
   Router(config-if)# ip address 192.168.1.1 255.255.255.0
   Router(config-if)# no shutdown
   Router(config-if)# exit

Note

The exit command will return you to the previous mode. Therefore, if you’re in Interface mode, you will return to Global Configuration mode. After typing a command, hit Enter on the keyboard to execute the command within Cisco IOS.

4. If you’re in Global Configuration mode, use the exit command to return to Privilege Exec mode, as shown here:

   Router(config)# exit

5. Once you’re in Privilege Exec mode, use the disable command to return to User Exec mode, as shown here:

   Router# disable

6. To save running-config into startup-config, use the following command:

   Router# copy running-config startup-config

The following shows an example of using all the commands in the preceding steps:

Router> enable
Router# configure terminal
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# exit
Router# copy running-config startup-config
Router# disable
Router>

Note

If you are in Router, Interface, or Line mode, using the exit command will return you to Privilege Exec mode.

Having completed this section, you have learned about the boot process of Cisco IOS devices and the fundamentals of navigating between various modes of Cisco IOS. Next, you will learn how to perform initial device access on a new Cisco IOS router or switch.

Unlike computers and smartphones, networking devices do not support video output, which makes it necessary for network professionals to use alternative methods, such as remote access, to interact with Cisco IOS for administration and troubleshooting. Whenever you purchase a new Cisco IOS device, you will find a special blue cable within the box, known as a console cable. The console cable enables network professionals to gain initial access to Cisco IOS from a computer using a terminal emulator application.

Figure 2.3 shows a Cisco console cable:

Figure 2.3: Cisco console cable

As shown in the preceding figure, there’s an RS-232 connector that connects to a serial interface (DB-9) on a computer. However, modern computers and laptops no longer have a DB-9 interface to support the RS-232 connector. Therefore, network professionals may need to acquire an RS-232-to-USB converter cable to bridge the connection.

Figure 2.4 shows an RS-232-to-USB converter cable:

Figure 2.4: RS-232 converter cable

Additionally, the RJ45 connector on the console cable connects to the console port of a Cisco IOS device, as shown:

Figure 2.5: Console port

The console port of a Cisco IOS device will always be labeled to help network professionals easily identify the interface.

Note

Keep in mind that you will need to use a console cable to gain initial access to a device that has not been configured for remote access and management.

Upon making the connection between the PC and the Cisco IOS device using the console cable, a serial connection is created between the PC and the device via the RS-232-to-USB cable. To access the CLI of Cisco IOS, a terminal emulation application is required.

The following are some common terminal emulation applications:

• PuTTY (free): https://www.putty.org/
• SecureCRT (paid): https://www.vandyke.com/products/securecrt/

To access the CLI, please take the following steps:

1. Connect the console cable to your laptop and the Cisco IOS device.
2. If you’re using Microsoft Windows, open Control Panel and click on Device Manager.
3. Expand the Port (COM & LPT) category to view which COM interface is assigned to the cable.
4. Figure 2.6 shows COM3 is being utilized on the computer:

Figure 2.6: Device Manager on Windows

Note

If the serial connection does not appear, ensure the latest drivers are installed for the cable on your computer. Additionally, the COM port number may be different when the cable is connected to your computer.

5. Next, download PuTTY on your computer and launch the application. Once PuTTY opens, use the following settings:
   • Connection type: Serial
   • Serial line: COM3 (change this accordingly)
   • Speed: 9600
   • Data bits: 8
   • Parity: None
   • Stop bit: 1
   • Flow control: None

Note

PuTTY can be downloaded via the Microsoft Store application on Microsoft Windows operating systems.

6. Figure 2.7 shows the PuTTY Configuration window:

Figure 2.7: PuTTY on Windows

7. Next, click on Open to establish the serial connection from PuTTY through the console cable to Cisco IOS.
8. Figure 2.8 shows the typical welcome screen when connecting to Cisco IOS:

Figure 2.8: CLI of a Cisco IOS router

Now that you have learned how to access a Cisco IOS device using the console cable, take a look at acquiring the Cisco Packet Tracer application, a network simulator built by Cisco for learning for the Cisco Certified Network Associate (CCNA) certification.

Learning about networking can be a lot of fun and leveraging your imagination enables you to design, configure, and troubleshoot complex network architectures. However, as an aspiring network professional and candidate for the CCNA certification, it is important to gain a lot of practical, hands-on experience in implementing and administering Cisco devices. This means that everything you learn, in theory, should be applied to a practical lab to help you gain a solid understanding of the topic.

To assist with creating a lab environment, Cisco has created a very powerful network simulator application for students who are pursuing the CCNA certification. It is called Packet Tracer and it is available to anyone for free. The Cisco Packet Tracer application helps students design, configure, and troubleshoot real-world Cisco architectures without the need to acquire expensive physical devices. Most importantly, the Cisco Packet Tracer commands used on devices within the application can be easily copied and pasted into real Cisco devices.

Lab: Getting the Cisco Packet Tracer Application

To get your hands on the Cisco Packet Tracer application, please follow the given steps:

1. On your host computer, go to https://www.netacad.com/courses/getting-started-cisco-packet-tracer and click on the Get Started With Self-Paced button, as shown in Figure 2.9:

Figure 2.9: Packet Tracer course

2. Next, click on the Sign up link to register for a free user account on the platform, as shown in Figure 2.10:
   

Figure 2.10: Login portal

3. Complete the sign-up form to create a new account.
4. Once the account is created, the Terms and Conditions window will appear. Ensure you read and accept them to proceed to the next step.
5. On the Course Outline tab, click on 1.0.3 Download Cisco Packet Tracer to access the download link for the Cisco Packet Tracer application, as shown in Figure 2.11:

Figure 2.11: Course platform

Note

I strongly suggest that you complete the Getting Started with Cisco Packet Tracer course at step 5 before proceeding further. The course will help you become familiar with the user interface to ensure you can find your way around the application.

6. Alternatively, you can go to https://www.netacad.com/resources/lab-downloads to download the version of Packet Tracer that’s compatible with your computer’s operating system, as shown in Figure 2.12:

Figure 2.12: Locating Cisco Packet Tracer

Note

For the exercises throughout this book, I’ll be using Packet Tracer 8.2.2 Windows 64bit.

7. After downloading Packet Tracer, ensure you have installed it on your computer.
8. After the installation is complete, launch the application and it will prompt you to log in. Select the Cisco Skills For All option, as shown in Figure 2.13:

Figure 2.13: Sign-in portal

9. Enter your newly created user credentials to authenticate yourself to the Packet Tracer application and unlock its features. Once you’ve logged in to the Packet Tracer application, its user interface will load, as shown in Figure 2.14:

Figure 2.14: Cisco Packet Tracer

Now that you have completed this exercise and have acquired a copy of the Cisco Packet Tracer application, you will learn how to use the Packet Tracer interface.

Lab: Understanding the Cisco Packet Tracer Interface

Now that you have installed Packet Tracer on your PC, the following instructions will help you become a bit more familiar with the user interface and locate items easily:

1. Launch the Packet Tracer application as shown in Figure 2.15:

Figure 2.15: Cisco Packet Tracer user interface

2. The bottom toolbar contains all the network devices and components. The upper row represents various categories of networking devices and components, such as Networking Devices, End Devices, Components, Connections, Miscellaneous, and Multiuser Connection, as shown in Figure 2.16:
   

Figure 2.16: Cisco Packet Tracer device categories

Note

Hovering the mouse cursor over each icon shows you the name of the category or component.

3. Select the Networking Devices category to display the sub-category on the lower row, as shown in Figure 2.17:
   

Figure 2.17: Device sub-categories

4. As shown in the preceding screenshot, the sub-categories display various components, such as routers, switches, hubs, wireless devices, security, and WAN emulation.
5. Select Routers within the sub-categories to display various models of Cisco routers that are integrated into the Packet Tracer application, as shown in Figure 2.18:
   

Figure 2.18: Network devices in Cisco Packet Tracer

6. To place a device in the logical space, click on the 2911 router and drag it anywhere within the space.
7. Select the End Devices category, click on PC0, and drag it onto the logical space, as shown in Figure 2.19:

Figure 2.19: PC and router within Cisco Packet Tracer

8. Click on the Connections category, select the Console cable, then click on PC0 and attach it to the RS-232 port. To connect the other end of the cable, click on the 2911 router and select the Console port, as shown in Figure 2.20:

Figure 2.20: PC to router using a console cable

9. When a cable is selected and you click on a device, a list of available ports will appear. Then, clicking on a port will logically connect the cable to the selected port.

Note

If you’re having difficulties setting up the lab, you can download the pre-built lab file from https://packt.link/CCNArepoCh02 and select the Lab 1 - Accessing the Cisco IOS CLI.pkt file to download and open it with Packet Tracer on your computer.

10. To access the CLI of Cisco IOS on the router, click on PC0 and select Desktop | Terminal, as shown in Figure 2.21:

Figure 2.21: Terminal within Cisco Packet Tracer

11. When the Terminal application opens, click on OK to access the CLI on the router, as shown in Figure 2.22:

Figure 2.22: Terminal settings

12. You will notice Cisco IOS is decompressed and loaded into RAM. When a router is powered on without a startup-config file, it will prompt the user with the following question:

    Would you like to enter the initial configuration dialog? [yes/no]:

13. Type no and hit Enter twice to continue, as shown in Figure 2.23:

Figure 2.23: CLI of a Cisco IOS device

14. Typing yes will enable the initial configuration dialog; however, this option is not recommended for an aspiring network engineer pursuing the CCNA certification. Hence, always type no and hit Enter to access the User Exec mode.

Now that you have learned how to access a new Cisco IOS device using the console cable, next, you will learn how to set up a small Cisco network and test end-to-end connectivity.

When building a network, it is always recommended to start with a network diagram called a network topology. A topology is used to show the logical and physical connections between devices on a network, as well as basic IP addressing assignments.

Figure 2.24 shows the first lab topology:

Figure 2.24: Lab topology

As you can see, there are two networks: 192.168.1.0/24 and 172.16.1.0/24. These are interconnected using a Cisco 2911 model router. Each of these networks has a Cisco 2960 model switch to allow the PC and server to interface with the network.

Table 2.1 shows the IP addressing scheme for each device in the lab topology:

Table 2.1: IP addressing table

If you are up for the challenge, you can choose to build this lab topology within Cisco Packet Tracer or download a pre-built file by taking the following steps:

1. Go to https://packt.link/CCNArepoCh02
2. Download the Lab 2 - Configuring Cisco IOS Devices.pkt file and open it with Cisco Packet Tracer on your computer to follow along.
3. Figure 2.25 shows the contents of the file when it is opened using Cisco Packet Tracer:

Figure 2.25: Lab file

Note

To display the interface labels in Packet Tracer, click on Options | Preferences, then select the Interface tab and check Always Show Port Labels in Logical Workspace.

Once you have opened the Lab 2 - Configuring Cisco IOS Devices.pkt file using Cisco Packet Tracer on your computer, you can proceed to the next steps.

Task 1: Navigating Cisco IOS

Understanding how to interact with Cisco IOS is essential for performing various configuration and management tasks. In this task, you will become familiar with the basics of navigating Cisco IOS:

1. You can start with the Cisco router. Click on the Router icon and select the CLI tab, as shown in Figure 2.26:

Figure 2.26: Router CLI

Note

In a real-world scenario, you’ll need to connect the console cable between your computer and the console port of the router. Then, use a terminal emulator application such as PuTTY or SecureCRT to access the CLI of the Cisco router running Cisco IOS.

2. Since the bootstrap on the router did not find a startup-config file within NVRAM, the following prompt appears:

   --- System Configuration Dialog ---
   Would you like to enter the initial configuration dialog? [yes/no]:

3. Type no and hit Enter twice to access User Exec mode, as shown in Figure 2.27:

Figure 2.27: Router CLI

4. Now, you should be in the User Exec mode (>). To access Privilege Exec mode, use the enable command, as shown here:

   Router> enable

5. As shown in Figure 2.28, the prompt has changed from > to #, which indicates you are no longer in User Exec mode and are now in Privilege Exec mode:

Figure 2.28: Elevating to Privilege Exec mode

6. To move from Privilege Exec to User Exec mode, use the disable command:

   Router# disable

7. As shown in Figure 2.29, the prompt has changed from # to >, which now indicates that you are back in User Exec mode:

Figure 2.29: Moving to User Exec mode

Note

Cisco IOS is able to temporarily store the last 15 commands executed on the device. Using the up and down keys on your keyboard, you can cycle through recently used commands for each mode. Therefore, if you are in Privilege Exec mode, you will only see the most recent commands used in that mode.

8. Cisco IOS allows network professionals to enter the shorthand version of a command provided Cisco IOS is able to recognize most parts of the command itself. While in User Exec mode, type en and hit Enter:

Router> en

9. As shown in Figure 2.30, Cisco IOS automatically recognizes the enable command and executes it:

Figure 2.30: Shorthand commands

Note

If Cisco IOS is unable to recognize a shorthand command, it will provide an error message such as % Ambiguous command: " e".

10. Cisco IOS supports context-sensitive help and a command syntax checker feature for verifying the accuracy of a command entered by a user.
11. If you want to determine all the commands that begin with sh, then type sh? as shown here:

Router# sh?

12. As shown in Figure 2.31, Cisco IOS returns the show command:

Figure 2.31: Using the context-sensitive help

13. Additionally, if you want to view a list of commands that are supported by show, use the show ? command, shown in Figure 2.32:

Figure 2.32: Using the context-sensitive help

14. As shown in Figure 2.32, the left column shows the various commands to append after the show command, such as show clock, while the right column shows their descriptions.

Note

When Cisco IOS displays multiple lines, it temporarily breaks by indicating a --More-- syntax at the end of a page. Using the Enter key on your keyboard will display an additional line of output, while the spacebar will display another page of output on your screen.

Cisco IOS is filled with a lot of commands that enable you to perform many tasks, such as routing, switching, and security. However, you do not need to learn about every command, only those that are applicable to the CCNA certification.

Now that you have a better idea of how to navigate Cisco IOS, you can dive into configuring your small network topology.

Task 2: Checking the IOS Version

As an aspiring network professional, it is important to identify the current IOS version on your Cisco device. By identifying the IOS version, you will be able to determine whether there is a newer version of the operating system and whether there are security vulnerabilities and bugs, as well as getting help with asset management.

Use show version on the Cisco IOS router to view the device’s operating system, hardware components, and system uptime, as shown in Figure 2.33:

Figure 2.33: The show version command

Figure 2.33 shows the following:

• The version of Cisco IOS as 15.1(4)M4.
• The system uptime since the last boot. This helps network professionals determine whether the device lost power, triggering a network outage.
• The location and filename of Cisco IOS on the device.

Task 3: Best Practices for Securing Devices

By default, anyone with physical access can use a console cable that is connected to their computer and the console port of a Cisco IOS device to access the User Exec mode of the device.

Securing the Console Port

To password-protect and enable authentication on the console port, use the following commands on the router:

Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password mySecurePassword
Router(config-line)# login
Router(config-line)# exec-timeout 5 0
Router(config-line)# exit

If you are already in Privilege Exec mode, you can simply start with line #2 and move from there. The following is a description of each line of the command:

• The enable command allows elevation to Privilege Exec mode
• The configure terminal command allows elevation to Global Configuration mode.
• The line console 0 command enters the console line mode
• The password [your_password] command allows you to set a password

Note

The password command sets your password in plaintext within the configuration files. It’s not recommended to use this command unless there’s no other choice. The secret command automatically encrypts your password and stores the encrypted version, but the secret command is not available in Line mode.

• The login command enables authentication on the console line and, therefore, prompts the user to enter a password that’s set within the Line mode. In this scenario, the user will be required to enter MySecurePassword to access Cisco IOS via the console port.
• The exec-timeout [minutes] [seconds] command specifies the exec-timeout period to automatically terminate an idle session on the console line.
• The exit command is used to exit the line mode and return to the Global Configuration mode.

Figure 2.34 shows the execution of the preceding commands on the router:

Figure 2.34: Securing the console port

Note

To remove the password from the line console mode, use the no password command.

Securing the Privilege Exec Mode

By default, users move from User Exec to Privilege Exec mode without restrictions. To secure administrative access to the Privilege Exec mode, use the following instructions:

1. To restrict unauthorized access in the Privilege Exec mode, use the enable password [your_password] command within Global Configuration mode, as shown here:

   Router(config)# enable password myNotSecurePassword

Note

The enable password command does not encrypt the actual password when it is stored in the running-config or startup-config file.

2. Figure 2.35 shows how the preceding command sets the password and shows how the user will be prompted to enter the correct credentials to access Privilege Exec mode:

Figure 2.35: Using the enable password command

3. As shown in Figure 2.35, when prompted to enter the password to access Privilege Exec mode, it is invisible as you type it for security reasons.
4. Figure 2.36 shows the contents of the running-config file and displays enable password in plaintext:
   

Figure 2.36: Plaintext password

5. However, it is highly recommended to use the enable secret [your_password] command to set an encrypted password, which is more secure, by using the following commands:

   Router(config)# enable secret myEncryptedPassword

6. Figure 2.37 shows the execution of the preceding command and verifies the enable secret command stores the encrypted form of the password in the running-config file:
   

Figure 2.37: Plaintext password

7. As shown in Figure 2.37, both the enable secret and enable password passwords are stored in the running-config file. However, if both exist on a Cisco IOS device, enable secret will take precedence when the user is moving from User Exec to Privilege Exec mode. This means enable password will no longer be enforced when the enable secret password is set.
8. It’s recommended to remove the less secure password from the configurations by using the following command:

   Router(config)# no enable password

9. Figure 2.38 shows the execution of the preceding command and verifies that enable password is no longer saved within the running-config file on the router:
   

Figure 2.38: Removing enable password

As shown in Figure 2.38, the encrypted form of the password is stored in the running-config file on the router.

Task 4: Changing the Hostname and Setting a Banner

One of the very first tasks when provisioning a new router, switch, access point, or even a firewall is changing the default hostname of the device. Each device on your network should have a unique hostname. Many organizations usually implement a naming convention that’s used for assigning hostnames to systems and devices on the network.

Displaying a legal banner whenever someone logs in to your network device is highly recommended. Such notifications can be used as an official legal warning to anyone who is either attempting to gain or has gained unauthorized access to the device.

Setting a Hostname

Hostnames help network professionals to easily identify and manage their network devices. When a network professional remotely connects to a device, the hostname quickly helps the user recognize and determine whether they have connected to the right device, especially if there are multiple devices in a large network architecture.

The following are general guidelines when configuring a hostname on a Cisco IOS device:

• The hostname should not have any spaces. For instance, BLD RTR 01 is not acceptable. However, using the underscore (_) or period (.) character to represent a space is acceptable – BLD_RTR_01.
• Hostnames should not be more than 64 characters in length.
• It’s recommended that hostnames begin with a letter and not a number.
• Hostnames can end with either a letter or a number.

To change the hostname of the router from the Global Configuration mode, use the following commands:

Router(config)# hostname TT-RTR-01

As shown in Figure 2.39, the hostname of the router changed immediately after executing the hostname command:

Figure 2.39: Changing the hostname

If you need to reset the hostname of a device to the default, use the no hostname command within the Global Configuration mode of the Cisco IOS device.

Setting a Banner

To set a banner on the Cisco IOS device, use the banner command. There are different banners, such as the message of the day (MOTD) banner, the login banner, and the Exec banner.

To set the MOTD banner from Global Configuration mode, use the following command on the router:

TT-RTR-01(config)# banner motd #Unauthorized Access is Prohitbited.#

The following is a breakdown of the preceding command:

• The banner motd command sets the message of the day that will be shown to anyone who administratively attempts to access Cisco IOS on the router.
• The # character represents an opening and closing delimiter with the message enclosed between them. A delimiter can be #, $, @, !, %, or &. Delimiters work in pairs. If you use $ as the opening delimiter, you should use the same as the closing delimiter.

Figure 2.40 shows the banner that appears during a console connection:

Figure 2.40: Displaying the banner

Legal statements in banners should be crafted by the legal team of an organization and placed on company-owned devices to notify unauthorized users about the consequences of unauthorized access.

Task 5: Configuring IP Addresses

Before configuring IP addresses on a router’s interfaces, it is essential to verify which interfaces are available and which ones are in use. Privilege Exec mode enables you to run your show commands to verify the device’s operating status, hardware components, and configurations.

The show ip interface brief command displays a summary of all interfaces on the router, as shown in Figure 2.41:

Figure 2.41: Summary of interfaces

The following provides a description of each column of the output in Figure 2.41:

• Interface: Specifies the interface type (Ethernet, FastEthernet, or GigabitEthernet) and the interface ID.
• IP-Address: Specifies whether an IP address is assigned to an interface.
• OK?: Validates whether the assigned IP address on the interface is valid. If the address is valid, it will show YES. If there’s an issue with the address, it will show NO.
• Method: Tells you how the IP address was assigned to the interface. The following are the different methods indicated by Cisco IOS:
  • manual: The IP address was manually configured on the interface
  • DHCP: The interface was automatically assigned the IP address from a DHCP server on the network
  • unset: No IP address was assigned on the interface
• Status: Specifies the line protocol status of the interface. The following are the different status types indicated by Cisco IOS:
  • up: The interface is administratively up and in operation
  • down: The interface is administratively down
  • administratively down: The interface is manually shut down by a network professional using the shutdown command within Interface mode
• Protocol: Verifies the status of the IP protocol on the interface. The following are the different protocol statuses that are indicated by Cisco IOS:
  • up: The IP protocol on the interface is running
  • down: The IP protocol is not running due to a misconfiguration on the interface or other issues

To configure an IP address, subnet mask, and description on a router’s interface, use the following instructions:

1. From the Global Configuration mode, use the following commands to configure the GigabitEthernet0/1 interface of the router with a description and IP address with a subnet mask, and administratively enable the interface:

   TT-RTR-01(config)# interface gigabitEthernet 0/1
   TT-RTR-01(config-if)# description connected to LAN_1
   TT-RTR-01(config-if)# ip address 192.168.1.1 255.255.255.0
   TT-RTR-01(config-if)# no shutdown
   TT-RTR-01(config-if)# exit

2. Next, from the Global Configuration mode, use the following commands to configure the GigabitEthernet0/2 interface of the router:

   TT-RTR-01(config)# interface gigabitEthernet 0/2
   TT-RTR-01(config-if)# description connected to LAN_2
   TT-RTR-01(config-if)# ip address 172.16.1.1 255.255.255.0
   TT-RTR-01(config-if)# no shutdown
   TT-RTR-01(config-if)# exit

3. Then, use the show ip interface brief command to view the status changes of the interfaces, as shown in Figure 2.42:

Figure 2.42: Summary of interfaces

4. The following are additional commands to verify the status and configurations of an interface:
   • show interfaces: Displays all information about all interfaces
   • show interfaces gigabitEthernet 0/1: Displays all information about a specific interface
   • show interfaces status: Displays a summary of interfaces and their duplex, speed, and VLAN status
   • show running-config: Displays the configurations on the interfaces
5. Next, use the show running-config command to display the configurations that were applied on each interface of the router, as shown in Figure 2.43:

Figure 2.43: Interface configurations

6. As shown in the preceding screenshot, each interface contains the default configurations for both the duplex and speed modes – both are set to automatic mode.

Task 6: Setting up Secure Remote Access

Remote access enables network professionals to remotely monitor, manage, and troubleshoot devices. There are two common remote access protocols that are supported on Cisco IOS devices:

• Telnet: An unsecured protocol that transmits data in plaintext and operates on port 23 by default
• SSH: A secure protocol that establishes a secure communication channel and operates on port 22 by default

Both Telnet and SSH allow you to remotely access a device via a terminal, allowing you to gain shell access. However, Telnet is an unsecured method to remotely access and manage a device as traffic can be seen in plaintext. SSH is the recommended method for remote access. All SSH traffic is encrypted by default. If a hacker is intercepting SSH traffic over a network, the attacker will not be able to see the actual contents of the traffic flowing between the SSH client and the SSH server.

Setting Up Telnet

To configure Telnet on the router from Global Configuration mode, use the following commands:

TT-RTR-01(config)# line vty 0 4
TT-RTR-01(config-line)# password myTelnetPassword
TT-RTR-01(config-line)# exec-timeout 10 0
TT-RTR-01(config-line)# login
TT-RTR-01(config-line)# exit

The following are descriptions of the preceding commands:

• line vty 0 4: The command will be applied to the VTY lines 0 to 4, which are used for remote access
• password myTelnetPassword: Sets the Telnet password for the VTY lines 0 to 4
• login: Enables password-checking and prompts the user to enter the Telnet password
• exec-timeout 10 0: Sets an exec inactivity timeout of 10 minutes and 0 seconds

However, to disable Telnet and prevent any incoming Telnet connections to the router, use the following commands from Global Configuration mode:

TT-RTR-01(config)# line vty 0 4
TT-RTR-01(config-line)# transport input ssh
TT-RTR-01(config-line)# no password
TT-RTR-01(config-line)# exit

The following are descriptions of the preceding commands:

• line vty 0 4: The commands will be applied to the VTY lines 0 to 4, which are used for remote access
• transport input ssh: Ensures the router accepts incoming SSH connections only
• No password: The password that’s set in Line mode is applicable to Telnet connections

By disabling Telnet and configuring SSH, any password that is configured under Line mode will no longer be applicable as users are prompted to enter a valid username and password combination during the SSH authentication process to the Cisco IOS router.

Configuring SSH

To configure SSH on the router from Global Configuration mode, follow the given instructions:

1. Change the default hostname of the device. This was completed during Task 4 already.
2. Configure an enable secret password. This was completed during Task 3.
3. Set the domain name of the router as it’s required for creating the RSA encryption keys. Use the ip domain-name [your_domain_name] command in Global Configuration mode:

   TT-RTR-01(config)# ip domain-name ccnalab.local

4. Create the RSA encryption keys for data encryption with SSH:

   TT-RTR-01(config)# crypto key generate rsa

5. The key (modulus) size should be at least 1024 or greater to improve security, as shown in Figure 2.44:

Figure 2.44: Configuring SSH

6. Create a local user account for the SSH user:

   TT-RTR-01(config)# username User1 secret mySSHpassword

Note

The secret command will store the encrypted form of the password within the running-config file. Instead, if you use the password command, the password will be stored in plaintext. This command is not recommended unless it’s the only available option.

7. Enable SSHv2 and configure SSH on the VTY lines:

   TT-RTR-01(config)# ip ssh version 2
   TT-RTR-01(config)# line vty 0 4
   TT-RTR-01(config-line)# transport input ssh
   TT-RTR-01(config-line)# login local
   TT-RTR-01(config-line)# exit

8. The login local command is commonly used on the VTY and console lines, which specifies the local authentication should be used, that is, check for a valid username and password only.
9. When this command is applied, the authentication mechanisms will not acknowledge any password that’s configured under Line mode. For instance, if the previous Telnet password is still present, the login local command will only check for the user accounts that were created in step 4.

Note

In Privilege Exec mode, the show users command enables device administrators to identify which users are remotely connected.

Task 7: Configuring the Console to Use Local User Accounts

Now that you have created a local user account, you can also configure the console line to check for a local user account, instead of a password only.

To perform this task, use the following commands:

TT-RTR-01(config)# line console 0
TT-RTR-01(config-line)# login local
TT-RTR-01(config-line)# no password
TT-RTR-01(config-line)# exit

Task 8: Disabling Domain Lookup and Encrypting All Plaintext Passwords

If you have incorrectly entered a command, Cisco IOS may attempt to perform a domain lookup, as shown in Figure 2.45:

Figure 2.45: Domain lookup

To prevent or disable automatic domain name or Domain Name System (DNS) lookup on a Cisco IOS device, use the following command in Global Configuration mode:

TT-RTR-01(config)# no ip domain-lookup

There are various modes within Cisco IOS that do not support the enable secret or the secret command for storing the encrypted form of a password, and only the password command is available.

To automatically encrypt all existing and future plaintext passwords that are stored in the configuration file, use the following command in Global Configuration mode:

TT-RTR-01(config)# service password-encryption

Task 9: Saving Configurations and Rebooting Systems

All the configurations that were performed in the previous steps and tasks are stored in the running-config file. To view the running-config file, use the show running-config command, as shown in Figure 2.46:

Figure 2.46: Current configuration

Use the following steps to properly save the current configurations such that these configurations are loaded into memory when the device reboots:

1. If the device loses power or reboots, the configurations are lost. Therefore, to save the current configurations in the startup-config file, use the following commands in Privilege Exec mode:

   TT-RTR-01# copy running-config startup-config

2. After executing the preceding command, the following prompt will appear:

   Destination filename [startup-config]?

3. Simply hit Enter again to use the default name of the configuration file.
4. To test whether your configurations save properly, use the show startup-config command within Privilege Exec mode and compare it with the running-config file.
5. Lastly, use the reload command to reboot the device from the CLI.

Keep in mind that the configurations of running-config are lost if the device reboots or loses power. Therefore, it’s essential to save the current configurations after completing and testing the functionality of a system change.

Task 10: Configuring Switch 1

This sub-section covers the instructions for configuring Switch 1 within your lab topology:

1. To secure Privilege Exec mode, use the following commands to restrict unauthorized access:

   Switch> enable
   Switch# configure terminal
   Switch(config)# enable secret myEncryptedPassword

2. Use the following commands to configure the hostname and banner on the switch:

   Switch(config)# hostname TT-SW-01
   TT-SW-01(config)# banner motd #Unauthorized Access is Prohitbited.#

3. A switch virtual interface (SVI) enables a network professional to configure an IP address on a management virtual local area network (VLAN) interface for the purposes of remote management and troubleshooting. To configure an SVI on Switch 1, use the following commands:

   TT-SW-01(config)# interface vlan 1
   TT-SW-01(config-if)# ip address 192.168.1.2 255.255.255.0
   TT-SW-01(config-if)# no shutdown
   TT-SW-01(config-if)# exit

4. To ensure that the switch is reachable outside its own IP network, a default gateway should be configured on the switch. Use the following command to set a default gateway on the switch:

   TT-SW-01(config)# ip default-gateway 192.168.1.1

5. To configure a domain name and generate RSA keys for setting up SSH, use the following commands:

   TT-SW-01(config)# ip domain-name ccnalab.local
   TT-SW-01(config)# crypto key generate rsa

6. To create a local user account and enable SSHv2 to improve security, use the following commands:

   TT-SW-01(config)# username User1 secret mySSHpassword
   TT-SW-01(config)# ip ssh version 2

7. To configure VTY lines for SSH input only, use the following commands:

   TT-SW-01(config)# line vty 0 4
   TT-SW-01(config-line)# transport input ssh
   TT-SW-01(config-line)# login local
   TT-SW-01(config-line)# exit

8. To configure the console line for local authentication, use the following commands:

   TT-SW-01(config)# line console 0
   TT-SW-01(config-line)# login local
   TT-SW-01(config-line)# exit

9. To disable domain name lookup, encrypt all plaintext passwords, and save configurations on the device, use the following commands:

   TT-SW-01(config)# no ip domain-lookup
   TT-SW-01(config)# service password-encryption
   TT-SW-01(config)# exit
   TT-SW-01# copy running-config startup-config

Now that you have configured Switch 1 within the lab, you can move on to the next section within the topology.

Task 11: Configuring Switch 2

In this sub-section, you will be configuring Switch 2 within the lab topology:

1. To secure Privilege Exec mode on Switch 2, use the following commands:

   Switch> enable
   Switch# configure terminal
   Switch(config)# enable secret myEncryptedPassword

2. To configure the hostname and banner on Switch 2, use the following configurations:

   Switch(config)# hostname TT-SW-02
   TT-SW-02(config)# banner motd #Unauthorized Access is Prohitbited.#

3. To configure an SVI on the switch, use the following commands:

   TT-SW-02(config)# interface vlan 1
   TT-SW-02(config-if)# ip address 172.16.1.2 255.255.255.0
   TT-SW-02(config-if)# no shutdown
   TT-SW-02(config-if)# exit

4. To ensure the switch is reachable outside its own IP network, a default gateway should be configured on the switch. Use the following commands to set a default gateway on the switch:

   TT-SW-02(config)# ip default-gateway 172.16.1.1

5. To configure a domain name and generate RSA keys for setting up SSH, use the following commands:

   TT-SW-02(config)# ip domain-name ccnalab.local
   TT-SW-02(config)# crypto key generate rsa

6. To create a local user account and enable SSHv2 for better security, use the following commands:

   TT-SW-02(config)# username User1 secret mySSHpassword
   TT-SW-02(config)# ip ssh version 2

7. To configure VTY lines for SSH access, use the following:

   TT-SW-02(config)# line vty 0 4
   TT-SW-02(config-line)# transport input ssh
   TT-SW-02(config-line)# login local
   TT-SW-02(config-line)# exit

8. To configure the console line for local authentication, use the following commands:

   TT-SW-02(config)# line console 0
   TT-SW-02(config-line)# login local
   TT-SW-02(config-line)# exit

9. To disable domain name lookup, encrypt all plaintext passwords, and save configurations, use the following commands:

   TT-SW-02(config)# no ip domain-lookup
   TT-SW-02(config)# service password-encryption
   TT-SW-02(config)# exit
   TT-SW-02# copy running-config startup-config

Having completed this section, you have learned how to set up a small Cisco environment and apply common device configurations. Next, you will learn how to perform common troubleshooting procedures.

During and after configuring your devices on a network, it is best practice to verify the IP addresses on each device.

Table 2.2 shows the IP address scheme for the lab topology:

Table 2.2: IP addressing scheme

Up next, you will learn about various troubleshooting commands for both end devices and Cisco devices.

Verifying IP Configurations on End Devices

The following commands are commonly used by network professionals in their troubleshooting process to identify whether they’ve assigned the appropriate IP address on a host device:

• ipconfig: A Windows-based command for displaying the IP address, subnet mask, and default gateway addresses of each interface
• ipconfig /all: A Windows-based command that displays additional addressing such as the media access control (MAC) address and DNS server addresses on each interface
• ifconfig: A Linux-based command for displaying the IP addresses and interfaces
• ip address: A Linux-based command for displaying IP addresses and interfaces on Linux systems

Verifying IP Configurations on Cisco Devices

The following are useful Cisco IOS commands for verifying IP configurations on Cisco devices:

• show ip interface brief: Displays a summary of all interfaces, their status, and assigned IP addresses
• show ip interface [interface-ID]: Shows IP-related information for a specific interface
• show interfaces [interface-ID]: Shows detailed information about a specific interface
• show running-config: Displays the device’s current configurations, including the IP addresses that are configured on each interface

Verifying End-to-End Connectivity

The ping and traceroute utilities are software-based tools that are integrated into many operating systems, such as Windows, Linux, macOS, and even Cisco IOS. The ping utility leverages Internet Control Message Protocol (ICMP) for checking end-to-end connectivity between a sender and a destination host. ICMP is a Layer 3 network protocol that is integrated within the OSI and TCP/IP network model that sends error and operational messages to identify whether there is a failure or a successful connection between devices over a network. Additionally, the traceroute utility also leverages ICMP for checking each hop along the path from a sender to a destination host.

Figure 2.47 shows how to use the ping utility on a Windows-based system:

Figure 2.47: ping results on a Windows device

As shown in the preceding screenshot, the PC sent four ping requests to 172.16.1.10 (server) and got four ping replies, which indicates the destination host is online and has end-to-end connectivity.

Note

The ping [destination host] command is applicable to Windows, Linux, macOS, and Cisco IOS devices.

Figure 2.48 shows the ping output on a Cisco IOS router:

Figure 2.48: ping results on a Cisco device

Cisco IOS does not provide a similar output to Windows or Linux operating systems – rather, it provides various symbols with different meanings, such as the following:

• !: Successful – ping requests are sent and received.
• .: Request timeout – the ping request is sent to the destination but no response is received. This is caused by a return path being missing from the destination host or ICMP responses being disabled on the recipient device.
• U: Destination unreachable – the sender or default gateway does not have a route to the destination host or network. This is caused by a missing route from the routing table of the sender or default gateway.

Additional Troubleshooting Tips

The following are common troubleshooting tips:

• Verify the destination device is powered on
• Verify the cables are connected to the correct interfaces
• Ensure the IP addresses are configured on the correct interfaces
• Ensure the interfaces are administratively up

Having completed this section, you have learned about the fundamental checks to perform. As you progress further in this book, you will learn about more technologies and their troubleshooting procedures.

Having completed this chapter, you have gained hands-on experience in performing initial device configurations on a Cisco router and two Cisco switches to build a small network. During these exercises, you’ve learned about the commands needed to change the hostname, set a banner, configure interfaces with IP addresses, and even set up remote access using SSH. Most importantly, the knowledge gained from this chapter will help you to better understand the CLI of Cisco IOS devices when performing advanced configurations in later chapters of this book.

I hope this chapter has been informative for you and is helpful in your journey toward learning how to implement and administer Cisco solutions and prepare for the 200-301 CCNA v1.1 certification. In the next chapter, Chapter 3, Network Architectures and Physical Infrastructure, you will learn about some common network topologies and their architectures, and how they are implemented in various types of organizations.

• 8 Steps to Configure Your Network Switch: https://www.cisco.com/c/en/us/solutions/small-business/resource-center/networking/how-to-setup-network-switch.html
• Configuring a Cisco router: https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/routconf.html

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

HOW TO GET STARTED

• Open the link or scan the QR code at the bottom of this page
• If you have unlocked the practice resources already, log in to your registered account. If you haven’t, follow the instructions in Chapter 19 and come back to this page.
• Once you log in, click the START button to start a quiz
• We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.
• You can use the following practice template to help you plan your attempts:

The above drill is just an example. Design your drills based on your own goals and make the most out of the online quizzes accompanying this book.

First time accessing the online resources?

You’ll need to unlock them through a one-time process. Head to Chapter 19 for instructions.