CISCO IOS in a Nutshell

By James Boney

Table of Contents

Chapter 1: Getting Started
Introduction
The modern world is networked in a way that could barely be imagined a few decades ago. Today, the Internet reaches into virtually every business and almost every home. Our children and even our grandparents speak of dot-coms, email, and web sites. The Internet is now part of our culture.
Routers are the glue that holds the Internet together. And Cisco is the most prominent router manufacturer, holding the largest share of the market. Their routers come in all sizes, from inexpensive units for homes and small offices to equipment costing well over $100,000 and capable of routing at gigabit speeds. One of the most impressive facts about their product line is its unified operating system. Almost all of their routers, as well as half of their switches—from the smallest to the largest—run the Internetwork Operating System (IOS). Therefore, they share the same command set, the same user interface, and the same configuration techniques. While an 800-series home router doesn't have the features or the capacity of a 7500-series router that might be used to connect an ISP to an Internet backbone, you configure them the same way. Both routers use access lists, have similar security mechanisms, support the same set of protocols in the same way, and so on. A home router probably wouldn't have a Frame Relay interface, but if it did, it would be configured just like a Frame Relay interface on a mid-sized corporate router.
IOS is an extremely powerful and complex operating system with an equally complex configuration language. There are many commands, with many options, and if you get something wrong you can easily take your company offline. That's why I've decided to provide a quick-reference guide to IOS. As large a book as this is, though, it's impossible to cover all of IOS. Therefore, I've limited the discussion to IOS configuration for the TCP/IP protocol family. I've included all the commands that you need to work with TCP/IP and the lower-level protocols on which it relies. The trade-off is that I've made no attempt to cover other protocols that IOS supports, and there are many: IPX, AppleTalk, SNA, DecNet, and virtually any other protocol suite that is now or ever has been in widespread use.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
IOS User Modes
There are two primary modes of operation within the IOS: user mode and privileged mode. When you first connect to the router, you are placed in the user mode. The Cisco documentation refers to this as the user exec mode; I am going to omit "exec" throughout this book. The user mode is indicated by the prompt:
Router>
The word "Router" is replaced with your router's hostname if the hostname is already configured.
The show commands in user mode are limited to a few basic levels. You cannot edit or view configurations at this stage; you can only view the router status and other miscellaneous information. To obtain a basic listing of commands, type a question mark:
Router>?
         
Editing the router's configuration requires you to be in the privileged exec mode, which I simply call "privileged mode." Use the enable command to enter this mode:
Router>enable
Password:
Router#         Privileged mode prompt
         
You can always tell whether you are in user mode or privileged mode by looking at the prompt. The user mode prompt has a > at the end; the privileged mode prompt always has a # at the end, regardless of the submode.
If you are familiar with Unix, you can equate privileged mode to "root" access. You could also equate it to the administrator level in NT or the supervisor in NetWare. In this mode, you have permission to access everything inside the router, including configuration commands. However, you can't type configuration commands directly. Before you can change the router's actual configuration, you must enter a submode of the privileged mode by giving the command configure terminal (see Section 1.3 for a shortcut). This command can be entered only when you are in the privileged mode.
Router#configure terminal
            Enter configuration commands, one per line. End with Ctrl-Z
Router(config)#        Configuration mode
         
To exit from configuration mode, you can use the command
Command-Line Completion
Command-line completion makes the IOS interface much more user-friendly. It saves you extra typing and helps out when you cannot remember a command's syntax. In a previous example, we used the command configure terminal:
Router#configure terminal
         
But you could have saved wear and tear on your hands by typing:
Router#conf t
         
IOS expands the command conf t to configure terminal. Another shortcut is to press Tab after typing "conf"; the router will fill in the best completion, which is "configure". Here is another example:
Router#show running-config
         
This long command can be shortened to:
Router#sh ru
         
The router knows that "show" is what you wanted because show is the only command that begins with "sh"; likewise, the only subcommand of show that begins with "ru" is running-config.
If the router does not understand a command, it repeats the entire command line and places a caret (^) under the point at which it ran into trouble. For example:
Router>show itnerface e0
>show itnerface e0
       ^
% Invalid input detected at '^' marker.
The caret symbol is pointing to the "t" in "itnerface", which is the command the router does not understand. We can quickly fix that by retyping the command:
Router>show interface e0
         
We now get the correct output! Since we also know how to use shortcuts, we can type:
Router>sh int e0
         
With this command we get the same result as its lengthy counterpart. Command-line completion saves a lot of typing, and it helps you keep your sanity when you're working with long commands.
Another form of command-line completion is the use of the Tab key. If you start a command by entering the first few characters, you can hit the Tab key. As long as there is only one match, the router will complete the command: for example, if you type "sh" and hit Tab, the router completes the "sh" with "show". If the router does not complete the command, you can enter a few more letters and try again.
Get to Know the Question Mark
Previously, I said that you can get the available commands by typing ? at the prompt. You can also use this trick to find the subcommands of any command. For example, if you know you want to use the copy command but cannot remember which subcommand you need, type:
Router#copy ?
  WORD            Copy from flash device - format <dev:>[partition:][filename]
  flash           Copy from system flash
  flh-log         Copy FLH log file to server
  mop             Copy from a MOP server
  rcp             Copy from an rcp server
  running-config  Copy from current system configuration
  startup-config  Copy from startup configuration
  tftp            Copy from a TFTP server
Another use of the question mark is to find all commands that match what you have typed so far. For example, if you know the first part of a command, type it and then type a question mark. The router will return a list of all the matching commands. In the following example, we remember that the configure command begins with "co", but that's it. The router gives us the matching commands:
Router#co?        
configure  connect  copy
Note the important difference between these two examples. In the first example, there was a space before the question mark, which gave us the next command that complements copy. Had there not been a space, the router would have tried to complete the word "copy" for us, not given us the next available commands. In the next example, we did not add the space, so the router tried to complete "co" with all the commands it could find that start with "co".
Another important rule to understand is that the router will return only commands that are relevant to the mode you are currently in. For example, if you are in user mode, you will be given only commands that apply to that mode.
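To make the matching rules of this chapter concrete, here is an added Python model (not code from the book, and not the router's real parser) of how IOS expands abbreviations, answers the two forms of the question mark, completes on Tab, and places the caret under a bad keyword. The command tree is a constructed subset of the keywords quoted above.

```python
"""Model of IOS command-line completion, abbreviation and the caret error marker.
Added example: a constructed subset of the keywords shown in this chapter, not
the router's real parser."""

# Constructed command tree. A keyword maps to the keywords that may follow it;
# an empty dict marks a leaf after which any remaining words are arguments.
COMMAND_TREE = {
    "show": {
        "running-config": {},
        "startup-config": {},
        "interface": {},            # followed by an interface name such as e0
        "ip": {"route": {}},
        "version": {},
    },
    "configure": {"terminal": {}},
    "connect": {},
    "copy": {"rcp": {}, "running-config": {}, "startup-config": {}, "tftp": {}},
    "enable": {},
    "terminal": {"length": {}, "width": {}},
}


def matches(prefix, keywords):
    """Keywords in KEYWORDS that begin with PREFIX, in the order IOS lists them."""
    return sorted(k for k in keywords if k.startswith(prefix))


def _walk(line, tree):
    """Expand every abbreviated keyword in LINE against TREE.
    Returns (expanded_words, node, error): node is the dict of keywords that may
    follow the last keyword, or None once a leaf has been passed (remaining words
    are arguments); error is None on success, else the text IOS would print."""
    node, expanded, pos = tree, [], 0
    for word in line.split():
        pos = line.index(word, pos)               # column of this word, for the caret
        if node is None:                          # argument position: taken verbatim
            expanded.append(word)
        elif word in node:                        # exact keyword
            expanded.append(word)
            node = node[word] or None
        else:
            cands = matches(word, node)
            if len(cands) == 1:                   # unique abbreviation: "sh" -> "show"
                expanded.append(cands[0])
                node = node[cands[0]] or None
            elif cands:                           # several keywords share the prefix
                return expanded, node, f'% Ambiguous command:  "{line}"'
            else:
                # IOS puts the caret under the first character at which the prefix
                # typed so far matches no keyword: the "t" of "itnerface".
                bad = next(i for i in range(1, len(word) + 1)
                           if not matches(word[:i], node))
                caret = " " * (pos + bad - 1) + "^"
                return expanded, node, (f"{line}\n{caret}\n"
                                        "% Invalid input detected at '^' marker.")
        pos += len(word)
    return expanded, node, None


def resolve(line, tree=COMMAND_TREE):
    """Return the fully expanded command line, or the IOS-style error text."""
    words, _, error = _walk(line, tree)
    return error if error else " ".join(words)


def tab_complete(line, tree=COMMAND_TREE):
    """The Tab key: complete the last word only when exactly one keyword matches."""
    head, _, partial = line.rpartition(" ")
    _, node, error = _walk(head, tree)
    cands = [] if error or node is None else matches(partial, node)
    return f"{head} {cands[0]}".strip() if len(cands) == 1 else line


def question_mark(line, tree=COMMAND_TREE):
    """The two forms of '?': 'co?' completes the current word, 'copy ?' lists
    what may follow; a leaf with nothing to follow is shown as <cr>."""
    body = line[:-1] if line.endswith("?") else line
    if body and not body.endswith(" "):                # "co?": no space before ?
        head, _, partial = body.rpartition(" ")
        _, node, error = _walk(head, tree)
        return error if error else matches(partial, node or {})
    _, node, error = _walk(body.strip(), tree)         # "copy ?": space before ?
    if error:
        return error
    return sorted(node) if node else ["<cr>"]


if __name__ == "__main__":
    for cmd in ("conf t", "sh ru", "sh int e0", "show itnerface e0", "co"):
        print(f"Router#{cmd}\n  -> {resolve(cmd)}")
    print("Router#co?      ->", question_mark("co?"))
    print("Router#copy ?   ->", question_mark("copy ?"))
```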
Command-Line Editing Keys
IOS provides a number of keyboard shortcuts that let you edit the line you're typing. They should be familiar to any user of Unix or Emacs. Table 1-1 lists the command-line editing keys.
Table 1-1: Command-line editing keys

Keys     Commands
Ctrl-a   Returns the cursor to the beginning of the current line.
Ctrl-b   Moves the cursor back one character. (Equivalent to the left arrow key.)
Ctrl-d   Deletes the character to the left of the cursor.
Ctrl-e   Moves the cursor to the end of the line.
Ctrl-f   Moves the cursor forward one character. (Equivalent to the right arrow key.)
Ctrl-k   Deletes all the characters from the current cursor position to the end of the line.
Ctrl-n   Goes to the next command in the session history. (Equivalent to the down arrow key.)
Ctrl-p   Goes to the previous command in the session history. (Equivalent to the up arrow key.)
Ctrl-t   Switches the current character with the character to the left of the cursor.
Ctrl-r
Pausing Output
Using the terminal command, you can set an important feature of the user interface: the pausing of lengthy output. For example, if you run a command that has more than one page of output, the router will pause after 24 lines with a "--More--" prompt. The value 24 is the default terminal length. Depending on the size of your terminal window, this might not be adequate. You can change the length and width using the terminal command, like this:
Router>terminal length 10
Router>terminal width 80
         
These commands set the terminal length to 10 and the width to 80, which means the router will pause after 10 lines of output and that each of these lines will be 80 characters long. You can disable the pausing altogether by setting the terminal length to 0:
Router>terminal length 0
         
show Commands
As you work with IOS, you'll become intimately familiar with the show commands. They are among the most useful commands you will ever use; they allow you to view just about any settings within the router. Issuing the command show ? produces output like this:
Router>show ?
  clock     Display the system clock
  history   Display the session command history
  hosts     IP domain-name, lookup style, nameservers, and host table
  sessions  Information about Telnet connections
  snmp      snmp statistics
  terminal  Display terminal configuration parameters
  users     Display information about terminal lines
  version   System hardware and software status
The show command has many different subcommands. However, notice that we are in user mode. In privileged mode, the show command has a lot more subcommands, which would take up a few pages if we listed them here. The important thing to remember is that show commands often have more than one keyword. For example, the command show ip route works by itself, but there are also many other options that can be applied to it. For example:
router#show ip route ?
  Hostname or A.B.C.D  Network to display information about or hostname
  bgp                  Border Gateway Protocol (BGP)
  connected            Connected
  egp                  Exterior Gateway Protocol (EGP)
  eigrp                Enhanced Interior Gateway Routing Protocol (EIGRP)
  igrp                 Interior Gateway Routing Protocol (IGRP)
  isis                 ISO IS-IS
  odr                  On Demand stub Routes
  ospf                 Open Shortest Path First (OSPF)
  rip                  Routing Information Protocol (RIP)
  static               Static routes
  summary              Summary of all routes
  supernets-only       Show supernet entries only
  <cr>
I certainly haven't explained routing enough for you to understand the output of this command. However, you can see how to find show keywords with the question mark. The
Chapter 2: IOS Images and Configuration Files
IOS Images
Eventually you will want to upgrade your router's software. Upgrading IOS involves transferring a new IOS image to your router from some kind of server. As we'll see in this chapter, there are several methods for uploading a new IOS image: the most common is to use a TFTP (Trivial File Transfer Protocol) server or an RCP (Remote Copy Protocol) server somewhere on your network. Before we discuss how to transfer a new image, let's define exactly what is meant by an "image file" and how it differs from a configuration file.
IOS image files contain the system code that your router uses to function; that is, the image contains the IOS itself, plus various feature sets (optional features or router-specific features). However, the features are not configured in any way. The router's actual configuration—which features are enabled and how they are used in your particular network environment—is stored in a configuration file written in IOS's configuration language. The commands in this file describe everything from the router's name and the IP address of each interface to the protocols that you're using, address translation, security, and more. The router is useless without a concrete configuration—just like an operating system kernel is useless without the configuration files (for example, the Windows registry, or the files in /etc on a Unix system) that tell the kernel how you want it to operate in a particular situation.
IOS is the software that resides inside the Cisco device. You can think of IOS as the kernel or the actual operating code within your router. The IOS image has a name, which specifies the platform for which the image was built, the features it includes, and where the image is located in memory. To see the name of the image your router is running, give the command show version:
Router>show version
Cisco Internetwork Operating System Software IOS (tm)
 3600 Software (C3640-JS-M), Version 12.0(5)T1,  RELEASE SOFTWARE (fc1)
Using the IOS Filesystem for Images
The upgrade procedure described in the previous sections is for a Class B IOS filesystem. Class B filesystems are probably the most common, but they aren't universal—particularly on high-end routers. There are also Class A and Class C filesystems; the filesystem you have depends on the router you're using. Table 2-4 shows which filesystem is used in a number of different routers.
Table 2-4: Flash filesystem types

Filesystem type   Router
Class A           7000 series, C12000, and LightStream 1010
Class B           1003, 1004, 1005, 2500, 3600, 4000, AS5200, 800
Class C           3810
As far as a user is concerned, the filesystems differ primarily in the commands that they support. Table 2-5 lists the filesystem commands and what they do.
Table 2-5: Filesystem commands

Command   Filesystem   Description
cd        All          Changes the working directory.
delete    All
The Router's Configuration
Every router has two different configurations to consider:
Running configuration
The router's active configuration, which is stored in the router's RAM. Every configuration command you give is stored in the running configuration. If you reboot your router, this configuration will be lost. If you make changes that you want to save, you must copy the running configuration to a safe location, such as a network server, or save it as the router's startup configuration.
Startup configuration
The configuration that is loaded when the router boots. This configuration is stored in the router's nonvolatile memory (NVRAM). You cannot edit a startup configuration directly. All commands you enter are stored in the running configuration, which can be copied into the startup configuration.
In other words, when you boot a router, the startup configuration becomes the initial running configuration. As you modify the configuration, the two diverge: the startup configuration remains the same, while the running configuration reflects the changes you have made. If you want to make your changes permanent, you must copy the running configuration to the startup configuration.
The following command copies the router's current running configuration into the startup configuration:
Router#copy running-config startup-config
Building configuration...
Similarly, to save the running configuration on a network server using TFTP, you would give the command:
Router#copy running-config tftp
         
You'll be prompted for additional information, such as the remote host and the name for the saved file.
The terms "running configuration" and "startup configuration" were added in recent versions of IOS. In earlier versions, you used the command write
Loading Configuration Files
Loading and saving configuration files is much simpler than loading a kernel image. This section summarizes the commands that load and save the configuration.
Once loaded, the running configuration will immediately be used by the router. Use these commands to load it using either TFTP or RCP:
Router#copy tftp running-config        (for TFTP)
Router#copy rcp running-config         (for RCP)

The startup configuration is not used until the router is rebooted. Loading the startup configuration can be dangerous, because the router doesn't parse the configuration file and won't give you any warning if the file has errors. The configuration is not parsed until the router is rebooted—and if the configuration is incorrect, the router may not boot properly. Therefore, use the following commands with care:
Router#copy tftp startup-config        (for TFTP)
Router#copy rcp startup-config         (for RCP)

The following command is the most important of all. If you don't save your running configuration, all your configuration changes will be lost during the next reboot of the device. Once you are satisfied that your current router configuration is correct, copy your configuration to the startup configuration with this command:
Router#copy running-config startup-config
            
The following commands display the startup or the running configuration:
Router#show startup-config
Router#show running-config
            
The following command deletes the startup configuration:
Chapter 3: Basic Router Configuration
Configuration Soapbox
Managing a handful of routers quickly becomes a large task, and managing thousands of routers is even worse. You can minimize your administrative burden by configuring your routers carefully, completely, and consistently. I strongly recommend that you use every helpful item possible—even if the configuration item is not required. Every moment spent doing configuration groundwork translates into many hours saved when you are troubleshooting or performing maintenance tasks. When you try to solve a network problem at 2 A.M., the importance of properly configured routers becomes painfully clear.
This chapter covers most of the configuration items that make routers more manageable and easier to tame.
Setting the Router Name
The examples in this book use "Router" as the router's name. That's fine for examples, but a bad idea in real life. Eventually, a router should be given a name. To set the router name to "Sphinx", use the hostname command:
Router(config)#hostname Sphinx
Sphinx(config)#
The router instantly responds by updating the prompt to reflect the new router name. The name can be up to 254 characters long, but don't use a name so long that you can't type it comfortably.
It's a good practice to follow a naming convention for your routers. With a logical, consistent naming scheme, it's easy to remember a router's name, or guess the name if you've forgotten it. For example, let's say that your router names all start with "rtr", followed by the city initials, followed by a number. Then, late one night when you're staring at a blank terminal screen trying to remember the name of the backbone router in New York, you can type rtr-ny-01 and be reasonably confident that you've guessed correctly.
Don't use underscores ( _ ) in router names. They are hard to type, often lead to confusion, and aren't legal in Domain Name System (DNS) names. Use a hyphen (-) instead. Similarly, avoid mixing upper- and lowercase. Instead of "routerOneNewYork", use "router-one-newyork". The router won't care, but your users will!
Setting the System Prompt
By default, the router uses its hostname as the prompt; the hostname is "Router" if you haven't defined it explicitly. It's often a good idea to put other useful information in the prompt by using the prompt command. For example:
Sphinx(config)#prompt %h:%n%p
Sphinx(config)#exit
Sphinx:5#
We've used three escape sequences to set the prompt to the hostname (%h), followed by the command number (%n), followed by the appropriate prompt character for the current command mode (%p). The escape sequences for the prompt command are listed in Table 3-1.
Table 3-1: Prompt variables

Escape sequence   Meaning
%%                Percent character
%h                Hostname of the router
%n                TTY number for this EXEC session
%p                Prompt character: either > for user level or # for privileged level
%s                Space character
%t                Tab character
The no prompt command returns the router to the default prompt.
Configuration Comments
It's a good idea to keep your routers' configuration files on a server somewhere. Then you can modify the configuration files using a convenient text editor and upload the files to your routers as necessary. One advantage to this procedure is that you can include comments within your configuration files. A comment is any line beginning with an exclamation point. For example:
!
! This is a comment.
!
You can also type comments when you are configuring the router from the command line, but comments are never saved as part of the router's configuration. Therefore, when you try to view or save the router's configuration, the comments will be gone.
The Enable Password
The enable password secures the privileged mode, which is required for all commands that change the router's configuration. Configuring the enable password therefore keeps people with general access to your router from changing the router's configuration. It takes only one person with enough knowledge to be dangerous to take down your whole network, so securing the privileged (enable) mode is always the right thing to do.
To set the password, use the enable password command:
Router(config)#enable password not2secure
         
The password is now set to "not2secure". Once the password is set, the router will prompt you for the password before it enters privileged mode.
By default, passwords are stored in clear text, which means that anybody who can find your router configuration file or watch you list the configuration on the console can see the enable password. The command service password-encryption (with no arguments) configures the router to store the password in an encrypted form.
Chapter 13 discusses better ways to manage passwords and authentication.
Mapping Hostnames to IP Addresses
Like all network equipment, routers work naturally with numeric IP addresses. However, using IP addresses isn't convenient for humans—including network administrators. It is much more convenient to work with hostnames. Like any other network host, routers implement DNS and can use DNS to look up IP addresses. But the use of DNS presents a problem in a routing environment. If the router can't access the Internet, it can't look up addresses; one reason that the router might not be able to access the Internet could be a routing problem; and if the router is configured to use DNS but can't access the Internet, you will have trouble using the commands you need to diagnose and fix the problem.
There is a good halfway point, however. Like other network hosts, the router can maintain a host table, and you can place any IP addresses that appear in your configuration in the host table. You can then use DNS to look up any hostnames that aren't actually involved in the router's configuration. This will make it easier to understand the output from show commands or to use commands such as ping to check your network connectivity.
The ip host command builds and maintains the router's host table. This command takes a hostname followed by one or more IP addresses. You can have up to eight IP addresses per hostname.
ip host pyramid 10.10.1.3
ip host sphinx 10.10.1.2 10.10.1.4 10.10.1.5
Deleting a host requires you to type the entire hostname and IP address over again!
no ip host pyramid 10.10.1.3
no ip host sphinx 10.10.1.2 10.10.1.4 10.10.1.5
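As an added example (my own code, not the book's), the following Python builds the host table from the ip host lines of a constructed config excerpt, enforces the eight-address limit, generates the exact no ip host line you would otherwise have to retype, and lists addresses the config uses that have no host-table entry. The HOST_DIRECTIVES list, the sample config and the function names are assumptions of the example.

```python
import re

MAX_ADDRESSES_PER_HOST = 8  # limit stated in the text

# Directives whose argument is a single host address (an assumption of this
# example); 'ip route' is handled separately since its last address is the next hop.
HOST_DIRECTIVES = ("ntp server ", "logging ", "snmp-server host ",
                   "ip name-server ", "ip default-gateway ")

# Constructed sample config excerpt; not taken from the book.
SAMPLE_CONFIG = """\
ip host pyramid 10.10.1.3
ip host sphinx 10.10.1.2 10.10.1.4 10.10.1.5
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.10.1.2
ntp server 10.10.1.3
logging 10.10.1.9
snmp-server host 10.10.1.10 public
"""

def parse_host_table(config):
    """Build {hostname: [addresses]} from the 'ip host' lines, enforcing the
    eight-address limit per hostname."""
    table = {}
    for raw in config.splitlines():
        m = re.match(r"^ip host (\S+)((?: \d+\.\d+\.\d+\.\d+)+)$", raw.strip())
        if not m:
            continue
        name, addrs = m.group(1), m.group(2).split()
        entry = table.setdefault(name, [])
        entry.extend(addrs)
        if len(entry) > MAX_ADDRESSES_PER_HOST:
            raise ValueError(f"{name}: more than {MAX_ADDRESSES_PER_HOST} addresses")
    return table

def removal_command(table, hostname):
    """The router makes you retype the whole entry to delete it, so generate
    the exact 'no ip host' line from the parsed table."""
    return f"no ip host {hostname} {' '.join(table[hostname])}"

def unnamed_addresses(config):
    """Addresses the config uses that have no host-table entry, which the text
    recommends adding so show and ping output stays readable without DNS."""
    named = {a for addrs in parse_host_table(config).values() for a in addrs}
    found = set()
    for raw in config.splitlines():
        line = raw.strip()
        quads = re.findall(r"\b\d+\.\d+\.\d+\.\d+\b", line)
        if line.startswith(HOST_DIRECTIVES):
            found.update(quads)
        elif line.startswith("ip route ") and len(quads) == 3:
            found.add(quads[2])  # destination, mask, next hop
    return sorted(found - named, key=lambda a: tuple(map(int, a.split("."))))
```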
The Domain Name System (DNS) reduces the need for host entries—although, as I said before, you should have explicit host entries for any IP addresses that appear in your configuration. DNS is enabled by default; to enable it explicitly, use the command
Additional content appearing in this section has been removed.
Setting the Router's Time
The router's internal clock is set with the clock set command. This command is not a configuration command (i.e., you must be in enable mode to give it, but you don't need to give the configure terminal command) and is not stored in the router's configuration. The time is in military (24-hour) time. For example:
Router#clock set 13:00:00 20 jun 1999
In addition to setting the time itself, you need to set the time zone using the clock timezone command. This command is part of the router's configuration. For example, a router on the east coast of the United States would have the line:
Router(config)#clock timezone EST -5
-5 is the UTC (Coordinated Universal Time) offset for the Eastern time zone.
Now that the time and time zone have been set, one final configuration item exists: in most places, you want to observe Daylight Savings Time. The following command tells the router to use Daylight Savings Time in the Eastern time zone:
Router(config)#clock summer-time EDT recurring
High-end Cisco routers have a calendar that is separate from the system clock. The calendar runs continuously, even if the router is off. After the calendar has been set, the system clock automatically sets itself every time the router is booted. The following commands set the router's calendar and set the clock's time from the calendar time. The calendar set command simply sets the time, and is not stored in the router's configuration.
Router#calendar set 12:10:00 5 September 1999
Router#clock read-calendar
The Network Time Protocol (NTP) is available in IOS Versions 9.21 and above. This protocol uses an NTP server to synchronize the router's time with other clocks on the network. Configuring NTP is as simple as setting the address of an NTP server. There are several NTP servers on the Internet for your use; your ISP may have its own NTP server.
Additional content appearing in this section has been removed.
Enabling SNMP
It should be obvious that since you're trying to manage a network, you should be able to use the network to help manage your network equipment. That's the goal of the Simple Network Management Protocol (SNMP). This protocol enables network-management stations to gather information from network nodes. Network nodes can be almost anything, ranging from the simplest bridge to the largest router, and even including software running inside the servers. Virtually all modern network equipment includes an SNMP agent, which is the software that communicates with the management station. Network-management stations can run commercial management software, or they can use homegrown tools.
I will not try to give an introduction to SNMP, nor will I talk about management software. In this section, I'll briefly describe how to configure the SNMP agent in a Cisco router. If you're not using SNMP, you can skip this section—though you should certainly investigate what SNMP can do for you.
By default, SNMP access is not enabled. To enable SNMP, use the command:
snmp-server community name mode access-list
The parameters are as follows:
name
The community string the management station will use to ask for information. This string acts like a password. SNMPv1's implementation is insecure because the string travels across the network in clear text. Anyone snooping on your network will be able to see the community string pass back and forth. To improve security, use the access-list option.
mode
Either RO for read-only access (unprivileged), or RW for read-write access (privileged). RO means that the management station can read information about the router but can't change anything;
Additional content appearing in this section has been removed.
Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is tremendously helpful when configuring a wide variety of Cisco equipment. It allows you to see what the adjacent routers or switches are, as well as their configured protocols and addresses.
CDP is enabled by default on most available interfaces. (There are a few exceptions, such as ATM interfaces.) This protocol automatically detects neighbor Cisco devices that are directly connected. The following command enables CDP globally:
cdp run
To disable CDP, use the no form of the command:
no cdp run
You can disable CDP on particular interfaces by using the no cdp enable command in interface configuration mode.
CDP can display useful information about other routers or switches that are directly connected:
Router>show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch1             Eth 0          162         T S        1900      AUI
router2             Eth 0          176          R         4000      Eth 0
Disable CDP on any router that is directly connected to the Internet or to another site that you don't trust (e.g., a customer site). CDP can be considered a security risk because it provides information to outside devices. It doesn't provide much information, but there's no reason to give any information away to potential intruders.
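The advice here, together with the earlier points about the enable password being stored in clear text and about SNMP community strings configured without an access list, can be checked mechanically against a saved configuration. The following Python is an added example (not the book's code) that audits a constructed running-config excerpt; the audit_config function, its severity labels, the sample config and the caller-supplied list of untrusted interfaces are my own assumptions.

```python
import re

# Constructed sample running-config excerpt; it is not taken from the book.
SAMPLE_CONFIG = """\
enable password not2secure
username bob password letmein
username alice password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
snmp-server community netops RO 5
cdp run
interface Serial0
 ip address 192.0.2.2 255.255.255.252
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
 no cdp enable
"""

def audit_config(config, untrusted_interfaces=()):
    """Return (severity, message) findings for the points this chapter raises:
    clear-text passwords, SNMP communities without an access list, and CDP
    left running on interfaces the caller names as untrusted."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append(("medium", "service password-encryption is not set"))
    cdp_disabled_on, current_if = set(), None
    for line in lines:
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current_if = m.group(1)
            continue
        if line.strip() == "no cdp enable" and current_if:
            cdp_disabled_on.add(current_if)
        # 'password 7 <hex>' is the form service password-encryption stores;
        # any other password line is stored exactly as typed.
        m = re.match(r"^(enable password|username (\S+) password) (?!7 )", line)
        if m:
            who = "enable" if m.group(1).startswith("enable") else m.group(2)
            findings.append(("high", f"clear-text password for {who}"))
        m = re.match(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            community, mode, acl = m.groups()
            if acl is None:
                sev = "high" if mode == "RW" else "medium"
                findings.append((sev, f"{mode} community '{community}' without access-list"))
    if "cdp run" in lines:
        for ifname in untrusted_interfaces:
            if ifname not in cdp_disabled_on:
                findings.append(("medium", f"CDP still enabled on untrusted interface {ifname}"))
    return findings
```

Calling audit_config(SAMPLE_CONFIG, untrusted_interfaces=("Serial0",)) reports the two clear-text passwords, the two communities without an access list, the missing service password-encryption line and CDP on Serial0, while alice, netops and Ethernet0 pass.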
Additional content appearing in this section has been removed.
System Banners
A router maintains a number of standard messages for communicating with users. These messages are typically associated with the process of logging into the router. For example, a user is typically shown a "message of the day," followed by a login banner, followed by the login prompt itself. After a successful login, the user is usually shown an "exec banner"; in the special case of a reverse telnet connection (see Chapter 4), the user is shown the "incoming banner" rather than the exec banner. In other words, for a typical console session, you would see:
This is the message of the day banner.      (motd banner)
This is the login banner.                   (login banner)
User access verification
Password:                                   (not echoed)
This is the exec banner.                    (exec banner)
Router>                                     (user mode prompt)
Each banner configuration statement has the same format: banner-type # message # . The pound character (#) represents the delimiting character of your choice. It marks the beginning and end of your message. You cannot use your delimiting character inside the message body. For example, the following command sets the message of the day:
Router(config)#banner motd #  Router will be rebooted today for maintenance.  #
Messages can contain blank lines and line breaks, as in the following example:
Router(config)#banner motd $
Enter TEXT message.  End with the character '$'.

Router will be down until tomorrow.

I guess we should have planned it better.
$
Router(config)#
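Because the delimiter cannot appear inside the message body (the router ends the banner at its first occurrence), a small helper can choose a delimiter that is absent from the text and render the command. This Python is an added example, not code from the book; the candidate delimiter list and the banner_command function are my own assumptions.

```python
# Candidate delimiters, tried in order when the caller does not supply one
# (an assumption of this example, not a router default).
DELIMITER_CANDIDATES = "#$%^&@!~"
BANNER_TYPES = ("motd", "login", "exec", "incoming")

def banner_command(banner_type, message, delimiter=None):
    """Render 'banner <type> <d>message<d>', choosing a delimiter that does
    not occur in the message; a delimiter inside the message would cut the
    banner short at that point."""
    if banner_type not in BANNER_TYPES:
        raise ValueError(f"unknown banner type: {banner_type}")
    if delimiter is None:
        delimiter = next((d for d in DELIMITER_CANDIDATES if d not in message), None)
        if delimiter is None:
            raise ValueError("every candidate delimiter occurs in the message")
    elif len(delimiter) != 1 or delimiter in message:
        raise ValueError(f"delimiter {delimiter!r} must be one character absent from the message")
    # Multi-line messages are passed through unchanged; the router accepts
    # line breaks between the two delimiters.
    return f"banner {banner_type} {delimiter}{message}{delimiter}"
```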
To create a banner of any type, use the banner command followed by the type of banner and the message:
Router(config)#banner motd # message #
Router(config)#banner login # message #
Router(config)#banner exec # 
Additional content appearing in this section has been removed.
Chapter 4: Line Commands
What Is a Line?
Cisco routers make a fairly basic distinction between the characteristics of a serial line (which you might want to think of as "physical" characteristics) and the characteristics of the protocols running over the line. The physical characteristics of a line are configured by the line command (and various commands that follow it) and include items such as parity and port speed. The high-level protocol characteristics are configured by the interface command (and the commands that follow it); these characteristics include IP addresses and other properties.
The line command can configure:
  • The router's console port (CTY)
  • The router's asynchronous ports (TTYs), used for dial-in and dial-out modem connections
  • The router's auxiliary port (AUX), used for backup modem connections
  • Telnet and rlogin connections to the router ("virtual terminals" or VTYs)
Additional content appearing in this section has been removed.
The line Command
The line command specifies which line or group of lines you want to configure by entering the line configuration mode. It doesn't actually do the configuration; it is followed by other commands that set up the specific properties you want. Here's the syntax of the line command:
line [aux | console | tty | vty] starting-line-number ending-line-number
The possible line types are aux, console, tty, and vty. These line types are discussed individually in this chapter. The following example shows how to use the line command to configure some properties of the router's console interface:
Router>enable                              Enter the privileged command mode
Router#config terminal                     Enter configuration mode
Router(config)#line console 0              Select the console line
Router(config-line)#exec-timeout 30 0      Set the timeout to 30 minutes
Router(config-line)#exit                   Exit the line configuration mode
Router(config)#exit                        Exit the configuration mode
Router#
If you want to apply line commands to more than one line, you can specify the starting and ending numbers of a group of lines. For example, say you want to apply the command exec-timeout to TTY lines 5 through 10. Instead of typing this command five times, you can configure the entire group with one line command:
Router(config)#line tty 5 10
Router(config-line)#exec-timeout 30 0
When you're typing the line command, you give it "relative" line numbers: the first TTY is tty0, the first virtual terminal is vty0, and so on. This numbering scheme is intuitive and convenient. Internally, the router uses an absolute numbering scheme to keep track of the lines. It would be nice if you could ignore the router's internal bookkeeping, but a number of commands use absolute line numbers when reporting information about a line's status.
Additional content appearing in this section has been removed.
The Console Port
Each router has one console port. This port always has line number 0. You make a connection to the console port by attaching a standard RS232 cable, as shown in Figure 4-1. This cable is often shipped with your router.
Figure 4-1: Console cable connection
You can use any VT100 terminal-emulation program to talk to the router; just select the correct PC serial interface (the one the console cable is plugged into) and then hit the Return key a few times. The router responds by starting an EXEC session, which is the process within the router that provides the command-line interface. The default settings for the port are 9600 baud, 8 data bits, no parity, and 1 stop bit. If you changed any of these defaults on the device, you will have to change the settings on your terminal program to match.
Using the line commands, we can define and control access to the console port. Here is a basic configuration:
Router#config terminal
Router(config)#service linenumber
Router(config)#line console 0
Router(config-line)#location Building-2A
Router(config-line)#exec-timeout 30 0
The location command identifies the router's location to the users. The command service linenumber displays the location information automatically to the user upon login. This information can be useful when you are administering your routers. Next, we add a basic security measure: a timeout. If the console port is idle for more than 30 minutes, the session automatically closes. You do not want the session active all the time in a real environment. If you forget to log out, someone might come in after you and modify the router's configuration!
A little more security can be achieved by adding a user login:
Router(config)#username bob password letmein
Router(config)#line console 0
Router(config-line)#
Additional content appearing in this section has been removed.
Virtual Terminals (VTYs)