Basic Config

Uploaded by Iván Meneses

LAB 1: CISCO CLI MODE

Most Cisco devices use a CLI (Command Line Interface) to configure the network device. The CLI is a
text-based interface: we type in configuration commands and use show commands to get output from
the router or switch. There are also GUIs (Graphical User Interfaces) for routers, switches and
firewalls, but the CLI is much easier to work with.

Overview of user levels and modes

As a security feature, Cisco IOS® Software separates EXEC sessions into two different access levels:

 - User EXEC level and
 - Privileged EXEC level

User EXEC level allows you to access only basic monitoring commands; privileged EXEC level allows
you to access all router commands. Privileged EXEC level can be password protected to allow only
authorized users the ability to configure or manage the router. From privileged EXEC level, you can
access all the command modes.

There are five command modes: global configuration mode, interface configuration mode, subinterface
configuration mode, router configuration mode, and line configuration mode.

Cisco IOS Command Hierarchy

After an EXEC session is established, commands within Cisco IOS Software are hierarchically structured.
The following figure illustrates a simple high-level schematic diagram of some Cisco IOS commands.
This figure summarizes the different modes you will explore in the Interface Labs in a later section.

Router> - User EXEC mode

Router# - Privileged EXEC mode

Router(config)# - Configuration mode (notice the # sign indicates this is accessible only at privileged EXEC mode)

Router(config-if)# - Interface level within configuration mode

Router(config-router)# - Routing engine level within configuration mode

Router(config-line)# - Line level (vty, tty, async) within configuration mode

To assist you in navigating the Cisco IOS CLI, the command prompt changes to reflect your
position within the command hierarchy. This lets you easily identify where within the command
structure you are at any given moment. The table above summarizes the command prompts and
the corresponding location within the command structure.

Privilege levels

Privilege levels define what commands users can issue after they have logged into a network device.
Cisco Internetwork Operating System (IOS) currently has 16 privilege levels that range from 0 through
15. Users have access to limited commands at lower privilege levels compared to higher privilege levels.

To illustrate this, think of standing on a mountain: at the bottom (level 0) you see very little
around you, and as you climb to the top (level 15) you see a whole lot more, having access to the
commands assigned to level 15 and below. The command "show privilege" tells you which privilege
level you are currently assigned; here are two examples:

Router>
Router>show privilege
Current privilege level is 1
Router>

Once we type "enable", we are assigned a higher privilege level. (By default, this level is 15; we can also
use the command "enable 15" to specifically elevate our privilege level to 15.)

Router>enable 15
Router#
Router#show privilege
Current privilege level is 15
Router#

Typing "?" at each privilege level lists the commands available there. You will see certain commands
missing at level 1 that are present at level 15.

Typically the preconfigured default levels are 1 and 15: level 1 is a "read-only" mode with limited
access to commands and no ability to modify the running configuration, while level 15 has full
administrative access. There is no middle ground; it's all or nothing.

 - Level 15: full access to all commands, such as the "reload" command, and the ability to make
   configuration changes.
 - Level 1: read-only access to limited commands, such as the "ping" command.

Examples: First time login to Router – Console cable

Console Cabling

On the switch, you will find one or two physical connectors for the console. Take a look at the picture
below:

This is a Cisco router; you see the light blue RJ45 port. The cable that plugs into it is called a Cisco
console cable, and you will need a serial port on your computer. Modern computers and laptops don't
have these serial ports anymore, so you might have to use a serial-to-USB cable like this one:

This cable emulates a serial port and has a USB connection. Once you have connected your computer to
the switch, we can start a terminal application to access the CLI.
Terminal Emulator

There are many terminal emulator applications. If you are new to this, the best one to start with is PuTTY.
It's free and allows you to connect using a serial connection, telnet and SSH. Once you have downloaded
it, you will see the main screen:

Make sure you select the "Serial" option. The default speed is 9600 (baud rate). The COM port depends
on your computer; it might be COM1, but if you are unsure, check the Device Manager in Windows.
Click on Start > Run and enter "devmgmt.msc":

Here is the device manager:


Above you can see that on my computer, I have to use COM4. Change the COM port and click on Open
to start the console.

Now is a good time to power on your switch or, in case it is already powered on, pull the plug so it can
reload.

--- Output omitted ---

Press RETURN to get started!

Now it's up to us to configure the router.

Depending on whether your switch already has a configuration, you might see the following message:

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:

If there is no configuration, the switch asks whether you would like to follow a wizard called the initial
configuration dialog. If you see this, type "no" to continue so that we start with a blank configuration.
We will configure the device ourselves.

Right now, the command line will show you this:

Router>

The > symbol tells us that we are currently in user mode. To get full access to the switch, we have to enter
privileged mode, also called enable mode. Here is how to do this:

Router>enable
Router#

LAB 2: Basic Configuration of Switch and Router


Objective:

1. Switch Configuration
 - hostname
 - login banner
 - enable password for accessing privileged mode
 - assign console password to protect console login
 - assign IP for VLAN 1 (management VLAN)
 - configure virtual terminal for telnet session
 - set default gateway for the switch

2. Router Configuration
 - hostname
 - login banner
 - enable password for accessing privileged mode
 - assign IP address on router interface
 - assign console password to protect console login
 - configure virtual terminal for telnet session
 - assign IP for the PC
 - save all configurations
 - verification

Switch Configuration

1. First check the startup-config and running-config to see whether any configuration already exists

When you type a command in global configuration mode, it is stored in the running configuration. The
running configuration resides in the device's RAM, so if the device loses power, all configured commands
are lost.

So you need to copy your current configuration into the startup configuration. The startup configuration is
stored in the device's NVRAM, so from then on the configuration is kept even if the device loses power.

Check the startup-config and running-config


Switch#show startup-config
Startup-config is not present
Switch#show running-config

There are two ways to save your configuration:

Switch#copy running-config startup-config

Or,

Switch#write memory

2. Enter global configuration mode and configure Hostname as DU

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname DU
DU(config)#

3. Assign password cisco123

The enable password restricts access to privileged mode, much like a root user's password. It can be
set in two ways: with the enable password command or with the enable secret command.

The enable secret command stores the password as an MD5 hash automatically.

The enable password command does not encrypt the password, which can then be viewed in clear text
in the running-config. To encrypt an enable password, use the service password-encryption command.
Note, however, that the enable secret command provides stronger protection than the service
password-encryption command does.

DU(config)#enable secret cisco123
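The difference between the two commands is visible in the type digit IOS writes in front of each stored credential when you look at the running-config. The script below is an added example for this lab, not Cisco code and not part of the original handout: it classifies every enable, username and line password in a configuration by that digit, treating Type 0 (cleartext) and Type 7 (the reversible obfuscation that service password-encryption applies) as weak and Type 5 (the salted MD5 hash that enable secret produces; Types 8 and 9 on newer IOS releases) as acceptable. The sample configuration, user names and hash values are constructed placeholders.

```python
"""Classify how credentials are stored in a Cisco IOS running-config.

Added example for this lab; not Cisco code and not part of the handout.
It relies only on the password "type" digit IOS writes before each stored
value: `enable secret 5 $1$...` (salted MD5, what `enable secret` produces),
`enable password 7 ...` (reversible Type 7 from `service password-encryption`),
or a bare `enable password cisco123` (Type 0, cleartext).
"""
import re

# Type code -> (description, weak?). Types 4/8/9 exist on newer IOS releases.
TYPE_INFO = {
    "0": ("cleartext", True),
    "4": ("unsalted SHA-256 (deprecated)", True),
    "5": ("salted MD5 (md5-crypt)", False),
    "7": ("reversible Type 7 obfuscation", True),
    "8": ("PBKDF2-SHA256", False),
    "9": ("scrypt", False),
}

# Matches `enable secret|password`, `username NAME [privilege N] secret|password`
# and the bare `password` used under `line` stanzas, each with an optional
# `level N` and an optional single-digit type code before the value.
CRED_RE = re.compile(
    r"^\s*(?P<cmd>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)"
    r"(?: level \d+)?"
    r"(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)

# Constructed sample config (placeholder hash values, not real ones) mixing the
# lab's commands with their weaker alternatives.
SAMPLE_CONFIG = """\
hostname DU
enable secret 5 $1$salt$PLACEHOLDER_MD5_HASH
enable password cisco123
username ashish privilege 15 password 0 cisco123
username ops privilege 15 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
line con 0
 password ashish123
 login
line vty 0 4
 password 7 PLACEHOLDER_TYPE7_VALUE
 login
"""


def audit_credentials(config_text):
    """Return one finding per credential line: where it is, how it is stored, whether that is weak."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        # IOS omits the type digit only for cleartext values, so no digit means Type 0.
        ptype = m.group("type") or "0"
        desc, weak = TYPE_INFO.get(ptype, ("unknown type", True))
        findings.append({
            "line": lineno,
            "command": m.group("cmd"),
            "type": ptype,
            "storage": desc,
            "weak": weak,
        })
    return findings


def weak_findings(config_text):
    """Only the findings a reviewer should act on (replace with enable secret / username secret / login local)."""
    return [f for f in audit_credentials(config_text) if f["weak"]]


def service_password_encryption_enabled(config_text):
    """True if the global `service password-encryption` command is present (Type 7 applied to passwords)."""
    return any(l.strip() == "service password-encryption" for l in config_text.splitlines())


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        flag = "WEAK" if f["weak"] else "ok  "
        print(f"line {f['line']:2d} {flag} type {f['type']} ({f['storage']}): {f['command']}")
```

Run it against the output of show running-config captured from a device; any finding marked WEAK is a credential an attacker who obtains the config file can read or trivially reverse, which is exactly the gap enable secret closes for the enable password.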

4. Configure login banner

A login banner is displayed whenever someone connects to the router by telnet or console connection.

DU(config)#banner motd "Unauthorized Users are highly Prohibited to login here"
DU(config)#

5. Console Password

We can protect the console port of Cisco devices with a console port password.

DU(config)#line console 0
DU(config-line)#password ashish123
DU(config-line)#login
DU(config-line)#exit
DU(config)#

6. Telnet configuration for remote access

Telnet is a user command and an underlying TCP/IP protocol for accessing remote devices.

The VTY lines are the virtual terminal lines of the router. They are virtual in the sense that they are a
function of software; there is no hardware associated with them. They appear in the configuration as
line vty 0 4.

DU#conf t
Enter configuration commands, one per line. End with CNTL/Z.
DU(config)#line vty 0 4
DU(config-line)#password ashish@123#
DU(config-line)#login
DU(config-line)#exit

7. Configure the management VLAN for remote access to the switch

By default, all switch ports are part of VLAN 1. VLAN 1 carries control plane traffic and can also carry
user traffic.

By default, VLAN 1 is the management VLAN. The management VLAN is used for purposes such as telnet,
SNMP, and syslog.

DU(config)#interface vlan 1
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown
DU(config-if)#exit
DU(config)#

8. Configure default-gateway for the switch

The switch should be configured with a default gateway if the switch will be managed remotely from
networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on the
same management VLAN network to which the switch connects. The switch will forward IP packets with
destination IP addresses outside the local network to the default gateway.

DU(config)#ip default-gateway 192.168.10.1

Router Configuration

1. First check the startup-config and running-config


Router#show startup-config
startup-config is not present
Router#show running-config

2. Configure Hostname as BUET

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname BUET
BUET(config)#

3. Assign enable secret password cisco123

BUET(config)#enable secret cisco123
BUET(config)#

4. Configure login banner

BUET(config)#banner motd "Do not try to access here"

5. Console password

BUET(config)#line console 0
BUET(config-line)#password ashish123
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

6. Enter Virtual Terminal lines and give a password ashish@123#, to login remotely

BUET(config)#line vty 0 4
BUET(config-line)#password ashish@123#
BUET(config-line)#login
BUET(config-line)#exit
BUET(config)#

7. Configure IP Address on Router's Interface

Enter global configuration mode:

BUET#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
BUET(config)#

Enter FastEthernet 0/0 interface configuration mode:

BUET(config)#interface fastEthernet 0/0

Enter IP address and subnet mask:

BUET(config-if)#ip address 192.168.10.1 255.255.255.0

By default, all interfaces on a Cisco router are “Administratively Down”. To bring an interface up,
issue the no shutdown command.

BUET(config-if)#no shutdown
BUET(config-if)#exit
BUET(config)#

8. Save Configuration

BUET#write memory
Building configuration...
[OK]
DU#write memory
Building configuration...
[OK]

You can also save the configuration using

BUET#copy running-config startup-config

But be careful with the direction of the command; it must not be reversed as

# copy startup-config running-config

or the unsaved changes in your running configuration will be lost, overwritten by the backup from NVRAM.

9. Assign IP to all hosts


11. Now ping to all devices from any PC

C:\>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128

C:\>ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:

Reply from 192.168.10.3: bytes=32 time=1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128
Reply from 192.168.10.3: bytes=32 time<1ms TTL=128

C:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:

Reply from 192.168.10.1: bytes=32 time=1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time<1ms TTL=255
Reply from 192.168.10.1: bytes=32 time=1ms TTL=255

14. Now log on to the router remotely

C:\>telnet 192.168.10.1

Trying 192.168.10.1 ...Open

Do not try to access here
User Access Verification
Password:
Password:
BUET>

16. Now log on to the switch remotely

C:\>telnet 192.168.10.10

Trying 192.168.10.10 ...Open

Unauthorized Users are highly prohibited to login here
User Access Verification
Password:
DU>

N.B. If the switch is a Layer 3 switch, you can assign an IP address to its interfaces as follows:

DU(config)#interface fastEthernet 0/2
DU(config-if)#no switchport
DU(config-if)#ip address 192.168.10.10 255.255.255.0
DU(config-if)#no shutdown

For routing capabilities you can also enable IP routing:

DU(config)#ip routing

LAB 3: SSH Configuration

Telnet was designed to work within a private network, not across a public network where threats can
appear. Because of this, all the data is transmitted in plain text, including passwords. This is a major
security issue, and the developers of SSH used encryption to make it harder for other people to sniff the
password and other relevant information.

Secure Shell (SSH) is a protocol that provides a secure remote-access connection to network devices.
Communication between the client and the server is encrypted in SSH. To do this, it uses an RSA
public/private keypair.

There are two versions: version 1 and version 2. Version 2 is more secure and commonly used.

Enable SSH on Cisco Switch

Step 1: Configure Management IP

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.10.10 255.255.255.0
Switch(config-if)#no shutdown

Step 2: Configure default gateway points to the router

Switch(config)#ip default-gateway 192.168.10.1

Step 3: Configure hostname and domain name

The name of the RSA keypair will be formed from the hostname and domain name of the device.

Switch(config)#hostname ASHISH-SW
ASHISH-SW(config)#ip domain-name ashish.com

Step 4: Generate the RSA Keys

ASHISH-SW(config)#crypto key generate rsa
The name for the keys will be: ASHISH-SW.ashish.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
ASHISH-SW(config)#

Key sizes of 1024 bits or smaller should be avoided. Larger keys take longer to generate but provide
more security.

Step 5: SSH version 1 is the default version, so change it to version 2

ASHISH-SW(config)#ip ssh version 2

Step 6: Setup the Line VTY configurations

ASHISH-SW(config)#line vty 0 4
ASHISH-SW(config-line)#transport input ssh
ASHISH-SW(config-line)#login local

Step 7: Create the username and password

ASHISH-SW(config)#username ashish privilege 15 password cisco123

Step 8: Create enable password

ASHISH-SW(config)#enable secret cisco123

Step 9: Create console password

ASHISH-SW(config)#line console 0
ASHISH-SW(config-line)#logging synchronous
ASHISH-SW(config-line)#login local

Step 10: Verify SSH

C:\>ssh -l ashish 192.168.10.10
Password:
ASHISH-SW#conf t
ASHISH-SW(config)#

Enable SSH on Router (same as before)

Router>en
Router#conf t
Router(config)#hostname Venus
Venus(config)#interface fastEthernet 0/0
Venus(config-if)#ip address 192.168.10.1 255.255.255.0
Venus(config-if)#no shutdown
Venus(config-if)#exit
Venus(config)#ip domain-name cisco.com
Venus(config)#username ashish privilege 15 password cisco123
Venus(config)#crypto key generate rsa

The name for the keys will be: Venus.cisco.com


Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
Venus(config)#
*Mar 1 0:34:31.790: %SSH-5-ENABLED: SSH 1.99 has been enabled
Venus(config)#ip ssh version 2
Venus(config)#enable secret cisco
Venus(config)#line console 0
Venus(config-line)#logging synchronous
Venus(config-line)#login local
Venus(config-line)#exit
Venus(config)#line vty 0 4
Venus(config-line)#transport input ssh
Venus(config-line)#login local

Venus#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Venus#

C:\>ssh -l ashish 192.168.10.1
Password:
Venus#conf t
Venus(config)#
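To confirm that a device really ended up in the state this lab describes, rather than trusting that every step was typed, the script below is an added example (not from this handout and not Cisco code). It audits a running-config for the ip domain-name, ip ssh version 2, transport input ssh and login local settings used above, reads the SSH version and authentication limits out of show ip ssh output, and reads the RSA modulus size back from the key-generation transcript, reporting anything that falls short of the lab's recommendations. The two sample configurations, the show ip ssh text and the transcript lines are constructed from the lab's own commands; the hash value is a placeholder.

```python
"""Audit the remote-access hardening LAB 3 walks through on a Cisco IOS device.

Added example, not from the lab handout and not Cisco code. Inputs are the
running-config, the output of `show ip ssh`, and the transcript of
`crypto key generate rsa`. Section parsing relies only on IOS indenting child
commands under their parent with a leading space.
"""
import re

MIN_RSA_BITS = 2048  # the lab advises against 1024-bit or smaller keys


def parse_sections(config_text):
    """Map each top-level IOS command to the list of its indented child commands."""
    sections = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_remote_access(config_text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    findings = []
    if not any(re.match(r"ip domain[- ]name \S+", key) for key in sections):
        findings.append("no ip domain-name: the RSA key pair for SSH cannot be generated")
    if "ip ssh version 2" not in sections:
        findings.append("ip ssh version 2 missing: server stays at 1.99 and still accepts SSHv1 clients")
    for key, children in sections.items():
        if not key.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{key}: transport input is {transports or 'not set'}, not ssh only")
        per_user = "login local" in children or any(c.startswith("login authentication") for c in children)
        if not per_user:
            findings.append(f"{key}: no login local, so access relies on a shared line password")
    return findings


def parse_show_ip_ssh(output):
    """Extract state, version, timeout and retry count from `show ip ssh` output."""
    head = re.search(r"SSH (Enabled|Disabled)\s*-\s*version (\S+)", output)
    auth = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", output)
    return {
        "enabled": bool(head) and head.group(1) == "Enabled",
        "version": head.group(2) if head else None,
        "timeout": int(auth.group(1)) if auth else None,
        "retries": int(auth.group(2)) if auth else None,
    }


def rsa_bits_from_transcript(transcript):
    """Read the modulus size back from the `crypto key generate rsa` dialog."""
    m = re.search(r"% Generating (\d+) bit RSA keys", transcript)
    return int(m.group(1)) if m else None


def rsa_key_acceptable(transcript):
    """True when the generated modulus meets the lab's 2048-bit recommendation."""
    bits = rsa_bits_from_transcript(transcript)
    return bits is not None and bits >= MIN_RSA_BITS


# Constructed samples: WEAK_CONFIG is the telnet-only switch from LAB 2,
# HARDENED_CONFIG the same switch after LAB 3 (hash value is a placeholder).
WEAK_CONFIG = """\
hostname DU
username ashish privilege 15 password 0 cisco123
line con 0
 password ashish123
 login
line vty 0 4
 password ashish@123#
 login
"""
HARDENED_CONFIG = """\
hostname ASHISH-SW
ip domain-name ashish.com
username ashish privilege 15 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
ip ssh version 2
line con 0
 logging synchronous
 login local
line vty 0 4
 transport input ssh
 login local
"""
SHOW_IP_SSH = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
KEYGEN_TRANSCRIPT = ("The name for the keys will be: ASHISH-SW.ashish.com\n"
                     "% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK_CONFIG", WEAK_CONFIG), ("HARDENED_CONFIG", HARDENED_CONFIG)):
        print(name, audit_remote_access(cfg) or ["all remote-access checks passed"])
    print(parse_show_ip_ssh(SHOW_IP_SSH), "rsa ok:", rsa_key_acceptable(KEYGEN_TRANSCRIPT))
```

The SSH version check matters because the "%SSH-5-ENABLED: SSH 1.99" message seen above means the server offers both protocol versions until ip ssh version 2 is set; the vty checks catch the two ways telnet-era access survives, a transport that still accepts telnet and a shared line password instead of per-user accounts.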
Key Note:

"logging synchronous" prevents logging output from immediately interrupting your console session.
For example, when you telnet to your router or switch you will see a lot of log messages before you
have logged in with username and password.

RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an asymmetric
cryptographic algorithm; asymmetric means that there are two different keys. This is also called public
key cryptography, because one of the keys can be given to everyone.