Key Concepts: Cisco IOS
Cisco IOS provides the following networking services:
You can access the IOS CLI for management and configuration through:
Console
The CLI can be accessed through a console session, also known as the CTY line. A console uses a low speed serial connection to directly connect a computer or terminal to the console port on the router or switch.
The console port is a management port that provides out-of-band access to a router. The console port is accessible even if no networking services have been configured on the device. The console port is often used to access a device when the networking services have not been started or have failed.
Examples of console use are:
The initial configuration of the network device
Disaster recovery procedures and troubleshooting where remote access is not possible
Password recovery procedures
When a router is first placed into service, its networking parameters have not yet been configured. Therefore, the router cannot communicate via a network. To prepare for the initial startup and configuration, a computer running terminal emulation software is connected to the console port of the device. Configuration commands for setting up the router can be entered on the connected computer.
During operation, if a router cannot be accessed remotely, a connection to the console can enable a computer to determine the status of the device. By default, the console conveys the device startup, debugging, and error messages.
For many IOS devices, console access requires no form of security by default. However, the console should be configured with passwords to prevent unauthorized device access. In the event that a password is lost, there is a special set of procedures for bypassing the password and accessing the device. The device should be located in a locked room or equipment rack to prevent physical access.
Telnet and SSH
A method for remotely accessing a CLI session is to telnet to the router. Unlike the console connection, Telnet sessions require active networking services on the device. The network device must have at least one active interface configured with a Layer 3 address, such as an IPv4 address. Cisco IOS devices include a Telnet server process that launches when the device is started. The IOS also contains a Telnet client.
A host with a Telnet client can access the vty sessions running on the Cisco device. For security reasons, the IOS requires that the Telnet session use a password, as a minimum authentication method. The methods for establishing logins and passwords will be discussed in a later section.
The Secure Shell (SSH) protocol is a more secure method for remote device access. This protocol provides the structure for a remote login similar to Telnet, except that it utilizes more secure network services.
SSH provides stronger password authentication than Telnet and uses encryption when transporting session data. The SSH session encrypts all communications between the client and the IOS device. This keeps the user ID, password, and the details of the management session private. As a best practice, always use SSH in place of Telnet whenever possible.
Most newer versions of the IOS contain an SSH server. In some devices, this service is enabled by default. Other devices require the SSH server to be enabled.
IOS devices also include an SSH client that can be used to establish SSH sessions with other devices. Similarly, you can use a remote computer with an SSH client to start a secure CLI session. SSH client software is not provided by default on all computer operating systems. You may need to acquire, install, and configure SSH client software for your computer.
AUX
Another way to establish a CLI session remotely is via a telephone dialup connection using a modem connected to the router's AUX port. Similar to the console connection, this method does not require any networking services to be configured or available on the device.
The AUX port can also be used locally, like the console port, with a direct connection to a computer running a terminal emulation program. The console port is required for the configuration of the router, but not all routers have an auxiliary port. The console port is also preferred over the auxiliary port for troubleshooting because it displays router startup, debugging, and error messages by default.
Generally, the only time the AUX port is used locally instead of the console port is when there are problems using the console port, such as when certain console parameters are unknown.
Network devices depend on two types of software for their operation: operating system and configuration. Like the operating system in any computer, the operating system facilitates the basic operation of the device's hardware components.
Configuration files contain the Cisco IOS software commands used to customize the functionality of a Cisco device. Commands are parsed (translated and executed) by the Cisco IOS software when the system is booted (from the startup-config file) or when commands are entered in the CLI while in configuration mode.
A network administrator creates a configuration that defines the desired functionality of a Cisco device. The configuration file is typically a few hundred to a few thousand bytes in size.
Types of Configuration Files
A configuration file may also be stored remotely on a server as a backup.
Startup Configuration File
The startup configuration file (startup-config) is used during system startup to configure the device. The startup configuration file or startup-config file is stored in non-volatile RAM (NVRAM). Since NVRAM is non-volatile, when the Cisco device is turned off, the file remains intact. The startup-config files are loaded into RAM each time the router is started or reloaded. Once the configuration file is loaded into RAM, it is considered the running configuration or running-config.
Running Configuration
Once in RAM, this configuration is used to operate the network device.
The running configuration is modified when the network administrator performs device configuration. Changes to the running configuration will immediately affect the operation of the Cisco device. After making any changes, the administrator has the option of saving those changes back to the startup-config file so that they will be used the next time the device restarts.
Because the running configuration file is in RAM, it is lost if the power to the device is turned off or if the device is restarted. Changes made to the running-config file will also be lost if they are not saved to the startup-config file before the device is powered down.
The IOS has several forms of help available:
User Executive Mode
The user executive mode, or user EXEC for short, has limited capabilities but is useful for some basic operations. The user EXEC mode is at the top of the modal hierarchical structure. This mode is the first entrance into the CLI of an IOS router.
The user EXEC mode allows only a limited number of basic monitoring commands. This is often referred to as view-only mode. The user EXEC level does not allow the execution of any commands that might change the configuration of the device.
The user EXEC mode can be identified by the prompt ending with the > symbol.
Switch>
Privileged EXEC Mode
The execution of configuration and management commands requires that the network administrator use the privileged EXEC mode, or a specific mode further down the hierarchy.
The privileged EXEC mode can be identified by the prompt ending with the # symbol.
Switch#
Steps for Troubleshooting:
Troubleshooting Tools and their underlying protocols:
ARP (ARP, L2 protocol)
PING (ICMP, L3 protocol)
TRACEROUTE (ICMP, L3 protocol)
Troubleshooting Commands:
Router# show version
Router# show flash
Router# show interface
Router# show processes cpu
Router# show protocols
Router# show memory
Router# show stacks
Router# show buffers
Router# show startup-config
Hot Keys and Shortcuts
The IOS CLI provides hot keys and shortcuts that make configuring, monitoring, and troubleshooting easier.
The figure shows most of the shortcuts. The following are worthy of special note:
Tab - Completes the remainder of the command or keyword
Ctrl-R - Redisplays a line
Ctrl-Z - Exits configuration mode and returns to the EXEC
Down Arrow - Allows user to scroll forward through former commands
Up Arrow - Allows user to scroll backward through former commands
Ctrl-Shift-6 - Allows the user to interrupt an IOS process such as ping or traceroute
Ctrl-C - Aborts the current command and exits the configuration mode
Summary of IOS features and commands:
User EXEC Mode
enable - Enter Privileged EXEC mode
Privileged EXEC Mode
copy running-config startup-config - Copy the active configuration to NVRAM.
copy startup-config running-config - Copy the configuration in NVRAM to RAM.
erase startup-config - Erase the configuration located in NVRAM.
ping ip_address - Ping to that address.
traceroute ip_address - Trace each hop to that address.
show interfaces - Display statistics for all interfaces on a device.
show clock - Show the time set in the router.
show version - Display currently loaded IOS version, hardware, and device information.
show arp - Display the ARP table of the device.
show startup-config - Display the saved configuration located in NVRAM.
show running-config - Display the contents of the currently running configuration file.
show ip interface - Display IP statistics for interface(s) on a router.
configure terminal - Enter terminal configuration mode.
Terminal Configuration Mode
hostname hostname - Assign a host name to device.
enable password password - Set an unencrypted enable password.
enable secret password - Set a strongly encrypted enable password.
service password-encryption - Encrypt display of all passwords except secret. (weak encryption)
banner motd # message # - Sets a message-of-the-day banner.
line console 0 - Enter console line configuration mode.
line vty 0 4 - Enter virtual terminal (Telnet) line configuration mode.
interface Interface_name - Enter interface configuration mode.
Line Configuration Mode
login - Enable password checking at login.
password password - Set line password.
Interface Configuration Mode
ip address ip_address netmask - Set interface IP address and subnet mask.
description description - Set interface description.
clock rate value - Set clock rate for DCE device.
no shutdown - Set interface to up.
shutdown - Administratively set interface to down.
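The following is an added example, not part of these notes: a small Python audit that reads IOS configuration text and flags the weak settings covered above (enable password instead of enable secret, missing service password-encryption, line sections without login or password, and vty lines that still accept Telnet rather than SSH). The sample running-config it checks is constructed here, not captured from a real device.

```python
# Constructed sample running-config (not from a real device) showing the
# weak settings discussed in the command summary above.
WEAK_CONFIG = """\
hostname Switch
enable password cisco123
!
line con 0
 password console1
!
line vty 0 4
 password telnet1
 login
 transport input telnet
"""

def parse_config(config):
    """Split IOS config text into global commands and 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for line in map(str.rstrip, config.splitlines()):
        if not line or line.startswith("!"):
            current = None          # '!' or a blank line closes a section
        elif line.startswith("line "):
            current = line          # e.g. 'line vty 0 4'
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections

def audit_config(config):
    """Return a list of findings for the weak settings named in these notes."""
    global_cmds, sections = parse_config(config)
    findings = []
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("enable password used; replace with enable secret")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not set")
    for name, cmds in sections.items():
        if "login" not in cmds:
            findings.append(f"{name}: login not set, password never checked")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: no password set")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or not transport[-1].endswith(" ssh"):
                findings.append(f"{name}: Telnet allowed; use transport input ssh")
    return findings
```

Running audit_config(WEAK_CONFIG) reports four findings; a config with enable secret, service password-encryption, login plus password on each line, and transport input ssh on the vty lines reports none.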
One of the most effective tools for monitoring and troubleshooting network performance is to establish a network baseline. A baseline is a process for studying the network at regular intervals to ensure that the network is working as designed. It is more than a single report detailing the health of the network at a certain point in time. Creating an effective network performance baseline is accomplished over a period of time. Measuring performance at varying times and loads will assist in creating a better picture of overall network performance.
Backup Configuration on TFTP Server
As shown in the figure, one option is to save the running configuration or the startup configuration to a TFTP server. Use either the copy running-config tftp or copy startup-config tftp command and follow these steps:
1. Enter the copy running-config tftp command.
2. Enter the IP address of the host where the configuration file will be stored.
3. Enter the name to assign to the configuration file.
4. Answer yes to confirm each choice.