- December 6, 2020
- Posted by: Syed Shujaat
- Category: Cisco
Cisco IOS supports various command modes. The main ones, which we will be referring to below, are as follows:
- User EXEC Mode
- Privileged EXEC Mode
- Global Configuration Mode
- Interface Configuration Mode
- Sub Interface Configuration Mode
- Setup Mode
- ROM Monitor Mode
Router> <– User EXEC Mode
Router# <– Privileged EXEC mode
Router(config)# <– Global Configuration Mode
Router(config-if)# <– Interface Configuration Mode
Router(config-line)# <– Line Configuration Mode
Login banner
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
Authorized users only, violaters will be shot on sight! #
Enable Secret Password:
Router# configure terminal <– Privileged EXEC mode
Router(config)# <– Global Configuration Mode
Router(config)# enable password somestrongpassword
Router(config)# enable secret somestrongpassword
From now on, when you enter privileged EXEC mode from user EXEC mode you will be asked for a password.
Both commands set the password for privileged EXEC mode. The difference between them is how the password is stored. The enable password command stores the password in plain text, while the enable secret command stores it in encrypted form (a one-way hash).
Make sure the password-encryption service is turned on. It encrypts the passwords that would otherwise be stored in clear text, so when you do "sh run" you will see only the encrypted password and not a clear-text password. This service uses Cisco's type 7 encoding, which is reversible, so it only protects against casual viewing of the configuration; enable secret remains the stronger option.
Router(config)# service password-encryption
Configuration Modes:
line [ aux | console | tty | vty ] line-number : Enters line configuration mode and specifies the type of line.
Enable Telnet Line Password
It is also recommended to configure a password for the Telnet lines (VTY lines), which secures your access when connecting via Telnet over the network.
Router(config)# line vty 0 4
Router(config-line)# password strongTelnetPass
Router(config-line)# login
Enable Console Port
Router(config)#line console 0
Router(config-line)#password strongConsolePass
Router(config-line)#login
Secure auxiliary port
Router(config)#line aux 0
Router(config-line)#password strongAuxPass
Router(config-line)#login
Now we can generate the RSA key pair:
The switch or router should have RSA keys that it will use during the SSH process. So, generate these using the crypto command as shown below.
myswitch(config)# crypto key generate rsa
The name for the keys will be: myswitch.thegeekstuff.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
HostName
Router(config)# hostname My-Router
My-Router(config)#
Configure IPv4 addresses for Router Interfaces
My-Router(config)# interface GigabitEthernet 0/0
My-Router(config-if)# ip address 100.100.100.1 255.255.255.252
My-Router(config-if)# no shutdown
My-Router(config-if)# exit
My-Router(config)# interface GigabitEthernet 0/1
My-Router(config-if)# ip address 192.168.10.1 255.255.255.0
My-Router(config-if)# no shutdown
My-Router(config-if)# exit
Configure IPv6 addresses for Router Interfaces
IPv6 Address Type | Preferred Format | Compressed Format |
---|---|---|
Unicast | 2001:0:0:0:DB8:800:200C:417A | 2001::DB8:800:200C:417A |
Multicast | FF01:0:0:0:0:0:0:101 | FF01::101 |
Loopback | 0:0:0:0:0:0:0:1 | ::1 |
Unspecified | 0:0:0:0:0:0:0:0 | :: |
The loopback address listed in the table above may be used by a node to send an IPv6 packet to itself. The loopback address in IPv6 functions the same as the loopback address in IPv4 (127.0.0.1).
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
or
R1(config-if)#ipv6 address 2001:0BB9:AABB:1234::/64 eui-64
Device(config-if)# ipv6 enable
Device(config)# ipv6 unicast-routing !Enables the forwarding of IPv6 unicast datagrams.
Configure serial interface in the router
Router(config)#interface serial 0/0/0
Router(config-if)#description Connected to WAN Link
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#clock rate 64000 !DCE side only command. Assigns a clock rate for the interface.
Router(config-if)#bandwidth 64
Router(config-if)#no shutdown
Disable automatic domain-lookup
By default, routers try to resolve every word that is not a command as a hostname. The router first looks in the static DNS table for an entry. If it fails to find one there, it tries a DNS server at the broadcast address 255.255.255.255. If you are not going to use a DNS server or the hostname facility, it is better to turn this off. Doing so saves time, because otherwise every incorrectly typed command costs you a wait of a minute or two.
The no ip domain-lookup command is used to disable this feature.
Enable logging synchronous
Cisco IOS has a great security feature to secure the console line. It automatically logs out an idle connection after 10 minutes.
You can disable this feature in a lab environment. The exec-timeout 0 0 command disables it.
Saving Configuration
Router # copy running-config startup-config
You can display your current configuration to verify your settings as follows:
Router # show running-config
Erasing configuration in Cisco router
Router # erase startup-config
Backing up router configuration to TFTP:
Router> enable
Router# copy running-config tftp
Address or name of remote host []? 10.10.0.1
Destination filename [PeteRouter-confg]? PeteRouter_Backup
!!
7400 bytes copied in 0.548 secs (13504 bytes/sec)