CNE1 - Labor3 - IOS Basics PDF
Document Details
Uploaded by DelightfulAwe6985
University of Applied Sciences Aargau
2020
Karl Pracher
Summary
This document is a collection of slides detailing computer networking concepts, specifically IOS basics, CLI, security. The slides, created by Karl Pracher from the University of Applied Sciences Salzburg in February 2020, focus on Cisco CCNAv7 resources.
Full Transcript
Computer Networks 2, Lab 1 – IOS basics, CLI, security. University of Applied Sciences Salzburg, Feb 2020, Karl Pracher. Slides and contents based on Cisco CCNAv7 resources. © 2016 Cisco and/or its affiliates. All rights reserved.

Cisco IOS Access

Access Methods
▪ Console – A physical management port used to access a device in order to provide maintenance, such as performing the initial configuration. A special rollover cable is needed to connect to the COM port of a PC.
▪ Auxiliary port (AUX) – A physical port used to access a device over a telephone line (through a modem). It is used like the console.
▪ Out-of-band connections – The console and AUX port are so-called out-of-band connections: they allow access to the device without a configured networking service, so they keep working when the network configuration is broken or not yet present.

Access Methods (Cont.)
▪ Secure Shell (SSH) – Establishes a secure remote CLI connection to a device, through a virtual interface, over a network. (Note: This is the recommended method for remotely connecting to a device.)
▪ Telnet – Establishes an insecure remote CLI connection to a device over the network. (Note: User authentication, passwords and commands are sent over the network in plaintext, so anyone able to capture the traffic obtains the credentials.)

Terminal Emulation Programs
Terminal emulation programs are used to connect to a network device by either a console port or by an SSH/Telnet connection. There are several terminal emulation programs to choose from, such as PuTTY, Tera Term and SecureCRT.

IOS Navigation
Primary Command Modes
▪ User EXEC Mode: Allows access to only a limited number of basic monitoring commands. Identified by the CLI prompt that ends with the > symbol.
▪ Privileged EXEC Mode: Allows access to all commands and features. Identified by the CLI prompt that ends with the # symbol.

Configuration Mode and Subconfiguration Modes
▪ Global Configuration Mode: Used to access configuration options on the device.
▪ Line Configuration Mode: Used to configure console, SSH, Telnet or AUX access.
▪ Interface Configuration Mode: Used to configure a switch port or router interface.

Navigation Between IOS Modes
▪ Privileged EXEC Mode: To move from user EXEC mode to privileged EXEC mode, use the enable command.
▪ Global Configuration Mode: To move from privileged EXEC mode into global configuration mode, use the configure terminal command. To return to privileged EXEC mode, use the exit command.
▪ Line Configuration Mode: To move into line configuration mode, use the line command followed by the management line type. To return to global configuration mode, use the exit command.

Navigation Between IOS Modes (Cont.)
▪ Subconfiguration Modes: To move out of any subconfiguration mode back to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command or the key combination Ctrl+Z. To move directly from one subconfiguration mode to another, type the desired subconfiguration mode command; in the example, the command prompt changes from (config-line)# to (config-if)#.

The Command Structure
Basic IOS Command Structure
▪ Keyword – A specific parameter defined in the operating system (in the figure, ip protocols).
▪ Argument – Not predefined; a value or variable supplied by the user (in the figure, 192.168.10.5).

IOS Command Syntax Check
A command might require one or more arguments. To determine the keywords and arguments required for a command, refer to the command syntax. Boldface text indicates commands and keywords that are entered as shown. Italic text indicates an argument for which the user provides the value.

Convention – Description
boldface – Boldface text indicates commands and keywords that you enter literally as shown.
italics – Italic text indicates arguments for which you supply values.
[x] – Square brackets indicate an optional element (keyword or argument).
{x} – Braces indicate a required element (keyword or argument).
[x {y | z}] – Braces and vertical lines within square brackets indicate a required choice within an optional element.
Spaces are used to clearly delineate parts of the command.

IOS Command Syntax Check (Cont.)
▪ The command syntax provides the pattern, or format, that must be used when entering a command.
▪ The command is ping and the user-defined argument is the ip-address of the destination device. For example, ping 10.10.10.5.
▪ The command is traceroute and the user-defined argument is the ip-address of the destination device. For example, traceroute 192.168.254.254.
▪ If a command is complex with multiple arguments, the syntax lists every keyword and argument in the order in which they must be typed.

IOS Help Features
The IOS has two forms of help available: context-sensitive help and command syntax check.
▪ Context-sensitive help enables you to quickly find answers to these questions: Which commands are available in each command mode? Which commands start with a specific character or group of characters? Which arguments and keywords are available to particular commands?
▪ Command syntax check verifies that a valid command was entered by the user. If the interpreter cannot understand the command being entered, it will provide feedback describing what is wrong with the command.

Hot Keys and Shortcuts
The IOS CLI provides hot keys and shortcuts that make configuring, monitoring, and troubleshooting easier. Commands and keywords can be shortened to the minimum number of characters that identify a unique selection. For example, the configure command can be shortened to conf because configure is the only command that begins with conf.

Hot Keys and Shortcuts (Cont.)
▪ The table below is a brief list of keystrokes to enhance command line editing.
Keystroke – Description
Tab – Completes a partial command name entry.
Backspace – Erases the character to the left of the cursor.
Left Arrow or Ctrl+B – Moves the cursor one character to the left.
Right Arrow or Ctrl+F – Moves the cursor one character to the right.
Up Arrow or Ctrl+P – Recalls the commands in the history buffer, beginning with the most recent commands.

Hot Keys and Shortcuts (Cont.)
When a command output produces more text than can be displayed in a terminal window, the IOS will display a "--More--" prompt. The keystrokes that can be used when this prompt is displayed:
Keystroke – Description
Enter Key – Displays the next line.
Space Bar – Displays the next screen.
Any other key – Ends the display string, returning to privileged EXEC mode.

Keystrokes that can be used to exit out of an operation:
Keystroke – Description
Ctrl-C – When in any configuration mode, ends the configuration mode and returns to privileged EXEC mode.
Ctrl-Z – When in any configuration mode, ends the configuration mode and returns to privileged EXEC mode.
Ctrl-Shift-6 – All-purpose break sequence used to abort DNS lookups, traceroutes, pings, etc.

Basic Device Configuration

Device Names
The first configuration command on any device should be to give it a unique hostname. By default, all devices are assigned a factory default name. For example, a Cisco IOS switch is "Switch".
Guidelines for naming devices:
▪ Start with a letter
▪ Contain no spaces
▪ End with a letter or digit
▪ Use only letters, digits, and dashes
▪ Be less than 64 characters in length
Note: To return the switch to the default prompt, use the no hostname global config command.

Password Guidelines
The use of weak or easily guessed passwords is a security concern. All networking devices should limit administrative access by securing privileged EXEC, user EXEC, and remote Telnet access with passwords. In addition, all passwords should be encrypted and legal notifications provided.
Password Guidelines:
▪ Use passwords that are more than eight characters in length.
▪ Use a combination of upper and lowercase letters, numbers, special characters, and/or numeric sequences.
▪ Avoid using the same password for all devices.
▪ Do not use common words because they are easily guessed.
Note: Most of the labs in this course use simple passwords such as cisco or class. These passwords are considered weak and easily guessable and should be avoided in production environments.

Configure Passwords
Securing user EXEC mode access:
▪ First enter line console configuration mode using the line console 0 command in global configuration mode.
▪ Next, specify the user EXEC mode password using the password password command (the second word is the password you choose).
▪ Finally, enable user EXEC access using the login command.
Securing privileged EXEC mode access:
▪ First enter global configuration mode.
▪ Next, use the enable secret password command. (Unlike the older enable password command, enable secret stores a hash of the password rather than the password itself.)

Configure Passwords (Cont.)
Securing VTY line access:
▪ First enter line VTY configuration mode using the line vty 0 15 command in global configuration mode.
▪ Next, specify the VTY password using the password password command.
▪ Finally, enable VTY access using the login command.
▪ Note: VTY lines enable remote access using Telnet or SSH to the device. Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15.

Encrypt Passwords
▪ The startup-config and running-config files display most passwords in plaintext.
▪ To encrypt all plaintext passwords, use the service password-encryption global config command.
▪ Use the show running-config command to verify that the passwords on the device are now encrypted (they appear as password 7 followed by a hex string).
▪ Caveat: service password-encryption applies a reversible Type 7 encoding based on a fixed, publicly known key. It prevents a password from being read over your shoulder in show running-config output, but anyone who obtains a copy of the configuration can recover every such password in seconds. It is not a substitute for enable secret and username ... secret, which store password hashes.

Banner Messages
▪ A banner message is important to warn unauthorized personnel from attempting to access the device.
▪ To create a message-of-the-day banner on a network device, use the banner motd # the message of the day # global config command. The banner will be displayed on attempts to access the device.
▪ Note: The "#" in the command syntax is called the delimiting character. It is entered before and after the message and must not appear inside the message itself.

Device Security

Cisco AutoSecure
The security settings are set to the default values when a new operating system is installed on a device. In most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used to assist in securing the system. In addition, there are some simple steps that should be taken that apply to most operating systems:
▪ Default usernames and passwords should be changed immediately.
▪ Access to system resources should be restricted to only the individuals that are authorized to use those resources.
▪ Any unnecessary services and applications should be turned off and uninstalled when possible.
▪ Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time and do not have the most up-to-date patches installed. It is important to update any software and install any security patches prior to implementation.

Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
▪ Use a password length of at least eight characters, preferably 10 or more characters.
▪ Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
▪ Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
▪ Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
▪ Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited.
▪ Do not write passwords down and leave them in obvious places such as on the desk or monitor.
On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar and create a phrase made of many words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is also longer and harder to guess.

Additional Password Security
There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch, including these:
▪ Encrypt all plaintext passwords with the service password-encryption command.
▪ Set a minimum acceptable password length with the security passwords min-length length command.
▪ Deter brute-force password guessing attacks with the login block-for seconds attempts tries within seconds command: after the given number of failed attempts within the second time window, logins are refused for the first number of seconds.
▪ Disable inactive privileged EXEC mode access after a specified amount of time with the exec-timeout minutes seconds line configuration command. Note that exec-timeout 0 0 disables the timeout entirely.

Enable SSH
It is possible to configure a Cisco device to support SSH using the following steps:
1. Configure a unique device hostname. A device must have a unique hostname other than the default.
2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain-name domain-name.
3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. To do so, a unique authentication key must be generated by using the global configuration command crypto key generate rsa general-keys modulus bits. The modulus value determines the size of the key and, in the CCNA material, ranges from 360 bits to 2048 bits. The larger the bit value, the more secure the key; however, larger keys also take longer to encrypt and decrypt information. The minimum recommended modulus length in the slides is 1024 bits; current IOS releases accept larger moduli, and 2048 bits is the usual choice today because 1024-bit RSA is no longer considered adequate.
4. Verify or create a local database entry. Create a local database username entry using the username global configuration command (prefer username name secret password, which stores a hash, over username name password).
5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.
6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify the permitted input protocols, including Telnet and SSH, using the transport input {ssh | telnet} command; transport input ssh alone permits SSH only and closes the plaintext Telnet path.

Disable Unused Services
Cisco routers and switches start with a list of active services that may or may not be required in your network. Disable any unused services to preserve system resources, such as CPU cycles and RAM, and to prevent threat actors from exploiting these services. The type of services that are on by default will vary depending on the IOS version. For example, IOS-XE typically will have only HTTPS and DHCP ports open. You can verify this with the show ip ports all command. IOS versions prior to IOS-XE use the show control-plane host open-ports command.

Save Configurations

Configuration Files
▪ There are two system files that store the device configuration:
startup-config – This is the saved configuration file that is stored in NVRAM. It contains all the commands that will be used by the device upon startup or reboot. NVRAM does not lose its contents when the device is powered off.
running-config – This is stored in Random Access Memory (RAM). It reflects the current configuration. Modifying a running configuration affects the operation of a Cisco device immediately. RAM is volatile memory. It loses all of its content when the device is powered off or restarted.
▪ To save changes made to the running configuration to the startup configuration file, use the copy running-config startup-config privileged EXEC mode command.

Alter the Running Configuration
If changes made to the running config do not have the desired effect and the running-config has not yet been saved, you can restore the device to its previous configuration. To do this you can:
▪ Remove the changed commands individually.
▪ Reload the device using the reload command in privileged EXEC mode. Note: This will cause the device to briefly go offline, leading to network downtime.
If the undesired changes were saved to the startup-config, it may be necessary to clear all the configurations using the erase startup-config command in privileged EXEC mode. After erasing the startup-config, reload the device to clear the running-config file from RAM.

Capture Configuration to a Text File
Configuration files can also be saved and archived to a text document.
Step 1. Open terminal emulation software, such as PuTTY or Tera Term, that is already connected to a switch.
Step 2. Enable logging in the terminal software and assign a name and file location to save the log file. The figure displays that all session output will be captured to the file specified (i.e., MySwitchLogs).

Capture Configuration to a Text File (Cont.)
Step 3. Execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the terminal window will be placed into the chosen file.
Step 4. Disable logging in the terminal software. The figure shows how to disable logging by choosing the None session logging option.
Note: The text file created can be used as a record of how the device is currently implemented. The file could require editing before being used to restore a saved configuration to a device. Because the capture contains every Type 7 password string and any other credential present in the configuration, store it with the same care as the device itself.
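The following Python script is an added example, not code from the slides or from Cisco, that ties the Device Security steps to the text capture described in Steps 1 to 4: it parses a saved show running-config file, reverses any Type 7 strings produced by service password-encryption, and reports which of the hardening steps listed under Additional Password Security and Enable SSH are missing. The two embedded configurations are constructed for illustration (the hash values in the hardened one are placeholders); the Type 7 key is the fixed constant IOS uses.

```python
"""Audit a captured running-config against the hardening steps above.
Added example, not code from the slides or from Cisco. The two configs
below are constructed; the enable/username hash values are placeholders."""
import re

# Fixed, publicly documented key behind `service password-encryption` (Type 7).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Type 7 = two-digit key offset + hex(password XOR key); trivially reversible."""
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]) for i, b in enumerate(data))


def parse_blocks(config):
    """Group a show running-config dump into (command, [indented sub-commands])."""
    blocks = [("global", [])]
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                         # blank lines and '!' separators
        if raw.startswith(" "):
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [hdr for hdr, _ in blocks]
    findings = []
    if not any(c.startswith("hostname ") and c[9:].strip() not in ("Switch", "Router") for c in top):
        findings.append("hostname is still the factory default")
    for prefix, why in (
        ("enable secret ", "no enable secret (privileged EXEC unprotected or reversible enable password)"),
        ("service password-encryption", "service password-encryption not set, line passwords are plaintext"),
        ("security passwords min-length", "no minimum password length"),
        ("login block-for", "no login block-for, brute-force guessing is not rate limited"),
        ("banner motd", "no banner motd"),
        ("ip domain-name", "no ip domain-name, RSA key for SSH cannot be generated"),
    ):
        if not any(c.startswith(prefix) for c in top):
            findings.append(why)
    if any(c.startswith("username ") and " password " in c for c in top):
        findings.append("username ... password used instead of username ... secret")
    for hdr, body in blocks:
        if hdr.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{hdr}: transport input not restricted to ssh")
            elif "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{hdr}: '{transport}' allows plaintext Telnet")
            if "login local" not in body:
                findings.append(f"{hdr}: not using login local")
        if hdr.startswith("line "):
            timeout = next((b for b in body if b.startswith("exec-timeout")), None)
            if timeout is None or timeout == "exec-timeout 0 0":
                findings.append(f"{hdr}: idle sessions never time out")
        for cmd in [hdr, *body]:             # Type 7 strings appear at both levels
            m = re.search(r"password 7 ([0-9A-Fa-f]+)", cmd)
            if m:
                findings.append(f"{hdr}: Type 7 password recovers to {type7_decode(m.group(1))!r}")
    return findings


# Constructed samples: the weak config relies only on service password-encryption.
WEAK_CONFIG = """\
hostname Switch
service password-encryption
enable password 7 05080A0E325F
username admin password 7 094F471A1A0A
line con 0
 password 7 094F471A1A0A
 login
line vty 0 15
 password 7 094F471A1A0A
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname S1
ip domain-name lab.example.com
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
enable secret 9 $9$placeholder-hash
username admin secret 9 $9$placeholder-hash
banner motd ^CAuthorized access only. Disconnect now if you are not authorized.^C
line con 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 exec-timeout 5 0
 transport input ssh
"""
```

Calling audit_config(WEAK_CONFIG) flags the default hostname, the missing enable secret, the Telnet transport, the missing exec-timeout and login block-for, and recovers cisco and class from the Type 7 strings; audit_config(HARDENED_CONFIG) returns no findings. The check is purely syntactic: it cannot tell whether the RSA key from step 3 was actually generated, because key material is not part of the configuration file.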