Archive for the ‘cisco’ Category

New CCIE R&S Lab 4.0 Blueprint

So I’m sitting at the CCIE R/S lab Beta, and beginning the part I was sooooo looking forward to – the new 2-hour troubleshooting section. 2 minutes into that section, I was completely bummed. It seemed too much to even attempt. 40-ish routers and switches… 10-12 trouble tickets… 2 hours… plus a new user interface. But by the end of the process, I had completely reversed my opinion – I thought it was completely reasonable. Today, I’ll describe the process and draw a few conclusions about the t’shooting section.

First, a little context is in order. The day began with a brief talk w/ the proctor, and a look around the parts of the user interface you could see before starting the timer. Then, it was time to start a timer and then answer the open-ended questions. Cisco didn’t require that the Beta candidates pass that part – they wanted the labs, process, interface, etc tested – so then it was time to click start to crank up the t’shooting part of the lab.

(I’m assuming you read my last post, which talks about the GUI; if not, go here.)

There was no physical lab book, but there was a window that you could display that lists the various t’shooting tasks that I would refer to as trouble tickets. Each task or ticket describes a problem, eg, PC1 can’t ping PC2, intervening routers should be set up to do x, y, z, make it work, that kind of thing. I can’t say how many I had, but I did get permission to say 10-12 tickets is typical. Just my opinion, but that number may change over time, particularly as they build more, some of which may take longer or shorter time.

The GUI actually worked pretty well for reading the tickets. The t’shooting tasks could be easily scrolled from the window that displays the tasks. So if I looked at my list, thought about doing numbers 3, 5, or 7 next, it was quick and easy to review each briefly. Because the tickets did not seem to be dependent on each other, it seemed a good strategy to do the easiest for me first, ignore those for which I had no current knowledge of the config, and get the tweeners in between. (Your tickets might be interdependent – they just weren’t in my case.) Regardless, the GUI made it easy to navigate to the trouble ticket I wanted to tackle next.

The shock in the first few minutes was the unveiling of the topology figure. 30-to-40 or so routers/switches interconnected, lots of redundancy. Yikes! On top of that, I came to the lab with the typical strategy for doing the config section, planning to get a good handle on the topology before doing any of the exercises. However, a 4X bigger topology than a typical config topology made that difficult. Plus, the information in the figure was a bit sparser than the typical multiple view figures for the config section. So, going in with my “understand the topology” strategy was not good, particularly in light of the time constraints.

An interesting aside: the config section continues to be performed on real gear, sitting in a rack somewhere else (I think San Jose, not sure, but it wasn’t next to us in Raleigh). But the big t’shooting topology was on a “virtual environment”, to use the approved description. So they don’t have tons of 30-to-40-device pods waiting on you. I don’t know where those instances were hosted, but the response time was better on the t’shooting labs than in the config labs.

The individual tickets were clear and fair. Plus, they were not long – after reading through them all at once, on the 2nd time through, it took maybe 10 seconds to re-read, and it was time to get into the consoles. So, there was only a little time consumed to understand each issue.

For those tickets for which I knew the topic well – those for which the list of likely potential root causes leaped to mind – I took 7-8 minutes from re-reading the ticket to finding/fixing the problem. (Yep, anal retentive Wendell timed them all.) Those for which I knew the topic pretty well, I needed 12-ish minutes on average. I had no clue on 2 of them, but they were well within the scope of the lab blueprint. I think they were all solvable for a prepared candidate, but I thought that maybe… 1 less ticket would have been appropriate, especially with the learning curve on the GUI at that point. But I think if I had mastered all the topics in those tickets, 2 hours was enough to get them done.

The biggest issue with the t’shooting section was how I approached the task. If I took it again, I would not use the usual config section approach of reading everything twice, making diagrams, understanding the topology, and then actually starting to use the CLI. I think I’d use a “read once, and then react” strategy, and be into the CLI for the first ticket within 5 minutes of starting. Think real life, the phone rings, a problem has occurred, you listen for a few minutes, and start logging in. Because most of the tickets let me zero in on 3-5 devices to solve the problem, it was more like a bunch of separate labs with separate topologies, rather than the more comprehensive config section. (I was told the fact that my tickets were focused to a small area of the topology doesn’t mean that all will be, so be warned.) Regardless, if I had to take it again, my strategy would be as follows:

  1. Read all tickets once, enough to find the main topics, and make a checklist in your notes
  2. Pick the easiest, and start picking them off (order wasn’t important in what I saw)
  3. For each ticket:
     - Create a mental checklist of things to check while reading the ticket
     - No style points: the solution is to change the config, so “show run” is probably needed within the first 3-4 commands
     - Personal t’shooting style plays a role
  4. I’d make a list of the devices I’m working on for each ticket, in case a later ticket also uses those devices; I could’ve shaved a few minutes by being more aware of where I had been before.
  5. If you plan to spend time later reviewing/confirming, assuming you finish faster than 2 hours, take notes on what you configured on each device, on each ticket

Cisco Ironport

Great article on the subject

http://www.networkworld.com/community/node/46036?source=NWWNLE_nlt_cisco_2009-10-09

CCIE World count

Found this page interesting considering CCIE’s are a big deal!

http://www.cisco.com/web/learning/le3/ccie/certified_ccies/worldwide.html

Cisco voice monitoring by solarwinds

SolarWinds Tuesday announced an updated product that the company says will enable IT departments to use Cisco IP SLA to better manage WAN connections, router performance statistics and VoIP metrics.

SolarWinds’ Orion IP SLA Manager replaces the vendor’s Orion VoIP Monitor and combines capabilities to track voice metrics such as jitter, latency and packet loss with visibility into Cisco’s IOS IP SLA. According to Cisco, IOS IP SLAs “use active monitoring to generate traffic in a continuous, reliable and predictable manner, thus enabling the measurement of network performance and health.”

SolarWinds says it decided to monitor the Cisco technology with a commercial product (the vendor already made a free IP SLA monitoring tool available) because enterprise IT managers are overcoming the traditional barriers to such Cisco tools as IP SLA and NetFlow, for instance.

“Traditionally there were key barriers to the deployment of IP SLA in customer environments. It could potentially have a pretty negative impact,” says Josh Stephens, head geek for SolarWinds. “That has changed a lot over the past few years and now you can configure devices in such a way that IP SLA and NetFlow don’t impact the operation of the device, but still add value when it comes to network performance monitoring.”

The software, targeted at network engineers ideally, can understand from every point on the network how voice applications, for instance, are performing, Stephens says. The product can help network managers get from one tool metrics on how each site is operating from a WAN perspective as well. Because IP SLA is already built into Cisco routers, network managers can quickly generate network and services performance data to identify site-specific or WAN-related performance issues. It tracks edge-to-edge router performance statistics that can be exported into a dashboard for quick reference as well, SolarWinds says.

“Performance can vary greatly across sites,” Stephens explains. “This product helps to make the process of collecting this data simple and helps network engineers better understand the performance of the networks, applications and services.”

Competitive products include CA’s eHealth, which CA obtained via its Concord Communications buy, and tools developed by InfoVista.

SolarWinds Orion IP SLA Manager pricing starts at $1,495, including first year maintenance. Orion IP SLA requires an installation of Orion Network Performance Monitor (NPM). Pricing starts at $2,475 for Orion NPM, including first year maintenance.

Boot sequence for cisco routers

Booting up the Router

Cisco routers can boot Cisco IOS software from these locations:

 

  1. Flash memory
  2. TFTP server
  3. ROM (not full Cisco IOS)

Multiple source options provide flexibility and fallback alternatives

 

Locating the Cisco IOS Software

Default boot sequence for Cisco IOS software:

 

  1. NVRAM
  2. Flash (sequential)
  3. TFTP server (network boot)
  4. ROM (partial IOS)

Note: boot system commands can be used to specify the primary IOS source and fallback sequences.

 

Booting up the router and locating the Cisco IOS

  1. POST (power-on self-test)
  2. Bootstrap code executed
  3. Check the configuration register value (stored in NVRAM and changed with the config-register command). Its low-order four bits, the boot field, select the mode:
     0 = ROM Monitor mode
     1 = ROM IOS (the partial image in ROM)
     2 - 15 = look for boot instructions in the startup-config in NVRAM
  4. Startup-config file: check for boot system commands (NVRAM).
     If there are boot system commands in the startup-config:
     a. Run the boot system commands in the order they appear in the startup-config to locate the IOS
     b. If all boot system commands fail, use the default fallback sequence to locate the IOS (Flash, TFTP, ROM)
     If there are no boot system commands in the startup-config, use the default fallback sequence:
     a. Flash (sequential)
     b. TFTP server (netboot)
     c. ROM (partial IOS), or keep retrying TFTP, depending on the router model
  5. If an IOS image is loaded but there is no startup-config file, the router enters setup mode (the setup dialogue) instead of applying a configuration.
  6. If no IOS image can be loaded, the router runs the partial IOS from ROM.


Default (normal) Boot Sequence

Power on router – router does POST – bootstrap starts the IOS load – check the configuration register
to see what mode the router should boot up in (usually 0x2102; any boot field from 2 to F means “look in NVRAM”) – check the startup-config file in NVRAM for boot system commands (normally there aren’t any) – load the IOS from Flash – apply the startup-config.

 

Boot System Commands

Router(config)# boot system flash <IOS filename>                         – boot from Flash memory
Router(config)# boot system tftp <IOS filename> <tftp server ip address>  – boot from a TFTP server
Router(config)# boot system rom                                          – boot from system ROM

The commands are tried in the order they appear in the startup-config, so save the configuration after changing them. A tftp entry means the router will load and run whatever image the named server hands it over an unauthenticated protocol; keep it as a fallback after Flash, not as the primary source.

 

Configuration Register Command

Router(config)# config-register 0x210x (where the last x is 0-F in hex; 0x2102 is the usual value)

When the last x is:
0 = boot into ROM Monitor mode
1 = boot the ROM IOS
2 – 15 = look in the startup-config file in NVRAM

Bit 6 (0x0040) tells the router to ignore the startup-config in NVRAM. That is what the password-recovery value 0x2142 does: the router boots with no configuration and no passwords. After a recovery, set the register back to 0x2102, save the configuration, and confirm the value with show version (“Configuration register is 0x2102”).

I hope you found this article to be of use and it helps you prepare for your Cisco CCNA certification. Achieving your CCNA certification is much more than just memorizing Cisco exam material. It is having the real world knowledge to configure your Cisco equipment and be able to methodically troubleshoot Cisco issues. So I encourage you to continue in your studies for your CCNA exam certification.

Cisco IOS commands

Routing with Cisco 2500 and 1000 Series for LAN-ISDN Service

Commands – General

There are 3 different modes of operation within the Cisco IOS.

  1. Disabled mode (user EXEC; the prompt ends in >)
  2. Enabled mode (privileged EXEC; the prompt ends in #)
  3. Configuration mode (the prompt ends in (config)#)

In the Disabled mode you can use a limited number of commands. This is used primarily to monitor the router.

The Enabled mode is used to show configuration information, enter the configuration mode, and make changes to the configuration.

The Configuration mode is used to enter and update the running configuration.

To get a list of the commands available on the router, type ‘?’ at the prompt. To get further information about any command, type the command followed by a ‘?’.

clear Reset functions
clock Manage the system clock
configure Enter configuration mode
debug Debugging functions (see also ‘undebug’)
disable Turn off privileged commands
enable Turn on privileged commands
erase Erase flash or configuration memory
exit Exit from the EXEC
help Description of the interactive help system
login Log in as a particular user
logout Exit from the EXEC
no Disable debugging functions
ping Send echo messages
reload Halt and perform a cold restart
setup Run the SETUP command facility
show Show running system information
telnet Open a telnet connection
terminal Set terminal line parameters
test Test subsystems, memory, and interfaces
traceroute Trace route to destination
tunnel Open a tunnel connection
undebug Disable debugging functions (see also ‘debug’)
verify Verify checksum of a Flash file
write Write running configuration to memory, network, or terminal


show  
access-lists List access lists
arp ARP table
buffers Buffer pool statistics
configuration Contents of Non-Volatile memory
controllers Interface controller status
debugging State of each debugging option
dialer Dialer parameters and statistics
extended Extended Interface Information
flash System Flash information
flh-log Flash Load Helper log buffer
history Display the session command history
hosts IP domain-name, lookup style, name servers, and host table
interfaces Interface status and configuration
ip IP information
isdn ISDN information
line TTY line information
logging Show the contents of logging buffers
memory Memory statistics
privilege Show current privilege level
processes Active process statistics
protocols Active network routing protocols
queue Show queue contents
queueing Show queueing configuration
reload Scheduled reload information
route-map route-map information
running-config Current operating configuration
sessions Information about Telnet connections
smf Software MAC filter
stacks Process stack utilization
startup-config Contents of startup configuration
subsys Show subsystem information
tcp Status of TCP connections
terminal Display terminal configuration parameters
users Display information about terminal lines
version System hardware and software status

Other Useful Commands

View the Software Version
View the Ethernet IP
View the Serial IP
View the Default Route
View the Filters
View the Bandwidth
Add a Static Route
Change the Dial Number
Turn Filters On and Off
Ping from the Router
Traceroute from the Router

View the Software Version

Cisco>en
Cisco#wr term    <--- Shows the running configuration
Building configuration...
Current configuration:
!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname Cisco
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0
 ip address 192.168.6.1 255.255.255.0
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial1
 ip address 192.168.4.2 255.255.255.0
 encapsulation frame-relay
 bandwidth 1536
 keepalive 5
 frame-relay map ip 192.168.4.1 101 IETF
!
router rip
 version 2
 network 192.168.4.0
 network 192.168.6.0
 neighbor 192.168.6.2
 neighbor 192.168.4.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.2
ip route 0.0.0.0 0.0.0.0 192.168.4.1
!
line con 0
line aux 0
line vty 0 4
login
!
end

View the Ethernet IP

Router#wr term

This will show the running configuration.
Within the configuration, you will see an interface ethernet 0 section:

interface Ethernet0
ip address 38.150.93.1 255.255.255.0
no ip directed-broadcast

View the Serial IP

Router#wr term

Within the configuration, you will see an interface serial 0 section:

interface Serial0
ip address 38.21.10.100 255.255.255.0
ip broadcast-address 38.21.10.255
ip access-group 106 in
encapsulation frame-relay
bandwidth 56
no fair-queue
frame-relay map ip 38.21.10.1 500 IETF

View the Default Route

Router#wr term

Within the configuration, you will see an ip route section. 

In the ip route section, look for a route:
ip route 0.0.0.0 0.0.0.0 38.167.29.1
The last ip address is the POP ip.

View the Filters

Router#wr term

Under interface serial 0, look for:

ip access-group 104 in
ip access-group 105 out

This means that access-group 104 is the inbound filter set and
access-group 105 is the outbound filter set.
Then, continue to look in the configuration for the access-list statements:

(Example access-list statements)
access-list 104 deny   ip 38.166.101.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 permit tcp any eq ftp-data any gt 1023
access-list 104 permit udp any eq domain any gt 1023
access-list 104 permit udp any eq domain any eq domain
access-list 104 permit icmp any any
access-list 104 permit udp any eq snmp any gt 1023
access-list 105 deny   ip any 38.166.101.0 0.0.0.255
access-list 105 permit tcp any any established
access-list 105 permit tcp any any eq ftp
access-list 105 deny   udp any eq netbios-ns any
access-list 105 deny   udp any eq netbios-dgm any
access-list 105 permit ip any any
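As an added example, not part of the original page, the following Python script parses the extended ACL lines above and evaluates sample packets against them the way IOS does: top to bottom, first match wins, implicit deny when nothing matches, and wildcard-mask bits set to 1 treated as “don't care”. The packet addresses, the port-name table and the Packet/Ace helpers are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample input: the two extended ACLs above, as seen in "wr term" output.
SAMPLE_CONFIG = """\
access-list 104 deny   ip 38.166.101.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 permit tcp any eq ftp-data any gt 1023
access-list 104 permit udp any eq domain any gt 1023
access-list 104 permit udp any eq domain any eq domain
access-list 104 permit icmp any any
access-list 104 permit udp any eq snmp any gt 1023
access-list 105 deny   ip any 38.166.101.0 0.0.0.255
access-list 105 permit tcp any any established
access-list 105 permit tcp any any eq ftp
access-list 105 deny   udp any eq netbios-ns any
access-list 105 deny   udp any eq netbios-dgm any
access-list 105 permit ip any any
"""

# IOS port keywords used in the sample (a subset of what IOS accepts).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53,
              "www": 80, "snmp": 161, "netbios-ns": 137, "netbios-dgm": 138}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


@dataclass
class Ace:
    action: str
    proto: str
    src: int
    src_wc: int
    sport: Optional[Callable[[int], bool]]
    dst: int
    dst_wc: int
    dport: Optional[Callable[[int], bool]]
    established: bool
    text: str


def _addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (base, wildcard, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2


def _port(t, i):
    """Parse an optional 'eq|gt|lt PORT' at t[i]; return (predicate or None, next)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        n = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[t[i]], i + 2
    return None, i


def parse_acls(config_text):
    """Return {acl_number: [Ace, ...]} in configured order (which is the match order)."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, src_wc, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dst_wc, i = _addr(t, i)
        dport, i = _port(t, i)
        acls.setdefault(int(t[1]), []).append(
            Ace(t[2], t[3], src, src_wc, sport, dst, dst_wc, dport,
                "established" in t[i:], line.strip()))
    return acls


def _addr_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; only the 0 bits must be equal."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(aces, pkt):
    """First matching entry decides; with no match IOS applies its implicit deny."""
    sa = int(ipaddress.IPv4Address(pkt.src))
    da = int(ipaddress.IPv4Address(pkt.dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(sa, ace.src, ace.src_wc) and _addr_match(da, ace.dst, ace.dst_wc)):
            continue
        if ace.sport is not None and not ace.sport(pkt.sport):
            continue
        if ace.dport is not None and not ace.dport(pkt.dport):
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.established):
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print(evaluate(acls[104], Packet("tcp", "203.0.113.5", "38.21.10.100", 51000, 23)))
    print(evaluate(acls[104], Packet("udp", "203.0.113.5", "38.21.10.100", 161, 40000)))
```

Running it shows the two sides of this filter: an inbound telnet SYN matches nothing and is dropped by the implicit deny, but a UDP packet whose source port happens to be 161 (or 53) reaches any port above 1023. Entries such as `permit udp any eq snmp any gt 1023` trust a port number that the remote end chooses freely, so they open the inside to anyone willing to bind their client to that port; reflexive or stateful filtering, or at least restricting the destination to the real DNS/SNMP clients, is the fix.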

View the Bandwidth

Router#wr term

Within the config, you will see an interface serial 0 section. The bandwidth value is in kilobits per second (56 here); IOS uses it for routing-protocol metrics and interface statistics, and it does not rate-limit the link:

interface Serial0
ip address 38.21.10.100 255.255.255.0
ip broadcast-address 38.21.10.255
ip access-group 106 in
encapsulation frame-relay
bandwidth 56
no fair-queue
frame-relay map ip 38.21.10.1 500 IETF

Add a Static Route

Cisco#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco(config)#ip route DEST.DEST.DEST.DEST MASK.MASK.MASK.MASK GATE.GATE.GATE.GATE
where: DEST.DEST.DEST.DEST = The destination network the static route is for
       MASK.MASK.MASK.MASK = The subnet mask of the destination network
       GATE.GATE.GATE.GATE = The gateway of the static route
Example route statement:
ip route 38.222.75.0 255.255.255.0 38.20.5.1
Cisco(config)#^Z (hit <control> z)

Write the entry to memory:

Cisco#wr mem
Building configuration...
[OK]

Change the Dial Number

Type en to put the router in enable mode:

test.com>en

The password should be the same as the one used to telnet in.

Password:

To view the router's configuration, type:

test.com#show config

There will be a line in the configuration that says:

dialer map IP 38.1.1.1 speed 64 name LD3330 2707000

The 2707000 is the dial number.

NOTE: Record what interface the dialer map IP line is under because you will need to
use that interface when changing the number.

Type config t to configure from terminal.

test.com#config t

Enter configuration commands, one per line.  End with CNTL/Z.
Enter the interface that the dialer map IP line is under:

test.com(config)#interface BRI0

Add in the new dialer map IP line with the new phone number:

test.com(config)#dialer map IP 38.1.1.1 speed 64 name LD3330 [new number]

Now, remove the old dialer map IP line.
To remove a line, type no and then the line.
For example, to remove the old dialer map IP, type:

test.com(config)#no dialer map IP 38.1.1.1 speed 64 name LD3330 2707000

Now leave config mode:

test.com(config)# [control] z

Save changes:

test.com# write mem
Building configuration...
[OK]

Verify the new number is in the config:

test.com#show config

The new number should be in the dialer map IP line.

Turn Filters On and Off

To turn the filters off:

Router#configure terminal
Router(config)#interface Serial0
Router(config-if)#no ip access-group 104 in
Router(config-if)#no ip access-group 105 out
Router(config-if)# Hit CTRL-Z
Router#wr mem
Building configuration...
[OK]
Router#

To turn the filters on:


Router#configure terminal
Router(config)#interface Serial0
Router(config-if)#ip access-group 104 in
Router(config-if)#ip access-group 105 out
Router(config-if)# Hit CTRL-Z
Router#wr mem
Building configuration...
[OK]
Router#

Ping from the Router

Cisco#ping <hostname>
Example:
Cisco#ping 38.8.14.2

Cisco router configuration

There are several methods available for configuring Cisco routers. It can be done over the network from a TFTP server. It can be done through the menu interface provided at bootup, and it can be done from the menu interface provided by using the command setup. This tutorial does not cover these methods. It covers configuration from the IOS command-line interface only. Useful for anyone new to Cisco routers, and those studying for CCNA.

Note that this tutorial does not cover physically connecting the router to the networks it will be routing for. It covers operating system configuration only.

1.1 Reasons for using the command-line

The main reason for using the command-line interface instead of a menu driven interface is speed. Once you have invested the time to learn the command-line commands, you can perform many operations much more quickly than by using a menu. This is basically true of all command-line vs. menu interfaces. What makes it especially efficient to learn the command-line interface of the Cisco IOS is that it is standard across all Cisco routers. Also, some questions on the CCNA exam require you to know command-line commands.

Initially you will probably configure your router from a terminal. If the router is already configured and at least one port is configured with an IP address, and it has a physical connection to the network, you might be able to telnet to the router and configure it across the network. If it is not already configured, then you will have to directly connect to it with a terminal and a serial cable. With any Windows box you can use Hyperterminal to easily connect to the router. Plug a serial cable into a serial (COM) port on the PC and the other end into the console port on the Cisco router. Start Hyperterminal, tell it which COM port to use and click OK. Set the speed of the connection to 9600 baud and click OK. If the router is not on, turn it on.

If you wish to configure the router from a Linux box, either Seyon or Minicom should work. At least one of them, and maybe both, will come with your Linux distribution.

Often you will need to hit the Enter key to see the prompt from the router. If it is unconfigured it will look like this:

Router>

If it has been previously configured with a hostname, it will look like this:

hostname of router>

If you have just turned on the router, after it boots it will ask you if you wish to begin the initial configuration dialog. Say no; if you say yes, it will put you in the menu-driven setup interface.

The Cisco IOS command-line interface is organized around the idea of modes. You move in and out of several different modes while configuring a router, and which mode you are in determines what commands you can use. Each mode has a set of commands available in that mode, and some of these commands are only available in that mode. In any mode, typing a question mark will display a list of the commands available in that mode.

Router>?

2.2 Unprivileged and privileged modes

When you first connect to the router and provide the password (if necessary), you enter EXEC mode, the first mode in which you can issue commands from the command-line. From here you can use such unprivileged commands as ping, telnet, and rlogin. You can also use some of the show commands to obtain information about the system. In unprivileged mode you use commands like show version to display the version of the IOS the router is running. Typing show ? will display all the show commands available in the mode you are presently in.

Router>show ?

You must enter privileged mode to configure the router. You do this by using the command enable. Privileged mode will usually be password protected unless the router is unconfigured. You have the option of not password protecting privileged mode, but it is HIGHLY recommended that you do. When you issue the command enable and provide the password, you will enter privileged mode.

To help the user keep track of what mode they are in, the command-line prompt changes each time you enter a different mode. When you switch from unprivileged mode to privileged mode, the prompt changes from:

Router>

to

Router#

This would probably not be a big deal if there were just two modes. There are, in fact, numerous modes, and this feature is probably indispensable. Pay close attention to the prompt at all times.

Within privileged mode there are many sub-modes. In this document I do not closely follow Cisco terminology for this hierarchy of modes. I think that my explanation is clearer, frankly. Cisco describes two modes, unprivileged and privileged, and then a hierarchy of commands used in privileged mode. I reason that it is much clearer to understand if you just consider there to be many sub-modes of privileged mode, which I will also call parent mode. Once you enter privileged mode (parent mode) the prompt ends with a pound sign (#). There are numerous modes you can enter only after entering privileged mode. Each of these modes has a prompt of the form:

Router(arguments)#

They still all end with the pound sign. They are subsumed within privileged mode. Many of these modes have sub-modes of their own. Once you enter privileged mode, you have access to all the configuration information and options the IOS provides, either directly from the parent mode, or from one of its submodes.

If you have just turned on the router, it will be completely unconfigured. If it is already configured, you may want to view its current configuration. Even if it has not been previously configured, you should familiarize yourself with the show commands before beginning to configure the router. Enter privileged mode by issuing the command enable, then issue several show commands to see what they display. Remember, the command show ? will display all the show commands available in the current mode. Definitely try out the following commands:

Router#show interfaces
Router#show ip protocols
Router#show ip route
Router#show ip arp

When you enter privileged mode by using the command enable, you are in the top-level mode of privileged mode, also known in this document as “parent mode.” It is in this top-level or parent mode that you can display most of the information about the router. As you now know, you do this with the show commands. Here you can learn the configuration of interfaces and whether they are up or down. You can display what IP protocols are in use, such as dynamic routing protocols. You can view the route and ARP tables, and these are just a few of the more important options.

As you configure the router, you will enter various sub-modes to set options, then return to the parent mode to display the results of your commands. You also return to the parent mode to enter other sub-modes. To return to the parent mode, you hit ctrl-z. This puts any commands you have just issued into effect, and returns you to parent mode.

To configure any feature of the router, you must enter configuration mode. This is the first sub-mode of the parent mode. In the parent mode, you issue the command config.

Router#config
Router(config)#

As demonstrated above, the prompt changes to indicate the mode that you are now in.

In configuration mode you can set options that apply system-wide, also referred to as “global configurations.” For instance, it is a good idea to name your router so that you can easily identify it. You do this in configuration mode with the hostname command.

Router(config)#hostname ExampleName
ExampleName(config)#

As demonstrated above, when you set the name of the host with the hostname command, the prompt immediately changes by replacing Router with ExampleName. (Note: It is a good idea to name your routers with an organized naming scheme.)

Another useful command issued from config mode is the command to designate the DNS server to be used by the router:

ExampleName(config)#ip name-server aa.bb.cc.dd
ExampleName(config)#ctrl-Z
ExampleName#

This is also where you set the password for privileged mode. Use enable secret, which stores a salted MD5 hash (shown as a type 5 string in the configuration), rather than the older enable password, which is stored either in plaintext or in the reversible type 7 encoding; if both are configured, the secret is the one that is checked.

ExampleName(config)#enable secret examplepassword
ExampleName(config)#ctrl-Z
ExampleName#
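The following Python script is an added example, not from this tutorial and not Cisco code. It shows why enable secret is the right choice: the type 7 encoding that enable password and service password-encryption produce is a fixed XOR key stream, so a running-config that contains it contains the password. The script decodes and re-encodes type 7 strings and audits a constructed sample configuration for reversible credentials while leaving the type 5 line alone. The key constant is the publicly known IOS one; the sample config, its hostname and the audit helper are this example's own.

```python
import re

# Fixed key stream used by the IOS "type 7" encoding: a public constant, so a
# type 7 string hides a password from a glance and from nothing else.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Reverse a type 7 string: two decimal digits of key offset, then hex bytes."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plaintext, offset=8):
    """Forward direction, as 'service password-encryption' would store it."""
    data = plaintext.encode()
    out = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{out.hex().upper()}"


# Constructed sample running-config. The type 5 line is there only so the audit
# shows it being left alone; no plaintext is claimed for it.
SAMPLE_CONFIG = """\
hostname ExampleName
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
!
line con 0
 password 0 letmein
 login
line vty 0 4
 password 7 0822455D0A16
 login
"""

TYPE7_LINE = re.compile(r"^(enable )?password 7 ([0-9A-Fa-f]+)$")
PLAIN_LINE = re.compile(r"^(enable )?password (?:0 )?(\S+)$")


def audit_passwords(config_text):
    """Return (line_no, kind, recovered_plaintext) for every reversible credential."""
    findings = []
    for ln, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = TYPE7_LINE.match(line)
        if m:
            findings.append((ln, "type 7 (reversible)", type7_decode(m.group(2))))
            continue
        m = PLAIN_LINE.match(line)
        if m:
            findings.append((ln, "plaintext", m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print(finding)
```

The audit recovers “cisco” from both type 7 lines and reports the plaintext console password; the enable secret line produces no finding because a salted MD5 hash cannot be reversed this way, which is the whole point of preferring it. Treat any copy of a running-config (backups, TFTP uploads, tickets with pasted output) as holding the type 7 and plaintext passwords in the clear.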

Until you hit ctrl-Z (or type exit until you reach parent mode) your command has not been put into effect. You can enter config mode, issue several different commands, then hit ctrl-Z to activate them all. Each time you hit ctrl-Z you return to parent mode and the prompt:

ExampleName#

Here you use show commands to verify the results of the commands you issued in config mode. To verify the results of the ip name-server command, issue the command show hosts.

Cisco interface naming is straightforward. Individual interfaces are referred to by this convention:

media type slot#/port#

“Media type” refers to the type of media that the port is an interface for, such as Ethernet, Token Ring, FDDI, serial, etc. Slot numbers are only applicable for routers that provide slots into which you can install modules. These modules contain several ports for a given media. The 7200 series is an example. These modules are even hot-swappable. You can remove a module from a slot and replace it with a different module, without interrupting service provided by the other modules installed in the router. These slots are numbered on the router.

Port number refers to the port in reference to the other ports in that module. Numbering is left-to-right, and all numbering starts at 0, not at one.

For example, a Cisco 7206 is a 7200 series router with six slots. To refer to an interface that is the third port of an Ethernet module installed in the sixth slot, it would be interface ethernet 6/2. Therefore, to display the configuration of that interface you use the command:

ExampleName#show interface ethernet 6/2

If your router does not have slots, like a 1600, then the interface name consists only of:

media type port#

For example:

ExampleName#show interface serial 0

Here is an example of configuring a serial port with an IP address:

ExampleName#config
ExampleName(config)#interface serial 1/1
ExampleName(config-if)#ip address 192.168.155.2 255.255.255.0
ExampleName(config-if)#no shutdown
ExampleName(config-if)#ctrl-Z
ExampleName#

Then to verify configuration:

ExampleName#show interface serial 1/1

Note the no shutdown command. An interface may be correctly configured and physically connected, yet be “administratively down.” In this state it will not function. The command for causing an interface to be administratively down is shutdown.

ExampleName(config)#interface serial 1/1
ExampleName(config-if)#shutdown
ExampleName(config-if)#ctrl-Z
ExampleName#show interface serial 1/1

In the Cisco IOS, the way to reverse or delete the results of any command is to simply put no in front of it. For instance, if we wanted to unassign the IP address we had assigned to interface serial 1/1:

ExampleName(config)#interface serial 1/1
ExampleName(config-if)#no ip address 192.168.155.2 255.255.255.0
ExampleName(config-if)#ctrl-Z
ExampleName#show interface serial 1/1

Configuring most interfaces for LAN connections might consist only of assigning a network layer address and making sure the interface is not administratively shutdown. It is usually not necessary to stipulate data-link layer encapsulation. Note that it is often necessary to stipulate the appropriate data-link layer encapsulation for WAN connections, such as frame-relay and ATM. Serial interfaces default to using HDLC. A discussion of data-link protocols is outside the scope of this document. You will need to look up the IOS command encapsulation for more details.

IP routing is automatically enabled on Cisco routers. If it has been previously disabled on your router, you turn it back on in config mode with the command ip routing.

ExampleName(config)#ip routing
ExampleName(config)#ctrl-Z

There are two main ways a router knows where to send packets. The administrator can assign static routes, or the router can learn routes by employing a dynamic routing protocol.

These days static routes are generally used in very simple networks or in particular cases that call for them. To create a static route, the administrator tells the router that any traffic destined for a specified network should be forwarded to a specified next-hop address. In the Cisco IOS this is done with the ip route command.

ExampleName#config
ExampleName(config)#ip route 172.16.0.0 255.255.255.0 192.168.150.1
ExampleName(config)#ctrl-Z
ExampleName#show ip route

Two things should be said about this example. First, the destination is given as a network address together with its subnet mask (here 172.16.0.0 255.255.255.0, that is, 172.16.0.0/24); the router matches packets against that prefix, and when several routes match a destination the one with the longest mask wins. Second, the address it is forwarded to is the address of the next router along the path to the destination (the next hop), which should be reachable on a directly connected network. This is the most common way of setting up a static route, and the only one this document covers. Be aware, however, that there are other methods, such as pointing the route at an outgoing interface.
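
To show what the router does with a static route and its mask, here is an added example (mine, not part of the original document) of a longest-prefix-match lookup over a small IOS-style routing table. The table is constructed from addresses used in this tutorial: the static route to 172.16.0.0/24 via 192.168.150.1, the two connected networks on serial 1/1 and ethernet 2/3, plus a default route whose next hop 192.168.155.1 is my assumption. The ip route parser handles only the NETWORK MASK NEXTHOP form the text covers.

```python
"""Longest-prefix-match lookup over a small IOS-style routing table.

Added example, not from the original document. ROUTING_TABLE is built from
the tutorial's addresses; the default route (0.0.0.0/0 via 192.168.155.1)
is an assumption added to show how a more specific route beats it.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network and mask
    next_hop: Optional[str]         # None for a directly connected network
    interface: str


def parse_ip_route(line: str, interface: str) -> Route:
    """Turn 'ip route NETWORK MASK NEXTHOP' into a Route.

    Only the next-hop form covered in the text is accepted; the dotted mask
    is handed to ipaddress, which understands 'network/mask' notation.
    """
    parts = line.split()
    if parts[:2] != ["ip", "route"] or len(parts) != 5:
        raise ValueError(f"not a simple static route: {line!r}")
    network, mask, next_hop = parts[2:5]
    return Route(ipaddress.IPv4Network(f"{network}/{mask}"), next_hop, interface)


# Constructed table: connected networks from the tutorial's interface
# configuration, the tutorial's static route, and an assumed default route.
ROUTING_TABLE: List[Route] = [
    Route(ipaddress.IPv4Network("192.168.155.0/24"), None, "Serial1/1"),
    Route(ipaddress.IPv4Network("192.168.150.0/24"), None, "Ethernet2/3"),
    parse_ip_route("ip route 172.16.0.0 255.255.255.0 192.168.150.1", "Ethernet2/3"),
    parse_ip_route("ip route 0.0.0.0 0.0.0.0 192.168.155.1", "Serial1/1"),  # assumed
]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Return the matching route with the longest mask (most specific wins).

    Every route whose network contains the destination is a candidate; the
    longest prefix is chosen, so the /24 beats the /0 default when both match.
    """
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop_for(table: List[Route], destination: str) -> Optional[str]:
    """Next-hop address, 'connected' when the destination is on-link, or None."""
    route = lookup(table, destination)
    if route is None:
        return None
    return route.next_hop or "connected"
```

With the default route removed from the table, a destination such as 8.8.8.8 matches nothing and the router would drop the packet; with it present the /0 catches everything that no more specific route claims.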

Dynamic routing protocols, running on connected routers, enable those routers to share routing information. This enables routers to learn the routes available to them. The advantage of this method is that routers are able to adjust to changes in network topologies. If a route is physically removed, or a neighbor router goes down, the routing protocol searches for a new route. Routing protocols can even dynamically choose between possible routes based on variables such as network congestion or network reliability.

There are many different routing protocols, and they all use different variables, known as “metrics,” to decide upon appropriate routes. Unfortunately, a router needs to be running the same routing protocols as its neighbors. Many routers can, however, run multiple protocols. Also, many protocols are designed to be able to pass routing information to other routing protocols. This is called “redistribution.” The author has no experience with trying to make redistribution work. There is an IOS redistribute command you can research if you think this is something you need. This document’s companion case study describes an alternative method to deal with different routing protocols in some circumstances.

Routing protocols are a complex topic and this document contains only this superficial description of them. There is much to learn about them, and there are many sources of information about them available. An excellent source of information on this topic is Cisco’s website, http://www.cisco.com.

This document describes how to configure the Routing Information Protocol (RIP) on Cisco routers. From the command line, we must explicitly tell the router which protocol to use and which networks the protocol will route for. Note that the network command takes a classful network number (for example 192.168.155.0), not a host address, and it enables RIP on every interface whose address falls within that network.

ExampleName#config
ExampleName(config)#router rip
ExampleName(config-router)#network aa.bb.cc.dd
ExampleName(config-router)#network ee.ff.gg.hh
ExampleName(config-router)#ctrl-Z
ExampleName#show ip protocols

Now when you issue the show ip protocols command, you should see an entry describing RIP configuration.

Once you have configured routing on the router and configured the individual interfaces, the router should be capable of routing traffic. Give it a few moments to exchange updates with its neighbors, then issue show ip route: routes learned from the routing protocol appear there, marked with the protocol’s code (R for RIP). show ip arp is also useful at this point, but what it shows is different: the MAC addresses the router has resolved for hosts and routers on its directly connected LANs, which is filled in by ARP traffic, not by the routing protocol.

If you turned the router off right now and turned it on again, you would have to start configuration over. The running configuration lives in RAM and is not saved to any permanent storage until you save it explicitly. You can see this configuration with the command show running-config.

ExampleName#show running-config

You do want to save your successful running configuration. Issue the command copy running-config startup-config.

ExampleName#copy running-config startup-config

Your configuration is now saved to non-volatile RAM (NVRAM). Issue the command show startup-config.

ExampleName#show startup-config

Now any time you need to return your router to that configuration, issue the command copy startup-config running-config. Be aware that this merges the saved configuration into the running one rather than replacing it: commands present in the running configuration but absent from the startup configuration stay in effect. To discard unsaved changes completely, reload the router.

ExampleName#copy startup-config running-config

A complete example session, collecting the commands covered in this document:

Router>enable
Router#config
Router(config)#hostname N115-7206
N115-7206(config)#interface serial 1/1
N115-7206(config-if)#ip address 192.168.155.2 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface serial 1/1
N115-7206#config
N115-7206(config)#interface ethernet 2/3
N115-7206(config-if)#ip address 192.168.150.90 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface ethernet 2/3
N115-7206#config
N115-7206(config)#router rip
N115-7206(config-router)#network 192.168.155.0
N115-7206(config-router)#network 192.168.150.0
N115-7206(config-router)#ctrl-z
N115-7206#show ip protocols
N115-7206#ping 192.168.150.1
N115-7206#config
N115-7206(config)#ip name-server 172.16.0.10
N115-7206(config)#ctrl-z
N115-7206#ping archie.au
N115-7206#config
N115-7206(config)#enable secret password
N115-7206(config)#ctrl-z
N115-7206#copy running-config startup-config
N115-7206#exit

Inevitably, there will be problems. Usually they come in the form of a user notifying you that they cannot reach a certain destination, or any destination at all. You will need to be able to check how the router is attempting to route traffic, and you must be able to track down the point of failure.

You are already familiar with the show commands, both specific commands and how to learn what other show commands are available. Some of the most basic, most useful commands you will use for troubleshooting are:

ExampleName#show interfaces
ExampleName#show ip protocols
ExampleName#show ip route
ExampleName#show ip arp

It is very possible that the point of failure is not in your router configuration, or at your router at all. If you examine your router’s configuration and operation and everything looks good, the problem might be farther up the line. In fact, it may be the line itself, or it could be another router, which may or may not be under your administration.

One extremely useful and simple diagnostic tool is the ping command. Ping is an application of the Internet Control Message Protocol (ICMP). Ping sends an ICMP echo request to a destination IP address. If the destination machine receives the request, it responds with an ICMP echo reply. This is a very simple exchange that consists of:

Hello, are you alive?

Yes, I am.

ExampleName#ping xx.xx.xx.xx

If the ping test is successful, you know that the destination you are having difficulty reaching is alive and reachable at the IP layer, and that a return path exists. A failed ping does not prove the opposite: ICMP echo requests and replies are often filtered by firewalls or by host policy, so a host can be up and still not answer. Treat a failed ping as a reason to look further, not as proof that the destination is down.

If there are routers between your router and the destination you are having difficulty reaching, the problem might be at one of the other routers. Even if you ping a router and it responds, it might have other interfaces that are down, its routing table may be corrupted, or any number of other problems may exist.

To see where packets that leave your router for a particular destination go, and how far they get, use the traceroute command (trace is an accepted abbreviation).

ExampleName#trace xx.xx.xx.xx

It may take a few minutes for this utility to finish, so give it some time. It will display a list of all the hops it makes on the way to the destination.

There are several debug commands provided by the IOS. These commands are not covered here. Refer to the Cisco website for more information.

Do not overlook the possibility that the point of failure is a hardware or physical connection failure. Any number of things can go wrong, from board failures to cut cables to power failures. This document will not describe troubleshooting these problems, except for these simple things.

Check to see that the router is turned on. Also make sure that no cables are loose or damaged. Finally, make sure cables are plugged into the correct ports. Beyond this simple advice you will need to check other sources.

If the point of failure is farther up the line, the problem might lie with equipment not under your administration. Your only option might be to contact the equipment’s administrator, notify them of your problem, and ask them for help. It is in your interest to be courteous and respectful. The other administrator has their own problems, their own workload and their own priorities. Their agenda might even directly conflict with yours, such as an intention to change dynamic routing protocols. You must work with them, even if the situation is frustrating. Alienating someone with the power to block important routes to your network is not a good idea.

configure routers via telnet & http

Tags: ,

While the initial configuration of your Cisco router using the console port and a rollover cable may be necessary, you’ll eventually want to access routers on your network using telnet sessions. Since telnet is an IP-based application, your routers will need to be configured with at least one valid and reachable IP address to use this method. Bear in mind that telnet sends the vty password and everything you type in the clear; on any image that supports it, SSH (transport input ssh on the vty lines) does the same job without exposing credentials to anyone on the path. Also remember that in order to connect to a router using telnet, that router will need a virtual terminal (vty) password configured. If not, any connection attempts will be refused. Notice what happens when we attempt to telnet into the accra router at IP address 192.168.1.45.

cisco2501#telnet 192.168.1.45
Trying 192.168.1.45 ... Open
Password required, but none set
[Connection to accra closed by foreign host]
cisco2501#

Using telnet to connect to routers is much faster than connecting via the console port. If you recall, back in the hostname section of this chapter we added an entry to our hosts table that resolved the name accra to its IP address. Because of that, we can easily connect to the accra router by simply entering accra at the prompt. By the same token, we could just as easily enter the IP address without the telnet command preceding it. The router will assume that we’re trying to telnet if we don’t provide any additional information.

cisco2501#accra
Trying accra (192.168.1.45)... Open
User Access Verification
Password:

Before issuing the command, I set a vty password on the accra router – notice it prompts us for a password rather than refusing the connection this time.

Strictly speaking, a session from one router to another like this is an ordinary (forward) telnet session. In Cisco documentation “reverse telnet” means something else: connecting to a TCP port on a router (2000 plus the line number) in order to reach a device attached to one of that router’s asynchronous lines, the way a terminal server fronts a rack of console ports. The distinction rarely matters day to day, but you may come across the term.

After we have connected to the accra router via telnet, we still have the ability to get back to the prompt of the cisco2501 router using a special key sequence. Pressing Ctrl+Shift+6 and then the letter x returns us to the original prompt. The telnet session to the accra router is still open; we have just suspended it, perhaps to open another session to another router. Switching between connections is much more convenient than constantly logging off and back on.

Having several telnet sessions open can be a little confusing, though. To recall the sessions you have initiated and get back to them, start with the show sessions command, which lists the currently active sessions as shown below.

Cisco2501#show sessions
Conn Host            Address          Byte  Idle Conn Name
*  1 192.168.1.45    192.168.1.45        0     0 192.168.1.45
Cisco2501#

The asterisk designates the last session accessed. To reconnect to it, either press Enter twice at the prompt (this always resumes the most recent session) or type the number shown under the Conn column, in this case 1, followed by Enter; resume 1 does the same thing.

To end a telnet session, you have two main options. From within a session, just type exit.

accra>exit
[Connection to accra closed by foreign host]
cisco2501#

If you want to close a session without actually being in it, use the disconnect command. For example, to close that accra session from the cisco2501 command prompt, we would enter disconnect followed by the associated connection number.

cisco2501#disconnect 1
Closing connection to 192.168.1.45 [confirm]
cisco2501#

While configuring a router using telnet may be common, it is also possible to configure your router via a web browser. Although it is disabled by default, your router has its own small HTTP server built in, which provides yet another way to gain access to the router for the purpose of issuing commands. To enable the HTTP server, use the command ip http server from global configuration mode.

cisco2501(config)#ip http server
cisco2501(config)#

After doing this, open your web browser and point it at one of your router’s IP addresses. The browser interface may not be pretty, but it is worth being aware of its existence. In general it provides no more functionality than what is available in a telnet session, although it does offer the ability to issue commands using hyperlinks. For the most part, I suggest that you keep the HTTP server turned off: it is a second management interface, it accepts the same enable or local credentials, and the plain ip http server variant carries them over unencrypted HTTP. If you do need it, enable ip http secure-server (HTTPS) instead, set ip http authentication local, and restrict who can reach it with ip http access-class and an access list. After taking a look, the HTTP server can be turned off using the no ip http server command.
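
To make the telnet and HTTP points above concrete, here is an added example (mine, not from the original post) that audits the management-plane settings in a saved running-config: it flags vty lines that accept telnet, vty lines with no access-class, type 7 line passwords, and an HTTP server enabled without the secure variant. SAMPLE_CONFIG and HARDENED_CONFIG are constructed for this example; the hostname accra and the ACL number 23 are borrowed from this page, and the commands in the hardened version (ip http secure-server, ip http authentication local, ip http access-class, transport input ssh) are standard IOS.

```python
"""Audit the remote-access settings of an IOS running-config.

Added example, not from the original post. It reads text in the layout of
'show running-config' (top-level commands, sub-commands indented by one
space) and reports the management-plane weaknesses the post discusses.
Both configs below are constructed for this example.
"""
from typing import Iterator, List, Tuple

SAMPLE_CONFIG = """\
hostname accra
ip http server
line con 0
 login
line vty 0 4
 password 7 10420017100F
 login
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 password 7 10420017100F
 login
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname accra
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 23
line vty 0 15
 access-class 23 in
 login local
 transport input ssh
"""


def sections(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level command, [indented sub-commands]) for each block."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings = []
    top_level = {header for header, _ in sections(config)}
    if "ip http server" in top_level and "ip http secure-server" not in top_level:
        findings.append("ip http server enabled without ip http secure-server")
    for header, body in sections(config):
        if not header.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        # No 'transport input' line means the platform default applies, which
        # on older images includes telnet, so treat it as telnet too.
        if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
            findings.append(f"{header}: accepts telnet (cleartext credentials)")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting source addresses")
        if any(b.startswith("password 7 ") for b in body):
            findings.append(f"{header}: type 7 line password (reversible, not a secret)")
    return findings
```

Run audit(SAMPLE_CONFIG) and the weak config yields five findings; HARDENED_CONFIG yields none. The parser deliberately keys on the one-space indentation IOS uses, so feed it raw show running-config text rather than hand-reformatted copies.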

Cisco CLI basic configuration

Tags: ,

Hostname Configuration

yourname(config)#hostname LinuxDynasty-Cisco_1811

SNMP Configuration (For Access from Network Management Tools)

LinuxDynasty-Cisco_1(config)#snmp-server community linux ro
LinuxDynasty-Cisco_1(config)#snmp-server community dynasty rw
LinuxDynasty-Cisco_1(config)#snmp-server ifindex persist

These community strings are as typed for the demo. In production, bind each community to an access list that permits only the management stations (snmp-server community <string> ro <acl>), leave the rw community out unless a tool genuinely needs to write, and prefer SNMPv3 with authentication and privacy where the NMS supports it; a community string travels in the clear in every SNMPv1/v2c packet.

Service Configuration (to obscure passwords in “show run” output, and to stamp log entries with the date and time instead of uptime)

LinuxDynasty-Cisco_1(config)#service password-encryption
LinuxDynasty-Cisco_1(config)#service timestamps debug datetime msec localtime
LinuxDynasty-Cisco_1(config)#service timestamps log datetime msec localtime

Be clear about what service password-encryption does: it applies the type 7 encoding to passwords that would otherwise sit in the configuration in plain text. Type 7 is a fixed-key XOR, not a hash, and anyone who can read the configuration (a backup, a TFTP copy, a screenshot) can reverse it instantly. It defeats shoulder surfing and nothing more; use the secret keyword wherever IOS offers it.

Clock Settings (Configuration for Eastern Standard Time, 5 hour offset from GMT)

LinuxDynasty-Cisco_1(config)#clock timezone EST -5
LinuxDynasty-Cisco_1(config)#clock summer-time EDT recurring
*Oct  5 07:55:58.051: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:55:58 UTC Sun Oct 5 2008 to 07:55:58 EST Sun Oct 5 2008, configured from console by Cisco on console.
LinuxDynasty-Cisco_1(config)#
*Oct  5 08:56:04.423: %SYS-6-CLOCKUPDATE: System clock has been updated from 07:56:04 EST Sun Oct 5 2008 to 08:56:04 EDT Sun Oct 5 2008, configured from console by Cisco on console.

                   
AAA Authentication commands

LinuxDynasty-Cisco_1(config)#aaa new-model

LinuxDynasty-Cisco_1(config)#aaa authentication login default local
LinuxDynasty-Cisco_1(config)#aaa authentication enable default enable line
LinuxDynasty-Cisco_1(config)#username linux privilege 15 password dynasty

Note that username ... password stores the password in the clear, or with the reversible type 7 encoding once service password-encryption is on. Use username linux privilege 15 secret dynasty instead, which stores a hash; the SDM notice this router prints at login recommends the same form.

VTY Line Authentication Commands

LinuxDynasty-Cisco_1(config)#line vty 0 15
LinuxDynasty-Cisco_1(config-line)#login authentication default
LinuxDynasty-Cisco_1(config-line)#password linux
LinuxDynasty-Cisco_1(config)#enable password dynasty
LinuxDynasty-Cisco_1(config)#enable secret dynasty

The enable secret you have chosen is the same as your enable password.
This is not recommended.  Re-enter the enable secret.

LinuxDynasty-Cisco_1(config)#enable secret dyn@sty

Once an enable secret is set, the enable password is no longer consulted for privileged-mode login, and since it is stored with type 7 encoding at best it only adds a weak copy of a credential to the configuration. There is no reason to keep both; configure the secret alone.

Create Loopback (best interface for an NMS to target; also used here to test the AAA configuration)

LinuxDynasty-Cisco_1(config)#interface loopback 0
*Oct  5 09:05:25.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
LinuxDynasty-Cisco_1(config-if)#ip address 10.10.10.1 255.255.255.255
LinuxDynasty-Cisco_1(config-if)#exit
LinuxDynasty-Cisco_1(config)#exit
LinuxDynasty-Cisco_1811#
*Oct  5 09:05:58.723: %SYS-5-CONFIG_I: Configured from console by Cisco on console
ping 10.10.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Telneting to check AAA configuration and passwords

LinuxDynasty-Cisco_1811#telnet 10.10.1.1
Trying 10.10.1.1 …
% Connection refused by remote host

Uh-OHHH!!!

LinuxDynasty-Cisco_1811#sho run | begin line vty
line vty 0 4
 access-class 23 in -> AHA! Default configuration has an Access-Class.
 privilege level 15
 password 7 10420017100F
 transport input telnet ssh
line vty 5 15
 access-class 23 in -> Again with the freakin default Access-Class.
 privilege level 15
 password 7 10420017100F
 transport input telnet ssh
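
The show run output above includes password 7 10420017100F on both vty line ranges. The following added example (mine, not from the original post) decodes that string with the well-known type 7 algorithm, which is the reason service password-encryption must not be mistaken for protection. TYPE7_KEY is the fixed key string IOS uses; SAMPLE_VTY is a constructed excerpt of the lines above.

```python
"""Reverse Cisco IOS type 7 ('service password-encryption') strings.

Added example, not from the original post. Type 7 is a fixed-key XOR with
a published key string, so every 'password 7' value in a configuration is
recoverable by anyone who can read the file. SAMPLE_VTY is constructed
from the vty lines shown above.
"""
from typing import List, Tuple

# The fixed key IOS uses for type 7; it is public knowledge.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed excerpt of the show run output above.
SAMPLE_VTY = """\
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 10420017100F
 transport input telnet ssh
"""


def decode_type7(encoded: str) -> str:
    """Decode a type 7 string such as '10420017100F'.

    Layout: two decimal digits give the starting offset into TYPE7_KEY,
    then one hex byte per character. Each byte is the plaintext character
    XORed with the key byte at offset, offset+1, ... (wrapping around).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even length of at least 4")
    seed = int(encoded[:2], 10)
    if seed >= len(TYPE7_KEY):
        raise ValueError("seed out of range for the type 7 key")
    cipher = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, c in enumerate(cipher))
    return plain.decode("ascii")


def encode_type7(plaintext: str, seed: int = 10) -> str:
    """Produce a type 7 string; shows that the transform is its own inverse."""
    if not 0 <= seed < len(TYPE7_KEY):
        raise ValueError("seed out of range for the type 7 key")
    data = plaintext.encode("ascii")
    out = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def recover_from_config(config: str) -> List[Tuple[str, str]]:
    """Return (line, plaintext) for every 'password 7 <hex>' line in a config.

    'password 7 ...' on a line, 'enable password 7 ...' and
    'username X ... password 7 ...' all end the same way, so one check
    covers them.
    """
    found = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[-3] == "password" and parts[-2] == "7":
            found.append((raw.strip(), decode_type7(parts[-1])))
    return found
```

Running recover_from_config(SAMPLE_VTY) returns the vty password linux that was set earlier in this post. Contrast enable secret, which stores a type 5 (MD5-based) hash that can only be attacked by guessing; newer IOS releases also offer type 8 (PBKDF2-SHA-256) and type 9 (scrypt) for enable secret and username ... secret, and those are what to use when the image supports them.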

Removing Default Access-Class from VTY Lines

Removing the access-class altogether is fine for a lab demo. On a production device keep the restriction and instead edit access-list 23 so that it permits your management subnet; a vty line with no access-class is reachable from every address that can route to the router.

LinuxDynasty-Cisco_1811#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LinuxDynasty-Cisco_1(config)#line vty 0 15
LinuxDynasty-Cisco_1(config-line)#no access-class 23 in
LinuxDynasty-Cisco_1(config-line)#exit
LinuxDynasty-Cisco_1(config)#exit
LinuxDynasty-Cisco_1811#
*Oct  5 09:07:05.695: %SYS-5-CONFIG_I: Configured from console by Cisco on console

Trying Telnet Again – prompt doesn’t show because of the console message directly above. I just kept typing :)
telnet 10.10.1.1
Trying 10.10.1.1 … Open

———————————————————————–
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username “cisco”
with the password “cisco”. The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
———————————————————————–

User Access Verification

Username: linux
Password:

% Password expiration warning.
———————————————————————–
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username “cisco” for  one-time use. If you have already
used the username “cisco” to login to the router and your IOS image supports the
“one-time” user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
———————————————————————–

Success!!!!

LinuxDynasty-Cisco_1811#config t
Enter configuration commands, one per line.  End with CNTL/Z.

Now for a Standard Banner

LinuxDynasty-Cisco_1(config)#banner login *This device is the property of LinuxDynasty Inc.
Enter TEXT message.  End with the character ‘*’.
Unauthorized access will be punished to the full extent of the law!*
LinuxDynasty-Cisco_1(config)#^Z
LinuxDynasty-Cisco_1811#
*Oct  5 09:44:18.747: %SYS-5-CONFIG_I: Configured from console by linux on console
exit

LinuxDynasty-Cisco_1811 con0 is now available

Press RETURN to get started.

Session Timeout during a bathroom break. :)

This device is the property of LinuxDynasty Inc.
Unauthorized access will be punished to the full extent of the law!

User Access Verification

Username: linux
Password:

LinuxDynasty-Cisco_1811>en
Password:
LinuxDynasty-Cisco_1811#10.10.1.1
Trying 10.10.1.1 … Open
This device is the property of LinuxDynasty Inc.
Unauthorized access will be punished to the full extent of the law!

User Access Verification

Username: linux
Password:

LinuxDynasty-Cisco_1811#

Save your configuration by executing the “write memory” command (or copy running-config startup-config). I didn’t, because this was a demo. Rebooting without saving takes you back to whatever is in startup-config, which on this router is the factory configuration. Of course, this always happens when you’re satisfied with the configuration and you’re off the clock in 5 minutes. hehe

Well, looks like we’re good for now. To be continued…….

Cisco IPS 7.0 shows effectiveness

Tags: ,

This week, we also have a review of Cisco IPS 7.0. Our reviewers found that the addition of a global threat correlation feature increases the value of the Cisco software — and the appliances it runs on — and is easy to deploy.

Read the review for yourself here.

Cisco also set the bar “pretty high” with IPS 7.0, states reviewer Joel Snyder. Cisco took the SenderBase reputation filtering technology it obtained from its acquisition of IronPort and created Cisco SensorBase, to change the Risk Rating of security events identified by the IPS.

This means an event linked to a ‘bad’ IP address will receive an even higher Risk Rating, Snyder writes in his review. The Risk Rating also lets users prioritize events and decide what to look at and what to ignore.