CCNA Routing and Switching training adds value to the networking professionals career and helps them to advance their careers. A CCNA® Routing and Switching certified professional will have an opportunity to increase their job prospects. CCNA® R&S is the first level of Cisco certification program, it validates the competency levels of network professionals in various networking streams such as Routing, Switching and Connectivity.
Cisco Integrated Services Router (ISR)
Cisco provides various series and models of routers geared towards different types of customer and requirements. Some of them just do routing whereas others provide some other functions such as Wireless connectivity, Security features and Voice-over-IP services. Cisco’s ISR series routers are example of routers that provide various services.
The earlier CCNA exams used to focus on Cisco 2500 and 2600 routers that have been replaced by ISR 1800 and 2800/2900 series routers. 2500 and 2600 routers are End-of-Life now and cannot be bought from Cisco anymore. Figure 3-1 shows a part of the backplane of a Cisco 1841 router with important parts labeled.
Cisco Catalyst Switches
Cisco provides a wide range of switches under its Catalyst brand. The Catalyst brand encompasses many series of switches with each series targeting a particular part or size of a network. The CCNA exam focuses on the 2960 series of switches in the Catalyst brand. 2960 switches are low-cost wiring closet switches that you would expect to be used at the Access layer (remember the Cisco Hierarchical model) for providing network connectivity to hosts.
Each model in the 2960 series switch is different in terms of the number of physical network interfaces it has but overall each model looks similar.
Configuration of Router and Switches
Hostname – You can set the name of the device with the hostname command in the global configuration mode. Setting the name of the router does not have any impact on the functions of the router. It will continue to perform normally respective of the name, but it is easier to manage and troubleshoot your network when you give the devices a meaningful name. The example below shows how you can change the hostname. Notice the immediate change in prompt after the command is executed.
Gateway(config)#hostname myRouter
myRouter(config)#
Clock – You can set the date and time on the router with the clock command in the privileged exec mode. Setting the correct date and time is a requirement for some advanced configuration and it helps when troubleshooting the device. The syntax of the command is clock set hh:mm:ss day month. An example is shown below:
myRouter#clock set 14:12:00 7 June 2011
Banners – Banners are messages displayed to users who connect to the routers either through the various lines (console, vty and auxiliary) or through a dial-up. Banners are usually used to display a message prohibiting unauthorized access. There are many types of banners but you need to be aware of three kinds – the exec process creation banner, login banner and the message of the day (motd) banner. The motd banner is displayed first, followed by the login banner. These two banners are displayed before the login prompt. The exec process creation banner is displayed just after the login and before the prompt. You can use the banner command in the global configuration mode to create banners. The syntax for the command is banner {exec | login | motd} delimiter text delimiter. The delimiter is of importance here. It is any character which marks the start and end of the banner text. In the example below, the hash sign (#) is the delimiter.
myRouter(config)#banner motd #Enter TEXT message. End with the character ‘#’.
Welcome to my Router. No unauthorized access.
#
The above example is repeated below with the delimiter changed to the dollar sign($) and the entire command given in a single line.
myRouter(config)#banner motd $ Welcome to myRouter. No unauthorized access.$The following output shows the banner displayed when an exec session is started.
Press RETURN to get started.Welcome to my Router. No unauthorized access.
myRouter>
Securing access to the device
Routers and switches are the core of your network. A malicious user who gets access to these devices can cause network wide problems such as theft of data, loss of connectivity and more. Hence it is essential to secure access to your network devices. IOS provides two basic mechanisms for access restriction – line passwords and enable password/secret.
As you already know, an administrative (exec) session to an IOS device can be started using three methods – console, telnet/ssh and auxiliary. These are also referred to as lines. (The term lines is actually reminiscent of very old technologies so do not worry about why they are called such). The IOS allows you to configure a password on these lines so that anyone connecting to them is required to enter the password before being connected to the CLI. After reaching the CLI prompt, a user is at the user exec mode where they cannot even view the configuration. To be able to view or edit the configuration, the user needs to go to the privileged exec mode using the enable command. The IOS also allows you to configure a password that is required to go to the privileged exec mode. This is called the enable password or secret.
The enable password or secret can be configured using the following command in the global configuration mode:
There are four things that you should remember about the enable password and secret:
-Enable secret is encrypted before being stored in the config while the enable password is stored as plain text. So anyone viewing the config will know the enable password.
-If enable secret and enable password both are configured, the secret will be used always.
-Enable secret and password cannot have the same value.
-When using telnet or ssh to connect to the IOS, you cannot enter the enable mode if an enable secret or password has not been configured.
Here’s an example of how they are configured:
myRouter(config)#enable password testmyRouter(config)#enable secret test123
After the enable password or secret is configured, notice the how the user is prompted for password when then enter the enable command in the user exec mode:
myRouter>enPassword: test123 (password will not be shown when typed on the device]
myRouter#
To configure a line password for console, you will first need to enter the line configuration mode for the console using the line consolecommand in the global configuration mode as shown below:
myRouter(config)#line console ?<0-0> First Line number
myRouter(config)#line console 0myRouter(config-line)#
In the above output, I used a question mark at the end of the first line. The help output shows that 0 is the only option available. First thing to know here is that there can be multiple lines of a kind (example multiple telnet lines). Second you will need to specify the line number that you want to configure. In the case of console, there will always be only a single line, zero, available. So the command line console 0will bring you to the line configuration mode for the console line (notice the change in router prompt to (config-line)#).
In the line config mode, use the password password command to set a password for the line. After that you will need to use the logincommand to enable login with the password you just configured. The output below shows an example.
myRouter(config)#line console 0myRouter(config-line)#password test
myRouter(config-line)#login
Now when someone tries to connect using the console, they will be prompted for a password as shown below.
myRouter con0 is now availablePress RETURN to get started.
User Access Verification
Password: test [password will not be displayed when typed]
myRouter>
Similar to how you configured the console password above, you can configure the password for the auxiliary line by going to the line mode for auxiliary using the line aux 0 command. There is always a single auxiliary line in a device. The example below shows configuration required.
myRouter(config)#line aux 0myRouter(config-line)#password test
myRouter(config-line)#login
Configuring the password for the telnet lines is no different, but you need to know two things before doing that:
-Telnet lines are called vty lines because they are virtual unlike console and auxiliary
-Each IOS device has a minimum of 5 vty lines (0 to 4). Some of them can have 15 or more.
-You can configure all the vty lines together, in a group or one at a time. They need not have the same -configuration.
-A new telnet or SSH session will use the lowest available vty line. So there can be 5 telnet or SSH sessions to the device at any time.
-Telnet or SSH sessions to the device will not be allowed unless a password has been configured and login is enabled.
Interested in mastering CCNA? Learn more about CCNA Training in this blog post.
To configure a password on line vty, you need to use the password and login commands in the line configuration mode. You can enter the vty line configuration mode using the line vty linenumber linenumber command. The following example shows the available number of vty lines:
myRouter(config)#line vty ?<0-4> First Line number
myRouter(config)#line vty 0 ?
<1-4> Last Line number
<cr>
myRouter(config)#line vty 0 4
myRouter(config-line)#
The line vty 0 4 command in the above example will enter the line configuration mode and you will be able to configure all the available vty lines at one time.
The example below shows a password configured for all the vty lines:
myRouter(config)#line vty 0 4myRouter(config-line)#password test
myRouter(config-line)#login
Once the password has been configured and login enabled, the device will allow Telnet sessions to be initiated to the device. As you already know, Telnet is not a secure protocol because the session is transmitted in plain text and is vulnerable to snooping. To overcome this problem, SSH can be used. SSH encrypts the entire session but it requires encryption keys to start a session. By default IOS does not have these keys and hence a SSH session cannot be initiated. To generate those keys, you must first set the hostname and domain name of the device and then use the crypto key command as shown below:
myRouter(config)#hostname GatewayGateway(config)#ip domain-name test.edu
Gateway(config)#crypto key generate rsa general-keys modulus 1024
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…
Jun 9 00:43:43.599: %SSH-5-ENABLED: SSH 1.99 has been enabled
Once the keys are generated, the vty line can be configured to accept SSH sessions using the following command:
Gateway(config-line)#transport input ssh telnet
If you leave out the telnet option from the above command, only SSH will be allowed to the device.
One final thing you need to know about passwords is that the line passwords and the enable password is stored in the configuration as plain text. What this means is that anyone who comes across the configuration stored outside the device, can learn the passwords. To prevent this, the passwords can be encrypted using the service password-encryption command in the global configuration mode.