
CCNA: Fast Pass part 6


2.8 Perform an Initial Configuration on a Router

You can view the description of an interface with either the show running-config command or the show interface command.

Atlanta#sh run
[cut]
interface Ethernet0
 description Sales Lan
 ip address 172.16.10.30 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 description Wan to Miami circuit:6fdda4321
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
Atlanta#sh int e0
Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 0010.7be8.25db (bia 0010.7be8.25db)
  Description: Sales Lan
  [output cut]
Atlanta#sh int s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Description: Wan to Miami circuit:6fdda4321
  [output cut]
Atlanta#

Viewing and Saving Configurations

If you run through setup mode, you’ll be asked if you want to use the configuration you just created. If you say Yes, it will copy the configuration running in DRAM (known as the running-config) into NVRAM and name the file startup-config.

You can manually save the file from DRAM to NVRAM by using the copy running-config startup-config command. You can also use the shortcut copy run start:

Atlanta#copy run start
Destination filename [startup-config]?[Enter]
Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm] [Enter]
Building configuration

4309c02.fm Page 179 Friday, October 24, 2003 2:55 PM 180 Chapter 2  Implementation & Operation

Notice that the message you received here tells you you’re trying to write over the older startup-config. The IOS had just been upgraded to version 12.2, and the last time the file was saved, 11.3 was running.

When you see a question with an answer in [], it means that if you just press Enter, you’re choosing the default answer. Also, when the command asked for the destination filename, the default answer was startup-config.
The “feature” aspect of this command output is that you can’t even type anything else in or you’ll get an error!

Atlanta#copy run start
Destination filename [startup-config]?todd
%Error opening nvram:todd (No such file or directory)
Atlanta#

Okay, you’re right—it’s weird! Why on earth do they even ask if you can’t change it at all? Well, since this “feature” was first introduced with the release of the 12.x IOS, we’re all pretty sure it will turn out to be relevant and important some time in the future.

Anyway, you can view the files by typing show running-config or show startup-config from privileged mode. The sh run command, which is the shortcut for show running-config, tells you that you are viewing the current configuration:

Atlanta#sh run
Building configuration
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Atlanta
ip subnet-zero
frame-relay switching
!
[output cut]

The sh start command—the shortcut for the show startup-config command—shows you the configuration that will be used the next time the router is reloaded. It also tells you how much NVRAM is being used to store the startup-config file:

Atlanta#sh start
Using 4850 out of 32762 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Atlanta
!
!
ip subnet-zero
frame-relay switching
!
[output cut]

You can delete the startup-config file by using the erase startup-config command, after which you’ll receive an error if you ever try to view the startup-config file.

Atlanta#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm]
[OK]
Erase of nvram: complete
Atlanta#sh start
%% Non-volatile configuration memory is not present
Atlanta#reload

If you reload or power down and up the router after using the erase startup-config command, you’ll be put into Setup mode because there’s no configuration saved in NVRAM. You can press Ctrl+C to exit setup mode at any time. (The reload command can only be used from privileged mode.)

At this point, you shouldn’t use Setup mode to configure your router. Setup mode was designed to help people who do not know how to use the CLI, and this no longer applies to you!

Verifying Your Configuration

Obviously, show running-config would be the best way to verify your configuration, and show startup-config would be the best way to verify the configuration that’ll be used the next time the router is reloaded—right?

Well, once you take a look at the running-config, and if all appears well, you can verify your configuration with utilities like Ping and Telnet. Ping (Packet Internet Groper) is a program that uses Internet Control Message Protocol (ICMP) echo requests and replies. Ping sends a packet to a remote host, and if that host responds, you know that the host is alive. But you don’t know if it’s alive and also well—just because you can ping an NT server does not mean you can log in. Even so, Ping is an awesome starting point for troubleshooting an internetwork.

Did you know that you can ping with different protocols? You can test this by typing ping ? at either the router user-mode or privileged mode prompt:

Router#ping ?
  WORD       Ping destination address or hostname
  appletalk  Appletalk echo
  decnet     DECnet echo
  ip         IP echo
  ipx        Novell/IPX echo
  srb        srb echo
  <cr>

If you want to find a neighbor’s Network layer address, you either need to go to the router or switch itself, or you can type show cdp entry * protocol to get the Network layer addresses you need for pinging.
(By the way, CDP stands for Cisco Discovery Protocol.)

Traceroute uses ICMP timeouts to track the path a packet takes through an internetwork, in contrast to Ping, which just finds the host and responds. Traceroute can also be used with multiple protocols.

Router#traceroute ?
  WORD       Trace route to destination address or hostname
  appletalk  AppleTalk Trace
  clns       ISO CLNS Trace
  ip         IP Trace
  oldvines   Vines Trace (Cisco)
  vines      Vines Trace (Banyan)
  <cr>

Telnet is the best tool since it uses IP at the Network layer and TCP at the Transport layer to create a session with a remote host. If you can telnet into a device, your IP connectivity just has to be good. You can only telnet to devices that use IP addresses, and you can use Windows hosts or router prompts to telnet to a remote device.

Router#telnet ?
  WORD  IP address or hostname of a remote system
  <cr>

From the router prompt, you just type a hostname or IP address and it assumes you want to telnet—you don’t need to type the actual command, telnet.

Verifying with the show interface Command

Another way to verify your configuration is by typing show interface commands, the first of which is show interface ?. Using this command reveals all the available interfaces to configure. The following output is from my 2600 routers:

Router#sh int ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  accounting         Show interface accounting
  crb                Show interface routing/bridging info
  dampening          Show interface dampening info
  description        Show interface description
  irb                Show interface routing/bridging info
  mac-accounting     Show interface MAC accounting info
  mpls-exp           Show interface MPLS experimental accounting info
  precedence         Show interface precedence accounting info
  rate-limit         Show interface rate-limit info
  summary            Show interface summary
  switching          Show interface switching
  |                  Output modifiers
  <cr>

The only “real” physical interfaces are FastEthernet and Serial; the rest are all logical interfaces. In addition, the newer IOS shows the “possible” show commands that you can use to verify your router interfaces—a very new feature from Cisco.
The next command is show interface fastethernet 0/0; it reveals the hardware address, logical address, and encapsulation method, as well as statistics on collisions:

Router#sh int fastethernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 00b0.6483.2320 (bia 00b0.6483.2320)
  Description: connection to LAN 40
  Internet address is 192.168.1.33/27
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     84639 packets output, 8551135 bytes, 0 underruns
     0 output errors, 0 collisions, 16 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

The most important statistic of the show interface command is the output of the line and Data Link protocol status. If the output reveals that FastEthernet 0/0 is up and the line protocol is up, then the interface is up and running.

Router#sh int fa0/0
FastEthernet0/0 is up, line protocol is up

The first parameter refers to the Physical layer, and it’s up when it receives carrier detect. The second parameter refers to the Data Link layer, and it looks for keepalives from the connecting end.
(Keepalives are used between devices to make sure connectivity has not dropped.)

Router#sh int s0/0
Serial0/0 is up, line protocol is down

If you see that the line is up but the protocol is down, as just shown, you are experiencing a clocking (keepalive) or framing problem. Check the keepalives on both ends to make sure that they match, that the clock rate is set if needed, and that the encapsulation type is the same on both ends. This up/down status would be considered a Data Link layer problem.

Router#sh int s0/0
Serial0/0 is down, line protocol is down

If you discover that both the line interface and the protocol are down, it’s a cable or interface problem, which would be considered a Physical layer problem. If one end is administratively shut down (as shown next), the remote end would present as down and down.

Router#sh int s0/0
Serial0/0 is administratively down, line protocol is down

To enable the interface, use the command no shutdown from interface configuration mode.

The next show interface serial 0/0 command demonstrates the serial line and the maximum transmission unit (MTU)—1500 bytes by default. It also shows the default bandwidth (BW) on all Cisco serial links—1.544Kbs. You use this to determine the bandwidth of the line for routing protocols like IGRP, EIGRP, and OSPF. Another important configuration to notice is the keepalive, which is 10 seconds by default. Each router sends a keepalive message to its neighbor every 10 seconds, and if both routers aren’t configured for the same keepalive time, it won’t work.

You can clear the counters on the interface by typing the command clear counters.
Router#sh int s0/0
Serial0/0 is up, line protocol is up
  Hardware is HD64570
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 16 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down DSR=down DTR=down RTS=down CTS=down

Router#clear counters ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Group-Async        Async Group interface
  Line               Terminal line
  Loopback           Loopback interface
  MFR                Multilink Frame Relay bundle interface
  Multilink          Multilink-group interface
  Null               Null interface
  Serial             Serial
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  <cr>

Router#clear counters s0/0
Clear "show interface" counters on this interface [confirm][Enter]
Router#
00:17:35: %CLEAR-5-COUNTERS: Clear counter on interface Serial0 by console
Router#

Verifying with the show ip interface Command

The show ip interface command provides you with information regarding the Layer 3 configurations of a router’s interfaces.
Router#sh ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 1.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  [output cut]

This output includes the status of the interface, the IP address and mask, and information on whether an access list is set on the interface, as well as basic IP information.

Using the show ip interface brief Command

This is probably one of the most helpful commands that you can ever use on a Cisco router. The show ip interface brief command provides a quick overview of the router’s interfaces, including the logical address and status:

Router#sh ip int brief
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.1.33  YES manual up                    up
FastEthernet0/1  10.3.1.88     YES manual up                    up
Serial0/0        10.1.1.1      YES manual up                    up
Serial0/1        unassigned    YES NVRAM  administratively down down

Using the show controllers Command

The show controllers command displays information about the physical interface. It’ll also give you the type of serial cable plugged into a serial port. Usually, this will only be a DTE cable that plugs into a type of DSU.

Router#sh controllers serial 0/0
HD unit 0, idb = 0x1229E4, driver structure at 0x127E70
buffer size 1524  HD unit 0, V.35 DTE cable
cpb = 0xE2, eda = 0x4140, cda = 0x4000

Router#sh controllers serial 0/1
HD unit 1, idb = 0x12C174, driver structure at 0x131600
buffer size 1524  HD unit 1, V.35 DCE cable
cpb = 0xE3, eda = 0x2940, cda = 0x2800

Notice that Serial 0/0 has a DTE cable, whereas the Serial 0/1 connection has a DCE cable. Serial 0/1 would have to provide clocking with the clock rate command. Serial 0/0 would get its clocking from the DSU.
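The line/protocol status pairs explained above can be read mechanically from saved command output. The following Python sketch is an added example, not code from the book; the function names are hypothetical and the sample input is constructed from the outputs quoted in the text.

```python
import re

# Constructed sample input: the "show ip interface brief" table and the three
# "show interface" status lines quoted in the text above.
BRIEF = """\
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.1.33  YES manual up                    up
FastEthernet0/1  10.3.1.88     YES manual up                    up
Serial0/0        10.1.1.1      YES manual up                    up
Serial0/1        unassigned    YES NVRAM  administratively down down
"""
STATUS_LINES = [
    "Serial0/0 is up, line protocol is down",
    "Serial0/0 is down, line protocol is down",
    "Serial0/0 is administratively down, line protocol is down",
]

STATE = r"(administratively down|up|down)"
BRIEF_ROW = re.compile(rf"^(\S+)\s+(\S+)\s+(?:YES|NO)\s+\S+\s+{STATE}\s+(up|down)\s*$")
STATUS_ROW = re.compile(rf"^(\S+) is {STATE}, line protocol is (up|down)\b")


def diagnose(line_state, protocol_state):
    """Map a (line, protocol) pair to the layer the text says to check first."""
    if line_state == "administratively down":
        return "shutdown", "shut down locally; enable with 'no shutdown'"
    if (line_state, protocol_state) == ("up", "up"):
        return "ok", "interface is up and running"
    if line_state == "up":
        return "data-link", "check keepalives, clock rate and encapsulation on both ends"
    if protocol_state == "down":
        return "physical", "check cable and interface; the far end may be shut down"
    return "unknown", "line down with protocol up is not a state the text describes"


def parse_brief(text):
    """Return one dict per interface row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BRIEF_ROW.match(line.strip())
        if m:
            name, ip, state, proto = m.groups()
            layer, advice = diagnose(state, proto)
            rows.append({"interface": name, "ip": ip, "layer": layer, "advice": advice})
    return rows


def parse_status_line(line):
    """Classify the first line of 'show interface' output, or return None."""
    m = STATUS_ROW.match(line.strip())
    if not m:
        return None
    name, state, proto = m.groups()
    return (name,) + diagnose(state, proto)


if __name__ == "__main__":
    for row in parse_brief(BRIEF):
        print(f"{row['interface']:<16} {row['layer']:<10} {row['advice']}")
    for line in STATUS_LINES:
        print(parse_status_line(line))
```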
Exam Essentials

Understand the sequence of what happens when you power on a router. When you first bring up a Cisco router, it will run a power-on self-test (POST), and if that passes, it will then look for and load the Cisco IOS from Flash memory, if a file is present. The IOS then proceeds to load and look for a valid configuration in NVRAM called the startup-config. If no file is present in NVRAM, the router will go into setup mode.

Know what setup mode provides. Setup mode automatically starts if a router boots and no startup-config is in NVRAM. You can also bring up setup mode by typing setup from the privileged mode. Setup provides a minimum amount of configuration in an easy format for someone who does not understand how to configure a Cisco router from the command line.

Understand the difference between user mode and privileged mode. User mode provides a command-line interface with very few available commands by default. User mode does not allow the configuration to be viewed or changed. Privileged mode allows a user to both view and change the configuration of a router. You can enter privileged mode by typing the command enable and entering the enable password or enable secret password, if set.

Understand what the command show version provides. The show version command provides basic configuration for the system hardware as well as the software version, the names and sources of configuration files, and the boot images.

[...]

... be 172.16.16.0 through 172.16.19.0. The following example shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0.

Lab_A(config)#access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0.

Lab_A(config)#access-list 10 deny 172.16.32.0 0.0.31.255

The last example starts at network 172.16.64.0 and...
mode and enable mode passwords by using the enable password command. The following output shows the configuration of both the user mode and enable mode passwords:

(config)#enable password ?
  level  Set exec level password
(config)#enable password level ?
  <1-15>  Level number

To enter the user mode password, use level number 1. To enter the enable mode password, use level mode 15. The password must be at least...

not use enable secret password password, or you will set your password to “password password”. Here is an example:

enable
config t
enable secret todd

Know how to set the console password on a router. To set the console password, use the following sequence:

enable
config t
line console 0
login
password todd

Be able to set the Telnet password on a router. To set the Telnet password, use the following sequence:...

up a block size of 64 to 172.16.127.0.

Lab_A(config)#access-list 10 deny 172.16.64.0 0.0.63.255

Here are two more things to keep in mind when working with block sizes and wildcards:

Each block size must start at 0. For example, you can’t say that you want a block size of 8 and then start at 12. You must use 0–7, 8–15, 16–23, and so on. For a block size of 32, the ranges are 0–31, 32–63, 64–95, and so on...

output shows the user mode password being set and denied because it’s more than eight characters:

(config)#enable password level 1 toddlammle
Error: Invalid password length
Password must be between 4 and 8 characters

This output is an example of how to set both the user mode and enable mode passwords on the 1900 switch:

(config)#enable password level 1 todd
(config)#enable password level 15 todd1
(config)#exit...
Switch(config-line)#password telnet
Switch(config-line)#line con 0
Switch(config-line)#login
Switch(config-line)#password todd
Switch(config-line)#exit
Switch(config)#exit
Switch#

Cool—you’ve just learned how to set the user mode passwords and the enable password on the 1900, but there’s still one more password that needs attention on each switch: the enable secret.

Setting the Enable Secret Password

The...

Lab_A(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value.

Lab_A(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Try to figure out this next line:

Lab_A(config)#access-list 10 deny 172.16.16.0 0.0.3.255

The preceding configuration tells the router to start at network 172.16.16.0 and use a block size of...

interface, then you need to buy a new router—ouch! However, the 1600, 1700, 2600, 3600, and higher routers have modular interfaces that allow you to buy what you need now and add almost any type of interface you may need later. The 1600 and 1700 are limited and have both fixed and modular ports, but the 2600 and up provide many serials, FastEthernet, and even voice-module availability—now we’re talking!...

must be the same—a plain-text password that you can see with a show run command. You can encrypt the password by using the command service password-encryption. You’ve got to have a username and password configured for each remote system you plan to connect to. The remote routers must also be configured with usernames and passwords. After you set the hostname, usernames, and passwords, choose the authentication...

have to be 16 or 32, but not 20. Let’s say that you want to block access to part of network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. Whoa! What is that?!? The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and ...
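A check for the block-size rule in the access-list excerpts above, added here as an example and not taken from the book. The function names are hypothetical, and the last two sample entries are constructed to break the rule (a block size of 8 starting at 12, and a block size of 20).

```python
import ipaddress
import re

# The first four entries are quoted in the text above; the last two are
# constructed to break the block-size rule (start at 12 with block size 8,
# and a block size of 20).
ACL_LINES = """\
access-list 10 deny 172.16.16.0 0.0.7.255
access-list 10 deny 172.16.32.0 0.0.31.255
access-list 10 deny 172.16.64.0 0.0.63.255
access-list 10 deny 172.16.16.0 0.0.3.255
access-list 10 deny 172.16.12.0 0.0.7.255
access-list 10 deny 172.16.32.0 0.0.19.255
"""

ENTRY = re.compile(r"^access-list\s+\d+\s+(?:permit|deny)\s+(\S+)\s+(\S+)\s*$")


def check_entry(network, wildcard):
    """Check one network/wildcard pair against the block-size rule.

    A wildcard bit of 1 means "don't care", so the addresses matched are those
    equal to the network in every bit where the wildcard is 0.
    """
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    problems = []
    if wild & (wild + 1):
        # A block size minus one is all ones in its low bits: 7, 31, 63, 255 ...
        problems.append("wildcard is not a power-of-two block size minus one")
    if net & wild:
        problems.append("network does not start on a block boundary")
    # Lowest and highest address the pair can match. For a valid wildcard
    # this is exactly the matched block.
    first = ipaddress.IPv4Address(net & ~wild & 0xFFFFFFFF)
    last = ipaddress.IPv4Address(net | wild)
    return {"first": str(first), "last": str(last), "problems": problems}


def audit(text):
    """Return (line, result) for every access-list entry found in text."""
    results = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            results.append((line.strip(), check_entry(*m.groups())))
    return results


if __name__ == "__main__":
    for line, res in audit(ACL_LINES):
        flag = "; ".join(res["problems"]) or "ok"
        print(f"{line}\n    matches {res['first']} - {res['last']}: {flag}")
```

For the constructed entry that starts at 12 with a block size of 8, the don't-care bits make the pair match 172.16.8.0 through 172.16.15.255, not a block beginning at 172.16.12.0.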

Date posted: 14/08/2014, 13:20
