1. Management and configuration of routers and switches

Managing and configuring routers and switches is not critical to whether a router or switch functions in a network, but it is certainly important, and knowing how to do it helps with the configuration commands that manage a network. On routers and switches, the configurable management functions are covered one by one in the sections below.
Don't forget, none of these configurations will make your routers and switches perform better or run faster, but trust me: if you take the time to set them on each network device, your job will be much easier, because troubleshooting and maintaining the network becomes much simpler. I'll demonstrate these commands on a Cisco router below, but they apply equally to Cisco switches!

2. Hostname

To set the router's identity, we use the hostname command. It has only a local effect, i.e. it affects neither how the router performs name lookups nor how the router operates in the internetwork. Here is an example:

Although it is tempting to configure the hostname according to your own name, it is definitely a better idea to name it after the router's location, because a device is much easier to find when its hostname reflects where it actually is. It also helps you verify that you are configuring the right device. For this chapter I will keep the hostname Todd for now, because it's fun, hahahahaha~~~

3. Banners

Configuring banners isn't just for show: a good reason to configure them is to send a security warning to anyone who tries to connect to your internetwork via Telnet or dial-up. You can create a banner that shows whatever information you want to anyone who logs into your router. There are four types of banner: the exec banner (shown when an EXEC process is created), the incoming banner (shown on incoming terminal lines), the login banner and the message-of-the-day (MOTD) banner. Please be familiar with all of them. The following code illustrates all of these banners:

MOTD (Message Of The Day) is the most commonly used banner. It displays a message to anyone who dials in or connects to the router via Telnet, the auxiliary port, or even the console port, like this:

The MOTD banner above tells anyone connected to the router to leave if they are uninvited.
What needs to be explained is the delimiting character, which tells the router where the message ends. We can use any character as the delimiter, but obviously we can't use that character inside the message itself. Type the complete message and press Enter, then type the delimiter and press Enter. You can also skip the separate lines and type it all on one line, but then, if there are multiple banners, they will be combined into one message on one line. For example, you can set the banner on a single line as follows:

This works fine, but if you add a second MOTD banner message, the two will be merged into one line. The other banners mentioned above are set as follows:
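As an added example (it is not the post's own listing), here are all four banners configured on the router the post calls Todd, using # as the delimiting character, followed by what a Telnet user sees; the banner wording is constructed, and the example assumes the VTY lines already have a password and login configured.

```text
! Added example, not from the original post. Banner texts are constructed.
Todd#configure terminal
Todd(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Acme Corporation network device - authorized users only.
If you are not an authorized user, disconnect immediately. #
Todd(config)#banner login #Log in with your assigned credentials. All sessions are recorded.#
Todd(config)#banner exec #Privileged access - configuration changes are audited.#
Todd(config)#banner incoming #Incoming reverse Telnet session.#
Todd(config)#exit
Todd#
! What a user sees when connecting by Telnet: the MOTD banner first,
! then the login banner, and only then the password prompt.
Acme Corporation network device - authorized users only.
If you are not an authorized user, disconnect immediately.

Log in with your assigned credentials. All sessions are recorded.

User Access Verification

Password:
```

The exec banner is only shown after a successful login, when the EXEC session starts, which is why it does not appear in the connection transcript above.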
Here is an example of a login banner:

Anyone who has ever logged into an ISR router will recognize the login banner above; it is the banner Cisco configures by default on its ISR routers. NOTE: the login banner appears before the login prompt and after the MOTD banner.

4. Set a password

Five passwords are used to secure Cisco routers: the console password, the auxiliary port password, the remote login (VTY) password, the enable password and the enable secret password. The enable password and the enable secret control entry into privileged mode: the user must supply a password when executing the enable command. The other three control entry into user mode through the console port, the auxiliary port and Telnet respectively. Each password is described in detail below.

Enable password

Set the enable password in global configuration mode as follows:

The parameters of the enable command are as follows:
Here is an example of setting an enable password:

If you set the enable secret to the same value as the enable password, the router will prompt you to change the second one. Unless you are using an older router, you do not need an enable password at all. The passwords for entering user mode are set with the line command:

Below are the parameters relevant to the CCNA exam.
To configure a user-mode password, configure the corresponding line and use the login command so that the router prompts for authentication.

5. Auxiliary port password

To configure the auxiliary port password, enter global configuration mode and type line aux ?. From the output below you can see that there is only one option, 0, because there is only one auxiliary port:

Note: while Cisco provides this "make sure a password is set" feature in newer IOS versions (12.2 and higher), not all IOS images have it. Keep this in mind.

6. Console port password

To set the console port password, use the command line console 0. What happens if you try to enter line console ? at the (config-line)# prompt? An error message appears. At that prompt the command line console 0 is accepted by the system, but the help screen does not work. Type exit to go back one level and you will find that the help screen works again. This, too, is a feature. Here is an example:

Since there is only one console port, we can only choose number 0. We could set the same password for all lines, but for security reasons it is recommended that you set different ones. There are several other commands related to the console port that you must know. For example, the command exec-timeout 0 0 sets the console EXEC session timeout to 0, which means it never times out; the default timeout is 10 minutes. (If you like to be a prankster, try setting it to 0 1, which sets the console port timeout to 1 second. To fix that, you have to keep pressing the down arrow with one hand while changing the timeout with the other!) logging synchronous is a great command that should be enabled by default, but isn't. It prevents console messages from constantly appearing while you are typing.
With this command configured the messages still appear, but only after you return to the router prompt, so they don't interrupt your typing and what you type stays readable. The following example shows how to configure these two commands:

Note: we can set the console timeout to any value from 0 0 (never time out) to 35791 minutes 2147483 seconds. The default is 10 minutes.

7. Telnet password

To set the password for entering user mode when accessing the router via Telnet, we use the line vty command. If the router is not running the Cisco IOS Enterprise Edition, it has 5 VTY lines by default, 0 to 4; if it is running the Enterprise Edition, it has many more. The best way to find out how many lines there are is to use the question mark:

Don't forget that you can't get help at the (config-line)# prompt; to use the question mark (?) you must return to global configuration mode. What happens if you try to Telnet into a router that has no VTY password set? You will see an error message saying the connection was refused because no password was set. So if the following message appears when you try to Telnet into the router:

it means the remote router (here SFRouter) has no VTY (Telnet) password set. To get around this and let the router accept a Telnet connection even though no Telnet password is set, we can use the no login command:

Warning: except in a test or classroom environment, it is not recommended to use the no login command to let a router without a password accept Telnet connections. In a production environment, be sure to set a VTY password. Once the router has an IP address configured, we can use the Telnet program to configure and check the router without a console cable. At any command prompt (DOS or Cisco), we can enter telnet to run the Telnet program.
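As an added example (not the post's own output), here are the enable, console, auxiliary and VTY passwords from sections 4 to 7 configured on Todd in one sitting, together with exec-timeout and logging synchronous on the console; every password value is a constructed sample.

```text
! Added example, not from the original post. All passwords are constructed samples.
Todd#configure terminal
Todd(config)#enable secret Pr1v-M0de-Key
! The enable password is only needed on older IOS images; give it a value
! different from the enable secret, otherwise the router asks you to change it.
Todd(config)#enable password OldIos-0nly
!
! Console port: there is only one, so the line number is always 0.
! exec-timeout 0 0 disables the idle timeout, as described in the post.
Todd(config)#line console 0
Todd(config-line)#password C0ns0le-Key
Todd(config-line)#login
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous
Todd(config-line)#exit
!
! Auxiliary port: also only one, which the help output confirms.
Todd(config)#line aux ?
  <0-0>  First Line number
Todd(config)#line aux 0
Todd(config-line)#password Aux-P0rt-Key
Todd(config-line)#login
Todd(config-line)#exit
!
! VTY lines: ask the router how many there are (from global config mode,
! since help does not work at the line prompt), then protect all of them.
! A finite idle timeout on the remote lines limits abandoned sessions.
Todd(config)#line vty 0 ?
  <1-4>  Last Line number
  <cr>
Todd(config)#line vty 0 4
Todd(config-line)#password T3ln3t-Key
Todd(config-line)#login
Todd(config-line)#exec-timeout 10 0
Todd(config-line)#exit
Todd(config)#
```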
8. Set up Secure Shell (SSH)

We can use Secure Shell (SSH) as an alternative to Telnet. Telnet sends an unencrypted data stream, whereas the session SSH creates is encrypted: SSH uses encryption keys to send data so that the username and password are not sent in clear text. The steps to set up SSH are as follows.

(1) Set the hostname:
(2) Set the domain name (both the hostname and the domain name are required to generate the encryption keys):
(3) Set a username to allow SSH client access:
(4) Generate the encryption keys that protect the session:
(5) Enable SSH version 2 on the router. This is not required, but highly recommended:
(6) Enter the router's VTY line configuration mode:
(7) Finally, specify SSH and then Telnet as the access protocols, in that order:

If you leave out the keyword telnet at the end of the last command, the router will support only SSH. This is not to tell you which method to use, just to show that SSH is more secure than Telnet.

9. Encrypt your passwords

By default, only the enable secret password is encrypted. To encrypt the user-mode passwords and the enable password as well, you must configure that manually. When you execute show running-config on the router, you will see every password in clear text except the enable secret:

To turn on password encryption manually, use the command service password-encryption, as in the following example:

This encrypts the passwords. In the example above we enabled password encryption, then executed show run, and finally turned password encryption off again. As you can see, both the enable password and the line passwords are encrypted. Before we go into the details of the remaining settings on a router, let's first discuss password encryption in a little more detail.
As mentioned earlier, if you set a password and enable service password-encryption, you must execute show running-config before disabling the encryption service, otherwise the password will not be encrypted. It is not necessary to disable the encryption service; do so only when the router's CPU usage is high. If the encryption service is enabled before the passwords are set, the passwords are encrypted even if you never view them.

10. Description

Setting an interface description is helpful for administrators. Like the hostname, the description is only meaningful locally. The description command is useful because it can be used to record the circuit number. Here is an example:

To view the description of an interface, we can use show running-config or show interface:

11. Real case: description, a very useful command

Bob is the network administrator responsible for Acme Corporation, a company in San Francisco with more than 50 WAN links connecting branch offices throughout the United States and Canada. Whenever an interface fails, Bob spends a lot of time working out which circuit it is connected to and finding the WAN link provider's phone number. The interface description command helps Bob because he can use it to identify each router interface: by adding the circuit number and the provider's phone number to each WAN interface, Bob benefits greatly. So, by spending a few hours adding this information to every router interface, Bob will save a lot of valuable time whenever a WAN link fails (which it surely will).

12. Use the do command

Starting with IOS version 12.3, Cisco finally added a command to IOS that lets you view configuration and statistics from configuration mode.
In fact, on any IOS, if we try to view the configuration from global configuration mode, we see the following error message:

Compare that with the output obtained when the command is run with the do syntax on a router running IOS version 12.4:

Basically, we can now run any command from any configuration prompt. Isn't that cool? For the password encryption example above, using the do command definitely speeds things up. It's a really nice command!
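The SSH setup procedure of section 8, the service password-encryption command of section 9, the interface description of section 10 and the do command of section 12, put together in one added example (not the post's own output); the domain name, username, password, interface and the circuit and provider details are constructed placeholders, and the key-generation dialogue is abbreviated.

```text
! Added example, not from the original post. Domain, username, password,
! interface name and the circuit/provider details are constructed placeholders.
Router(config)#hostname Todd
Todd(config)#ip domain-name example.com
! "secret" stores a hash; "username ... password" would only get the
! reversible type 7 form from service password-encryption.
Todd(config)#username todd secret Ssh-Us3r-Key
Todd(config)#crypto key generate rsa
The name for the keys will be: Todd.example.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]  (elapsed time was 4 seconds)

Todd(config)#ip ssh version 2
Todd(config)#line vty 0 4
! login local checks the username/secret above instead of the line password.
Todd(config-line)#login local
! Without the "telnet" keyword, the VTY lines accept SSH only.
Todd(config-line)#transport input ssh
Todd(config-line)#exit
!
! Encrypt the remaining clear-text passwords in the running configuration.
Todd(config)#service password-encryption
!
! Record the circuit and provider contact on the WAN interface.
Todd(config)#interface serial 0/0
Todd(config-if)#description WAN to branch office - circuit <CIRCUIT-ID> - provider NOC <PHONE>
Todd(config-if)#exit
!
! "do" runs an EXEC command from configuration mode (IOS 12.3 and later);
! the hash values are shown as placeholders here.
Todd(config)#do show running-config | include secret|transport
enable secret 5 <hash placeholder>
username todd secret 5 <hash placeholder>
 transport input ssh
```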