Basic Cisco Device Settings
===========================

This document contains the commands needed to configure a Cisco router's "basic" settings. These are settings that are commonly needed or useful for most routers. They are presented here as a reference. Cisco switches use largely the same commands, but see the last section of this document for additional information.

This page gives a nice summary of the process. It is for a specific router, but most of the configuration commands are common to all Cisco devices.

    https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/routconf.html

Global Settings
---------------

Turn on privileged mode, enter configuration mode, and set the host name. Obviously, use a host name appropriate for your situation; "R1" is used here.

    Router> enable
    Router# configure terminal
    Router(config)# hostname R1

Set the privileged mode "secret" to 'hotdog'. This is, of course, a terrible password. However, we will use it as the standard enable secret for VTSU classes. In real life, you would use a much more appropriate password.

Note that it may be possible to set both the enable "secret" and the enable "password". The password option is weaker (it is stored in clear text or with the trivially reversible "type 7" encoding, whereas the secret is stored as a hash) and is now deprecated. Do not use it. For more information see:

    https://community.cisco.com/t5/networking-knowledge-base/understanding-the-differences-between-the-cisco-password-secret/ta-p/3163238

    R1(config)# enable secret hotdog

Turn off DNS lookup. This stops the router from trying to translate domain names into IP addresses. For lookups to work, a name server would have to be specified, and they will never work in the simulated environment used in the lab (unless we also set up a name server in the simulated environment, which we could do but typically don't).
For more information see:

    https://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html

    R1(config)# no ip domain lookup

It is considered good practice to define a MOTD banner for those who log into the router. In some environments there are legal reasons why this banner should be present. Note that in the command below, the '#' characters are delimiters, not part of the banner itself, but you must type them. They allow the banner text to span multiple lines.

    R1(config)# banner motd #
    Warning! Unauthorized access is prohibited!
    #

Console Access
--------------

Configure the console for those who connect to the device directly via the console port using a serial connection. Best practice is to *always* include a password. VTSU classes use the password 'hamburger' for this purpose, which is not a password you would ever use in real life.

Note that "login" means check the password against what is configured here. There is no notion of a "user" involved. An alternative (and probably better) approach is to configure one or more users with their own passwords, drop the password here, and use "login local" to indicate that the local user database should be used. See the SSH Access section for more information.

    R1(config)# line console 0
    R1(config-line)# password hamburger
    R1(config-line)# login                 // Enable password checking on login.
    R1(config-line)# logging synchronous   // Synchronous logging prevents messages from interrupting.
    R1(config-line)# exec-timeout 15       // EXEC timeout interval in minutes. Default is 10.
    R1(config-line)# exit

Telnet Access
-------------

Configure remote access using Telnet via virtual terminal lines (vty). The configuration is essentially the same as for the console, aside from the use of virtual terminals.

    R1(config)# line vty 0 15              // Configures lines 0-15 identically.
    R1(config-line)# password hamburger
    R1(config-line)# login
    R1(config-line)# logging synchronous
    R1(config-line)# exec-timeout 15
    R1(config-line)# exit

SSH Access
----------

Telnet is normally unencrypted (unless you do something like Telnet-over-TLS). In the real world, it is usually better to use SSH. Many (most) Cisco devices have an on-board SSH server that you can configure.

Start by specifying the name of the DNS domain where the router lives. Here "cislab.vermontstate.edu" is just an example.

    R1(config)# ip domain-name cislab.vermontstate.edu

Next define a user (here "admin", but any name is fine). In this example, this user will have privilege level 15 (the maximum), using a password (or "secret") of "hamburger" (the VTSU lab standard, but obviously not a password to use in real life). Multiple users with different privilege levels can be created.

    R1(config)# username admin privilege 15 secret hamburger

Now generate an RSA public/private keypair for the SSH server. The key is named after the host name and domain name, which is why both must be set first. You will be prompted for the "modulus" of the key. DO NOT USE ANYTHING LESS THAN 2048 (4096 might be better). Small modulus values are not secure enough by today's standards.

    R1(config)# crypto key generate rsa
    R1(config)# ip ssh version 2

Finally, configure the virtual lines to use SSH rather than the default Telnet. Most of the configuration is the same as above. Notice that you don't specify a password here. The password is associated with the username and was set above (as the "secret").
    R1(config)# line vty 0 15
    R1(config-line)# transport input ssh
    R1(config-line)# login local           // Use the local user database.
    R1(config-line)# logging synchronous
    R1(config-line)# exec-timeout 15
    R1(config-line)# exit

You can check your work using:

    R1> show ip ssh

A Note About Switches
=====================

Switches can be configured in a similar way, except that since they don't theoretically need IP addresses (switches are layer 2 devices and independent of the network protocol), it is necessary to create a switch virtual interface (SVI) connected to some VLAN before one can actually connect to a switch remotely. VLAN 1 is pre-defined, so I will use it below.

In the example below, the IP address 192.168.1.3/24 is assigned to the SVI (using a netmask to define the network address). Obviously, you will need to use an address that is appropriate for your circumstances.

    S1(config)# interface vlan 1
    S1(config-if)# ip address 192.168.1.3 255.255.255.0
    S1(config-if)# no shutdown
    S1(config-if)# exit

In the router case, you can connect to any of the IP addresses associated with the router's interfaces.

Don't Forget!!
==============

When you are setting up a device, don't forget to save the configuration you created. Otherwise, when (or if) the device is rebooted, all your configuration changes will be lost.

    R1# copy running-config startup-config

Notice that this is done in privileged mode, outside of configuration mode. The name 'running-config' is special. It refers to the configuration the device is currently using (after your changes). The name 'startup-config' refers to a non-volatile storage file that holds the configuration read by the system when it boots.
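Once the configuration has been saved, it is worth checking it against the settings above, either on the device with "show running-config" or offline on a copy of that output. The script below is an added example (not from this page and not Cisco code) that audits a saved running-config text for the points discussed here: an "enable secret" with no deprecated "enable password", a MOTD banner, SSH version 2 with the prerequisites for key generation and "login local", and, on the console and vty lines, a login method, an exec-timeout, and SSH-only transport on the vty lines. The configuration text is constructed to resemble "show running-config" output; the hashes in it are placeholders, and the "line vty 0 4" block is deliberately left in the Telnet style so the audit has something to report.

```python
"""Audit a Cisco IOS running-config for the basic settings described above.

Added example, not Cisco code. The sample config is constructed to look like
'show running-config' output and deliberately mixes good and bad settings."""
import re

# Constructed sample; the '5 $1$...' hashes are placeholders, not real output.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password cisco
ip domain-name cislab.vermontstate.edu
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
ip ssh version 2
banner motd ^C
Warning! Unauthorized access is prohibited!
^C
line con 0
 password hamburger
 login
 exec-timeout 15 0
line vty 0 4
 password hamburger
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
 exec-timeout 15 0
end
"""


def parse_config(text):
    """Split a config into global commands and the commands under each 'line'.
    IOS indents sub-mode commands by one space. A banner body sits between two
    copies of its delimiter; it is skipped and the banner is recorded as present."""
    global_cmds, sections, current = [], {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith(" "):
            if current is not None:          # sub-mode command
                sections[current].append(line.strip())
            i += 1
            continue
        current = None
        banner = re.match(r"banner (\S+) (\S+)$", line)
        if banner:
            i += 1
            while i < len(lines) and lines[i].strip() != banner.group(2):
                i += 1                       # skip the banner text
            global_cmds.append(f"banner {banner.group(1)}")
        elif line.startswith("line "):
            current = line
            sections.setdefault(current, [])
        elif line and not line.startswith("!"):
            global_cmds.append(line)
        i += 1
    return global_cmds, sections


def audit(text):
    """Return findings that deviate from the page's recommendations ([] = all passed)."""
    global_cmds, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    if not has("enable secret"):
        findings.append("global: no 'enable secret' configured")
    if has("enable password"):
        findings.append("global: deprecated 'enable password' is set; remove it")
    if not has("banner motd"):
        findings.append("global: no MOTD banner")
    if not has("ip ssh version 2"):
        findings.append("global: SSH is not restricted to version 2")
    if not has("ip domain-name"):
        findings.append("global: no 'ip domain-name' (needed before generating RSA keys)")
    if not has("username "):
        findings.append("global: no local users, so 'login local' would lock everyone out")

    for name, cmds in sections.items():
        if not name.startswith(("line con", "line vty")):
            continue
        line_cmd = lambda prefix: next((c for c in cmds if c.startswith(prefix)), None)
        login = line_cmd("login")
        if login is None:
            findings.append(f"{name}: no 'login', so no password check on this line")
        elif login == "login" and line_cmd("password") is None:
            findings.append(f"{name}: 'login' set but no line password")
        elif login == "login" and name.startswith("line vty"):
            findings.append(f"{name}: shared line password; prefer 'login local'")
        timeout = line_cmd("exec-timeout")
        args = timeout.split()[1:] if timeout else None
        if timeout is None:
            findings.append(f"{name}: no exec-timeout (IOS default is 10 minutes)")
        elif args and all(a == "0" for a in args):
            findings.append(f"{name}: exec-timeout of 0 disables the idle timeout")
        if name.startswith("line vty") and line_cmd("transport input") != "transport input ssh":
            findings.append(f"{name}: transport input should be 'ssh' only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the audit reports the leftover "enable password" and three problems on "line vty 0 4" (shared line password, no exec-timeout, Telnet still allowed), while "line con 0" and "line vty 5 15" pass. Feed it the text of "show running-config" from a real device to check your own work.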