Cisco Router Setup Guide and Tutorial Howto With Commands and Examples

On most Cisco IOS routers I find the ports (ge0/0, ge0/1, ge0/2, or whatever your ports are called) are administratively down out of the box.  They will not even give you a link light.  So one of the first tasks should be bringing up the port you are working with.

In my case the first goal is often connectivity with the LAN and WAN.

LAN = your local area network (eg. in the office/home )

WAN = your ISP/public internet (eg. fiber/cable/dsl/ethernet).

In these examples I assume we have 3 x gigabit ethernet interfaces.

GE0/0, GE0/1, GE0/2

GE0/0 plugged into the WAN / public internet

GE0/1 plugged into the LAN / local net

Login and bring up GE0/1 (your LAN port), which should be plugged into another switch:

#you can also use int gi0/1 for short

Router>enable
Router#conf t
Router(config)#interface gigabitethernet0/1
Router(config-if)#no shutdown


*Mar 25 20:39:21.151: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 25 20:39:23.695: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 25 20:39:24.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Assign an IP address to an interface:

Router(config-if)#int gi0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0

You should be able to ping this IP from devices connected to the switch provided that they are on the same VLAN as the port that you have plugged into on the switch.  You should also be able to ping other devices on your LAN from the router interface successfully.

Create a DHCP Pool for this network:

#let's run our own DNS
R1(config)#ip dns server
R1(config)#ip dhcp pool nat
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
#specify ourselves/own DNS as the DNS server for clients to use
R1(dhcp-config)#dns-server 192.168.1.1
#go back to our main config and make sure we exclude the router address
R1(config)#ip dhcp excluded-address 192.168.1.1


Show interface status and details:

show interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 881d.fc4f.4500 (bia ----------------)
  Internet address is 199.24.89.101/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     791 packets input, 91550 bytes, 0 no buffer
     Received 784 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 27 multicast, 0 pause input
     80 packets output, 10098 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     13 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out


show the ip of an interface:

show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 199.24.89.101/25
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled
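Added example (Python, not from the original tutorial): the show ip interface output above tells you a lot about how exposed a WAN port is. This script parses that output (the sample below is the block quoted above, trimmed) and flags the settings you normally turn off on an Internet-facing interface: Proxy ARP, ICMP redirects, directed broadcast forwarding and a missing inbound ACL, each with the interface-mode command that fixes it. The <acl> in the last fix is a placeholder for whatever access list you apply.

```python
import re

# Constructed sample input: the "show ip interface gi0/0" output quoted above,
# trimmed to the lines this audit looks at.
SAMPLE_SHOW_IP_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 199.24.89.101/25
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP route-cache flags are Fast, CEF
  Network address translation is enabled, interface in domain outside
"""

# "<setting> is <value>" / "<setting> are <value>"; the first " is "/" are " splits the line.
_SETTING = re.compile(r"^\s*(.+?)\s+(?:is|are)\s+(.+?)\s*$")
_HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")


def parse_show_ip_interface(text):
    """Turn one 'show ip interface <if>' block into a dict of settings.

    Keys are the setting names as IOS prints them (whitespace normalised),
    plus _name/_state/_protocol from the first line.  Lines without an
    "is"/"are" (e.g. 'Address determined by DHCP') are ignored.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head = _HEADER.match(lines[0].strip())
    if not head:
        raise ValueError("not the output of 'show ip interface'")
    settings = {"_name": head.group(1), "_state": head.group(2), "_protocol": head.group(3)}
    for line in lines[1:]:
        m = _SETTING.match(line)
        if m:
            settings[" ".join(m.group(1).split())] = m.group(2)
    return settings


# (setting, value that means exposure, why it matters, interface-mode command that fixes it)
WAN_RULES = [
    ("Proxy ARP", "enabled",
     "router answers ARP on behalf of other networks on an untrusted link", "no ip proxy-arp"),
    ("ICMP redirects", "always sent",
     "redirects reveal routing details to anyone on the segment", "no ip redirects"),
    ("Directed broadcast forwarding", "enabled",
     "directed broadcasts can be abused for traffic amplification", "no ip directed-broadcast"),
    ("Inbound access list", "not set",
     "nothing filters what the Internet can send at this interface", "ip access-group <acl> in"),
]


def audit_wan_interface(settings):
    """Return the WAN_RULES entries the parsed interface violates."""
    return [
        {"setting": key, "why": why, "fix": fix}
        for key, bad, why, fix in WAN_RULES
        if settings.get(key) == bad
    ]


if __name__ == "__main__":
    parsed = parse_show_ip_interface(SAMPLE_SHOW_IP_INTERFACE)
    print(f"{parsed['_name']} ({parsed['_state']}/{parsed['_protocol']})")
    for f in audit_wan_interface(parsed):
        print(f"  [!] {f['setting']}: {f['why']} -> {f['fix']}")
```

Paste the real output of show ip interface for your WAN port into SAMPLE_SHOW_IP_INTERFACE (or read it from a file) and the three findings for the interface above are Proxy ARP, ICMP redirects and the missing inbound access list; the NAT domain line is kept in the parsed dict so you can also confirm the port is really "outside".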


Show routing table:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      199.81.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        199.81.89.0/25 is directly connected, GigabitEthernet0/0
L        199.81.89.101/32 is directly connected, GigabitEthernet0/0
S        199.81.204.103/32 [254/0] via 199.81.89.126, GigabitEthernet0/0
      10.20.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        10.20.1.0/24 is directly connected, GigabitEthernet0/1
L        10.20.1.1/32 is directly connected, GigabitEthernet0/1


Show arp table:

Switch#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.25.20.20             -   0000.0000.0000  ARPA   Vlan7
Internet  192.168.1.1             0   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.3             7   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.2             -   0000.0000.0000  ARPA   Vlan9


In the above example .1 is our own router gi0/1 IP, .2 is the switch and .3 is a client device.  The 10.25.20.20 is assigned to another VLAN (7) on the switch.

Set hostname

Router(config)#hostname realtechtalk.com
realtechtalk.com(config)#


Enable http/https Web Server

Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...

Enable SSH Server

#Set a domain name, username and password

Router(config)#ip domain-name realtechtalk.com
Router(config)#username testuser privilege 15 password realechtalk.compass

#create your SSH RSA keys

Router(config)#crypto key generate rsa

#I choose a key size of at least 4096 when asked for the modulus below (crypto key generate rsa modulus 4096 does the same without the prompt)

The name for the keys will be: realtechtalk.com.realtechtalk.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 43 seconds)

Router(config)#line vty 0
Router(config-line)#transport input ssh
Router(config-line)#password realtechtalk.com
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#banner motd "realtechtalk.com"
Router(config-line)#exit

Change SSH Port

Here we change the port to 3599 for rotary value 1 (or whatever number we specify for rotary).

realtechtalk.com(config)#ip ssh port 3599 rotary 1

Then take the rotary value and assign it to line vty 0 (or whatever vty you used for your SSH):

realtechtalk.com(config)#line vty 0
realtechtalk.com(config-line)#rotary 1

If you want only the new SSH port to be accessible, follow this to add a proper ACL:

#do not forget the permit ip any any after the deny or you will have blocked your new SSH port too!

realtechtalk.com(config)#ip access-list extended sshblock
realtechtalk.com(config-ext-nacl)#deny tcp any any eq 22
realtechtalk.com(config-ext-nacl)#permit ip any any
realtechtalk.com(config-ext-nacl)#line vty 0
realtechtalk.com(config-line)#access-class sshblock in


Is SSH enabled?

realtechtalk.com#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 50 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
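Added example (Python, not from the tutorial): a quick check of the show ip ssh output above against the settings worth tightening on a router reachable from the WAN. The first sample is the output quoted above (key blob left out); the second is a constructed sample of a router that still accepts SSHv1 (IOS reports that as version 1.99). The thresholds (2048-bit DH minimum, 60 second timeout, 3 retries) are my own defaults, and each finding comes with the global-config command that sets it.

```python
import re

# Constructed sample: the "show ip ssh" output quoted above (key blob omitted).
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 50 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
"""

# Second constructed sample: a router still accepting SSHv1 clients (shown as version 1.99).
SAMPLE_SSH_COMPAT_MODE = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""


def parse_show_ip_ssh(text):
    """Extract the fields we care about from 'show ip ssh' into a dict."""
    info = {"enabled": False, "version": None, "methods": [],
            "timeout": None, "retries": None, "dh_min_bits": None}
    for line in text.splitlines():
        m = re.match(r"SSH (Enabled|Disabled)(?: - version (\S+))?", line)
        if m:
            info["enabled"] = m.group(1) == "Enabled"
            info["version"] = m.group(2)
            continue
        m = re.match(r"Authentication methods:\s*(.+)", line)
        if m:
            info["methods"] = [x.strip() for x in m.group(1).split(",")]
            continue
        m = re.match(r"Authentication timeout:\s*(\d+) secs;\s*Authentication retries:\s*(\d+)", line)
        if m:
            info["timeout"], info["retries"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+) bits", line)
        if m:
            info["dh_min_bits"] = int(m.group(1))
    return info


def ssh_posture_findings(info, min_dh_bits=2048, max_timeout=60, max_retries=3):
    """Return (finding, global-config fix) pairs for settings weaker than the thresholds."""
    if not info["enabled"]:
        # no RSA key pair yet: generating one is what turns the SSH server on
        return [("SSH server is not enabled", "crypto key generate rsa modulus 4096")]
    findings = []
    if info["version"] != "2.0":
        findings.append((f"SSH version {info['version']} still allows SSHv1 clients",
                         "ip ssh version 2"))
    if info["dh_min_bits"] is not None and info["dh_min_bits"] < min_dh_bits:
        findings.append((f"DH minimum {info['dh_min_bits']} bits is below {min_dh_bits}",
                         f"ip ssh dh min size {min_dh_bits}"))
    if info["timeout"] is not None and info["timeout"] > max_timeout:
        findings.append((f"authentication timeout {info['timeout']}s is above {max_timeout}s",
                         f"ip ssh time-out {max_timeout}"))
    if info["retries"] is not None and info["retries"] > max_retries:
        findings.append((f"{info['retries']} authentication retries exceed {max_retries}",
                         f"ip ssh authentication-retries {max_retries}"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_IP_SSH, SAMPLE_SSH_COMPAT_MODE):
        for problem, fix in ssh_posture_findings(parse_show_ip_ssh(sample)):
            print(f"[!] {problem:55s} -> {fix}")
        print("--")
```

For the router above the only finding is the 1024-bit Diffie Hellman minimum; the compat-mode sample trips the version and timeout checks. Run it against the output of each router you manage rather than trusting the defaults.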



#sometimes there are issues logging in:


ssh testuser@192.168.1.1
Connection closed by 192.168.1.1

The error above, where you never get a password prompt from SSH, is caused by your client together with Cisco.  If you check the logs you will see it often tries to send your RSA key to authenticate; when that fails it also reports that your password failed (even though it never prompted you!).  I am thinking it is a bug.  If you have client-side SSH keys you need to make sure you DO NOT send them, by using this option on the client side:

ssh -o PubkeyAuthentication=no user@10.10.10.1

debug ip ssh

*Mar 26 21:20:23.079: SSH2 0: MAC compared for #6 :ok
*Mar 26 21:20:23.079: SSH2 0: input: padlength 10 bytes
*Mar 26 21:20:23.079: SSH2 0: Using method = publickey
*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST
*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found
*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'
*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser


The client side ssh -v shows about the same thing, and basically it never prompts for a password.
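Added example (Python, not from the tutorial): if you keep debug ip ssh output from failed logins, this picks out per session which method the client tried and what the router rejected, and recognises the pattern above (pubkey not found, pubkey failed, then a password failure with no password method ever negotiated) so you can tell it apart from a plain wrong password. The sample is the debug block quoted above; the client fix it suggests is the PubkeyAuthentication=no option already given.

```python
import re

# Constructed sample: the "debug ip ssh" lines quoted above for the closed connection.
SAMPLE_DEBUG = """\
*Mar 26 21:20:23.079: SSH2 0: MAC compared for #6 :ok
*Mar 26 21:20:23.079: SSH2 0: input: padlength 10 bytes
*Mar 26 21:20:23.079: SSH2 0: Using method = publickey
*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST
*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found
*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'
*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser
"""

# Debug lines carry a session id as "SSH2 <n>:" or "SSH<n>:"; everything after it is the message.
_SESSION = re.compile(r"SSH(?:2 )?(\d+):\s*(.*)$")
_EVENTS = [
    (re.compile(r"Using method = (\w+)"), lambda m: ("method", m.group(1))),
    (re.compile(r"Publickey for '([^']+)' not found"), lambda m: ("pubkey_unknown", m.group(1))),
    (re.compile(r"Pubkey Authentication failed for user '([^']+)'"), lambda m: ("pubkey_failed", m.group(1))),
    (re.compile(r"password authentication failed for (\S+)"), lambda m: ("password_failed", m.group(1))),
]


def parse_ssh_debug(text):
    """Group the authentication events of each SSH session: {session: [(event, detail), ...]}."""
    sessions = {}
    for line in text.splitlines():
        s = _SESSION.search(line)
        if not s:
            continue
        sid, message = int(s.group(1)), s.group(2)
        for pattern, make in _EVENTS:
            m = pattern.search(message)
            if m:
                sessions.setdefault(sid, []).append(make(m))
                break
    return sessions


def diagnose_session(events):
    """Explain a failed session; spots the 'no password prompt' case from the tutorial."""
    methods = [d for e, d in events if e == "method"]
    users = {d for e, d in events if e != "method"}
    user = users.pop() if users else None
    pubkey_rejected = any(e == "pubkey_failed" for e, _ in events)
    password_failed = any(e == "password_failed" for e, _ in events)
    if pubkey_rejected and password_failed and "password" not in methods:
        return {
            "user": user,
            "cause": "client offered a public key the router does not know; the router logged "
                     "a pubkey failure and then a password failure without ever negotiating "
                     "the password method, so the client never saw a prompt",
            "client_fix": "ssh -o PubkeyAuthentication=no <user>@<router>",
        }
    if password_failed:
        return {"user": user, "cause": "password rejected", "client_fix": None}
    return {"user": user, "cause": "no authentication failure in this session", "client_fix": None}


if __name__ == "__main__":
    for sid, events in parse_ssh_debug(SAMPLE_DEBUG).items():
        verdict = diagnose_session(events)
        print(f"session {sid} user={verdict['user']}: {verdict['cause']}")
        if verdict["client_fix"]:
            print(f"  try: {verdict['client_fix']}")
```

Feed it the whole debug capture from a terminal session and every SSH session in it gets its own verdict; the "Using method = password" line is what separates a real bad password from the key-first rejection shown above.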

Who is connected to SSH?

show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.


Enable password (also works for http/https/ssh/telnet)

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable password realtechtalk.com
Router(config)#end
Router#wr
Building configuration...

Enable telnet password:

R1(config)#line vty 0 1
R1(config-line)#password realtechtalk.com


You need a vty password set otherwise you won't be able to telnet in:

Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.


Password required, but none set
Connection closed by foreign host.


Setting Up NAT in 4 commands

The following assumes gi0/0 is the WAN and gi0/1 points to the LAN.

#first let's create our access list which really in our case is the subnet to be used for the internal NAT 192.168.1.0/24
#(a standard access list takes the network plus a wildcard mask, so /24 is written as 0.0.0.255)

realtechtalk.com(config)#access-list 23 permit 192.168.1.0 0.0.0.255
realtechtalk.com(config)#access-list 199 permit ip any any

#create NAT overload on our outside interface (gi0/0) pointing to the inside
#(list 199 matches any source; reference list 23 instead if you only want the LAN subnet translated)

realtechtalk.com(config)#ip nat inside source list 199 interface gi0/0 overload

#now define the internal NAT interface (in our case gi0/1 which is connected to our LAN).
realtechtalk.com(config)#int gi0/1
realtechtalk.com(config-if)#ip nat inside

#now we define the external/public/WAN NAT interface
realtechtalk.com(config)#int gi0/0
realtechtalk.com(config-if)#ip nat outside

#still not working?  don't forget your default route/gateway of last resort, especially if you are using DHCP on gi0/0 (your WAN interface)


ip route 0.0.0.0 0.0.0.0 dhcp
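Added example (Python, not from the tutorial): standard access lists take a network plus a wildcard mask, and getting that mask wrong is the usual reason a NAT source list does not match anything. This script renders the correct line for a CIDR, evaluates which source addresses a list would hand to NAT (first match wins, implicit deny at the end, source address only, which is what ip nat inside source list looks at), and shows the difference between list 23 (LAN subnet only) and list 199 (permit ip any any) from the section above. The probe addresses are constructed.

```python
import ipaddress

# Constructed sample: the two NAT access lists from the section above, with the
# standard list written out correctly (network plus wildcard mask).
ACL_LAN_ONLY = ["access-list 23 permit 192.168.1.0 0.0.0.255"]
ACL_ANY = ["access-list 199 permit ip any any"]


def wildcard_mask(prefix_len):
    """IOS wildcard mask for a prefix length: /24 -> 0.0.0.255 (bitwise inverse of the netmask)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def standard_acl_entry(number, cidr, action="permit"):
    """Render 'access-list <n> permit <network> <wildcard>' for a CIDR such as 192.168.1.0/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"access-list {number} {action} {net.network_address} {wildcard_mask(net.prefixlen)}"


def parse_acl(lines):
    """Parse numbered ACL lines into (action, network_int, wildcard_int) source matchers.

    Handles standard entries ('permit A W', 'permit A', 'permit host A', 'permit any')
    and the source part of extended entries ('permit ip A W any', 'permit ip any any').
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, rest = tok[2], tok[3:]
        if rest[0] in ("ip", "tcp", "udp", "icmp"):   # extended list: skip the protocol keyword
            rest = rest[1:]
        if rest[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            net, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            net = int(ipaddress.IPv4Address(rest[0]))
            # a standard entry with no wildcard means a single host (wildcard 0.0.0.0)
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, net, wild))
    return entries


def acl_permits(entries, address):
    """First-match evaluation with IOS's implicit deny at the end of every list."""
    ip = int(ipaddress.IPv4Address(address))
    for action, net, wild in entries:
        # wildcard bits set to 1 are "don't care": compare only the remaining bits
        if (ip | wild) == (net | wild):
            return action == "permit"
    return False


def nat_candidates(acl_lines, sources):
    """Which of the given source addresses the NAT 'source list' would translate."""
    entries = parse_acl(acl_lines)
    return [s for s in sources if acl_permits(entries, s)]


if __name__ == "__main__":
    print(standard_acl_entry(23, "192.168.1.0/24"))
    # constructed sources: two LAN hosts and two addresses that should never be translated
    probes = ["192.168.1.10", "192.168.1.200", "10.20.1.5", "172.16.0.9"]
    print("list 23 :", nat_candidates(ACL_LAN_ONLY, probes))
    print("list 199:", nat_candidates(ACL_ANY, probes))
```

With list 199 every source that arrives on the inside interface gets translated, including addresses that are not yours; list 23 limits it to 192.168.1.0/24, which is what the comment in the section above says the list is for.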
