Cisco Router Setup Guide and Tutorial Howto With Commands and Examples

On most Cisco routers running IOS, I find that ports such as ge0/0, ge0/1 and ge0/2 (or whatever your ports are) are down.  They will not even give you a link light.  So one of the first tasks should be bringing up the port you are working with.

In my case the first goal is often connectivity with the LAN and WAN.

LAN = your local area network (e.g. in the office/home)

WAN = your ISP/public internet (e.g. fiber/cable/DSL/ethernet).

In these examples I assume we have 3 x gigabit ethernet interfaces.

GE0/0, GE0/1, GE0/2

GE0/0 plugged into the WAN / public internet

GE0/1 plugged into the LAN / local net

Log in and bring up GE0/1 (your LAN port), which should be plugged into another switch:

#you can also use int gi0/1 for short

Router>enable
Router#conf t
Router(config)#interface gigabitethernet0/1
Router(config-if)#no shutdown

 

*Mar 25 20:39:21.151: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 25 20:39:23.695: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 25 20:39:24.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
 

Assign an IP address to an interface:

Router(config-if)#int gi0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0

You should be able to ping this IP from devices connected to the switch provided that they are on the same VLAN as the port that you have plugged into on the switch.  You should also be able to ping other devices on your LAN from the router interface successfully.

Create a DHCP Pool for this network:

#let's run our own DNS
R1(config)#ip dns server
R1(config)#ip dhcp pool nat
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
#specify ourselves/own DNS as the DNS server for clients to use
R1(dhcp-config)#dns-server 192.168.1.1
#go back to our main config and make sure we exclude the router address
R1(config)#ip dhcp excluded-address 192.168.1.1

 

show interface status/brief details:

show interface gi0/0      
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 881d.fc4f.4500 (bia ----------------)
  Internet address is 199.24.89.101/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     791 packets input, 91550 bytes, 0 no buffer
     Received 784 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 27 multicast, 0 pause input
     80 packets output, 10098 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     13 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

 

show the ip of an interface:

show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 199.24.89.101/25
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

 

Show routing table:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      199.81.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        199.81.89.0/25 is directly connected, GigabitEthernet0/0
L        199.81.89.101/32 is directly connected, GigabitEthernet0/0
S        199.81.204.103/32 [254/0] via 199.81.89.126, GigabitEthernet0/0
      10.20.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        10.20.1.0/24 is directly connected, GigabitEthernet0/1
L        10.20.1.1/32 is directly connected, GigabitEthernet0/1

 

Show arp table:

Switch#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.25.20.20             -   0000.0000.0000  ARPA   Vlan7
Internet  192.168.1.1             0   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.3             7   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.2             -   0000.0000.0000  ARPA   Vlan9

 

In the above example .1 is our own router gi0/1 IP, .2 is the switch and .3 is a client device.  The 10.25.20.20 is assigned to another VLAN (7) on the switch.

Set hostname

Router(config)#hostname realtechtalk.com
realtechtalk.com(config)#

 

Enable http/https Web Server

Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...

Enable SSH Server

#Set a domain name, username and password

Router(config)#ip domain-name realtechtalk.com
Router(config)#username testuser privilege 15 Password realechtalk.compass

#create your SSH RSA keys

crypto key generate rsa                  

#I choose at least a key size of 4096

   
The name for the keys will be: realtechtalk.com.realtechtalk.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 43 seconds)

Router(config-line)#line vty 0         
Router(config-line)#transport input ssh
Router(config-line)#password realtechtalk.com     
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#banner motd "realtechtalk.com"
Router(config-line)#exit

Change SSH Port

Here we change the port to 3599 for rotary value 1 (or whatever number we specify for rotary).

realtechtalk.com(config)#ip ssh port 3599 rotary 1

Then take the rotary value and assign it to line vty 0 (or whatever vty you used for your SSH):

realtechtalk.com(config)#line vty 0
realtechtalk.com(config-line)#rotary 1

If you want only the new SSH port to be reachable, add an ACL that blocks port 22:
 

#do not forget the permit ip any any after the deny or you will have blocked your new SSH port too!

realtechtalk.com(config)#ip access-list extended sshblock
realtechtalk.com(config-ext-nacl)#deny tcp any any eq 22
realtechtalk.com(config-ext-nacl)#permit ip any any
realtechtalk.com(config-ext-nacl)#line vty 0
realtechtalk.com(config-line)#access-class sshblock in

 

Is SSH enabled?

realtechtalk.com#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 50 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):


 

#sometimes there are issues logging in:

 

ssh testuser@192.168.1.1
Connection closed by 192.168.1.1

The error above, where you do not get a password prompt from SSH, is caused by your client and also Cisco.  If you check the logs, you will see that the client often tries to send your RSA key to authenticate, and when that fails the router also says your password failed (even though it never prompted you!).  I am thinking it is a bug.  If you have client-side SSH keys you need to make sure you DO NOT send them by using this option on the client side:

ssh -o PubkeyAuthentication=no user@10.10.10.1

debug ip ssh

*Mar 26 21:20:23.079: SSH2 0: MAC compared for #6 :ok
*Mar 26 21:20:23.079: SSH2 0: input: padlength 10 bytes
*Mar 26 21:20:23.079: SSH2 0: Using method = publickey
*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST
*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found
*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'
*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser


The client-side ssh -v shows about the same, and basically it never prompts for a password.

Who is connected to SSH?

show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.

 

Enable password (also works for http/https/ssh/telnet)

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable password realtechtalk.com
Router(config)#end
Router#wr
Building configuration...

Enable telnet password:

R1(config)#line vty 0 1
R1(config-line)#password realtechtalk.com

 

You need a vty password set otherwise you won't be able to telnet in:

Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.


Password required, but none set
Connection closed by foreign host.
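To check a saved configuration for the management settings used in this guide, the following added example (not part of the original article) scans running-config text for `enable password`, `username ... password`, the cleartext `ip http server`, and any vty block without `transport input ssh`. The sample config, its placeholder passwords and the `audit`/`vty_blocks` names are constructed for illustration.

```python
import re

# Constructed running-config fragment using the management settings from this guide.
SAMPLE_CONFIG = """\
enable password EXAMPLE-ONLY
username testuser privilege 15 password 0 EXAMPLE-ONLY
ip http server
ip http secure-server
line vty 0
 password EXAMPLE-ONLY
 login
 transport input ssh
line vty 1
 password EXAMPLE-ONLY
 login
"""

GLOBAL_CHECKS = [
    (r"^enable password\b",
     "stored in cleartext or reversible type 7; prefer enable secret"),
    (r"^username \S+ .*\bpassword\b",
     "stored in cleartext or reversible type 7; prefer username ... secret"),
    (r"^ip http server\b", "cleartext HTTP management is enabled"),
]

def vty_blocks(config):
    """Return [(header, [sub-commands])] for each 'line vty' block."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends any open block
            current = (line.strip(), []) if line.startswith("line vty") else None
            if current:
                blocks.append(current)
        elif current:
            current[1].append(line.strip())
    return blocks

def audit(config):
    """Return a list of (config line, finding) tuples."""
    findings = []
    for line in config.splitlines():
        for pattern, message in GLOBAL_CHECKS:
            if re.search(pattern, line):
                findings.append((line.strip(), message))
    for header, body in vty_blocks(config):
        if "transport input ssh" not in body:
            findings.append((header, "vty not restricted to SSH; telnet may be accepted"))
    return findings
```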
 

 

Setting Up NAT in 4 commands

The following assumes gi0/0 is the WAN and gi0/1 points to the LAN.

#first let's create our access list, which in our case is the subnet to be used for the internal NAT: 192.168.1.0/24
#standard ACLs take a wildcard (inverse) mask, so the /24 is written 0.0.0.255

realtechtalk.com(config)#access-list 23 permit 192.168.1.0 0.0.0.255
realtechtalk.com(config)#access-list 199 permit ip any any

#create NAT overload on our outside interface (gi0/0) pointing to the inside
#list 199 matches all traffic; reference list 23 here instead to NAT only the LAN subnet

realtechtalk.com(config)#ip nat inside source list 199 interface gi0/0 overload

#now define the internal NAT interface (in our case gi0/1 which is connected to our LAN).
realtechtalk.com(config)#int gi0/1
realtechtalk.com(config-if)#ip nat inside

#now we define the external/public/WAN NAT interface
realtechtalk.com(config)#int gi0/0
realtechtalk.com(config-if)#ip nat outside

#if it is still not working, don't forget your default route/last resort, especially if you are using DHCP on gi0/0 (your WAN interface)


ip route 0.0.0.0 0.0.0.0 dhcp
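An added example (not from the original article) of how IOS evaluates the wildcard mask in a standard ACL entry such as the NAT source list above, comparing the correct 192.168.1.0/24 entry with two miswritten forms. The three entries are constructed sample input and the function names are illustrative.

```python
import ipaddress

def parse_standard_ace(line):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' into (action, addr, wildcard)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a standard ACL entry: %r" % line)
    if tok[3] == "any":
        return tok[2], 0, 0xFFFFFFFF
    if tok[3] == "host":
        return tok[2], int(ipaddress.IPv4Address(tok[4])), 0
    addr = int(ipaddress.IPv4Address(tok[3]))
    # With no wildcard given, a standard ACL entry matches that single address only.
    wild = int(ipaddress.IPv4Address(tok[4])) if len(tok) > 4 else 0
    return tok[2], addr, wild

def ace_matches(line, source_ip):
    """True if source_ip matches the entry; bits set in the wildcard are ignored."""
    _, addr, wild = parse_standard_ace(line)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(source_ip)) & care) == (addr & care)

def acl_permits(lines, source_ip):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in lines:
        if ace_matches(line, source_ip):
            return parse_standard_ace(line)[0] == "permit"
    return False

# Constructed entries: three ways someone might try to write 192.168.1.0/24.
NO_WILDCARD = "access-list 23 permit 192.168.1.0"                # one host only
NETMASK_AS_WILDCARD = "access-list 23 permit 0.0.0.0 255.255.255.0"  # any x.x.x.0
CORRECT = "access-list 23 permit 192.168.1.0 0.0.0.255"          # the whole /24

if __name__ == "__main__":
    for ip in ("192.168.1.0", "192.168.1.50", "8.8.4.0", "10.0.0.5"):
        hits = [ace_matches(a, ip) for a in (NO_WILDCARD, NETMASK_AS_WILDCARD, CORRECT)]
        print(ip, hits)
```

A LAN client at 192.168.1.50 matches only the third form, so a NAT rule that referenced either of the first two would not translate it.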

 

