In most of the Cisco router IOS I find the ports like ge0/0 ge0/1 and ge0/2 or whatever your ports are down. They will not even give you a link light. So one of the first tasks should be getting the port you are working with up.
In my case the first goal is often connectivity with the LAN and WAN.
LAN = your local area network (eg. in the office/home )
WAN = your ISP/public internet (eg. fiber/cable/dsl/ethernet).
Here are all the methods for copying files to and from the router/switch:
/erase Erase destination file system.
/error Allow to copy error file.
/noverify Don't verify image signature before reload.
/verify Verify image signature before reload.
archive: Copy from archive: file system
cns: Copy from cns: file system
flash0: Copy from flash0: file system
flash1: Copy from flash1: file system
flash: Copy from flash: file system
ftp: Copy from ftp: file system
http: Copy from http: file system
https: Copy from https: file system
null: Copy from null: file system
nvram: Copy from nvram: file system
rcp: Copy from rcp: file system
running-config Copy from current system configuration
scp: Copy from scp: file system
startup-config Copy from startup configuration
system: Copy from system: file system
tar: Copy from tar: file system
tftp: Copy from tftp: file system
tmpsys: Copy from tmpsys: file system
xmodem: Copy from xmodem: file system
ymodem: Copy from ymodem: file system
Just use the copy tftp flash command, enter the tftp server IP and enter the filename of the firmware.
Router#copy tftp flash
Address or name of remote host ? 184.108.40.206
Source filename ? c2900-universalk9_npe-mz.SPA.153-3.M5.bin
Destination filename [c2900-universalk9_npe-mz.SPA.153-3.M5.bin]?
Loading c2900-universalk9_npe-mz.SPA.153-3.M5.bin from 220.127.116.11 (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 92449896 bytes]
92449896 bytes copied in 128.440 secs (719791 bytes/sec)
Instead of the above prompts we could have done this instead:
copy tftp://18.104.22.168/c2900-universalk9_npe-mz.SPA.153-3.M5.bin flash:
How do we get the router/switch to use the new firmware?
Just type this in config mode:
boot system flash:yourfilename.bin
Then you'll type end, reload, save changes if you haven't already and then it will reboot into the new firmware.
Router(config)#boot system flash:c2900-universalk9_npe-mz.SPA.153-3.M5.bin
System configuration has been modified. Save? [yes/no]: yes
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
Proceed with reload? [confirm]
Connection closed by foreign host.
GE0/0, GE0/1, GE0/2
GE0/0 plugged into the WAN / public internet
GE0/1 lugged into the LAN / local net
Login and bring up GE0/1 (your LAN port) which should be plugged into another switch
#you can also use int gi0/1 for short
*Mar 25 20:39:21.151: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 25 20:39:23.695: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 25 20:39:24.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Assign an IP address to an interface:
Router(config-if)#ip address 192.168.1.1 255.255.255.0
You should be able to ping this IP from devices connected to the switch provided that they are on the same VLAN as the port that you have plugged into on the switch. You should also be able to ping other devices on your LAN from the router interface successfully.
Create a DHCP Pool for this network:
#let's run our own DNS
R1(config)#ip dns server
R1(config)#ip dhcp pool nat
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
#specify ourselves/own DNS as the DNS server for clients to use
#go back to our main config and make sure we exclude the router address
R1(config)#ip dhcp excluded-address 192.168.1.1
show interface status/brief details:
show interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is PQ3_TSEC, address is 881d.fc4f.4500 (bia ----------------)
Internet address is 22.214.171.124/25
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:03, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
791 packets input, 91550 bytes, 0 no buffer
Received 784 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 27 multicast, 0 pause input
80 packets output, 10098 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
13 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
show the ip of an interface:
show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 126.96.36.199/25
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Show routing table:
show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/0
188.8.131.52/16 is variably subnetted, 3 subnets, 2 masks
C 184.108.40.206/25 is directly connected, GigabitEthernet0/0
L 220.127.116.11/32 is directly connected, GigabitEthernet0/0
S 18.104.22.168/32 [254/0] via 22.214.171.124, GigabitEthernet0/0
10.20.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 10.20.1.0/24 is directly connected, GigabitEthernet0/1
L 10.20.1.1/32 is directly connected, GigabitEthernet0/1
Show arp table:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.25.20.20 - 0000.0000.0000 ARPA Vlan7
Internet 192.168.1.1 0 0000.0000.0000 ARPA Vlan9
Internet 192.168.1.3 7 0000.0000.0000 ARPA Vlan9
Internet 192.168.1.2 - 0000.0000.0000 ARPA Vlan9
In the above example .1 is our own router gi0/1 IP, .2 is the switch and .3 is a client device. The 10.25.20.20 is assigned to another VLAN (7) on the switch.
Enable http/https Web Server
Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
Enable SSH Server
#Set a domain name, username and password
Router(config)#ip domain-name realtechtalk.com
Router(config)#username testuser privilege 15 Password realechtalk.compass
#create your SSH RSA keys
crypto key generate rsa
#I choose at least a key size of 4096
The name for the keys will be: realtechtalk.com.realtechtalk.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus : 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 43 seconds)
Router(config-line)#line vty 0
Router(config-line)#transport input ssh
Router(config-line)#banner motd "realtechtalk.com"
Change SSH Port
Here we change the port to 3599 for rotary value 1 (or whatever number we specify for rotary).
realtechtalk.com(config)#ip ssh port 3599 rotary 1
Then take the rotary value and assign it to line vty 0 (or whatever vty you used for your SSH):
realtechtalk.com(config)#line vty 0
If you want only the new SSH port to be accessed then follow this to add a proper ACL
#do not forget the permit ip any any after the deny or you will have blocked your new SSH port too!
realtechtalk.com(config)#ip access-list extended sshblock
realtechtalk.com(config-ext-nacl)#deny tcp any any eq 22
realtechtalk.com(config-ext-nacl)#permit ip any any
realtechtalk.com(config-ext-nacl)#line vty 0
realtechtalk.com(config-line)#access-class sshblock in
Is SSH enabled?
realtechtalk.com#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 50 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
#sometimes there are issues logging in:
Connection closed by 192.168.1.1
The error above where you do not get a password prompt from SSH is caused by your client and also Cisco. You see if you check the logs, it will often try to send your RSA key to authenticate, when that fails it also says your password failed (even though it never prompted you!). I am thinking it is a bug. If you have client-side SSH keys you need to make sure you DO NOT send them by using this option on the client side:
ssh -o PubkeyAuthentication=no email@example.com
debug ip ssh
*Mar 26 21:20:23.079: SSH2 0: MAC compared for #6 :ok
*Mar 26 21:20:23.079: SSH2 0: input: padlength 10 bytes
*Mar 26 21:20:23.079: SSH2 0: Using method = publickey
*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST
*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found
*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'
*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser
The client side ssh -v shows abou the same and basically it never prompts for a password.
Who is connected to SSH?
%No SSHv2 server connections running.
%No SSHv1 server connections running.
Enable password (also works for http/https/ssh/telnet)
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password realtechtalk.com
Enable telnet password:
R1(config)#line vty 0 1
You need a vty password set otherwise you won't be able to telnet in:
Connected to 10.10.10.1.
Escape character is '^]'.
Password required, but none set
Connection closed by foreign host.
Setting Up NAT in 4 commands
The following assumes gi0/0 is the WAN and gi0/1 points to the LAN
#first let's create our access list which really in our case is the subnet to be used for the internal NAT 192.168.1.0/24
realtechtalk.com(config)#access-list 23 permit 192.168.1.0
realtechtalk.com(config)#access-list 23 permit 0.0.0.0 255.255.255.0
realtechtalk.com(config)access-list 199 permit ip any any
#create NAT overload on our outside interface (gi0/0) pointing to the inside
realtechtalk.com(config)ip nat inside source list 199 interface gi0/0 overload
#now define the internal NAT interface (in our case gi0/1 which is connected to our LAN).
realtechtalk.com(config-if)#ip nat inside
#now we define the external/public/WAN NAT interface
realtechtalk.com(config-if)#ip nat outside
#not working still don't forget your default route/last resort especially if you are using DHCP on gi0/0 (your WAN interface)
ip route 0.0.0.0 0.0.0.0 dhcp
cisco, router, tutorial, howto, commands, examplesin, ios, ports, ge, tasks, connectivity, lan, wan, eg, isp, fiber, dsl, ethernet, examples, gigabit, interfaces, plugged, lugged, login, int, gi, enable, conf, config, interface, gigabitethernet, shutdown, mar, updown, lineproto, protocol, assign, ip, ping, devices, provided, vlan, successfully, arp, min, hardware, addr, arpa, assigned, hostname, realtechtalk, http, https, server, generating, rsa, exportable, ssh, domain, username, password, testuser, realechtalk, compass, crypto, generate, modulus, choosing, bits, ok, elapsed, telnet, configuration, cntl, z, wr,