Cisco Router Setup Guide and Tutorial Howto With Commands and Examples

On most Cisco IOS routers I find that the ports (ge0/0, ge0/1, ge0/2 or whatever yours are called) start out shut down.  They will not even give you a link light.  So one of the first tasks should be bringing up the port you are working with.

In my case the first goal is often connectivity with the LAN and WAN.

LAN = your local area network (eg. in the office/home )

WAN = your ISP/public internet (eg. fiber/cable/dsl/ethernet).

How To Reset Cisco Router / Switch to Factory Defaults

How To Reset Cisco Switch / Router Password

How To Upgrade Firmware via tftp/http/ftp

Here are all the methods for copying files to and from the router/switch:

  /erase          Erase destination file system.
  /error          Allow to copy error file.
  /noverify       Don't verify image signature before reload.
  /verify         Verify image signature before reload.
  archive:        Copy from archive: file system
  cns:            Copy from cns: file system
  flash0:         Copy from flash0: file system
  flash1:         Copy from flash1: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  null:           Copy from null: file system
  nvram:          Copy from nvram: file system
  rcp:            Copy from rcp: file system
  running-config  Copy from current system configuration
  scp:            Copy from scp: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tar:            Copy from tar: file system
  tftp:           Copy from tftp: file system
  tmpsys:         Copy from tmpsys: file system
  xmodem:         Copy from xmodem: file system
  ymodem:         Copy from ymodem: file system

Just use the copy tftp flash command, enter the tftp server IP and enter the filename of the firmware.

Router#copy tftp flash
Address or name of remote host []? 172.172.10.2
Source filename []? c2900-universalk9_npe-mz.SPA.153-3.M5.bin
Destination filename [c2900-universalk9_npe-mz.SPA.153-3.M5.bin]?
Accessing tftp://172.172.10.2/c2900-universalk9_npe-mz.SPA.153-3.M5.bin...
Loading c2900-universalk9_npe-mz.SPA.153-3.M5.bin from 172.172.10.2 (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 92449896 bytes]

92449896 bytes copied in 128.440 secs (719791 bytes/sec)

Instead of answering the prompts above, we could have done it in one line:

copy tftp://172.172.10.2/c2900-universalk9_npe-mz.SPA.153-3.M5.bin flash:

 

How do we get the router/switch to use the new firmware?

Just type this in config mode:

boot system flash:yourfilename.bin

Then type end and reload, save the changes if you haven't already, and the router will reboot into the new firmware.

Router(config)#boot system flash:c2900-universalk9_npe-mz.SPA.153-3.M5.bin

Router(config)#end
Router#reload

System configuration has been modified. Save? [yes/no]: yes
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
Building configuration...
[OK]
Proceed with reload? [confirm]
Connection closed by foreign host.

In these examples I assume we have 3 x gigabit ethernet interfaces.

GE0/0, GE0/1, GE0/2

GE0/0 plugged into the WAN / public internet

GE0/1 plugged into the LAN / local net

Login and bring up GE0/1 (your LAN port), which should be plugged into another switch:

#you can also use int gi0/1 for short

Router>enable
Router#conf t
Router(config)#interface gigabitethernet0/1
Router(config-if)#no shutdown

 

*Mar 25 20:39:21.151: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 25 20:39:23.695: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar 25 20:39:24.695: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
 

Assign an IP address to an interface:

Router(config-if)#int gi0/1
Router(config-if)#ip address 192.168.1.1 255.255.255.0

You should be able to ping this IP from devices connected to the switch provided that they are on the same VLAN as the port that you have plugged into on the switch.  You should also be able to ping other devices on your LAN from the router interface successfully.

Create a DHCP Pool for this network:

#let's run our own DNS
R1(config)#ip dns server
R1(config)#ip dhcp pool nat
R1(dhcp-config)#default-router 192.168.1.1
R1(dhcp-config)#network 192.168.1.0 255.255.255.0
#specify ourselves/own DNS as the DNS server for clients to use
R1(dhcp-config)#dns-server 192.168.1.1
#go back to our main config and make sure we exclude the router address
R1(config)#ip dhcp excluded-address 192.168.1.1

 

show interface status/brief details:

show interface gi0/0      
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 881d.fc4f.4500 (bia ----------------)
  Internet address is 199.24.89.101/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     791 packets input, 91550 bytes, 0 no buffer
     Received 784 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 27 multicast, 0 pause input
     80 packets output, 10098 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     13 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
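The show interface output above is long, and the lines that matter when a port will not come up are the first one (admin state and line protocol) and the error counters. The following is an added example, not part of the original post, that parses that output and reports the things a practitioner checks first. The sample text is constructed in the shape of the output shown above (with a few CRC errors added so the check has something to flag).

```python
import re

# Constructed sample in the shape of "show interface gi0/0" output (abbreviated).
# The CRC / input error counters are set to 3 so the health check has something to report.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is 881d.fc4f.4500 (bia ----------------)
  Internet address is 199.24.89.101/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Full Duplex, 1Gbps, media type is RJ45
     791 packets input, 91550 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     80 packets output, 10098 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
"""

# First line: "<name> is <up|down|administratively down>, line protocol is <up|down>"
STATE_RE = re.compile(r"^(?P<name>\S+) is (?P<admin>[\w ]+?), line protocol is (?P<proto>\w+)")
ADDR_RE = re.compile(r"Internet address is (?P<addr>\S+)")
# Counters worth tracking; each appears as "<number> <label>" somewhere in the output.
COUNTER_RE = re.compile(
    r"(\d+) (input errors|CRC|output errors|collisions|interface resets|runts|giants)"
)


def parse_show_interface(text):
    """Extract state, address and selected error counters from show interface output."""
    info = {"name": None, "admin_up": False, "protocol_up": False,
            "address": None, "counters": {}}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            info["name"] = m["name"]
            info["admin_up"] = m["admin"] == "up"
            info["protocol_up"] = m["proto"] == "up"
            continue
        m = ADDR_RE.search(line)
        if m:
            info["address"] = m["addr"]
        for value, label in COUNTER_RE.findall(line):
            info["counters"][label] = int(value)
    return info


def interface_findings(info):
    """Return human-readable problems, in the order an engineer would check them."""
    findings = []
    if not info["admin_up"]:
        findings.append("interface is administratively down (needs 'no shutdown')")
    elif not info["protocol_up"]:
        findings.append("link is up but line protocol is down (check cable/speed/duplex)")
    for label in ("input errors", "CRC", "output errors", "collisions"):
        count = info["counters"].get(label, 0)
        if count > 0:
            findings.append(f"{count} {label}")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    print(parsed["name"], parsed["address"])
    for finding in interface_findings(parsed):
        print("  -", finding)
```

Feed it the real output of show interface (copied from the terminal) and a port that is merely shut down is reported separately from one that has a physical-layer problem, which is the distinction the no shutdown step at the top of this guide is about.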

 

show the ip of an interface:

show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 199.24.89.101/25
  Broadcast address is 255.255.255.255
  Address determined by DHCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, NAT ALG proxy
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect exclude is disabled

 

Show routing table:

show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      199.81.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        199.81.89.0/25 is directly connected, GigabitEthernet0/0
L        199.81.89.101/32 is directly connected, GigabitEthernet0/0
S        199.81.204.103/32 [254/0] via 199.81.89.126, GigabitEthernet0/0
      10.20.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        10.20.1.0/24 is directly connected, GigabitEthernet0/1
L        10.20.1.1/32 is directly connected, GigabitEthernet0/1
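The routing table is the first place to look when the LAN can reach the router but not the internet: there must be a gateway of last resort (the S* 0.0.0.0/0 line) pointing out the WAN interface. As an added example that is not part of the original post, here is a small parser for show ip route output that pulls out each route and answers that question programmatically. The sample is the table shown above, embedded as a string.

```python
import re

# Sample copied from the show ip route output above (the codes legend is omitted).
SAMPLE_SHOW_IP_ROUTE = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      199.81.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        199.81.89.0/25 is directly connected, GigabitEthernet0/0
L        199.81.89.101/32 is directly connected, GigabitEthernet0/0
S        199.81.204.103/32 [254/0] via 199.81.89.126, GigabitEthernet0/0
      10.20.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        10.20.1.0/24 is directly connected, GigabitEthernet0/1
L        10.20.1.1/32 is directly connected, GigabitEthernet0/1
"""

# One route line: code (S, S*, C, L, ...), prefix, optional [AD/metric], optional "via <ip>",
# and the egress interface after the last comma. Indented "is variably subnetted" lines
# start with whitespace and are skipped by the ^ anchor.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?"
    r".*?,\s+(?P<iface>\S+)$"
)


def parse_routes(text):
    """Return a list of dicts, one per route line, with numeric AD/metric where present."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        route = m.groupdict()
        route["ad"] = int(route["ad"]) if route["ad"] else None
        route["metric"] = int(route["metric"]) if route["metric"] else None
        routes.append(route)
    return routes


def default_route(routes):
    """The 0.0.0.0/0 entry (gateway of last resort), or None if the router has none."""
    return next((r for r in routes if r["prefix"] == "0.0.0.0/0"), None)


def connected_networks(routes):
    """Map each interface to the directly connected (C) network on it."""
    return {r["iface"]: r["prefix"] for r in routes if r["code"] == "C"}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_SHOW_IP_ROUTE)
    gw = default_route(table)
    print("default route:", "none" if gw is None else f"{gw['code']} via {gw['iface']}")
    for iface, prefix in connected_networks(table).items():
        print(f"{iface}: {prefix}")
```

If default_route() comes back None, that is the missing ip route 0.0.0.0 0.0.0.0 ... case that the NAT section at the end of this guide warns about.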

 

Show arp table:

Switch#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.25.20.20             -   0000.0000.0000  ARPA   Vlan7
Internet  192.168.1.1             0   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.3             7   0000.0000.0000  ARPA   Vlan9
Internet  192.168.1.2             -   0000.0000.0000  ARPA   Vlan9

 

In the above example .1 is our own router gi0/1 IP, .2 is the switch and .3 is a client device.  The 10.25.20.20 is assigned to another VLAN (7) on the switch.

Set hostname

Router(config)#hostname realtechtalk.com
realtechtalk.com(config)#

 

Enable http/https Web Server

Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...

Enable SSH Server

#Set a domain name, username and password

Router(config)#ip domain-name realtechtalk.com
Router(config)#username testuser privilege 15 password realechtalk.compass

#create your SSH RSA keys

crypto key generate rsa                  

#I choose a key size of at least 4096 bits

   
The name for the keys will be: realtechtalk.com.realtechtalk.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 43 seconds)

Router(config)#line vty 0
Router(config-line)#transport input ssh
Router(config-line)#password realtechtalk.com     
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#banner motd "realtechtalk.com"
Router(config-line)#exit

Change SSH Port

Here we change the port to 3599 for rotary value 1 (or whatever number we specify for rotary).

realtechtalk.com(config)#ip ssh port 3599 rotary 1

Then take the rotary value and assign it to line vty 0 (or whatever vty you used for your SSH):

realtechtalk.com(config)#line vty 0
realtechtalk.com(config-line)#rotary 1

If you want only the new SSH port to be reachable, add an ACL like the following to the vty line to block the default port 22:

#do not forget the permit ip any any after the deny or you will have blocked your new SSH port too!

realtechtalk.com(config)#ip access-list extended sshblock
realtechtalk.com(config-ext-nacl)#deny tcp any any eq 22
realtechtalk.com(config-ext-nacl)#permit ip any any
realtechtalk.com(config-ext-nacl)#line vty 0
realtechtalk.com(config-line)#access-class sshblock in

 

Is SSH enabled?

realtechtalk.com#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication timeout: 50 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):


 

#sometimes there are issues logging in:

 

ssh testuser@192.168.1.1
Connection closed by 192.168.1.1

The error above, where you never get a password prompt from SSH, is caused by a combination of your client and the Cisco side.  If you check the router logs you will see that the client first tries to authenticate with its RSA key; when that fails the router also reports the password as failed (even though it never prompted you!).  I am thinking it is a bug.  If you have client-side SSH keys you need to make sure you DO NOT send them, by using this option on the client side:

ssh -o PubkeyAuthentication=no user@10.10.10.1

debug ip ssh

*Mar 26 21:20:23.079: SSH2 0: MAC compared for #6 :ok
*Mar 26 21:20:23.079: SSH2 0: input: padlength 10 bytes
*Mar 26 21:20:23.079: SSH2 0: Using method = publickey
*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST
*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found
*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'
*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser


The client side ssh -v shows about the same thing, and basically it never prompts for a password.
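The pattern in the debug ip ssh output above (Publickey ... not found, followed immediately by password authentication failed for the same session without the password method ever being used) is easy to miss when the debug is scrolling past. The following added example, which is not from the original post, groups debug lines by SSH session number and flags exactly that sequence. The first five sample lines are the ones shown above; the session 1 lines are constructed to show a session where the password method actually ran.

```python
import re

# Sample debug lines: session 0 is copied from the debug output above,
# session 1 is constructed as a contrast (password method actually attempted, no failure).
DEBUG_SSH_LINES = [
    "*Mar 26 21:20:23.079: SSH2 0: Using method = publickey",
    "*Mar 26 21:20:23.079: SSH2 0: Verifying pubkey blob is acceptable for 'testuser' in SSH2_MSG_USERAUTH_REQUEST",
    "*Mar 26 21:20:23.079: SSH2 0: Publickey for 'testuser' not found",
    "*Mar 26 21:20:23.079: SSH2 0: Pubkey Authentication failed for user 'testuser'",
    "*Mar 26 21:20:23.079: SSH0: password authentication failed for testuser",
    "*Mar 26 21:21:05.001: SSH2 1: Using method = password",   # constructed
    "*Mar 26 21:21:07.412: SSH2 1: MAC compared for #8 :ok",   # constructed
]

# IOS prints the session index as "SSH2 <n>:" on protocol lines and "SSH<n>:" on auth lines.
SESSION_RE = re.compile(r"SSH2 (\d+):|SSH(\d+):")

PUBKEY_FALLBACK = ("publickey not found, then password marked failed without a prompt; "
                   "retry the client with -o PubkeyAuthentication=no")


def session_of(line):
    """Return the SSH session number a debug line belongs to, or None."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return int(m.group(1) or m.group(2))


def classify_sessions(lines):
    """Map each session number to a short diagnosis derived from its debug lines."""
    events = {}
    for line in lines:
        sid = session_of(line)
        if sid is not None:
            events.setdefault(sid, []).append(line)

    result = {}
    for sid, ev in events.items():
        pubkey_missing = any("Publickey for" in l and "not found" in l for l in ev)
        pw_failed = any("password authentication failed" in l for l in ev)
        pw_attempted = any("Using method = password" in l for l in ev)
        if pubkey_missing and pw_failed and not pw_attempted:
            result[sid] = PUBKEY_FALLBACK
        elif pw_failed:
            result[sid] = "password rejected"
        else:
            result[sid] = "no failure seen"
    return result


if __name__ == "__main__":
    for sid, verdict in sorted(classify_sessions(DEBUG_SSH_LINES).items()):
        print(f"session {sid}: {verdict}")
```

Pipe a captured debug ip ssh transcript into classify_sessions() one line per list entry; a session tagged with the publickey fallback message is the case described above, and the fix is the client-side option already shown, not a change on the router.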

Who is connected to SSH?

show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.

 

Enable password (also works for http/https/ssh/telnet)

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable password realtechtalk.com
Router(config)#end
Router#wr
Building configuration...

Enable telnet password:

R1(config)#line vty 0 1
R1(config-line)#password realtechtalk.com

 

You need a vty password set otherwise you won't be able to telnet in:

Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.


Password required, but none set
Connection closed by foreign host.
 

 

Setting Up NAT in 4 commands

The following assumes gi0/0 is the WAN and gi0/1 points to the LAN

#first let's create our access list, which in our case is the subnet to be used for the internal NAT, 192.168.1.0/24 (note IOS access lists take a wildcard mask, 0.0.0.255, not the subnet mask)

realtechtalk.com(config)#access-list 23 permit 192.168.1.0 0.0.0.255
realtechtalk.com(config)#access-list 199 permit ip any any

#create NAT overload on our outside interface (gi0/0) pointing to the inside (list 199 translates anything from the inside; use list 23 instead if you want only the LAN subnet translated)

realtechtalk.com(config)#ip nat inside source list 199 interface gi0/0 overload

#now define the internal NAT interface (in our case gi0/1 which is connected to our LAN).
realtechtalk.com(config)#int gi0/1
realtechtalk.com(config-if)#ip nat inside

#now we define the external/public/WAN NAT interface
realtechtalk.com(config)#int gi0/0
realtechtalk.com(config-if)#ip nat outside

#still not working? don't forget your default route/gateway of last resort, especially if you are using DHCP on gi0/0 (your WAN interface)

realtechtalk.com(config)#ip route 0.0.0.0 0.0.0.0 dhcp
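The easiest mistake in this section is the access list: IOS standard ACLs take a wildcard (inverse) mask, so "permit 192.168.1.0" on its own matches only the single address 192.168.1.0, and a subnet mask in the wildcard position matches something else entirely. As an added example that is not from the original post, the code below computes the wildcard mask from CIDR notation, emits the four NAT commands for a given LAN subnet and interface pair, and evaluates what a standard ACL entry actually matches so a wrong mask shows up before it is pasted into the router. The interface names and ACL number are the ones used above; everything else is constructed.

```python
import ipaddress


def wildcard_mask(network):
    """IOS wildcard (inverse) mask for a CIDR network, e.g. 192.168.1.0/24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(network, strict=True).hostmask)


def standard_acl(number, network):
    """One standard ACL line permitting a CIDR network (a /32 becomes a 'host' entry)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen == 32:
        return f"access-list {number} permit host {net.network_address}"
    return f"access-list {number} permit {net.network_address} {net.hostmask}"


def nat_overload_config(acl_number, lan_network, lan_if, wan_if):
    """The NAT overload commands from this guide, with the ACL derived from the LAN subnet."""
    return [
        standard_acl(acl_number, lan_network),
        f"ip nat inside source list {acl_number} interface {wan_if} overload",
        f"interface {lan_if}",
        " ip nat inside",
        f"interface {wan_if}",
        " ip nat outside",
        # default route via the DHCP-learned gateway on the WAN side
        "ip route 0.0.0.0 0.0.0.0 dhcp",
    ]


def acl_entry_matches(entry, ip):
    """Evaluate a standard ACL line against one source IP.

    Returns the entry's action ('permit'/'deny') when the address part matches,
    otherwise None. A bare address with no wildcard means wildcard 0.0.0.0 (that host only).
    """
    parts = entry.split()            # access-list N permit|deny <addr> [<wildcard>] | host <addr> | any
    action, rest = parts[2], parts[3:]
    if rest[0] == "any":
        matched = True
    elif rest[0] == "host":
        matched = ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(rest[1])
    else:
        addr = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        care = 0xFFFFFFFF ^ wild     # bits that must match are the zeros of the wildcard
        matched = (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)
    return action if matched else None


if __name__ == "__main__":
    print("\n".join(nat_overload_config(23, "192.168.1.0/24", "gi0/1", "gi0/0")))
    for entry in ("access-list 23 permit 192.168.1.0 0.0.0.255",
                  "access-list 23 permit 192.168.1.0",
                  "access-list 23 permit 0.0.0.0 255.255.255.0"):
        print(f"{entry!r:55} 192.168.1.77 -> {acl_entry_matches(entry, '192.168.1.77')}")
```

Running it shows that only the wildcard form matches a typical LAN host such as 192.168.1.77; the bare-address form matches just 192.168.1.0, and the subnet-mask-in-wildcard form matches any address ending in .0 on any network, which is not what a NAT inside list is meant to express.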
