Cisco Internetwork Operating System (IOS) and Security


The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and most switches. The Cisco IOS is a proprietary operating system that provides routing, switching, internetworking, and telecommunications features. These are some important things that the Cisco router IOS software is responsible for:

1. Carrying network protocols and functions

2. Connecting high-speed traffic between devices

3. Adding security to control access and stop unauthorized network use

4. Providing scalability for ease of network growth and redundancy

5. Supplying network reliability for connecting to network resources

We can access the Cisco IOS through the console port of a router, from a modem connected to the auxiliary (or Aux) port, or over the network through Telnet (or, preferably, SSH).

Connecting to a Cisco Router

We can connect to a Cisco router to configure it, verify its configuration, and check statistics. There are different ways to do this. The first place you would connect to is the console port, usually an RJ-45 (8-pin modular) connection located at the back of the router. You can also connect through the auxiliary port, a second asynchronous line that is configured the same way as the console but is normally used for a modem. The third way to connect to a Cisco router is in-band, over the network, with Telnet (or SSH, covered later on this page).

Bringing Up a Router

When you first bring up a Cisco router, it runs a power-on self-test (POST). If it passes, it looks for and loads the Cisco IOS from flash memory, if an IOS file is present. After the IOS loads, it looks for a valid configuration, the startup-config, stored in nonvolatile RAM (NVRAM). Because the boot sequence can be interrupted from the console to enter ROM monitor mode and bypass the startup-config (this is how password recovery works), anyone with physical access to the console port effectively has full control of the router.
 

  • Router Modes

    Entering the CLI from a Non-ISR Router

    After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called user exec mode (user mode), and it's mostly used to view statistics, but it's also a stepping stone to logging in to privileged mode. We can only view and change the configuration of a Cisco router in privileged exec mode (privileged mode), which you enter with the enable command. Here's how:

    Router>enable

    Router#

    We now end up with a Router# prompt, which indicates that we're in privileged mode, where we can both view and change the router's configuration. We can go back from privileged mode into user mode with the disable command, as seen here:

    Router# disable

    Router>

    At this point, you can type logout from either mode to exit the console:

    Router> logout

    Overview of Router Modes

    To configure from the CLI, you can make global changes to the router by typing configure terminal (or config t for short), which puts you in global configuration mode and changes what's known as the running-config. A global command (a command run from global config) is set only once and affects the entire router. We can type config from the privileged-mode prompt and then just press Enter to take the default of terminal, as seen here:

    Router# config
    Configuring from terminal, memory, or network [terminal]?  [press Enter]
    Router(config)#

    To leave global configuration mode, type exit or press Ctrl-Z:

    Router(config)# exit
    Router#

    Here are the other options under the configure command:

    Router# config ?
      confirm            Confirm replacement of running-config with a new config file
      memory             Configure from NV memory
      network            Configure from a TFTP network host
      overwrite-network  Overwrite NV memory from TFTP network host
      replace            Replace the running-config with a new config file
      terminal           Configure from the terminal

    Note that network and overwrite-network pull a configuration over TFTP, which is neither authenticated nor encrypted, so they should only be used on a network you control.

    Interfaces

    To make changes to an interface, you use the interface command from global configuration mode:

    Router(config)# interface ?
      Async              Async interface
      BVI                Bridge-Group Virtual Interface
      CDMA-Ix            CDMA Ix interface
      CTunnel            CTunnel interface
      Dialer             Dialer interface
      FastEthernet       FastEthernet IEEE 802.3
      Group-Async        Async Group interface
      Lex                Lex interface
      Loopback           Loopback interface
      MFR                Multilink Frame Relay bundle interface
      Multilink          Multilink-group interface
      Null               Null interface
      Port-channel       Ethernet Channel of interfaces
      Serial             Serial
      Tunnel             Tunnel interface
      Vif                PGM Multicast Host interface
      Virtual-PPP        Virtual PPP interface
      Virtual-Template   Virtual Template interface
      Virtual-TokenRing  Virtual Token Ring
      range              interface range command

    Router(config)# interface fastEthernet 0/0
    Router(config-if)#

    Did you notice that the prompt changed to Router(config-if)#? This tells us that we're in interface configuration mode. It would be nice if the prompt also told us which interface we were configuring, but it doesn't, so you really have to pay attention when configuring a router: an address or access list applied to the wrong interface is an easy mistake to make.
     
  • Gathering Basic Routing Information

    The show version command displays the system hardware, the IOS software version and feature set, the boot image, the uptime, and the configuration register. Here's an example:

    Router# show version

    Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)

    The exact version string and feature set (here ADVSECURITYK9 on 12.4(12)) are what you match against vendor advisories when checking whether the device needs an upgrade.
  • Administrative Functions

    The administrative functions that you can configure on a router and switch are hostnames, banners, passwords, and interface descriptions.

    Remember, none of these will make your routers or switches work better or faster, but it's worth taking the time to set them on each of your network devices, because doing so makes troubleshooting and maintaining your network much easier, and the banner and passwords are the first layer of access control on the device.
    1. Hostnames

      We can set the identity of the router with the hostname command. This is only locally significant, which means that it has no bearing on how the router performs name lookups or how the router works on the internetwork.

      Here's an example:

      Router# config t
      Router(config)# hostname Todd
      Todd(config)# hostname Atlanta
      Atlanta(config)# hostname Todd
      Todd(config)#
      
    2. Banners

      A banner is more than just a little cool. One very good reason for having a banner is to give any and all who attempt to telnet or dial into our internetwork a security notice, and we can create a banner to give anyone who shows up on the router exactly the information we want them to have. Two kinds of banner are covered here, the login banner and the message-of-the-day banner (both illustrated in the following code). Keep in mind that a banner is a legal notice, not an access control: it should state that access is restricted and monitored, and it should not reveal the device's role, location, or software version.

      Router(config)# banner ?
        login  Set login banner
        motd   Set Message of the Day banner
      


      Message of the day (MOTD) is the most extensively used banner. It gives a message to every person dialing into or connecting to the router via Telnet, the auxiliary port, or even the console port, as seen here:

      Router(config)# banner motd ?
        LINE  c banner-text c, where 'c' is a delimiting character
      Router(config)# banner motd #
      Enter TEXT message.  End with the character '#'.
      $ Acme.com network, then you must disconnect immediately. #
      Router(config)# ^Z
      Router#

      (The $ at the start of the text line is IOS showing that a line longer than the terminal width has been scrolled horizontally; it is not part of the banner.) The same banner can also be entered on a single line, here with x as the delimiter:

      Router(config)# banner motd x Unauthorized access prohibited! x

      The delimiting character must not appear inside the banner text itself, because its first occurrence ends the banner.
      


      Login banner

      We can configure a login banner to be displayed on all connected terminals. It is displayed after the MOTD banner but before the login prompts. The login banner can't be disabled on a per-line basis, so to disable it globally you have to delete it with the no banner login command.
    3. Setting Passwords

      Five passwords are used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. The enable secret and enable password both protect privileged mode: the router prompts for one of them when the enable command is used. The other three are used to configure a password for user mode when it is accessed through the console port, through the auxiliary port, or via Telnet. The difference that matters for security is how they are stored: enable secret is stored as a one-way hash, while enable password and the line passwords are stored in clear text unless password encryption is turned on, and even then only in a reversible form (see Encrypting Your Passwords below).

      Enable Passwords

      We set the enable passwords from global configuration mode like this:

      Router(config)# enable ?
        password  Assign the privileged level password
        secret    Assign the privileged level secret

      Here is what happens if we try to set the enable secret and the enable password to the same value:

      Router(config)# enable secret Todd
      Router(config)# enable password Todd
      The enable password you have chosen is the same as your enable secret.
      This is not recommended.  Re-enter the enable password.

      The router gives a polite warning to change the second password, because the secret is hashed while the enable password is not: with both set to the same value, reading the weak one gives away the strong one. When both are configured, the enable secret is the one the router actually uses. If you don't have older legacy routers (IOS releases that don't understand enable secret), don't bother setting the enable password at all.

      User-mode passwords are assigned by using the line command:

      Router(config)# line ?
      <0-337> First Line number
      aux      Auxiliary line
      console  Primary terminal line
      tty      Terminal controller
      vty      Virtual terminal
      x/y      Slot/Port for Modems
      x/y/z    Slot/Subslot/Port for Modems


      Here are the lines to be concerned with:

      aux

      Sets the user-mode password for the auxiliary port. It's usually used for attaching a modem to the router, but it can be used as a console as well.

      console

      Sets a console user-mode password.

      vty

      Sets a Telnet password on the router. If this password isn't set, Telnet can't be used by default: the VTY lines come with login configured but no password, so the router refuses the connection with "Password required, but none set".

      To configure the user-mode passwords, you configure the line you want and use either the login or no login command to tell the router whether to prompt for authentication. A line with login but no password rejects every login; a line with no login accepts every connection without asking for a password, which is why no login must never be left on the vty lines. The next sections provide a line-by-line example of the configuration of each line.

      Auxiliary Password

      To configure the auxiliary password, go into global configuration mode and type line aux ?. We can see here that you only get a choice of 0-0 (that's because there's only one port):

      Router# config t
      Router(config)# line aux ?
        <0-0>  First Line number
      Router(config)# line aux 0
      Router(config-line)# password cisco
      Router(config-line)# login
      Router(config-line)# exit
      


      Console Password

      To set the console password, use the line console 0 command:

      Router# config t
      Router(config)# line console 0
      Router(config-line)# password cisco
      Router(config-line)# login
      Router(config-line)# exit
      


      Telnet Password

      The VTY lines are the virtual terminals that Telnet (and SSH) sessions land on. The highest line number depends on the platform: line vty 0 ? shows it, 1180 on the router used here, while many platforms offer 0-4 or 0-15. Configuring the whole range at once makes sure no VTY is left without a password:

      Router# config t
      Router(config)# line vty 0 1180
      Router(config-line)# password telnet
      Router(config-line)# login
      


      Encrypting Your Passwords

      Only the enable secret is protected by default, and it is hashed rather than encrypted. The user-mode (line) passwords and the enable password are stored in the configuration in clear text, so anyone who can run show running-config, or who obtains a backup of the config, reads them directly. The service password-encryption command makes IOS store those passwords in its type 7 format instead:

      Router# config t
      Router(config)# service password-encryption
      Router(config)# exit
      Router# sh run
      Router# config t
      Router(config)# no service password-encryption
      Router(config)# ^Z

      Running show run after enabling the command shows the line passwords as password 7 followed by a hex string. Two caveats: type 7 is a reversible encoding with a fixed, publicly known key, so it only protects against someone reading the screen over your shoulder, not against anyone who has the config file; and turning the command off again (the last step above) leaves passwords that were already encoded as they are, while passwords set afterwards go back to clear text. Use enable secret, and username ... secret for local accounts, for anything that has to resist an offline attack.
      
  • Setting Up Secure Shell (SSH)

    Instead of Telnet, you can use Secure Shell (SSH), which creates a more secure session than Telnet: Telnet sends everything, including your username and password, as an unencrypted data stream, while SSH authenticates the router to the client with its RSA host key and encrypts the whole session. Here are the steps for setting up SSH:
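    As an added example (not code from the original page), the following Python script does what a reviewer of the password and SSH settings on this page would want to do: it decodes the type 7 strings that service password-encryption produces, showing that they give the passwords straight back, and it checks a configuration for the weak settings discussed under Setting Passwords and Encrypting Your Passwords above and for the SSH settings described here. The two configurations embedded in it are constructed for illustration; the hostname, domain name, account name and passphrases in them are made up, and the hardened one is written as the commands you would type in global configuration mode. The type 7 key is Cisco's published constant, not something this example introduces.

```python
"""Added example (not code from the page): audit a Cisco IOS configuration
for weak credential and remote-access settings, and decode the type 7
strings that service password-encryption produces."""
import re

# Cisco's published type 7 key.  It is the same on every IOS device, which is
# why type 7 is obfuscation rather than protection.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes,
    each XORed with the key byte at (seed + position) mod len(key)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce what IOS writes for a line password once service
    password-encryption is on (IOS picks a seed between 0 and 15)."""
    data = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{data.hex().upper()}"


def audit_config(config: str) -> list:
    """Return the findings a reviewer would raise against an IOS config text."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    section = "(global)"
    for raw in lines:
        if raw and not raw.startswith(" ") and raw != "!":
            section = raw.strip()  # e.g. "line vty 0 4"; its passwords are indented below it
        s = raw.strip()
        if (m := re.match(r"enable password (?:0 )?(\S+)$", s)):
            findings.append(f"enable password in clear text ({m[1]!r}); use enable secret")
        elif (m := re.match(r"enable password 7 (\S+)$", s)):
            findings.append(f"enable password type 7 decodes to {type7_decode(m[1])!r}; use enable secret")
        elif (m := re.match(r"password 7 (\S+)$", s)):
            findings.append(f"{section}: type 7 password decodes to {type7_decode(m[1])!r}")
        elif (m := re.match(r"password (?:0 )?(\S+)$", s)):
            findings.append(f"{section}: clear-text password {m[1]!r}")
        elif (m := re.match(r"transport input (.+)$", s)) and ("telnet" in m[1] or m[1] == "all"):
            findings.append(f"{section}: '{s}' allows Telnet; use transport input ssh")
    stripped = [ln.strip() for ln in lines]
    if "ip ssh version 2" not in stripped:
        findings.append("ip ssh version 2 not set")
    if "service password-encryption" not in stripped:
        findings.append("service password-encryption not set; line passwords are stored in clear text")
    return findings


# Constructed "before" config: the page's line and enable passwords with Telnet
# still open.  The aux password was set while service password-encryption was
# on; the others were set after it was switched off again, so they are clear.
WEAK_CONFIG = """\
enable password cisco
line con 0
 password cisco
 login
line aux 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password telnet
 login
 transport input telnet
"""

# Constructed "after" config, as typed in global configuration mode: a local
# account and enable secret stored as hashes, an RSA host key for SSH, SSH
# version 2 only on the VTY lines, and no EXEC sessions on the aux port.
HARDENED_CONFIG = """\
hostname Router
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
service password-encryption
username admin privilege 15 secret Str0ng-Passphrase
enable secret An0ther-Str0ng-Passphrase
line con 0
 login local
line aux 0
 no exec
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

    Run it directly to print the findings for both configurations; the hardened one produces none. The transport check is deliberately strict: only transport input ssh passes, because both all and telnet keep the clear-text path open, and the audit treats a missing service password-encryption as a finding even though, as shown above, type 7 is only a deterrent against casual reading.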
  • Configuring an IP Address on an Interface

    Even though you don't have to use IP on your routers, it's most often what people actually use. To configure an IP address on an interface, use the ip address command from interface configuration mode:

    Router(config)# int f0/1
    Router(config-if)# ip address 172.16.10.2 255.255.255.0

    Don't forget to enable the interface with the no shutdown command. If you type another ip address command on the same interface and press Enter, it replaces the existing IP address and mask, so there is no need to remove the old one first. If you want to add a second subnet address to an interface instead, you have to use the secondary parameter:

    Router(config-if)# ip address 172.16.20.2 255.255.255.0 ?
      secondary  Make this IP address a secondary address
      <cr>
    Router(config-if)# ip address 172.16.20.2 255.255.255.0 secondary
    Router(config-if)# do sh run

    (The do prefix lets you run a privileged-mode command such as show run without leaving configuration mode.)
    

h4 ExamMATE


Copyright ©2015 h4exammate.com, All Rights Reserved. h4 ExamMATE™ is a registered trademark of Hub4tech Portal Services Pvt. Ltd.
All trademarks and logos appearing on this website are the property of their respective owners.