Cisco: IOS basics

The boot, the behaviour and its use.

Boot process

Before we get into the boot process, here are few things you need to know:

  • ROM = Read only memory, stores the POST, bootstrap, ROMMON and mini IOS.
  • POST = Power on self test, in this process the Cisco device does a diagnosis on itself to see where components are failed or fully operational.
  • Bootstrap = Controls the boot process of IOS. Basically the same your computer’s BIOS.
  • ROMMON = ROM monitor, a small form of IOS that allows you to perform diagnosis as well as changing the boot behaviour of the Cisco device.
  • Mini IOS = A stripped down version of the full IOS that is just enough to get a network connection and load an IOS image through TFTP.

Furthermore, in terms of storage, the flash memory is like a USB stick files and firmware can be stored on here.
The NVRAM is non-volatile RAM, which is used to store the configuration files onto. This is actually RAM, but powered by a battery, just like the battery on your motherboard.
RAM is used to decompress the Cisco IOS image onto as well as the running-config file. Along with that any other things as ARP, routing tables and much, much more.

Cisco device boot sequence

IOS: Behaviour and use

IOS CLI modes

IOS has several different layers it works at. Each layer will grant you different amounts of access to the settings and diagnostics the system offers to you.

  • User mode: User EXEC mode gives you the most limited features available. This’ll, for instance, include:
    Ping/traceroute, show (with limited options), enable (to get to privileged mode) and Telnet/SSH.
  • Privileged mode: Privileged EXEC mode gives you more options in terms of troubleshooting and verifying configuration (changes) with the User EXEC mode commands included. This can include:
    Debug, reload, configure (to get to global configuration mode),  show the running configuration.
  • Global configuration mode: Global configuration EXEC mode allows you to apply changes to settings on the device.
    These can be:
    Hostname, enable secret (to apply a password), ip route, interface x/y/z, line, router.
  • Interface configuration mode: Interface configuration mode is entered once you use the ‘interface’. It’ll allow you to apply settings to one or multiple interfaces. Command that can be used are, for instance:
    ip address, shutdown, encapsulation, speed, duplex.
  • Line configuration mode: This mode allows you to configure a line. This line allows you to connect to the device either by console cable (line console) or SSH/Telnet (line VTY). From here you can change settings like:
    Password, login, motd-banner.

Using the ‘no’ command before any command, where it can be applied, will either cause that setting to be reverted back to default.

Your first configuration

Under here will be a few, most used, basic configurations to get you a bit familiar with IOS.

You first step will be to place router in Packet Tracer. If you don’t have it already, you can go to this page.

Once you’re done, get a Cisco 1941 router in Packet Tracer by clicking on the router and then clicking in the field above. Any other model will do (including switches, except for a few commands), the 1941 is just used in this example.

To configure the router, click on it. This will open a separate window. At the top you’ll have four different tabs, click on CLI.
You may see that the device is still booting up, if not it’ll ask you the following:

Would you like to enter the initial configuration dialog? [yes/no]:

With this option just type ‘no’ and hit enter. Now you’re all up and ready to configure and you’ll see the following at the bottom of the command line:

router>

The ‘>’ symbol on the end indicates you’re in user EXEC mode. Type the following command to elevate yourself to privileged mode and then the command underneath it to get to global configuration mode:

enable
configure terminal

You might have noticed the ‘>’ changed to a ‘#’ symbol this means you’re now in privileged mode. The ‘(config)’ part indicates you’re in global configuration mode. Now you’re ready to configure!

Securing your device and enabling remote access

One of the most important things for networking equipment is to secure the device with a password and a MOTD (Message Of The Day) banner. The latter is mainly for legal reasons, if they would break in and you wouldn’t have a MOTD you most likely lose that fight in court.

To set a password use the following command followed by:

enable password Cisco
service password-encryption

These two commands will firstly give the enable command a password of ‘Cisco’ and it’ll encrypt the password at a basic level then when you would review the configuration it wouldn’t just show the password to you, or anyone watching over your shoulder.

After this, set a MOTD by using the following command:

banner-motd &
Please, do not enter this device without permission. Actions will be logged!
&

This command will apply the message on the middle row and will show it once you try to log in on the Cisco device. The ‘&’ can be anything you want, but must never be used in the whole message as this symbol will mark both the start and end of the message.

Now we want to enable SSH. SSH is a more secure way of controlling the device remotely than with using Telnet.
To enable SSH, we first need a different hostname and make the device member of a domain (which doesn’t have to exist), to set the hostname use the following command:

hostname IOS-Basics
ip domain name mydomain.int

This will change the hostname to ‘IOS-Basics’ and set the domain to ‘mydomain.int’.

After this use the following command to generate RSA keys which are required to let SSH work:

crypto key generate rsa

After this we want to create a new user so we are able to log into the device with SSH remotely.
Use the following command:

username Cisco password Cisco

After this we want to enable local login for both SSH and console as well as disabling Telnet, otherwise the new user cannot be used. Do this with the following commands:

line vty 0 4
login local
transport input ssh
exit
line console 0
login local
exit
Setting an enable password and hiding it in the configuration
Setting a MOTD
Setting a hostname, domain and generating RSA keys
Creating a local user and enabling login capabilities

Nice to have's, but not necessary configuration

Right, now that the device is set up and secure we can change some settings that are not necessary but sure are nice to have and can make life a bit easier.

Normally, if you write down commands and Cisco IOS shows some kind of informational message it will mess up your line of text and makes it hard to read.
Luckily we have a neat command for that to prevent debug and informational text to appear right in between a command you’re typing. To enable this function use the following command:

line vty 0 4
logging synchronous
exit
line console 0
logging synchronous
exit

No that your command line is more clear to read while working with it up next would be a good idea to disable ip domain-lookup’s. Having this option disabled can really make your day a bit less annoying when entering a command wrongly.

Normally, if your command is wrong and thus misinterpreted Cisco IOS will assume you do a domain lookup and start resolving your mistyped command to an IP. Quite annoying at best as you have to wait for a timeout or cancel the command.

To disable that, use the following command in the regular global config mode:

no ip domain-lookup
Cisco IOS command line WITHOUT logging synchronous
Cisco IOS command line WITH logging synchronous
Cisco IOS command line WITH domain-lookup enabled
Cisco IOS command line WITHOUT domain-lookup enabled

Setting an IP and connecting to it

So. To finally put all this into practice. You eventually want to set an IP on the device. To do this, for routers we need to put the IP on an interface, normally. For switches, we need to put the IP on a VLAN. In any case, we both address the VLAN and interface with the ‘interface XYZ ‘command.

For routers. You want to go into the desired interface and add an IP there with the following command:

ip address ###.###.###.### ###.###.###.###

Hereby, the first four octets are the IP. The second four is the subnet mask.

Now you will be able to connect to the device with SSH and its IP address as a destination.

Just be sure to have a host in the same network with a valid IP address or another device outside the network with the proper routes installed.

Setting an IP address to an interface

Wrapping up

Of course, now that we’re done we need to save our configuration. Any settings you apply will be active immediately, but after a reboot of your device, the settings will default back to what has last been saved. In the case of a fresh device it’ll just be the default configuration.

To save the config, use either one of the following commands:

write memory

Or:

copy running-config startup-config

The latter option can be useful in real-case scenarios as it will allow you to save to other destinations.

Saving the configuration in two ways