Connection to Cisco via Putty console. Configure Telnet and Console Access Passwords
Lesson 16. Description of commands and operating system Cisco IOS
Switches can be configured and managed in the following ways:
- Cisco Network Assistant: a free graphical application that allows you to configure up to 80 devices on the network.
- Software supporting the SNMP protocol (Simple Network Management Protocol), for example Cisco Works LAN Management Solution (LMS).
- CiscoView: paid software for configuration and monitoring.
- Command-line terminal, controlled by commands typed by the administrator. To connect to the device you can use programs such as HyperTerminal or PuTTY. The connection is made locally via the serial port or remotely over the network via the Telnet/SSH protocols.
Let us consider connecting to the switch and performing its basic configuration, using the PuTTY program as an example. Since the switch has no configuration yet, we will use the console port; later you can use a remote connection via Telnet/SSH.
The procedure is as follows:
Connect the console cable to the computer and to the console port of the switch.
Launch PuTTY, select a Serial connection at 9600 baud and specify the number of the COM port.
To find out the COM port number, right-click My Computer, open the context menu and choose Manage. In the window that opens, select Device Manager and expand the Ports (COM & LPT) list, where you will see the available COM ports.
On a successful connection, a banner message will be displayed:
Settings in IOS
Cisco switches and routers run the IOS operating system (Internetwork Operating System). We will get to know it better in the following lessons.
Before starting to configure the system, let us get acquainted with the operating modes of IOS.
User mode (User EXEC Mode)
In this mode the console prompt ends with the > sign.
A limited set of commands is available in this mode, for viewing information about the state of the system and basic settings. This mode is available immediately after the terminal connects to the console.
Privileged mode (Privileged EXEC Mode)
In this mode the console prompt ends with the # sign.
Commands are supported for viewing all system settings, various utilities for diagnosing the network and protocols can be launched, and basic system-management commands are available.
To enter this mode from user mode (User EXEC mode), enter the enable command.
To leave this mode and return to User EXEC mode, enter the disable command.
Global configuration mode (Global Configuration Mode)
In this mode the whole system and its protocols are configured. To enter it from Privileged mode, enter the configure terminal command.
To return to Privileged mode, enter the exit command.
To go to User EXEC mode, enter the end command.
The figure below shows the transitions between the modes described above.
Getting started with Cisco switch commands
Before we begin, get to know what hardware you're using, fire up your CLI and download PuTTY.
The first step is to check what hardware you're using before you begin. If you're using a Cisco switch you need to know what model you have. You also want to check the physical state of the device and verify that none of the cables are damaged. You can turn the router on to make sure there is no damage to the lighting/indicators.
Now that you've made sure the device is in working order you're ready to start configuring. In this guide, we're going to perform a Cisco switch configuration through the command-line interface (CLI) with the open-source SSH/Telnet client PuTTY. If for any reason PuTTY is not an option for your setup, you can get similar results with a PuTTY alternative.
Connect the switch to PuTTY
To start configuration, you want to connect the switch console to PuTTY. You can do this as follows:
- Connect the switch to PuTTY with a 9-pin serial cable.
- Now open PuTTY and the PuTTY Configuration window will display. Go to the Connection type settings and check the Serial option (shown below).
- Go to the Category list section on the left-hand side and select the Serial option.
- When the "Options controlling local serial lines" page displays, enter the COM port your switch is connected to in the "Serial line to connect to" box, e.g. COM1.
- Next, enter the digital transmission speed of your switch model. For 300 and 500 series managed switches, this is 115200.
- Go to the Data bits field and enter 8.
- Now go to the Stop bits field and enter 1.
- Click on the Parity drop-down menu and select the None option.
- Go to the Flow control drop-down menu and select the None option.
Save your settings and start the PuTTY CLI
To save your PuTTY settings for your next session, do the following:
- Click on the Session option from the Category list on the left-hand side of the page.
- Go to the Saved Sessions field and enter a name for your settings, e.g. Comparitech.
- Click the Save button to store the settings.
- Press the Open button at the bottom of the page to launch the CLI.
The following message will display in the command prompt:
Basic settings of the Cisco Catalyst switch
In this article I want to introduce you to the settings that any network engineer encounters: the basic settings of the device. More specifically, we will consider the basic settings of a Cisco Catalyst switch. In my example this is a Cisco Catalyst 2950; however, the basic settings are the same for switches of various platforms.
To do this we need a rollover console cable. Connect one end of the rollover console cable to the RJ-45 console port on the switch. Connect the other end of the cable to the serial COM port on the computer. If the computer has no serial COM port, you will need a USB-Serial (DB9) adapter. When using a USB-Serial (DB9) adapter to connect the rollover console cable, it may be necessary to install a driver; it can be downloaded from the site of the adapter's manufacturer. We will also need to know the COM port number in order to make the connection; it can be viewed in Device Manager after connecting the adapter.
The best USB-Serial (DB9) adapter I have had to use is the PL2303 from Prolific Technology Inc. Drivers for this adapter are available for all popular operating systems.
We launch the terminal emulation program PuTTY, specify the COM port number, set the connection parameters as in the figure and click the Open button.
It is also necessary to connect the computer with an ordinary straight-through patch cord to port FastEthernet 0/1 of the switch, as shown in the figure.
So let us start: power on the device. The device performs its Power-On Self-Test (POST), after which the Cisco IOS operating system loads. In my case the device has been reset to factory settings and has no initial configuration file (startup-config). During boot you should see something like this:
If the boot completed normally, you should see the invitation to the configuration dialog; we answer no here, because we will configure everything ourselves.
After that we land at the command line, where we will perform the basic setup.
Next, make sure that the switch has really been reset to factory settings:
Initially we find ourselves in User EXEC mode, which has limited capabilities. This mode looks like this:
We switch to Privileged EXEC mode; to do this, enter the command:
We switch to global configuration mode; to do this, enter the command:
Here we set the name of the switch to switch-floor-1. I recommend giving the device a logical name so that later there is no confusion and it remains obvious what kind of device it is and where it is located.
Be sure to set the password for privileged EXEC mode:
We set the MOTD banner (banner motd), which is displayed before logging in to the system:
Note that the opening delimiter of the message here is # (hash); accordingly, you must end the banner message with the same # (hash).
Check the access settings. To do this, switch between the modes:
Note: the password is not displayed on the screen while it is being typed.
We enable remote management of the switch; for this an IP address must be configured on the Switch Virtual Interface (SVI). Go to global configuration mode and then into the SVI:
Restrict access to the console port. The default configuration allows all console connections without a password:
Let us configure the virtual teletype (VTY) lines of the switch to allow remote access via the Telnet protocol. If you do not configure a VTY password, you will not be able to connect to the switch via Telnet:
Here we set the password for five simultaneous connections; in Cisco IOS the range is given with a space between the two numbers.
Now let us look at the switch settings:
We check the state of the management SVI. The state of the VLAN 1 interface should be up/up, which indicates that it is active and has an IP address assigned. Note that port FastEthernet0/1 is also up, since the computer is connected to it. Since all switch ports belong to VLAN 1 by default, you can reach the switch at the IP address assigned to VLAN 1.
We test the connection between the computer and the switch. Open a command-line window (cmd.exe) on the computer and run the ipconfig command to display information about the IP address.
In the same window, enter the ping command, which is used to check the connection.
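The complete command sequence for the switch bring-up described above (mode transitions, hostname, enable secret, MOTD banner, management SVI, console and VTY passwords, verification), as an added example that is not the article's own listing. It assumes the hostname switch-floor-1 from the text, a management address of 192.168.1.2/24 on VLAN 1, and placeholder passwords that must be replaced with real ones:

```cisco
! Added example, not from the original article. Assumes hostname switch-floor-1,
! management address 192.168.1.2/24 on VLAN 1 and placeholder passwords.
Switch>enable
Switch#configure terminal
Switch(config)#hostname switch-floor-1
! Privileged EXEC password; 'secret' stores a hash rather than the clear text
switch-floor-1(config)#enable secret ENABLE_PASSWORD_PLACEHOLDER
! Login banner; the '#' sign opens and closes the message text
switch-floor-1(config)#banner motd #Authorized access only. Activity is logged.#
! Management SVI so that the switch can be reached over the network
switch-floor-1(config)#interface vlan 1
switch-floor-1(config-if)#ip address 192.168.1.2 255.255.255.0
switch-floor-1(config-if)#no shutdown
switch-floor-1(config-if)#exit
! Console port: require a password instead of the default open access
switch-floor-1(config)#line console 0
switch-floor-1(config-line)#password CONSOLE_PASSWORD_PLACEHOLDER
switch-floor-1(config-line)#login
switch-floor-1(config-line)#exit
! Five virtual terminal lines (0 through 4) for Telnet; without 'login' and a
! password Telnet connections are refused
switch-floor-1(config)#line vty 0 4
switch-floor-1(config-line)#password VTY_PASSWORD_PLACEHOLDER
switch-floor-1(config-line)#login
switch-floor-1(config-line)#end
! Verify: full configuration, state of the SVI and the connected port
switch-floor-1#show running-config
switch-floor-1#show ip interface brief
! Persist the configuration so it survives a reload
switch-floor-1#copy running-config startup-config
```

In show ip interface brief, Vlan1 should read up/up with 192.168.1.2 and FastEthernet0/1 should be up with a computer attached; if Vlan1 stays down, check that no shutdown was entered on the SVI and that at least one port in VLAN 1 is up.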
Comments and opinions of owners
Thanks for the interesting and understandable material! I am happy to read your site! Good luck and prosperity to you!
This is very often necessary if there is no backup.
After I made a backup copy in Cisco configuration mode. Do you need to exit this mode somehow? If so, how? The exit command?? Thank you, useful article!)
You are in enable mode. Either go further with conf t, or exit to leave.
To connect to equipment through the console port, you can use the popular PuTTY utility.
PuTTY is a freely distributed client for various remote-access protocols, including connection through a serial (COM) port, and is simple to install and use.
The screenshots below show the program settings for connecting through the console port; our example shows the parameters for Cisco equipment.
Before connecting, you need to determine the port number in the OS; it is shown in Device Manager in the Ports (COM & LPT) section.
Step 1: Choose the connection type Serial and enter the port number (Serial line), in the example COM1. Go to the Serial category to set the connection parameters.
Step 2: Connection settings:
After setting the connection parameters, press Open and you can start configuring the equipment.
In Linux, you can use the minicom utility.
Minicom is a text-based serial-connection utility (terminal emulator) for Unix-like OS.
The program is usually included in the standard repositories of popular distributions and is installed simply:
Before starting, you need to determine the name of the serial port in the system:
As a rule, the serial port is called /dev/ttyS[0-9]; in the case of USB, /dev/ttyUSB[0-9].
The utility is interactive; use the arrow keys to navigate the menu.
Step 2: Go to the serial port settings section:
Step 3: Press A and enter the name of the serial port:
Step 4: Press E to enter the menu for setting the speed and parity parameters. Press C to select a speed of 9600, or use keys A and B to select the required speed.
Step 5: After setting, the parameters should look as in the screenshot below. Additionally, hardware flow control can be turned off with the corresponding key.
Step 6: Save the settings as the dfl file, press Exit and start configuring the equipment. To exit minicom, use the Ctrl-A Q or Ctrl-A X key combination.
For subsequent launches of the program with preset parameters, you can use:
Cisco for beginners. Part 1. Initial setup of the Cisco router
To begin with, on 18xx, 28xx and 800 series routers the connection and initial setup of the equipment is done through the console port with an RJ-45 connector; the configuration cable (RJ-45 to RS-232, blue) is usually included. Equipment of the 19xx and 29xx series has, in addition to the RJ-45 console port, a mini-USB console port (which is much more convenient when configuring equipment from a laptop without a COM port). To configure equipment through mini-USB we need a driver; after installing it, "Cisco Serial" appears in Device Manager, where you can set the port number.
The connection is established with the standard values: 9600 baud / 8 data bits / 1 stop bit / no parity / no flow control. On Windows systems you can use PuTTY, on Linux cu or minicom. Later, when the router has been assigned an IP address, we will use SSH for configuration, but the first time you cannot do without a console connection.
Open PuTTY, select connection type Serial, port COM7 (mine is COM7), press Enter twice and see the router's command-line prompt:
Router>
Enter privileged mode with enable:
Router>enable
Router#
Delete the existing configuration in flash memory and reload the router:
Router#erase startup-config
Router#reload
We wait for the router to reload, watching the process. Enter privileged mode again:
Router>enable
Go to configuration mode and set the hostname:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname GW0
GW0(config)#
Turn on storage of passwords in the device configuration file in encrypted form:
GW0(config)#service password-encryption
Disable management via HTTP and HTTPS, and CDP:
GW0(config)#no ip http server
GW0(config)#no ip http secure-server
GW0(config)#no cdp run
Set the password for connection through the console port:
GW0(config)#line con 0
GW0(config-line)#password Passole
GW0(config-line)#login
GW0(config-line)#exit
And for Telnet:
GW0(config)#line vty ?
Oh, how many are available? 0-1441 means line vty 0 1441 ))
GW0(config)#line vty 0 1441
GW0(config-line)#password Password
GW0(config-line)#login
GW0(config-line)#exit
Set the enable password:
GW0(config)#enable secret password_enable_
Let us move on to configuring the internal network interface. If the router has gigabit ports, the port names can be abbreviated as Gi 0/0 (GigabitEthernet); if 100 Mbit, then most likely it will be Fa (FastEthernet). In general, if you are in doubt about a command, press Tab: the command got completed on the command line? Then it is fine. Do not remember what to enter? Type a question mark and IOS will show all commands available in this context.
GW0(config)#interface Gi 0/0
GW0(config-if)#ip address 192.168.0.1 255.255.255.0
GW0(config-if)#description LAN
GW0(config-if)#no shutdown
GW0(config-if)#exit
Set the DNS server:
GW0(config)#ip name-server 192.168.0.2
That is all: the router is reachable at 192.168.0.1. Save the configuration to memory with the command:
GW0#copy running-config startup-config
or with wr.
In the next article we will actually disable access to the router via Telnet (because it is insecure) and set up access to it via SSH.
Connection to Cisco via Putty console
Dear readers, let us fantasize a little and imagine an interesting situation. You are a specialist engaged in computer servicing or setting up servers, or a novice network engineer who has not yet encountered configuring Cisco Systems equipment (hereinafter simply Cisco). And one fine day your management decides to purchase this equipment to modernize or deploy the network infrastructure. The wait for the equipment flies by like a single day and now it lies in front of you: a brand new switch, router or other Cisco network device. What to do with it? How to configure it? A whole cloud of questions arises in your head at this moment (at any rate, such questions overwhelmed me at my first acquaintance with Cisco switches). This post was written so that resolving these questions does not cause great difficulty; it does not contain much theory and is only suitable for specialists encountering Cisco equipment for the first time. It covers the main aspects of the first acquaintance with Cisco equipment running the Cisco IOS operating system (Internetwork Operating System); examples of such equipment are routers such as the Cisco 1841 and Cisco 2811, Catalyst 2960 switches, and in general most of the equipment produced by Cisco.
So where to start configuring a freshly acquired Cisco box? To begin, it must be connected to the computer from which it will be configured. For this purpose a special console cable is used, supplied together with the equipment you purchased (in some cases this cable may be sold separately). The appearance of this cable is shown in the figure.
If you do not have a console cable and there is nowhere to buy one, you can make it yourself. This requires: a network connector (RJ-45 8P8C), several metres of 8-core network cable, a female DB-9 plug for connecting to the COM port (the one with holes), a crimping tool and a soldering iron. One end of the network cable is crimped according to the pinout. The other end of the cable is soldered to the plug according to the same pinout.
As a result you get a console cable for connecting to Cisco network equipment. I would like to note that Cisco itself recommends using only original console cables to configure its equipment.
To connect the equipment being configured to a computer, one end of the console cable (the one with the RJ-45 8P8C network connector) is plugged into the console port of the network equipment (usually labelled Console in a blue frame), and the other end of the cable is connected to the COM port of the computer.
After the Cisco equipment being configured is physically connected to the computer, that is, with the cable, you can connect to it using special software and configure it. HyperTerminal, PuTTY, etc. can be used as such software. Unfortunately, starting with Windows 7 (perhaps with Vista, I cannot say for sure), HyperTerminal is no longer a standard preinstalled application, and installing it takes some effort. Therefore the best option is to use PuTTY. This client is quite easy to find using Google. Its installation and launch do not cause the slightest difficulty. PuTTY allows you to connect to the equipment being configured using Telnet, SSH or a serial-port connection. In this case we are interested in the last option. To use it, in the "Connection type" section select the "Serial" option. In the "Serial line" field, specify the number of the port to which the device is connected (if to the first, then COM1; if to the second, then COM2, and so on). Leave the Speed field value at 9600.
After all the parameters are set as described above, click the Open button. The console window opens. It will be completely black and will not respond to keystrokes. Turn on the device being configured. Information about the device, its characteristics and the start of the boot will begin to appear on the console screen. The approximate look of the console when the device starts is shown in the figure.
Wait until the equipment finishes starting. The screen will show "Press RETURN to get started!"; press the Enter key on the keyboard. The cursor will move to a new line and the prompt Router> will be displayed in the console (this example is for configuring a router; when configuring another type of device, the word Router is replaced according to the type of the device being configured). Now you are connected to this device and can configure it.
When configuring Cisco equipment you need to know that there are 3 types of access to the device (in fact there are 15 levels of access privileges, but we will not go into that now).
The first mode is unprivileged (EXEC). Immediately after connecting to the equipment you land in this mode. In this mode you cannot change the configuration of the device, but you can view some of its characteristics. Being in this mode is indicated in the console by the ">" sign. For example, in this mode you can execute the show history command, which displays the list of commands you executed during one session (note that this command displays not only executed commands but everything typed into the console, even any meaningless gibberish; of all the commands typed in the example, only show history is a real one).
The second mode is privileged EXEC mode. In this mode the user can view information about the device and its configuration and save the current configuration, but cannot change it. You enter this mode from unprivileged mode by executing the enable command. Being in this mode is indicated in the console by the "#" sign. For example, in this mode you can execute the show running-config command, which displays the current working configuration of the device.
The third mode is configuration mode (many do not distinguish it as a separate mode, but simply consider it the configuration sub-mode of privileged mode). In this mode you cannot view information about the device and its configuration, but you can change it. To enter configuration mode, execute the configure terminal command in privileged mode. Being in this mode is indicated in the console by the "(config)#" prompt.
So, you were brought a router, unpacked it, powered it on. It rustles languidly with its fans and winks at you with the LEDs of its ports. What to do next?
We will use one of the oldest and most reliable ways to manage almost any smart device: the console. For this you need a computer, the device itself and a suitable cable.
Every vendor has its own. What connectors do they not use: RJ-45, DB-9 male, DB-9 female, DB-9 with a non-standard pinout, DB-25. Cisco uses an RJ-45 connector on the device side and a DB-9 female (to connect to a COM port) on the PC side.
Figure: combined RJ-45 / mini-USB console port.
It is always highlighted in blue. Recently, management via USB has become possible.
It used to be supplied in every box; now it often costs extra. In principle, a similar cable from HP is also suitable.
The problem is that modern PCs often have no COM port. USB-to-COM converters come to the rescue:
Figure: USB-RS232 converter.
Or, rarely used for these purposes, RS232-to-Ethernet converters.
After you have plugged in the cable and determined the COM port number, you can use HyperTerminal or PuTTY on Windows and minicom on Linux to connect.
Management through the console is available immediately, but for Telnet you need to set a password. How to do it? Let us turn to Packet Tracer (PT).
Let us start by creating a router: select it on the panel below and drag it to the workspace. Give it some name.
What would you do if it were a real hardware router? You would take a console cable and connect it to the router and to the computer. We will do the same here:
Packet Tracer. Creating a computer
Packet Tracer. Connecting a computer to a router
Clicking on the computer opens the settings window, where we are interested in the Desktop tab. Next, select Terminal, where we are offered a choice of parameters.
Packet Tracer. Terminal setup on a computer
However, all the parameters are set by default, and there is no particular point in changing them.
If there is no configuration file (startup-config) in the device's non-volatile memory, which is the case on the first power-up of new hardware, we are met by the Initial Configuration Dialog prompt:
Packet Tracer. Initial configuration dialog of the router
Briefly, this is a wizard that allows you to configure the main parameters of the device step by step (hostname, passwords, interfaces). But this is not interesting, so we answer no and see the prompt:
This is the standard prompt for any Cisco line; it denotes user mode, in which you can view some statistics and perform the simplest operations such as ping. Entering a question mark shows the list of available commands:
List of available router commands
Roughly speaking, this is the mode for a network operator or a first-line technical support engineer, so that he does not break anything, change anything or learn too much.
Much greater capabilities are provided by the mode with the telling name privileged. You get into it by entering the enable command. Now the prompt looks like this:
Here the list of operations is much more extensive; for example, you can run one of the most commonly used commands, which shows the current settings of the device: show running-config, aka show run. In privileged mode you can view all the information about the device.
Before proceeding to configuration, let us mention several useful things when working with the Cisco CLI that can greatly simplify life:
- All commands in the console can be abbreviated. The main thing is that the abbreviation unambiguously identifies the command. For example, show running-config is abbreviated to sh run. Why not s r? Because s (in user mode) can mean the show command as well as the ssh command, and we would get the error message % Ambiguous command: "s r";
- Use the Tab key and the question mark. Pressing Tab completes an abbreviated command, and a question mark after a command displays a list of further options and a short help for them (try it yourself in PT);
- Use hot keys in the console:
- Ctrl+A: move the cursor to the beginning of the line;
- Ctrl+E: move the cursor to the end of the line;
- Cursor Up/Down: move through the command history;
- Ctrl+W: erase the previous word;
- Ctrl+U: erase the entire line;
- Ctrl+C: exit configuration mode;
- Ctrl+Z: apply the current command and exit configuration mode;
- Ctrl+Shift+6: stop long-running processes (the so-called escape sequence);
The output of show commands can be filtered with a pipe (|) followed by one of the keywords below and a search word:
- begin: output all lines starting from the one where the word is found;
- section: output the sections of the configuration file in which the word is found;
- include: output the lines where the word is found;
- exclude: output the lines where the word is not found.
But back to the modes. The third main mode, alongside user and privileged, is global configuration mode. As the name implies, it allows us to make changes to the device settings. It is activated by the configure terminal command from privileged mode and shows the following prompt:
In global configuration mode the commands of the other modes are not available (the same show running-config, ping, etc.). But there is a useful thing called do. Thanks to it we can, without leaving configuration mode, execute those very commands simply by adding do before them, roughly like this:
Telnet access setup
From this mode we will configure interface access via Telnet. The command to enter the configuration mode of interface FastEthernet 0/0:
By default all interfaces are disabled (state "administratively down"). We enable the interface:
shutdown means "turn off the interface". Accordingly, if you want to cancel the effect of a command, put the word no in front of it. This rule is common to the CLI and applies to most commands.
We connect. For this we use a crossover cable (although in real life this is often unnecessary, as all cards can auto-detect receive/transmit, but there are also routers whose ports do not come up when the wrong cable type is used, so be careful).
Connection to the router via Ethernet
We set the computer's IP address via Desktop.
And try to connect by selecting Command Prompt in the Desktop panel:
Connection to the router via Telnet
As expected, Cisco does not let us in without a password. In real life it usually replies with the phrase "Password required, but none set".
A Telnet or SSH connection is called a virtual terminal (VTY) and is configured as follows:
0 4 means 5 user virtual terminals = telnet sessions.
This is already enough to get into user mode, but not enough for privileged:
What is the difference between password and secret? Roughly the same as between SSH and Telnet. With secret the password is stored in the configuration file in encrypted form, with password in the clear. Therefore using secret is recommended.
If you still set the password with the password command, you should also apply service password-encryption; then your password in the configuration file will be encrypted:
Line VTY 0 4 Password 7 08255F4A0F0A0111
Nowadays it is customary to configure access not through the virtual terminals themselves but with the username and aaa new-model commands. In PT version 5.3.2 they already exist and work fine.
Router(config)#aaa new-model
Router(config)#username admin password 1234
The first command activates the new AAA model (Authentication, Authorization, Accounting). This is needed in order to use a RADIUS or TACACS server for authentication on the device. If this is not specifically configured, the local user database set with the username command is used.
Be careful: the aaa new-model command takes priority over the virtual terminal commands, and therefore, even though you have a password in line vty mode, if you have no users in the local database you will no longer be able to log in to the device remotely.
Now, when connecting, the router will ask for the user name and the corresponding password.
With deeper tuning of line vty there is one danger.
There is a parameter called access-class. It lets you restrict the IP addresses from which connections are allowed. And then one day I, being a clever Masha, decided to take up network security and put these access-classes on almost all the equipment so that not even a mosquito could get through. At some point I had to go out into the field, and that day I cursed my thoroughness. I couldn't get in anywhere. I hadn't left myself the slightest loophole. In general, be careful with this command, or leave loopholes for yourself.
When working with access-lists and other dangerous things whose misconfiguration can cut you off from the device, you can use the wonderful reload in min command, where min is a time in minutes. This command reboots the device after the specified time unless it is cancelled with the reload cancel command. The procedure is this: you are remotely poking at something that could in theory (do not forget Murphy's law) break your session with the device. You save the current (working) config to startup-config (it is used at boot), enter reload in 15, enter the key command you have doubts about ;-), and the connection drops, worst fears confirmed. You wait 15 minutes, the device reboots with the working config, you connect, voila, connectivity is back. Or (if the connection was not interrupted) you check that everything works and do reload cancel.
If you want to restrict access through the console port with a password, you will need the commands
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password cisco
Another important point that articles pay little attention to: privilege level.
As the Latin root implies, this is the level of user rights. There are 16 levels in total: 0-15.
Privilege level 0: the commands disable, enable, exit, help and logout, which work in all modes.
Privilege level 1: the user mode commands, that is, as soon as you get onto the Cisco and see the Router> prompt, you have level 1.
Privilege level 15: the privileged mode commands, like root in UNIX.
It must be said that Telnet is an unprotected protocol and transmits the password and data in the clear. With any packet analyser the password can be read out.
Therefore we strongly recommend using SSH; any Cisco device with anything but the most stripped-down firmware can act as an SSH server.
The following set of commands enables SSH and disables Telnet access:
Router(config)#hostname R0
R0(config)#ip domain-name cisco-dmn
R0(config)#crypto key generate rsa
R0(config)#line vty 0 4
R0(config-line)#transport input ssh
The hostname must differ from the default Router, and a domain name must be set. The third line generates the key, and after that only SSH is allowed. The key length must be more than 768 bits if you want to use SSH version 2, and you do. That's all.
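As an added illustration (not from the lesson), a small Python audit that parses a constructed running-config in the format shown above and flags the weak settings this lesson discusses: enable or line passwords stored plain or as type 7 (the type 7 obfuscation produced by service password-encryption is reversible, so it is no substitute for secret), aaa new-model with an empty local user base, vty lines that still accept Telnet, and vty lines without an access-class. The config text and the finding wording are constructed for the example.

```python
# Constructed running-config, modelled on the fragments quoted in the lesson (not from a real device).
SAMPLE_CONFIG = """\
hostname R0
ip domain-name cisco-dmn
enable password cisco
username admin password 1234
aaa new-model
line con 0
 password cisco
line vty 0 4
 password 7 08255F4A0F0A0111
 transport input telnet ssh
"""

def parse_config(text):
    """Split an IOS config into top-level lines and 'line ...' sections (their indented children)."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, sections

def audit(text):
    """Return the weak settings this lesson warns about, one finding per string."""
    top, sections = parse_config(text)
    findings = []
    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password: plain or type 7; use 'enable secret'")
    if "aaa new-model" in top and not any(l.startswith("username ") for l in top):
        findings.append("aaa new-model with no local users: remote lockout risk")
    for name, body in sections.items():
        if any(l.startswith("password 7 ") for l in body):
            findings.append(f"{name}: type 7 password is reversible obfuscation, not a hash")
        elif any(l.startswith("password ") for l in body):
            findings.append(f"{name}: plain-text password; enable 'service password-encryption' or use secret")
        if name.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input ")]
            if not transport or "telnet" in transport[0] or "all" in transport[0]:
                findings.append(f"{name}: Telnet accepted; set 'transport input ssh'")
            if not any(l.startswith("access-class ") for l in body):
                findings.append(f"{name}: no access-class, management open to any source IP")
    return findings
```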
One last note for beginners: do not forget the write memory command; it saves the current configuration. Still, it is enough to get burned twice by forgetting to save in order to gain lifelong immunity to this. Anyone who has been stung at night or written a term paper will understand.
And for dessert: password reset
So what do you do if a Cisco with an unknown password lands on your desk, or you have thoroughly forgotten it? This has been described many times and is easily googled, but it is worth repeating.
Almost any network device allows a password reset given physical access. If that is impossible, or is a separate paid service, then most likely you are holding some kind of Russian handiwork (no offence, of course, to our manufacturers, but I have read such lines in documentation twice :))
1) connect to the device with a console cable,
2) reboot it (either by pulling the power or with the reload command),
3) When a line of ######## starts running across the screen, which means the image is loading (40-60 seconds after power-on), send the Break signal. How to do that in different programs, read here. You end up in ROMmon mode.
4) In this mode enter the command confreg 0x2142; it makes the device ignore startup-config at boot.
6) After booting, running-config will be pristine, and startup-config holds the last saved configuration. Now is the time to change the password or pull off the config.
7) The most important thing: set the register back:
If you don't, your entire configuration will only last until the first reboot) and it's fine if the device is nearby and you remember that you've been burned. I wasn't so lucky)