In the previous section you became familiar with the IOS CLI and even used a few commands to move around it. In this section you will learn to configure a few basic administrative features. These features are not critical to the functions of the router in a network, but these features help make administrating the router easier and secure. Remember that all of the commands in this section work on routers as well as switches.

  • Hostname – You can set the name of the device with the hostname command in the global configuration mode. Setting the name of the router does not have any impact on the functions of the router. It will continue to perform normally respective of the name, but it is easier to manage and troubleshoot your network when you give the devices a meaningful name. The example below shows how you can change the hostname. Notice the immediate change in prompt after the command is executed.
Router(config)#hostname Gateway
Gateway(config)#hostname myRouter
  • Clock – You can set the date and time on the router with the clock command in the privileged exec mode. Setting the correct date and time is a requirement for some advanced configuration and it helps when troubleshooting the device. The syntax of the command is clock set hh:mm:ss day month. An example is shown below:
myRouter#clock set 14:12:00 7 June 2011
  • Banners – Banners are messages displayed to users who connect to the routers either through the various lines (console, vty and auxiliary) or through a dial-up. Banners are usually used to display a message prohibiting unauthorized access. There are many types of banners but you need to be aware of three kinds – the exec process creation banner, login banner and the message of the day (motd) banner. The motd banner is displayed first, followed by the login banner. These two banners are displayed before the login prompt. The exec process creation banner is displayed just after the login and before the prompt. You can use the banner command in the global configuration mode to create banners. The syntax for the command is banner {exec | login | motd} delimiter text delimiter. The delimiter is of importance here. It is any character which marks the start and end of the banner text. In the example below, the hash sign (#) is the delimiter.
myRouter(config)#banner motd #
Enter TEXT message.  End with the character ‘#’.
Welcome to myRouter. No unauthorized access.

The above example is repeated below with the delimiter changed to the dollar sign($) and the entire command given in a single line.

myRouter(config)#banner motd $ Welcome to myRouter. No unauthorized access.$

The following output shows the banner displayed when an exec session is started.

myRouter con0 is now available

Press RETURN to get started.

Welcome to myRouter. No unauthorized access.

Securing access to the device

Routers and switches are the core of your network. A malicious user who gets access to these devices can cause network wide problems such as theft of data, loss of connectivity and more. Hence it is essential to secure access to your network devices. IOS provides two basic mechanisms for access restriction – line passwords and enable password/secret.

As you already know, an administrative (exec) session to an IOS device can be started using three methods – console, telnet/ssh and auxiliary. These are also referred to as lines. (The term lines is actually reminiscent of very old technologies so do not worry about why they are called such). The IOS allows you to configure a password on these lines so that anyone connecting to them is required to enter the password before being connected to the CLI. After reaching the CLI prompt, a user is at the user exec mode where they cannot even view the configuration. To be able to view or edit the configuration, the user needs to go to the privileged exec mode using the enable command. The IOS also allows you to configure a password that is required to go to the privileged exec mode. This is called the enable password or secret.

The enable password or secret can be configured using the following command in the global configuration mode:

enable {password | secret} password

There are four things that you should remember about the enable password and secret:

  1. Enable secret is encrypted before being stored in the config while the enable password is stored as plain text. So anyone viewing the config will know the enable password.
  2. If enable secret and enable password both are configured, the secret will be used always.
  3. Enable secret and password cannot have the same value.
  4. When using telnet or ssh to connect to the IOS, you cannot enter the enable mode if an enable secret or password has not been configured.

Here’s an example of how they are configured:

myRouter(config)#enable password test
myRouter(config)#enable secret test123

After the enable password or secret is configured, notice the how the user is prompted for password when then enter the enable command in the user exec mode:

Password: test123 (password will not be shown when typed on the device]

To configure a line password for console, you will first need to enter the line configuration mode for the console using the line console command in the global configuration mode as shown below:

myRouter(config)#line console ?
<0-0>  First Line number

myRouter(config)#line console 0

In the above output, I used a question mark at the end of the first line. The help output shows that 0 is the only option available. First thing to know here is that there can be multiple lines of a kind (example multiple telnet lines). Second you will need to specify the line number that you want to configure. In the case of console, there will always be only a single line, zero, available. So the command line console 0 will bring you to the line configuration mode for the console line (notice the change in router prompt to (config-line)#).

In the line config mode, use the password password command to set a password for the line. After that you will need to use the login command to enable login with the password you just configured. The output below shows an example.

myRouter(config)#line console 0
myRouter(config-line)#password test

Now when someone tries to connect using the console, they will be prompted for a password as shown below.

myRouter con0 is now available

Press RETURN to get started.

User Access Verification

Password: test [password will not be displayed when typed]

Similar to how you configured the console password above, you can configure the password for the auxiliary line by going to the line mode for auxiliary using the line aux 0 command. There is always a single auxiliary line in a device. The example below shows configuration required.

myRouter(config)#line aux 0
myRouter(config-line)#password test

Configuring the password for the telnet lines is no different, but you need to know two things before doing that:

  1. Telnet lines are called vty lines because they are virtual unlike console and auxiliary
  2. Each IOS device has a minimum of 5 vty lines (0 to 4). Some of them can have 15 or more.
  3. You can configure all the vty lines together, in a group or one at a time. They need not have the same configuration.
  4. A new telnet or SSH session will use the lowest available vty line. So there can be 5 telnet or SSH sessions to the device at any time.
  5. Telnet or SSH sessions to the device will not be allowed unless a password has been configured and login is enabled.

To configure a password on line vty, you need to use the password and login commands in the line configuration mode. You can enter the vty line configuration mode using the line vty linenumber linenumber command. The following example shows the available number of vty lines:

myRouter(config)#line vty ?
<0-4>  First Line number
myRouter(config)#line vty 0 ?
<1-4>  Last Line number
myRouter(config)#line vty 0 4

The line vty 0 4 command in the above example will enter the line configuration mode and you will be able to configure all the available vty lines at one time.

The example below shows a password configured for all the vty lines:

myRouter(config)#line vty 0 4
myRouter(config-line)#password test

Once the password has been configured and login enabled, the device will allow Telnet sessions to be initiated to the device. As you already know, Telnet is not a secure protocol because the session is transmitted in plain text and is vulnerable to snooping. To overcome this problem, SSH can be used. SSH encrypts the entire session but it requires encryption keys to start a session. By default IOS does not have these keys and hence a SSH session cannot be initiated. To generate those keys, you must first set the hostname and domain name of the device and then use the crypto key command as shown below:

myRouter(config)#hostname Gateway
Gateway(config)#ip domain-name
Gateway(config)#crypto key generate rsa general-keys modulus 1024
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…
Jun  9 00:43:43.599: %SSH-5-ENABLED: SSH 1.99 has been enabled
Once the keys are generated, the vty line can be configured to accept SSH sessions using the following command:
Gateway(config-line)#transport input ssh telnet

If you leave out the telnet option from the above command, only SSH will be allowed to the device.

One final thing you need to know about passwords is that the line passwords and the enable password is stored in the configuration as plain text. What this means is that anyone who comes across the configuration stored outside the device, can learn the passwords. To prevent this, the passwords can be encrypted using the service password-encryption command in the global configuration mode.