Initial Configuration of IOS Devices

In this post we will take a look at the initial configuration that should be performed on a new device before the actual network configuration is performed.

Most Cisco IOS devices come from the factory with a very basic default configuration, and require configuration before the are deployed. The majority come with no IP addresses, and routers even have all their interfaces shut down by default.

To begin the configuration, the first step is to console into the device, using either a serial port and the Cisco rollover serial cable, or the mini USB port on the newer devices. Console settings should be 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. You need terminal emulation software, such as PuTTY or SecureCRT.

Hostname

The hostname serves a few purposes: it is used in the prompt, making it easier to see what device you are working on, and it is used in self signed certificates and Certificate Signing Requests (CSRs). Usually the first thing you should set on a new device is the hostname, if for no other reason than to make sure you are working on the right device.

Hostname is set with the hostname command:

Router#config terminal
Router(config)#hostname NYRouter1
NYRouter1(config)#

IP Domain Name

IP Domain name is used with the hostname while creating a self signed certificate or a Certificate Signing Request (CSR). It is also used for DNS queries if needed. The domain name should match your DNS domain structure. The domain name is combined with the host name to create the Fully Qualified Domain Name (FQDN) so the result of this and the previous command would be an FQDN of nyrouter1.network.routeswitchblog.com.

NYRouter1#config terminal
NYRouter1(config)#ip domain-name network.routeswitchblog.com
NYRouter1(config)#

Management IP Address

How you set management IP addresses depends on the type of device. Best practice on a router is to create a loopback interface, and assign it a /32 host address. In this case, make sure that the address of the loopback is advertised into your routing domain, or static routes are created. You can also use any of the physical interfaces for management, but using a loopback means you have an interface that will not go down (unless someone shuts it down.) You will also have to bring up a physical interface that you can connect to over the network before you can administer the device remotely or use it for anything.

NYRouter1#config terminal
NYRouter1(config)#interface loopback 0
NYRouter1(config-if)#ip address 192.168.254.1 255.255.255.255
NYRouter1(config-if)#

On a layer 2 switch, the IP address is configured on a VLAN interface. Best practice is to create a management VLAN, and use interfaces on this VLAN for all switches, but any valid VLAN can be used. There needs to be a gateway on this subnet/VLAN for the switch to be reachable from anywhere else on the network. The management VLAN should not contain clients, but might be on used for servers, printers, or something else if you want to save VLAN numbers or IP subnets. You could also use smaller subnets to save IP addresses.

NYSwitch1#config terminal
NYSwitch1(config)#interface vlan 100
NYSwitch1(config-if)#ip address 192.168.254.2 255.255.255.0
NYSwitch1(config-if)#

Default Route

The “ip default-gateway” command is used on layer 2 devices like L2 switches and autonomous access points. Routers and other Layer 3 devices should use a default route.

Switch:

NYSwitch1(config)#ip default-gateway 192.168.254.1

Routers use a route command to 0.0.0.0/0, which includes the entire IPv4 range.

NYRouter1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

In both cases the IP address at the end is the IP address of the next hop.

It is worth noting that the next hop address can be any reachable IP address, not necessarily one on a directly connected segment. This is outside the scope of this post, though.

local user and password

IOS devices can maintain a local user database. Users are created with the username command. Even if you are going to use an authentication server, it is good practice to have one or more local usernames/passwords to be able to log in if the server is not available.

The most common arguments to the username command are password and privilege level. Make sure that when you enter the command with the password argument that it is the last argument in the command, because IOS will use anything after “password” as the password, so

NYRouter1(config)#username admin privilege 15 password cisco

creates a user called admin with superuser privileges and a password of “cisco”, whereas

 NYRouter1(config)#username admin password cisco privilege 15

would create a user called admin with default rights and a password of “cisco privilege 15”

Privilege levels are 0 (default, view only) through 15 (superuser, the same as typing “enable.”) If a user is set with a privilege of 0, they can still use the “enable” command to enter enable mode, whereas a user configured as privilege 15 does not need to. By default, only levels 0 and 15 are defined, others need to be custom defined.

enable secret password

Cisco routers have a privileged (enable) and non-privileged mode. There are actually other modes that can be configured if you need to be more granular, but that is outside the scope of this post. You can set the password with either the “enable password” or “enable secret” command.

“Enable password” saves the password in cleartext, or a reversible encryption if “service password-encryption” is configured.

“Enable secret” stores the password as a one way, non-reversible hash. When the password has to be checked, rather than decrypt the stored password, the device calculates the hash of the password the user entered, and compares the hash to the stored hash.

The hashed value is the more secure option, and should be used.

If both are configured, the password configured with “enable secret” will be used, and the one with “enable password” will be ignored.

exec-timeout

The exec-timeout command is configured under the various lines, and sets the maximum time before it is automatically logged out. The format is “exec-timeout <minutes> <seconds>” in line configuration mode.

In production, these should be set to somewhere around 15 minutes, maybe less in a high security environment. In the lab, it is pretty normal to set the console timeout to “0 0,” meaning the timeout is disabled. You should be careful about setting the timeouts on VTY lines, since a telnet session could be kept open indefinitely. A disconnected session would be disconnected if TCP keepalives are configured, but one that never disconnects from the client side could tie up a VTY line.

NYRouter1(config)#line console 0
NYRouter1(config-line)#exec-timeout 120 0
NYRouter1(config)#

logging synchronous

While we are configuring the timeout on the lines, also configure the “logging synchronous” command under the lines. This command will cause the device to redisplay the command prompt and anything you were typing if log messages are displayed on the console. You may end up turning this off if you are trying to read debug messages on the console, but most of the time you are best off having it enabled.

service password-encryption

By default passwords are stored in the configuration file in plain text, unless they are set with the “secret” keyword rather than the “password” keyword. Issuing the “service password-encryption” command in global config causes the router to encrypt the passwords using a reversible encryption. This encryption is meant to provide “over the shoulder” security only, preventing someone from reading the password if they see it. The algorithm used to encrypt the password is pretty well known, and the passwords can easily be decrypted if someone gains access to the config. It is even possible to decrypt the password on the router.

Note that if you issue the “no service password-encryption” command, new passwords will not be encrypted, but the existing passwords remain encrypted in the configuration.

Where possible, the “secret” keyword should be used. The main reason to not use it is that some authentication methods require access to the plain-text password, not just a hash of it.

copy running-config startup-config

When you are done configuring the device, you need to save the configuration with the “copy run start” command. If you do not save the configuration, it will be lost the next time the router is rebooted.


Comments

Initial Configuration of IOS Devices — 2 Comments

  1. And there is one even more funny command like:

    no service password-recovery

    By using this, the only way to get access to a router without knowing the password is to loose the configuration.

Leave a Reply

Your email address will not be published. Required fields are marked *