Initial Configuration of Cisco Routers and Catalyst Switches

This page walks through the initial configuration of a Cisco router and a Catalyst switch in a simple network environment. The items set up in the initial configuration are as follows.

  • hostname
  • login password
  • banner message
  • IP address

After configuring the devices, you also need to verify that the configuration is correct.

Network diagram

Figure Initial Settings Network Diagram

The main commands

The following table summarizes the main configuration and verification commands for initial setup.

The table omits the details of the parameters specified in each command.

Configuration commands                 Summary
(config)#hostname                      Set the hostname.
(config)#enable secret
(config)#enable password               Set the password for entering privileged EXEC mode.
(config)#service password-encryption   Encrypt the password display.
(config)#banner motd                   Set the message to be displayed when you log in.
(config)#username password             Set a username and password.
(config-line)#login [local]
(config-line)#password                 Set the password for the console/AUX/VTY.
(config-line)#exec-timeout             Specify a timeout period for console and VTY access.
(config)#interface loopback            Create a loopback interface.
(config-if)#ip address                 Set the IP address for the interface.
(config-if)#no shutdown                Activate an interface.

Verification commands                  Summary
#show running-config                   Display the contents of running-config.
#show startup-config                   Display the contents of startup-config.
#show interface                        Display the details of the Layer 1/Layer 2 state of the interface.
#show ip interface [brief]             Display the details of the Layer 3 state of the interface.
#show protocols                        Display the interface status and IP address.
#ping                                  Check the connectivity to the specified IP address or host name.
#traceroute                            Check the communication route to the specified IP address or host name.
Table Main initialization commands

Configuration and verification

Set the host name

Set the host names for the routers and switches.

Device hostname
Router R1
Layer2 switch SW1

To set the hostname, enter the following command in global configuration mode.

Set the hostname

(config)#hostname <hostname>

<hostname> : hostname

The rules for <hostname> are as follows:

  • Less than 63 characters
  • Available character types
    • Letters
    • Numbers
    • - (hyphen)
  • The first character is a letter

The following is how the router is configured.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#

As soon as you enter the command, the hostname in the prompt changes to “R1”. “hostname R1” is also reflected in running-config.

Password configuration for privileged EXEC mode

Use the “enable” command to set a password for entering privileged EXEC mode. There are two commands for configuring the password.

Password configuration for privileged EXEC mode

(config)#enable password <password>
(config)#enable secret <password>

<password> : password

Passwords set with the “enable secret” command are encrypted when you view the configuration with “show running-config”. Passwords set with the “enable password” command, on the other hand, are not encrypted when you view the configuration with “show running-config”.

If you configured both, the password configured by the “enable secret” command will be applied. To reduce the chance of the password being leaked to anyone other than the administrator, configure the password “cisco” using the “enable secret” command.

The configuration in R1 is as follows

R1(config)#enable secret cisco
R1(config)#end
R1#disable
R1>enable
Password:
R1#show running-config
Building configuration...

- omitted -
!
hostname R1
!
- omitted -
!
enable secret 5 $1$2MAq$beW3VsjpYu2oo3GvzG7ry/
!
- omitted -
!

After configuring the password “cisco” with the “enable secret” command, we return to user EXEC mode. The password is then prompted for when entering privileged EXEC mode with the “enable” command. When you view the configuration with “show running-config”, the password string “cisco” is shown encrypted.

Configuring the Console/AUX/VTY Password

Configure the password for access via the console, AUX, and VTY lines. The password is configured in line configuration mode as follows.

Configuring your line password

(config)#line {console 0|aux 0|vty 0 4}
(config-line)#login [local]
(config-line)#password <password>

<password> : password

If you configure “login local”, authentication uses a local username/password. The command for setting the local username/password is as follows.

User name/password configuration.

(config)#username <username> password <password>

<username> : User name
<password> : password

The table summarizes the console/AUX/VTY passwords to be configured in R1 and SW1.

Console cisco
AUX cisco
VTY Local username/password

Username Password
cisco cisco

The configuration in R1 is as follows

R1(config)#line con 0
R1(config-line)#login
% Login disabled on line 0, until 'password' is set
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#line aux 0
R1(config-line)#login
% Login disabled on line 129, until 'password' is set
R1(config-line)#password cisco
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#username cisco password cisco

The password in this example is a very simple string of characters. Also, since the username and password are the same, it is not a desirable configuration for security reasons. This is just a sample of the initial configuration.

Console/AUX/VTY timeout configuration.

If there is no input for a certain period of time when you are logged into the CLI via console or VTY access, the system times out. To change the timeout time, enter the following command in line configuration mode.

Configuring Line Timeouts

(config)#line {con 0|aux 0|vty 0 4}
(config-line)#exec-timeout <minute> <sec>

<minute> : timeout min
<sec> : timeout sec

The default is five minutes. To disable the timeout, use the command “exec-timeout 0 0” to set the timeout time to zero.

Disable the console timeout in R1. The commands are as follows.

R1(config)#line con 0
R1(config-line)#exec-timeout 0 0

Encryption of password display

The console/AUX/VTY passwords are not encrypted in the running-config display. Encrypting the password display in running-config is the preferred configuration for security purposes. You can encrypt the password display by entering the following command in global configuration mode.

(config)#service password-encryption

In R1, it looks like this

R1(config)#service password-encryption
R1(config)#end
R1#show running-config
Building configuration...
- omitted -
service password-encryption
!
!
username cisco password 7 070C285F4D06
!
- omitted -
!
line con 0
 password 7 094F471A1A0A
 login
line aux 0
 password 7 060506324F41
 login
line vty 0 4
 login local
!
end

R1#
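
The "password 7" values in this output are type 7, a reversible encoding rather than a one-way hash like the type 5 "enable secret" value, so a configuration review should still report them. The following check is an added example, not part of the original page or of any Cisco tool; the function names and the sample text are constructed for illustration, and it reports weak password storage and a disabled idle timeout in a saved running-config.

```python
import re

# Constructed sample: the R1 running-config lines shown on this page, with the
# console "exec-timeout 0 0" from the timeout section added under "line con 0".
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$2MAq$beW3VsjpYu2oo3GvzG7ry/
username cisco password 7 070C285F4D06
line con 0
 exec-timeout 0 0
 password 7 094F471A1A0A
 login
line aux 0
 password 7 060506324F41
 login
line vty 0 4
 login local
end
"""

# "enable secret" and "username ... secret" are deliberately not matched.
PASSWORD_RE = re.compile(r"^(enable password|username \S+ password|password)\s+(.+)$")

def password_type(rest):
    """Return the IOS type digit; a value with no type prefix is cleartext (0)."""
    parts = rest.split()
    return parts[0] if len(parts) == 2 and parts[0] in ("0", "7") else "0"

def audit(config):
    """Return (context, command, issue) tuples for weak credential/session settings."""
    findings = []
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented: global command or a new "line" block
            context = line if line.startswith("line ") else "global"
        match = PASSWORD_RE.match(line)
        if match:
            kind = password_type(match.group(2))
            issue = "reversible type 7 encoding" if kind == "7" else "cleartext"
            findings.append((context, match.group(1).split()[0], issue))
        elif line == "exec-timeout 0 0":
            findings.append((context, "exec-timeout", "idle timeout disabled"))
    return findings

if __name__ == "__main__":
    for context, command, issue in audit(SAMPLE_CONFIG):
        print(f"{context}: {command}: {issue}")
```

On the sample it reports the local user, the console and AUX line passwords, and the console timeout; the "enable secret" line produces no finding.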

Configuring a Banner Message

You can display a banner message on the console when you log in to the device. Enter the following commands in global configuration mode.

Configuring a Banner Message

(config)#banner motd <message>

<message> : Messages to be displayed

For security purposes, it is preferable to display a banner message that says, “Only authorized users can log in”. The following banner message should be configured.

************************************************
Only administrator can login this device
************************************************

The configuration in R1 is as follows

R1(config)#banner motd ^
Enter TEXT message.  End with the character '^'.
************************************************
Only administrator can login this device
************************************************
^
R1(config)#

The “^” is set as a delimiter. The message will be displayed in multiple lines within the range enclosed by the “^”.

A message configured with “banner login” also appears before the user authentication prompt; if “banner motd” is configured as well, the login banner appears after the MOTD banner. The “banner exec” message is the message that appears when you enter EXEC mode after user authentication.

IP Address Configuration

Configure an IP address for the interface. Configuring an interface with an IP address allows you to connect to an IP network and send and receive IP packets. Note that router interfaces are administratively disabled (administratively down) by default with the “shutdown” command. You must enable the interface with the “no shutdown” command. Also, loopback interfaces are often created on routers for management purposes.

IP Address Configuration

(config)#interface <interface-name>
(config-if)#ip address <address> <subnetmask>
(config-if)#no shutdown

<interface-name> : Interface name
<address> <subnetmask> : ip address subnetmask

Device  Interface        IP address
R1      FastEthernet0/0  192.168.1.254/24
        Loopback0        192.168.0.1/32
SW1     Vlan1            192.168.1.250/24
Table IP address to be configured.

The configuration in R1 is as follows

R1(config)#interface loopback 0
*Mar  1 01:48:20.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip address 192.168.0.1 255.255.255.255
R1(config-if)#exit
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Mar  1 01:48:49.519: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 01:48:50.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

The configuration for SW1 is as follows.

SW1(config)#interface vlan 1
SW1(config-if)#ip address 192.168.1.250 255.255.255.0

Verify the interface

You can verify the interface status and configured IP address. The show commands for checking the interface status and IP address are as follows.

  • show ip interface [brief]
  • show interface
  • show protocols

The output of the show commands on R1 is as follows.

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.254   YES manual up                    up
Loopback0                  192.168.0.1     YES manual up                    up
R1#show ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
- omitted -
Loopback0 is up, line protocol is up
  Internet address is 192.168.0.1/32
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1514 bytes
R1#show interfaces
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is cc0c.6410.0000 (bia cc0c.6410.0000)
  Internet address is 192.168.1.254/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
Loopback0 is up, line protocol is up
  Hardware is Loopback
  Internet address is 192.168.0.1/32
  MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
R1#show protocols
Global values:
  Internet Protocol routing is enabled
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.254/24
Loopback0 is up, line protocol is up
  Internet address is 192.168.0.1/32

Two states are displayed for each interface, as follows.

FastEthernet0/0 is up, line protocol is up

The “<interface-name> is …” part is the state at the physical layer, and the “line protocol is …” part is the state at the data link layer. If they are both up, that is normal. If they are not both up, there is a problem that needs to be fixed. The following table summarizes the possible cases of the interface state.

<interface-name> is     line protocol is   Meaning
administratively down   down               The interface is shut down. “no shutdown” is required.
down                    down               Physical layer problems. Check cable connections, etc.
up                      down               Data link layer problems. Check the Layer 2 encapsulation protocol, etc.
up                      up                 The physical and data link layers are fine.
Table Interface status

The up/up status only covers up to the data link layer. Communication may not be possible even if the status is up/up, due to problems at the network layer or above.
