9. Cisco Internetworking Operating System (IOS) and Security Device Manager (SDM)
Cisco IOS
• The Cisco IOS is Cisco proprietary software that runs on Cisco routers and switches.
• IOS was first developed by William Yeager in 1986 to provide network services and enable networked applications.
• This software runs on Cisco routers and switches such as the Catalyst 2950/2960 and 3550/3560 series devices.
• Cisco router IOS software is responsible for:
- Supporting and transferring network protocols.
- Adding security that strictly controls access to the network and to networking devices, to stop unauthorized access.
- Providing scalability for ease of network growth.
- Providing network reliability to ensure that resources are always available and reachable.
Cisco router
Cisco routers are internetworking devices used to connect distinct networks. Cisco routers are available in two types:
Non-modular
Non-modular routers are low-cost routers with a fixed set of interfaces or cards. Ports or interfaces cannot be added later.
Modular
Modular routers, on the other hand, can be extended with additional components such as interfaces or ports, so interface cards can be added later.
A Cisco 2501 router (Non-Modular)
A Cisco 2600 router (Modular)
Cisco Router Connections
Cisco routers support two types of connections:
Ports
• Ports are used for configuration purposes and provide an out-of-band management method, that is, management that does not affect the traffic flowing through the device. Cisco routers and switches have a console port, and some models also have an auxiliary port.
Interfaces
• Interfaces are used to connect devices together, such as switch to router, router to router, or PC to router.
• Interfaces can also be used for management, but this affects the performance of the device. Such connections are referred to as in-band connections. Cisco routers have serial interfaces, Ethernet interfaces, and so on.
Connecting to a Cisco Router
Several ports and interfaces are available for connecting to a Cisco router:
Console port
• The console port is usually an RJ-45 (8-pin modular) connection located at the back of the router that can be connected to your computer's serial port with a console cable. When accessing the console port you may or may not be prompted for a password. The newer ISR routers use cisco as the username and cisco as the password by default; these defaults should be changed at first login. If your computer does not have a serial interface, you can use a serial-to-USB converter.
Auxiliary port
• The auxiliary port can be used in the same way as the console port to connect to a Cisco router. An auxiliary port can also be used to connect a modem.
• You can also connect to a Cisco router via telnet. As you know, telnet is a terminal emulation program that acts as though it is a dumb terminal. Using the telnet command you can connect to the address of any active interface on the router, such as an Ethernet or serial interface. Note that telnet carries the login credentials in cleartext, so SSH should be used instead where the image supports it.
• 2600 series routers can come with multiple serial interface options; using a serial V.35 WAN connection you can connect one to a T1 or Frame Relay WAN. A 2600 series router also has one console and one auxiliary connection.
Bringing Up a Router
• When the Cisco router is powered on, a test known as the Power-On Self Test (POST) is executed.
• After the test completes successfully, the router locates and loads the Cisco IOS from flash memory, which is electronically erasable programmable read-only memory, also called EEPROM.
• After that, the IOS looks for and loads a valid configuration, the startup-config, which is stored in non-volatile RAM (NVRAM).
The following messages appear when a router is booted for the first time or when it is reloaded.
Here we have used a 2811 router:
System Bootstrap, Version 12.4(13r)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xc940
program load complete, entry point: 0x8000f000, size: 0xc940
The first part of the router boot process output, shown above, displays the bootstrap program information; the bootstrap first executes the POST.
• It then tells the router how to load the IOS, which by default is in flash memory. It also shows the amount of RAM in the router.
• The information below shows that the IOS is being decompressed and transferred into RAM:
program load complete, entry point: 0x8000f000, size: 0x3ed1338
Self decompressing the image :
########################################################################## [OK]
• After the IOS is loaded, the router is ready to run. You can see the IOS version, stated as advanced security version 12.4(15):
[some output cut]
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 06:21 by pt_rel_team
Image text-base: 0x400A925C, data-base: 0x4372CE20
• There are two FastEthernet interfaces and two serial interfaces. The router output below shows 64MB of RAM (the 60416K/5120K figures add up to 65536K), 239K of NVRAM, and 64MB of flash.
[some output cut]
cisco 2811 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
2 Low-speed serial(sync/async) network interface(s)
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
• When the router is up and ready to run after loading the IOS, it copies the saved configuration, called the startup-config, from NVRAM into RAM.
• The copy of this file held in RAM is known as the running-config.
2600 series Router
• Here you see the boot process for non-ISR routers, which is similar to that of the ISR routers. The following messages appear when a 2600 series router is booted for the first time or when it is reloaded.
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 65536 Kbytes of main memory
• The information below shows that the IOS is being transferred into RAM:
program load complete, entry point:0x80008000, size:0x43b7fc
Self decompressing the image :
#######################################################################
#######################################################################
## [OK]
• You can see the IOS version, stated as version 12.3(20):
Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(20), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Tue 08-Aug-06 20:50 by kesnyder
Image text-base: 0x80008098, data-base: 0x81A0E7A8
• You can see one Ethernet interface and two serial interfaces, along with 64MB of RAM, 32KB of NVRAM and 16MB of flash memory:
cisco 2610 (MPC860) processor (revision 0x202) with 61440K/4096K bytes of memory.
Processor board ID JAD03348593 (1529298102)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
After the router is up and ready to run, a valid configuration is loaded from NVRAM, known as the startup-config. The boot-up differs if there is no configuration in NVRAM: the router then looks for one on a valid TFTP host. If it fails to find a valid configuration, it enters a mode called setup mode, which walks you step by step through configuring the router.
Setup mode is generally not very helpful, as it covers only some of the global configuration. Whenever you want to enter setup mode you can do so by typing the setup command.
Here is an example:
Would you like to enter the initial configuration dialog? [yes/no]: y
At any point you may enter a question mark ‘?’ for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets ‘[]’.
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
Would you like to enter basic management setup? [yes/no]: y
Configuring global parameters:
Enter host name [Router]:Ctrl+C
Configuration aborted, no changes made.
Router Modes
The Cisco IOS command-line interface is divided into different command modes. Each command mode has its own set of commands available for the configuration, maintenance, and monitoring of router and network operations.
• Entering a question mark (?) at the system prompt (router prompt) allows you to obtain a list of commands available for each command mode.
• The standard order in which a user would access the modes is as follows:
- user EXEC mode
- privileged EXEC mode
- global configuration mode
- specific configuration modes
- configuration submodes
1. User mode (User EXEC mode)
• User Mode is the first mode a user has access to after logging into the router.
• The user mode can be identified by the > prompt following the router name.
• This mode allows the user to execute only the basic commands, such as those that show the system’s status. The router cannot be configured or restarted from this mode.
• The user mode prompt looks like this:
Router>
2. Privileged mode (Privileged EXEC Mode)
• Privileged mode allows users to view the system configuration, restart the system, and enter configuration mode. Privileged mode also allows all the commands that are available in user mode.
• Privileged mode can be identified by the # prompt following the router name. From user mode, a user can change to privileged mode by running the "enable" command.
• An enable password or an enable secret can be set to restrict access to privileged mode. The enable secret is stored in the configuration file as a one-way hash (a type 5 entry) rather than the easily reversible type 7 encoding used by the enable password, so it is the safer choice.
• The privileged mode prompt looks like this:
Router#
3. Global Configuration mode
Global configuration mode allows users to modify the running system configuration. From privileged mode, a user can move to global configuration mode by running the "configure terminal" command. To exit configuration mode, the user can enter the "end" command or press the Ctrl-Z key combination.
The global configuration mode prompt looks like this:
Router(config)#
Changes made from configuration mode take effect immediately and apply to the entire router until they are changed again from configuration mode (they reach NVRAM only when the running-config is saved to the startup-config).
To change from privileged mode to global configuration mode you can also simply type config and press Enter, which selects the default source, terminal, as shown below:
Router#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
• To work directly with the startup-config, you can use the configure memory (config mem) command; it merges the startup-config file into the running-config in RAM.
• Here are some of the other options under the configure command:
Router(config)#exit (or press Ctrl-Z)
Router#config ?
  confirm            Confirm replacement of running-config with a new config file
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  replace            Replace the running-config with a new config file
  terminal           Configure from the terminal
  <cr>
• There are several submodes, such as:
• Interface configuration mode: used to configure details of a specific router interface, such as its IP address. The prompt looks like this:
Router(config-if)#
• To enter interface mode, type interface followed by the interface name in global configuration mode, e.g. Router(config)# interface serial 0/1/0, and then add the various parameters for that interface.
• Line configuration mode: used to configure details of the lines (console, vty, AUX). The prompt looks like this:
Router(config-line)#
• To enter line configuration mode, type line con 0 in global configuration mode and then configure the console settings, including login and password.
• Router configuration mode: used to configure details of routing protocols. The prompt looks like this:
Router(config-router)#
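The mode transitions described above, as one added worked session (not from the original page): the hostname Edge1, the domain name, the interface address, the RIP network and the <...> secret placeholders are assumptions.

```cisco
! Added example (not from the original page): one session that walks the
! IOS command modes described above. Hostname, addresses and the <...>
! placeholders are assumptions.
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname Edge1
! enable secret is stored as a one-way hash (type 5); the plaintext is
! never written to the configuration file
Edge1(config)# enable secret <strong-enable-secret>
Edge1(config)# username admin privilege 15 secret <strong-admin-password>
! SSH prerequisites so the vty lines below can refuse telnet
Edge1(config)# ip domain-name example.net
Edge1(config)# crypto key generate rsa modulus 2048
! line configuration mode: console
Edge1(config)# line console 0
Edge1(config-line)# login local
Edge1(config-line)# exec-timeout 5 0
Edge1(config-line)# exit
! line configuration mode: remote (vty) lines, SSH only
Edge1(config)# line vty 0 4
Edge1(config-line)# login local
Edge1(config-line)# transport input ssh
Edge1(config-line)# exec-timeout 5 0
Edge1(config-line)# exit
! interface configuration mode
Edge1(config)# interface FastEthernet0/0
Edge1(config-if)# description LAN
Edge1(config-if)# ip address 192.168.10.1 255.255.255.0
Edge1(config-if)# no shutdown
Edge1(config-if)# exit
! router configuration mode
Edge1(config)# router rip
Edge1(config-router)# version 2
Edge1(config-router)# network 192.168.10.0
! end returns to privileged EXEC from any submode
Edge1(config-router)# end
! everything above lives in running-config (RAM) until saved to NVRAM
Edge1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
```

Watch the prompt change at each step; it is the quickest way to confirm which mode a command will be interpreted in.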
Cisco's Security Device Manager (SDM)
- Cisco Router and Security Device Manager (SDM) is a web-based device-management tool for Cisco routers that can improve the productivity of network managers, simplify router deployments, and help troubleshoot complex network and VPN connectivity issues.
- Network and security administrators and channel partners can use Cisco SDM for faster and easier deployment of Cisco routers for integrated services such as dynamic routing, WAN access, WLAN, firewall, VPN, SSL VPN, IPS, and QoS.
- Cisco SDM provides a series of easy-to-use wizards that take you step by step through configuring your router, without requiring knowledge of the Cisco IOS software CLI.
- You can use Cisco SDM wizards to:
- Configure additional LAN and WAN connections
- Create firewalls
- Configure VPN, Easy VPN, and DMVPN connections, and create and manage digital certificates
- Perform a security audit on the router and have SDM fix security problems
- Configure basic routing
- Create Network Address Translation (NAT) rules on the router
- Create Quality of Service (QoS) policies
SDM Requirements
Memory Requirements
• A minimum of 6 MB of free memory is required to support all SDM files. 2 MB of router memory is required to support SDM Express when SDM is installed on the PC, and the SDM files on the PC require 5.5 MB.
PC System Requirements
• SDM is designed to run on a personal computer that has a Pentium III or faster processor. SDM can run on a PC running any of the following operating systems:
Microsoft Windows XP Professional
Microsoft Windows 2003 Server (Standard Edition)
Microsoft Windows 2000 Professional with Service Pack 4 (Windows 2000 Advanced Server is not supported)
Microsoft Windows ME
Microsoft Windows 98 (second edition)
Microsoft Windows NT 4.0 Workstation with Service Pack 4
Microsoft Windows XP Professional with Service Pack 2 or later
Microsoft Windows 2000 Professional with Service Pack 4 or later
Web Browser Versions and Java Runtime Environment Versions
SDM can be used with the following browsers:
Internet Explorer version 5.5 and later
Netscape version 7.1 and version 7.2 (not supported on Windows 98)
SDM requires Sun Java Runtime Environment (JRE) version 1.4.2_05 or later, or Java Virtual Machine (JVM) 5.0.0.3810.
Configure Router to support SDM
• To use SDM, you must enable the HTTP and/or HTTPS server on your router, using a local account for authentication:
Router# configure terminal
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
• HTTPS is supported in all images that support the Crypto/IPSec feature set, starting from Cisco IOS release 12.25(T). Where the image supports it, enable only the HTTPS server, since plain HTTP sends the privilege-level-15 credentials in cleartext.
• Then create a user account with privilege level 15:
Router(config)# username ciscorouter privilege 15 secret 0 passwd@123
• You will use this username and password to log in to SDM.
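The SDM access configuration above with its weak points, beside a hardened form, as an added example that is not from the original page. The management subnet 10.0.0.0/24, access-list number 10, the username sdmadmin and the <...> placeholder are assumptions.

```cisco
! Added example (not from the original page). The management subnet
! 10.0.0.0/24, the access-list number 10, the username sdmadmin and the
! <...> placeholder are assumptions.
!
! As shown above: both listeners on, so a login over plain HTTP sends the
! level-15 credentials in cleartext, and the account is reachable from
! any address that can route to the router
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# username ciscorouter privilege 15 secret 0 passwd@123
!
! Hardened: HTTPS only, reachable from the management subnet only
Router(config)# no ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# access-list 10 remark hosts allowed to reach SDM
Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
Router(config)# access-list 10 deny any log
Router(config)# ip http access-class 10
! expire idle sessions and cap the lifetime of a connection
Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
! "secret 0" only means the password is typed in cleartext; IOS still
! stores it hashed. The weakness in the page's example is the value itself,
! so use a strong one and retire the sample account
Router(config)# username sdmadmin privilege 15 secret <strong-password>
Router(config)# no username ciscorouter
Router(config)# end
! verify what is listening and which access class guards it
Router# show ip http server status
Router# show running-config | include ip http
```

The denied-with-log entry also gives the syslog server a record of every address that tried to reach the management interface from outside the allowed subnet.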