Gaining Access to Routers and Switches - Page 1
This Study Guide describes how to access a router through the following methods:
- Through a direct console connection
- Over the LAN via Telnet
- Through a terminal server
Here you will learn how to access a router and switch
through a direct console connection, over the LAN via Telnet, and finally through a
terminal server. This Study Guide reviews how to access a router or switch through a
direct console connection. Next, you will configure the terminal server router for
Telnet access. Then you will access the terminal server over the LAN via Telnet using
a terminal application program running on your PC. Finally, you will configure the
router as the lab terminal server for reverse Telnet to access the lab routers.
Routers and switches can be accessed and configured through various means. To initially configure a Cisco device,
you will need to connect directly through the console port. The console port exists on both routers and switches
and is available to configure and monitor the device.
Direct Access to Routers and Switches Through a Console Port
Most Cisco devices use a rollover cable connected to the console port on the router or switch. For exceptions, consult
the product documentation to verify whether you should use a straight-through or rollover cable.
The figure below shows the cabling for a rollover cable.
The cable is then connected to an RJ-45 to DB-9 or RJ-45 to DB-25 terminal adapter that is attached to a serial
communications port (COM1, COM2, or other COM port) on the PC. Figure 1 shows how this is done.
Figure 1 - Connecting a Device with a Console Cable
When the physical connection is in place, configure the terminal application program on the PC with the following COM settings:
- 9600 bps
- 8 data bits
- No parity
- 1 stop bit
- No flow control
These are the default HyperTerminal settings.
In the lab, you will be using the terminal application program HyperTerminal to connect to the terminal server's console port.
Any terminal application could be used based on your personal preference. If another terminal application is used,
consult the product documentation for configuration and setup procedures.
NOTE: The version of HyperTerminal has changed over the years to
address functionality problems within the application. For example, older versions
that came with Windows 95 and NT could not send the Ctrl-Break sequence (needed to
break into the router). An early version that came with NT Service Pack 2 or 3 fixed
this issue but had a problem when pasting several commands into the configuration
script - it took about 5 seconds per line while it sent CPU utilization to 100
percent. The version that comes with NT-SP5, 98, and 2000 is fine. The authors of the
program (Hilgraeve) provide a free update. To obtain the free update, open
HyperTerminal, click Help, About, Upgrade Information, and then follow the upgrade
instructions, or visit
http://www.hilgraeve.com/
Let's demonstrate how this is done.
Accessing the Lab Terminal Server Through the Console Port
The physical cabling between your PC and the router
acting as the terminal server has been configured as shown in Figure 1. With the
physical cabling in place, start the program HyperTerminal on the PC. To do so, click
Start, Programs, Accessories, Communications, HyperTerminal. Then double-click the
HyperTerminal executable (hypertrm.exe) from within Windows, as shown in Figure 2.
Figure 2 - Starting the HyperTerminal Application
Give the new connection a name of LAB, and then click OK, as shown in Figure 3.
Figure 3 - Giving the Connection a Name
In the Connect Using field, select Direct to Com1 from the drop-down menu, as shown in Figure 4.
NOTE: This step is correct for the newest versions of
HyperTerminal. For older versions of HyperTerminal, it is done differently. Hilgraeve
provides a free update to HyperTerminal when used for personal use. Visit
http://www.hilgraeve.com/ and download HyperTerminal Private Edition.
Figure 4 - Selecting the COM Port on PC
Now configure the port settings as follows and as shown in Figure 5. You can click the "Restore Defaults"
button to get the port settings for connection to any Cisco equipment. When finished, click OK:
- Bits per second: 9600
- Data bits: 8
- Parity: none
- Stop bits: 1
- Flow control: none
Figure 5 - Configuring HyperTerminal Port Settings
You are initially placed in user EXEC mode of the terminal server. If
you do not see a prompt, hit the Enter key a few times, and then type enable and hit
Enter. You are put into privileged EXEC mode without being prompted for a password
because an enable password has not yet been set, as shown in Figure 6.
Figure 6 - Successful Establishment of EXEC Session Through a Direct Console Connection
Be sure to hit the "Enter" key to connect to the router. If you still do
not get a console prompt, verify that it shows Connected in the bottom-left corner of
the HyperTerminal application, as shown in Figure 6. If not, check the physical
cabling as well as the port settings, and verify that the router has been powered on.
Sometimes with Windows 2000 you may need to change the RJ-45 to DB-9 or RJ-45 to DB-25
terminal adapter from COM port 1 to COM port 2 or vice versa to get a connection. Also
make sure the CMOS settings have enabled your COM ports.
Now that you have successfully connected to the console port of the terminal
server, you will configure the terminal server for Telnet access.
Configuring the Terminal Server for Telnet Access
In this section, you will configure the terminal
server so that you can Telnet to it across the network. When you are connected to the
terminal server, the terminal server will be the single point from which you may
access all other lab routers through reverse Telnet. A terminal server provides
out-of-band access to several devices. Out-of-band access is through a router's
console or aux port versus in-band access that occurs over a network through Telnet or
SNMP. Telnet, reverse Telnet, and a terminal server overview are covered in greater
detail later in the chapter.
The next step is to make the terminal server
accessible over your Ethernet network so that you can access it from any workstation
on the LAN, as shown in Figure 7.
Figure 7 - LAN Configuration for Telnet Access
Telnet access is useful because it eliminates the requirement to be
physically at the terminal server router to gain access. Instead, you can configure
the terminal server so that you can Telnet to it over the LAN, as shown in Figure 7.
Then, from the terminal server, you will be able to access each lab router through
reverse Telnet, as shown in Figure 8.
Reverse Telnet will be explained and demonstrated later.
Figure 8 - Terminal Server Logical Diagram
Begin by configuring the terminal server's host name, Ethernet IP
address, and vty lines. Because you're still attached via a direct connection to the
terminal server's console port, ensure you're in privileged EXEC mode by typing
enable from user EXEC mode, as in Example 1.
Example 1 - Entering Enable Mode on Terminal Server
Router>enable
Router#
Because the privileged EXEC password has not yet been set,
you are allowed directly into privileged EXEC mode without entering a password, as
denoted by the Router# prompt in Example 1. To change the host name
on the router, type configure terminal to enter global configuration mode. Next, issue the
hostname command followed by Termserver, as shown in Example 2.
Example 2 - Changing the Host Name on the Terminal Server
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Termserver
Termserver(config)#
Notice that the prompt has changed from Router(config)# to Termserver(config)#.
Next, from global configuration mode, enter interface configuration mode by typing
interface ethernet0, and assign the IP address of 10.160.8.1 with a mask of
255.255.255.0 to the Ethernet0 interface. In addition, ensure that the interface is
not shut down by typing no shutdown from interface configuration mode for Ethernet 0,
as demonstrated in Example 3.
Example 3 - Assign the Terminal Server's Ethernet 0 Interface an IP Address and Bring the Interface Out of Shutdown Mode
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Termserver
Termserver(config)#
Termserver(config)#interface ethernet0
Termserver(config-if)#ip address 10.160.8.1 255.255.255.0
Termserver(config-if)#no shutdown
Termserver(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
Termserver(config-if)#
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Termserver(config-if)#
Notice that you receive a console message indicating that the line protocol on Ethernet 0 is up and the interface is up. You can verify that
Ethernet 0 is up and configured with the proper IP address by typing show interface ethernet0, as shown in Example 4.
Example 4 - Verifying that Ethernet 0 Is Up and Configured with the Correct IP Address
Termserver#show interface ethernet0
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0000.0c47.351c (bia 0000.0c47.351c)
Internet address is 10.160.8.1/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 1/75, 0 drops
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 1 packets/sec
6674 packets input, 1267069 bytes, 0 no buffer
Received 6252 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 input packets with dribble condition detected
12718 packets output, 1199744 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
You can see that Ethernet 0 is up as shown in the highlighted lines of Example 4 because the interface is up and the line protocol is up.
In addition, you see that the IP address of 10.160.8.1 and mask of 255.255.255.0 (/24) are configured on the interface.
The workstation has been assigned an IP address of 10.160.8.65 with a subnet mask of 255.255.255.0. From the workstation,
verify that you can ping the newly assigned IP address on your terminal server's Ethernet 0 interface, as shown in Figure 9.
Figure 9 - Verify IP Connectivity Between Workstation and Terminal Server
Success!
vty Line Configuration for Telnet Access
Virtual terminal lines are used to allow remote access to
a router. A virtual terminal line is not associated with either the auxiliary or
console port; instead, it is a "virtual port" on the router. The router has five
virtual terminal lines, by default. You will configure the five vty lines (vty 0
through 4) for Telnet access and set a password of falcons on these lines. In
addition, you want to ensure that, after 15 minutes of inactivity on the vty lines,
the connection times out. To configure the vty lines, you will do the following from global configuration mode:
Step 1 Enter line configuration mode.
Step 2 Enable login on the vty lines.
Step 3 Set a password for Telnet access.
Step 4 Set the exec-timeout interval.
To examine how this is done, first enter line configuration mode for vty lines 0 through 4, as shown in Example 5.
Example 5 - Line Configuration Mode for vty 0 Through 4
Termserver#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Termserver(config)#line vty 0 4
Termserver(config-line)#
You can verify that you have successfully entered line configuration mode because the prompt has changed,
as shown in the highlighted portion of Example 5. Next, enable login on the vty lines and set a Telnet password
of falcons on the terminal server, as in Example 6.
Example 6 - Configure vty Lines with Login and Password Checking
Termserver(config-line)#login
Termserver(config-line)#password falcons
TIP: Remember that if an enable password has not been set on the router, you cannot Telnet into the router. This is true even when a password has
been set on the vty lines. Although not shown here, assume that the terminal server has been configured with the enable password falcons.
Finally, it is a good idea to set timeout values on your vty lines so that idle Telnet sessions will not remain up indefinitely. By default,
the exec-timeout is set to 10 minutes on both the console and the vty ports.
The timeout value is specified in minutes and seconds. You will set the timeout value to 15 minutes and 0 seconds on vty lines 0 through 4 using
the exec-timeout command. If you are unsure of the order in which to specify minutes and
seconds, use context-sensitive help, as shown in Example 7.
Example 7 - Setting the exec-timeout Value to 15 Minutes and 0 Seconds on vty Lines 0 Through 4
Termserver(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Termserver(config-line)#exec-timeout 15 ?
<0-2147483> Timeout in seconds
<cr>
Termserver(config-line)#exec-timeout 15 0
Termserver(config-line)#
Verify the configuration changes in your running-config by exiting back to privileged EXEC
with CTRL-Z and then using a show running-config command. The highlighted section of
Example 8 shows the last portion of the running-config with the configuration of the five vty lines.
Example 8 - Verify Changes with show running-config Command
Termserver(config-line)#^Z
Termserver#show running-config
line con 0
 login
line 1 16
line aux 0
line vty 0 4
 exec-timeout 15 0
 password 7 15140A0007252537
 login
The end of the configuration file shows all lines on the router, as well as the changes you have made to the vty lines.
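An added example, not part of the original study guide: a small Python check over the line section of Example 8 that reports which lines have no login check, which require login but have no password, which store the line password in cleartext or in type 7 form (a reversible encoding, not a hash), and which never time out. The finding labels and function names are chosen for this example; the 10-minute default is the one stated in the text above.

```python
# Added example: audit the "line" blocks of a show running-config capture.
DEFAULT_TIMEOUT = "exec-timeout 10 0"  # default stated in the text above

# "line" section from Example 8, with IOS's one-space indentation.
EXAMPLE_8 = """\
line con 0
 login
line 1 16
line aux 0
line vty 0 4
 exec-timeout 15 0
 password 7 15140A0007252537
 login
"""

def parse_lines(config):
    """Map each 'line ...' header to the list of commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = blocks.setdefault(cmd[5:], [])
        elif cmd in ("", "!", "end"):
            current = None          # block separator or end of config
        elif current is not None:
            current.append(cmd)
    return blocks

def idle_timeout(cmds):
    """Idle timeout in seconds; 0 means sessions never time out."""
    cmd = next((c for c in cmds if c.startswith("exec-timeout ")), DEFAULT_TIMEOUT)
    parts = [int(p) for p in cmd.split()[1:]]
    return parts[0] * 60 + (parts[1] if len(parts) > 1 else 0)

def audit(config):
    """Return sorted (line, finding) pairs for login, password and timeout."""
    findings = []
    for name, cmds in parse_lines(config).items():
        password = next((c.split() for c in cmds if c.startswith("password ")), None)
        login = any(c == "login" or c.startswith("login ") for c in cmds)
        if not login:
            findings.append((name, "no-login"))            # no password prompt
        elif "login" in cmds and password is None:
            findings.append((name, "login-without-password"))
        if password and password[1] == "7":
            findings.append((name, "type7-password"))      # reversible encoding
        elif password:
            findings.append((name, "cleartext-password"))
        if idle_timeout(cmds) == 0:
            findings.append((name, "no-idle-timeout"))
    return sorted(findings)
```

Calling audit(EXAMPLE_8) flags the console, async, and aux lines as well as the vty password, which the vty-only walkthrough does not touch.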
Saving the Running Configuration
Save the configuration by typing copy running-config startup-config from global configuration mode, as shown in Example 9.
Example 9 - Copy running-config to startup-config
Termserver#copy running-config startup-config
Building configuration...
[OK]
Termserver#
NOTE: If you are running Cisco IOS software Release 12.0 or later, the copy command
may ask for a confirmation in this form: Destination file [startup-config]?
The configuration has been successfully copied from the running configuration to the startup configuration,
as denoted by the [OK] highlighted in Example 9.
Accessing the Terminal Server from a PC over a LAN/WAN via Telnet
Now you will test to see if you can Telnet to the terminal server at 10.160.8.1. To do so, configure the terminal application program
(HyperTerminal) to Telnet to the router. This is done by starting HyperTerminal and, instead of selecting a COM port to connect through,
selecting TCP/IP (Winsock), as shown in Figure 10.
NOTE: If the TCP/IP option is not available, you have an older
version of the HyperTerminal Application. You can upgrade it at http://www.hilgraeve.com/.
Figure 10 - HyperTerminal Configured to Use TCP/IP
Next, enter the IP address of 10.160.8.1, as shown in Figure 11.
Figure 11 - Telnet to Ethernet 0 10.160.8.1
You are first prompted for the Telnet password of falcons
that you configured previously in Example 6. When this password is successfully
supplied, you are taken into user EXEC mode. From there, you can type enable
to gain access to privileged EXEC mode.
You have now successfully Telnetted to the terminal server.
Continue on page 2.