
Router Configuration 101: Configuring and securing the router

This three-part series reviews the basics of setting up a Cisco router. Part 1 discussed how to boot up your new Cisco router (http://www.techrepublic.com/5100-10586-5589161.html) and explained the various router modes. Now, find out how to secure the router with passwords, apply IP addresses to interfaces, and enable those interfaces for use.


Whether it's been years since you've worked with routers or you're just starting out, it never hurts to review the basics—even if you're a seasoned administrator. To answer a recent question from a member, I decided to address the basics of Cisco router configuration in a three-part series. In part 1 of this series, "Router Configuration 101: Setting up the router," I walked you through the process of connecting a new Cisco router, configuring it through the console, and familiarizing yourself with the different IOS administrative modes the router offers.

Last time, we left the router in Global Configuration Mode, where the prompt says router(config)#. Now, let's look at how to secure the router with passwords, apply IP addresses to interfaces, and enable those interfaces for use.

Before we get started, take a look at Figure A, which offers an illustration of what our example network looks like. Prior to configuring any network—even a small one that has only one router—you should always create a network diagram similar to this one.

Figure A

As you can see, this router has two interfaces. The LAN interface goes to the inside network, which should be the Ethernet network connected to the PC. If you're the sole administrator for this network, you can choose the IP address scheme for the LAN from the blocks of RFC 1918 private IP addresses. (While you have other methods, this is currently the most common method of addressing LANs.)

Larger organizations, however, may have a network administrator who lays out the IP addressing for the entire company. In that case, you would obtain the IP address for the LAN from this individual.

The second interface, on the other side of the network diagram, is the WAN. In our example, this is the connection to the Internet service provider (ISP), which, of course, provides the connection to the Internet. The ISP should provide you with the IP address for this link.

Now that we have a visual idea of what we're working with, let's apply some basic configurations to the router, attach IP addresses to our interfaces, and enable those interfaces. Here's the step-by-step process.

Name the router

Everything needs a name: Your PC has a name, and so should your router. Here's an example of naming a router:

Router(config)# hostname Internet-Router
Internet-Router(config)# 

Notice how after changing the name of the router to Internet-Router, the prompt immediately changes as well. That's because the prompt reflects the name of the router, so changing the router's name also changes the prompt.

Secure the Console Port, Auxiliary Port, and VTY lines


Next, you need to secure the Console Port, Auxiliary Port, and VTY lines from unauthorized access. The Console and Auxiliary ports are physical ports on the router.

The VTY lines are inbound Telnet lines that you can use to Telnet to the router for administrative purposes. There are five inbound Telnet lines, labeled 0 to 4.

Here's an example of configuring all three areas, a process that's more or less the same for each:

Internet-Router(config)# line console 0
Internet-Router(config-line)# password Complex21
Internet-Router(config-line)# login
Internet-Router(config-line)# exit

Internet-Router(config)# line aux 0
Internet-Router(config-line)# password Complex21
Internet-Router(config-line)# login
Internet-Router(config-line)# exit

Internet-Router(config)# line vty 0 4
Internet-Router(config-line)# password Complex21
Internet-Router(config-line)# login
Internet-Router(config-line)# exit

Notice how the prompt changes from config to config-line, which indicates that you've moved from Global Configuration Mode to Line Configuration Mode. Global Configuration Mode contains subconfiguration modes, such as Line Configuration Mode. To return to Global Configuration Mode from Line Configuration Mode, use the exit command.

Set an enable secret password

An enable password controls access to Privileged Mode from User Mode. In other words, when you type enable to enter Privileged Mode, the router will prompt you for this password.

Consider this password to be your administrative password, and make sure it differs from the passwords you just assigned. The secret keyword stores the password as a one-way hash, so the configuration won't display it in clear text.

You must set this password when in Global Configuration Mode. Here's an example:

Internet-Router(config)# enable secret Secret99Password
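
The two password steps above can be checked after the fact against a saved configuration. The following is an added example, not code from the original article: the function name audit and the sample configuration are constructed for illustration, and the check assumes the line passwords are enforced with plain login as in the article.

```python
import re

# Constructed running-config excerpt (not taken from the article's router).
SAMPLE = """\
hostname Internet-Router
enable password Complex21
line con 0
 password Complex21
 login
line aux 0
line vty 0 4
 password 7 CONSTRUCTED-TYPE7-STRING
 no login
"""

def audit(config):
    """Check the line passwords and enable secret the article sets up."""
    lines, kind = {}, None
    secret = weak_enable = False
    for raw in config.splitlines():
        if raw.startswith("line "):
            kind = raw.split()[1][:3]          # con / aux / vty
            lines[kind] = {"ptype": None, "login": False}
        elif raw.startswith(" ") and kind:
            # "password <text>" is clear text (type 0); "password 7 <text>" is
            # reversible obfuscation, counted here only as "not clear text".
            m = re.match(r"password (?:(\d) )?\S+$", raw.strip())
            if m:
                lines[kind]["ptype"] = m.group(1) or "0"
            elif raw.strip() == "login":       # plain login = ask for line password
                lines[kind]["login"] = True
        else:
            kind = None
            secret |= raw.startswith("enable secret ")
            weak_enable |= raw.startswith("enable password ")
    findings = []
    for k in ("con", "aux", "vty"):
        st = lines.get(k, {"ptype": None, "login": False})
        if st["ptype"] is None:
            findings.append(f"{k}: no password set")
        elif st["ptype"] == "0":
            findings.append(f"{k}: password is readable in the configuration")
        if st["ptype"] is not None and not st["login"]:
            findings.append(f"{k}: password set but login is not enabled")
    if not secret:
        findings.append("enable: no enable secret configured")
    if weak_enable:
        findings.append("enable: 'enable password' is stored unhashed")
    return findings
```

Calling audit(SAMPLE) returns one finding per problem; a configuration with a password and login on all three lines plus an enable secret returns an empty list.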

Assign IP addresses and enable interfaces

Next, tell the router which networks the interfaces are in. Since a router transmits information between networks, every interface on a router obviously exists in a different network.

You should already have the IP addresses from the network diagram, so all you need to do is go into Interface Configuration Mode. Listing A shows an example.

First, this labels each interface with a description for documentation purposes. Next, it assigns the IP addresses from the diagram and enables the interfaces. In the Cisco IOS world, putting no in front of a command reverses that command. Therefore, to enable an interface, use the reverse of shutdown—no shutdown.

You may have noticed that this example configured the WAN interface, Serial 0/0, as the Internet interface. This is the typical configuration when connecting a router to an external CSU/DSU that goes to an Internet T1 circuit.
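
The interface step described above can be generated from an address plan and validated before anything is typed into the router. This is an added example, not the article's Listing A: Serial0/0 is the article's WAN interface, while FastEthernet0/0, both IP addresses, and the names PLAN and render_interfaces are placeholders chosen for illustration. It assumes the sole-administrator case, where the LAN is addressed from RFC 1918 space.

```python
import ipaddress

# RFC 1918 private blocks, which the article suggests for the LAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed address plan: (interface, description, address/prefix, role).
# Serial0/0 is the article's WAN interface; FastEthernet0/0 and both
# addresses are placeholders (203.0.113.0/24 is a documentation range).
PLAN = [
    ("FastEthernet0/0", "LAN - inside network", "192.168.1.1/24", "lan"),
    ("Serial0/0", "WAN - link to ISP", "203.0.113.2/30", "wan"),
]

def render_interfaces(plan):
    """Validate the plan, then return the IOS commands that apply it."""
    parsed = [(name, desc, ipaddress.ip_interface(addr), role)
              for name, desc, addr, role in plan]
    for i, (name, _, iface, role) in enumerate(parsed):
        if role == "lan" and not any(iface.network.subnet_of(b) for b in RFC1918):
            raise ValueError(f"{name}: {iface} is not an RFC 1918 address")
        for other_name, _, other, _ in parsed[:i]:
            # Each router interface must sit in its own network.
            if iface.network.overlaps(other.network):
                raise ValueError(f"{name} overlaps {other_name}")
    commands = []
    for name, desc, iface, _ in parsed:
        commands += [
            f"interface {name}",
            f" description {desc}",
            f" ip address {iface.ip} {iface.netmask}",
            " no shutdown",      # 'no' reverses shutdown, enabling the port
            " exit",
        ]
    return commands

if __name__ == "__main__":
    print("\n".join(render_interfaces(PLAN)))
```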

Save the configuration

While it may sound obvious, this step is vital. So far, we've only made these changes in the RAM of the router. As you know, a simple power outage can wipe out anything in RAM. So, you need to save your configuration to nonvolatile RAM (NVRAM) to prevent losing changes if the router loses power or crashes.

Here's an example:

Internet-Router(config)# exit ! to go back to privileged mode
Internet-Router# copy running-config startup-config

An alternate way to accomplish this, and my preferred method, is by using the obsolete, but still functional, write command. A Cisco router accepts the shortest unambiguous abbreviation of a command, and wr is the shortest representation of the write command. So, instead of entering the above commands, you can save time and accomplish the same thing by simply entering wr.

Stay tuned: Next time, we'll wrap up this series by configuring the router to communicate with the Internet.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
