Networking

Run remote commands on a Cisco router from your PC

Did you know that you can run Cisco router commands without leaving the Windows command prompt? This can come in handy for scripting and automating router management. Find out how to set it up.

Can you go to a Windows command prompt and run a command on your router? Usually, you would have to Telnet or SSH to the router first to run the command, right?

While this approach works, you can also run router commands without leaving the Windows command prompt, which can come in handy for scripting and automating router management. Let's take a closer look.

What is remote shell (rsh)?

Remote shell (rsh) is a command-line program commonly found in UNIX and Linux systems. Using rsh, you can remotely execute command-line programs on a remote system. This could be another UNIX or Linux system, or it could be a Cisco router or switch. Rsh was part of the BSB UNIX operating system and included with rcp (remote copy) and rlogin (remote login).

While most Linux administrators are already familiar with rsh, some Windows administrators might not be. In fact, Windows XP and Windows Server 2003 both include rsh. Figure A shows a screenshot of using rsh at the command prompt.

Figure A

Figure A

However, when working with rsh, it's important to remember that rsh is insecure -- it does not encrypt the communications between the remote device and the system. You should always configure rsh as securely as possible on the router by locking down the IP address of the management machine and the username.

However, even when taking such precautions, rsh is still very insecure compared to SSH. It's a good idea to use rsh only on a protected, secured, internal network. (By the way, if you're allowing rsh through a firewall, it uses TCP port 514.)

How do I configure rsh on my router?

To be able to run a command on a Windows PC, have it go to the router, execute the command, and then return the output to you, all you need to do is enter two commands. Let's walk through the process.

First, you need to enable the remote shell services on the router. The Cisco IOS calls the remote shell service ip rcmd. To enable this service, enter the following command when in Global Configuration Mode:

Router(config)# ip rcmd rsh-enable

Second, you need to configure the permissions for your workstation and your user to be able to perform these remote shell commands. Here's an example of this command:

Router(config)# ip rcmd remote-host root 192.168.1.45 ddavis enable
Let's take a closer look at this command. The ip rcmd remote-host part is required. Next, you enter the local username on this router of the user that the remote shell will log in under when it runs commands. In this case, we used the local user root. Next, 192.168.1.45 is the IP address of the management workstation that we want to allow to execute these remote shell commands -- in other words, the IP address of the PC. Next, you see my local Windows username: ddavis. In this case, that's the name of the user logged into the Windows XP machine as well as the user who will be executing the rsh command in Windows. If I were running a batch job script that executed the Windows rsh command, I would need to enter the Windows username of the user that the batch job was running under.

Finally, the command contains the enable keyword. This allows the remote shell user access to enable the mode on the router. I could take this a step further and specify the level of access allowed (i.e., levels 1 through 15).

Keep in mind that these two commands assume you already have the router configured and you already have a local user called root. If you don't have a root user, you can use the following command to do so:

Router(config)# username root privilege 15 password C1sCo!

How do I use rsh from my Windows workstation?

Once you've configured the above commands, you can easily run a remote shell command from the Windows command prompt. Figure B offers an example.

Figure B

Figure B

 

Here's the actual command I used:

Z: rsh Router1 -l root sh ver

Here's how the command works:

  • The hostname is the first thing specified (in this case, Router1).
  • Next, I used -l (i.e., the letter L) to specify the remote username that I will use to log in. (Keep in mind that I still have to be user ddavis on the local Windows PC for the security to work. Also, I have to come from the IP address that I've specified -- in other words, this wouldn't work from another workstation.)
  • Finally, specify the command. In this case, I ran the show version command (or sh ver).

What can I do with the rsh command?

In addition to using the show version command, you can also run the show running-configuration (sh run) command or any other privileged level command. Here are some more examples:

  • show ip interface brief
  • show ip route
  • show ip ospf neighbors
  • show ip bgp summary
  • show log

What you can't do is run a Global Configuration Mode command, such as enabling an interface or configuring an IP address. This usually limits you to the show commands.

However, one very useful thing you could do is copy your current configuration to a TFTP server and do it inside a script initiated on the Windows server. For example, you would use the copy running-configuration tftp:/1.1.1.1 command.

What else can I do with remote commands?

If you check out the Cisco IOS documentation that covers remote commands, you'll find that there are a number of options you can use with the remote shell commands. One of the latest features in the Cisco IOS is that you can authenticate incoming rsh and rcp commands using a Cisco IOS access control list.

One of the more interesting variations is that you can use remote copy (rcp). So, I could copy a file using the Windows rcp command from my PC to the router or from the router to the PC -- without ever using TFTP or FTP. (You can enable rcp with the ip rcmd rcp-enable command.

Conclusion

The remote shell (rsh or rcmd) commands can be very useful for remotely administering your router. This is especially true if you want to create a Linux or Windows script that goes out to all routers on your network and performs some show command.

Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!

6 comments
Photogenic Memory
Photogenic Memory

I think so. They way things are today; having open communications between devices; even on a LAN, potentially opens you up to packet sniffing or sometype of security exploit. I mean; if you have small network that can be trusted, perhaps rsh is good alternative to crappy telnet. It's always good to have alternatives. I think most people prefer ssh these days and for many good reasons.

bill.friday
bill.friday

We use scp to automate cisco tasks from a Linux host. One can probably use cygwim from a windows box. scp requires a file and the router prompts you for the password. I store the password separately in a secure area on a Linux host and use an expect script to send the file to the router.

speculatrix
speculatrix

you definitely DO want to be using ssh/scp instead of rsh/rcp, but you'll need the right version of IOS which supports this, and also to create the ssl keys on the switch or router. for many people this will mean buying an IOS upgrade unless you happen to have a cisco maintenance contract which covers it.

biton.walstra
biton.walstra

well if you can spend some $$$ on cisco kit in the first place i don't see any reason why not to upgrade the ios if needed. security has it's price but being compromised is far more expensive... we only use ssh from specific networks for all out cisco kit full stop

Editor's Picks