To configure and manage Cisco routers, you need to be able to interact with them through some kind of connection. First, you must communicate with the router, either by logging into it or by downloading and uploading files to and from it. Once you're connected, you must then be able to speak its language, which on Cisco routers means IOS commands.
You can gain access to a router either directly through the console or AUX ports or over a network using the Telnet, SSH (Secure Shell), HTTP, or HTTPS protocol. Network pros generally use SSH for security and convenience. Once a session is established, Telnet and SSH feel the same, but they differ in one important way: SSH encrypts the whole session, login password included, whereas Telnet sends everything, password included, in clear text, so anyone who can sniff the path to the router can read it. Whatever method is used, you need to get into the IOS environment in order to review files and enter commands. Telnet and SSH clients are commonly available for all operating systems. A popular client is PuTTY, available for download at http://www.putty.nl. Once it's downloaded, you just need to double-click it to get started.
Notice in Figure 4-2 that either remote or local hosts can be accessed. The IP address highlighted in Figure 4-2 belongs to a router on the local area network (LAN) in the same office as our imaginary network administrator. One of the remote IP addresses would be used if the router were located at a remote site (that is, beyond the LAN). Even if you are on the same network as the router, a valid password must be entered in order to gain entry.
Figure 4-2: Configuration can be accomplished by logging on to a router through a Telnet connection
Just in case you ever encounter it, Figure 4-3 shows an error condition that commonly befuddles beginners typing their first IOS commands.
Figure 4-3: Entering a bad command results in an inadvertent broadcast message
What's happening in Figure 4-3 is this: When you enter text that IOS cannot interpret as a command, it assumes that it's the name of a host you want to Telnet to. IOS has no choice in the matter. After all, one purpose of a router is to communicate with other machines, and no single router has all existing addresses on file. To turn the name into an address, the router sends a DNS query; if no name server has been configured, that query goes to the broadcast address 255.255.255.255 (as you no doubt remember from Chapter 2), which is why the attempt looks like a broadcast. After ten seconds or so, the lookup times out, the router displays an error message, and returns to the prompt.
If you enter a bad command into most computer operating systems, you get an error message. Give IOS a bad command, and it assumes the input is a host name and tries to Telnet to it. Normal operating systems know all possible input values that can go into them, but IOS doesn't have that luxury. It deals in network addresses, and routers never assume they know all possible addresses because networks change constantly. Besides wasting your time, this behavior means a typo can turn into an unintended connection attempt made by the router itself. Two commands tame it: no ip domain-lookup in global configuration stops the name resolution altogether (at the cost of DNS for legitimate commands), and transport preferred none on the console and vty lines stops IOS from treating stray text as a Telnet target while leaving DNS alone.
IOS 12.4 features a number of enhancements that build on earlier releases of the IOS platform. There are hundreds of new features in IOS, far more than we have space to cover here. That said, let's take a look at some of the highlights in IOS 12.4.
As with any new operating system, it isn't wise (or even necessary) to immediately make the switch to a new release without first understanding the impact it might have on your network. Cisco recommends upgrading to 12.4 for customers who are using Release 12.3T, since 12.4 provides maintenance for the 12.3T release once it reaches its end of engineering stage. Beyond that, however, it's a good idea to consider what you're using and determine whether the new features in 12.4 are worth your while.
Cisco has beefed up the list of hardware supported in IOS 12.4. It includes Network Analysis Modules (NAM) for modular routers, ISP routers, Cisco Unity Express, and the IDS Network Module.
Broadband enhancements include DSL aggregation, MPLS features, and dial-like features. Broadband is certainly a more prevalent (and, of course, useful) technology, but some of these features may be a bit more specialized than the average IOS user will need to implement.
IOS 12.4 offers enhanced availability through two features:
Warm upgrade: IOS is decompressed and loaded into memory, streamlining the upgrade process. The new image does not need to be copied into flash memory to do this.
Cisco IOS IPSec stateful failover: Enables a standby router to continue processing and forwarding IPSec packets after the active router fails, because the security association state is replicated to the standby rather than renegotiated.
The infrastructure is enhanced in two areas:
Cisco IOS Embedded Event Manager 2.1: Detects events and triggers local command-line actions within the router.
Embedded Resource Manager: Allows the monitoring of internal resources and the triggering of actions to improve router performance and availability.
IP mobility is enhanced through NAT and Dynamic Security Associations and Key Distribution improvements.
IP multicast enhancements include:
New IPv6 multicast features.
Multicast Source Discovery Protocol (MSDP) enhancements.
PIM Dense Mode (PIM-DM) fallback prevention. This keeps a sparse-mode multicast network from falling back to dense-mode flooding when rendezvous point information is lost.
You would expect IP routing to be the area with lots of new stuff, but it really isn't. Nothing Earth-shattering, anyway. One enhancement, however, is that the route-map output of the show commands now includes additional Access Control List (ACL) details.
Optimized Edge Routing (OER) is a big new feature in IOS 12.4 and is used to determine the best outbound path, normally when an organization has multiple ISPs. It is based on NetFlow and the Service Assurance Agent (SAA). OER can detect path failures at the WAN edge and reroute accordingly.
OER also includes policy configuration, where you can configure specific policies and switch between them.
IP Services includes an assortment of enhancements, including:
Rate Based Satellite Control Protocol (RBSCP): Provides optimizations for satellite links and is intended to replace Performance Enhancing Proxies (PEPs).
IP Access Lists: Support filtering on IP Options, so packets carrying particular options (or any options at all) can be dropped. You can also filter packets based on TCP flags.
There are a number of new SNMP Management Information Bases (MIBs) (for more information on MIBs, flip ahead to Chapter 13). Management features include locking configuration sessions, so that two administrators cannot change the configuration at the same time, and fine-grained control over which subsystems can be configured through HTTP. Other features include:
Bandwidth Estimation through Corvil Technology: A QoS technology licensed for selected routers. You configure SLAs for packet loss levels, delay bounds, and other per-class targets, and the QoS command show policy-map interface then reports recommended bandwidth levels.
Egress NetFlow: Allows the tracking of packets as they leave the router, not just as they arrive. NetFlow information is accessible through an SNMP MIB.
Configuration Rollback/Replace: The jewel in the management instrumentation crown. You archive a known-good configuration; later the router can generate a list of differences between it and the running configuration for you to review, then replace the running configuration with the archived one. So if you make a configuration mistake, you can at least roll back to a working state and take another poke at it. Keep in mind that an archived configuration contains the router's credentials and should be stored somewhere as well protected as the router itself.
Embedded Syslog Manager: Syslog messages can be customized, sent to specific receivers, or event-correlated within the device to limit event storms.
QoS functionality has been bolstered in IOS 12.4. In addition to the Corvil technology mentioned earlier, a number of features enhance AutoQoS. Administrators can now display the recommended AutoQoS configuration that the tool would apply.
AutoQoS for the Enterprise tracks traffic statistics using Network Based Application Recognition (NBAR), and then a recommended QoS policy is generated based on those metrics.
Another beefy addition to IOS 12.4, the security and VPN area accounts for 62 new features. Some highlights include:
Cisco Router and Security Device Manager (SDM): Combines routing and security configuration with easy-to-use wizards and troubleshooting capabilities. It also allows synchronization of routing and security policies throughout the network.
Transparent IOS IPS: Inspects traffic at layers 2 and 3, so the administrator can deploy IPS in an existing network without readdressing statically addressed devices.
IPSec Virtual Tunnel Interface: An interface type that terminates an IPSec tunnel. Used with Easy VPN, it lets virtual IPSec interfaces be created dynamically, allowing large IPSec networks to be deployed with minimal configuration.
This is by no means a complete listing of IOS 12.4's features, but it hits on some of the highlights. Some of the new features are more advanced and may be off the radar for a beginner. However, if you want to see what sorts of features have been included in IOS 12.4, go to http://www.cisco.com/go/ios. This will also detail advances and features included in IOS since this book's publication.
While Cisco IOS is the most prevalent version of Cisco's operating system (be it 10.x all the way through 12.x), Cisco has also created a new operating system that could be looked at as more modular. In May 2004, Cisco released IOS XR for its CRS platform. In addition to the catchier name (inasmuch as an operating system name can be catchy) IOS XR promises more modularity and features beyond its earlier incarnations.
IOS XR's biggest feature is its modular architecture, which offers greater stability and easier management. Cisco is taking any transition slowly. At this point, IOS XR is only used on carrier-class routers, but one could certainly expect that some features will eventually make it into enterprise environments, assuming there is a supporting business requirement.
Current versions of IOS run as a single piece of executable code on the router, with every process sharing one memory space. As customers demand various features, they are added to that one image, which therefore requires more memory and system resources to execute, and a fault in any one feature can take down the whole router.
IOS XR is designed more like a server. It has an underlying operating system (a microkernel), and services run on top of it as separate, protected processes, so a faulting process can be restarted without bringing down the router. Ideally, this makes the operating system more reliable and faster.
The movement to new IOS architectures started late in 2004 as IOS High Availability (IOS-HA) was introduced for the Catalyst 6500 switch. This technology allows 6500s to run dual supervisor cards and failover without losing packets or experiencing any network disruption. This technology was already used on Cisco 12000 Series and is making its way down Cisco's product line.
The move to this different operating system architecture is because the more features added to IOS, the bigger and clunkier the operating system becomes. As such, the IOS XR architecture can include (or not include) features as needed, thus making a sleeker, sexier operating system. Current versions of IOS include millions of lines of code. IOS XR has around 80,000.
Having every feature under the sun is great to round out a device and be able to say, "Hey, it does all this …" But the fact of the matter is that most clients don't need every feature IOS has to offer. All those extra features just slow down the device.
Any computer software environment has its quirks, and IOS is no exception. On one hand, IOS is a purpose-built operating system that has been stripped of all but the bare essentials in order to keep things simple and fast. That's a good thing, but you won't see the plush conveniences that a Mac, the X Window System (UNIX), or Microsoft Windows graphical user interface (GUI) offers. On the other hand, IOS is one of the world's most widely distributed and important operating systems. So, everything you need to operate is inside if you look.
IOS has hundreds of commands. Some can be used anywhere in IOS; others only within a specific area. Even Cisco gurus haven't memorized all the IOS commands. So, like any good operating system, IOS arranges its commands into a hierarchy. Figure 4-4 is an overview of how IOS commands are structured.
Figure 4-4: The IOS command structure has two modes
The first division within IOS is between the User EXEC and Privileged EXEC levels of IOS. User EXEC, of course, contains only a subset of Privileged EXEC's commands. The less powerful User EXEC mode is where connect, login, ping, show, and other innocuous commands reside. These are in Privileged EXEC, too, but privileged mode is where the more powerful, and potentially destructive, commands (configure, debug, erase, setup, and others) are exclusively available.
Depending on the IOS feature set installed, there are many more commands in Privileged EXEC than in User EXEC. The commands in User EXEC mode tend to be "flat." In other words, they don't have branches leading to subset commands underneath, as the following example shows:
Router> connect ?
  WORD  IP address or hostname of a remote system
  <cr>
As a rule, User EXEC mode commands go, at most, just two levels deep. Being more powerful, Privileged EXEC mode commands can go deeper, as the following example sequence shows:
MyRouter#show ip ?
  access-lists  List IP access lists
  accounting    The active IP accounting database
  aliases       IP alias table
  arp           IP ARP table
  . . .
The show ip command has many available arguments (subcommands):
MyRouter#show ip arp ?
  H.H.H                48-bit hardware address of ARP entry
  Hostname or A.B.C.D  IP address or hostname of ARP entry
  Null                 Null interface
  Serial               Serial
  Ethernet             IEEE 802.3
  <cr>
Arguments can be modified by other arguments still deeper in the root command's "subcommand" tree:
MyRouter#show ip arp serial ?
  <0-3>  Serial interface number
  <cr>
For example, after you've pieced together a full command from the preceding options (show ip arp serial 2, say), you press Enter after the 2 to display the ARP entries learned on serial interface 2.
Piecing together straightforward command lines is one thing. The real trick is knowing where to find arguments to root commands so that you can put together complete and correct command lines. This is where the IOS help system comes into play.
IOS has a built-in, context-sensitive help system. Context-sensitive means the help system responds with information based on where you are in the system at the time. You can get the broadest kind of context-sensitive help by simply entering a question mark at the prompt. Here, for example, is a listing of all the root commands available in the User EXEC level of IOS:
Router>?
Exec commands:
  <1-99>         Session number to resume
  access-enable  Create a temporary Access-List entry
  atmsig         Execute Atm Signaling Commands
  clear          Reset functions
  connect        Open a terminal connection
  disable        Turn off privileged commands
  disconnect     Disconnect an existing network connection
  enable         Turn on privileged commands
  exit           Exit from the EXEC
  help           Description of the interactive help system
  lat            Open a lat connection
  lock           Lock the terminal
  login          Log in as a particular user
  logout         Exit from the EXEC
  . . .
You can also get what some call "word help" by entering part of a command you don't know followed immediately by a question mark:
Router>sh?
show
Word help is a great way to get definitions and is especially handy for figuring out what truncated commands are, as with show in the preceding example. Another way to get help on a partial command is to simply enter it, whereupon the system will come back with an instruction on how to obtain complete help on the command:
Router>sh
% Type "show ?" for a list of subcommands
Notice that in help's suggested command show ? there is a space between the command and the question mark. As you've by now noticed, there is always a space between a command and its modifier (called an argument). Doing this in a help request is the way to ask for a list of arguments available for the command. In the following example, the question mark asks for all arguments available for the show command:
Router>show ?
  bootflash  Boot Flash information
  calendar   Display the hardware calendar
  clock      Display the system clock
  context    Show context information
  dialer     Dialer parameters and statistics
  history    Display the session command history
  hosts      IP domain-name, lookup style, nameservers, and host table
  kerberos   Show Kerberos Values
  location   Display the system location
  . . .
Sometimes, using help in this way is called command-syntax help, because it helps you properly complete a multipart command. Command-syntax help is a powerful learning tool because it lists keywords or arguments available to you at nearly any point in IOS command operations. Remember, the space must be inserted between the command and the question mark in order to use command-syntax help.
In IOS, help plays a more integral role than help systems in normal PC or business application software packages. Those help systems, also context-sensitive, are essentially online manuals that try to help you learn a whole subsection of the application. IOS help is terse: It just wants to get you through the next command line. That's refreshing. Most help systems nowadays seem to assume that you're anxious to spend hours reading all about an entire subsystem when, in fact, you just want to know what to do next.
Don't be confused by the show command's name. show displays running system information. It is not an all-purpose command to "show" help information; the ? command does that. The show command is used to examine router status.
There's more to operating IOS commands than simply "walking rightward" through the root command's subcommand tree. To run IOS, you must learn how to combine different commands-not just modify a single command-in order to form the command lines it takes to do the heavy lifting that network administration requires. But IOS isn't rocket science, as the following example sequence demonstrates:
MyRouter#config
Configuring from terminal, memory, or network [terminal]?
In the preceding prompt, we're entering config mode, and IOS wants to know whether the configuration will be delivered through a network download, copied from the startup configuration stored in the router's NVRAM, or typed from the terminal. We just as easily could have bypassed the prompt by putting both words on one command line:
MyRouter#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
MyRouter(config)#
Don't let this throw you: we're not configuring a terminal, as IOS's phrasing seems to imply. In IOS command shorthand, config terminal means we're "configuring from a terminal." The next step is to "point" at the thing to be configured. We'll configure an interface:
MyRouter(config)#interface
% Incomplete command.
Instead of asking, "What interface would you like to configure?" IOS cruelly barks back that our command is no good. This is where some user know-how is required:
MyRouter(config)#interface fastethernet 0
MyRouter(config-if)#
IOS wanted to know what physical interface module was to be configured. Told that port number 0 of the Fast Ethernet interface module was the one to be configured, the IOS prompt changes to MyRouter(config-if)#, where the "if" is shorthand for "interface." (Configuration modes will be covered later in this chapter.)
Always keep track of the device you're pointing at when configuring. The IOS config prompt is generic and doesn't tell you at which network interface the (config-if)# prompt is pointed. IOS does not insert the interface's name into the prompt, so applying a change to the wrong interface because you lost track of where you were pointed is a classic mistake.
Once pointed at the network interface to be configured, from there, router configuration is simply a matter of supplying IOS the configuration parameters for that interface, which we'll cover in a few pages.
An understanding of how IOS syntax works, combined with the help system, is enough for anyone to begin entering correct command lines-with some time and hard work, of course.
Sooner or later, you'll encounter IOS command lines filled with seemingly cryptic symbols. Don't be intimidated by them; they are only commands that expert users have truncated (cut off at the end) to speed up the process of typing commands, and maybe to impress people a bit. IOS is like DOS and most other command interpreters in that it will accept truncated commands. But if the truncated command is not a string of letters unique within the command set, it will generate an error message. For example, if you type the first two letters of a command that other commands also start with, you'll get an error message such as the following:
Router#te
% Ambiguous command:  "te"
This error is displayed because IOS has three commands beginning with the letter string te: telnet, terminal, and test. If the intent was to Telnet somewhere, one more character, tel, will do the job.
If you run across a truncated command you don't understand, simply look it up by using word help in the online help system. Type the truncated command followed immediately by a question mark. Unlike command-syntax help, when using word help, no space should precede the ? command.
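To make the abbreviation and help rules concrete, here is a small Python model of them, added to this edition and not part of IOS or any Cisco code. It uses a constructed command tree covering a few of the User EXEC and Privileged EXEC commands named on this page (an assumption; the real command set is far larger), a resolver that expands unique prefixes, reports ambiguous ones, and treats an unknown first word the way IOS does (as a host name, as in Figure 4-3), and a help function that distinguishes word help (sh?) from command-syntax help (show ?). Interface numbers are not modelled, and the error strings are the IOS messages quoted on this page plus IOS's standard "Invalid input" and "Unknown command or computer name" messages.

```python
"""IOS-style command resolution, modelled in Python (added example, not Cisco code).

Rules modelled: an exact keyword match wins, then a unique prefix; a prefix shared by
several keywords is ambiguous; an unknown first word is treated as a host name; a line that
stops at a keyword which still needs more keywords is incomplete. "<cr>" in a node means
the command may end there.
"""

# Constructed command tree (assumption): a small subset of the commands listed on this page.
# Each key is a keyword; its value is the dictionary of keywords that may follow it.
USER_EXEC = {
    "connect": {}, "disable": {}, "enable": {}, "exit": {}, "help": {},
    "login": {}, "logout": {}, "ping": {},
    "show": {
        "clock": {}, "history": {}, "hosts": {},
        "ip": {"access-lists": {"<cr>": {}},
               "arp": {"<cr>": {}, "serial": {}}},   # interface numbers not modelled
    },
    "telnet": {}, "terminal": {}, "test": {},
}
# Privileged EXEC is a superset: the destructive commands live only here.
PRIVILEGED_EXEC = {
    **USER_EXEC,
    "configure": {"<cr>": {}, "terminal": {}, "memory": {}, "network": {}},
    "debug": {}, "erase": {}, "setup": {},
}
MODES = {"user": USER_EXEC, "privileged": PRIVILEGED_EXEC}


def match_keyword(word, choices):
    """Return the keyword that `word` abbreviates: exact match first, then a unique prefix."""
    if word in choices:
        return word
    hits = sorted(k for k in choices if k.startswith(word) and k != "<cr>")
    if len(hits) == 1:
        return hits[0]
    raise ValueError("ambiguous" if hits else "invalid")


def resolve(line, mode="user"):
    """Expand an abbreviated command line as IOS would, or return the IOS-style error text."""
    node = MODES[mode]
    expanded = []
    for depth, word in enumerate(line.split()):
        try:
            keyword = match_keyword(word, node)
        except ValueError as err:
            if err.args[0] == "ambiguous":
                return f'% Ambiguous command:  "{line}"'
            if depth == 0:
                # IOS does not reject an unknown first word: it assumes a host name, tries a
                # DNS lookup (to the broadcast address if no name server is set), then Telnet.
                return (f'Translating "{word}"...domain server (255.255.255.255)\n'
                        "% Unknown command or computer name, or unable to find computer address")
            return "% Invalid input detected at '^' marker."
        expanded.append(keyword)
        node = node[keyword]
    if node and "<cr>" not in node:   # more keywords are required below this point
        return "% Incomplete command."
    return " ".join(expanded)


def help_at(line, mode="user"):
    """Answer a '?' request: 'sh?' (no space) is word help, 'show ?' (space) is syntax help."""
    if not line.endswith("?"):
        raise ValueError("help requests end with '?'")
    body = line[:-1]
    syntax_help = body == "" or body.endswith(" ")
    words = body.split()
    partial = "" if syntax_help else words.pop()
    node = MODES[mode]
    for word in words:                 # walk the keywords that are already complete
        node = node[match_keyword(word, node)]
    if syntax_help:
        return sorted(node) if node else ["<cr>"]
    return sorted(k for k in node if k.startswith(partial) and k != "<cr>")


if __name__ == "__main__":
    for cmd in ("te", "tel", "sh ip ar", "conf t", "show", "xyz"):
        print(f"{cmd!r:12} -> {resolve(cmd, 'privileged')}")
    for q in ("sh?", "show ?", "show ip arp ?"):
        print(f"{q!r:12} -> {help_at(q)}")
```

Note that the same line resolves differently depending on mode: conf t expands to configure terminal in Privileged EXEC, but in User EXEC, where configure does not exist, the word conf is unknown at the root and is treated as a host name, exactly the Figure 4-3 behavior.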
IOS keeps a running record of recently entered commands. Being able to recall commands is useful for:
Avoiding having to type commands that are entered repeatedly
Avoiding having to remember long, complicated command lines
The history utility will record anything you enter, even bad commands. The buffer holds ten lines by default; terminal history size changes that for the current session. Here's an example:
Router#show history
  test
  tel
  exit
  enable
Commands are listed in the order in which they were entered, oldest first and most recent at the bottom. They are not listed in alphabetical order.
Arrow keys can also be used to display prior commands. Using arrow keys saves having to enter the show history command, but only shows prior commands one at a time. Press the Up Arrow (or Ctrl-P) to step back through the commands, most recent first. Once you have stepped back, press the Down Arrow (or Ctrl-N) to move forward again toward the more recently entered commands.
Cisco routers can be in any one of seven possible operating modes, as illustrated in Figure 4-5. Three of them are startup modes. In the other four, network administrators are in either User EXEC mode or Privileged EXEC (enable) mode. Once inside Privileged EXEC, configuration changes can be made either to the entire device or to a specific network interface.
Figure 4-5: Seven operating modes are made possible by Cisco routers
You must keep track of what router mode you are in at all times. Many IOS commands will execute only from a specific mode. As can be seen in Figure 4-5, router modes get more specific, and more powerful, as the user traverses toward the center of IOS. It pays to keep an eye on IOS prompts, because they'll always tell you which mode you're in.
Cisco router operating modes exist to perform three general tasks:
Boot a system
Define what commands can be used
Specify which part(s) of the router will be affected by changes made to the config file
Table 4-1 outlines the various IOS modes and what they are used for. As you become more familiar with Cisco internetworking in general, and the IOS software in particular, you will see that most of the action takes place inside the various configuration modes.
Setup mode is used to make a basic working configuration file.
RXBoot mode boots the router into a rudimentary state when a working IOS image can't be found in flash memory.
ROM monitor mode is used by the router if the IOS image can't be found or if the normal boot sequence was interrupted.
User EXEC mode is the first "room" one enters after login; it restricts users to examining router status.
Privileged EXEC mode is entered with the enable command and the enable password; it allows users to change the config file, erase memory, and so on. Set that password with enable secret, which stores only a hash, rather than enable password, which stores it in a reversible form: anyone who reaches this mode owns the router.
Global config mode changes parameters for all interfaces.
Config-command mode "targets" changes at specific interfaces.
Configuration modes differ from user modes by nature. The two EXEC modes define what level of IOS commands you may use. By contrast, configuration modes are used to target specific network interfaces-physical or virtual-to which a configuration change applies. For example, you would go into configure interface mode-identified by the (config-if)# prompt-in order to configure a specific Ethernet interface module. There are dozens of configuration modes in all, each targeting different parts of the configuration file. Table 4-2 lists eight of the most common configuration modes.
[Table 4-2: Common configuration modes and the router port each targets. Only the column heading "Router Port Targeted" and two entries reading "Entire config file" are reproduced here.]
A look at Table 4-2 tells you that configuration mode is all about instructing IOS on what to do with packets flowing through the device. Some modes apply to packets flowing through specific connection points, such as interfaces, lines, and ports. The other IOS configuration modes deal with routing protocols and tables needed to handle that flow.
There are two config files on every router: the running-config file and the startup-config file. As their names imply, the basic difference is that the running-config file is "live": it is held in RAM, and any change made to it takes effect immediately but is lost if the router reloads before it is saved. The startup-config file is stored in the router's NVRAM, where the IOS bootstrap program fetches the router's configuration parameters when the router starts up.
After changing router-specific parameters, the copy command is used to save and distribute config file changes: copy running-config startup-config saves your work to NVRAM, and copy running-config tftp sends it to a TFTP server. As can be seen at the bottom of Figure 4-6, a master config file can be distributed to other routers through a TFTP server. Bear in mind that TFTP has no authentication or encryption, and that config files contain passwords and SNMP community strings, so the TFTP server belongs on a protected management network.
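The diff-and-replace idea behind Configuration Rollback/Replace (listed earlier among the 12.4 management features) and the running-config versus startup-config distinction can both be seen in a small Python example, added here and not Cisco's own implementation. It parses two constructed IOS-style configs into global commands and indented sections, produces the command list that would turn the running config back into the archived one, and flags the management-plane settings a reviewer should catch before saving. The configs, host name, addresses (documentation ranges) and the placeholder enable-secret hash are all constructed for the example; resetting a physical interface with default interface is a simplification of what the real feature does.

```python
"""Config rollback delta and a management-plane check for IOS-style configs.

Added example, not Cisco's configure replace implementation. Both configs below are
constructed: 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges and the
enable-secret hash is a placeholder, not a real MD5 hash.
"""

SECRET = "enable secret 5 $1$XMPL$constructedPlaceholderHash"

ARCHIVED = f"""\
hostname MyRouter
{SECRET}
no ip domain-lookup
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
line vty 0 4
 transport input ssh
 login local
"""

RUNNING = """\
hostname MyRouter
enable password cisco123
ip http server
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface FastEthernet1
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
 login local
"""


def parse(text):
    """Split a config into global commands (in order) and {section header: [indented cmds]}.

    An unindented line is a global command; when indented lines follow it, it is also the
    header of a section (interface ..., line vty ...) and those lines belong to it.
    """
    global_cmds, sections = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        else:
            current = line.strip()
            global_cmds.append(current)
    return global_cmds, sections


def negate(cmd):
    """Undo a command the IOS way: prefix 'no ', or strip it if already present."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd


def rollback_commands(running, target):
    """Commands that turn `running` into `target`: the list configure replace computes."""
    run_g, run_s = parse(running)
    tgt_g, tgt_s = parse(target)
    headers = set(run_s) | set(tgt_s)
    out = []
    # Plain global commands: remove what the target lacks, add what only the target has.
    out += [negate(c) for c in run_g if c not in headers and c not in tgt_g]
    out += [c for c in tgt_g if c not in headers and c not in run_g]
    # Sections only in running: a physical interface cannot be deleted, only reset.
    for hdr in run_g:
        if hdr in headers and hdr not in tgt_g:
            out.append(("default " if hdr.startswith("interface ") else "no ") + hdr)
    # Sections in the target: reconcile their indented commands.
    for hdr in tgt_g:
        if hdr not in headers:
            continue
        have, want = run_s.get(hdr, []), tgt_s.get(hdr, [])
        changes = [negate(c) for c in have if c not in want] + [c for c in want if c not in have]
        if changes:
            out.append(hdr)
            out.extend(" " + c for c in changes)
    return out


def weak_settings(text):
    """Flag management-plane settings a review of a config should catch before saving it."""
    global_cmds, sections = parse(text)
    findings = []
    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            findings.append((cmd, "reversible enable password; use enable secret"))
        if cmd == "ip http server":
            findings.append((cmd, "clear-text HTTP management; use ip http secure-server or disable"))
    for hdr, cmds in sections.items():
        for cmd in cmds:
            words = cmd.split()
            if words[:2] == ["transport", "input"] and ({"telnet", "all"} & set(words)):
                findings.append((f"{hdr}: {cmd}", "clear-text Telnet accepted; use transport input ssh"))
    if "no ip domain-lookup" not in global_cmds and not any(c.startswith("ip name-server") for c in global_cmds):
        findings.append(("ip domain-lookup (default on)", "mistyped commands become broadcast DNS lookups and Telnet attempts"))
    return findings


if __name__ == "__main__":
    for finding in weak_settings(RUNNING):
        print("WEAK:", *finding)
    print("\n".join(rollback_commands(RUNNING, ARCHIVED)))
```

Run against the constructed pair, the delta negates the reversible enable password and the HTTP server, restores the hashed secret and no ip domain-lookup, resets the interface that the archived config never had, and tightens the vty lines back to SSH only; the same parser drives the weak-settings check, which is what you would run on a running-config before copying it to startup-config.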
Figure 4-6: Running-config files and startup-config files are used in different ways