Console Access
By now we are all familiar with networking devices like routers and switches. Networks basically deal with routing data, in which routers play a major role. Likewise, a switch aids communication between different network devices.
Note :
Do you know that accessing the console of a router and a switch are similar?
How do we access or configure a router?
Every router has a console port on its back side. This port is used to connect a computer to the router in order to manage it, since a router doesn’t have a display device of its own.
Image 1: Back side of a Cisco router where the console port is highlighted in red.
This console access is needed initially to install the routers since they do not have any network connection. A roll-over cable known as RJ45 is used to connect a computer terminal to the router’s console port.
Image 2: RJ45 roll-over cable.
The image below shows the physical connection between the computer terminal and the router’s console port using the cable.
Image 3: Number 3 in the above image shows the connection between console port of the router and the computer.
To understand this connection in practice, let us use Cisco Packet Tracer to establish the console connection.
- Open the Cisco Packet Tracer application.
- Select a router from the available devices.
- Select a PC from the end devices.
- Using the “console” cable from the connections, connect the console port of the router to the RS232 port of the end device.
- Now click on the end device. Navigate to the “Desktop” bar in the pop up.
- Open the Terminal of the desktop and click OK.
- We get the console access of the router using our end device.
Image 4: Console connection using CPT.
Image 5: pop up of the end device where “Desktop” bar should be selected.
Image 6: Terminal under Desktop bar.
Image 7: Terminal of the desktop showing the CLI of the router.
Now we have established a physical connection between the computer and the router. Let's see the different modes available for the user to interact with the router and manage it.
User mode
Using the console access of the router, log in to the router. As soon as the router is up, press Enter. We get the user mode prompt, which is represented as “Router>”.
At the Router> prompt, type a question mark (?). This will list all the User mode commands. Feel free to play with all the available commands. You are in a safe zone. Nothing will be damaged.
Note :
Press the Enter key to view the commands line by line.
Press the SPACEBAR to view the commands a full screen at a time.
Image 8: User mode of router.
Privileged mode
Enter the privileged mode using the command “enable” or “en”. The prompt changes to “Router#”. In this mode we can view and change the configuration of the router. This mode is generally used for troubleshooting purposes.
At the Router# prompt, type a question mark (?). This will list all available commands in the privileged mode. Use these commands with caution.
Image 9: Privileged mode of router.
Global Configuration mode
To enter the global configuration mode, enter the command “configure terminal” or “conf t”. The prompt changes to “Router(config)#”. This mode is used to change the running configuration of the router.
At the Router(config)# prompt, type another question mark (?). This will list all commands available in global configuration mode. Use these commands with caution.
Image 10: Global configuration mode of router.
How do we exit from the modes?
Press the CONTROL key and the letter Z at the same time. Notice how it takes you out of Configuration mode and brings you back to Privileged mode. You can also use the "end" keyword to come back to the privileged mode.
Type disable. This will put you back where you began: the User mode.
Type exit, which will log you out of the unit.
Image 11: Exit from modes.
Security for CLI access from console
The console port is the most important port on the device because password recovery on the router can only be done using the console port.
Cisco routers are vulnerable to anyone who has physical access to them. However, we can secure the console port by prompting anyone who tries to use it for a password. The commands below help protect the console port of the router.
Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password networkgeek
Router(config-line)#login
Router(config-line)#end
Router#show running-config
We enter the console line configuration using the command "line console 0". Once in this line configuration mode, the "password password" command sets the password that secures the console. By default this password is not encrypted. The "login" command tells the router to ask for the password when someone tries to access the router through the console port. On running the "show running-config" command, we can see that the password is displayed as clear text.
Note :
The console port is always 0 because there is only one console port on every Cisco device and Cisco starts its numbering of the ports with 0.
Image 12: Login to console using password.
Image 13: Password is not encrypted by default.
Let's say there are two or more administrators who need to access the router. In that case, having a common console password is not a best practice, so it's better to have username-based access to the device. Below is the procedure to configure it.
Router>enable
Router#configure terminal
Router(config)#username abc secret network
Router(config)#username efg secret geek
Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#end
Router#show running-config
The "username name secret password" command should be used in the global configuration mode. To enable per-user password checking at login, the "login local" command is used in the line configuration mode. The "show running-config" command displays the configured usernames, and we can see that the password is encrypted. The keyword "secret" in the above command uses the MD5 hashing function to encrypt the password, which is a very secure method of protection.
Note :
The username and password are case-sensitive. Users attempting to log in with an incorrectly cased username or password will be rejected.
Image 14: Login to console using username and password.
Image 15: Show run command displays the password in encrypted format and not as clear text.
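As an added example (not part of the original article), the Python audit below checks a saved running-config for the two points made above: a console line password stored in clear text, and a shared line password versus per-user "login local". The sample configuration, the placeholder hash and the function name audit_console are constructed for illustration.

```python
import re

# Constructed sample in the shape "show running-config" prints; the hash is a
# placeholder and the second user is deliberately weakened for the demo.
SAMPLE_CONFIG = """\
hostname Router
username abc secret 5 $1$SALT$PLACEHOLDERHASH
username efg password 0 geek
line con 0
 password networkgeek
 login
line vty 0 4
 login
end
"""

USER_RE = re.compile(r"^username (\S+) (secret|password) (?:(\d) )?\S+")
PASS_RE = re.compile(r"^password (?:(\d) )?\S+")

def audit_console(config):
    """Return findings about console-line and local-user credential storage."""
    findings, in_console, login = [], False, None
    for raw in config.splitlines():
        if not raw.startswith(" "):               # top-level line: new section
            in_console = raw.startswith("line con")
            m = USER_RE.match(raw)
            if m and m.group(2) == "password":
                findings.append(f"user {m.group(1)}: 'password' keyword, not hashed (use 'secret')")
            continue
        if not in_console:                        # only the console line is audited
            continue
        cmd = raw.strip()
        m = PASS_RE.match(cmd)
        if m:
            kind = "reversible type 7" if m.group(1) == "7" else "clear text"
            findings.append(f"console: line password stored as {kind}")
        elif cmd in ("login", "login local"):
            login = cmd
    if login is None:
        findings.append("console: no 'login' or 'login local', no password prompt")
    elif login == "login":
        findings.append("console: shared line password, not per-user 'login local'")
    return findings

if __name__ == "__main__":
    for finding in audit_console(SAMPLE_CONFIG):
        print(finding)
```

A configuration that uses only "username ... secret" entries with "login local" on the console line, as in the second procedure above, produces no findings.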
The advantage of using the "secret" keyword is discussed in the article below.
Router security
Now we have established a physical connection between the computer and the router and accessed its command line interface (CLI) using the console port. We also saw how passwords can be configured to secure the console port. What if the administrator wants to access the router or the switch from a remote location?
Let's learn about Remote Access !!!