tail -f /dev/null

If you haven't had any obstacles lately, you're not challenging. be the worst.

Configuring a Cisco 892J router over a console connection from a Mac

Connect to a Cisco router and configure the device. Cisco routers and switches run IOS; the PC attaches to the console port and the configuration is done by operating IOS over that connection.

Environment

  • Router
    • Cisco 892J
  • Console (rollover) cable
    • Genuine Cisco
    • RS-232C interface
  • USB serial adapter cable
    • Used because the PC has no RS-232C serial port
    • ainex ADV-119
      • USB 2.0/1.1 compliant
      • Peripheral side: D-Sub 9-pin male
      • PC side: USB 2.0 Standard-A male
      • Supported OS: Windows Vista/7/8/8.1 (32/64-bit)
    • If you are on a Mac, something like the UGREEN USB serial adapter cable (RS232, USB, 9-pin) may be a better choice.

Procedure

Console connection

  • To configure a Cisco router or Catalyst switch, connect it to the PC with a console (rollover) cable and work through a terminal program (iTerm, Tera Term, etc.).
  • Once an IP address has been assigned to the router over the console connection, the router can be reached remotely via that IP address.
PC[USB] -> [USB]USB serial adapter cable [RS-232C] -> [RS-232C]Console (rollover) cable -> [Console port]Cisco router, Catalyst switch
  • After connecting the cables as above, power on the router.
  • From the PC's terminal, identify the serial interface the adapter appears as.
$ ls -l /dev/tty.*
crw-rw-rw-  1 root  wheel   18,   0 May  4 19:36 /dev/tty.Bluetooth-Incoming-Port
crw-rw-rw-  1 root  wheel   18,   2 May  8 14:30 /dev/tty.usbserial-1420

# connect router
$ screen /dev/tty.usbserial-1420
  • usbserial-1420 is the interface.
  • The initial boot log looked like this.
Press RETLine protocol on Interface Vlan1, changed state to down
*May  8 04:56:17.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8, changed state to down
*May  8 04:56:17.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*May  8 04:56:18.815: %LINK-3-UPDOWN: Interface FastEthernet8, changed state to down
*May  8 04:56:18.815: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*May  8 06:25:49.211: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
*May  8 06:25:51.159: %LINK-5-CHANGED: Interface FastEthernet8, changed state to administratively down
*May  8 06:25:51.159: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
*May  8 06:25:56.215: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sun 27-Mar-11 12:57 by prod_rel_team
*May  8 06:25:56.215: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*May  8 06:25:56.235: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  8 06:25:56.235: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*May  8 06:25:58.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*May  8 06:25:58.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
*May  8 06:25:58.923: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
*May  8 06:25:58.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
*May  8 06:25:58.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4, changed state to down
*May  8 06:25:58.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
*May  8 06:25:58.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet6, changed state to down
*May  8 06:25:58.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet7, changed state to down
Router> # user exec mode.

Setting the hostname

# Promote to privileged mode (> to #).
Router>enable

# Change to setting mode.
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#

# Set hostname.
Router(config)#hostname rt-cisco-892-001
rt-cisco-892-001(config)#

# end returns to privileged exec mode.
# exit returns to the previous level.
rt-cisco-892-001(config)#end

# Check configurations (hostname).
rt-cisco-892-001#show running-config
Building configuration...

Current configuration : 1181 bytes
!
! Last configuration change at 17:11:19 UTC Fri May 8 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt-cisco-892-001
!
boot-start-marker
boot config flash:892config.txt
boot-end-marker
!
no aaa new-model
!
crypto pki token default removal timeout 0
!

Assigning an IP address to a router interface

  • To communicate from the PC to the router over IP, assign an IP address to a router interface.
  • GigabitEthernet0 is set to IP address 192.168.10.1 with subnet mask 255.255.255.0.
  • First check the link status of GigabitEthernet0 (whether the interface is usable).

The output shows Status: administratively down, Protocol: down. The interface cannot be used in this state, so it needs to be configured.

# Check interface link status.
rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BRI0                       unassigned      YES unset  administratively down down
BRI0:1                     unassigned      YES unset  administratively down down
BRI0:2                     unassigned      YES unset  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              unassigned      YES unset  down                  down
FastEthernet5              unassigned      YES unset  down                  down
FastEthernet6              unassigned      YES unset  down                  down
FastEthernet7              unassigned      YES unset  down                  down
FastEthernet8              unassigned      YES unset  administratively down down
GigabitEthernet0           unassigned      YES unset  administratively down down # down status.
Vlan1                      unassigned      YES unset  down                  down

rt-cisco-892-001#show running-config interface gigabitEthernet0
Building configuration...

Current configuration : 84 bytes
!
interface GigabitEthernet0
 no ip address
 shutdown # port closed.
 duplex auto
 speed auto
end

rt-cisco-892-001>enable
rt-cisco-892-001#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

# Set interface configuration mode.
rt-cisco-892-001(config)#interface gigabitethernet0

# Set IP Address.
rt-cisco-892-001(config-if)#ip address 192.168.10.1 255.255.255.0
rt-cisco-892-001(config-if)#no shutdown
rt-cisco-892-001(config-if)#end
rt-cisco-892-001#
*May  8 18:26:49.192: %SYS-5-CONFIG_I: Configured from console by console
*May  8 18:26:49.452: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*May  8 18:26:50.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*May  8 18:26:51.784: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*May  8 18:26:52.784: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down

# After `no shutdown`, the status changed from `administratively down down` to `down down`.
# Note: once a LAN cable is connected the interface will show `up`.
rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.10.1    YES manual down                  down
Vlan1                      unassigned      YES unset  down                  down

# Check GigabitEthernet0 interface settings.
rt-cisco-892-001#show running-config interface gigabitethernet0
Building configuration...
Current configuration : 98 bytes
!
interface GigabitEthernet0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
end
IP interface status description

Status/Protocol             Meaning
administratively down/down  The interface is closed (shutdown is configured).
down/down                   The interface is open but the link is down; no cable is connected between the two devices.
up/up                       The interface is open and a cable is connected.

Connecting the LAN cable and checking connectivity

Connect the GigabitEthernet0 port (labelled WAN GE0) to the PC with a LAN cable.

rt-cisco-892-001#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.10.1    YES manual up                    up

up up shows that the link is up.

Configure the IP address on the PC side (Debian in this case).

$ sudo vi /etc/NetworkManager/NetworkManager.conf # `managed=false` to `true`

Under Settings > Network > Wired > IPv4, configure the following.

  • IPv4 Method: Manual
  • Addresses
    • Address: 192.168.10.100
    • Netmask: 255.255.255.0
    • Gateway: 192.168.10.1
$ sudo service network-manager restart

Ping the PC from the router and confirm that it succeeds.

rt-cisco-892-001#ping 192.168.10.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Telnet configuration

  • Telnet uses VTY (Virtual Teletype) lines: not the physical LAN ports visible on the Cisco router, but virtual ports configured in IOS.
  • Here VTY lines 0 to 4 are configured (so that 5 sessions are possible).

First check the default settings.

rt-cisco-892-001#show running-config
line vty 0 4
 login # a line password must be set before telnet login is possible.
 transport input all

Configure telnet, then confirm with show running-config that the settings have been applied.

rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#line vty 0 4 # enter line configuration mode.
rt-cisco-892-001(config-line)#password <password>
rt-cisco-892-001(config-line)#transport input telnet
rt-cisco-892-001(config-line)#end

# Confirm the settings are reflected.
rt-cisco-892-001#show running-config
line vty 0 4
 password <password>
 login
 transport input telnet

Check that telnet from the PC works.

$ telnet 192.168.10.1
Connected to 192.168.10.1.
User Access Verification
Password: # Enter the previously set password.

On the router reached over telnet, trying to enter privileged mode fails because no enable password is set.

rt-cisco-892-001>enable
% No password set
rt-cisco-892-001>

In that case the router logs the following.

*May 10 12:46:17.865: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by vty0 (192.168.10.100)

Enable the password on the router and confirm with show running-config that the setting is applied. Also confirm from the PC that privileged mode can now be entered.

rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#enable password <password>
rt-cisco-892-001(config)#end

SSH configuration

  • SSH uses VTY (Virtual Teletype) lines, the virtual ports configured in IOS on the Cisco router.
  • To connect to a Cisco router over ssh, configure either password authentication or public-key authentication.
    • The Cisco IOS image must be a k9 (crypto) image for ssh to be supported.
    • Be careful not to lock yourself out by mishandling the aaa new-model command.
  • Cisco routers implement both ssh server and ssh client functionality, but the following must be configured before use.
    • Set the hostname and domain name
    • Generate the key pair used for ssh
      • Generating it enables ssh automatically
    • Create an ssh login user
    • Since telnet is not secure, configure the lines to allow ssh only.

Check the default settings.

# Before ssh setting
Router>show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.

Router>show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE

SSH password authentication settings

  • Password authentication is configured here.
  • When logging in to a VTY (Virtual Teletype) line over ssh, change the configuration so that the ssh username and password are used instead of the password set on the VTY line.
# Set ssh user name and password.
rt-cisco-892-001>enable
Password:
rt-cisco-892-001#configure terminal
rt-cisco-892-001(config)#username <ssh username> password <ssh password>

# Set local authentication for line VTY.
# Applies to the 5 VTY lines (0-4).
rt-cisco-892-001(config)#line vty 0 4
rt-cisco-892-001(config-line)#login local

# Set domain name
rt-cisco-892-001(config)#ip domain-name rtp.halu.dev

# Generate the RSA key pair for ssh (a 2048-bit modulus is chosen at the prompt).
rt-cisco-892-001(config)#crypto key generate rsa
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 13 seconds)

Allow ssh connections only

Since telnet is not secure, restrict the VTY lines to ssh only.

rt-cisco-892-001#show running-config
line vty 0 4
 password <password>
 login local
 transport input telnet

rt-cisco-892-001(config)#line vty 0 4
rt-cisco-892-001(config-line)#transport input ssh
rt-cisco-892-001(config-line)#end
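As an added example (not from this post or from Cisco), a small Python audit over constructed running-config excerpts that mirror the telnet and ssh states shown in the two sections above; it flags the remote-access settings those sections touch (VTY transport, enable password, cleartext line passwords, RSA modulus size). The `<...>` placeholders and both excerpts are constructed, not captured from the router.

```python
import re
# Constructed sample: VTY/enable state right after the post's telnet section.
TELNET_CFG = """\
no service password-encryption
enable password <password>
line vty 0 4
 password <password>
 login
 transport input telnet
"""
# Constructed sample: the state after the post's ssh section (ssh-only VTY).
SSH_CFG = """\
no service password-encryption
enable password <password>
username <ssh username> password <ssh password>
line vty 0 4
 password <password>
 login local
 transport input ssh
"""

def vty_transports(config):
    """Map each `line vty` block to the values of its `transport input` lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            if raw.strip().startswith("transport input "):
                blocks[current].append(raw.strip().split(None, 2)[2])
        else:
            current = None  # indentation ended, so the line block is over
    return blocks

def audit(config, rsa_bits):
    """Findings for the settings the post touches; rsa_bits is the RSA modulus chosen."""
    findings = []
    for name, transports in vty_transports(config).items():
        if transports != ["ssh"]:
            findings.append(f"{name}: transport input is {' '.join(transports) or 'all (default)'}, not ssh-only")
    if re.search(r"^enable password ", config, re.M) and not re.search(r"^enable secret ", config, re.M):
        findings.append("enable password is reversible; prefer enable secret")
    if re.search(r"^username .+ password ", config, re.M):
        findings.append("username ... password is reversible; prefer username ... secret")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("line/vty passwords are stored in cleartext in the config")
    if rsa_bits < 2048:
        findings.append(f"RSA modulus of {rsa_bits} bits is below 2048")
    return findings
```

Run against the ssh-state excerpt the telnet finding disappears, but the enable password and cleartext line-password findings remain, which is what `show running-config` on the router above still shows.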

Saving the configuration

Save the settings made above.

rt-cisco-892-001#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
