On to the CLI config of the ISRs. For this portion we are simply going to get the basic configuration done so we can SSH into the routers.
Connect a console cable (or USB cable) to the device and open up your favorite terminal emulator, then boot the router. Eventually you should get a set up prompt. If you don’t and you get a Router> prompt type these two commands:
enable
setup
The setup wizard is pretty straightforward. Follow the prompts and enter the information needed. Note that GigabitEthernet0 is the management interface.
ISR setup |
When you are done with the IP addressing it will ask if you want to run the auto secure wizard. I recommend running that, as it disables some unneeded services, and applies more secure policies. When prompted for SSH, make sure you enable that.
Unfortunately, the setup process does not create a SSL certificate for SSH. To create the certificate use this command from a config prompt (enable, conf t):
cyrpto key generate rsa
Then it will prompt for a bit size. I used 1024 in this example.
RSA key generation |
After generating the key make sure to save the config. From the config prompt, it’s quickest to just type this command:
do wr
Otherwise ‘do write mem’ or ‘do copy run start’ would work. You could also exit the config session and do ‘wr’ or any other variant at the enable prompt.
The other thing that you may need to do is enable routing on the management VRF if you will be connecting from a different network. From a config prompt use this command:
ip route 0.0.0.0 0.0.0.0 Gateway IP
This will route all traffic to the default gateway that you specify. Again, save the changes, then test the SSH connection to the management IP.
The next step will be getting the licenses installed. The first thing we will need is the UDI. From an enable prompt run this command:
show license udi
Make a note of the PID and SN. They will be needed to get the license registered. Now go to the Cisco licensing portal (https://tools.cisco.com/SWIFT/LicensingUI/Quickstart) and select the PAK you want to use, then Get New License. Follow the prompts, making sure to set the quantity, enter the PID and SN, then accept the agreement. This will allow you to download the license file.
Before we can continue, we need a way to move the license file. My personal favorite is the SolarWinds free TFTP server that can be found here: http://www.solarwinds.com/products/freetools/free_tftp_server.aspx
As a side note, if you’re not familiar with Thwack, the SolarWinds user community you should check it out. There’s a lot of good information about both SolarWinds products, but also some general IT info. Plus they have some pretty awesome contests. Check it out: https://thwack.solarwinds.com
Place the downloaded license file (should be a .lic file, so you may need to unzip) into the TFTP root folder and start the TFTP server. Then run the following from an enable prompt:
license install tftp://IP of the TFTP server/license file name.lic
You will of course need to enter the IP of your TFTP server, and the license file name including extension. The process should be pretty quick, and you will get a result that looks like this:
ISR license install |
Repeat that process for all licenses needed.
The last step of the base setup of the device will be to get the firmware to the right level. I decided to match my ISRs and CSRs on 3.16. First, you’ll need to find the current firmware version. You can do that with this command:
show ver
The version should be listed at or near the top of the result. You will also want to make a note of the System image file name and path. If you are going to upgrade the firmware then you will need to download if from Cisco if you haven’t already. When you have the firmware you want you will need to place the .bin file in your TFTP root folder. Then you copy the file to the bootflash directory on the router using this command:
copy tftp://IP of the TFTP server/firmware file name.bin bootflash:
Again, set the IP of your TFTP server, and the firmware file name of the firmware downloaded. It will prompt to confirm the file name, and you can just accept the default, which keeps the same name. The copy process will take a while to complete. When it completes we will verify the file integrity by running this command from and enable prompt:
verify bootflash:firmware file name.bin
This will also take some time to complete. Now we want to check if there is an existing setting for the firmware boot. Run this command from an enable prompt:
show run | in boot system
If nothing is displayed then you are good to move on, but if something is displayed you’ll need to note it and then we will clear it out by running this at a config prompt:
no boot system firmware file location:firmware file name.bin
You could also simply copy the output from the show command, then from a config prompt type “no ” and then paste the command.
The next step is to set the system to boot from that image by issuing this command from a config prompt:
boot system bootflash:firmware file name.bin
Now it’s just a matter of saving the config and reloading the router.
When the router is done booting you can verify the new firmware by logging and running ‘show ver’ again. Verify that the firmware is now the desired version.
Lastly, if you want to clean up the router you can delete the old image file. From an enable prompt type this command:
delete old firmware file location:old firmware file name.bin
You should have the file name and location from the output of the ‘show ver’ command that was done to find the firmware version initially.
Now, one very important note- If this is being done in a lab, and private IP addresses are being used there could be an issue caused by the auto secure script. During the auto secure script it asks if an interface is internet facing. For interfaces that are listed as internet facing it configures the interface to drop packets from private IPs. Since I’m using private IPs to create a virtual internet the auto secure script caused major problems since it effectively dropped all traffic. To check if this could be a problem run this:
show run interface gi0/0/X
In the command replace “X” with the interface that might be internet facing. If this line is present int the config “ip verify unicast source reachable-via rx” then it will cause issues. To remove that command go to a config prompt, then the interface in question, and run this command:
no ip verify unicast source reachable-via rx
The Cisco guide for the ISR initial config can be found here: http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr/initconfig.html#45656
Firmware update guide: https://supportforums.cisco.com/document/98421/how-upgrade-or-downgrade-ios-isr-or-similar-router