Cisco 2921 basic configuration

[Figure: Cisco ISR 1921 with two extra modules]
[Figure: Cisco ISR 2921 with three extra modules]

In 2019 I bought two legacy Cisco routers, a 1921 and a 2921, and equipped them with a variety of additional modules. These routers are discontinued and Cisco is no longer updating their firmware. These models are no longer competitive for an ISP or a data-intensive corporation, but are still favorites for hands-on learning of the basics of Cisco router configuration. My purpose was twofold: after taking a course on Cisco router configuration in 2004 as part of two Learning Tree International network certifications, I never had a chance to refresh my knowledge of Cisco routers. In addition, these routers, today worth no more than 100 € apiece (without modules) on the second-hand market, when used on a not-so-fast Internet connection (e.g. a 4G mobile subscription) can still perform better and be more versatile than current home routers costing 2-3 times more.

Although numerous home and small-business routers produced up to 2018 are branded Cisco, they are actually designed by their subsidiary company Linksys. The current discussion does not apply to these Linksys-designed routers.

These routers are configured through the CLI (Command Line Interface) of Cisco IOS (Cisco Internetworking Operating System). All, or almost all, of the configuration discussed below still applies to later and more powerful Cisco routers of types frequently used in small-business and ISP networks.

These legacy Cisco routers can be equipped with WiFi and 4G modules, which are outdated but, inexplicably, more expensive than the router itself on eBay. 16-port, 24-port and larger Gbps Ethernet modules for these routers are also expensive and often do not perform on par with current managed switches of other brands.

The main reason for purchasing these switch modules is when you need to build your own Cisco certification home lab. Using one or two of these modules avoids the need for physically separate Cisco switches. Most of this legacy equipment is fan-cooled and not built to run silently. It can be made almost silent by replacing the internal fans with modern, silent ones, but the cost of doing this to multiple devices like a stack of self-standing switches is obviously higher than just silencing a single router equipped with switch modules. Also, there is no point in using 48-port Ethernet switches when a 16-port module will offer exactly the same configurability.

The actual throughput of these routers in real-world IP routing situations is much less than 1 Gbps. As such, these routers end up being the bottleneck of any network that exceeds about 100 Kbps in Internet throughput.

An additional limit to throughput is the router firmware, in particular its license type. With the "standard" license most Cisco routers are sold with, the performance of the router is throttled down to its nominal specification for each and every service. For example, a router specified to provide a 250 Kbps NAT throughput and a 50 Kbps IPsec throughput is throttled down to 250 Kbps NAT throughput even when it is serving neither IPsec nor any other service. If you want the router to fully provide all the throughput the CPU and hardware are capable of, you must buy the more expensive "performance" license. On the one hand, the standard license guarantees that the nominal specifications are always fulfilled, no matter how many other services are running on the router. On the other hand, most router owners with a "standard" license end up implementing a small subset of the services available on the router, and are thereby underutilizing their router hardware.

Basics of Cisco IOS 

Unlike modern home routers, Cisco routers do not allow configuration via a web GUI. Instead, a command-line session over telnet (or, preferably, over SSH, which is highly recommended) is used for all configuration and maintenance. The Cisco IOS syntax used to configure these routers has remained largely stable for over 20 years, with new features configured by following the same general rules. Cisco switches are configured by using a very similar syntax.

One of the general configuration principles is that a command is negated (e.g. to switch off a feature) by issuing the same command prefixed with no. How to switch off a given feature is the subject of a surprisingly large number of inquiries on Cisco user-support bulletin boards. For example, the command ip nat inside source static 192.168.11.23 192.168.8.23 defines a static NAT address translation between two IP addresses on networks attached to separate router interfaces. Just deleting this command from the configuration script and re-running the whole script in the CLI still leaves the NAT configured in the router. To actually delete this definition, you must issue the command no ip nat inside source static 192.168.11.23 192.168.8.23.

If you learn to configure these routers by actually using them (as opposed to using a software router emulator), you will also quickly discover that the router operating system completes reserved words, as long as you type a sufficient number of characters to make your intentions clear. This makes it faster to configure features, and is just one example of why it is far better to learn by configuring actual routers, rather than emulators.

Router emulators are often limited in the choice of emulated features and their behavior. Some router emulators fail to correctly emulate the actual behavior and responses of the router. Some are so bad that they let you enter nonsense combinations of commands that an actual router would reject. Other router emulators rigidly expect you to enter commands in a specific sequence, while an actual router is far more flexible in this respect.

Another useful thing to know is that configuration commands can contain comments, just like source code in most programming languages. Comments in Cisco IOS start with an exclamation mark (!) and continue to the end of the line (i.e., there is no token to mark the end of a comment, and multi-line comments are not possible). One line may contain an IOS command followed by a comment. It is also possible to write a line consisting entirely of a comment. Empty lines can be used to separate commands into logical sections, but this has no effect on the configuration results (the Cisco IOS interpreter simply disregards comments and empty lines). I use plenty of comments to document my intentions when writing IOS commands to a text file. You can then export the configuration from a router as the same sequence of commands, although all comments are removed and the ordering of the commands can differ from the original.

In general, an entity must be defined in the configuration before its name can be used for further configuration. Aside from this, commands that configure the same feature can, but do not need to, be grouped together in the same section of a configuration file.

I like to write the configuration procedure in a text editor, then paste it into a telnet client (one line at a time if I am uncertain the syntax is correct, or in larger blocks for tried-and-tested procedures), complete with comments and empty lines. The configuration saved in the text file is my permanent record and documentation of the configuration procedure, and I keep a whole history of backups of the changes to the configuration over time. This allows me to change the configuration at any time, then reset the router NVRAM and re-configure it from the ground up. In this way I avoid the need to issue "no" commands to switch off any feature I no longer need and have deleted from the text file, but that is still active on the router (and would not be removed by just running the modified configuration).

There are multiple access levels in the configuration. The lowest is available immediately after login, and indicated by a prompt beginning with the router name (discussed below) followed by >, for example:
C2921>

The second level is accessed by issuing the enable command and entering a password. This level is generally used to display information items like the IOS version, amount of memory, number of IP interfaces and their respective configuration, etc. It is also used to clear the NVRAM (non-volatile memory where the configuration is stored when the router is powered off), and to save the current configuration to NVRAM (each configuration command you issue becomes immediately effective, but the new configuration is only stored in RAM and will be lost if the router is rebooted). Finally, this level is also used to reboot the router. You may periodically need to switch back to the first level (with the exit command) to check certain items, or to issue the commands only accessible from that level.

The configuration level is entered by issuing the config command. The prompt adds (config) between router name and #. This level, and higher levels, are where you perform almost all router configuration.

Higher levels are specific to the type of configuration you are carrying out. The type of configuration is indicated in the prompt. For example, to configure an IP interface, issue the interface command:
interface GigabitEthernet0/2

The prompt changes to include the interface word. Issue the commands necessary to configure this interface, and when done type the exit command to return to a lower level.

Finally, some hardware modules, especially multi-port switches, contain their own CPU and NVRAM, and behave like separate devices. When configuring them, the router opens a telnet session to the device and connects it to your telnet client, and the device name (rather than the router name) is displayed in the prompt. The IOS syntax used to configure these modules is largely similar to the router's, except that switches may allow port ranges, instead of a single port, to make configuration faster and less repetitive. Some features of these modules may require a different syntax.

Delete existing configuration and passwords

When you purchase a second-hand router, you may get a unit where the original passwords and configuration have not been erased. It is therefore important that you learn how to override any existing password protection, and to completely delete the configuration and start with a blank slate. Trying to learn how to configure a router without deleting its previous configuration is totally hopeless.

Cisco routers let you delete passwords quite easily, and all you need to do it is physical access to the router.

Connect the computer serial port to the router Console port (via a USB adapter if the computer lacks hardware serial ports) and set the proper serial parameters in the terminal emulator on the computer (as specified in the router's user guide). Some routers have a USB console port, in this case connect the computer to the router with a USB cable.

Power on the device. In the following procedure, press Enter where you see <Enter>, and replace other items in <brackets> with your chosen values.

Press CTRL + C multiple times, until the rommon 1> prompt is displayed.

Type confreg 0x2142 and hit Enter. This sets a special value in the configuration register that enables rommon at the next reboot.

At the rommon 2> prompt, type reset.

Type no after each setup question, or press CTRL + C to skip the setup procedure.

At the Router> prompt, type enable.

At the Router# prompt, type configure terminal.

At the Router(config)# prompt, type enable secret <YourPassword>. This sets your password for future use.

At the Router(config)# prompt, type config-register 0x2102. This restores the original value of the configuration register, which tells the router not to enter rommon at the next reboot.

After rebooting, at the Router> prompt, type enable.
Password: <YourPassword>
Router# write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] <Enter>
Router# reload
System configuration has been modified. Save? [yes/no]: yes
Proceed with reload? [confirm]<Enter>

Note that physical access to the router, and in particular to its console port, allows unrestricted access to IOS. Therefore, physical access to the router must be restricted to just the router administrator. Note also that there is an Aux serial port on the router, which allows the same access as the console port. The Aux port was provided to allow connecting to the router via a modem. This is an obvious vulnerability, and today you should never connect a modem (or anything else) to the Aux port.

The following is an example of the remaining basic configuration. Note how some commands are shortened.

Router> ena
Router# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname C1921
C1921(config)# ip domain-name <YourDomain>.LOCAL
C1921(config)# line console 0
C1921(config-line)# logging synchronous
C1921(config-line)# end
! enable SSH (needs configuring an IP address to use)
C1921# conf t
C1921(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK]
%SSH-5-ENABLED: SSH 1.99 has been enabled
C1921(config)# ip ssh version 2
C1921(config)# line vty 0 4
C1921(config-line)# transport input ssh
C1921(config-line)# login local
C1921(config-line)# exit
C1921(config)# username <UserName> password <YourPassword>
C1921(config)# enable secret <YourPassword>
C1921(config)# line console 0
C1921(config-line)# exec-timeout 30
C1921(config-line)# session-timeout 30
C1921(config-line)# logging synchronous
C1921(config-line)# no password
C1921(config-line)# login
C1921(config-line)# exit
C1921(config)# exit
C1921# terminal length 0 ! disable the --- More --- prompt
C1921# terminal width 160 ! max terminal line length
C1921#
*Jan 27 09:35:19.824: %SYS-5-CONFIG_I: Configured from console by console
C1921# copy run start ! copies running config from RAM to NVRAM
Destination filename [startup-config]? <Enter>
Building configuration...

[OK]
C1921#
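As an added example (not part of the original page), the following is a hardened variant of the access configuration shown above. It stores credentials as hashed secrets instead of reversible passwords, rate-limits login failures, restricts remote sessions to the LAN and disables the Aux port discussed earlier. The management subnet 192.168.8.0/24 (taken from the NAT example on this page) and the user name admin are assumptions.

```cisco
! Added example: hardened version of the access configuration above.
! Assumptions: management LAN is 192.168.8.0/24, admin user is "admin".
conf t
hostname C1921
ip domain-name <YourDomain>.LOCAL
! Store credentials as salted hashes ("secret"), not reversible type 7 passwords
username admin privilege 15 secret <YourPassword>
enable secret <YourPassword>
! Obscure any legacy plaintext passwords still present in the config
service password-encryption
! 2048-bit host key (prompts to replace keys if some already exist); SSH v2 only
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Slow down password guessing: 3 failures within 60 s blocks logins for 120 s,
! except for hosts matched by ACL 10, so the administrator is not locked out
login block-for 120 attempts 3 within 60
login quiet-mode access-class 10
login on-failure log
login on-success log
! Only management hosts on the LAN may open a remote session
access-list 10 permit 192.168.8.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
 exit
! Console: authenticate against the local user database, idle timeout 10 min
line con 0
 login local
 exec-timeout 10 0
 logging synchronous
 exit
! Aux port: no shell and no inbound transport, so a modem cannot reach IOS
line aux 0
 no exec
 transport input none
 exit
! No web management interface
no ip http server
no ip http secure-server
end
copy running-config startup-config
```

Because login local is set on the console, create the admin user before ending the session, or you will be locked out of the console until the password-recovery procedure above is repeated.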

Concluding remarks

The above procedure deletes any router password and router configuration. After configuring the access password to the router, you will normally configure the router remotely via its LAN Ethernet connection(s). I recommend that you use a telnet client with SSH capabilities to configure the router, for example PuTTY.