2.5 – Perform, save and verify initial switch configuration task including remote access management
2 – Implement a small switched network
Prepare to Configure the Switch
The initial startup of a Catalyst switch requires the completion of the following steps:
Step 1. Before starting the switch, verify the following:
- All network cable connections are secure.
- Your PC or terminal is connected to the console port.
- Your terminal emulator application, such as HyperTerminal, is running and configured correctly.
Step 2. Attach the power cable plug to the switch power supply socket. The switch
starts. Some Catalyst switches, including the Cisco Catalyst 2960 series, do not
have power buttons.
Step 3. Observe the boot sequence: When the switch is turned on, the POST begins.
During POST, the LEDs blink while a series of tests determine that the switch is
functioning properly. When the POST has completed, the SYST LED rapidly
blinks green. If the switch fails POST, the SYST LED turns amber.
Observe the Cisco IOS software output text on the console.
During the initial startup of the switch, if POST failures are detected, they are
reported to the console and the switch does not start. If POST completes successfully,
and the switch has not been configured before, you are prompted to
configure the switch.
Navigating Command-Line Interface Modes
As a security feature, Cisco IOS Software separates EXEC sessions into two access
levels:
- User EXEC: Allows a person to access only a limited number of basic monitoring
commands. User EXEC mode is the default mode you enter after logging in to a Cisco
switch from the CLI. User EXEC mode is identified by the > prompt.
- Privileged EXEC: Allows a person to access all device commands, such as those used
for configuration and management, and can be password-protected to allow only authorized
users to access the device. Privileged EXEC mode is identified by the # prompt.
To change from user EXEC mode to privileged EXEC mode, enter the enable command.
To change from privileged EXEC mode to user EXEC mode, enter the disable command.
On a production network, the switch prompts for a password when you enter enable; type the
correct password to continue. By default, no enable password is configured, which is one of the
first things to change on a new switch. The table below shows the Cisco IOS commands used
to navigate from user EXEC mode to privileged EXEC mode and back again.
Navigating Between User EXEC Mode and Privileged EXEC Mode
| Description | CLI |
| Switch from user EXEC to privileged EXEC mode | Switch> enable |
| If a password has been set for privileged EXEC mode, you are prompted to enter it now | Password: <password> |
| The # prompt signifies privileged EXEC mode | Switch# |
| Switch from privileged EXEC to user EXEC mode | Switch# disable |
| The > prompt signifies user EXEC mode | Switch> |
There are many configuration modes. For now, you will explore how to navigate two common
configuration modes: global configuration mode and interface configuration mode.
The example in the table below starts with the switch in privileged EXEC mode. To configure
global switch parameters such as the switch hostname or the switch IP address used for
switch management purposes, use global configuration mode. To access global configuration
mode, enter the configure terminal command in privileged EXEC mode. The prompt
changes to (config)#.
| Description | CLI |
| Switch from privileged EXEC mode to global configuration mode | Switch# configure terminal |
| The (config)# prompt signifies that the switch is in global configuration mode | Switch(config)# |
| Switch from global configuration mode to interface configuration mode for Fast Ethernet interface 0/1 | Switch(config)# interface fastethernet 0/1 |
| The (config-if)# prompt signifies that the switch is in the interface configuration mode | Switch(config-if)# |
| Switch from interface configuration mode to global configuration mode | Switch(config-if)# exit |
| The (config)# prompt signifies that the switch is in global configuration mode | Switch(config)# |
Configuring interface-specific parameters is a common task. To access interface configuration
mode from global configuration mode, enter the interface interface-name command.
The prompt changes to (config-if)#. To exit interface configuration mode, use the exit
command. The prompt switches back to (config)#, letting you know that you are in global
configuration mode. To exit global configuration mode, enter the exit command again. The
prompt switches to #, signifying privileged EXEC mode.
Using the Help Facility
The Cisco IOS CLI offers two types of help:
- Word help: If you do not remember an entire command but do remember the first few
characters, enter the character sequence followed by a question mark (?). Do not
include a space before the question mark. A list of commands that start with the characters
that you entered is displayed. For example, entering sh ? returns a list of all commands
that begin with the sh character sequence.
- Command syntax help: If you are unfamiliar with which commands are available in
your current context within the Cisco IOS CLI, or if you do not know the parameters
required or available to complete a given command, enter the ? command. When only ?
is entered, a list of all available commands in the current context is displayed. If the ?
command is entered after a specific command, the command arguments are displayed.
If <cr> is displayed, no other arguments are needed to make the command function.
Make sure to include a space before the question mark to prevent the Cisco IOS CLI
from performing word help rather than command syntax help. For example, enter
show ? to get a list of the command options supported by the show command.
The table below shows examples of Cisco help functions.
Context-Sensitive Help
| Context | CLI |
| Example of command prompting. In this example, the help function provides a list of commands available in the current mode that start with cl | Switch# cl? |
| Example of incomplete command | Switch# clock
% Incomplete command |
| Example of symbolic translation: a word the parser does not recognize is treated as a hostname that IOS tries to resolve | Switch# clock
% Unknown command or computer name, or unable to find computer address |
| Example of command prompting. Notice the space. In this example, the help function provides a list of subcommands associated with the clock command. | Switch# clock ?
  set  Set the time and date |
| In this example, the help function provides a list of command arguments required with the clock set command | Switch# clock set ?
  hh:mm:ss  Current time |
Using the example of setting the device clock, let’s see how CLI help works. If the device
clock needs to be set but the clock command syntax is not known, the context-sensitive
help provides a means to check the syntax.
Context-sensitive help supplies the whole command even if you enter just the first part of
the command, such as cl?.
If you enter the command clock followed by the Enter key, an error message indicates that
the command is incomplete. To view the required parameters for the clock command, enter
?, preceded by a space. In the clock ? example, the help output shows that the keyword set
is required after clock.
If you now enter the command clock set, another error message appears, indicating that the
command is still incomplete. Now add a space and enter the ? command to display a list of
command arguments that are available at that point for the given command.
The additional arguments needed to set the clock on the device are displayed: the current
time using hours, minutes, and seconds.
For an excellent resource on how to use the Cisco IOS CLI – http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html.
Verifying Switch Configuration
Now that you have performed the initial switch configuration, you should confirm that the
switch has been configured correctly. In this section, you learn how to verify the switch
configuration using various show commands.
When you need to verify the configuration of your Cisco switch, show commands are very
useful. show commands are executed from privileged EXEC mode. The table below presents some
of the key options for the show command that verify many of the configurable switch features.
show Commands
| Description | CLI |
| Displays interface status and configuration for a single interface or, with no argument, for all interfaces on the switch | show interfaces [interface-id] |
| Displays contents of startup configuration | show startup-config |
| Displays current operating configuration | show running-config |
| Displays information about the flash: file system | show flash: |
| Displays system hardware and software status | show version |
| Displays the session command history | show history |
| Displays IP information. The interface option displays IP interface status and configuration. The http option displays HTTP information about Device Manager running on the switch. The arp option displays the IP ARP table. | show ip {interface | http | arp} |
One of the more valuable show commands is the show running-config command, as illustrated below:
| S1# show running-config
Building configuration...
Current configuration : 1664 bytes
!
version 12.2
<output omitted>
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
<output omitted>
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.17.99.1
ip http server
!
!
<output omitted>
!
end
S1# |
The show running-config command displays the configuration currently running on the
switch. Use this command to verify that you have correctly configured the switch. The
relevant lines of the S1 output above show the following:
- Fast Ethernet 0/18 interface configured as an access port in the management VLAN 99
- VLAN 99 configured with an IP address of 172.17.99.11 255.255.255.0
- Default gateway set to 172.17.99.1
- HTTP server configured (note that ip http server enables unencrypted management access; leave it disabled unless you need it)
Another commonly used command is the show interfaces command, which displays status
and statistics information for the interfaces on the switch. The show interfaces command is
used frequently while configuring and monitoring network devices. Recall that you can type
partial commands at the command prompt and, as long as no other command starts with the
same characters, the Cisco IOS software interprets the command correctly. For example, you can use
show int for this command. The example below shows output from the show interfaces
fastethernet 0/1 command.
show interfaces fastethernet 0/1 Command
| S1# show interfaces fastethernet 0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0019.aa9e.b001 (bia 0019.aa9e.b001)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
<output omitted>
S1# |
The first line of the output indicates that the Fast Ethernet 0/1 interface is up and
running (both the physical status and the line protocol are up). The Auto-duplex, Auto-speed
line shows that duplex and speed are negotiated rather than fixed; the input errors and CRC
counters further down should stay at zero on a healthy link.
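When many ports have to be verified, reading show interfaces by eye does not scale. The script below is an added example written for this page, not Cisco code or output: it parses the per-interface blocks of show interfaces into a dictionary and applies the two checks described above (up/up, and zero input/CRC errors). The sample text is constructed; its first block is modelled on the S1 output shown above and the second interface (FastEthernet0/2, with errors) is invented so that a check has something to flag. The regular expressions assume the 12.2-style output format reproduced on this page.

```python
import re

# Constructed sample: the first block is modelled on the show interfaces
# fastethernet 0/1 output reproduced above; the second interface is invented
# so that the error-counter check has something to flag.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0019.aa9e.b001 (bia 0019.aa9e.b001)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
FastEthernet0/2 is down, line protocol is down (notconnect)
  Hardware is Fast Ethernet, address is 0019.aa9e.b002 (bia 0019.aa9e.b002)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     17 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
"""

# A new interface block starts in column 0; every indented line belongs to
# the most recent block. The patterns below assume the 12.2-style layout.
HEADER = re.compile(r"^(?P<name>\S+) is (?P<status>[\w ]+?), line protocol is (?P<protocol>\w+)")
DUPLEX = re.compile(r"^\s*(?P<duplex>\w+-duplex), (?P<speed>[^,]+),")
ERRORS = re.compile(r"^\s*(?P<input_errors>\d+) input errors, (?P<crc>\d+) CRC")
MAC = re.compile(r"address is (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def parse_show_interfaces(text):
    """Return {name: {status, protocol, mac, duplex, speed, input_errors, crc}}."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"status": m.group("status"), "protocol": m.group("protocol")}
            interfaces[m.group("name")] = current
            continue
        if current is None:          # text before the first interface block
            continue
        for rx in (DUPLEX, ERRORS, MAC):
            m = rx.search(line)
            if m:
                for key, value in m.groupdict().items():
                    current[key] = int(value) if value.isdigit() else value
    return interfaces


def verify_interface(iface, expect_up=True):
    """Findings for one parsed interface; an empty list means it looks healthy."""
    findings = []
    if expect_up and (iface["status"], iface["protocol"]) != ("up", "up"):
        findings.append(f"not up/up: {iface['status']}/{iface['protocol']}")
    if iface.get("input_errors", 0) or iface.get("crc", 0):
        findings.append(f"{iface['input_errors']} input errors ({iface['crc']} CRC)")
    return findings


if __name__ == "__main__":
    for name, iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES).items():
        print(name, iface["duplex"], iface["speed"], verify_interface(iface) or "ok")
```

Pass expect_up=False for ports that are intentionally unused; a non-zero CRC count on a port that negotiated full duplex is still reported, because it usually points at a duplex mismatch or a bad cable rather than at normal idle behaviour.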
Basic Switch Management
After a switch is up and running in a LAN, a switch administrator must still maintain the
switch. This includes backing up and restoring switch configuration files, clearing configuration
information, and deleting configuration files.
Backing Up and Restoring Switch Configuration Files
A typical job for an apprentice network technician is to load a switch with a configuration.
In this topic, you learn how to load and store a configuration on the switch flash memory
and to a Trivial File Transfer Protocol (TFTP) server.
You have already learned how to back up the running configuration of a switch to the startup
configuration file. You have used the copy running-config startup-config privileged EXEC
command to back up the configurations you have made so far. As you may already know, the
running configuration is saved in RAM and the startup configuration is stored in the NVRAM
portion of flash memory. When you issue the copy running-config startup-config command,
the Cisco IOS software copies the running configuration to NVRAM so that when the switch
boots, the startup-config file with your new configuration is loaded.
You do not always want to save configuration changes you make to the running configuration
of a switch. For example, you might want to change the configuration for a short time period
rather than permanently when testing out some configurations.
If you want to maintain multiple distinct startup-config files on the device, you can copy the
configuration to different filenames, using the copy startup-config flash:filename command.
Storing multiple startup-config versions allows you to roll back to a point in time if your configuration
has problems. The table below shows three examples of backing up the configuration to
flash memory.
Backing Up Configuration Files
| Example | CLI |
| Formal version of the Cisco IOS copy command. Confirm the destination filename. Press Enter to accept or Ctrl+C to cancel. | S1# copy system:running-config flash:startup-config
Destination filename [startup-config]? |
| Informal version of the copy command. The assumptions are that the running-config is the one running on the system and that the startup-config file will be stored in Flash NVRAM. Press Enter to accept or Ctrl+C to cancel. | S1# copy running-config startup-config
Destination filename [startup-config]? |
| Back up the startup-config to a file stored in Flash NVRAM. Confirm the destination filename. Press Enter to accept or Ctrl+C to cancel. | S1# copy startup-config flash:config.bak1
Destination filename [config.bak1]? |
The first is the formal and complete syntax. The second is the syntax commonly used. Use
the first syntax when you are unfamiliar with the network device you are working with, and
use the second syntax when you know that the destination is the Flash NVRAM installed on
the switch. The third is the syntax used to save a copy of the startup-config file in flash.
Restoring a configuration is a simple process. You just need to copy the saved configuration
over the current configuration. For example, if you had a saved configuration called
config.bak1, you could restore it over your existing startup-config by entering the Cisco IOS
command copy flash:config.bak1 startup-config. After the configuration has been restored
to the startup-config, you restart the switch with the reload command in privileged EXEC
mode, as seen in table below; this reloads the switch with the new startup configuration.
Restoring Configuration Files
| Description | CLI |
| Copy the config.bak1 file stored in flash over the startup configuration, which is assumed to be stored in flash. Press Enter to accept or Ctrl+C to cancel. | S1# copy flash:config.bak1 startup-config
Destination filename [startup-config]? |
| Have the Cisco IOS restart the switch. If you have modified the running configuration, you are asked whether to save it; answer y or n (answer n here, otherwise the running configuration overwrites the startup-config you just restored). To confirm the reload, press Enter to accept or Ctrl+C to cancel. | S1# reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm] |
The reload command halts the system. Use the reload command after configuration information
is entered into a file and saved to the startup configuration.
Clearing Switch Configuration Information
To clear the contents of your startup configuration, use the erase nvram: or the erase startup-
config privileged EXEC command. The example below illustrates erasing the configuration
files stored in NVRAM. Note that this does not remove vlan.dat from flash, so VLAN
information survives the erase unless you delete that file separately.
| S1# erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
S1# |
Configuring Password Options
Securing your switches starts with protecting them from unauthorized access. Next you will
explore configuring passwords for the console line, virtual terminal lines, and access to
privileged EXEC mode. You also learn how to encrypt and recover passwords on a switch.
Securing Console Access
To secure the console port from unauthorized access, set a password on the console port
using the password password line configuration mode command. Use the line console 0
command to switch from global configuration mode to line configuration mode for console
0, which is the console port on Cisco switches. The prompt changes to (config-line)#, indicating
that the switch is now in line configuration mode.
You can set the password for the console by entering the password password command. To
ensure that a user on the console port is required to enter the password, use the login command.
Even when a password is defined, it is not required to be entered until the login command
has been issued.
Securing Console Access
| Description | Command |
| Switches from privileged EXEC mode to global configuration mode | S1# configure terminal |
| Switches from global configuration mode to line configuration mode for console 0 | S1(config)# line console 0 |
| Sets cisco as the password for the console 0 line on the switch | S1(config-line)# password cisco |
| Sets the console line to require the password to be entered before access is granted | S1(config-line)# login |
| Exits from line configuration mode and returns to privileged EXEC mode | S1(config-line)# end |
Securing Virtual Terminal Access
The vty lines on a Cisco switch allow you to access the device remotely. You can perform
all configuration options using the vty lines. You do not need physical access to the switch
to access the vty lines, so it is very important to secure the vty lines. Any user with network
access to the switch can establish a vty remote terminal. If the vty lines are not properly
secured, a malicious user could compromise the switch configuration.
Use the line vty 0 15 command to switch from global configuration mode to line configuration
mode for all 16 vty lines (0 through 15) on the switch. Configuring only line vty 0 4 leaves
lines 5 through 15 with whatever settings they already have, so apply the password and login
commands to the full range, and check the result with show running-config.
The table below shows the commands used to configure and require the password for vty access. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.
Securing Virtual Terminal Access
| Description | Command |
| Switches from privileged EXEC mode to global configuration mode | S1# configure terminal |
| Switches from global configuration mode to line configuration mode for vty terminals 0 through 15 | S1(config)# line vty 0 15 |
| Sets cisco as the password for the vty lines on the switch | S1(config-line)# password cisco |
| Sets the vty line to require the password to be entered before access is granted | S1(config-line)# login |
| Exits from line configuration mode and returns to privileged EXEC mode | S1(config-line)# end |
Securing Privileged EXEC Access
Privileged EXEC mode allows any user accessing that mode on a Cisco switch to configure
any option available on the switch. You can also view all the currently configured settings
on the switch, including some of the unencrypted passwords! For these reasons, it is important
to secure access to privileged EXEC mode.
The enable password global configuration command allows you to specify a password to
restrict access to privileged EXEC mode. However, one problem with the enable password
command is that it stores the password in readable text in the startup-config and running-config
files. If someone were to gain access to a stored startup-config file, or temporary
access to a Telnet or console session that is logged in to privileged EXEC mode, that person
could see the password. As a result, Cisco introduced a second password option to control
access to privileged EXEC mode that stores only a one-way hash of the password rather than
the password itself.
You can assign this hashed form of the enable password, called the enable secret password,
by entering the enable secret command with the desired password at the global configuration
mode prompt. If the enable secret password is configured, it is used instead of the
enable password, not in addition to it. There is also a safeguard built in to the Cisco IOS
software that prevents you from setting the enable secret password to the same password
that is used for the enable password.
The table below shows the commands used to configure privileged EXEC mode passwords. You
can use the show running-config command to verify your configuration and the copy
running-config startup-config command to save your work.
| Description | Command |
| Switches from privileged EXEC mode to global configuration mode | S1# configure terminal |
| Configures the enable secret password to enter privileged EXEC mode | S1(config)# enable secret password |
| Exits from global configuration mode and returns to privileged EXEC mode | S1(config)# end |
If you need to remove the password requirement to access privileged EXEC mode, you can
use the no enable password and no enable secret commands from global configuration
mode.
Encrypting Switch Passwords
When configuring passwords in the Cisco IOS CLI, by default all passwords, except for
the enable secret password, are stored in clear-text format within the startup-config and
running-config files. The example below shows an abbreviated screen output from the show
running-config command on the S1 switch; the line passwords appear in clear text. It is universally
accepted that passwords should not be stored in clear-text format.
The Cisco IOS command service password-encryption obfuscates the passwords in the configuration
file (they are then shown as password 7 followed by a hex string).
| <output omitted>
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 no login
line vty 5 15
 password cisco
 no login
!
end
S1# configure terminal
S1(config)# service password-encryption
S1(config)# end
<output omitted>
!
line con 0
 password 7 030752180500
 login
line vty 0 4
 password 7 1511021F0725
 no login
line vty 5 15
 password 7 1511021F0725
 no login
!
end |
When the service password-encryption command is entered from global configuration
mode, all line and enable passwords in the configuration are stored in type 7 form, and any
passwords already set are converted as soon as the command is entered. At the bottom of the
example above, the converted passwords appear as password 7 followed by a hex string.
Be aware of what this does and does not buy you: type 7 is a reversible obfuscation scheme,
not encryption, and it only stops a password from being read over your shoulder. Anyone who
obtains the configuration file (from a backup, a TFTP server, or show running-config in a
shared session) can recover the original passwords. Treat configuration files as sensitive,
and rely on enable secret, which stores a one-way hash, for privileged EXEC access.
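The audit below is an added example written for this page; it is not Cisco code, and the finding text is the example's own. It serves two passages at once: the vty section above (a line block with no login or no password at all lets anyone with network reach into the CLI) and the service password-encryption example just shown (type 7 strings are reversible). TYPE7_KEY is Cisco's publicly documented type 7 keystream; the two type 7 strings from the example above decode to cisco with it. The sample running-config is constructed from the S1 output reproduced on this page, with a hostname line and an enable password line added as assumptions so that the enable-password check has something to report.

```python
import re

# Cisco's fixed, publicly documented type 7 keystream. A 'password 7' string is
# two decimal digits giving the start offset into this key, followed by the
# password XORed with the key and hex-encoded. This is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config modelled on the S1 output shown above. The
# 'hostname S1' and 'enable password cisco' lines are assumptions added here.
SAMPLE_RUNNING_CONFIG = """\
!
version 12.2
hostname S1
!
enable password cisco
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.99.1
ip http server
!
line con 0
 password 7 030752180500
 login
line vty 0 4
 password 7 1511021F0725
 no login
line vty 5 15
 password 7 1511021F0725
 no login
!
end
"""


def decode_type7(encoded):
    """Reverse a 'password 7' string; raises ValueError if it is malformed."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


PASSWORD = re.compile(r"^password(?: (?P<type>\d))? (?P<value>\S+)$")


def audit_running_config(config_text):
    """Return (scope, finding) tuples for weak access-control settings.

    scope is 'global' or the 'line ...' block the finding belongs to.
    """
    findings = []
    lines_cfg = {}                      # 'line vty 0 4' -> {'password': ..., 'login': ...}
    scope = "global"
    has_secret = any(ln.startswith("enable secret") for ln in config_text.splitlines())
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):     # top-level command: starts a new scope
            scope = line if line.startswith("line ") else "global"
            if scope != "global":
                lines_cfg[scope] = {"password": None, "login": None}
            elif line.startswith("enable password"):
                note = "" if has_secret else " and no enable secret is configured"
                findings.append((scope, "enable password is stored reversibly" + note))
            elif line == "ip http server":
                findings.append((scope, "cleartext HTTP management is enabled"))
            continue
        if scope == "global":           # sub-commands of interfaces etc. are not audited
            continue
        state = lines_cfg[scope]
        m = PASSWORD.match(line)
        if m:
            ptype, value = m.group("type"), m.group("value")
            if ptype in (None, "0"):
                state["password"] = value
                findings.append((scope, f"cleartext password {value!r}"))
            elif ptype == "7":
                try:
                    state["password"] = decode_type7(value)
                    findings.append((scope, f"type 7 password decodes to {state['password']!r}"))
                except ValueError as exc:
                    findings.append((scope, str(exc)))
            else:
                state["password"] = "<hashed>"
        elif line.startswith("login"):  # 'login' or 'login local'
            state["login"] = True
        elif line == "no login":
            state["login"] = False
    for scope, state in lines_cfg.items():
        if state["login"] is False:
            findings.append((scope, "no login: a password is not required"))
        if state["password"] is None:
            findings.append((scope, "no password configured"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print(f"{scope:14} {finding}")
```

Run it over a show running-config capture saved to a file. Every line block is reported either for no login or for a recoverable password; only enable secret (a hash) produces no finding, which is the point the text above makes about type 7.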
Password Recovery
After you set passwords to control access to the Cisco IOS CLI, you need to make sure that
you remember them. In case you have lost or forgotten access passwords, Cisco has a password
recovery mechanism that allows administrators to gain access to their Cisco devices.
The password recovery process requires physical access to the device.
You may not be able to actually recover the passwords on the Cisco device, especially if
password encryption has been enabled, but you are able to reset them to a new value.
To recover the password on a Catalyst 2960 switch, use the following steps:
How To
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console
port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds,
press the Mode button while the System LED is still flashing green.
Continue pressing the Mode button until the System LED turns briefly amber
and then solid green. Then release the Mode button.
Step 4. Initialize the flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of flash memory using the dir flash: command:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
Step 7. Rename the configuration file to config.text.old, which contains the password
definition, using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt and then,
when the system prompts whether to continue with the configuration dialog,
enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename
flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text
system:running-config command. After this command has been entered, the
following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is
now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Copy the running configuration to the startup configuration file using the copy
running-config startup-config command.
Step 17. Reload the switch using the reload command.
Chapter 2: Basic Switch Concepts and Configuration 91
Note
The password recovery procedure can be different depending on the Cisco switch series, so you
should refer to the product documentation before you attempt a password recovery.
See
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml
for password recovery procedures for each Cisco product.
Login Banners
The Cisco IOS command set includes a feature that allows you to configure messages that
anyone logging on to the switch sees. These messages are called login banners and message
of the day (MOTD) banners.
You can define a customized banner to be displayed before the username and password
login prompts by using the banner login command in global configuration mode. Enclose
the banner text in a delimiter character that does not appear anywhere in the banner string.
Keep the text to a statement that access is restricted to authorized users; do not welcome
users or disclose the device's name, model, or location in it.
Configuring a Login Banner
| Description | Command |
| Switches from privileged EXEC mode to global configuration mode | S1# configure terminal |
| Configures a login banner | S1(config)# banner login #Authorized Personnel Only!# |
The MOTD banner displays on all connected terminals at login and is useful for sending
messages that affect all network users (such as impending system shutdowns). The MOTD
banner displays before the login banner if it is also configured.
Define the MOTD banner by using the banner motd command in global configuration
mode. Enclose the banner text in a delimiter that does not appear anywhere in
the text enclosed by it.
The table below shows the S1 switch being configured with a MOTD banner to display "Device
maintenance will be occurring on Friday!"
Configuring a MOTD Banner
| Description | Command |
| Switches from privileged EXEC mode to global configuration mode | S1# configure terminal |
| Configures a MOTD banner | S1(config)# banner motd #Device maintenance will be occurring on Friday!# |