To configure the switch we can use PuTTY or MobaXterm.
a. Verify the network documentation and use tests to isolate problems.
b. Determine an appropriate solution for a given problem.
c. Implement the solution.
d. Test to verify the problem is resolved.
e. Document the solution.
User Exec mode (view only mode):
Switch>
Router>
Privileged EXEC mode (access to all commands):
Switch#
Router#
Global config mode
Switch(config)#
Two main subconfiguration modes:
Switch(config-line)#
Switch(config-if)#
Help mode -> ?
Switch>? -> user EXEC mode help
Router#? -> privileged EXEC mode
Switch(config)# -> global configuration mode help
Switch(config)#in? -> autocomplete commands
interface
Switch(config)#interface ? -> tells next parameter/argument
Ethernet IEEE 802.3
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Port-channel Ethernet Channel of interfaces
Vlan Catalyst Vlans
range interface range command
Switch(config)#interface
Command syntax checker
Switch(config)#interface 33
^
% Invalid input detected at '^' marker.
Switch(config)#
Ambiguous syntax checker
Switch(config)#i ?
% Ambiguous command: "i "
Switch(config)#i?
interface ip
Incomplete command checker
Switch(config)#interface
% Incomplete command.
Switch(config)#
Keystrokes to enhance command line editing.
Keystroke | Description |
---|---|
Tab | Completes a partial command name entry. |
Backspace | Erases the character to the left of the cursor. |
Ctrl+D | Erases the character at the cursor. |
Ctrl+K | Erases all characters from the cursor to the end of the command line. |
Esc D | Erases all characters from the cursor to the end of the word. |
Ctrl+U or Ctrl+X | Erases all characters from the cursor back to the beginning of the command line. |
Ctrl+W | Erases the word to the left of the cursor. |
Ctrl+A | Moves the cursor to the beginning of the line. |
Left Arrow or Ctrl+B | Moves the cursor one character to the left. |
Esc B | Moves the cursor back one word to the left. |
Esc F | Moves the cursor forward one word to the right. |
Right Arrow or Ctrl+F | Moves the cursor one character to the right. |
Ctrl+E | Moves the cursor to the end of command line. |
Up Arrow or Ctrl+P | Recalls the previous command in the history buffer, beginning with the most recent. |
Down Arrow or Ctrl+N | Goes to the next line in the history buffer. |
Ctrl+R or Ctrl+I or Ctrl+L | Redisplays the system prompt and command line after a console message is received. |
Keystrokes that can be used after a “--More--” prompt.
Keystroke | Description |
---|---|
Enter Key | Displays the next line. |
Space Bar | Displays the next screen. |
Any other key * | Ends the display string, returning to previous prompt. |
* Except 'y', which answers "yes" to the --More-- prompt, and acts like the Space bar. |
Commands used to exit out of an operation.
Keystroke | Description |
---|---|
Ctrl-C | When in any configuration mode, ends the configuration mode and returns to privileged EXEC mode. When in setup mode, aborts back to the command prompt. |
Ctrl-Z | When in any configuration mode, ends the configuration mode and returns to privileged EXEC mode. |
Ctrl-Shift-6 | All-purpose break sequence used to abort DNS lookups, traceroutes, pings, etc. |
access privileged EXEC mode -> enable
exit privileged mode -> disable
access the global configuration mode -> configure terminal
shorthand: config t
exit global config mode -> exit
Switch(config)# line console 0
Switch(config-line)# exit
Switch(config)#
move from any subconfiguration mode to the privileged EXEC mode -> end
Switch(config-line)# end
Switch#
move directly from one subconfiguration mode to another
Switch(config-line)# interface FastEthernet 0/1
Switch(config-if)#
verify ssh support on the device -> show ip ssh
Command | shorthand |
---|---|
config terminal | conf t |
enable | enab |
no logging console | no log con |
no shutdown | no shut |
copy running-config startup-config | copy run start |
interface | int |
Step 1. Configure the device name.
Step 2. Secure privileged EXEC mode.
Step 3. Secure user EXEC mode.
Step 4. Secure remote Telnet/SSH access.
Step 5. Secure all passwords in the config file.
Step 6. Provide legal notification.
Step 7. Save the configuration.
Naming guidelines for hosts:
e.g. Sw-Floor-1 for a switch
Switch# configure terminal
Switch(config)# hostname Sw-Floor-1
Sw-Floor-1(config)#
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line console 0
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#
Remove user EXEC password -> disable password
Add a password to the privileged EXEC
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable password class
Sw-Floor-1(config)# exit
Sw-Floor-1#
Remove privileged password -> no enable password
Add an encrypted (hashed) password to the privileged EXEC
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# enable secret class
Sw-Floor-1(config)# exit
Sw-Floor-1#
Remove secret password -> no enable secret
(up to 16 VTY lines numbered 0 to 15)
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# line vty 0 15
Sw-Floor-1(config-line)# password cisco
Sw-Floor-1(config-line)# login
Sw-Floor-1(config-line)# end
Sw-Floor-1#
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# service password-encryption
Sw-Floor-1(config)#
The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.
Use the show running-config command to verify that passwords are now encrypted.
To create a banner message of the day on a network device, use the banner motd # the message of the day # global config command. The “#” in the command syntax is called the delimiting character. It is entered before and after the message.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# banner motd #Authorized Access Only#
configure the IP domain -> ip domain-name 'domain-name'
give a name to the device -> hostname 'name'
password protect privileged EXEC -> enable secret 'password'
password protect user EXEC ->
line console 0
password 'password'
login
exit
encrypt existing and future passwords -> service password-encryption
There are two system files that store the device configuration:
startup-config - This is the saved configuration file that is stored in NVRAM. It contains all the commands that will be used by the device upon startup or reboot. Flash does not lose its contents when the device is powered off.
running-config - This is stored in Random Access Memory (RAM). It reflects the current configuration. Modifying a running configuration affects the operation of a Cisco device immediately. RAM is volatile memory. It loses all of its content when the device is powered off or restarted.
show running-config
copy running-config startup-config
shorthand: cop r st or copy run start
copy startup-config flash
erase startup-config
Prompt warning coming next
show flash
S1#dir ?
flash: Directory or file name
nvram: Directory or file name
S1#dir nvram:
Directory of nvram:/
238 -rw- 1205 <no date> startup-config
1205 bytes total (237588 bytes free)
S1#
Discarding an unsaved running config is possible by using the reload privileged EXEC command or by copying the startup-config over the running-config:
copy startup-config running-config
The downside to using the reload command to remove an unsaved running config is the brief amount of time the device will be offline, causing network downtime.
Verify the condition of the switch interfaces: show ip interface brief
Show the vlans: show vlan
Show the interfaces: show interface switchport
Show the trunk state: show interface trunk
no vlan <id>
Switch(config)#interface vlan <id>
Switch(config-if)#no ip address
Switch(config)#interface fa0/24
Switch(config-if)#no switchport access vlan <id>
A port must have a VLAN assignment (default VLAN 1).
If you need it to be completely disconnected, set it to a nonexistent VLAN and shut down the port.
Switch(config)#interface fa0/24
Switch(config-if)#switchport access vlan 999
Switch(config-if)#no switchport access vlan 1
Switch(config-if)#shutdown
Switch(config)#no ip default-gateway <ip>
Prevent the "Translating..... domain server (255.255.255.255)" messages from appearing:
R1#xxxx
Translating "xxxx"...domain server (255.255.255.255)
(255.255.255.255)
Translating "xxxx"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
R1#
Disable the default behavior of the router that attempts to resolve the invalid command into an IP address: enter the no ip domain lookup command in global configuration mode to disable this feature.
source: https://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/46253-ipdomain-lookup.html
This command stops the messages from being echoed to the console (still sent to syslog).
no logging console
or no log con
Router(config)# hostname <hostname>
Router(config)# enable secret <password>
Router(config)# line console 0
Router(config-line)# password <password>
Router(config-line)# login
Router(config-line)# line vty 0 4
Router(config-line)# password <password>
Router(config-line)# login
Router(config-line)# transport input {ssh|telnet}
Router(config-line)# exit
Router(config)# service password-encryption
Router(config)# banner motd <delimiter> message <delimiter>
Router(config)# end
Router# copy running-config startup-config
Configuration example.
R1> enable
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface gigabitEthernet 0/0/0
R1(config-if)# description Link to LAN
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:10::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 01:43:53.435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Aug 1 01:43:56.447: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Aug 1 01:43:57.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
R1(config)#
R1(config)#
R1(config)# interface gigabitEthernet 0/0/1
R1(config-if)# description Link to R2
R1(config-if)# ip address 209.165.200.225 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:feed:224::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 01:46:29.170: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Aug 1 01:46:32.171: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Aug 1 01:46:33.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
R1(config)#
show ip interface brief
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 192.168.10.1 YES manual up up
GigabitEthernet0/0/1 209.165.200.225 YES manual up up
Vlan1 unassigned YES unset administratively down down
show ipv6 interface brief
R1# show ipv6 interface brief
GigabitEthernet0/0/0 [up/up]
FE80::201:C9FF:FE89:4501
2001:DB8:ACAD:10::1
GigabitEthernet0/0/1 [up/up]
FE80::201:C9FF:FE89:4502
2001:DB8:FEED:224::1
Vlan1 [administratively down/down]
unassigned
R1#
Note:
VLAN 1: default VLAN. The switch is connected to the router via this VLAN. It can be used but cannot be modified or deleted.
Sw3#conf t
Sw3(config)#int FastEthernet0/10
Sw3(config-if)#switchport access vlan 30
Sw3(config-if)#exit
Sw3#conf t
Sw3(config)#int range FastEthernet0/10-15
Sw3(config-if-range)#switchport access vlan 30
Sw3(config-if-range)#exit
Commands | Description |
---|---|
show ip interface brief, show ipv6 interface brief | The output displays all interfaces, their IP addresses, and their current status. The configured and connected interfaces should display a Status of "up" and Protocol of "up". Anything else would indicate a problem with either the configuration or the cabling. |
show ip route, show ipv6 route | Displays the contents of the IP routing tables stored in RAM. |
show interfaces | Displays statistics for all interfaces on the device. However, this command will only display the IPv4 addressing information. |
show ip interface | Displays the IPv4 statistics for all interfaces on a router. |
show ipv6 interface | Displays the IPv6 statistics for all interfaces on a router. |
show vlan | Shows the VLANs. |
Step 1. Verify SSH support
show ip ssh
Step 2. Configure the IP domain
ip domain-name <domain-name>
Step 3. Enable the SSH server on the switch and generate an RSA key pair
crypto key generate rsa
Step 4. Configure local authentication method (user authentication)
username <username> secret <password>
Step 5. Configure the vty lines
line vty 0 15
Step 6. Enable SSH version 2 (ssh v1 has security flaws, switch to ssh v2)
ip ssh version 2
To delete the RSA key pair and disable the ssh server:
crypto key zeroize rsa
line vty 0 4
password 'password'
login local -> (to require local authentication for SSH connections from the local username database)
transport input ssh
exit
check the SSH connections to the device -> show ssh
S1# show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of at least 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
S1# configure terminal
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
...
How many bits in the modulus [512]: 1024
...
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)# exit
S1#
To configure an IPv4 default gateway
ip default-gateway 'ip-address'
To access the switch remotely, an IP address and a subnet mask must be configured on the SVI. To configure an SVI on a switch, use the interface vlan 1 global configuration command.
Sw-Floor-1# configure terminal
Sw-Floor-1(config)# interface vlan 1
Sw-Floor-1(config-if)# ip address 192.168.1.20 255.255.255.0
Sw-Floor-1(config-if)# no shutdown
Sw-Floor-1(config-if)# exit
Sw-Floor-1(config)# ip default-gateway 192.168.1.1
enable
conf t
hostname <name of the router>
line console 0
password cisco
login
exit
enable secret class
service password-encryption
interface g0/0
ip address 192.168.0.1 255.255.255.192
no shutdown
exit
interface g0/1
ip address 192.168.0.65 255.255.255.192
no shutdown
end
copy run start
startup-config
enable
conf t
hostname <name of the switch>
line console 0
password cisco
login
exit
enable secret class
service password-encryption
interface vlan 1
ip address 192.168.0.2 255.255.255.192
no shutdown
exit
ip default-gateway 192.168.0.1
end
copy run start
startup-config
For a Cisco Catalyst 2960
What we'll accomplish here
First we connect to the switch on the serial console port.
First screen
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Wed 26-Jun-13 02:49 by mnguyen
Press RETURN to get started!
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Switch>
Switch>enable
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname Sw3
Sw3(config)#
Sw3(config)#line con 0
Sw3(config-line)#password cisco
Sw3(config-line)#login
Sw3(config-line)#exit
Sw3(config)#
Sw3(config)#
Sw3(config)#enable secret class
Sw3(config)#
Sw3#conf t
Sw3(config)#service password-encryption
Sw3(config)#exit
Sw3(config)#
Sw3(config)#
Sw3(config)#banner motd @
Enter TEXT message. End with the character '@'.
*************************************************************
This is the TSSR isle 3 Switch number 30
Unauthorized access prohibited!
Administrator, please refrain from doing silly things!
*************************************************************
@
Sw3(config)#
copy run start
This step is not needed in our scenario; I still give it here in case of need.
Give an IP address to vlan 1
Sw3(config)#interface vlan 1
Sw3(config-if)#ip address 192.168.1.30 255.255.255.0
Sw3(config-if)#exit
Sw3(config)#
Sw3#conf t
Sw3(config)#vlan 99
Sw3(config-vlan)#name Administration
Sw3(config-vlan)#exit
Sw3(config)#interface vlan 99
Sw3(config-if)#ip address 192.168.99.30 255.255.255.0
Sw3(config-if)#no shut
Sw3(config-if)#^Z
Sw3#
Sw3# show ip interface brief
Sw3(config)#int FastEthernet0/24
Sw3(config-if)#switchport mode access
Sw3(config-if)#switchport access vlan 99
Sw3(config-if)#no shut
Sw3(config-if)#end
copy run start
Now we create two more VLANs and attach them to a specific range of ports.
Sw3#conf t
Sw3(config)#vlan 30
Sw3(config-vlan)#name HR
Sw3(config-vlan)#exit
Sw3(config)#int vlan 30
Sw3(config-if)#ip address 192.168.30.1 255.255.255.0
Sw3(config-if)#no shut
Sw3(config-if)#exit
Sw3(config)#vlan 31
Sw3(config-vlan)#name IT
Sw3(config-vlan)#exit
Sw3(config)#int vlan 31
Sw3(config-if)#ip address 192.168.31.1 255.255.255.0
Sw3(config-if)#no shut
Sw3(config-if)#^Z
Sw3#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gig0/1
Gig0/2
30 VLAN0030 active
31 VLAN0031 active
99 VLAN0099 active Fa0/24
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
Sw3#conf t
Sw3(config)#int range FastEthernet0/10-15
Sw3(config-if-range)#switchport access vlan 30
Sw3(config-if-range)#exit
Sw3(config)#int range FastEthernet0/15-20
Sw3(config-if-range)#switchport access vlan 31
Sw3(config-if-range)#end
Sw3#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/21, Fa0/22, Fa0/23
Gig0/1, Gig0/2
30 VLAN0030 active Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14
31 VLAN0031 active Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20
99 VLAN0099 active Fa0/24
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
copy run start
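An added example (not from these notes and not IOS code) that replays the two interface range commands above to show why Fa0/15 ends up in VLAN 31: the ranges 0/10-15 and 0/15-20 overlap, and the later command wins. ALL_PORTS and LAB are constructed here to match this switch; the overlap report is what a reviewer would want before the change reaches the device.

```python
import re

# All access ports of the 2960 in the lab above; every port starts in VLAN 1.
ALL_PORTS = [f"Fa0/{n}" for n in range(1, 25)] + ["Gig0/1", "Gig0/2"]
# The lab's commands in the order they were typed (0/15 is in both ranges).
LAB = [("FastEthernet0/24", 99), ("FastEthernet0/10-15", 30), ("FastEthernet0/15-20", 31)]

def expand_range(spec):
    """'FastEthernet0/10-15' -> ['Fa0/10', ..., 'Fa0/15']; a single port is allowed."""
    m = re.fullmatch(r"(FastEthernet|GigabitEthernet)(\d+)/(\d+)(?:-(\d+))?", spec)
    if not m:
        raise ValueError(f"unsupported interface spec: {spec}")
    short = {"FastEthernet": "Fa", "GigabitEthernet": "Gig"}[m.group(1)]
    lo = int(m.group(3))
    hi = int(m.group(4)) if m.group(4) else lo
    return [f"{short}{m.group(2)}/{n}" for n in range(lo, hi + 1)]

def apply_assignments(ports, assignments):
    """Replay (spec, vlan) commands the way IOS does: the last command to touch
    a port wins. Returns the final membership plus every port that was moved
    away from a non-default VLAN, which is how overlapping ranges show up."""
    membership = {p: 1 for p in ports}
    overlaps = []
    for spec, vlan in assignments:
        for port in expand_range(spec):
            if membership[port] not in (1, vlan):
                overlaps.append((port, membership[port], vlan))
            membership[port] = vlan
    return membership, overlaps

def vlan_table(membership):
    """Group ports by VLAN, in port order, like the Ports column of 'show vlan'."""
    table = {}
    for port, vlan in membership.items():
        table.setdefault(vlan, []).append(port)
    return table
```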
Sw3#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
Sw3(config)#ip domain-name tssr.com
Sw3(config)#crypto key generate rsa
The name for the keys will be: Sw3.tssr.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Sw3(config)#username admin secret class
*Mar 1 1:31:43.501: %SSH-5-ENABLED: SSH 1.99 has been enabled
Sw3(config)#line vty 0 15
Sw3(config-line)#transport input ssh
Sw3(config-line)#login local
Sw3(config-line)#exit
Sw3(config)#ip ssh version 2
Sw3(config)#exit
Sw3#
copy run start
Sw3#show run
Building configuration...
Current configuration : 2122 bytes
!
version 15.0
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Sw3
!
no logging console
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
ip ssh version 2
ip domain-name tssr.com
!
username admin secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
switchport access vlan 30
!
interface FastEthernet0/11
switchport access vlan 30
!
interface FastEthernet0/12
switchport access vlan 30
!
interface FastEthernet0/13
switchport access vlan 30
!
interface FastEthernet0/14
switchport access vlan 30
!
interface FastEthernet0/15
switchport access vlan 31
!
interface FastEthernet0/16
switchport access vlan 31
!
interface FastEthernet0/17
switchport access vlan 31
!
interface FastEthernet0/18
switchport access vlan 31
!
interface FastEthernet0/19
switchport access vlan 31
!
interface FastEthernet0/20
switchport access vlan 31
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
no ip address
!
interface Vlan31
ip address 192.168.30.31 255.255.255.0
!
interface Vlan99
ip address 192.168.99.30 255.255.255.0
!
banner motd ^C
*************************************************************
This is the TSSR isle 3 Switch number 30
Unauthorized access prohibited!
Administrator, please refrain from doing silly things!
*************************************************************
^C
!
!
!
line con 0
password 7 0822455D0A16
login
!
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
!
!
!
end
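An added example (not from these notes, Cisco, or the switch) that audits a saved show running-config dump for the settings the hardening steps above set: service password-encryption, enable secret rather than enable password, ssh-only vty lines with login local, and ip ssh version 2, while flagging type 7 passwords as the reversible "weak encryption" the page mentions. HARDENED mirrors the Sw3 output above (hash and type 7 string copied from it) and WEAK is a constructed before state; both are constructed inputs.

```python
# Constructed sample in the shape of this page's Sw3 'show run' output
# (the hash and the type 7 string are copied from that output).
HARDENED = """\
service password-encryption
enable secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
ip ssh version 2
username admin secret 5 $1$mERr$9cTjUIEqNGurQiFU.ZeCi1
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
end
"""
WEAK = """\
enable password class
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
end
"""

def parse_blocks(text):
    """(header, [children]) pairs: a column-0 line opens a block, indented lines belong to it."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    out = []
    if "service password-encryption" not in headers:
        out.append("global: service password-encryption missing, line passwords stored in clear")
    if not any(h.startswith("enable secret ") for h in headers):
        out.append("global: no enable secret, privileged EXEC has no hashed password")
    if any(h.startswith("enable password ") for h in headers):
        out.append("global: enable password present (type 0/7, reversible)")
    if "ip ssh version 2" not in headers:
        out.append("global: ip ssh version 2 missing, SSHv1 may be negotiated")
    for header, children in blocks:
        if header.startswith("line "):
            if any(c.startswith("password 7 ") for c in children):
                out.append(f"{header}: type 7 password (reversible, only hides it from onlookers)")
            elif any(c.startswith("password ") for c in children):
                out.append(f"{header}: plaintext password")
        if header.startswith("line vty"):
            if [c for c in children if c.startswith("transport input")] != ["transport input ssh"]:
                out.append(f"{header}: transport input not restricted to ssh")
            if "login local" not in children:
                out.append(f"{header}: no login local, no per-user authentication")
    return out
```

Run audit() over the output of show run captured from the device; the only finding left on the hardened config is the type 7 console password, which is what service password-encryption produces and why the page calls it weak.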
enable
conf t
no log con
hostname Sw3
line con 0
password cisco
login
exit
enable secret class
service password-encryption
banner motd @
*************************************************************
This is the TSSR isle 3 Switch number 30
Unauthorized access prohibited!
Administrator, please refrain from doing silly things!
*************************************************************
@
vlan 99
name Administration
exit
int vlan 99
ip address 192.168.99.30 255.255.255.0
no shut
exit
int FastEthernet 0/24
description ADMINISTRATION_ACCESS
switchport access vlan 99
no shut
exit
vlan 30
name HR
exit
vlan 31
name IT
exit
int vlan 30
ip address 192.168.30.1 255.255.255.0
no shut
exit
int vlan 31
ip address 192.168.31.1 255.255.255.0
no shut
exit
int range FastEthernet 0/10-15
description TSSR_3_1
switchport access vlan 30
exit
int range FastEthernet 0/15-20
description TSSR_3_2
switchport access vlan 31
exit
ip domain-name tssr.com
crypto key generate rsa
1024
username admin secret class
line vty 0 15
transport input ssh
login local
exit
ip ssh version 2
exit