June 4, 2019 at 18:52Training Cisco 200-125 CCNA v3.0. Day 9. The physical world of switches. Part 1
- Transfer
- Tutorial
In the last video tutorial, we talked about configuring switches, but now we’ll look at how they interact with other devices and how in practice they connect to each other. We will not waste time and immediately turn to the topic of today's lesson. First of all, I want to talk about topology: we have two different topologies - physical and logical.
The difference between them is very simple, and there is one important thing that you must learn about before diving into the real world of networking. Let me take a pen and draw a route from Dubai to New York on this map. What I drew is not a ground trip, but an air flight. Logically, you just make a trip from Dubai to New York, but physically everything is not so simple - first you have to go to the airport and get a ticket. You can book it online or buy it at the box office, you can use a credit card or cash to buy it, you can go to the airport by taxi or by your own car and leave it at the airport. Then your ticket must be checked, you must go through customs control, that is, you will have to do many different things before getting on board the plane. After that, you will fly to New York, and a similar procedure will be repeated there - passing control, getting luggage, you can hire a taxi or ask friends to pick you up from the airport to finally get to your destination. This is how you can imagine the difference between the logical and physical network topology.
If you look at the following figure, you can see how people imagine the network.
The computer is connected to the hub, the hub with the switch, the switch to another computer. On the right, 2 computers are connected to the switch, and on the left two computers are connected to the hub, while the hub and the switch are connected to each other. This is the logical network topology.
If you use the Cisco Packet Tracer program shown in the picture, then the Logical button will be located at the top left, by clicking on which you can see the logical topology of your network. If I click on the Physical button next to it, I will see the physical network topology. To do this, from the “Physical Device Location” menu, I select the Rack - “Rack” option and a Cisco rack will appear in front of me, on which my switch and hub are located.
I want to show you an image of a real rack, which I just took from the Internet, so I do not have any rights to it. Above you see a link to the site, where I got this picture.
In this rack, several Cisco devices are mounted and fixed, which are then connected to each other to create the network of the desired configuration. This is what the physical topology of the network looks like, and you can add the devices you need to any free compartment of the rack, grouping them by type - a switch above the switch, a hub next to the hub, etc. You can then build your network simply by connecting devices in a rack with cables. In our figure, the green cable connects the hub to the PC0 and PC1 computers, and the orange cable connects the hub to one of the switch ports. Another green cable connects the switch to a third PC2 computer. Thus, many devices are attached to the switch.
This is what the physical network topology is all about. As soon as you add new devices to the logical topology of the network, they will immediately appear on the tab of the Physical program (physical devices) already installed on the Cisco rack.
I want you to understand the difference between the physical and logical topology of the network, because most often when network problems occur, you have exactly the same connection as shown in the logical topology diagram. But if you come to a new place of work, then you do not have a logical topology that you can refer to. You work with the physical network topology, you go to the server and look at all these devices installed in the rack. In order to make a network of them, you must use various protocols, for example, VTP, which we will talk about in one of the following video tutorials. You use these protocols to determine which devices are connected to which ports. You can define this physically and try to create a logical topology. That’s basically what I wanted to tell,
Let's do what we learned in the previous lesson, so I will go over these 10 commands, or 10 basic switch configuration settings, which we must perform for any new device.
In the case of the above example of the logical topology of the network, you must configure the hub and switch so that they can interact with our 4 computers. Let's start with the switch, to do this, click on it and enter the command line terminal.
First, configure the host name and name it SW1. Next, we must create a welcome banner on which we write the following phrase: “Do not enter! This is a dangerous switch! You will be held accountable for this! ”
After the previous lesson, many people ask me why you need to use the ampersand in the parameters of the banner line. You can not use &, use any other character, enclosing it in quotation marks. The basic rule when creating a banner is not to use this character, enclosed in quotation marks, as the initial character for the banner text. If I print an ampersand in front of the lower field of asterisks, only the text located above this ampersand is saved, and everything that is below it will not be remembered by the system. Thus, if I want to use the ampersand & in my text, I must set a different character, for example, the closing bracket “)” as the label for the end of the banner text, placing it in quotation marks instead of &.
I will show it in the following example - I will set the symbol “)”, and then I will print a new banner text and end the bottom row of asterisks with this closing bracket. If now I press “Enter”, then the entire banner text in front of this bracket will be automatically saved. Thus, if you want to end your message with a character, just do not start the message with that character.
So, we have created a welcome banner and now we can proceed to setting a password on the console. To do this, we type line con 0 at the command line, because the console is a communication line, and we only have one console port, so we will designate the console with zero. I need to set a password on the console, so first I type in the password console on the command line and assign the cisco password, and in the next line I still need to enter the word login. What does this login mean?
If I type the no login command now, many people will think that this will mean that there is no password for the console and will be completely wrong! Login means just checking the password that the user enters. If I type no login, this check will not be performed, but this does not mean that we will not have a password. Login is like a door guard who asks anyone for a password, and if the password is incorrect, they will not let him in. The absence of a login means that the “entrance door” of the console port will be open all the time for any traffic that will pass through the port without asking for a password.
For any Cisco device, by default, the console port is open, and anyone who connects to it can go into the device’s settings. Therefore, you need to configure the console port of the switch so as to prevent unauthorized access to it, that is, enter the login command.
Next, we need to set a password on Telnet. This is a virtual communication line, so I print line vty and since the numbering of these lines can be from 0 to 15, you can assign from 0 to 4 or from 0 to 15 of these lines. I select a value from 0 to 4. Next, we proceed in the same way as assigning a password to the console: I assign a password with the password telnet command and type login in the next line to ensure it is verified. This means that anyone who tries to connect to the switch via Telnet will have to enter the correct password.
Next, I enter the do sh run command to look at the current device configuration. We have 16 Telnet lines, and for the lines of the first part of the range from 0 to 4, we have a telnet password and login, and for the second part from 5 to 15 of the virtual line there is only a login. The question is why we have a separation of parameters for lines 0-4 and 5-15. If you think that this was due to the fact that I chose only four working lines, then this is not entirely wrong.
Now I will explain to you. In total, we have 16 virtual lines from 0 to 15, and for the Cisco switch, this means that 16 users can connect to it at the same time. If I enter the line vty 0 15 command, it means that I assign a password to all 16 users.
Now I will set a password and login for all 16 lines, and if you look at the configuration, you will see that now we have a password and login for both lines 0-4 and lines 5-15.
What does it mean? As I said, 16 people will be able to connect to the switch using the telnet password, but the difference between 0-4 and 5-15 exists because most older models of Cisco switches have only 5 virtual lines from 0 to 4, and only new models there are all 16 virtual lines 0-15. Therefore, Cisco believes that if you assign one password to all 16 lines, this may cause a problem. It may happen that you copy the configuration settings of one device and want to transfer it to other devices. But if you try to use the switch settings with 16 lines for a switch with 5 lines, the command will not be accepted. Therefore, Cisco advises - even if you use a switch with 16 virtual lines, use separate telnet password and login settings for lines 0-4 and lines 5-16, so that you don’t have problems with older switch models, because the command for the line vty 0 4 parameter is compatible with all models. The second part, line vty 0 15, is applicable only to new devices.
Thus, if you copy the settings of the new switch and want to apply them to the switch of the old model, you only copy the lines:
line vty 0 4
password telnet
login
Because the new switches will not understand the command for virtual lines 5-15, since they only have 5 lines. This is the reason why Telnet configuration is divided into 2 parts.
If I want all Telnet lines to be accessible to any user, I use the commands:
line vty 0 15
no login
But this is not what we need - we, on the contrary, want to protect the switch from unauthorized access. I will show you how to do this in a minute, for now, we need to configure the IP for our switch. To do this, I use the int vlan 1 command and add the IP address and subnet mask: add 10.1.1.1 255.255.255.0, committing the changes with the no sh (no shutdown) command.
Now let's go back to the logical topology scheme and configure the IP address using the first PC0 computer.
To do this, I enter the necessary parameters in the network settings window of the computer. We do not need to enter the default gateway parameters, since we have only 1 network.
Next, I check whether the switch responds and make sure that everything works as it should. The fact that the first request generated a timeout error is explained by the fact that our computer turned to the device without knowing its MAC address, and subsequent requests were successful. So, I type ping 10.1.1.10 on the command line and see the welcome banner of the switch - this means that I connected to it.
At the same time, the switch did not ask me for the password, because we left the Telnet line open - if you look at the switch configuration, you can see that for all lines from 0 to 15, the no login parameter is used, that is, anyone can connect to this switch via Telnet protocol just by using its IP address. If we now enter the en (enable) command to proceed with setting the parameters, we will see the message% No password set - “Password not set”. This is one of the security mechanisms of Cisco, which requires that the user knows the password, allowing configuration of the switch.
Therefore, we will go to the switch settings configuration window and use the enable password enable command, where the word enable will be our password. If now enter this word in the computer command line terminal, then we will get access to the switch settings, as evidenced by the appearance of the line SW1 #.
Thus, the Cisco security mechanism ensures that even if we do not activate the enable password request function, we will still be unable to access the switch settings.
Let me remind you that if you go to the CLI tab of the Cisco Packet Tracer program, you can configure access through the console port. Thus, if you enter the device through the console port and do not provide password access, this will not be a problem, because you can activate the password request later when you configure the entire configuration. But if you enter the switch through a virtual Telnet line, you will not get access to the settings if you do not use the enable password command in the switch settings first.
Since we do not want any Telnet user to have access to the settings, we must create a password. Suppose we are going to use only 1 virtual line, so we enter the line vty 0 command. This will mean that the enable password parameter will be valid only for this single line. Next, I enter the password check - the word login, in the next line I type password telnet and then exit.
For all other 15 lines from 1 to 15, I will enter the no password and login parameter.
What does this mean? If I ask the system again to show me the configuration of the switch with the sh run command, I will see the following: for the vty 0 line we have both a password and a login, and for lines 1-4 the login is activated, this is our “guard”, but the password is not set . This means that you can enter any password to enter the switch settings. At the same time, messages are displayed on the screen in which it says: "Logging into the system through such and such a line is impossible until a password is set."
Now, if I go to the command prompt window of the computer and enter telnet 10.1.1.10, I will see a welcome banner asking me to enter a password. Let's go back to the logical topology and configure the network for the second computer, PC1, by entering the IP address 10.1.1.2 and the subnet mask 255.255.255.0. We will not touch the default gateway, because we have only one network, and then we ping the switch to make sure that the connection is established.
If now we try to enter the switch settings from the second computer using the telnet 10.1.1.10 command, we will not succeed - the system will display a message that the connection is already in use by another host, since we have only one Telnet line at number 0.
If you look at the command line terminal, we will see that line 0 is already occupied by another device, and until I disconnect it, the new device will not be able to connect to the switch.
Now I will type the exit command to disconnect, enter the telnet 10.1.1.10 command again in the command prompt window of the second computer, and as you can see, now it was able to connect to the switch. Now I enter the word telnet as a password and can enter the device settings.
If I want several devices to be able to connect to the switch at the same time, I have to configure it accordingly.
So, we set the parameters Telnet password and Enable password, and now let's move on to IP address management - IP management. If we want to contact a device belonging to another network, our switch must know how this can be done. Therefore, we return to the computer’s network settings and assign a default gateway by assigning our network router the IP address 10.1.1.100. Using this address, our device will be able to communicate with devices located outside the 10.1.1.2/24 network.
If our computer wants to connect to a device whose first three octets of IP address will be other than 10.1.1, the switch organizes this connection through a default gateway with an IP address of 10.1.1.100. If you recall our example with hotels, you will immediately understand what it is about - if you want to go to another hotel, you will need to leave your hotel through the front door.
24:20 min
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analogue of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
Dell R730xd 2 times cheaper? Only we have 2 x Intel TetraDeca-Core Xeon 2x E5-2697v3 2.6GHz 14C 64GB DDR4 4x960GB SSD 1Gbps 100 TV from $ 199 in the Netherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - from $ 99! Read aboutHow to build the infrastructure of the building. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?
The difference between them is very simple, and there is one important thing that you must learn about before diving into the real world of networking. Let me take a pen and draw a route from Dubai to New York on this map. What I drew is not a ground trip, but an air flight. Logically, you just make a trip from Dubai to New York, but physically everything is not so simple - first you have to go to the airport and get a ticket. You can book it online or buy it at the box office, you can use a credit card or cash to buy it, you can go to the airport by taxi or by your own car and leave it at the airport. Then your ticket must be checked, you must go through customs control, that is, you will have to do many different things before getting on board the plane. After that, you will fly to New York, and a similar procedure will be repeated there - passing control, getting luggage, you can hire a taxi or ask friends to pick you up from the airport to finally get to your destination. This is how you can imagine the difference between the logical and physical network topology.
If you look at the following figure, you can see how people imagine the network.
The computer is connected to the hub, the hub with the switch, the switch to another computer. On the right, 2 computers are connected to the switch, and on the left two computers are connected to the hub, while the hub and the switch are connected to each other. This is the logical network topology.
If you use the Cisco Packet Tracer program shown in the picture, then the Logical button will be located at the top left, by clicking on which you can see the logical topology of your network. If I click on the Physical button next to it, I will see the physical network topology. To do this, from the “Physical Device Location” menu, I select the Rack - “Rack” option and a Cisco rack will appear in front of me, on which my switch and hub are located.
I want to show you an image of a real rack, which I just took from the Internet, so I do not have any rights to it. Above you see a link to the site, where I got this picture.
In this rack, several Cisco devices are mounted and fixed, which are then connected to each other to create the network of the desired configuration. This is what the physical topology of the network looks like, and you can add the devices you need to any free compartment of the rack, grouping them by type - a switch above the switch, a hub next to the hub, etc. You can then build your network simply by connecting devices in a rack with cables. In our figure, the green cable connects the hub to the PC0 and PC1 computers, and the orange cable connects the hub to one of the switch ports. Another green cable connects the switch to a third PC2 computer. Thus, many devices are attached to the switch.
This is what the physical network topology is all about. As soon as you add new devices to the logical topology of the network, they will immediately appear on the tab of the Physical program (physical devices) already installed on the Cisco rack.
I want you to understand the difference between the physical and logical topology of the network, because most often when network problems occur, you have exactly the same connection as shown in the logical topology diagram. But if you come to a new place of work, then you do not have a logical topology that you can refer to. You work with the physical network topology, you go to the server and look at all these devices installed in the rack. In order to make a network of them, you must use various protocols, for example, VTP, which we will talk about in one of the following video tutorials. You use these protocols to determine which devices are connected to which ports. You can define this physically and try to create a logical topology. That’s basically what I wanted to tell,
Let's do what we learned in the previous lesson, so I will go over these 10 commands, or 10 basic switch configuration settings, which we must perform for any new device.
In the case of the above example of the logical topology of the network, you must configure the hub and switch so that they can interact with our 4 computers. Let's start with the switch, to do this, click on it and enter the command line terminal.
First, configure the host name and name it SW1. Next, we must create a welcome banner on which we write the following phrase: “Do not enter! This is a dangerous switch! You will be held accountable for this! ”
After the previous lesson, many people ask me why you need to use the ampersand in the parameters of the banner line. You can not use &, use any other character, enclosing it in quotation marks. The basic rule when creating a banner is not to use this character, enclosed in quotation marks, as the initial character for the banner text. If I print an ampersand in front of the lower field of asterisks, only the text located above this ampersand is saved, and everything that is below it will not be remembered by the system. Thus, if I want to use the ampersand & in my text, I must set a different character, for example, the closing bracket “)” as the label for the end of the banner text, placing it in quotation marks instead of &.
I will show it in the following example - I will set the symbol “)”, and then I will print a new banner text and end the bottom row of asterisks with this closing bracket. If now I press “Enter”, then the entire banner text in front of this bracket will be automatically saved. Thus, if you want to end your message with a character, just do not start the message with that character.
So, we have created a welcome banner and now we can proceed to setting a password on the console. To do this, we type line con 0 at the command line, because the console is a communication line, and we only have one console port, so we will designate the console with zero. I need to set a password on the console, so first I type in the password console on the command line and assign the cisco password, and in the next line I still need to enter the word login. What does this login mean?
If I type the no login command now, many people will think that this will mean that there is no password for the console and will be completely wrong! Login means just checking the password that the user enters. If I type no login, this check will not be performed, but this does not mean that we will not have a password. Login is like a door guard who asks anyone for a password, and if the password is incorrect, they will not let him in. The absence of a login means that the “entrance door” of the console port will be open all the time for any traffic that will pass through the port without asking for a password.
For any Cisco device, by default, the console port is open, and anyone who connects to it can go into the device’s settings. Therefore, you need to configure the console port of the switch so as to prevent unauthorized access to it, that is, enter the login command.
Next, we need to set a password on Telnet. This is a virtual communication line, so I print line vty and since the numbering of these lines can be from 0 to 15, you can assign from 0 to 4 or from 0 to 15 of these lines. I select a value from 0 to 4. Next, we proceed in the same way as assigning a password to the console: I assign a password with the password telnet command and type login in the next line to ensure it is verified. This means that anyone who tries to connect to the switch via Telnet will have to enter the correct password.
Next, I enter the do sh run command to look at the current device configuration. We have 16 Telnet lines, and for the lines of the first part of the range from 0 to 4, we have a telnet password and login, and for the second part from 5 to 15 of the virtual line there is only a login. The question is why we have a separation of parameters for lines 0-4 and 5-15. If you think that this was due to the fact that I chose only four working lines, then this is not entirely wrong.
Now I will explain to you. In total, we have 16 virtual lines from 0 to 15, and for the Cisco switch, this means that 16 users can connect to it at the same time. If I enter the line vty 0 15 command, it means that I assign a password to all 16 users.
Now I will set a password and login for all 16 lines, and if you look at the configuration, you will see that now we have a password and login for both lines 0-4 and lines 5-15.
What does it mean? As I said, 16 people will be able to connect to the switch using the telnet password, but the difference between 0-4 and 5-15 exists because most older models of Cisco switches have only 5 virtual lines from 0 to 4, and only new models there are all 16 virtual lines 0-15. Therefore, Cisco believes that if you assign one password to all 16 lines, this may cause a problem. It may happen that you copy the configuration settings of one device and want to transfer it to other devices. But if you try to use the switch settings with 16 lines for a switch with 5 lines, the command will not be accepted. Therefore, Cisco advises - even if you use a switch with 16 virtual lines, use separate telnet password and login settings for lines 0-4 and lines 5-16, so that you don’t have problems with older switch models, because the command for the line vty 0 4 parameter is compatible with all models. The second part, line vty 0 15, is applicable only to new devices.
Thus, if you copy the settings of the new switch and want to apply them to the switch of the old model, you only copy the lines:
line vty 0 4
password telnet
login
Because the new switches will not understand the command for virtual lines 5-15, since they only have 5 lines. This is the reason why Telnet configuration is divided into 2 parts.
If I want all Telnet lines to be accessible to any user, I use the commands:
line vty 0 15
no login
But this is not what we need - we, on the contrary, want to protect the switch from unauthorized access. I will show you how to do this in a minute, for now, we need to configure the IP for our switch. To do this, I use the int vlan 1 command and add the IP address and subnet mask: add 10.1.1.1 255.255.255.0, committing the changes with the no sh (no shutdown) command.
Now let's go back to the logical topology scheme and configure the IP address using the first PC0 computer.
To do this, I enter the necessary parameters in the network settings window of the computer. We do not need to enter the default gateway parameters, since we have only 1 network.
Next, I check whether the switch responds and make sure that everything works as it should. The fact that the first request generated a timeout error is explained by the fact that our computer turned to the device without knowing its MAC address, and subsequent requests were successful. So, I type ping 10.1.1.10 on the command line and see the welcome banner of the switch - this means that I connected to it.
At the same time, the switch did not ask me for the password, because we left the Telnet line open - if you look at the switch configuration, you can see that for all lines from 0 to 15, the no login parameter is used, that is, anyone can connect to this switch via Telnet protocol just by using its IP address. If we now enter the en (enable) command to proceed with setting the parameters, we will see the message% No password set - “Password not set”. This is one of the security mechanisms of Cisco, which requires that the user knows the password, allowing configuration of the switch.
Therefore, we will go to the switch settings configuration window and use the enable password enable command, where the word enable will be our password. If now enter this word in the computer command line terminal, then we will get access to the switch settings, as evidenced by the appearance of the line SW1 #.
Thus, the Cisco security mechanism ensures that even if we do not activate the enable password request function, we will still be unable to access the switch settings.
Let me remind you that if you go to the CLI tab of the Cisco Packet Tracer program, you can configure access through the console port. Thus, if you enter the device through the console port and do not provide password access, this will not be a problem, because you can activate the password request later when you configure the entire configuration. But if you enter the switch through a virtual Telnet line, you will not get access to the settings if you do not use the enable password command in the switch settings first.
Since we do not want any Telnet user to have access to the settings, we must create a password. Suppose we are going to use only 1 virtual line, so we enter the line vty 0 command. This will mean that the enable password parameter will be valid only for this single line. Next, I enter the password check - the word login, in the next line I type password telnet and then exit.
For all other 15 lines from 1 to 15, I will enter the no password and login parameter.
What does this mean? If I ask the system again to show me the configuration of the switch with the sh run command, I will see the following: for the vty 0 line we have both a password and a login, and for lines 1-4 the login is activated, this is our “guard”, but the password is not set . This means that you can enter any password to enter the switch settings. At the same time, messages are displayed on the screen in which it says: "Logging into the system through such and such a line is impossible until a password is set."
Now, if I go to the command prompt window of the computer and enter telnet 10.1.1.10, I will see a welcome banner asking me to enter a password. Let's go back to the logical topology and configure the network for the second computer, PC1, by entering the IP address 10.1.1.2 and the subnet mask 255.255.255.0. We will not touch the default gateway, because we have only one network, and then we ping the switch to make sure that the connection is established.
If now we try to enter the switch settings from the second computer using the telnet 10.1.1.10 command, we will not succeed - the system will display a message that the connection is already in use by another host, since we have only one Telnet line at number 0.
If you look at the command line terminal, we will see that line 0 is already occupied by another device, and until I disconnect it, the new device will not be able to connect to the switch.
Now I will type the exit command to disconnect, enter the telnet 10.1.1.10 command again in the command prompt window of the second computer, and as you can see, now it was able to connect to the switch. Now I enter the word telnet as a password and can enter the device settings.
If I want several devices to be able to connect to the switch at the same time, I have to configure it accordingly.
So, we set the parameters Telnet password and Enable password, and now let's move on to IP address management - IP management. If we want to contact a device belonging to another network, our switch must know how this can be done. Therefore, we return to the computer’s network settings and assign a default gateway by assigning our network router the IP address 10.1.1.100. Using this address, our device will be able to communicate with devices located outside the 10.1.1.2/24 network.
If our computer wants to connect to a device whose first three octets of IP address will be other than 10.1.1, the switch organizes this connection through a default gateway with an IP address of 10.1.1.100. If you recall our example with hotels, you will immediately understand what it is about - if you want to go to another hotel, you will need to leave your hotel through the front door.
24:20 min
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analogue of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
Dell R730xd 2 times cheaper? Only we have 2 x Intel TetraDeca-Core Xeon 2x E5-2697v3 2.6GHz 14C 64GB DDR4 4x960GB SSD 1Gbps 100 TV from $ 199 in the Netherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - from $ 99! Read aboutHow to build the infrastructure of the building. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?