June 3, 2019 at 18:52Training Cisco 200-125 CCNA v3.0. Day 8. Switch setup
- Transfer
- Tutorial
Welcome to the world of switches! Today we’ll talk about switches. Suppose you are a network administrator and are in the office of a new company. A manager comes up to you with a switch “out of the box” and asks to configure it. You might have thought that we are talking about a conventional electric switch (in English, the word switch means both a network switch and an electric switch - approx. Translator), but this is not so - I mean a network switch, or a Cisco switch.
So, the manager gives you the new Cisco switch, which has many interfaces. It can be 8.16 or a 24-port switch. In this case, the slide shows the switch, which has 48 ports in front, divided into 4 sections of 12 ports. As we know from previous lessons, there are several more interfaces behind the switch, one of which is the console port. The console port is used for external access to the device and allows you to see how the switch operating system loads.
We have already discussed the case when you want to help your colleague and use remote desktop. You connect to his computer, make changes, but if you want your friend to restart the computer, you will lose access and will not be able to watch what happens on the screen at the time of loading. This problem occurs if you do not have external access to this device and you are connected to it only over the network.
But if you have offline access, you can see the boot screen, unpacking iOS, and other processes. Another way to access this device is to connect to any of the front ports. If you have configured IP address management on this device, as will be shown in this video, you can access it via Telnet. The problem is that you will lose this access as soon as the device turns off.
Let's see how you can perform the initial setup of a new switch. Before proceeding directly to configuration, we need to introduce some basic rules.
For most of the video tutorials, I used GNS3, an emulator that allows you to emulate the Cisco IOS operating system. In many cases, I need more than one device, for example, if I show how routing is done. In this case, I may need, for example, four devices. Instead of buying physical devices, I can use the operating system of one of my devices, connect it to GNS3 and emulate this iOS on multiple instances of virtual devices.
Therefore, I do not need to physically have five routers, I can only have one router. I can use the operating system on my computer, install the emulator and get 5 instances of devices. In the following video tutorials, we will look at how to do this, but for today the problem of using the GNS3 emulator is that it cannot be used to emulate a switch because the Cisco switch has ASIC hardware chips. This is a special integrated circuit, which, in fact, makes the switch a switch, so you can not just emulate this hardware function.
In general, the GNS3 emulator helps to work with the switch, but there are some functions that cannot be implemented using it. So for this tutorial and some other videos, I used other Cisco software called Cisco Packet Tracer. Do not ask me how to access the Cisco Packet Tracer, you can learn about it using Google, I can only say that you must be a member of Network Academy to obtain such access.
You can have access to the Cisco Packet Tracer, you can have access to a physical device or to GNS3, you can use any of these tools while studying the Cisco ICND course. You can use GNS3 if you have a router, an operating system and a switch, and it will work without problems, you can use a physical device, or Packet Tracer - just decide what suits you best.
But in my video tutorials I’m going to use Packet Tracer, so I’ll have a couple of videos, one exclusively for Packet Tracer and one exclusively for GNS3, I will post them soon, in the meantime we will use Packet Tracer. This is how it looks. If you also have access to Network Academy, you can access this program, and if not, you can use other tools.
So, since today we are talking about switches, I will check the Switches item, select the model of the 2960 series switch and drag its icon into the program window. If I double-click on this icon, I will go to the command line interface.
Next, I see how the switch operating system loads.
If you take a physical device and connect it to a computer, you will see exactly the same picture of Cisco IOS boot. You see that the operating system has been unpacked, and you can read some restrictions on the use of the software and the license agreement, copyright information ... all this is displayed in this window.
Next, the platform on which the OS is running will be shown, in this case the switch WS-C2690-24TT, and all the hardware functions will be displayed. The version of the program is also displayed here. Next, we go directly to the command line, if you remember, here we have tips for the user. For example, the symbol (>) prompts you to enter a command. From the video tutorial “Day 5”, you know that this is the initial, lowest mode of access to the device settings, the so-called EXEC user mode. This access can be obtained on any Cisco device.
If you use Packet Tracer, you get off-line OOB access to the device and you can track how the device loads. This program simulates access to a switch through a console port. How do you switch from user EXEC mode to privileged EXEC mode? You print the “enable” command and press “Enter”, you could also use the hint just by typing “en” and getting possible variants of commands starting with these letters. If you just enter the letter “e”, the device will not understand what you mean, because there are three commands starting with “e”, but if I type “en”, the system will understand that the only word starting with these two letters is this is enable. Thus, by entering this command, you will gain access to the privileged mode Exec.
In this mode, we can do everything that was shown on the second slide - change the host name, set the login banner, Telnet password, enable password entry, configure the IP address, set the default gateway, give the command to disconnect the device, cancel the entered previous commands and save your configuration changes.
These are the 10 basic commands that you use when initiating a device. To enter these parameters, it is necessary to use the global configuration mode, which we will now switch to.
So, the first parameter is the host name, it applies to the entire device, so its change is made in the global configuration mode. To do this, we enter the Switch (config) # parameter on the command line. If I want to change the host name, I enter NetworKing hostname in this line, press “Enter”, and I see that the Switch device name has changed to NetworKing. If you connect this switch to a network where there are already many other devices, this name will serve as its identifier among other network devices, so try to come up with a unique name with meaning for your switch. So, if this switch is installed, say, in the administrator’s office, then you can name it AdminFloor1Room2. Thus, if you give the device a logical name, it will be very easy for you to determine which switch you are connecting to. It is important,
The following is the Logon Banner parameter. This is the first thing anyone who enters into this device with a login will see it. This parameter is set using the #banner command. You can then enter the abbreviation motd, Message of The Day, or "message of the day." If I enter a question mark in the line, I get a message of the form: LINE with banner-text c.
This looks confusing, but just means that you can enter text from any character except “c,” which in this case is a separating character. So, let's start with the ampersand (&). I press “Enter”, and the system writes that now you can enter any text for the banner and end it with the same character (&) with which the line begins. So I started with an ampersand and should end my message with an ampersand.
I will start my banner with a line of asterisks (*), and in the next line I will write “The most dangerous switch! Do not enter"! I think it's cool, anyone will be scared when they see such a welcome banner.
This is my "message of the day." To check how it looks on the screen, I press CTRL + Z to switch from global mode to privileged EXEC mode, from where I can exit settings mode. This is how my message looks on the screen and this is how anyone who logs in to this switch will see it. This is what is called the login banner. You can be creative and write anything you want, but I advise you to approach this with all seriousness. I mean that some people instead of reasonable text posted pictures of symbols that did not carry any semantic meaning as a welcome banner. Nothing can stop you from doing this kind of “creativity”, just remember that with extra characters you overload the device’s memory (RAM) and the configuration file that is used to start the system.
Next, we will consider the password for the Console Password console. It prevents random people from entering the device. Suppose you left the device open. If I am a hacker, I’ll connect my laptop using the console cable to the switch, use the console to enter the switch and change the password or do something else malicious. But if you use the password on the console port, then I can only log in with this password. You don’t want anyone to just log into the console and change something in the settings of your switch. So, let's first look at the current configuration.
Since I'm in config mode, I can enter do sh run commands. The show run command is an EXEC privileged mode command. If I want to enter global mode from this mode, I must use the do command. If we look at the console line, we will see that by default there is no password and line con 0 is displayed. This line is located in one section, and below is another section of the configuration file.
Since there is nothing in the “line console” section, this means that when I connect to the switch through the console port, I will get direct access to the console. Now, if you enter “end”, you can go back to privileged mode and switch to user mode from it. If I press "Enter" now, I’ll get directly into the command prompt mode, because there is no password, otherwise the program would ask me to enter it to enter the configuration settings.
So, press “Enter” and print line con 0 in the line, because in Cisco devices everything starts from scratch. Since we have only one console, it is denoted by the abbreviation "con". Now, in order to assign a password, for example, the word “Cisco”, we need to print the password cisco command in the NetworKing (config-line) # line and press Enter.
Now we have set a password, but for now, something is missing. Let's try again and exit the settings. Despite the fact that we have set a password, the system does not request it. Why?
She doesn’t ask for a password, because we don’t interrogate her. We set a password, but did not specify a line in which it is checked if traffic starts to flow to the device. What should we do? We must again return to the line where we have line con 0, and enter the word "login".
This means that you need to verify the password, that is, a login is required to enter the system. Let's check what we did. To do this, exit the settings and return to the banner window. You see that right below it we got a line that requires you to enter a password.
If I enter the password here, I can go into the device settings. Thus, we have effectively prevented access to the device without your permission, and now only those who know the password can log into the system.
Now you see that we have a small problem. If you print something that the system does not understand, it thinks it is a domain name and tries to find the server domain name by allowing a connection with the IP address 255.255.255.255.
This can happen, and I'll show you how to turn off this message. You can simply wait until the request time has elapsed, or use the keyboard shortcut Control + Shift + 6, sometimes it works even on physical devices.
Then we need to make sure that the system does not look for a domain name, for this we enter the command “no IP-domain lookup” and check how it worked.
As you can see, now you can work with the switch settings without any problems. If we again exit the settings on the welcome screen and make the same mistake, that is, enter an empty line, the device will not waste time searching for the domain name, but simply display the message “unknown command.” So, setting the login password is one of The main things you will need to do on your new Cisco device.
Next, we will consider the password for the Telnet protocol. If for the password on the console we had “con 0” in the line, for the password on Telnet the default parameter is “line vty”, that is, the password is configured in virtual terminal mode, because Telnet is not a physical, but a virtual line. The first parameter of line vty is 0, and the last is 15. If we set parameter 15, this will mean that you can create 16 lines to access this device. That is, if we have several devices in the network, when connecting to the switch via Telnet protocol, the first device will use line 0, the second - line 1, and so on up to line 15. Thus, 16 people can connect to the switch at the same time, and when the user tries to connect to the seventeenth person, the switch will inform that the connection limit has been reached.
We can set a common password for all 16 virtual lines from 0 to 15, following the same concept as when setting the password for the console, that is, we enter the password command in the line and set the password, for example, the word “telnet”, and then enter the command "Login". This means that we do not want people to log in to the device using the Telnet protocol without a password. Therefore, we give instructions to check the login and only after that provide access to the system.
At the moment, we cannot use Telnet, because access to the device using this protocol can be made only after setting up some IP address on the switch. Therefore, to check Telnet settings, let's first move on to managing IP addresses.
As you know, the switch works on the 2nd level of the OSI model, has 24 ports and therefore cannot have any specific IP address. But we must assign an IP address to this switch if we want to connect to it from another device to manage IP addresses.
So, we need to assign one IP address to the switch, which will be used for IP management. To do this, we will introduce one of my favorite commands “show ip interface brief” and we will be able to see all the interfaces present in this device.
Thus, I see that I have twenty-four FastEthernet ports, two GigabitEthernet ports, and one VLAN interface. VLAN is a virtual network, later we will examine its concept in detail, for now I will say that each switch comes with one virtual interface called a VLAN interface. We use it to control the switch.
Therefore, we will try to access this interface and enter the vlan 1 parameter on the command line. Now you see that the command line has the form NetworKing (config-if) #, which means that we are in the management interface of the VLAN switch. Now we enter the command for setting the IP address of this type: Ip add 10.1.1.1 255.255.255.0 and press "Enter".
We see that this interface appeared in the list of interfaces marked “administratively down”. If you see such an inscription, this means that for this interface there is a “shutdown” command that allows you to disable the port, and in this case, this port is disabled. You can execute this command for any interface whose characteristics line is marked “down”. For example, you can go to the FastEthernet0 / 23 or FastEthernet0 / 24 interface, give the command “shutdown”, after which the port will be marked as “administratively down” in the list of interfaces, that is, disabled.
So, we looked at how the shutdown port shutdown command works. In order to enable the port or even to include something in the switch, the Negating Command, or "negation of the command" is used. For example, in our case, the use of such a command would mean “no shutdown”. This is a very simple command from the single word “no” - if the command “shutdown” means “turn off the device”, then the command “no shutdown” means “turn on the device”. Thus, by denying any command using the “no” particle, we command the Cisco device to perform the exact opposite action.
Now I will enter the command “show ip interface brief” again, and you will see that the state of our VLAN port, which now has the IP address 10.1.1.1, has changed from the “down” - “off” to “up” - “on” position , however, the string "down" is still listed in the protocol line.
Why does the VLAN protocol not work? Because directly at the moment he does not see any traffic passing through this port, because, if you remember, in our virtual network there is only one device - a switch, and in this case there can be no traffic. Therefore, we will add another device to the network, the PC-PT personal computer (PC0).
You don’t have to worry about the Cisco Packet Tracer, in one of the following videos I will show in more detail how this program works, for now we just have a general overview of its features.
So, now I activate the PC simulation, click on the computer icon and draw a cable from it to our switch. A message appeared in the console that the linear protocol of the VLAN1 interface changed state to UP, since we had traffic from the PC. As soon as the protocol noted the appearance of traffic, it immediately went into a ready state.
If you again give the command “show ip interface brief”, you can see that the FastEthernet0 / 1 interface changed its state and the state of its protocol to UP, because it was connected to it from the computer cable through which traffic began to flow. The VLAN interface also went into active state because it “saw” traffic on this port.
Now we click on the computer icon to see what it is. This is just a simulation of a PC running Windows, so we’ll go over to the network configuration settings to assign the computer an IP address of 10.1.1.2 and assign a subnet mask of 255.255.255.0.
We do not need a default gateway, because we are on the same network as the switch. Now I will try to ping the switch with the command “ping 10.1.1.1”, and, as you can see, the ping was successful. This means that now the computer can access the switch and we have the IP address 10.1.1.1 through which the switch is managed.
You may ask why the first computer request received a “timeout” response. This happened because the computer did not know the MAC address of the switch and had to send an ARP request first, so the first access to the IP address 10.1.1.1 failed.
Let's try using the Telnet protocol by typing “telnet 10.1.1.1” in the console. We communicate with this computer via Telnet with the address 10.1.1.1, which is nothing more than a virtual switch interface. After that, in the command line terminal window, I immediately see the welcome banner of the switch that we installed earlier.
Physically, this switch can be located anywhere - on the fourth or first floor of the office, but in any case we find it using Telnet. You see that the switch is asking for a password. What is this password? We set two passwords - one on the console, the other on VTY. Let's first try to enter the password on the cisco console, and you see that it is not accepted by the system. Then I try the “telnet” password on VTY and it worked. The switch accepted the VTY password, so line vty password is what works using the Telnet protocol used here.
Now I try to enter the “enable” command, to which the system responds with “no password set” - “no password set.” This means that the switch allowed me access to the user settings mode, but did not give me privileged access. To switch to privileged mode EXEC, I need to create something called “enable password", that is, enable the password. To do this, we again go to the switch settings window to allow the system to use the password.
To do this, using the “enable” command, we switch from the user EXEC mode to the privileged EXEC mode. Once we enter “enable”, the system also requires a password, because this function will not work without a password. Therefore, we again return to the simulation of obtaining console access. I already have access to this switch, so in the IOS command-line interface window, in the NetworKing (config) # enable line, I need to add “password enable”, that is, activate the password use function.
Now let me try again to type “enable” on the computer’s command line and press “Enter”, after which the system asks for a password. What is this password? After I typed and entered the “enable” command, I got access to privileged mode EXEC. Now I have access to this device through a computer, and I can do whatever I want with it. I can go to “conf t”, I can change the password or host name. Now I will change the host name to SwitchF1R10, which means "ground floor, room 10". Thus, I changed the name of the switch, and now it shows me the location of this device in the office.
If you return to the switch command line interface window, you can see that its name has changed, and I did this remotely during a Telnet session.
This is how we get access to the switch via Telnet: we assigned a host name, created a login banner, set a password for the console and a password for Telnet. Then we made password entry available, created the IP management feature, activated the “shutdown” function and the ability to deny the command.
Next, we need to assign a default gateway. To do this, we again go into the global configuration mode of the switch, type the command “ip default-gateway 10.1.1.10” and press “Enter.” You may ask why we need a default gateway if our switch is a device of the 2nd level of the OSI model.
In this case, we connected the PC to the switch directly, but let's assume that we have several devices. Suppose that the device from which I initiated Telnet, that is, a computer, is on the same network, and the switch with the IP address 10.1.1.1 is on the second network. In this case, Telnet traffic came from another network, the switch should send it back, but does not know how to get there. The switch determines that the IP address of the computer belongs to another network, so you must use the default gateway to communicate with it.
Thus, we set the default gateway for this device so that when traffic arrives from another network, the switch can send a response packet to the default gateway, which forwards it to the final destination.
Now we finally look at how to save this configuration. We have made so many changes to the settings of this device that now it’s time to save them. There are 2 ways to save.
One of them is to enter the “write” command in privileged EXEC mode. I print this command, press “Enter” and the system responds with the message “Building configuration - OK”, that is, the current device configuration has been successfully saved. What we did before saving is called the “working configuration of the device”. It is stored in the RAM of the switch and after it is turned off it will be lost. Therefore, we need to write everything that is in the working configuration to the boot configuration.
Regardless of what is in the working configuration, the “write” command copies this information and writes it to the boot configuration file, which is independent of RAM and is located in the non-volatile memory of the NVRAM switch. When the device boots, the system checks whether the NVRAM has a boot configuration, and turns it into a working configuration by loading the parameters into the RAM memory. Each time we use the “write” command, the working configuration parameters are copied and saved in NVRAM.
The second way to save configuration parameters is to use the old do write command. If we use this command, first we need to enter the word “copy”. After that, the Cisco operating system will ask you where to copy the settings from: from the file system via ftp or flash, from the working configuration or from the boot configuration. We want to make a copy of the running-configuration working configuration parameters, so we enter this phrase in the line. Then the system will again issue a question mark, asking where to copy the parameters, and now we indicate startup-configuration. Thus, we copied the working configuration to the boot configuration file.
You need to be very careful with these commands, because if you copy the boot configuration to the working configuration, which is sometimes done when setting up a new switch, we will erase all the changes and get the boot with zero parameters. Therefore, you need to carefully consider what and where you are going to save after you have configured the switch configuration parameters. So you save the configuration, and now, if you reload the switch, it will return to the same state as it was before the reboot.
So, we examined how to configure the basic parameters of the new switch. I know that many of you first saw the device command line interface, so it may take some time to learn everything shown in this video tutorial. I advise you to review this video several times until you understand how to use the various configuration settings, EXEC user mode, EXEC privileged mode, global configuration mode, how to use the command line to enter subcommands, change the host name, create a banner, and so on.
We reviewed the basic commands that you must know and which are used in the initial configuration of any Cisco device. If you know the commands for the switch, then you know the commands for the router.
Just remember which mode each of these basic commands is given from. For example, the host name and the login banner are part of the global configuration, to assign a password to the console you need to use the console, the Telnet password is assigned in the VTY line from zero to 15. To manage the IP address you need to use the VLAN interface. You must remember that the “enable” function is disabled by default, so you may need to enable it by entering the “no shutdown” command.
If you need to assign a default gateway, you enter global configuration mode, use the ip default-gateway command and assign the IP address to the gateway. Finally, you save your changes using the “write” command or copying the working configuration to the boot configuration file. I hope this video was very informative and helped you learn our online course.
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analogue of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until the summer for free when paying for a period of six months, you can order here .
Dell R730xd 2 times cheaper? Only we have 2 x Intel TetraDeca-Core Xeon 2x E5-2697v3 2.6GHz 14C 64GB DDR4 4x960GB SSD 1Gbps 100 TV from $ 199in the Netherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - from $ 99! Read about How to Build Infrastructure Bldg. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?
So, the manager gives you the new Cisco switch, which has many interfaces. It can be 8.16 or a 24-port switch. In this case, the slide shows the switch, which has 48 ports in front, divided into 4 sections of 12 ports. As we know from previous lessons, there are several more interfaces behind the switch, one of which is the console port. The console port is used for external access to the device and allows you to see how the switch operating system loads.
We have already discussed the case when you want to help your colleague and use remote desktop. You connect to his computer, make changes, but if you want your friend to restart the computer, you will lose access and will not be able to watch what happens on the screen at the time of loading. This problem occurs if you do not have external access to this device and you are connected to it only over the network.
But if you have offline access, you can see the boot screen, unpacking iOS, and other processes. Another way to access this device is to connect to any of the front ports. If you have configured IP address management on this device, as will be shown in this video, you can access it via Telnet. The problem is that you will lose this access as soon as the device turns off.
Let's see how you can perform the initial setup of a new switch. Before proceeding directly to configuration, we need to introduce some basic rules.
For most of the video tutorials, I used GNS3, an emulator that allows you to emulate the Cisco IOS operating system. In many cases, I need more than one device, for example, if I show how routing is done. In this case, I may need, for example, four devices. Instead of buying physical devices, I can use the operating system of one of my devices, connect it to GNS3 and emulate this iOS on multiple instances of virtual devices.
Therefore, I do not need to physically have five routers, I can only have one router. I can use the operating system on my computer, install the emulator and get 5 instances of devices. In the following video tutorials, we will look at how to do this, but for today the problem of using the GNS3 emulator is that it cannot be used to emulate a switch because the Cisco switch has ASIC hardware chips. This is a special integrated circuit, which, in fact, makes the switch a switch, so you can not just emulate this hardware function.
In general, the GNS3 emulator helps to work with the switch, but there are some functions that cannot be implemented using it. So for this tutorial and some other videos, I used other Cisco software called Cisco Packet Tracer. Do not ask me how to access the Cisco Packet Tracer, you can learn about it using Google, I can only say that you must be a member of Network Academy to obtain such access.
You can have access to the Cisco Packet Tracer, you can have access to a physical device or to GNS3, you can use any of these tools while studying the Cisco ICND course. You can use GNS3 if you have a router, an operating system and a switch, and it will work without problems, you can use a physical device, or Packet Tracer - just decide what suits you best.
But in my video tutorials I’m going to use Packet Tracer, so I’ll have a couple of videos, one exclusively for Packet Tracer and one exclusively for GNS3, I will post them soon, in the meantime we will use Packet Tracer. This is how it looks. If you also have access to Network Academy, you can access this program, and if not, you can use other tools.
So, since today we are talking about switches, I will check the Switches item, select the model of the 2960 series switch and drag its icon into the program window. If I double-click on this icon, I will go to the command line interface.
Next, I see how the switch operating system loads.
If you take a physical device and connect it to a computer, you will see exactly the same picture of Cisco IOS boot. You see that the operating system has been unpacked, and you can read some restrictions on the use of the software and the license agreement, copyright information ... all this is displayed in this window.
Next, the platform on which the OS is running will be shown, in this case the switch WS-C2690-24TT, and all the hardware functions will be displayed. The version of the program is also displayed here. Next, we go directly to the command line, if you remember, here we have tips for the user. For example, the symbol (>) prompts you to enter a command. From the video tutorial “Day 5”, you know that this is the initial, lowest mode of access to the device settings, the so-called EXEC user mode. This access can be obtained on any Cisco device.
If you use Packet Tracer, you get off-line OOB access to the device and you can track how the device loads. This program simulates access to a switch through a console port. How do you switch from user EXEC mode to privileged EXEC mode? You print the “enable” command and press “Enter”, you could also use the hint just by typing “en” and getting possible variants of commands starting with these letters. If you just enter the letter “e”, the device will not understand what you mean, because there are three commands starting with “e”, but if I type “en”, the system will understand that the only word starting with these two letters is this is enable. Thus, by entering this command, you will gain access to the privileged mode Exec.
In this mode, we can do everything that was shown on the second slide - change the host name, set the login banner, Telnet password, enable password entry, configure the IP address, set the default gateway, give the command to disconnect the device, cancel the entered previous commands and save your configuration changes.
These are the 10 basic commands that you use when initiating a device. To enter these parameters, it is necessary to use the global configuration mode, which we will now switch to.
So, the first parameter is the host name, it applies to the entire device, so its change is made in the global configuration mode. To do this, we enter the Switch (config) # parameter on the command line. If I want to change the host name, I enter NetworKing hostname in this line, press “Enter”, and I see that the Switch device name has changed to NetworKing. If you connect this switch to a network where there are already many other devices, this name will serve as its identifier among other network devices, so try to come up with a unique name with meaning for your switch. So, if this switch is installed, say, in the administrator’s office, then you can name it AdminFloor1Room2. Thus, if you give the device a logical name, it will be very easy for you to determine which switch you are connecting to. It is important,
The following is the Logon Banner parameter. This is the first thing anyone who enters into this device with a login will see it. This parameter is set using the #banner command. You can then enter the abbreviation motd, Message of The Day, or "message of the day." If I enter a question mark in the line, I get a message of the form: LINE with banner-text c.
This looks confusing, but just means that you can enter text from any character except “c,” which in this case is a separating character. So, let's start with the ampersand (&). I press “Enter”, and the system writes that now you can enter any text for the banner and end it with the same character (&) with which the line begins. So I started with an ampersand and should end my message with an ampersand.
I will start my banner with a line of asterisks (*), and in the next line I will write “The most dangerous switch! Do not enter"! I think it's cool, anyone will be scared when they see such a welcome banner.
This is my "message of the day." To check how it looks on the screen, I press CTRL + Z to switch from global mode to privileged EXEC mode, from where I can exit settings mode. This is how my message looks on the screen and this is how anyone who logs in to this switch will see it. This is what is called the login banner. You can be creative and write anything you want, but I advise you to approach this with all seriousness. I mean that some people instead of reasonable text posted pictures of symbols that did not carry any semantic meaning as a welcome banner. Nothing can stop you from doing this kind of “creativity”, just remember that with extra characters you overload the device’s memory (RAM) and the configuration file that is used to start the system.
Next, we will consider the password for the Console Password console. It prevents random people from entering the device. Suppose you left the device open. If I am a hacker, I’ll connect my laptop using the console cable to the switch, use the console to enter the switch and change the password or do something else malicious. But if you use the password on the console port, then I can only log in with this password. You don’t want anyone to just log into the console and change something in the settings of your switch. So, let's first look at the current configuration.
Since I'm in config mode, I can enter do sh run commands. The show run command is an EXEC privileged mode command. If I want to enter global mode from this mode, I must use the do command. If we look at the console line, we will see that by default there is no password and line con 0 is displayed. This line is located in one section, and below is another section of the configuration file.
Since there is nothing in the “line console” section, this means that when I connect to the switch through the console port, I will get direct access to the console. Now, if you enter “end”, you can go back to privileged mode and switch to user mode from it. If I press "Enter" now, I’ll get directly into the command prompt mode, because there is no password, otherwise the program would ask me to enter it to enter the configuration settings.
So, press “Enter” and print line con 0 in the line, because in Cisco devices everything starts from scratch. Since we have only one console, it is denoted by the abbreviation "con". Now, in order to assign a password, for example, the word “Cisco”, we need to print the password cisco command in the NetworKing (config-line) # line and press Enter.
Now we have set a password, but for now, something is missing. Let's try again and exit the settings. Despite the fact that we have set a password, the system does not request it. Why?
She doesn’t ask for a password, because we don’t interrogate her. We set a password, but did not specify a line in which it is checked if traffic starts to flow to the device. What should we do? We must again return to the line where we have line con 0, and enter the word "login".
This means that you need to verify the password, that is, a login is required to enter the system. Let's check what we did. To do this, exit the settings and return to the banner window. You see that right below it we got a line that requires you to enter a password.
If I enter the password here, I can go into the device settings. Thus, we have effectively prevented access to the device without your permission, and now only those who know the password can log into the system.
Now you see that we have a small problem. If you print something that the system does not understand, it thinks it is a domain name and tries to find the server domain name by allowing a connection with the IP address 255.255.255.255.
This can happen, and I'll show you how to turn off this message. You can simply wait until the request time has elapsed, or use the keyboard shortcut Control + Shift + 6, sometimes it works even on physical devices.
Then we need to make sure that the system does not look for a domain name, for this we enter the command “no IP-domain lookup” and check how it worked.
As you can see, now you can work with the switch settings without any problems. If we again exit the settings on the welcome screen and make the same mistake, that is, enter an empty line, the device will not waste time searching for the domain name, but simply display the message “unknown command.” So, setting the login password is one of The main things you will need to do on your new Cisco device.
Next, we will consider the password for the Telnet protocol. If for the password on the console we had “con 0” in the line, for the password on Telnet the default parameter is “line vty”, that is, the password is configured in virtual terminal mode, because Telnet is not a physical, but a virtual line. The first parameter of line vty is 0, and the last is 15. If we set parameter 15, this will mean that you can create 16 lines to access this device. That is, if we have several devices in the network, when connecting to the switch via Telnet protocol, the first device will use line 0, the second - line 1, and so on up to line 15. Thus, 16 people can connect to the switch at the same time, and when the user tries to connect to the seventeenth person, the switch will inform that the connection limit has been reached.
We can set a common password for all 16 virtual lines from 0 to 15, following the same concept as when setting the password for the console, that is, we enter the password command in the line and set the password, for example, the word “telnet”, and then enter the command "Login". This means that we do not want people to log in to the device using the Telnet protocol without a password. Therefore, we give instructions to check the login and only after that provide access to the system.
At the moment, we cannot use Telnet, because access to the device using this protocol can be made only after setting up some IP address on the switch. Therefore, to check Telnet settings, let's first move on to managing IP addresses.
As you know, the switch works on the 2nd level of the OSI model, has 24 ports and therefore cannot have any specific IP address. But we must assign an IP address to this switch if we want to connect to it from another device to manage IP addresses.
So, we need to assign one IP address to the switch, which will be used for IP management. To do this, we will introduce one of my favorite commands “show ip interface brief” and we will be able to see all the interfaces present in this device.
Thus, I see that I have twenty-four FastEthernet ports, two GigabitEthernet ports, and one VLAN interface. VLAN is a virtual network, later we will examine its concept in detail, for now I will say that each switch comes with one virtual interface called a VLAN interface. We use it to control the switch.
Therefore, we will try to access this interface and enter the vlan 1 parameter on the command line. Now you see that the command line has the form NetworKing (config-if) #, which means that we are in the management interface of the VLAN switch. Now we enter the command for setting the IP address of this type: Ip add 10.1.1.1 255.255.255.0 and press "Enter".
We see that this interface appeared in the list of interfaces marked “administratively down”. If you see such an inscription, this means that for this interface there is a “shutdown” command that allows you to disable the port, and in this case, this port is disabled. You can execute this command for any interface whose characteristics line is marked “down”. For example, you can go to the FastEthernet0 / 23 or FastEthernet0 / 24 interface, give the command “shutdown”, after which the port will be marked as “administratively down” in the list of interfaces, that is, disabled.
So, we looked at how the shutdown port shutdown command works. In order to enable the port or even to include something in the switch, the Negating Command, or "negation of the command" is used. For example, in our case, the use of such a command would mean “no shutdown”. This is a very simple command from the single word “no” - if the command “shutdown” means “turn off the device”, then the command “no shutdown” means “turn on the device”. Thus, by denying any command using the “no” particle, we command the Cisco device to perform the exact opposite action.
Now I will enter the command “show ip interface brief” again, and you will see that the state of our VLAN port, which now has the IP address 10.1.1.1, has changed from the “down” - “off” to “up” - “on” position , however, the string "down" is still listed in the protocol line.
Why does the VLAN protocol not work? Because directly at the moment he does not see any traffic passing through this port, because, if you remember, in our virtual network there is only one device - a switch, and in this case there can be no traffic. Therefore, we will add another device to the network, the PC-PT personal computer (PC0).
You don’t have to worry about the Cisco Packet Tracer, in one of the following videos I will show in more detail how this program works, for now we just have a general overview of its features.
So, now I activate the PC simulation, click on the computer icon and draw a cable from it to our switch. A message appeared in the console that the linear protocol of the VLAN1 interface changed state to UP, since we had traffic from the PC. As soon as the protocol noted the appearance of traffic, it immediately went into a ready state.
If you again give the command “show ip interface brief”, you can see that the FastEthernet0 / 1 interface changed its state and the state of its protocol to UP, because it was connected to it from the computer cable through which traffic began to flow. The VLAN interface also went into active state because it “saw” traffic on this port.
Now we click on the computer icon to see what it is. This is just a simulation of a PC running Windows, so we’ll go over to the network configuration settings to assign the computer an IP address of 10.1.1.2 and assign a subnet mask of 255.255.255.0.
We do not need a default gateway, because we are on the same network as the switch. Now I will try to ping the switch with the command “ping 10.1.1.1”, and, as you can see, the ping was successful. This means that now the computer can access the switch and we have the IP address 10.1.1.1 through which the switch is managed.
You may ask why the first computer request received a “timeout” response. This happened because the computer did not know the MAC address of the switch and had to send an ARP request first, so the first access to the IP address 10.1.1.1 failed.
Let's try using the Telnet protocol by typing “telnet 10.1.1.1” in the console. We communicate with this computer via Telnet with the address 10.1.1.1, which is nothing more than a virtual switch interface. After that, in the command line terminal window, I immediately see the welcome banner of the switch that we installed earlier.
Physically, this switch can be located anywhere - on the fourth or first floor of the office, but in any case we find it using Telnet. You see that the switch is asking for a password. What is this password? We set two passwords - one on the console, the other on VTY. Let's first try to enter the password on the cisco console, and you see that it is not accepted by the system. Then I try the “telnet” password on VTY and it worked. The switch accepted the VTY password, so line vty password is what works using the Telnet protocol used here.
Now I try to enter the “enable” command, to which the system responds with “no password set” - “no password set.” This means that the switch allowed me access to the user settings mode, but did not give me privileged access. To switch to privileged mode EXEC, I need to create something called “enable password", that is, enable the password. To do this, we again go to the switch settings window to allow the system to use the password.
To do this, using the “enable” command, we switch from the user EXEC mode to the privileged EXEC mode. Once we enter “enable”, the system also requires a password, because this function will not work without a password. Therefore, we again return to the simulation of obtaining console access. I already have access to this switch, so in the IOS command-line interface window, in the NetworKing (config) # enable line, I need to add “password enable”, that is, activate the password use function.
Now let me try again to type “enable” on the computer’s command line and press “Enter”, after which the system asks for a password. What is this password? After I typed and entered the “enable” command, I got access to privileged mode EXEC. Now I have access to this device through a computer, and I can do whatever I want with it. I can go to “conf t”, I can change the password or host name. Now I will change the host name to SwitchF1R10, which means "ground floor, room 10". Thus, I changed the name of the switch, and now it shows me the location of this device in the office.
If you return to the switch command line interface window, you can see that its name has changed, and I did this remotely during a Telnet session.
This is how we get access to the switch via Telnet: we assigned a host name, created a login banner, set a password for the console and a password for Telnet. Then we made password entry available, created the IP management feature, activated the “shutdown” function and the ability to deny the command.
Next, we need to assign a default gateway. To do this, we again go into the global configuration mode of the switch, type the command “ip default-gateway 10.1.1.10” and press “Enter.” You may ask why we need a default gateway if our switch is a device of the 2nd level of the OSI model.
In this case, we connected the PC to the switch directly, but let's assume that we have several devices. Suppose that the device from which I initiated Telnet, that is, a computer, is on the same network, and the switch with the IP address 10.1.1.1 is on the second network. In this case, Telnet traffic came from another network, the switch should send it back, but does not know how to get there. The switch determines that the IP address of the computer belongs to another network, so you must use the default gateway to communicate with it.
Thus, we set the default gateway for this device so that when traffic arrives from another network, the switch can send a response packet to the default gateway, which forwards it to the final destination.
Now we finally look at how to save this configuration. We have made so many changes to the settings of this device that now it’s time to save them. There are 2 ways to save.
One of them is to enter the “write” command in privileged EXEC mode. I print this command, press “Enter” and the system responds with the message “Building configuration - OK”, that is, the current device configuration has been successfully saved. What we did before saving is called the “working configuration of the device”. It is stored in the RAM of the switch and after it is turned off it will be lost. Therefore, we need to write everything that is in the working configuration to the boot configuration.
Regardless of what is in the working configuration, the “write” command copies this information and writes it to the boot configuration file, which is independent of RAM and is located in the non-volatile memory of the NVRAM switch. When the device boots, the system checks whether the NVRAM has a boot configuration, and turns it into a working configuration by loading the parameters into the RAM memory. Each time we use the “write” command, the working configuration parameters are copied and saved in NVRAM.
The second way to save configuration parameters is to use the old do write command. If we use this command, first we need to enter the word “copy”. After that, the Cisco operating system will ask you where to copy the settings from: from the file system via ftp or flash, from the working configuration or from the boot configuration. We want to make a copy of the running-configuration working configuration parameters, so we enter this phrase in the line. Then the system will again issue a question mark, asking where to copy the parameters, and now we indicate startup-configuration. Thus, we copied the working configuration to the boot configuration file.
You need to be very careful with these commands, because if you copy the boot configuration to the working configuration, which is sometimes done when setting up a new switch, we will erase all the changes and get the boot with zero parameters. Therefore, you need to carefully consider what and where you are going to save after you have configured the switch configuration parameters. So you save the configuration, and now, if you reload the switch, it will return to the same state as it was before the reboot.
So, we examined how to configure the basic parameters of the new switch. I know that many of you first saw the device command line interface, so it may take some time to learn everything shown in this video tutorial. I advise you to review this video several times until you understand how to use the various configuration settings, EXEC user mode, EXEC privileged mode, global configuration mode, how to use the command line to enter subcommands, change the host name, create a banner, and so on.
We reviewed the basic commands that you must know and which are used in the initial configuration of any Cisco device. If you know the commands for the switch, then you know the commands for the router.
Just remember which mode each of these basic commands is given from. For example, the host name and the login banner are part of the global configuration, to assign a password to the console you need to use the console, the Telnet password is assigned in the VTY line from zero to 15. To manage the IP address you need to use the VLAN interface. You must remember that the “enable” function is disabled by default, so you may need to enable it by entering the “no shutdown” command.
If you need to assign a default gateway, you enter global configuration mode, use the ip default-gateway command and assign the IP address to the gateway. Finally, you save your changes using the “write” command or copying the working configuration to the boot configuration file. I hope this video was very informative and helped you learn our online course.
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analogue of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until the summer for free when paying for a period of six months, you can order here .
Dell R730xd 2 times cheaper? Only we have 2 x Intel TetraDeca-Core Xeon 2x E5-2697v3 2.6GHz 14C 64GB DDR4 4x960GB SSD 1Gbps 100 TV from $ 199in the Netherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - from $ 99! Read about How to Build Infrastructure Bldg. class using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?