Cisco Training 200-125 CCNA v3.0. Day 8. Setting up the switch

Welcome to the world of switches! Today we will talk about switches. Let's assume that you are a network administrator and you are in the office of a new company. A manager approaches you with an out-of-the-box switch and asks you to set it up. You might think that we are talking about an ordinary electrical switch (in English, the word switch means both a network switch and an electrical switch - translator's note), but this is not so - it means a network switch, or a Cisco switch.


So, the manager gives you a new Cisco switch, which is equipped with many interfaces. It can be an 8-, 16- or 24-port switch. In this case, the slide shows a switch with 48 ports on the front, divided into 4 sections of 12 ports. As we know from previous lessons, there are several more interfaces on the back of the switch, one of which is the console port. The console port is used for out-of-band access to the device and lets you watch the switch's operating system load.

We have already discussed the case where you want to help a colleague and use remote desktop. You connect to his computer and make changes, but if you ask your friend to restart the computer, you lose access and cannot watch what happens on the screen while it boots. This happens when you have no out-of-band access to the device and are only connected to it over the network.

But if you have out-of-band access, you can see the boot screen, the IOS unpacking and the other processes. Another way to access the device is to connect to any of the front ports. If you have configured a management IP address on the device, as shown in this video, you will be able to access it via Telnet. The problem is that you lose this access as soon as the device turns off.

Let's see how you can do the initial setup of a new switch. Before we go directly to the configuration settings, we need to introduce a few basic rules.


For most of the video tutorials, I used GNS3, an emulator that allows you to emulate the Cisco IOS operating system. In many cases I need more than one device, for example if I am showing how routing is done. In this case, I may need, for example, four devices. Instead of buying physical devices, I can use the operating system of one of my devices, connect it to GNS3, and emulate that IOS on multiple virtual device instances.

So I don't need to physically have five routers, I can only have one router. I can use the operating system on my computer, install an emulator, and get 5 device instances. We will look at how to do this in later video tutorials, but today the problem with using the GNS3 emulator is that it is impossible to emulate the switch with it, because the Cisco switch has hardware ASIC chips. It's a special IC that actually makes a switch a switch, so you can't just emulate this hardware function.

In general, the GNS3 emulator helps to work with the switch, but there are some functions that cannot be implemented with it. So for this tutorial and some other videos, I used another Cisco program called Cisco Packet Tracer. Don't ask me how to get access to Cisco Packet Tracer, you can find out about it using Google; I will only say that you must be a member of the Network Academy to get this access.
You may have access to Cisco Packet Tracer, to a physical device or to GNS3; you may use any of these tools while studying the Cisco ICND course. You can use GNS3 if you have a router, an operating system image and a switch, and it will work without problems; you can use a physical device or Packet Tracer. Just decide what suits you best.

But in my video tutorials I'm going to use Packet Tracer specifically, so I'll have a couple of videos, one exclusively for Packet Tracer and one exclusively for GNS3, I'll post them soon, but for now we'll use Packet Tracer. Here's what it looks like. If you also have access to Network Academy, you will be able to access this program, and if not, you can use other tools.


So, since today we are talking about switches, I will check the Switches item, select the switch model of the 2960 series and drag its icon into the program window. If I double click on this icon, I will go to the command line interface.


Next, I see how the switch operating system is loaded.


If you take a physical device and connect it to a computer, you will see exactly the same picture of booting Cisco IOS. You can see that the operating system has been unpacked, and you can read some of the software usage restrictions and license agreement, copyright information... all this is displayed in this window.

Next, the platform on which the OS is running is shown, in this case the WS-C2960-24TT switch, and all the hardware features are listed. The software version is also displayed here. Next, we go directly to the command line; if you remember, here we have a prompt for the user. For example, the symbol ( > ) invites you to enter a command. From the Day 5 video tutorial, you know that this is the initial, lowest mode for accessing device settings, the so-called user EXEC mode. This access can be obtained on any Cisco device.

If you use Packet Tracer, you get out-of-band (OOB) access to the device and can watch it boot. The program simulates access to the switch through the console port. How do you change from user EXEC mode to privileged EXEC mode? You type the command "enable" and hit Enter; you can also type the abbreviation "en", or type a few letters and use the hint to see the possible commands that start with them. If you enter only the letter "e", the device will not understand what you mean, because three commands begin with "e", but if I type "en", the system understands that the only command beginning with these two letters is enable. Thus, by entering this command, you get access to privileged EXEC mode.

In this mode, we can do everything that was shown on the second slide - change the host name, set the login banner, Telnet password, enable password entry, configure the IP address, set the default gateway, give the command to turn off the device, cancel the entered earlier commands and save the configuration changes made.


These are the 10 basic commands you use when you initialize a device. To enter these parameters, you must use the global configuration mode, which we will now switch to.

So, the first parameter is the hostname. It applies to the entire device, so it is changed in global configuration mode, where the prompt reads Switch(config)#. If I want to change the hostname, I enter hostname NetworKing at this prompt, press Enter, and see that the device name in the prompt has changed from Switch to NetworKing. If you join this switch to a network where there are already many other devices, this name will serve as its identifier among them, so try to come up with a unique, meaningful name for your switch. For example, if this switch is installed in the administrator's office, you can name it AdminFloor1Room2. If you give the device a logical name, it will be very easy to determine which switch you are connected to. This is important, as it helps you not to get confused between devices as the network grows.

Next comes the login banner. This is the first thing anyone who logs into this device will see. It is set with the banner command, followed by the keyword motd, Message of The Day, or "message of the day". If I enter a question mark at this point, I get a hint like: LINE c banner-text c, where 'c' is a delimiting character.

It looks confusing, but it simply means that you can enter any text, starting and ending it with a character of your choice that does not occur in the text itself; that character is the delimiter. So let's start with the ampersand (&). I press Enter and the system says that I can now enter any text for the banner and end it with the same character (&) that started it. So I started with an ampersand and I have to end my message with an ampersand.

I will start my banner with a line of asterisks (*) and on the next line I will write "The most dangerous switch! Do not enter!". I think it's cool; anyone will be scared to see such a welcome banner.


This is my "message of the day". To check how it looks on the screen, I press CTRL+Z to switch from global configuration mode to privileged EXEC mode, from where I can exit the configuration session. This is how my message looks on the screen, and this is how anyone who logs in to this switch will see it. This is what is called the login banner. You can be creative and write whatever you want, but I advise you to take it seriously. I mean, some people, instead of reasonable text, put pictures made of symbols that carried no meaning into the welcome banner. Nothing can stop you from such "creativity", just remember that with extra characters you are using up the device's memory (RAM) and bloating the configuration file that is used at system startup. The more characters in this file, the slower the switch loads, so try to keep the configuration file small by making the banner's content crisp and clear.

Next, we will look at the console password. It prevents random people from getting into the device. Let's assume you left the device unattended. If I am an attacker, I connect my laptop to the switch with a console cable, log into the switch through the console and change the password or do something else malicious. But if you put a password on the console port, I can only log in with that password. You don't want someone to just log into the console and change something in your switch settings. So let's look at the current configuration first.

Since I'm in configuration mode, I can type do sh run. The show run command is a privileged EXEC mode command; if I want to use it from global configuration mode, I must prefix it with "do". If we look at the console line in the output, we see that by default there is no password; only line con 0 is displayed. This line is in one section, and below it is another section of the configuration file.

Since there is nothing in the "line console" section, this means that when I connect to the switch through the console port, I get direct access to the CLI. Now, if you type "end", you return to privileged mode, and from there you can go to user mode. If I press Enter now, I go straight to the command prompt, because there is no password here; otherwise the program would ask for it before letting me into the configuration.
So, let's press Enter and type line con 0, because in Cisco devices numbering starts from zero. Since we have only one console, it is abbreviated "con". Now, to assign a password, for example the word "cisco", we type the command password cisco at the NetworKing(config-line)# prompt and press Enter.

Now we have set a password, but we are still missing something. Let's try everything again and exit the settings. Despite the fact that we have set a password, the system does not ask for it. Why?

It doesn't ask for a password because we haven't told it to. We set a password, but did not tell the line to check it when someone connects to the device. What should we do? We must go back to line con 0 and enter the word "login".


This means that you need to verify the password, i.e. a login is required to log in. Let's check what we got. To do this, exit the settings and return to the banner window. You can see that immediately below it we have a line that requires you to enter a password.


If I enter the password here, I can enter the device settings. In this way, we have effectively prevented access to the device without your permission, and now only those who know the password can enter the system.

Now you see that we have a little problem. If you type something the system doesn't understand, it treats it as a domain name and tries to look it up, sending the request to the address 255.255.255.255.


This can happen, and I'll show you how to stop this message from appearing. You can just wait until the request times out, or use the keyboard shortcut Control + Shift + 6, sometimes it works even on physical devices.

Then we need to make sure that the system does not look for a domain name; for this we enter the "no ip domain-lookup" command and check how it worked.


As you can see, now you can work with the switch settings without any problems. If we again exit the settings to the welcome screen and make the same mistake, that is, enter an empty string, the device will not waste time searching for a domain name, but will simply display the message "unknown command". So, setting a login password is one of the main things you will need to do on your new Cisco device.

Next, we will consider the Telnet password. For the console password we worked under line con 0; for the Telnet password the line is "line vty", that is, the password is configured on the virtual terminal lines, because Telnet is not a physical line but a virtual one. The first vty line is 0 and the last is 15. If we specify 0 15, we are configuring all 16 lines that can be used to access this device. That is, if several devices connect to the switch using Telnet, the first will use line 0, the second line 1, and so on up to line 15. Thus, 16 people can connect to the switch at the same time, and the switch will tell the seventeenth person who tries to connect that the connection limit has been reached.

We can set a common password for all 16 virtual lines from 0 to 15, following the same concept as when setting a password on the console, that is, we enter the password command in the line and set the password, for example, the word "telnet", and then enter the command "login". This means that we don't want people to log in to the device using Telnet protocol without a password. Therefore, we instruct to check the login and only after that grant access to the system.
At the moment, we cannot use Telnet, because access to the device via this protocol can only be done after setting up an IP address on the switch. Therefore, to check the Telnet settings, let's first move on to managing IP addresses.


As you know, the switch works at layer 2 of the OSI model; it has 24 ports, and none of them has a specific IP address of its own. But we must assign an IP address to the switch if we want to connect to it from another device to manage it over IP.
So, we need to assign one IP address to the switch, which will be used for IP management. To do this, we will enter one of my favorite commands "show ip interface brief" and we will be able to see all the interfaces present on this device.


Thus, I see that I have twenty-four FastEthernet ports, two GigabitEthernet ports, and one VLAN interface. VLAN is a virtual network, later we will take a closer look at its concept, for now I will say that each switch comes with one virtual interface called VLAN interface. This is what we use to manage the switch.

Therefore, we go to this interface by entering interface vlan 1 on the command line. Now you can see that the prompt has become NetworKing(config-if)#, which means we are in the configuration of the VLAN management interface. Now we enter a command to set an IP address like this: ip add 10.1.1.1 255.255.255.0 and press Enter.

We see that this interface appears in the list of interfaces marked "administratively down". If you see this, it means the interface has the "shutdown" command applied to it, which disables the port, and in this case the port is disabled. You can run this command on any interface, and it will then show "down" in its status column. For example, you can go to the FastEthernet0/23 or FastEthernet0/24 interface, issue the "shutdown" command, and that port will be marked "administratively down" in the list of interfaces, that is, disabled.

So, we have looked at how the command to disable the "shutdown" port works. In order to enable the port or even enable anything in the switch, use the Negating Command, or “command negation”. For example, in our case, using such a command would mean "no shutdown". This is a very simple one-word "no" command - if the "shutdown" command means "turn off the device", then the "no shutdown" command means "turn on the device". Thus, negating any command with the particle "no", we command the Cisco device to do exactly the opposite.


Now I enter the "show ip interface brief" command again, and you see that the status of our VLAN interface, which now has the IP address 10.1.1.1, has changed from "down" to "up", but the Protocol column still says "down".

Why is the line protocol of the VLAN interface not up? Because right now it does not see any traffic passing through this interface, since, if you remember, there is only one device in our virtual network, the switch, so there can be no traffic. Therefore, we will add one more device to the network, a PC-PT (PC0) personal computer.
Don't worry about Cisco Packet Tracer, in one of the following videos I will show you how this program works in more detail, for now we will just have a general overview of its capabilities.


So, now I will activate the PC simulation, click on the computer icon and run a cable from it to our switch. A message appeared in the console stating that the line protocol of the VLAN1 interface changed its state to UP, since we had traffic from the PC. As soon as the protocol noted the appearance of traffic, it immediately entered the ready state.

If you give the "show ip interface brief" command again, you can see that the FastEthernet0/1 interface has changed its status and its protocol state to UP, because that is the port the cable from the computer was connected to, through which the traffic began to flow. The VLAN interface also went up because it "saw" traffic on that port.

We will now click on the computer icon to see what it is. This is just a simulation of a Windows PC, so we will go to the network configuration settings to give the computer an IP address of 10.1.1.2 and assign a subnet mask of 255.255.255.0.


We don't need a default gateway because we are on the same network as the switch. Now I will try to ping the switch with the “ping 10.1.1.1” command, and, as you can see, the ping was successful. This means that now the computer can access the switch and we have an IP address of 10.1.1.1 through which the switch is managed.

You may ask why the computer's first request received a "timeout" response. This was due to the fact that the computer did not know the MAC address of the switch and had to first send an ARP request, so the first call to the IP address 10.1.1.1 failed.

Let's try Telnet by typing "telnet 10.1.1.1" at the computer's command prompt. From this computer we open a Telnet session to the address 10.1.1.1, which is nothing other than the switch's virtual interface. Right after that, in the terminal window, I see the switch's welcome banner that we set up earlier.


Physically, this switch can be anywhere, on the fourth floor or the first floor of the office, but in any case we reach it using Telnet. You see that the switch is asking for a password. Which password? We set up two passwords: one for the console, the other for the VTY lines. Let's first try the console password "cisco", and you can see that the system does not accept it. Then I try the VTY password "telnet", and it works. The switch accepted the VTY password, so the line vty password is the one that applies to Telnet.

Now I try to enter the "enable" command, to which the system responds "no password set". This means that the switch let me into user EXEC mode but did not give me privileged access. To get into privileged EXEC mode, I need to create what is called the "enable password". To do this, we go back to the switch's configuration window.


To do this, we use the "enable" command to switch from user EXEC mode to privileged EXEC mode. Since we entered "enable", the system now asks for a password, because without one this function does not work. Therefore, we return to the simulated console session. I already have access to this switch, so in the IOS CLI window, at the NetworKing(config)# prompt, I enter enable password followed by the password, which activates password protection for privileged mode.
Now I try typing "enable" again at the computer's command prompt and pressing Enter, and the system asks for a password. Which password? The enable password we have just configured. After I typed the "enable" command and entered the password, I got access to privileged EXEC mode. Now I have access to this device through the computer, and I can do whatever I want with it. I can go to "conf t", I can change the password or the hostname. I will now change the hostname to SwitchF1R10, which means "ground floor, room 10". Thus, I changed the name of the switch, and now it tells me the location of this device in the office.

If you return to the switch command line interface window, you can see that its name has changed, and I did this remotely during a Telnet session.

This is how we access the switch via Telnet. So far we have assigned a hostname, created a login banner, set a password for the console and a password for Telnet, required those passwords with "login", configured a management IP address, and learned the "shutdown" command and command negation with "no".

Next, we need to assign a default gateway. To do this, we again switch to the global switch configuration mode, type the command "ip default-gateway 10.1.1.10" and press "Enter". You may ask why we need a default gateway if our switch is a layer 2 device of the OSI model.

In this case, we connected the PC to the switch directly, but let's assume we have several networks. Say the device from which I initiated Telnet, that is, the computer, is on one network, and the switch with the IP address 10.1.1.1 is on another. The Telnet traffic came from another network; the switch should send the replies back, but does not know how to get there. The switch determines that the computer's IP address belongs to another network, so it must use the default gateway to reach it.


Thus, we set the default gateway for this device so that when traffic arrives from another network, the switch can send a response packet to the default gateway, which forwards it to its final destination.

Now we will finally look at how to save this configuration. We've made so many changes to this device's settings that it's time to save them. There are 2 ways to save.

One is to enter the "write" command in privileged EXEC mode. I type this command, press Enter, and the system responds with "Building configuration... [OK]", that is, the current configuration of the device was saved successfully. What we had before saving is called the running configuration. It is stored in the switch's RAM and is lost when the switch is powered off. Therefore, we need to write everything that is in the running configuration to the startup configuration.

Whatever is in the running configuration, the "write" command copies it into the startup configuration file, which does not depend on RAM and resides in the switch's non-volatile memory (NVRAM). When the device boots, the system checks whether there is a startup configuration in NVRAM and turns it into the running configuration by loading its parameters into RAM. Every time we use the "write" command, the running configuration is copied and stored in NVRAM.

The second way to save the configuration is the longer copy command. We enter the word "copy" and a question mark, and the Cisco operating system asks where you want to copy from: the file system (ftp or flash), the running configuration or the startup configuration. We want to copy the running configuration, so we type running-config. Then the system asks where to copy it to, and now we specify startup-config. Thus, we copied the running configuration into the startup configuration file.

You need to be very careful with these commands, because if you copy the startup configuration into the running configuration, which is sometimes done when setting up a new switch, you will destroy all the changes you made and end up with a blank configuration. So be careful about what you copy and in which direction after you have configured the switch. This is how you save the configuration, and now, if you reboot the switch, it will come back in the same state it was in before the reboot.
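An added example to tie the lesson's steps together: a small Python audit, not from the video or from Cisco, that parses text in the shape of "show running-config" output and reports which of the settings above are missing. Both configurations inside it are constructed for the example; the hostnames, passwords and addresses mirror the ones typed in the lesson. The two line checks reproduce the point made about the console and vty lines: a password without "login" is never asked for, and "login" without a password gives IOS nothing to check.

```python
"""Audit a Cisco IOS switch config for the initial-setup items in this lesson.
Added example, not from the lesson or Cisco; both configs are constructed."""

# Constructed: what "show run" shows once every step of the lesson is done.
HARDENED_CONFIG = """\
hostname SwitchF1R10
no ip domain-lookup
enable password cisco123
banner motd &
The most dangerous switch! Do not enter!
&
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
ip default-gateway 10.1.1.10
line con 0
 password cisco
 login
line vty 0 4
 password telnet
 login
line vty 5 15
 password telnet
 login
"""

# Constructed: "login" forgotten on vty 0 4, "login" without a password on
# vty 5 15, console wide open, Vlan1 still shut down, no enable password.
WEAK_CONFIG = """\
hostname Switch
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 shutdown
line con 0
line vty 0 4
 password telnet
line vty 5 15
 login
"""


def parse_config(text):
    """Return (top_level, sections): unindented commands, and each one's indented sub-commands."""
    top_level, sections, current = [], {}, None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith("banner "):
            # "banner motd &" (IOS prints Ctrl-C as "^C"): the banner body runs
            # until a line ending in the same delimiter, so skip it
            parts = line.split(maxsplit=2)
            top_level.append(" ".join(parts[:2]))
            current = None
            tail = parts[2] if len(parts) > 2 else ""
            delim = "^C" if tail.startswith("^C") else tail[:1]
            if not delim or (len(tail) > len(delim) and tail.endswith(delim)):
                continue  # no delimiter, or a one-line banner: banner motd &text&
            for body in lines:
                if body.rstrip().endswith(delim):
                    break
            continue
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = line.strip()
        sections[current] = []
        top_level.append(current)
    return top_level, sections


def audit(text):
    """Return a list of findings; an empty list means every lesson item is in place."""
    top_level, sections = parse_config(text)
    findings = []
    if "no ip domain-lookup" not in top_level:
        findings.append("ip domain-lookup: still on, mistyped commands hang at the prompt")
    if not any(c.startswith(("enable secret ", "enable password ")) for c in top_level):
        findings.append("enable: no password, privileged EXEC is open to anyone in user EXEC")
    if "banner motd" not in top_level:
        findings.append("banner motd: not set")
    if not any(c.startswith("ip default-gateway ") for c in top_level):
        findings.append("ip default-gateway: not set, no replies to other subnets")
    vlan1 = sections.get("interface Vlan1", [])
    if not any(c.startswith("ip address ") for c in vlan1):
        findings.append("interface Vlan1: no management IP address")
    elif "shutdown" in vlan1:
        findings.append("interface Vlan1: administratively down")
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        has_password = any(c.startswith("password ") for c in body)
        has_login = any(c == "login" or c.startswith("login ") for c in body)
        if has_password and not has_login:
            findings.append(f"{header}: password set but no 'login', so it is never asked for")
        elif has_login and not has_password:
            findings.append(f"{header}: 'login' without a password, the check cannot work")
        elif not has_login:
            findings.append(f"{header}: no password and no 'login', anyone attaching gets the prompt")
    return findings
```

Running `audit(HARDENED_CONFIG)` returns an empty list; `audit(WEAK_CONFIG)` lists eight findings, one per missed step. The enable check accepts either `enable password` (the form used in the lesson, stored in clear text in the configuration) or `enable secret`, which stores a hash instead; on real equipment the latter is the form to prefer.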

So, we have examined how the basic parameters of the new switch are configured. I know that this is the first time many of you have seen the device's command line interface, so it may take some time to absorb everything shown in this video tutorial. I advise you to watch this video several times until you understand how to use the different configuration modes, user EXEC mode, privileged EXEC mode, global configuration mode, how to use the command line to enter subcommands, change the hostname, create a banner, and so on.

We have covered the basic commands that you must know and that are used during the initial configuration of any Cisco device. If you know the commands for the switch, then you know the commands for the router.

Just remember which mode each of these basic commands is issued from. For example, the hostname and login banner are part of the global configuration; the console password is assigned under line con 0, and the Telnet password under the vty lines from 0 to 15. You use the VLAN interface for the management IP address. Remember that this interface is shut down by default, so you need to bring it up with the "no shutdown" command.

If you need to assign a default gateway, you enter global configuration mode, use the "ip default-gateway" command, and assign an IP address to the gateway. Finally, you save your changes using the "write" command or copying the running configuration to the boot configuration file. I hope this video was very informative and helped you to master our online course.
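A second added example (also not from the lesson or from Cisco) for the "which mode" reminder above: a Python model of the prompts used in this lesson that replays a list of commands, shows the prompt each one would be typed at, and flags any command issued in the wrong mode, including the "do" prefix rule for running privileged EXEC commands from configuration mode. The command table, the abbreviations it expands and both command lists are constructed for the example and cover only the commands this lesson uses; ENABLE_PW_PLACEHOLDER stands in for an enable password of your choosing.

```python
"""Replay Cisco IOS commands and check that each one is typed in the right mode.
Added example, not from the lesson or Cisco; the tables cover only lesson commands."""

# Prompt suffix IOS shows in each mode.
PROMPTS = {"user": ">", "priv": "#", "global": "(config)#",
           "line": "(config-line)#", "if": "(config-if)#"}

# Short forms typed in the lesson, expanded before lookup.
ALIASES = {"en": "enable", "conf t": "configure terminal", "wr": "write",
           "sh run": "show running-config", "show run": "show running-config"}

# Mode in which each command must be issued (constructed table).
COMMAND_MODES = {
    "enable": "user", "configure terminal": "priv", "show running-config": "priv",
    "write": "priv", "copy running-config startup-config": "priv",
    "hostname": "global", "banner motd": "global", "no ip domain-lookup": "global",
    "enable password": "global", "ip default-gateway": "global",
    "line": "global", "interface": "global",
    "password": "line", "login": "line",
    "ip address": "if", "shutdown": "if", "no shutdown": "if",
}

# Mode a command moves you into, and where "exit" takes you from each mode.
ENTERS = {"enable": "priv", "configure terminal": "global", "line": "line", "interface": "if"}
EXITS = {"if": "global", "line": "global", "global": "priv", "priv": "user", "user": "user"}


def normalize(cmd):
    """Collapse whitespace and expand abbreviations (also after a "do" prefix)."""
    cmd = " ".join(cmd.split())
    if cmd.startswith("do "):
        return "do " + ALIASES.get(cmd[3:], cmd[3:])
    return ALIASES.get(cmd, cmd)


def classify(cmd):
    """Longest-prefix match against COMMAND_MODES; None if the command is unknown."""
    for key in sorted(COMMAND_MODES, key=len, reverse=True):
        if cmd == key or cmd.startswith(key + " "):
            return key
    return None


def step(state, cmd):
    """Apply one normalized command to state; return an error string or None."""
    mode = state["mode"]
    if cmd == "exit":
        state["mode"] = EXITS[mode]
        return None
    if cmd == "end":  # same effect as Ctrl+Z
        if mode in ("user", "priv"):
            return "'end' only works inside configuration modes"
        state["mode"] = "priv"
        return None
    if cmd.startswith("do "):  # "do" runs a privileged EXEC command from config modes
        key = classify(cmd[3:])
        if key is None or COMMAND_MODES[key] != "priv":
            return f"'do' only prefixes privileged EXEC commands: {cmd}"
        return None
    key = classify(cmd)
    if key is None:
        return f"not in this example's command table: {cmd}"
    if COMMAND_MODES[key] != mode:
        return f"'{cmd}' belongs to {COMMAND_MODES[key]} mode, but you are in {mode} mode"
    if key in ENTERS:
        state["mode"] = ENTERS[key]
    elif key == "hostname":  # the prompt changes at once
        state["hostname"] = cmd.split(None, 1)[1]
    return None


def run_session(commands, hostname="Switch"):
    """Replay commands from user EXEC; return (transcript, errors, final state)."""
    state = {"mode": "user", "hostname": hostname}
    transcript, errors = [], []
    for raw in commands:
        cmd = normalize(raw)
        prompt = state["hostname"] + PROMPTS[state["mode"]]
        transcript.append(f"{prompt} {cmd}")
        err = step(state, cmd)
        if err:
            errors.append(f"{prompt} {cmd}  <- {err}")
    return transcript, errors, state


# Constructed: the lesson's procedure in order (ENABLE_PW_PLACEHOLDER = your choice).
LESSON_SESSION = [
    "en", "conf t", "hostname NetworKing",
    "banner motd &The most dangerous switch! Do not enter!&", "do sh run",
    "line con 0", "password cisco", "login", "exit", "no ip domain-lookup",
    "line vty 0 15", "password telnet", "login", "exit",
    "interface vlan 1", "ip address 10.1.1.1 255.255.255.0", "no shutdown", "exit",
    "enable password ENABLE_PW_PLACEHOLDER", "ip default-gateway 10.1.1.10",
    "end", "write",
]

# Constructed: line and interface commands typed at the global prompt, "write" without "do".
MISTAKEN_SESSION = ["en", "conf t", "password cisco", "login", "shutdown", "write"]
```

`run_session(LESSON_SESSION)` replays the lesson cleanly and ends at the `NetworKing#` prompt; `run_session(MISTAKEN_SESSION)` reports four errors, one for each command typed at `(config)#` that belongs to line, interface or privileged EXEC mode.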



Source: habr.com
