Cisco Router & Switch Configuration
Configuration modes: Global configuration mode
– SwitchX#configure terminal
– SwitchX(config)#
Interface configuration mode
– SwitchX(config)#interface fa0/1
– SwitchX(config-if)#
Configuring the Switch
Configuring Switch Identification
• Sets the local identity for the switch
Example:
SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address 10.5.5.11 255.255.255.0
SwitchX(config-if)#no shutdown
Note: It is necessary to use the no shutdown command to make the interface operational.
SwitchX(config)#interface vlan 1
SwitchX(config-if)#ip address {ip address} {mask}
Configuring the Switch IP Address
SwitchX(config)#ip default-gateway 172.20.137.1
Example:
SwitchX(config)#ip default-gateway {ip address}
Configuring the Switch Default Gateway
Saving Configurations
Copies the current configuration to NVRAM
SwitchX#
SwitchX#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
SwitchX#
Configuring a Switch Password
Configuring the Login Banner
– Defines and enables a customized banner to be displayed before the username and password login prompts.
SwitchX# banner login " Access for authorized users only. Please enter your
username and password. "
Telnet vs. SSH Access
– Telnet
  • Most common access method
  • Insecure
– SSH: encrypted
! The username command creates the username and password for the SSH session
username cisco password cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
login local
transport input ssh
Cisco Catalyst 2960 Series
SwitchX(config-if)#switchport port-security [ mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}]
SwitchX(config)#interface fa0/5
SwitchX(config-if)#switchport mode access
SwitchX(config-if)#switchport port-security
SwitchX(config-if)#switchport port-security maximum 1
SwitchX(config-if)#switchport port-security mac-address sticky
SwitchX(config-if)#switchport port-security violation shutdown
Configuring Port Security
SwitchX#show port-security [interface interface-id] [address] [ | {begin | exclude | include} expression]
SwitchX#show port-security interface fastethernet 0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 20 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
Verifying Port Security on the Catalyst 2960 Series
SwitchX#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------------
Fa0/5 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
SwitchX#sh port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0008.dddd.eeee SecureConfigured Fa0/5 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Verifying Port Security on the Catalyst 2960 Series (Cont.)
Half Duplex (CSMA/CD)
– Unidirectional data flow
– Higher potential for collision
– Hub connectivity
Full Duplex
– Point-to-point only
– Attached to dedicated switched port
– Requires full-duplex support on both ends
– Collision-free
– Collision detect circuit disabled
Duplex Overview
Cisco Catalyst 2960 Series
SwitchX(config)#interface fa0/1
SwitchX(config-if)#duplex {auto | full | half}
Cisco Catalyst 2960 Series
SwitchX(config)#interface fa0/1
SwitchX(config-if)#speed {10 | 100 | 1000 | auto}
Setting Duplex and Speed Options
SwitchX#show interfaces fastethernet0/2
FastEthernet0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0008.a445.9b42 (bia 0008.a445.9b42)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s
input flow-control is unsupported output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:57, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
323479 packets input, 44931071 bytes, 0 no buffer
Received 98960 broadcasts (0 multicast)
1 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 36374 multicast, 0 pause input
0 input packets with dribble condition detected
1284934 packets output, 103121707 bytes, 0 underruns
Showing Duplex Options
Router Configuration
Locating Cisco IOS Software
Using the boot system Command
Configuration Register Values
The order in which the router looks for system bootstrap information depends on the Boot Field setting in the configuration register. You can change the default configuration register setting with the global configuration mode command config-register. Use a hexadecimal number as the argument for this command.
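As an added example that is not part of the original slides: a Python decoder for the configuration register value, reading the boot field (bits 0-3) the paragraph describes and the two flags an auditor most wants to see, bit 6 (0x0040, ignore the startup-config in NVRAM) and bit 8 (0x0100, Break key ignored during boot). The `show version` fragment it parses is constructed; the bit layout is the standard IOS one.

```python
import re

# Standard 16-bit configuration register layout (bit positions are IOS-defined).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field
IGNORE_NVRAM = 0x0040      # bit 6: ignore startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100    # bit 8: Break key ignored during boot

# Constructed tail of a 'show version' listing (not from the page's routers).
SAMPLE_SHOW_VERSION = """\
Configuration register is 0x2142
"""


def decode_config_register(value):
    """Describe the boot behaviour and security-relevant flags of a register value."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "stay in ROM monitor; an image must be booted manually"
    elif boot_field == 0x1:
        boot = "boot the helper image from ROM"
    else:
        boot = "follow boot system commands in startup-config, else first image in flash"
    return {
        "value": value,
        "boot_field": boot_field,
        "boot_behaviour": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def register_from_show_version(text):
    """Pull the hex register value out of the 'Configuration register is 0x....' line."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", text)
    return int(m.group(1), 16) if m else None


def register_findings(value):
    """Return audit findings for settings that leave a router unconfigured or stranded."""
    info = decode_config_register(value)
    findings = []
    if info["ignore_nvram"]:
        findings.append("bit 6 set: startup-config ignored at next reload, "
                        "device boots with no passwords, ACLs or interfaces configured")
    if info["boot_field"] == 0:
        findings.append("boot field 0x0: router will stop in ROM monitor after a reload")
    return findings


if __name__ == "__main__":
    reg = register_from_show_version(SAMPLE_SHOW_VERSION)
    print(hex(reg), decode_config_register(reg)["boot_behaviour"])
    for f in register_findings(reg):
        print("-", f)
```

The usual production value 0x2102 decodes to boot field 0x2 with both flags clear; anything with bit 6 set should be restored to 0x2102 with `config-register` before the next reload.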
Identifying Boot Image Source
Software Components in Memory
Fields in the IOS Name
The confreg Command
The tftpdnld Command
Configuring Router Passwords
Enhanced Username Password Security
router(config)#
username name secret {[0] password | 5 encrypted-secret}
• Uses MD5 hashing for strong password protection
• Better than the type 7 encryption found in service password-encryption command
Boston(config)#username rtradmin secret 0 CISCO
Boston(config)#username rtradmin secret 5 cisco
router(config)#
username name password {[0] password | 7 hidden-password}
• Traditional user configuration with plaintext password
Configuring Banner Messages
router(config)#
banner {exec | incoming | login | motd | slip-ppp} d message d
• Specifies what is “proper use” of the system
• Specifies that the system is being monitored
• Specifies that privacy should not be expected when using this system
Boston(config)#banner motd %WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
Configuring Router Identification
RouterX(config)#interface type number
RouterX(config-if)#
type includes serial, ethernet, token ring, fddi, hssi, loopback, dialer, null, async, atm, bri, tunnel, and so on
number is used to identify individual interfaces
RouterX(config-if)#exit
Quits from current interface configuration mode
RouterX(config)#interface type slot/port
RouterX(config-if)#
For modular routers, selects an interface
Configuring an Interface
RouterX(config-if)# description string
string is a comment or a description to help you remember what is attached to this interface.
The maximum number of characters for the string argument is 238.
Configuring an Interface Description
RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up
Enables an interface that is administratively shut down
RouterX#configure terminal
RouterX(config)#interface serial 0
RouterX(config-if)#shutdown
%LINK-5-CHANGED: Interface Serial0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Administratively turns off an interface
Disabling or Enabling an Interface
Configuring IP Addresses
– Unique addressing allows communication between end stations
– Path choice is based on destination address
Configuring Interfaces
Router(config-if)#exit
Router(config)#interface serial 0
Router(config-if)#ip add 172.16.10.1 255.255.255.0
Router(config-if)#clock rate 64000 (only if DCE)
Router(config-if)#no shutdown
Rick Graziani [email protected]
Configuring an SSH Server for Secure Management and Reporting
Austin2#configure terminal
Austin2(config)#ip domain-name cisco.com
Austin2(config)#crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)#ip ssh timeout 120
Austin2(config)#ip ssh authentication-retries 4
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet
Austin2(config-line)#transport input ssh
Austin2(config-line)#end
1. Configure the IP domain name
2. Generate the RSA keys
3. Configure the SSH timeout interval
4. Configure the SSH retries
5. Disable vty inbound Telnet sessions
6. Enable vty inbound SSH sessions
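As an added example that is not part of the original slides, and covering the switch SSH configuration, the `username ... secret` versus `username ... password` slides, and the six-step SSH server procedure above: a Python audit that reads a running-config text and reports the settings those slides call out. The configuration it inspects is constructed; it reuses the page's own commands and adds a deliberately weak second vty block so the checks have something to find. The assumption that a vty line without `transport input` may still accept Telnet is stated in the code.

```python
import re

# Constructed running-config fragment (not captured from the page's devices).
# vty 0 4 follows the slides; vty 5 15 is intentionally weak.
SAMPLE_CONFIG = """\
hostname Austin2
username rtradmin secret 5 $1$PLACEHOLDER$notarealhash
username cisco password cisco
ip domain-name mydomain.com
ip ssh version 2
ip ssh timeout 120
ip ssh authentication-retries 4
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""


def parse_sections(config):
    """Split a running-config into top-level lines and indented 'line ...' blocks."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            if raw.startswith("line "):
                current = raw.strip()
                sections[current] = []
            else:
                global_lines.append(raw.strip())
    return global_lines, sections


def audit_remote_access(config):
    """Return findings for SSH setup, credential storage and vty transport settings."""
    findings = []
    global_lines, sections = parse_sections(config)

    if "ip ssh version 2" not in global_lines:
        findings.append("ip ssh version 2 not set; SSHv1 may be negotiated")
    if not any(l.startswith("ip domain-name ") for l in global_lines):
        findings.append("no ip domain-name; RSA key generation requires one")

    # 'password' stores type 0 (plaintext) or type 7 (reversible); 'secret' hashes it.
    for l in global_lines:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"user {m.group(1)} configured with 'password' instead of 'secret'")

    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        transports = [l for l in body if l.startswith("transport input")]
        # Assumption: with no explicit 'transport input', the platform default
        # may still permit Telnet, so a missing line is reported as well.
        if not transports or any("telnet" in t or t == "transport input all"
                                 for t in transports):
            findings.append(f"{name}: Telnet permitted (transport input missing or includes telnet)")
        if "login local" not in body and not any(l.startswith("login authentication")
                                                 for l in body):
            findings.append(f"{name}: login does not use the local or AAA user database")
    return findings


if __name__ == "__main__":
    for f in audit_remote_access(SAMPLE_CONFIG):
        print("-", f)
```

Run it against `show running-config` output collected from each device; a clean result means every vty line is SSH-only with per-user login and every local account is stored with `secret`.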
Configuring a Static Default Route
– The CPE can use a static default route to reach all remote destinations.
ip route 0.0.0.0 0.0.0.0 interface number
router(config)#
Host name resolution
Router# ping 172.16.32.1
Router# ping Auckland
Router# telnet 192.168.53.1
Router# telnet Beirut
Router# traceroute 192.168.89.1
Router# traceroute Capetown
• The Cisco IOS software maintains a cache of host name-to-address mappings for use by EXEC commands.
• This cache speeds up the process of converting names to addresses.
• Host names, unlike DNS names, are significant only on the router on which they are configured. (DNS is also an option – later)
Host name resolution
• This does not make the router a DNS (Domain Name Server).
• This command does not turn your router into a DNS server.
• This command does not affect how packets entering your router are routed.
• This only affects the IOS commands entered at the router prompt.
• Multiple IP addresses can be entered in case one interface is down.
• It is usually a good idea to use the same list of names on all your router configs.
Router(config)# ip host SantaCruz 172.16.32.1 192.168.53.1
Configuring Multiple IP Addresses
show and debug Commands
Considerations When Using debug Commands
– May generate output in a variety of formats that may not identify the problem
– Require high overhead, possibly disrupting network device operation
– Useful for obtaining information about network traffic and router status
Commands Related to debug
service timestamps debug datetime msec
RouteX(config)#
Adds a time stamp to a debug or log message
no debug all
RouteX#
Disables all debug commands
show processes
RouteX#
Displays the CPU utilization for each process
terminal monitor
RouteX#
Displays debug output on your current vty session