Cisco IOS for Dummies

Posted on 09-Mar-2015


Cisco IOS for dummies

Beginners class today

Markus Germeier mager@tzi.de

This course

Basic knowledge about Cisco hardware/software
Introduction to Cisco's IOS
How to configure an IOS-based switch

Examples for Cat2950 / Cat3550
Basic admin tasks
NOT covered: advanced features, routing, CatOS

Cisco

World-wide one of the biggest suppliers of network hardware (about 60% world-wide)
Near 100% probability that a packet will pass a Cisco machine while travelling the internet
Single point of failure?

Monocultures are never good!
Latest security bug (were we lucky?)

Cisco Hardware

Wide range from small (AP, VoIP phone, ...) to big (ISP core routers)
Main software is IOS
But others exist:

  Web interfaces („older“ AP, VoIP)
  CatOS for „older“ Catalysts / Supervisor boards

Cisco Catalyst Switches

Big hardware
Fully hot-swappable / redundant
Slot 1: Supervisor board
N slots: extensions

  Network ports
  Feature cards, e.g. RSM, MSFC, ...

Cisco IOS

Internetwork Operating System
„one size fits all“ (??)
Not really: highly dependent on hardware/version
Main interface: command line (CLI)

  Console and telnet
  Newer versions: web interface (don't use it!) and SSH (V1.5, single (/triple) DES)

IOS user management

„old model“: no users, only passwords
Privilege levels: from 0 (user nobody) to 15 (user root)
Login with user password
To configure: „enable“ + enable password (== „su -“)
„new model“: define users with privilege levels
One exception:

  On console: priv 15 -> priv 0 downgrade
  thus: „enable“ + password still needed

Cisco IOS CLI

Comfortable user interface
Command completion: <TAB>
Got stuck / what command was that? <?>

  Show all available commands
  Show next required parameter

<?>: anyplace, anytime, anywhere
Command shortening:

  „show version“ -> „sh ver“
  Usually use short commands (beginners: use <TAB>!!)

IOS configs

Getting started:
  „show version“ -> „sh ver“ (HW/SW info)
  „show interfaces“ -> „sh int“

Two configurations:
  running-config (the current configuration): „sh run“
  startup-config (config loaded after a reload): „sh start“

BEWARE: only non-default entries are shown
(so what are the default entries? That depends ...)

IOS edit config

Change the running configuration -> changes take immediate effect (this is dangerous!!)
To configure: „configure terminal“ -> „conf t“
To exit from configuration: „exit“ (up one level) or <CONTROL>-Z to quit configuration mode
After changes, check the config: „sh run“
Everything is fine: „copy run start“
Something bad happened: „reload“ or hard power-cycle

  -> startup-config will be loaded

IOS edit config (2)

Disable command „X“: „no X“ (copy the whole command line!)
Disable an interface: „shutdown“
Classical small reboot: „shut“ + „no shut“ on the interface

IOS interfaces

Physical interfaces (numbers depending on HW):
  In general: Hardware{slot/}number
  FastEthernet0/X (F0/X)
  GigabitEthernet0/X (G0/X)

Show interface configuration: „sh run int F0/1“

Show interface status: „sh int F0/1“

IOS interface status

switch-cat3550-0195-1#sh int g0/1

GigabitEthernet0/1 is up, line protocol is up (connected)

Hardware is Gigabit Ethernet, address is 000c.ce42.b681 (bia 000c.ce42.b681)

Description: Uplink c100-e3

[...]

Full-duplex, 1000Mb/s

[...]

IOS Interface status (2)

5 minute input rate 2219000 bits/sec, 234 packets/sec

5 minute output rate 2725000 bits/sec, 381 packets/sec

310311669 packets input, 132621980 bytes, 0 no buffer

Received 911690 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 675982 multicast, 0 pause input

0 input packets with dribble condition detected

Rule of thumb: <1000 packets/sec is OK
Look out for errors (== link/cable problems)
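The interface check described above, as an added example that is not from the slides: a Python parser for „sh int“ output that applies the rule of thumb (packet rate and error counters). The sample output follows the layout shown in the slides, but its counters, including the CRC errors, are constructed for the demo.

```python
import re

# Constructed sample in the layout of the slides' "sh int g0/1" output;
# the counters (including the CRC errors) are made up for the demo.
SAMPLE_SHOW_INT = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 000c.ce42.b681 (bia 000c.ce42.b681)
  Description: Uplink c100-e3
  Full-duplex, 1000Mb/s
  5 minute input rate 2219000 bits/sec, 234 packets/sec
  5 minute output rate 2725000 bits/sec, 381 packets/sec
     310311669 packets input, 132621980 bytes, 0 no buffer
     Received 911690 broadcasts, 0 runts, 0 giants, 0 throttles
     17 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
"""

PPS_LIMIT = 1000  # the slides' rule of thumb: below this is OK
ERROR_COUNTERS = ("input errors", "CRC", "frame", "overrun", "ignored",
                  "runts", "giants", "throttles", "output errors", "collisions")

def parse_show_interface(text):
    """Extract name, up/down status, rates and error counters from 'sh int' text."""
    info = {"name": None, "status": None, "rates": {}, "errors": {}}
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    if m:
        info["name"], info["status"] = m.group(1), (m.group(2), m.group(3))
    for direction in ("input", "output"):
        m = re.search(rf"5 minute {direction} rate (\d+) bits/sec, (\d+) packets/sec", text)
        if m:
            info["rates"][direction] = {"bps": int(m.group(1)), "pps": int(m.group(2))}
    for name in ERROR_COUNTERS:
        m = re.search(rf"(\d+) {re.escape(name)}\b", text)
        if m:
            info["errors"][name] = int(m.group(1))
    return info

def check_interface(text, pps_limit=PPS_LIMIT):
    """Apply the slides' rule of thumb: a high packet rate and any non-zero error
    counter are worth a look (errors usually mean link or cable trouble)."""
    info = parse_show_interface(text)
    findings = []
    if info["status"] != ("up", "up"):
        findings.append(f"{info['name']}: status {info['status']}")
    for direction, rate in info["rates"].items():
        if rate["pps"] >= pps_limit:
            findings.append(f"{direction} rate {rate['pps']} packets/sec exceeds {pps_limit}")
    for name, count in info["errors"].items():
        if count:
            findings.append(f"{count} {name} (check link/cable)")
    return findings
```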

IOS VLANs

Defining a VLAN:
  Older versions: logical interface: „int vlanX“
  Newer versions: „vlan database“

    „show“: show VLANs
    „vlan X“: define a VLAN (options possible)
    „apply“: save the latest VLAN modifications (don't forget)

Logical VLAN interfaces only used for assigning IP addresses

IOS configure interfaces

„conf t“
„int F0/Y“
„switchport access vlan X“
Interface F0/Y is now a member of VLAN X
Reminder: VLANs in the FB3 domain:

  VLAN X -> 134.102.X/24
  VLAN 83 -> 134.102.112/21
  VLAN 86 -> 172.21/16
  VLAN 229 -> 134.102.124/24

IOS configure trunks

Trunk: in this case a physical link which transmits more than one VLAN
Two protocols: ISL (Cisco) and IEEE 802.1q (== dot1q)
dot1q is the standard
„conf t“, „int G0/X“ as usual
„switchport mode trunk“ (== this port is a trunk)
„switchport trunk allowed vlan 1,86,218,224“
„switchport trunk encapsulation dot1q“ (Cat 3550 only)

The Cat3550 speaks ISL and dot1q (2950 is dot1q-only)

Cisco 2950/3550 step by step

Configure via console: 9600, 8N1
Initial setup: should be OK, no need to give an IP address
Three passwords (login, secret, enable)
Start configuration: „conf t“
  no ip http server
  hostname switch-catXXXX-YYYY

step by step (2)

Configure users and passwords
  aaa new-model
  aaa authentication login default local

  aaa authorization exec default local
  service password-encryption
  username root privilege 15 password XXXXXX

  enable password XXXXXX

After „service password-encryption“ these lines show up as:
  username root privilege 15 password 7 0011223344
  enable password 7 4433221100
BEWARE: keep these lines secret (type 7 is not a one-way function!!!)

step by step (3)

Configure DNS server and domain
  ip domain-name informatik.uni-bremen.de
  ip name-server 134.102.218.46

  ip name-server 134.102.200.14

Configure timeserver and logging timestamps
  ntp server 130.149.17.21
  ntp server 192.43.244.18

  ntp peer 134.102.204.114
  service timestamps debug datetime msec
  service timestamps log datetime msec

step by step (4)

Define available VLANs (this is „outside“ of „configure terminal“)
  vlan database

  vlan X

  vlan Y
  apply
  exit

Define logical interface with IP address
  int vlan X

  ip address 134.102.X.Y 255.255.255.0

step by step (5)

Define a trunk (uplink)
  interface GigabitEthernet0/11
  description Uplink from FooBar

  switchport trunk encapsulation dot1q (3550 only)
  switchport trunk allowed vlan 1,X,Y,Z
  switchport mode trunk

(Switch should now be remotely accessible)
Define VLANs for every interface
  switchport access vlan X

step by step (6)

Loghost
  logging facility local1
  logging 134.102.X.Z

Miscellaneous (this needs checking)
  spanning-tree mode pvst
  no spanning-tree optimize bpdu transmission
  spanning-tree extend system-id

Define useful aliases
  alias exec 0 term len 0
  alias exec c conf t
  alias exec cpu sh proc cpu
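An added audit of the finished configuration (example code, not from the slides): it reads „sh run“ text and flags the weak spots the step-by-step setup and the type-7 warning are about (enable password instead of enable secret, reversible type-7 strings, the web interface left on, missing password encryption, no time source). The sample config is constructed from the step-by-step commands; hostname, addresses and the type-7 strings are placeholders.

```python
import re

# Constructed running-config (not from the slides): hostname, addresses and
# the type-7 strings are placeholders; the layout follows the step-by-step setup.
SAMPLE_RUNNING_CONFIG = """\
service timestamps log datetime msec
service password-encryption
hostname switch-catXXXX-YYYY
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable password 7 4433221100
username root privilege 15 password 7 0011223344
ip domain-name example.invalid
ip http server
interface GigabitEthernet0/11
 description Uplink from FooBar
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
logging facility local1
logging 192.0.2.10
"""

def audit_running_config(config):
    """Return findings for the weak spots the slides warn about, given 'sh run' text."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    # 'enable password' is cleartext or type 7; 'enable secret' is a one-way hash
    if (any(l.startswith("enable password") for l in lines)
            and not any(l.startswith("enable secret") for l in lines)):
        findings.append("enable password in use; use 'enable secret' instead")
    # type-7 strings are reversible: whoever reads the config has the password
    for line in lines:
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(f"reversible type-7 password: {line.strip()}")
    # the slides start with 'no ip http server': the web interface is a no-go
    if "ip http server" in lines:
        findings.append("ip http server enabled; disable the web interface")
    # without this, non-secret passwords appear in cleartext in 'sh run'
    if "service password-encryption" not in lines:
        findings.append("service password-encryption missing")
    # log timestamps are only meaningful with a time source
    if not any(l.startswith("ntp server") for l in lines):
        findings.append("no ntp server configured; log timestamps unreliable")
    return findings
```

Run it against a saved „sh run“ before sharing that file with anyone: every type-7 line it reports has to be treated as the cleartext password.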

Cisco Discovery Protocol

IOS announces its presence on every link (layer 2)
  Platform, SW version, IP address, outgoing port
Enabled by default on every interface
Disable: „no cdp enable“ (e.g. wanted on ATM)
Check the information:
  „sh cdp neighbors“
  „sh cdp entry *“ (verbose check of all gathered information)

Standard admin tasks

Tools like ping/traceroute/telnet are available
  Advanced mode: e.g. „ping <RETURN>“
Pipe/grep-like command available
  Only for „long-output“ commands
  „command | {begin,exclude,include} expression“
Very useful:
  „sh arp“ (+ grep)
  „sh mac-address-table“ (+ grep)

IOS update

Don't do it! I'm serious!!!
First problem: a CCO account with permissions to download software is needed (-> ZfN)
Find out the current SW version running („sh ver“)
Find out the new version needed (Cisco documentation!)
READ the documentation!!
Always have a known good image ready
Check the reboot on the serial console!!
Worst case: machine does not boot -> Boot ROM

IOS update (2)

Check space on internal flash
Delete unwanted stuff (e.g. delete html/*)
DOS-like commands: dir, delete, copy
  „dir“ or „dir flash:“ (bootflash:, slotX, ...)
Copy new image to flash (rcp and tftp available)
  Usually TFTP: „copy tftp://134.102.218.99/newimage.bin flash:“
Check the image: „verify flash:newimage.bin“

IOS update (3)

Check the configuration register („sh ver“)
  Lowest two bits define boot behaviour
  Both set: use user config (this is wanted!)
Check current boot path: „sh boot“
  Empty path: use first image found on flash:
  „boot system flash:newimage.bin;flash:oldimage.bin“
Check everything again!
„reload“ and cross your fingers

Hints to get started

Use „show“ a lot: „sh ?“ and „sh X ?“!
Use „command ?“ a lot! (Find out about parameters)
Unknown interesting command: use Google:

  site:cisco.com „command foo“ „12.1“
  site:cisco.com „command foo“ „2950“

„term mon“ + „sh log“