the best damn cisco internetworking book period part 2 pps

Cisco Technologies, Routers, and Switches • Chapter 1 73

    Hardware is Lance, address is 00e0.b05a.d998 (bia 00e0.b05a.d998)
    Internet address is 192.168.123.50/24
    MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue :0/40 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       93866 packets input, 13802455 bytes, 0 no buffer
       Received 47471 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 input packets with dribble condition detected
       234089 packets output, 24304032 bytes, 0 underruns
       0 output errors, 2 collisions, 31 interface resets
       0 babbles, 0 late collision, 19 deferred
       0 lost carrier, 0 no carrier
       0 output buffer failures, 0 output buffers swapped out

Increasing Efficiency by Using Shortcuts

Until now, we have purposefully and completely written out the entire string when entering commands. Cisco software does support a shorthand version of its command syntax. You can enter only a partial portion of the command as long as you provide enough for the IOS to recognize it. For example, you can enter copy run star, which the router will recognize to mean copy running-config startup-config.

The following example uses shortcuts rather than spelling out the full command. In this example, we are entering privileged mode and configuring an IP address for the Ethernet 0 interface. Our final task is copying the running configuration to NVRAM:

    6Router-1>en
    6Router-1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    6Router-1(config)# int e0
    6Router-1(config-if)# ip add 10.1.1.1 255.255.255.0
    6Router-1(config-if)# ex
    6Router-1(config)# ^Z
    6Router-1# copy run star

www.syngress.com 253_BDCisco_01b.qxd 10/15/03 9:20 AM Page 73

In the preceding example, we entered privileged mode by entering en instead of typing enable, then entered configuration mode by entering conf t, which the router recognized as configure terminal. We next entered interface configuration mode by typing int e0, which the router recognized as interface Ethernet 0. We then configured an IP address with ip add. After exiting with ex for exit, we copied the running configuration to NVRAM with copy run star for the command copy running-config startup-config.

The rule for shortcuts is that you can reduce a command as long as it is unique from other commands. For example, you could not reduce disable to DI, because disconnect also starts with DI, so you would need to use DISA, and conversely, disconnect would need to be DISC. If you do not enter enough information to make the command unique, you will be met with an error stating % Ambiguous command:. This indicates that you need to type more of the command.

The auto-complete feature automatically completes a command when you simply press the Tab key. You must enter enough information for the command to be unique or it will not work. The following code example demonstrates this feature.
In this example you are trying to enter the configure terminal command. You start by trying to enter con, but this does not work because both the configure and connect commands start with "con," so you have to enter enough information to make it unique by entering conf. You follow this by t and hit the Tab key to get the terminal word to appear:

    6Router-1# con
    6Router-1# conf
    6Router-1# configure t
    6Router-1# configure terminal

A set of shortcuts is also available with specific keystrokes to move the cursor and perform other actions.

■ CTRL + A Move to the beginning of a line
■ CTRL + E Move to the end of a line
■ CTRL + R Redisplay a line
■ CTRL + K Erase all from cursor to end of line
■ CTRL + X Erase all from cursor to beginning of line
■ CTRL + W Erase a word
■ CTRL + Z Exit configuration mode

The autocommand Feature

Cisco routers can automate tasks that are associated with terminal lines using the autocommand option. autocommand allows the execution of any EXEC mode command when a connection is established to a terminal line. This is convenient when you want to control the operating characteristics of a dial-in modem.

For example, if you want to have users dial in to an access server and connect to a UNIX host, this can be done automatically as soon as the session is established. In the following example, the autocommand feature establishes a session to a UNIX host with an IP address of 192.168.1.1.
    line vty 129
     autocommand connect 192.168.1.1

The autocommand feature can issue any EXEC command, not just Telnet sessions. You can configure the autocommand feature for remote support by technical staff; if you want them to be able to dial in and view the TCP/IP routing table, you can use the autocommand feature to automate this process, as illustrated in the following example:

    line vty 129
     autocommand show ip route

Menus

Menus can be configured within Cisco IOS to provide users connecting to a router with an easy-to-use interface. Users do not need to learn the underlying command syntax to accomplish basic tasks. The following is an example of a basic menu that users can utilize to access network services.

    Welcome to the Corporate Network
    Type a number to select an option;
    Type 9 to exit the menu.

    1    Connect to VMS (LAT)
    2    Connect to the IBM Mainframe (TN3270)
    3    Read E-Mail
    4    Start PPP
    9    Exit the Menu

When users connect to this router, this is the menu they see. The following is the command structure for the menu shown previously:

    menu Basic title ^C
    Welcome to the Corporate Network
    Type a number to select an option;
    Type 9 to exit the menu.^C
    menu Basic text 1 Connect to VMS (LAT)
    menu Basic command 1 LAT CENTRAL
    menu Basic text 2 Connect to the IBM Mainframe (TN3270)
    menu Basic command 2 tn3270 mainframe
    menu Basic text 3 Read E-Mail
    menu Basic command 3 telnet mail.corp.com
    menu Basic text 4 Start PPP
    menu Basic command 4 ppp
    menu Basic text 9 Exit the Menu
    menu Basic command 9 exit
    menu Basic clear-screen
    menu Basic default 3

Menus can have a title that is displayed when the menu starts, which is created with the menu name title delimiter command. The delimiter is the ASCII character the router will use to signify the end of the character string used for the title. Typically, you would not want to use a standard letter, because that letter may appear
in the text you enter. A rarely used character such as a tilde (~) can save you quite a bit of frustration.

To create the entries the users will see when the menu is executed, you use the menu name text item text command.

■ Item The number that you want to appear next to the text.
■ Number The number that the users will use to invoke that particular selection.

It is important to note that menus can only have 18 entries, but Cisco has built in the ability to create submenus.

When all entries have been created, configure the commands that will be executed when a user picks a menu option. To do this, you use the menu name command item text format. The item is the number of the command you want to use, while the text is the actual command executed. It is important to note that the value placed in the text portion corresponds exactly to the command a user would enter if they were connected to the router with no menu system.

You also have some additional controls over the way a menu is displayed and operates. Commands such as menu name clear-screen make the router insert 24 new lines, which effectively clears the screen. It is important to note that the menu system default is a standard "dumb" terminal that only displays text in a 24-line-by-80-column format. With the use of submenus, a very complex and feature-rich menu system can be created. It is important to note that all menus should have an exit menu option; otherwise, you can get stuck in a menu loop with no way to exit.

CATOS Command Syntax and Basic Configuration

There are several ways to configure a Cisco Catalyst switch. We do not cover configuration via menu selection or via Web interface, as they provide enough structure and information to guide you through the process of configuration. Instead, we focus on CLI configuration, which is more complex and has more parameters with which to contend.
Our discussion is complicated by the fact that the OS for the Catalyst line has been and is still evolving into the more familiar Cisco IOS syntax (variously known as integrated or native mode). However, there is still a large base of switches that have the "original" Catalyst OS on them, known by its legion of trusty set commands. Further compounding the confusion of what commands to use are semi-evolved versions of the Catalyst OS that contain commands that appear to be a mix of IOS and CATOS commands. We discuss and provide examples of using both types of commands to accomplish the same task.

You console or Telnet (if networking is configured) to the switch, and execute the necessary commands at the prompt. The CATOS automatically saves the changes as you make them; the CAT IOS does not.

Configuring Network Parameters

If you want to manage your switch remotely (Telnet, SNMP, and other means that require an IP address), you need to configure the network parameters of that switch, including an address, mask, and default gateway at a minimum. There are currently three types of management interfaces used by the CATOS for management:

■ SL0 SLIP-based connection to the console port on the SE module for out-of-band management. This can be used for remote dial-in sessions to the switch via a modem.
■ SC0 A logical in-band management interface assigned to VLAN1 by default, but can be assigned to any VLAN. Doing so will make it reachable provided that you have a route to and from its assigned VLAN.
■ ME1 A reserved, dedicated Ethernet port for out-of-band management of the switch. It is not assigned to any VLAN, but exists as a "stand alone" network port.

The following shows how to configure these management interfaces. Notice that since we are using addresses from the same subnet for SC0 and ME1, we downed one interface in favor of the other in order to operate.
We also, for fun, put SC0 in VLAN999 before we downed it, just to show that we are the boss of this switch and can put the SC0 interface in any VLAN we want. We also identified the default gateway.

    set interface sc0 1 10.11.20.111/255.255.254.0 10.11.21.255
    set int sc0 999
    Interface sc0 vlan set.
    set interface sc0 down
    set interface me1 10.11.20.110 255.255.254.0 10.11.21.255
    set ip route default 10.11.20.1

On a switch with IOS, the above interfaces do not exist. Instead, you specify and address a VLAN on the switch as follows. While this example shows the management interface in VLAN1, it can actually be in any VLAN.

    interface vlan 1
     ip address 10.11.20.110 255.255.254.0
    ip default-gateway 10.11.20.1

Once you have configured networking on the Catalyst, you can then Telnet in or perform other network tasks on the switch.

Securing the Switch

To protect the Catalyst, you can use local authentication, or authenticate via a TACACS, RADIUS, or Kerberos server. In our example, we show both methods. To use local authentication with CATOS, specify:

    set password cisco
    set enablepass cisco

To use TACACS+:

    set authentication enable tacacs all primary
    set authentication login tacacs all primary
    set tacacs server 10.11.20.20 primary

With Catalyst IOS, the same thing is accomplished with the following series of commands.

    enable password cisco
    enable secret cisco
    line vty 0 4
     password cisco
    aaa new-model
    aaa authentication login default group tacacs+
    tacacs-server host 10.11.20.20

Creating VLANs

VLANs define and contain the broadcasts for a network. The first step in VLAN creation (regardless of which OS is being used) must be to define the Virtual Trunking Protocol (VTP) domain. VTP is used between switches to exchange information about the VLANs that each services. Each switch can belong to only one VTP domain at a time; information is only exchanged by switches in the same VTP domain.
Without VTP, switches would not be able to share information about their VLANs. A switch can operate in one of the following VTP modes.

■ Server Can create and modify VLANs, which are advertised throughout the VTP domain. This is the default mode.
■ Client Does not originate or modify any VLANs; receives information from the server.
■ Transparent Does not use or depend on VTP, nor are VLANs created on it sent to other switches in the VTP domain. Essentially turns off VTP on the switch. In VTP transparent mode, VLAN configurations are saved in nonvolatile memory, but they are not advertised to other switches.

To define VLANs, execute the following series of commands. The set vlan command is used to add ports to a VLAN.

    # vtp
    set vtp domain BEST_CISCO_BOOK
    set vlan 999 name BEST_CISCO_BOOK
    set vlan 999 4/3

The native mode equivalent is:

    vlan database
    vtp domain BEST_CISCO_BOOK
    vlan 999 mtu 1500
    exit
    interface fa4/3
     switchport mode access
     switchport access vlan 999

Port Configuration

You can change the parameters of a port such as its speed, duplex settings, and other parameters as shown. Port security allows you to restrict what MAC addresses may be connected to a particular port: you can simply enable it with no parameters and the first detected MAC address will be the only one allowed on this port, or you can specify MAC addresses (up to 1024) manually. The other port commands used in this section are self-explanatory by their names.
When port security is enabled, the port cannot be a trunk or have SPAN enabled.

    set port security 4/3 enable aa-bb-cc-dd-ee-ff
    set port speed 4/3 100
    set port name 4/3 Best_Cisco_Port
    set port duplex 4/3 auto

The CAT IOS version of the same commands is:

    interface fastethernet4/3
     description Best_Cisco_Port
     speed 100
     duplex auto
     port security

The port security command is slightly different in the IOS for the Catalyst in that you cannot specify a MAC address.

Enabling Trunking

Trunking is the use of switch ports to transport multiple VLANs, often with several ports grouped together with Etherchannel to provide redundancy and the increased bandwidth necessary to transport multiple networks. The process of configuring a port as a trunk is simply a matter of identifying it as such. Cisco supports two types of trunking. Cisco developed the InterSwitch Link (ISL) trunking protocol for its switches. The IEEE developed 802.1q as a vendor-independent standard for trunking. ISL can only be used on Cisco products, while 802.1q can enable interoperation with non-Cisco switches. Auto-negotiation of a trunking protocol is possible (for example, set trunk 4/11 desirable negotiate). Since we are firm believers in vendor-independent standards, we configure for 802.1q in our examples. We clarify the parameters and options associated with the various trunk commands.

    set trunk mod_num/port_num [on | off | desirable | auto | nonegotiate] [isl | dot1q | negotiate]

■ On Converts ports to a trunk.
■ Off Converts trunk to a regular port.
■ Desirable Converts port to trunk if neighbor is configured for trunking.
■ Auto Port is converted to trunk if neighbor trunking state is on or desirable.
■ Nonegotiate Neighbor trunk has to be manually configured.
■ ISL Specifies ISL as the trunking protocol.
■ Dot1q Specifies 802.1q as the preferred trunking protocol.
■ Negotiate Will negotiate which trunking protocol to use with a neighbor.

By default, when you define a trunk, all VLANs will be transported over it. If this is not desirable, you can remove all VLANs from the trunk with the clear trunk command, and then add only those VLANs you want to trunk with set trunk x/x ####, where x/x is the port being trunked and #### is the number of the VLAN to be transported. The following example shows how to configure a trunk on a switch using CATOS commands.

    set trunk 4/1-2 on dot1q

Complete this command on the neighboring switch, and you will have an 802.1q trunk transporting all VLANs. You can confirm the status of your trunking efforts with:

    Syngress_4006 (enable) show trunk
    * - indicates vtp domain mismatch
    Port      Mode         Encapsulation  Status        Native vlan
    4/1       nonegotiate  dot1q          trunking      1
    4/2       nonegotiate  dot1q          trunking      1

    Port      Vlans allowed on trunk
    4/1       1-1005
    4/2       1-1005

    Port      Vlans allowed and active in management domain
    4/1       1,998-999
    4/2       1,998-999

    Port      Vlans in spanning tree forwarding state and not pruned
    4/1       1,999
    4/2       1,999

Trunking on a Catalyst IOS switch is configured through the process shown. The ports to be used for trunking are configured as pure Layer 2 interfaces. The switchport command configures the port to be a trunk, as well as specifying parameters such as 802.1q.

    interface FastEthernet4/1
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface FastEthernet4/2
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk

View your trunk port details with show interface fastethernet 4/1 trunk, for example.
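As an added example that is not from the book, the following Python script parses show trunk output of the form shown above and reports trunks whose allowed list still spans the full 1-1005 range, the condition the text says you correct with clear trunk followed by set trunk for each VLAN you actually need. The sample output is constructed to match the listing above.

```python
"""Audit CatOS `show trunk` output for trunks that still carry every VLAN."""

# Constructed sample, modelled on the `show trunk` output shown in the text.
SHOW_TRUNK = """\
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
 4/1      nonegotiate  dot1q          trunking      1
 4/2      nonegotiate  dot1q          trunking      1

Port      Vlans allowed on trunk
 4/1      1-1005
 4/2      1-1005

Port      Vlans allowed and active in management domain
 4/1      1,998-999
 4/2      1,998-999

Port      Vlans in spanning tree forwarding state and not pruned
 4/1      1,999
 4/2      1,999
"""

# Title of each VLAN table in the output -> key used in the parsed result.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand_vlans(spec):
    """Expand a CatOS VLAN list such as '1,998-999' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {mode, encapsulation, status, native_vlan, allowed, ...}}."""
    trunks = {}
    section = "status"  # the first table lists mode/encapsulation/status/native
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("*", "---")) or "(enable)" in line:
            continue  # legend, separator rule or the command prompt itself
        if line.startswith("Port"):
            section = SECTIONS.get(line[4:].strip(), "status")  # table header
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "status":
            entry.update(mode=fields[1], encapsulation=fields[2],
                         status=fields[3], native_vlan=int(fields[4]))
        else:
            # A row with no VLAN list (after `clear trunk`) yields an empty set.
            entry[section] = expand_vlans(fields[1] if len(fields) > 1 else "")
    return trunks

def trunks_carrying_all_vlans(trunks, last_vlan=1005):
    """Ports whose allowed list still spans the whole default range 1-last_vlan."""
    everything = set(range(1, last_vlan + 1))
    return sorted(p for p, t in trunks.items() if t.get("allowed", set()) >= everything)

def unused_allowed_vlans(trunk):
    """VLANs the trunk would carry although they are not active in the VTP domain."""
    return trunk["allowed"] - trunk["active"]

if __name__ == "__main__":
    parsed = parse_show_trunk(SHOW_TRUNK)
    for port in trunks_carrying_all_vlans(parsed):
        idle = len(unused_allowed_vlans(parsed[port]))
        print(f"{port}: allows all VLANs, {idle} of them inactive; "
              f"trim with `clear trunk {port}` and `set trunk {port} <vlan>`")
```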
Network Monitoring and Packet Capture

All Cisco Catalyst switches have the ability to copy traffic inbound and outbound on any port to another port for monitoring and analysis. This feature, known as Switch Port Analyzer (SPAN), is useful for determining what traffic, in what amounts and types, is transiting a particular switch port. On a CATOS switch, SPAN is enabled and disabled with the following commands. If you are going to use SPAN regularly, ensure that the first SPAN command you learn is set span disable all to turn off all SPAN operations.

    set span disable [dest_mod/dest_port | all]
    set span {src_mod/src_ports | src_vlan} {dest_mod/dest_port} [rx | tx | both]
        [filter {vlan}] [inpkts {enable | disable}] [learning {enable | disable}]
        [multicast {enable | disable}] [create]

For example, to monitor all traffic from port 3/1 to monitoring port 4/1, you would execute the following command. By default, traffic transmitted and received on the port is captured.

    set span 3/1 4/1

The CAT IOS equivalent is provided here.

    [no] port monitor [interface | vlan vlan-id]

Notice that you execute this command on the monitoring interface by identifying the source interface or VLAN, as shown.

    interface Fastethernet4/1
     port monitor fa3/1

You are Not Alone—Resources for Cisco Hardware and Software

The configuration of Cisco products can become quite complex as your network grows, or the demand for new services increases. It can be a very delicate balancing act to get the mix of hardware and software working exactly as needed. Complications can arise as you add new hardware, turn on new features, or bugs are discovered at the last minute.
When that happens, knowing where to go for assistance can be invaluable, especially when it is just you at 2:00 AM needing a solution by 6 AM and it is something that you have never seen before. The following are resources that can be of great assistance for whatever problems you may encounter, or if you need to master new hardware, software, or features in general.

Cisco Technical Support—General

Your starting point for obtaining assistance from Cisco is the Technical Support page at www.cisco.com/en/US/partner/support/index.html, shown in Figure 1.32.
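Bringing together the Securing the Switch, Port Configuration, Enabling Trunking and Network Monitoring sections, this added Python audit (not the book's code) reads a Catalyst IOS configuration and reports the points those sections raise: a missing enable secret, vty lines with neither a password nor AAA, trunks carrying every VLAN, access ports without port security, and port monitor (SPAN) sessions left active. The configuration is constructed from the chapter's own IOS snippets; the switchport trunk allowed vlan check is the IOS counterpart of the clear trunk / set trunk restriction described for CATOS.

```python
"""Audit a Catalyst IOS configuration for the hardening points raised in this chapter."""

# Constructed sample assembled from the Catalyst IOS snippets in the text.
CONFIG = """\
enable password cisco
enable secret cisco
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 10.11.20.20
!
interface FastEthernet4/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet4/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 port monitor fa3/1
!
interface FastEthernet4/3
 switchport mode access
 switchport access vlan 999
 port security
!
interface FastEthernet4/4
 switchport mode access
 switchport access vlan 999
!
line vty 0 4
 password cisco
"""

def parse_config(text):
    """Split IOS config text into (header, [indented sub-commands]) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())  # sub-command of the open block
        else:
            blocks.append((line, []))  # global command or a new block header
    return blocks

def has_prefix(cmds, *prefixes):
    return any(c.startswith(prefixes) for c in cmds)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_config(text)
    headers = [h for h, _ in blocks]
    findings = []
    if not has_prefix(headers, "enable secret"):
        findings.append("global: no enable secret; privileged mode has at best an enable password")
    elif has_prefix(headers, "enable password"):
        # enable password is kept in cleartext or reversible type 7 form, so it adds no protection.
        findings.append("global: enable password is redundant beside enable secret; remove it")
    aaa = "aaa new-model" in headers
    for header, cmds in blocks:
        if header.startswith("line vty") and not aaa and not has_prefix(cmds, "password"):
            findings.append(f"{header}: no password and no aaa new-model")
        if not header.lower().startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if "switchport mode trunk" in cmds and not has_prefix(cmds, "switchport trunk allowed vlan"):
            findings.append(f"{name}: trunk carries all VLANs; restrict with switchport trunk allowed vlan")
        if "switchport mode access" in cmds and not has_prefix(cmds, "port security",
                                                               "switchport port-security"):
            findings.append(f"{name}: access port without port security")
        for cmd in cmds:
            if cmd.startswith("port monitor"):
                findings.append(f"{name}: SPAN active ({cmd}); disable it when not in use")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```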

Posted: 13/08/2014, 12:21