
Cisco IOS for dummies

Beginners class today

Markus Germeier mager@tzi.de

This course
Basic knowledge about Cisco hardware/software
Introduction to Cisco's IOS
How to configure an IOS-based switch
Examples for Cat2950 / Cat3550
Basic admin tasks
NOT covered: advanced features, routing, CatOS

Cisco
World-wide one of the biggest suppliers of network hardware (about 60% of the world-wide market)
Near 100% probability that a packet will pass a Cisco machine while travelling the internet
Single point of failure? Monocultures are never good!
Latest security bug (were we lucky?)

Cisco Hardware
Wide range from small (AP, VoIP phone, ...) to big (ISP core routers)
Main software is IOS
But others exist: web interfaces (older AP, VoIP), CatOS for older Catalysts / Supervisor boards

Cisco Catalyst Switches
Big hardware: fully hot-swappable / redundant
Slot 1: Supervisor board
N slots for extensions: network ports, feature cards (e.g. RSM, MSFC, ...)

Cisco IOS
Internetwork Operating System
One size fits all (??) Not really: highly dependent on hardware/version
Main interface: command line (CLI), via console and telnet
Newer versions: web interface (don't use it!) and SSH (v1.5, single/triple DES)

IOS user management
Old model: no users, only passwords
Privilege levels: from 0 (user "nobody") to 15 (user "root")
Login with the user password
To configure: enable + enable password (== su -)
New model: define users with privilege levels
One exception: on the console, priv 15 -> priv 0 downgrade, thus enable + password still needed

Cisco IOS CLI
Comfortable user interface
Command completion: <TAB>
Got stuck / what command was that? <?> shows all available commands and the next required parameter
<?>: anyplace, anytime, anywhere
Command shortening:
show version -> sh ver
Usually use the short command (beginners: use <TAB>!!)

IOS configs
Getting started:
show version -> sh ver (HW/SW info)
show interfaces -> sh int

Two configurations:
running-config (the current configuration): sh run
startup-config (config loaded after a reload): sh start

BEWARE: only non-default entries are shown (so what are the default entries? That depends ...)

IOS edit config
Changing the running configuration -> changes take immediate effect (this is dangerous!!)
To configure: configure terminal -> conf t
To exit from configuration: exit (up one level) or <CONTROL>-Z to quit configuration mode
After changes, check the config: sh run
Everything is fine: copy run start
Something bad happened: reload or hard power-cycle, the startup-config will be loaded

IOS edit config (2)
Disable command X: no X (copy the whole command line!)
Disable an interface: shutdown
Classical small reboot: shut + no shut on the interface

IOS interfaces
Physical interfaces (numbers depending on HW), in general: Hardware{slot/}number
FastEthernet0/X (F0/X)
GigabitEthernet0/X (G0/X)

Show interface configuration:
sh run int F0/1

Show interface status:
sh int F0/1

IOS interface status
switch-cat3550-0195-1#sh int g0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 000c.ce42.b681 (bia 000c.ce42.b681)
  Description: Uplink c100-e3
  [...]
  Full-duplex, 1000Mb/s
  [...]

IOS Interface status (2)
  5 minute input rate 2219000 bits/sec, 234 packets/sec
  5 minute output rate 2725000 bits/sec, 381 packets/sec
     310311669 packets input, 132621980 bytes, 0 no buffer
     Received 911690 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 675982 multicast, 0 pause input
     0 input packets with dribble condition detected

Rule of thumb: <1000 packets/sec is OK. Look out for errors (== link/cable problems).
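As an added example (not part of the slides), a small Python check that applies the rule of thumb above to pasted "sh int" output: it parses the packet rates and the error counters and reports anything over 1000 packets/sec or with non-zero input/CRC errors. The first sample is taken from the slide's excerpt; the second sample is constructed to show the warning path.

```python
import re

# Sample 1: the slide's own sh int g0/1 excerpt (trimmed to the lines we parse).
SAMPLE_OK = """GigabitEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s
  5 minute input rate 2219000 bits/sec, 234 packets/sec
  5 minute output rate 2725000 bits/sec, 381 packets/sec
     310311669 packets input, 132621980 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

# Sample 2: constructed output for a busy port with a bad cable (made-up numbers).
SAMPLE_BAD = """FastEthernet0/7 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s
  5 minute input rate 9000000 bits/sec, 1460 packets/sec
  5 minute output rate 1200000 bits/sec, 210 packets/sec
     52331 packets input, 9812231 bytes, 0 no buffer
     417 input errors, 417 CRC, 0 frame, 0 overrun, 0 ignored
"""

PPS_LIMIT = 1000  # rule of thumb from the slide: < 1000 packets/sec is fine

def parse_show_interface(text):
    """Extract name, link/protocol state, packet rates and error counters from sh int."""
    info = {}
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    info["name"], info["link"], info["protocol"] = m.group(1), m.group(2), m.group(3)
    for direction in ("input", "output"):
        m = re.search(rf"5 minute {direction} rate \d+ bits/sec, (\d+) packets/sec", text)
        info[f"{direction}_pps"] = int(m.group(1)) if m else 0
    m = re.search(r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored", text)
    keys = ("input_errors", "crc", "frame", "overrun", "ignored")
    info.update(zip(keys, (int(v) for v in m.groups()) if m else (0,) * 5))
    return info

def check_interface(text):
    """Return warnings (empty list == OK) based on the slide's rule of thumb."""
    info = parse_show_interface(text)
    warnings = []
    if info["link"] != "up" or info["protocol"] != "up":
        warnings.append(f"{info['name']}: link {info['link']}, line protocol {info['protocol']}")
    for direction in ("input", "output"):
        if info[f"{direction}_pps"] >= PPS_LIMIT:
            warnings.append(f"{info['name']}: {direction} rate {info[f'{direction}_pps']} packets/sec >= {PPS_LIMIT}")
    if info["input_errors"] or info["crc"]:
        warnings.append(f"{info['name']}: {info['input_errors']} input errors, {info['crc']} CRC (check link/cable)")
    return warnings

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_interface(sample) or "ok")
```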

IOS VLANs
Defining a VLAN:
Older versions: logical interface: int vlanX
Newer versions: vlan database
show vlans
vlan X (define a VLAN, options possible)
apply (save the latest VLAN modifications, don't forget!)

Logical VLAN interfaces are only used for assigning IP addresses

IOS configure interfaces
conf t
int F0/Y
switchport access vlan X
Interface F0/Y is now a member of VLAN X
Reminder: VLANs in the FB3 domain:
VLAN X -> 134.102.X/24
VLAN 83 -> 134.102.112/21
VLAN 86 -> 172.21/16
VLAN 229 -> 134.102.124/24

IOS configure trunks
Trunk: here, a physical link which transmits more than one VLAN
Two protocols: ISL (Cisco) and IEEE 802.1q (== dot1q); dot1q is the standard
conf t, int G0/X as usual
switchport mode trunk (== this port is a trunk)
switchport trunk allowed vlan 1,86,218,224
switchport trunk encapsulation dot1q (Cat 3550 only)
The Cat3550 speaks ISL and dot1q (the 2950 is dot1q-only)

Cisco 2950/3550 step by step
Configure via console: 9600, 8N1
Initial setup: should be OK, no need to give an IP address
Three passwords (login, secret, enable)
Start configuration: conf t
no ip http server
hostname switch-catXXXX-YYYY

step by step (2)
Configure users and passwords:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
service password-encryption
username root privilege 15 password XXXXXX
enable password XXXXXX

sh run then shows:
username root privilege 15 password 7 0011223344
enable password 7 4433221100
BEWARE: keep these lines secret (not a one-way function!!!)

step by step (3)
Configure DNS server and domain:
ip domain-name informatik.uni-bremen.de
ip name-server 134.102.218.46
ip name-server 134.102.200.14

Configure time server and logging timestamps:
ntp server 130.149.17.21
ntp server 192.43.244.18
ntp peer 134.102.204.114
service timestamps debug datetime msec
service timestamps log datetime msec

step by step (4)
Define available VLANs (this is outside of configure terminal):
vlan database
vlan X
vlan Y
apply
exit

Define a logical interface with IP address:
int vlan X
ip address 134.102.X.Y 255.255.255.0

step by step (5)
Define a trunk (uplink):
interface GigabitEthernet0/11
description Uplink from FooBar
switchport trunk encapsulation dot1q (3550 only)
switchport trunk allowed vlan 1,X,Y,Z
switchport mode trunk

(The switch should now be remotely accessible)
Define VLANs for every interface:
switchport access vlan X

step by step (6)
Loghost:
logging facility local1
logging 134.102.X.Z

Miscellaneous (this needs checking):
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id

Define useful aliases:
alias exec 0 term len 0
alias exec c conf t
alias exec cpu sh proc cpu
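As an added example (not from the slides), a Python audit that reads a running-config saved from sh run and checks the points the step-by-step slides set up: new-model AAA, web interface off, password encryption, timestamps, NTP and a loghost. It also flags every type-7 password line, since that encoding is reversible; the hardened sample shows the same config with "secret" (a one-way hash) instead. The sample configs, hostnames, addresses and hash strings are all constructed placeholders.

```python
import re

# Constructed running-config in the shape the step-by-step slides produce.
RUN_WEAK = """hostname switch-catXXXX-YYYY
no ip http server
aaa new-model
aaa authentication login default local
aaa authorization exec default local
service password-encryption
username root privilege 15 password 7 0011223344
enable password 7 4433221100
ip name-server 134.102.218.46
ntp server 130.149.17.21
service timestamps log datetime msec
logging 134.102.X.Z
"""

# Same config with the reversible type-7 entries replaced by 'secret' lines
# (placeholder hashes, not real ones).
RUN_HARDENED = (RUN_WEAK
    .replace("password 7 0011223344", "secret 5 $1$PLACEHOLDER")
    .replace("enable password 7 4433221100", "enable secret 5 $1$PLACEHOLDER"))

REQUIRED = [
    ("aaa new-model", "new-model user management not enabled"),
    ("no ip http server", "web interface still enabled"),
    ("service password-encryption", "passwords stored in clear text"),
    ("service timestamps log datetime msec", "log messages without timestamps"),
]

def audit_config(text):
    """Return a list of findings (empty == passes the slides' checklist)."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    for needed, why in REQUIRED:
        if needed not in lines:
            findings.append(f"missing '{needed}': {why}")
    if not any(ln.startswith("ntp server ") for ln in lines):
        findings.append("no ntp server configured")
    if not any(re.match(r"logging \S+$", ln) for ln in lines):  # 'logging <host>'
        findings.append("no loghost configured")
    # Type 7 is reversible: anyone who can read the config can recover the password.
    for ln in lines:
        if re.search(r"\bpassword 7 \S+", ln):
            findings.append(f"reversible type-7 password: '{ln.split(' 7 ')[0]}' (use 'secret' instead)")
    return findings

if __name__ == "__main__":
    print(audit_config(RUN_WEAK))
    print(audit_config(RUN_HARDENED) or "ok")
```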

Cisco Discovery Protocol
IOS announces its presence on every link (layer 2): platform, SW version, IP address, outgoing port
Enabled by default on every interface
Disable: no cdp enable (e.g. wanted on ATM)
Check the information:
sh cdp neighbors
sh cdp entry * (verbose: all gathered information)

Standard admin tasks
Tools like ping/traceroute/telnet are available
Advanced mode: e.g. ping <RETURN>
Pipe/grep-like command available, only for long-output commands:
command | {begin,exclude,include} expression
Very useful: sh arp (+ grep), sh mac-address-table (+ grep)

IOS update
Don't do it! I'm serious!!!
First problem: a CCO account with permissions to download software is needed (-> ZfN)
Find out the current SW version running (sh ver)
Find out the new needed version (Cisco documentation!)
READ the documentation!!
Always have a known-good image ready
Check the reboot on the serial console!!
Worst case: machine does not boot -> Boot ROM

IOS update (2)
Check space on the internal flash
Delete unwanted stuff (e.g. delete html/*)
DOS-like commands: dir, delete, copy
dir or dir flash: (bootflash:, slotX:, ...)
Copy the new image to flash (rcp and tftp available), usually TFTP:
copy tftp://134.102.218.99/newimage.bin flash:
Check the image: verify flash:newimage.bin

IOS update (3)
Check the configuration register (sh ver): the lowest two bits define the boot behaviour; both set: use user config (this is wanted!)
Check the current boot path: sh boot; empty path: use the first image found on flash
boot system flash:newimage.bin;flash:oldimage.bin
Check everything again! reload and cross your fingers

Hints to get started
Use show a lot: sh ? and sh X ?
Use command ? a lot! (find out about parameters)
Unknown interesting command? Use Google:
site:cisco.com command foo 12.1
site:cisco.com command foo 2950
term mon + sh log
