Cisco IOS Technologies

CISCO IOS

Just like a computer, a switch or router requires an operating system to drive the hardware. Cisco IOS is the operating system that you will find on Cisco switches and routers and on some other devices like wireless access points.

When you work with Cisco routers and switches you will do most of the configuration using the CLI (Command Line Interface). For some of you this might prove challenging in the beginning and it will take some time to become familiar with the CLI, however once you get used to it I promise that it’s the fastest and most convenient method to configure routers or switches.

The CLI can be accessed by using the blue Cisco console cable (it’s called a rollover cable) or remotely using telnet or SSH. I’ll show you how to do this later in this chapter.

Cisco also offers a GUI (Graphical User Interface):

  1. CNA (Cisco Network Assistant) for switches.
  2. SDM (Security and Device Manager) or CCP (Cisco Configuration Professional) for routers.

SDM was the first version of the GUI but now it has been replaced by CCP.

Since Cisco updated the CCNA exam(s) in 2013, they completely removed SDM and CCP from the CCNA blueprint. You will only have to work with the CLI.

The advantage of a GUI is that it has wizards that let you configure complex things with a few clicks. The downside, however, is that A) you might have no idea what you are doing and B) when you need to troubleshoot you’ll need the CLI 9 out of 10 times.

We will start with the basic configuration of a Cisco device. First I will use a switch to demonstrate the CLI, but the same commands work on a router. Secondly I will demonstrate CCP on a router.

This is the topology that I am using:

Let’s take a switch out of the box and start it, see what it does shall we? I’ll be using the following items:

First of all we need to have a switch. I have a Cisco Catalyst 3560 that I’ll use for my demonstration.

Secondly we’ll need one of those Cisco console cables or we can’t connect our computer to the switch.

If you don’t have a COM / serial port on your computer or laptop, use your USB to serial cable.

The last thing you need is an application to connect to your serial port. You can download PuTTY to start with; it’s a free app (I’m not advertising any of these products, it’s just what I use).

Make sure you select serial and type in the correct COM port number. If you don’t know the COM port number you can look it up in the Windows device manager. Leave the speed at 9600. Click on Open and you will have access to your switch.

When you start a switch for the first time its initial configuration is enough to make it work and “switch” traffic for the computers connected to it.

As soon as you power on the switch this is what it will do:

  1. Check the hardware.
  2. Locate the Cisco IOS image.
  3. Locate and apply the configuration (if available).

This is what it looks like on a real switch:

Above you see that it’s checking the flash drive of the switch. Next step is to load the IOS image that it found on the flash drive:

IOS images are stored on the flash drive in a compressed format; the image is decompressed and copied into the RAM of the switch.

Once IOS is loaded you will see something like this:

Above you see this banner and the IOS version that I’m running. This is a Cisco 3560 switch. Next step is that IOS will check the flash drive:

And once it’s done it will do a POST (Power On Self-Test):

Once the POST is done we’ll get a final warning:

And finally you’ll see an overview of the hardware that this switch offers:

Once the switch is done you finally get to see this message:

If the switch does not have a configuration, you’ll see the following:

If you type yes and press enter it will walk you through a wizard where you can configure some basic settings.

I’m going to skip it since we’ll configure everything ourselves. You’ll end up with this after skipping the wizard:

Right now you are in user mode and you can recognize it because of the > symbol. When you are in user mode you don’t have full access to the device. What we want is privileged mode which is also known as enable mode.

This is how we do it:

That’s it! We are now in privileged mode where we have full access to our device. You can recognize it because of the # symbol. If I want to return back to user mode I can do this:

You’ll probably never use it but you can type disable to get back to user mode.

So you have full access to your device…now what? Welcome to the marvelous world of typing commands to get things done. Let’s start with a simple example. We’ll configure the clock on our switch so I can demonstrate how the CLI works:

Whenever I partially type a command I can use the ? to see my options. I typed in “cl?” and the CLI tells me that there are two commands that start with the letters “cl”. There’s the “clear” command and the “clock” command. Let’s try the clock:

When you see % incomplete command the CLI is expecting more information. Let’s find out: It wants us to type “set” so we can set the time and date. Let’s obey and do it:

It’s still incomplete…let’s see why:

Now we are getting somewhere

The time is right, but IOS tells us it’s expecting something more…

It wants a day and month so let’s give it what it wants:

When I try to type the month something goes wrong. This means that it’s expecting a different input and what I did is not acceptable. The ^ symbol tells us what is invalid. I should have typed “January” instead of the number “1”. Let’s finish the clock:

Once you type in a command that is correct and press enter you won’t see anything like “command accepted”. Only a fresh new empty line proves to us that the command has been accepted. So it’s 2019, why am I sticking to 2013? Ah, because that’s the date when the CCNA changed! The cool thing about the command line is that you don’t have to fully type commands. Let me give you an example:

Typing the letters “clo” is enough for IOS to understand that I meant the clock command. This works everywhere:

Just typing “s” is enough for IOS to understand that I meant “set”. If you don’t type enough letters you will see this:

Your switch will respond with “% Ambiguous command”, which means it doesn’t know what you mean. Here’s why:

Both “clear” and “clock” start with “cl” so IOS doesn’t know which of the two commands you want to use.

The CLI offers a couple of useful shortcuts for us to use:

  1. You can press the TAB button to auto-complete a command or keyword. This is VERY useful. If you type “clo” and then press TAB it will auto-complete “clo” to “clock”.
  2. CTRL-A brings your cursor to the beginning of the line. This is faster than pressing the left arrow.
  3. CTRL-E brings your cursor to the end of the line. This is faster than pressing the right arrow.
  4. CTRL-SHIFT-6 interrupts processes like a PING.
  5. CTRL-C aborts the current command that you were typing and exits configuration mode.
  6. CTRL-Z ends configuration mode.

Cisco IOS keeps a history of all the commands you previously typed in. You can view them with the following command:

Above you see an overview with the commands I have used so far. By default it will only save the last 10 typed commands but we can increase the history size:

Use the terminal history size command to change it. I’ve set it to 30 commands.

By pressing the UP or DOWN arrow you can browse through commands you have previously used.

If you want to see an overview of your device’s capabilities you can use the following command:

Show version will display our model, hardware, interfaces and more. We also saw this output when we just started the switch. And I see that my system is still in 2013: hey, wake up, it’s 2019!

Let’s take a closer look at the interfaces that this switch has:

The show ip interface brief is a very useful command. It shows us all the interfaces and their status. This switch has 24x FastEthernet interfaces and 2x Gigabit Interfaces.

The keyword status tells us whether the interface is up or down. This is the physical status so it means whether there is a cable connected to the interface or not. The keyword protocol tells us if the interface is operational or not. It’s possible that the status shows an interface as up but that the protocol is down because of a security violation.

If we want we can take a closer look at one of the interfaces:

Use the show interface command and specify the interface that you want to look at. Above you can see an example of the FastEthernet 0/2 interface. Some of the things that we see are the status, the speed (100Mbit) and the duplex settings (full-duplex). You can also see the number of incoming and outgoing packets.

So now you have an idea how the CLI works, let’s continue by creating a basic configuration for our device.

Most of the things we want to configure on a Cisco switch or router have to be done from the configuration mode:

Use the configure terminal command to get into the configuration mode. You can recognize the configuration mode because it now says (config)#.

If you try to run a show command from the configuration mode you will get an error like this:

This is because you are running a “global” command from the “configuration mode”. It might be annoying to switch between “global” mode and “configuration mode” all the time so there is a workaround for this:

Type do in front of the show command and it will work anyway.

Let’s give my switch another name. If you have a large network it’s useful to give all of your devices a unique name:

Use the hostname command to change it to whatever you like.

If we want to change the configuration of an interface we need to access the interface configuration. You can do it like this:

Type the interface command and the interface number you want to configure. You can see we are in the interface configuration because it says (config-if)#. If we want we can change the duplex and/or speed settings:

Use the duplex and speed commands to change them. In my example I changed duplex to full and speed to 100Mbit.

If you have many interfaces it might be useful to configure a description so you know which interface connects to which device:

By typing interface I can access the configuration for a specific interface. You can recognize this because the terminal now says (config-if)#. The description command lets us set a description.

If you want to configure a lot of interfaces it might be time-consuming to configure them one at a time.

We can also select a range of interfaces and configure all of them at the same, here’s how to do it:

The interface range command lets us select multiple interfaces. I used it to select interfaces FastEthernet 0/3, 4, 5, 6, 7, 8, 9 and 10.

Whenever you want to go back from the interface configuration to the global configuration mode you can do it like this:

Just type exit and you’ll be back in the global configuration mode.

Right now everyone can connect to our switch and configure whatever they like. It’s a good idea to protect it by setting some passwords. One of the things we can do is protect the console port:

First I use the password command to set a password. I also need to supply the login command otherwise the switch won’t ask for the password. Now every time I connect the blue Cisco console cable this will happen:

Before I get to the user mode I have to type in a console password. This will ensure that not just anyone can connect a console cable and configure our switch.

I can also protect the privileged (enable) mode. Right now it works like this:

We type in “enable” and have full access to the switch. It’s wise to configure our switch so it will prompt for a password every time someone wants to access the privileged mode.

We can do it like this:

Use the enable password command to set a password. Now whenever I want to access the privileged mode this will happen:

Besides setting passwords it might be a good idea to configure a banner with a warning message:

The banner command lets us configure a banner. You need to use a symbol to tell the switch when the banner begins and ends. I used the % symbol but you can use any symbol you like. Now whenever someone wants to log into our switch this is what they will see:

Above you see the banner that I configured.

Right now we are still connected to the switch using the blue console cable. We can also connect to it remotely using telnet or SSH. We will have to configure an IP address on our device first if we want this.

This is how you do it on a switch:

The VLAN 1 interface can be used for management. I need to type in an IP address and subnet mask. This interface is disabled by default so I need to type no shutdown to activate it.

If you have a router you can configure an IP address like this:

On a router you have to configure an IP address on one of the interfaces. I’ll use the FastEthernet 0/0 interface.

Let’s configure telnet so that we can access the device remotely:

A switch or router has a number of virtual lines that you can use for remote access. These are called VTY (Virtual Terminal) lines. I can configure these using the line vty command. In my example I’m selecting VTY line 0 up to 4 so that’s 5 virtual lines total.

I have configured a password; the login command is required, otherwise the switch won’t ask for the password.

Now you can connect a UTP cable from your computer to the switch and use PuTTY to telnet to the switch:

Just select telnet and type in the IP address of your switch. Click on Open and it will connect to it.

Telnet is convenient and easy to configure but it’s also insecure because everything is sent in clear-text. It’s better to configure SSH. SSH can also be used to connect remotely to your switch (or router) but all traffic will be encrypted.

Not all IOS versions offer SSH by default. Check your IOS version to see if it’s possible to configure SSH.

Here’s how to configure SSH:

SSH works with usernames. I’ll create an account for myself and a password.

We need to configure a domain name because SSH requires certificates. You can pick anything you like.

Now we can generate the keys that SSH requires:

Use crypto key generate to generate some RSA keys for SSH. The key should be at least 1024 bits. By default it will enable SSH version 1.99 but for security reasons it’s better to use version 2:

Use ip ssh version 2 to switch to version 2. Last step is to configure the VTY lines:

First we use login local to tell the switch to use the local database with the username that I configured. We also require the transport input command so that we only allow SSH and no telnet.

We can test our configuration with putty:

Click on the SSH button and type in the IP address of the device. Click on Open and you’ll be able to connect.

Everything that you configure on a switch or router is stored in a configuration file called the running-configuration.

You can take a look at the running configuration like this:

Use the show running-config command to take a look at the running configuration. This is the configuration that is active at the moment.

If you want to remove something from the running-config you can use the no keyword in front of it. For example:

Typing no hostname Godzilla would remove this line from the running-config.

The running-config is active in RAM which means that if you power off your device, your configuration is gone.

Of course we can save our running-config in a permanent location; this is how we do it:

We need to use the copy command to copy the running-config to the startup-config. The startup-config is saved in NVRAM. Whenever you power on your device, it will look for the startup-config in the NVRAM and copy it to the running-config in our RAM.

If you want to remove your configuration we can delete the startup-config:

Type erase startup-config to delete it from the NVRAM. You will have to reload your switch or router before this will take effect:

You can do this with the reload command.

If you looked closely at the output of the show running-config command you could see that all passwords are there in clear-text. This doesn’t sound like a very good idea right?

Anyone that has access to our configuration file will have the passwords. There is a command that lets us encrypt all the passwords in the configuration.

The service password-encryption command will encrypt all passwords in the configuration.

Let’s take a look at the difference:

I didn’t include everything from the running-config, just the passwords to keep it readable.

You can see that the passwords have been encrypted and that there’s a “7” in front of the password. This encryption type is called type 7 that’s why you see it.

Now this looks great, but in reality it’s a bad idea to use this form of encryption since it’s really weak.

Of course Cisco has a solution for this. Instead of the poor type 7 encryption we can use MD5 hashes for most of our passwords. This is far more secure so let me show you how to do this for your “enable” password:

Instead of the keyword “password” you should use secret. This will create an MD5 hash of the password and save it in the running-config.

Let’s take a look:

Above you see the MD5 hash of the password, rather than the password itself in an encrypted form.

It might become annoying to browse through the entire running-config every time you want to check just one item. Cisco IOS has a couple of “operators” that we can use to make our lives easier:

Instead of just typing “show running-config” and hitting enter I can use the | include operator so it shows me only the lines that have the word “secret” in them.

I can also use | begin and it will not start at the beginning of the config but at the section that I request. Above I’m using it to show the “line con 0” configuration and everything below.

Any other useful commands? One of the annoying things of the CLI is that whenever you type in a wrong command you’ll see something like this:

By accident I typed “clockk” but this command doesn’t exist. What Cisco IOS thinks is that you typed in the hostname of a device you want to telnet to. As a result it will do a DNS lookup for the hostname “clockk” but of course it will never get a response. This can take 1 or 2 seconds and you can’t abort it. We can solve this by using the following command:

The no ip domain-lookup command will tell our switch that it shouldn’t try any DNS lookups. Now whenever you type in a wrong command you don’t have to wait for a DNS lookup that will never be successful.

Sometimes the CLI will show you notification messages like this one:

It can be useful to see these kinds of messages, but the annoying part is that when you are typing a command, the CLI will output these notifications on top of whatever you are typing.

You can see it in my example above, I was trying the hostname command while suddenly an interface went down. Now I can’t see what I was typing…

There’s a command to prevent this:

Use the logging synchronous command to keep the last line readable. I have to do this for the console and the VTY lines (telnet or SSH) separately. Let me show you the difference:

Above you see that the command line is now at the bottom and the notification appeared above it.

When you are taking a break from playing with your device you’ll notice that Cisco IOS will kick you out of the CLI after a while and you’ll have to login again.

We can prevent this:

Setting it to 0 with the exec-timeout command means the console will never kick you out. This is useful for our lab environment but in a production network I wouldn’t recommend this for security reasons.
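The password, telnet/SSH, type 7 versus secret, service password-encryption and exec-timeout points from the sections above, turned into a small audit that a defender can run over a saved running-config. This is an added example, not code from the tutorial or from Cisco; the config text is constructed for it (the type 7 strings are dummies, not real encodings of any password) and the pipe_include helper mimics the | include operator discussed earlier.

```python
# Constructed sample running-config for this example; the type 7 strings are
# dummies and do not encode any real password.
RUNNING_CONFIG = """\
hostname Godzilla
no service password-encryption
enable password 7 0123456789ABCDEF
username admin password lab-only
ip ssh version 2
line con 0
 password 7 00112233445566
 login
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 transport input telnet ssh
end
"""


def pipe_include(text, word):
    """show running-config | include <word>: only the lines that contain the word."""
    return [l for l in text.splitlines() if word in l]


def line_sections(config):
    """Group the indented sub-commands under each 'line con/vty' header."""
    blocks, current = {}, None
    for l in config.splitlines():
        if l.startswith("line "):
            current = l.strip()
            blocks[current] = []
        elif l.startswith(" ") and current is not None:
            blocks[current].append(l.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return (severity, message) findings for the weak settings discussed in the text."""
    findings = []
    if pipe_include(config, "enable password"):
        findings.append(("high", "enable password set; use 'enable secret' (MD5 hash)"))
    for l in pipe_include(config, "username "):
        if " password " in l:
            findings.append(("high", "username %s uses 'password'; use 'secret'" % l.split()[1]))
    for l in pipe_include(config, " password 7 "):
        findings.append(("medium", "type 7 (reversible) password: %s" % l.strip()))
    if "no service password-encryption" in config or "service password-encryption" not in config:
        findings.append(("medium", "service password-encryption is off; passwords stored in clear text"))
    if not pipe_include(config, "ip ssh version 2"):
        findings.append(("medium", "ip ssh version 2 not set; SSH version 1 is still accepted"))
    for name, cmds in line_sections(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if name.startswith("line vty") and any("telnet" in c or c.endswith(" all") for c in transports):
            findings.append(("high", "%s allows telnet (clear text); use 'transport input ssh'" % name))
        if "exec-timeout 0 0" in cmds:
            findings.append(("low", "%s has exec-timeout 0 0; idle sessions never expire" % name))
    return findings
```

Replacing the weak lines with enable secret, username ... secret, service password-encryption, transport input ssh and a non-zero exec-timeout makes audit() return an empty list.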

Besides the CLI we can use the GUI to configure our switches or routers. CCP is no longer in CCNA exams!