All right, it's time to continue on in the switching base configuration.
Before we do, I have to show something really cool that I just discovered.
So, so CBT Nuggets got me this, this keyboard from Logitech which is a solar keyboard
which is the cool in and out of it. So that actually has like little solar panels
on this thing, but I went for the Numlock and I accidentally hit this button.
It's a little sunshine on there. Now, come on, that is awesome.
I've got like a lux meter for my keyboards that's,
that tells me how much solar energy my keyboard is getting and, you know, and see,
so I'm walking around obviously blocking my fluorescent lighting.
So fluorescent lights apparently charge this keyboard but look I can put my hands over,
it's like, "Oh no, down, look, zero, energy reserves."
You know, you move your hands off and. So, so this-- this I've got to say, thank
you Logitech. Nice touch.
You could have just done the solar keyboard and that would have been cool,
but adding the little lux meter there, that was something.
Okay, so before we dive into the new stuff, let's recap what we did in the last nugget.
We went in, global config mode and set the host name.
We learn about negating the command by putting no in front of anything that we could type.
We could type in the console password. We went under line console zero and put in
the password. And also typed in login to require logins
to that port because it didn't work otherwise. Exactly the opposite with Telnet where login
is the default, remember that, with no password under there.
So we need to set a password for the remote Telnet.
And then we learned about the enable password and enable secret which are two different things
that do the same thing, one an old command which was enable password and you type
in your password which stores it in a clear text format in the running config.
Also, enable-- well, actually, sorry about-- My mind just jump to another topic, I want
to-- Hey, I'm going go write something down.
I don't want to forget about this. I'll just put sync, or let me just do it S-Y-N
and then what was the-- P-W-E-N-C. Just those would be my quick reminders to
make sure I don't forget that. So, enable password, clear text, enable secret
being the encrypted or hash version of the password that's stored in the running
config. If you turn on the enable secret, then the
enable password is no longer used. It's just there for backwards compatibility.
So that's, that's where we've come from. Now before, before we-- all these things that
are coming to my mind that I want to show you.
Before we dive into the new stuff, I actually want to talk about this, this little junk
notes that I'm putting down that at the bottom.
These aren't really, I would say commands that you would, you would say "Oh man,
you got to know for certification." Or you've got to know that for real but
man, I will tell you, they will, they will make it just easier to work with.
This is good advice. So let me, let me first off get back in to
my switch from-- This is, I left the config from the last nugget,
still on here. Now you notice that I'm logged out.
That is because on the console port, there is a time-out setting.
So after you are idle for so long, it will kick you off and put you back to the log on
screen, that's good security, but a lot of times if
you're in a lab environment and you're trying to learn that kind of scene, CBT Nuggets,
that kind of thing, it's handy to not be kicked off the device.
So, what I can do is I can go into global configuration mode, go into line VTY--
sorry, not VTY, line consoles, that's where we are.
Line console zero and there's a command that is actually exec dash timeout.
So I can type in exec-timeout and tell it how long I want to be able
to stay idle before I will naturally time-out the connection.
So, I can say, you know, five minutes or 10 minutes or whatever I want.
I can even get, you know, if I do 5 minute, I can get into the seconds and say 5 minutes,
43 seconds countdown, synchronized watches. But for lab environments, now this is lab
environments only. One of the things that I commonly do is I
just, you know, it's lab switch. I'm not really needing to worry about security.
So I'll type in exec-timeout zero zero. And what that does is set my time-out to disabled.
So I will always stay logged in. A matter of fact, a shorter way that you can
do that and this is one of my base commands that I type when I get on the switch is no
exec-timeout and that will turn it off as well.
It says, I'm not going to-- I'm not going to time out.
Okay, so that's, that's kind of handy feature number one that just popped into my head.
Second one is the logging synchronous. And here's, here's what I mean.
All throughout the series, we are going to be getting status messages on the console
port. So let me give you an example, let's say I
want to get out of the line config mode, right? And I want to do some show command.
So, here, I'm going to do this quickly. So I'm going to hit control z, I dropped out
into a show-- [noise] See what I mean? I've kind of, I'm having deja vu.
Did I show you this already? If I did, forgive me but-- So you see what
I've done. I've kind of cut my command in half.
I'm typing at the end of this, backspace, I'm deleting the message.
I mean, what's up with that? If I were, if I had the sense about me, I
could type in, it would work just fine. But the status messages will always go in
line. Now one of the ways we can get around that
is by doing the tab key, I can do show run it
and I'm like, "Oh man, it cut what I'm typing." I hit the tab key and it kind of fixes that
for me. That's one way but what if you could set it
up to where you don't even have to do that. Well, I'm going to go onto the console port
and there's a command called logging synchronous. Hit enter.
What that command does is tell the IOS to paint the, the status messages
and then repaint what you were typing below. I probably could have found a better way to
say that but you get the point right? So I'm going to do, control z, I'll do a show--
Oh, that was nice. See what it did?
So instead of putting me at the end of this message where I'm typing,
it now painted my line back here which fit. I mean it just makes it so, so handy because
I know when people are first getting started in Cisco, that's the number one question they
get to ask. They go, how do I turn off those messages?
Yeah, you know, you know the ones I cut when I'm typing in half, how do I turn those off?
Well you don't want to turn them off because those are kind
of your life blood of the Cisco device. They tell you what's going on behind the scenes
and you want to know, you want to see those messages.
I mean, right now we're just seeing this device was configured by console,
you know, it's a little status message. But eventually, we're going to see interface
up, interface down. You know, all those kind of messages which
are key to see. So, that's the other thing.
Okay, what was supposed to be the last thing? PWENC. So last nugget, let me go and add, last
nugget we removed the enabled password. I'm going to put it back in there.
But one of the things that you, you may have noticed in all of the show runs,
show running config that I was doing in the last nugget,
is we have these clear text passwords here. Not only, not only the enable password but
if I shoot down here, and I see line VTY, I mean password Cisco, password Cisco.
So again, if I've got that strange fellow looking over my shoulder,
I'm like [noise] you know, I'm putting my hand over the window, don't look at that.
Well Cisco has a command that allows you to encrypt those passwords.
And I, if you could've seen me I put encrypt in those little, like "encrypt" those password.
And the command is actually simple. It's service password-encryption.
So you type that from global config mode and immediately,
I go back and do a show run and man, look at that-- bum!
Encryptomagic, enable password is encrypted. I scrolled down to my VTY lines, my console
port, encrypted everywhere, so I'm like, "Man, that's awesome.
That's feels good." Well Cisco did not design that to be a strong
algorithm. As a matter of fact, they've partnered up
with Cracker Jacks, remember the Cracker Jacks boxes
with the little secret decoder ring inside? To come up with a shared algorithm, both Cracker
Jacks and Cisco use the same. I mean, it's so incredibly weak that you could
go on to Google and type in let's just try crack Cisco password.
Let's do crack Cisco password. There we go.
First link on our Cisco password, crack-o-matic. I go in there and type in that encrypted version
and I go correct. There it is.
[laughs] I know, you're like, "Seriously?!" Totally! All that, that, that encryption is
meant to do is-- where am I? All it is meant to prevent is line of sight.
Like, it's a whole lot harder to remember 1306, 1E0--
you know all of that than it is to remember Cisco if you see it.
So, it is not-- don't give that, get that like warm and fuzzy.
That's going to secure me forever kind of feeling from that.
However I will tell you this. The enable secret, you notice, notice the
two different, I call them encryption modes. So these guys used what's called type seven.
Notice this all about type seven Cisco password that it can do.
The enable secret actually uses type five right here.
It's actually MD5 hashing is what that is. It's not encryption at all.
It's a hash which-- I think I'll actually talk about that later when we talk about SSH.
That is very secure. It is, the only way to break that is through
something called a brute force attack which is the weakest kind of hacking attack
that you can do. Any password can be broken given enough time
and computing power. But this, this is one of the most secure ways
to set the password. So, that's the three little pieces I want
to add there. Okay, now let's get into the rest of this.
We've got all of our passwords set up so we're ready to enable and manage our switch remotely,
however we haven't given it an IP address yet.
Now to assign the IP address to a switch, you need to understand just a little bit about
VLANs. And that's, that's why I wanted to break the
base configuration into two nuggets 'cause I really wanted to
give enough time to this to where I-- I'm not just like, okay, do this
and nobody really understands why they're doing what they're doing.
So, VLANs, let me see if I can give you the very small nutshell version right now
and then we'll expand much more on it later when we do the full VLAN nuggets, but we've
got switches, right? And by default switches are all one network.
So, here's our little six port switch if you will, they're all one network.
So, when I plug a computer into here and a computer into here I know that those guys
are on the same network, they can send a broadcast
to each other, they can send an ARP to figure out each other's MAC address and they can
communicate directly and all that, it's only-- it's only once we want to get off of our network
that we need a router and the router allows us
to leave our local area network or a LAN and get off to the WAN or the internet, or wherever--
whatever destination we're trying to reach that's the job of what a router does.
Well, VLANs kind of bend the rules a little bit, they say, "Well,
I tell you what within the switch we can break this switch into two different networks."
We can have, well say the red network on the left side
and the purple network on the right side. So, now all of the computers that are plugged
into the red network can communicate with each other but they can't talk to the
purple network and same thing with the purple network who've got-- actually
I don't know how we just jam two ethernet ports
in the same hole there, but we'll go with it.
We've got the devices in the purple network can talk together, but they can't talk
to the red network without a router and that's where we could actually plug a router
into each side of the switch one port into the red side, one port into the purple side
and that allows us to communicate between, it gives you a ton of advantage to be able
to do this, you can set up security boundaries to where, okay, well accounting is over there,
sales is over there, you can put up, you know, the server is over there, it gives you a lot--
a lot easier way of managing your IP. I mean there's a lot of advantages to VLANs,
but I don't want to dive past that point right now
because it will explode into a giant VLAN discussion.
So, let's get back to the point on hand. We've got all of these ports on a switch that
when you pull a Cisco switch out of the box it's doing VLANs, whether you
like it or not, whether you configured them or not, you're always doing VLANs
on Cisco switches 'cause that's the base feature that they support.
So, what does that mean? That means every port when you pull it out
are all part of VLAN 1. It's actually the default VLAN, VLAN 1 and
that's why we don't know that we're doing VLANs is because if all the
ports are members of the same VLAN then it's like we're not doing VLANs at all, right,
because everybody can talk together and work together.
Well, the Cisco switches allow you to create these things known as VLAN interfaces,
I don't know why I started writing ter, let's do interfaces.
And VLAN interfaces are virtual interfaces, as in they don't really exist, I can't see
them and touch them and squeeze them, but they
are there, they are reachable on the switch for my VLAN.
So, for example let's say-- now VLANs, well I give them colors often, they're actually
numbers. So, let's say the red VLAN is really VLAN
10, right? And the purple VLAN is really VLAN 131 you
can-- there's 4,096 numbers, so we can just pick
a number, right? So, that-- those are the different VLANs.
Now, the Cisco switches give us the ability to go into them and say,
I want to create interface, VLAN 10. Now, that interface doesn't really exist like
I said I can't see it, but it's there, it's this virtual interface that I can reach
from anything, any port that is in VLAN 10. So, you know, I could give it the IP address
10.10.1.1/24, right? Give it that IP address and immediately all
of the computers provided they're in the same network, you know, IP address
wise they will be able to reach that VLAN interface, now why would they do
that? Well, they can access the switch, they can
ping the switch, I mean they can manage the switch
that way and all that, that's kind of where we're going here and there is actually a lot
of bigger picture reasons why we would do that,
it deals with something called layer 3 switching, but I'm going to save that for later
on because right now we're just at the basic configuration,
but without understanding these concepts it won't make sense what we have to do
to assign a management IP address. So, what we do on a Cisco switch out of the
box is we go into interface VLAN 1 and then we give it an IP address, whatever
IP address we want to give it 10.5.9.20, okay?
So, or again whatever IP address we want to give it.
And now that IP address and that management interface is reachable from all ports
that are assigned or belong to VLAN 1. Okay, so let me clear all that off and show
you what I mean here. So, I've got a switch sitting next to me at
the Cisco 3550 it's got 24 ports of 10/100 lob [phonetic], I've got a computer
plugged in here and to port 11. Let me give you a little view of the nomenclature
or kind of the way that Cisco switches refer to their ports.
They don't just say port 11, they'll say for instance FastEthernet, 0/11, why do they
do that? So, a lot of times when you deal with Cisco
devices it always uses ports that are based on module and port number.
So, for example-- let me just show you a router, you know, if I have a router I might have
for instance I'll take a router that I grew up with when I was working Cisco,
Cisco 3640 was my dream router back in the day because it had four modules where you
could put in whatever interfaces you want, so you could
slide a card in here and it might have two FastEthernet ports.
And so, this would be considered FastEthernet 0/0 because this is considered module 0
and that's the first port on there which is 0, and this would be considered FastEthernet
0/1 because its again module 0 and then that's
the second port on there. So, you come over here, this is considered
module 1 and let's say you put a serial port in there.
So, this would be serial 1/0 'cause that's the first 0 port, see kind of how that works?
So, you get all these modules going on, you know, maybe a FastEthernet interface
up here would be FastEthernet 3/0, module 3 port 0.
Well, on Cisco switches all their stackable switches are considered module 0 and that's
because a lot of their switches support what's called StackWise or stacking technology.
So, you can take Cisco switches, this pretty cool you can take Cisco switches
and they have these big old fat cables that you put in the back
and connect multiple Cisco switches together. So, let's say now 3550 doesn't do this, but
let's just say this is switch 1, switch 2, and then you've got switch 3 down here which
maybe [inaudible] change to this guy, and then lose back up here and plugs in here
because that way you don't want for instance this guy to die and that leaves
switch 1 and 3 stranded. So, it's always good to do that and this creates
what's called the stack. The beauty of having a stack is literally
the backplane is shared. So, you don't have, you know, normally to
connect switches together, you do this little connection with a crossover
cable or something like that to where switches are linked.
Well, you don't have to worry about that, you don't have to worry about bottlenecking
on that port either because this literally combines all of the bandwidth
that these switches can put out over those switches.
And you can even, I mean some of the switches, you can do things like redundant power to
where, you know, they're all plugged into the wall
and let's say this power supply goes out he can actually pull power from that cable,
isn't that cool? So, that's-- that's one of the things that
you can do. Now, if you do that, if you use StackWise
then the first switch will be, you know, you'll confi-- oh I should say it also unifies
your managements, so I can log into this switch and configure
all three of them. So, this one would be for instance FastEthernet
0/5 would be port 5 on here. This one would be FastEthernet 1/5 'cause
this whole switch becomes module 1, this one might become FastEthernet 2/5.
Now, I'm using FastEthernet but we would also have the G-- Gigabit Ethernet.
So, let me get you a little familiar with what this looks like
and then I'll get back to my scenario. When you go to my switch and I'll type in
my favorite command in all Cisco, seriously it is always been my favorite command
show IP interface brief which gives you a summary view of the interfaces
on the switch and you can see that this 3550 switch has those 24 FastEthernet
ports that are all lined up there ready to work,
you can see that-- I thought it was in 11 but I'm actually in 14, I've got my computer
plugged in to FastEthernet 0/14 because it shows the
status is up and the protocol is up if-- we'll talk about this later, but this is essentially
layer 1 of the OSI model, this is layer 2 of the OSI model, we're communicating.
I also see down at the bottom this one supports, it has these things known as SFP modules,
no-- no this isn't SFPs, no these GBICs.
There's different kinds of modules depending on what kind
of switch you have, SFP I talked about this, right?
I think early on in the series. SFP is a small-- was it small form factor
pluggable or something, something of that affect.
Yeah, these switches have these little holes in them.
[laughs] These little holes called SFP ports and you can get fiber optic transceivers
or you can-- I mean, there's all kinds of stuff that you can plug
in there to give it functionality. Well, the 3550s have something called GBICs
[phonetic], these are kind of going by the wayside for the most part but they're
kind of big square holes, and you can do the same thing, you can buy
fiber optic modules for those and plug them in there
so that's the gigabit ports that we have on this device.
So, I've got my computer plugged in right here.
Now notice, when I did that show IP interface brief, look at the very first-- what did I
do? All right, look at the very first interface.
The VLAN1. Notice, its IP address is unassigned, all
the-- you know, everything it's saying it's down,
it's down, it's down. Now, VLAN while knowing what we know about
VLANs, I'm going to type in the command I haven't
shown you yet. Yeah, it's called show VLAN.
This shows me there is-- I mean, I guess you can argue, these are VLANs but those are--
it's kind of like this is for token ring networks. I mean, these are on there just because of
the standards but they're unsupported. VLAN1 is where all the action is happening
out of the box 'cause I can see all my ports are a member of VLAN1.
So if I want to assign VLAN1 a management IP address, I go in, I do interface VLAN1.
So now, again, getting the flow down, we got to make sure we got it,
user mode to privilege mode is that-- that's done through enable.
We go to global configuration mode, we do that by typing in config t
and then we can branch into all the submodes. Like here, we went to console, line console
zero or line VTY zero space 15. Or, now, we're going in to interface VLAN.
So I mean interface configuration mode, get back.
So, I'm in interface configuration mode and now all the commands
that I have here affect this VLAN. So, this VLAN interface so I'm going to type
in the IP address, it's the command I do of this switch is going to be, let's just
do 10 dot and I'll use a question mark. We can either get it through DHCP like have
a DHCP give it to me or I'll just say it's going to be static, 10.1.1.10, how is that?
And I'll do the question mark. Some [inaudible] 255, 255, 255, 0, here is
the question mark. Do I want to make this a secondary address?
No, this is the primary. Okay, enter.
Now, I'm going to go back and do a show IP interface brief because I want you to see
now that now this guy has an IP address so he
can be reached on that but there's still a problem.
Almost every switch starts with their VLAN interface administratively down.
That means, it's turned off and so, even though I can configure this from the console port,
I can't get to a remote LAN 'til I give it an IP address and I turn on the VLAN interface.
Well, how do I do that? Well, let me do a quick-- I'm going to do
a show run, I'm going to start using some filtering commands
so we don't have to see everything. Now, you know, show run is the running config,
it's all the commands we've typed in. I'm actually going to add on show me the running
config for interface VLAN1. And right there, I see VLAN1, there's the
IP address and what do you see under that? Shutdown! This interface is shutdown, okay.
So, I don't want that, I want it turned on. So now, let's put some of the pieces together
we've talked about, how do you negate a shutdown state, what do
you think? Well, go into the Cisco device, you're probably
thinking what I'm thinking. Interface VLAN1, no shutdown.
And so that's kind of weird, it's kind of a double negative if you will.
I'm not-- you would think you would say like enable or power on or Go-go gadget interface
or something but we're saying, no shutdown, like take off this shutdown status and turn
it on. And we see our first real status messages,
the interface VLAN1 has changed state to up, line protocol has changed state to up.
If I go back and do a show IP interface brief again.
And you notice, every time I do something, I'm hitting control Z to drop back to privilege
mode because I can't do show commands from these
submodes, they're not supported directly from there.
So, I see VLAN1 is given this IP address and I see the status up, line protocol is up.
Okay, okay, we're getting there. So, I've got my computer plugged into FastEthernet
0/14, well, let's do a little magic. I'm going to open the control panel on my
computer, actually, I should probably start here, control panel,
get all Windows 7. I'm going to click on the network status,
go to the adaptor settings and I'm actually connected,
I've got my normal network card so I can surf the internet
when I have whimsical thoughts and all that. But right next to this, I have the Apple USB
ethernet adaptor. It's just that little USB ethernet adaptor
that I grab for my MacBook and plug into this. And so I'm going to go to properties and give
this an IP address that's in that same network, so 10.1.1.10.
I'm going to put this guy in 10.1.1.-- I don't know, what do you want to give him,
how's a hundred? 255, 255, 255, 0, we don't even have to give
it a default gateway 'cause there is none, this is as simple a network as it gets.
So I'm going to click close on that, let's open a command prompt.
And by the way, you will have to know some basic windows command prompt skills like Ping
and telnet and NS-- no, you won't need NSLOOKUP but that'd be a good one to know,
trace route, we'll expand on this as we go. But first I'm going to do, let's do a show
IP interface brief. [laughs] What am I doing, I'm in the command
prompt. IP config.
IP again, I've been in Cisco a little too long. So right there, I see this is my IP address,
this is assigned to my LAN2 interface so let's see if we can ping the switch.
I always ping before I telnet because if you telnet, it will hang there for 30 seconds.
Okay, that's not what I expect, okay, phew! As I-- I expected that to work.
So, sometimes, you lose the first ping just because the computer has to send an ARP message,
wait for it to come back and by then, the ping has timed out.
So we are pinging, I'll hit the up here just to prove it one more time.
We're getting there less than a millisecond. So now, I can type in telnet 10.1.1.10.
Come on Windows, why would Microsoft remove telnet, hang on.
We got a-- if you haven't seen this before, you got to go into control panel, Windows
features and nowadays, they, you know, Microsoft, it
is a new computer so Microsoft has disabled the telnet clients
on windows by default. So yeah, we'll pause it while it's doing this.
Okay, that was fast. So, I'm going to close that back down.
Now, I should be able to hit telnet 10.1.1.10, enter, bam!
I'm sitting there from my command prompt. So now, I can log in, I'm going to type in
Cisco which is my password. CBT nugget is my enable password and I'm there.
Now, you can see behind the scenes, I'm actually there
on the console port, up here I'm on the VTY line.
So actually check this out, watch this. When I go into global config mode, unless
just, you know, blah, I'm doing some config, whatever it's going to say invalid input.
So, I'm going to exit back out and watch what the console port does.
Look at that, it says, somebody-- now notice, it didn't show me anything up here
because by default, those-- these are actually called syslog messages.
Those syslog messages are not sent to anything but the console port.
So, I look and I see now-- and so before, it was saying configured from console by console
like somebody is configuring the console of this device, configuring the commands
on this device using a console cable. Now down here, I see configured from console
by VTY0 as in somebody has logged in to that first VTY port on here.
That's kind of want to-- that 100. Now, I'm just getting kind of giddy, let's
do this. I'm going to open a second command prompt
and I'm going to start another telnet session.
So, remember I said there were 16 telnet ports and we could have 16 people at the same time,
you could even have them all from the same device if you wanted too.
I'm going to telnet another session to this device.
I go Cisco, enable, CBT nuggets. I'm going to go into global config mode,
watch status message this time, what do you think it's going to say?
Come on, predict with me. What's it going to say when I exit out of
config mode? Configured from console by VTY1 because this
guy came in on the second telnet port, this guy came in on the first telnet port
so anything that he does is VTY0, anything that he does is on VTY1.
Now, I want to go back because I know some of you--
sometimes, I try to predict the questions because I think like a lab, you go,
can I set different telnet passwords like we did that line VTY zero space 15
and we configured all of them with the same password.
I know some of you probably think can I have in line VTY0 and do one password,
VTY1 into another password, VTY2 and do another password?
The answer is, yes you could. You could put different passwords on every
single one of those VTY ports when you're securing your device but, my goodness,
you won't want to do that because you never know, I mean, it's
good old Forrest Gump, right. It's like a box of chocolate, you never know
what VTY line you're going to get when you telnet in so you never know
which password is going to be required when you're doing that.
So, good, so that's configuring the management VLAN or IP address of the switch.
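A small detection pass over the "Configured from console by vty0/vty1" messages just described, as an added example (not code from the nugget or from Cisco); the log lines are constructed and the set of approved admin hosts is an assumed policy input:

```python
"""Spot remote configuration sessions in the %SYS-5-CONFIG_I messages a Cisco IOS
switch logs. Added example, not the nugget's code; the log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# IOS names the line (console, vty0, vty1, ...) and, for vty sessions, the source IP.
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from console by (?P<line>\S+)(?: \((?P<src>[\d.]+)\))?"
)

# Constructed sample: console output as one local and three telnet sessions configure the switch.
SAMPLE_LOG = """\
00:12:41: %SYS-5-CONFIG_I: Configured from console by console
00:15:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
00:18:10: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.100)
00:19:55: %SYS-5-CONFIG_I: Configured from console by vty1 (10.1.1.100)
00:21:07: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.77)
"""


@dataclass(frozen=True)
class ConfigEvent:
    line: str               # 'console' for the cable, 'vtyN' for a telnet/SSH session
    source: Optional[str]   # remote IP for vty sessions, None for the console

    @property
    def remote(self) -> bool:
        return self.line.startswith("vty")


def parse_config_events(log_text):
    """One ConfigEvent per CONFIG_I message; other syslog lines are ignored."""
    events = []
    for entry in log_text.splitlines():
        m = CONFIG_I_RE.search(entry)
        if m:
            events.append(ConfigEvent(m.group("line"), m.group("src")))
    return events


def unexpected_remote_changes(events, allowed_sources):
    """Remote (vty) config changes whose source IP is not an approved admin host."""
    return [e for e in events if e.remote and e.source not in allowed_sources]


if __name__ == "__main__":
    for e in unexpected_remote_changes(parse_config_events(SAMPLE_LOG), {"10.1.1.100"}):
        print(f"config change on {e.line} from unexpected host {e.source}")
```

Since, as the nugget points out, these messages reach only the console by default, in practice you would point the switch at a collector with IOS `logging <host>` and run this over the collected file.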
Now, we move down to the default gateway. Yeah, I got to clear off a little drawing
room here. So, we move down to the default gateway slash,
slash, slash, slash. Default gateway allows you to manage the switch
remotely. Well, hang on, let me-- so we already did,
right? We're already managing the switch remotely
but I mean, really remotely to where right now,
the only way that we're able to manage that switch is because we're plugged in to it
and we happen to be on the same network. Now if we did a chain, another switch to that,
we could yeah, we could plug in there 'cause these are all
one network and I could telnet over and manage to switch that way, but what about when I
go home for the evening? What about when I'm sitting on the sunny beach
in California on a sunny day with my lawn chair watching the waves crashing
in over at the barrier with a laptop on the beach and suddenly [inaudible] card
and I want to be able to telnet into that switch from there, how do I do it?
The way that I do it is by going into the switch and telling it, yes, this is your IP
address which we just did and this how you can get
off of your network so that you can communicate with people that are not on your network.
So that's going to be the IP address of the router or the default gateway.
So I would go in this and so now, this is just my sample situation.
We created interface VLAN1 and we give it the IP address 10.1.1.10 so let's just say
that this default gateway, this router has the IP address 10.1.1.10 and I want to be
able to tell my switch, go there to get off the
network so Jeremy [phonetic] can manage you from the sunny beach in California.
So the way that I do that is go to global config mode 'cause it's actually global,
it's not just for that VLAN interface, it affects the whole switch.
I'm going to type in from global IP default gateway and then the IP address
that I want to go to, 10.1.1.10, enter. And now, this switch knows how to get off
its own network. I can verify it-- by the way, I know at the
very bottom, I have verification commands which I'm doing as I'm going along this entire
time. But so far, I would say show run is a big
one so you can see all your commands that you've
typed in. This is literally by the way, when you do
a show run, this is literally the commands that are typed
into the switch. Like we typed in IP default gateway and that
is it. And so, if you ever wanted to make a backup
of your configuration and all of a sudden, you know, boom, your switch post up, you got
to put it in a new one, you're like, "Oh man, I got to type all this in."
No you don't. You can actually take this entire configuration,
go into global configuration mode and just paste it, you know.
So select all, highlight the whole config from notepad or whatever, control C,
copy it to your clipboard, go into global configuration mode on the new switch,
the key is remember, start from global config mode and hit paste
and it will literally reconfigure the whole switch
for you just by typing in all those commands. So now, I've got the default gateway which
is able to go out there. Now, we're going to get a little bit later
into some more advanced configuration where we--
we're going to talk about routing tables and so on but if I do a show IP route,
this guy is not a router yet but he will be. But for now, he's not and so I can see right
away, he said, no. Well, if I'm going to route, I'm going to
send all my packets to the default gateway 10.1.1.1.
Okay, shutdown. This command we already talked about, by turning it off.
However, there is a time where we might want to turn it on.
It is a best practice, you know. Normally, what usually happens is you go to that cabling
room. Remember this guy, where people, you know,
the wiring company will wire your whole building up
and somebody comes in, sometimes you, sometimes somebody else, and they plug in all these cables.
You go, "Okay, well, all those go to live jacks, so let's push those into the switch itself."
Well, the problem is, some of those probably go to jacks that you're not even thinking about.
I mean, one of them might run through the wall and come out in the lobby
of your building underneath a chair in the sitting area where somebody could come
in with a laptop that is infected with who knows what and they're like, "I need to plug
in. Look at it, I'll just run my cable," and then
click, death, [noise] you know, destroy. You've introduced evil devices onto your network
and as soon as you do that, you know, you're at risk. Or you could have, you know,
another one of these cables run to the break room, you know, where people
unmonitored can plug whatever they want, you know, an Xbox or whatever, into the network,
maybe devices that just aren't appropriate to be on the company network.
I mean, there are all kinds of things. Either way, the best practice per Cisco is
to shut down any port that is not in use. So, when I go back to my switch, I'd be right
here, sit down on the console board 'cause it's
prettier than the command line. So I'm going to go back on my switch, I'm
going to go show IP interface brief. I see all of these ports right now are there,
you know, but they're all down 'cause nothing's plugged
into them except this guy, which is my computer, and I can see he's up.
Well, what I can do is I can go into interface FastEthernet 0/1 and that-- by the way, we
all-- we typically abbreviate FastEthernet as FA.
It's not some kind of acronym, right, it's just the first two letters of fast, you know,
because sometimes you'll have switches with fiber interfaces, and most
of the time you won't, but with just F it won't know if you mean fiber or fast,
and so I usually type FA or hit the tab key or whatever to fill it in for you. Port
0/1 and I'm going to do a shutdown. So that one went to the break room, right?
And immediately, the status message comes back,
the port has now changed to administratively down.
I'm going to show you a tip 'cause I'm kind of tired of exiting.
Cisco has a trick that they've introduced called the do command.
Actually, I don't know if the switch can do it, but you can type in do
from any configuration mode and do show commands without actually backing out.
Let me just see if this one will do it, this one might not. Oh, it does, good.
Okay so, the do command allows you to type in, you know, show commands or do ping commands
from modes that you normally couldn't do it in. Normally I have to exit all the way back
out to Privileged mode, but this is kind of handy.
So, I'm going to do a do show IP interface brief and I can see that FastEthernet 0/1
has gone from a state of down to now administratively
down. Administratively down, anytime you see that
message, it means it's shut down. That's key number one of troubleshooting.
If a port is not working and you see it administratively down, that's easy,
you just need to go in and do a no shutdown. Now, I can even do a range, watch this.
Let's say, I know that ports 1 through 10 are not going to be used for quite some time,
they all plug in to areas of the building that aren't in use yet.
So I'm going to do interface-- well actually, not just FastEthernet,
I'll do interface range FastEthernet 0/1, let's do through 10.
Now, some switches make you have the spacing exact, you need one space dash space 10.
Most switches are flexible, it will let you, you know,
do something like this or whatever you want. This one, this one is one of the flexible
ones, so it's IOS version dependent. I just know I've run into some where it's like,
it's an invalid command and, you know, the question mark doesn't really show spaces
too well. So, I can do a shutdown and that will take
down 10 ports all at the same time. [noise] The status messages began, right.
So, it's all those messages are starting to flow out now administratively down.
And I can do that do show IP interface brief and now, I see all of those guys are shutdown.
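As an added example, not from the video, here is a small Python script that reads show IP interface brief output and turns the "shut down every unused port" practice into the exact commands: ports that are plain down get a shutdown, ports already administratively down are left alone, the management VLAN is skipped, and consecutive port numbers are collapsed into one interface range. The sample output is constructed, not captured from a real switch.

```python
import re

# Constructed sample in the layout of `show ip interface brief` (not captured from a
# real switch): Vlan1 is the management SVI, Fa0/1 is already shut down, Fa0/4 has a
# host on it, and the remaining ports have nothing plugged in.
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.1.1.10       YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  up                    up
FastEthernet0/5        unassigned      YES unset  down                  down
FastEthernet0/7        unassigned      YES unset  down                  down
GigabitEthernet0/1     unassigned      YES unset  down                  down
"""

# Status can be two words ("administratively down"), so match it lazily and take
# the final column as Protocol.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\S+)$")
PORT_RE = re.compile(r"^([A-Za-z]+\d+/)(\d+)$")  # e.g. "FastEthernet0/" + "3"

def parse_brief(text):
    """Return (interface, status, protocol) tuples, skipping the header row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) != "Interface":
            rows.append((m.group(1), m.group(5), m.group(6)))
    return rows

def unused_physical_ports(rows):
    """Physical ports that are plain 'down' (nothing plugged in) but not yet shut down."""
    return [name for name, status, _ in rows if PORT_RE.match(name) and status == "down"]

def shutdown_commands(ports):
    """Global-config lines that shut the ports, using 'interface range a - b' for runs."""
    parsed = sorted((PORT_RE.match(p).group(1), int(PORT_RE.match(p).group(2))) for p in ports)
    cmds, i = [], 0
    while i < len(parsed):
        prefix, start = parsed[i]
        end = start
        while i + 1 < len(parsed) and parsed[i + 1] == (prefix, end + 1):
            i, end = i + 1, end + 1  # extend the run while port numbers stay consecutive
        cmds.append(f"interface range {prefix}{start} - {end}" if end > start
                    else f"interface {prefix}{start}")
        cmds.append(" shutdown")  # the range form uses one space, dash, space
        i += 1
    return cmds
```

Paste the emitted lines into global config mode, then confirm with show IP interface brief that the ports now read administratively down.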
Okay, so last couple commands, first off, a log on banner.
So log on banners are just a good practice to cover yourself legally. So there's a tale
going around the internet, it could be true, might
not be, I don't know, but either way, it sounds true, where a couple of guys hacked
into a college campus server and destroyed everything, destroyed the data,
I mean caused massive data loss for their college campus.
They were caught and taken to court and their lawyer found a way to get them out of trouble
because they said, well, we logged on to the system and it said, welcome.
And apparently in the good old United States of America saying welcome is enough to say,
well, you can come on and then destroy everything
and you'll be just fine. So, and it's funny 'cause I've told that story
before and someone said, "Oh yeah, and then I also heard if you have a welcome
mat on your doormat in your doorstep, somebody can break in your house and legally,
they're covered because said, and that was like come on, come on" but and
then last I checked in, I don't have a welcome mat at home so be advised.
So, best thing to do is do a good-- it's odd log on here.
Doesn't have to be long, doesn't have to be anything really fancy, I mean, you can get--
I mean, the government publishes, you know, the government approved the log on banner
from the Department of Defense if you want to Google that.
But really, you can put whatever you want. The way that you do is from global config
because it affects the entire switch. Let me type in banner, followed by a question
mark. You can see there's a lot of banners that
you could do. Really two main ones that you want to look
at: you got banner login, which is used for telnet
and SSH sessions, or you can do banner MOTD, which is used everywhere, I mean console
port, everything shows the message of the day log
on banner. So, usually, people will configure a MOTD.
So we hit the question mark and it says, this is probably the most confusing help that
exists in Cisco. It says, insert LINE, notice all capitals.
It says, c banner-text c, where c is the delimiting character.
What it's trying to say is, put your log on banner between this character that tells me
where you start and where you end your log on banner.
And so, we can use any delimiting character that you want.
Let's say, I want to use the plus sign. I could type-- there's couple ways I could
do this, I could type in banner MOTD plus and I could say, unauthorized access prohibited.
And then put a plus at the end and now, I've entered my log on banner.
So now, I can exit out and hit the enter key and well, kind of got the status message.
So I hit the enter key and we see unauthorized access prohibited.
Notice the plus signs aren't there, because the plus signs are really just there to say,
this is the start and the end of the log on banner.
I got to come out with a password that I can talk and type at the same time.
Okay, there we go. So I'm in global config mode, so, another
way to do it is I could do banner MOTD and I could do a plus sign and just hit the
enter key and it takes me into this little editor system to where it
says, enter your text message and with the character
plus. Again, that delimiting character, whatever
character I use, I can use anything, I use the plus, so I mean, this allows you to
get a little fancy. I can say, you know, log in and die, you know, whatever you want
to do. Now, though be careful with this.
I've logged onto systems where it says something like, "You can't hack this,"
you know, and then I'm like, all right. Like, I'm not even a hacker.
There's not a malicious bone in my body, but when I saw that message I'm like, "I bet you
I can," you know, so you don't want to inspire people
to hack you. So, you know, something nice and simple, but
a lot of times, again, just Google what the government uses and you'll
be-- you'll be pretty much covered. But, that will now display a log on banner
every single time somebody logs in, so, pretty straightforward.
All right, so the last one is saving your configuration, so we've got everything, right.
Saving your configuration is probably the biggest piece of this all, because all of this,
every single command that we've typed on this device, is sitting in RAM.
Now, RAM, if, you know, if you've dealt with computers, it's great because it's fast,
it's extremely fast and efficient, however, it's volatile.
So if the power goes out, you'll lose all of it.
Well, in the Cisco world, you actually have two different places to store things.
Well, there's actually a number, but two big ones, running config and startup config.
So running config is in RAM and will be lost every single time you power down;
startup config is in NVRAM. Let me guess what NV stands for, Non-Volatile,
you got it. So Non-Volatile RAM is saved, so when the switch
powers down, you can still keep that configuration.
Now, there's an advantage to having this and, you know, I've had a lot of people say, "Well,
why not-- how come, as you type commands, it doesn't save it to NVRAM?"
Well, there's a lot of times where you'll be in the midst of doing some configuration
and you really mess things up, I mean, it happens, you know,
when you're configuring you're like, "Oh man, I've gone so far,
I don't even know what I've done to undo it anymore."
Well, as long as you don't save your configuration, you can just restart the device
and you get the old configuration back before you made all your changes.
So, it's good to have the two configurations but you do want to remember to save it.
The command is very simple, we type in copy running-config startup-config, hit the enter key.
Now, it comes up, I don't even know why the Cisco device asks this question
for this one, because it says, destination filename [startup-config]?
The biggest mistake I've seen you can make is to say, "Well, yes, yes, that's what I want."
No, you don't want that, because the switch only looks for one file when it's booting
and that's a file named startup-config. So if you want whatever is in the brackets
there to be your name, all you have to do is press the enter key
and it will use that file name. If you put Y there, it will save the configuration
in NVRAM as a file named Y and the switch doesn't know what to do with
that file. A shortcut that has been around since Cisco
began is also, you can type in write memory. I like that because it doesn't even ask you
a file name. It just says, I'm going to save it.
Or even a shorter shortcut is just WR. So we can trim it down shorter and shorter
and shorter. Now, the write memory does not work on all
devices, Cisco has been slowly fading that away
but it will work on I would say, 99 percent of Cisco devices that you run into.
If you ever want to see what's in these configurations, you can do show start and a show run.
Matter of fact, let me show you this. Let's just make a difference.
Let's do a host name, Lalala [phonetic]. All right, hostname Lalala, and then I'm going
to do a show run and there's my host name Lalala, right there,
that's in RAM, the memory. Or I can do a show start-- show startup-config
and you can see that the original name is CBT switch, so that's
what's in NVRAM. So if I rebooted the device right now, it
would revert back to that original configuration, whereas right now, what's running, what's actually
active, is the host name Lalala. So all these commands that I've typed without
saving the configuration will exist only in RAM.
That now puts a base configuration in place on our Cisco switch.
Now keep in mind, in all of that configuration that we did,
we didn't really configure any features as in the switch isn't operating any differently,
all it is is having the ability to be securely managed from a remote location
so that we can do whatever we need, so that we can enable some of the features that we're
going to talk about a little bit later, but this
provides a foundation. So, what I would do is I would really encourage
you to flip back to that slide that I just was--
I've been working through with the check box that's showing here's the base configuration.
If you have access to a Cisco switch, let that be your test guide.
So if you're preparing for certification, you know that on the exam,
there are going to be simulation questions where you are working through, you know,
practical examples of configuring Cisco devices that feels real.
And what I just showed you that base configuration would be an example
of one simulation where the simulation question comes in and says, "Hey,
this is what you need to configure it, now go."
So, staring at that checklist not really looking at any commands,
see if you're able to configure a Cisco switch. If you don't have access to a Cisco switch,
that's okay, it will just be a little more difficult 'cause
you don't have the help. Maybe just open Notepad or Microsoft Word
or something like that and just start typing the commands that you
would enter if you were in a simulated environment.
That will get your base foundation config ready for the upcoming nuggets.
I hope this has been informative for you and I'd like to thank you for viewing.