Cisco Lab
By now you should have completed the Student Setup Guide: https://richwebinc.sharepoint.com/sites/neatrack2/SitePages/Student-Setup-(KVM-and-Cisco).aspx
In this lab, you will learn the basics of Cisco routing and switching. The techniques you learn here show how a single inbound connection can be spread efficiently across many machines. The command line interface of Cisco products can be intimidating to beginners, so this document serves both as instruction and as a guide to basic commands.
By the end of this lab the user should be able to remotely access the switch from the server via Ethernet connection.
Accessing a Cisco Switch
Accessing the Switch Terminal
Note: Anything shown in the terminal font is either what you’ll be typing in the terminal or what you’ll be seeing in the terminal.
After entering your username (which should be admin) and password (which should be 15.learner), you should get a prompt like this:
sw-neatrack>
This is the command line for the switch. Now enter the following command to access privileged mode:
sw-neatrack>enable
sw-neatrack#
You are now in privileged mode (if you see the “#” next to the switch name). In this mode, you are able to see the configuration and setup of the switch. However, this mode is not designed to edit that configuration. To actually edit the config of the switch, use the following command:
sw-neatrack#configure terminal
sw-neatrack(config)#
This is configuration mode. As long as you see the “(config)#”, you are able to change the config of the switch.
Viewing the Configuration
The whole configuration of the switch is located in a file you can see from this view. To see this file, run
do show run
and something like this should appear:
sw-neatrack(config)#do show run
Building configuration…
Current configuration : 3627 bytes
!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
!
logging buffered 512000 debugging
no logging console
!
clock timezone est -5
clock summer-time est recurring
ip subnet-zero
!
--More--
The “do” command only works in configuration mode. It tells the switch to run the command that follows as a normal privileged-mode command instead of treating it as a configuration change. “show run” shows the running configuration on the switch.
You can see the rest of the switch’s config by pressing Enter for one line at a time or the spacebar for a page at a time. You can exit this view by typing another command or pressing CTRL + C.
This is extremely useful with Cisco switches. They are designed to be easy to configure, so the running configuration isn’t just a description of the switch’s settings but also the set of commands needed to reproduce them. If you copied the whole configuration of a Cisco switch and pasted it into the terminal of a clean switch, the two switches would become identical.
SSH
SSH is a way of remotely accessing a machine over an encrypted connection. Before a machine can accept SSH connections, it must have a key pair that the encryption of that connection is based on. To generate these keys, run the following command. If it prompts you to overwrite old keys, say yes. Use a 1024 bit key. Then run the rest of the commands to ensure SSH is properly configured.
sw-neatrack(config)#crypto key generate rsa
The name for the keys will be: trainswitch.train.local.
% You already have RSA keys defined for trainswitch.train.local..
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
sw-neatrack(config)# ip ssh logging events
sw-neatrack(config)# ip ssh authentication-retries 2
sw-neatrack(config)# ip ssh time-out 30
sw-neatrack(config)# ip ssh version 2
crypto key generate rsa: this command puts an RSA host key pair in flash memory and makes it possible to SSH into the device, if SSH is not already enabled
How many bits in the modulus: you choose the size of the RSA key in bits; generally 1024 is the default, but if you want higher security a higher number is better, like 2048
ip ssh logging events: this logs all SSH login attempts, both successful and failed, including who was trying to log into the device
ip ssh authentication-retries 2: this limits the number of times a user can try to log in before being kicked out of the SSH session the user is trying to make
ip ssh time-out 30: this is the time limit that the device waits for the SSH negotiation of a session key and encryption to complete when connecting with a device
ip ssh version 2: this restricts the device to SSH protocol version 2, a secure method of establishing a connection compared to using Telnet or FTP
Creating a Login for Console
These commands will create a user for anyone requesting access to the switch. Privilege 15 is the highest available, “secret” is a more secure type of password.
sw-neatrack(config)# username admin privilege 15 secret 15.learner
sw-neatrack(config)# service password-encryption
username admin privilege 15 secret 15.learner: this creates the username that is allowed to log into the device; level 15 allows the user full access to the device, and the secret is the password associated with the username
service password-encryption: this encrypts the stored passwords so that even if someone gets into the device and tries to find other users’ passwords, they won’t be able to, because each password looks like a jumble of letters and numbers; without this command, anyone who logs into the device could gain access to the passwords of any other users on the device
AAA Commands
AAA stands for Authentication, Authorization, & Accounting. These commands regulate how logins, permissions, and logging are managed. These basic commands are often used for setting up a Cisco device.
sw-neatrack(config)# aaa new-model
sw-neatrack(config)# aaa authentication login default local
sw-neatrack(config)# aaa authorization exec default local if-authenticated
sw-neatrack(config)# aaa session-id common
aaa new-model: this makes AAA enabled on the device
aaa authentication login default local: this lets the device use the local database that is on the device to authenticate a user; however, you can use a RADIUS or TACACS server to authenticate a user
aaa authorization exec default local if-authenticated: this allows a user who has already been authenticated through a successful login to be authenticated again if the router loses communication with its local database
aaa session-id common: this makes sure that the session ID is maintained throughout authentication, authorization, and accounting packets in the session
Console Configuration
These commands will affect a user consoling in via the switch’s serial port.
sw-neatrack(config)# line con 0
sw-neatrack(config-line)# session-timeout 60
sw-neatrack(config-line)# exec-timeout 60 0
sw-neatrack(config-line)# privilege level 15
sw-neatrack(config-line)#transport preferred none
line con 0: this is the console port that connects to the device; there is usually only one, so this is the only choice, though in some cases there are more, and they will be labeled
session-timeout 60: this is the time the session will wait for the user to type something; if the timeout expires, the session will close
exec-timeout 60 0: this will disconnect the console if a user doesn’t do anything for 60 seconds, and it will make the user type the password again to log back into the device
privilege level 15: again, this command gives the user all available access to the device
transport preferred none: this command helps prevent a typo made at the command line from triggering a misleading DNS lookup
These commands will affect a user SSHing in via Ethernet:
sw-neatrack(config)# line vty 0 15
sw-neatrack(config-line)# session-timeout 60
sw-neatrack(config-line)# exec-timeout 60 0
sw-neatrack(config-line)# privilege level 15
sw-neatrack(config-line)#transport preferred none
sw-neatrack(config-line)#transport input ssh
Many of these will be the same as for the serial port but there are some differences that will be noted here:
line vty 0 15: vty stands for virtual teletype, which acts as a virtual port for SSH or Telnet; you can have up to 16 connections to choose from (0-15)
transport input ssh: this creates an encrypted connection between the user and the device, which will usually need a username and password
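As an added example (not from the lab or from Cisco), the following Python script parses the running-config text that “do show run” prints, the way a check run from the server would, and audits it for the SSH, AAA and vty settings entered in the sections above. The sample configuration inside it is constructed from this lab’s commands with two weaknesses left in on purpose; the username hash is a placeholder.

```python
"""Parse a Cisco IOS running-config and audit it against the settings used in this lab.

Added example for the lab, not code from the page or from Cisco. The running-config
below is constructed from the commands shown in the lab; two settings are deliberately
left weak so that the audit reports something.
"""

# Constructed sample of "do show run" output, trimmed. "ip ssh version 2" is missing
# and "line vty 0 4" still allows telnet, so both should be flagged.
SAMPLE_RUN = """\
Building configuration...

Current configuration : 1204 bytes
!
version 12.1
service password-encryption
!
hostname sw-neatrack
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa session-id common
!
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
ip ssh logging events
ip ssh authentication-retries 2
ip ssh time-out 30
!
interface Vlan60
 ip address 172.30.60.10 255.255.255.0
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 privilege level 15
 transport preferred none
line vty 0 4
 exec-timeout 60 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 60 0
 transport input ssh
!
end
"""

# Global commands the lab enters; each must appear verbatim at top level.
REQUIRED_GLOBAL = (
    "service password-encryption",
    "aaa new-model",
    "aaa authentication login default local",
    "ip ssh version 2",
    "ip ssh authentication-retries 2",
)


def parse_running_config(text):
    """Split a running-config into (global_lines, sections).

    sections maps a block header such as "line vty 0 4" to its indented child
    lines; IOS marks children with a leading space.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("!", "Building configuration", "Current configuration")):
            continue
        if line == "end":
            break
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        global_lines.append(line)
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections


def audit(text):
    """Return a list of findings for lab settings the config lacks (empty if all present)."""
    global_lines, sections = parse_running_config(text)
    findings = [f"missing global command: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"{header}: expected 'transport input ssh', found {transport!r}")
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{header}: no exec-timeout set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN) or ["no findings"]:
        print(finding)
```

Run it as-is and it reports the missing “ip ssh version 2” and the vty block that still accepts Telnet; paste your own “show run” output into SAMPLE_RUN to check the switch you just configured.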
Vlan Access
In a switch, different ports can have access to different VLANs. This allows the virtual creation of separate networks with no connections to each other. We already set up VLAN 60 at the beginning of the year. To create or modify a VLAN, enter the “int” command followed by the VLAN number. We’re going to continue to use 60 because VLAN 10 (or whatever was chosen) is our Internet access.
To create a VLAN on the switch, use the basic command “vlan x”, where x is the number of the VLAN you are creating. For example, when making VLAN 60:
sw-neatrack(config)#vlan 60
sw-neatrack(config-vlan)#
You have now created vlan 60 on this machine. You know you are in VLAN config mode by the “(config-vlan)#” prompt. While you are here, go ahead and give your VLAN a name. You can do this like so:
sw-neatrack(config-vlan)#name test_vlan
sw-neatrack(config-vlan)#
In this case, we named our vlan “test_vlan”. Exit this specific VLAN configuration with the “exit” command like so:
sw-neatrack(config-vlan)#exit
sw-neatrack(config)#
Now you are back in configuration mode, once again denoted by the “(config)#” prompt.
There are two ways VLANs are edited. You already used the first. The second form edits the VLAN as an interface. This allows us to give the VLAN layer 3 qualities such as an IP address. To enter interface config of a VLAN, use the following:
sw-neatrack(config)#int vlan 60
sw-neatrack(config-if)#
You are now in the configuration mode for that VLAN, as seen by the “(config-if)#” where “if” is short for interface.
VLAN Settings
There are a few common settings that you can change inside of a VLAN. For example, “desc” (or description) allows the user to enter a small phrase describing what that VLAN is used for. Give a description to your VLAN.
Each VLAN also has an IP address. Follow these commands to give the switch an IP address:
sw-neatrack(config)#int Vlan 60
sw-neatrack(config-if)# ip address 172.30.60.10 255.255.255.0
We are using 172.30.60.10 because 172.30.60.15 is already in use for the DHCP server and we don’t want to cause a conflict in IP addresses.
Finally, we want to enable the VLAN. This essentially allows us to turn it on. Use this command:
sw-neatrack(config-if)#no shutdown
Port Access
If you scrolled down far enough on the switch configuration, you would see that each different port has its own configuration with a variety of settings. You can select a port by running the following command where ? is the port number you wish to access:
sw-neatrack(config)#int f 0/?
That line also highlights the autocompletion of Cisco devices. If there are no other words that fit the beginnings of the words in a command, Cisco automatically completes the command. The above command is the same as:
sw-neatrack(config)#interface fastEthernet 0/?
We’ve already configured a range of ports to use during the Student Setup Lab, so we don’t need to configure another range. However, feel free to go over how to select a range and apply configurations to it in the instructions below.
To select more than one port, we use the “range” keyword. You can configure each port manually but selecting all of them is much faster. Example:
sw-neatrack(config)#int ra F 0/9 - 16
sw-neatrack(config-if-range)#
I used auto-completion on most of the words, but you know you have selected the ports when you see “trainswitch(config-if-range)#”, with “config-if-range” in the parentheses.
Port Configuration
There are various settings we can apply to ports on a switch. The first is assigning which VLAN a port belongs to. We set up VLAN 60 for the first few ports at the beginning of the year, so we won’t apply a new VLAN to the rest of the ports on the switch in case we add more in future labs. To assign a VLAN to a port, use the “switchport access” command followed by “vlan” and the number. Below is an example giving ports 10 through 12 access to VLAN 60:
sw-neatrack(config)#int ran f 0/10 - 12
sw-neatrack(config-if-range)#switchpo acc vl 60
Now, if you plug a device into that port (or unplug it and plug it back in), it will take about 30 seconds for the light above the port to turn green, signaling access. (NOTE: if you do this with the machine you are currently working on, you will need to reconnect to the switch!) That is a lot slower than you have probably seen on just about every other Ethernet port.
Ports connecting go through three stages: listening, learning, and forwarding. During those first 30 seconds the port was listening and learning before it started forwarding. To bypass this delay, we can enable portfast. Portfast allows a port to enter the forwarding stage immediately and gives the connected device network access. To enable portfast, use the following command on all ports you use. If you disconnect and reconnect your device, you should see the orange light turn green much faster.
sw-neatrack(config-if-range)#spanning-tree portfast trunk
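The following Python script is an added example, not part of the lab or of Cisco IOS. It generates the switch-side commands from the VLAN Settings and Port Configuration sections: it expands the “int range” shorthand (“f 0/10 - 12”) into interface names, refuses an SVI address that is the network or broadcast address or that the lab says is taken (172.30.60.15, the DHCP server; the IN_USE table is otherwise constructed), and emits the commands in the order the lab enters them. It uses plain “spanning-tree portfast”, the access-port form of the command, rather than the “portfast trunk” variant shown above.

```python
"""Generate the switch-side VLAN, SVI and port-range configuration from this lab.

Added example for the lab; not code from the page or from Cisco. Assumes the lab's
range shorthand ("f 0/10 - 12"), a dotted subnet mask, and that the only address known
to be taken on the VLAN is the DHCP server at 172.30.60.15 (from the lab text).
"""
import ipaddress
import re

# Addresses already in use on the VLAN (constructed table; the DHCP entry is from the lab).
IN_USE = {"172.30.60.15": "DHCP server"}

# Matches "f 0/10 - 12", "F 0/9 - 16" and "fastEthernet 0/1 - 4".
RANGE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(\d+)/(\d+)\s*-\s*(\d+)\s*$")


def expand_range(spec):
    """Expand the lab's 'int range' shorthand into full interface names."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {spec!r}")
    kind, slot, first, last = m.group(1).lower(), m.group(2), int(m.group(3)), int(m.group(4))
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    if kind.startswith("f"):
        name = "FastEthernet"
    elif kind.startswith("g"):
        name = "GigabitEthernet"
    else:
        raise ValueError(f"unknown interface type: {kind!r}")
    return [f"{name}{slot}/{n}" for n in range(first, last + 1)]


def svi_address_problem(address, mask, in_use=IN_USE):
    """Return None if address/mask is usable for the SVI, otherwise a reason string."""
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:
        return f"invalid address or mask: {exc}"
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        return f"{address} is the network or broadcast address of {net}"
    if str(iface.ip) in in_use:
        return f"{address} is already in use by the {in_use[str(iface.ip)]}"
    return None


def build_switch_config(vlan_id, name, address, mask, port_range, portfast=True):
    """Return IOS lines that create the VLAN, address its SVI and assign ports to it."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} out of range")
    problem = svi_address_problem(address, mask)
    if problem:
        raise ValueError(problem)
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    ports = expand_range(port_range)
    # IOS accepts the range as "FastEthernet0/10 - 12": full first name, bare last number.
    first_port, last_num = ports[0], ports[-1].rsplit("/", 1)[1]
    lines = [
        f"vlan {vlan_id}",
        f" name {name}",
        "exit",
        f"interface Vlan{vlan_id}",
        f" ip address {iface.ip} {iface.netmask}",
        " no shutdown",
        "exit",
        f"interface range {first_port} - {last_num}",
        f" switchport access vlan {vlan_id}",
    ]
    if portfast:
        lines.append(" spanning-tree portfast")
    lines.append("exit")
    return lines


if __name__ == "__main__":
    print("\n".join(build_switch_config(60, "test_vlan", "172.30.60.10", "255.255.255.0", "f 0/10 - 12")))
```

The address check is the part worth keeping: the lab picks .10 by hand because .15 is the DHCP server, and a generator that silently reuses a taken address produces exactly the IP conflict the lab warns about.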
There are two main port types we use. The first is an access port. An access port allows for a straight connection to the source with no complexities. A trunk port, on the other hand, tags the end of packets with a short key. This key states what network is being sent through that line. If you wish to use more than one network or vlan in a single port, trunking must be enabled. You can enable trunking with the “switchport mode” command followed by trunk, but DO NOT do this for your selected ports.
Another useful feature of Cisco switches is the ? in Cisco. If you type switchport mode ? into the console, the following will appear:
sw-neatrack(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
It lists the different options for the command. This works after any incomplete command in Cisco, even if there is no command and only the ?. Feel free to experiment with this. But we’ll go over these options in detail:
access: forces any device plugged into this type of port to only communicate with devices that share the same VLAN
dynamic: gives port profiles to devices connected without needing access or trunk (not commonly used but still an option)
trunk: lets multiple devices from different VLANs go onto the same port instead of limiting to only one VLAN
Type the “exit” command until you are back in privileged mode. Your screen should look something like this:
sw-neatrack(config-if)#exit
sw-neatrack(config)#exit
sw-neatrack#
Possibly the most important part of switching is saving your changes. To do this, use the following command. Do this every time you are done editing a Cisco device. If the device loses power, it will revert back to its last saved config.
sw-neatrack#write mem
Building configuration...
[OK]
sw-neatrack#
After this, you can reenter configuration mode.
Before you disconnect your console port, create a banner for your switch. This will appear anytime someone connects to it. Use the following command:
banner motd ^
Welcome to my switch!
^
motd: stands for Message of the Day
You can put anything between the carets. After you finish this, run the “write mem” command to save your work. Then disconnect your console cable.
Once you ssh into the switch, print out (on the screen) the run config for your switch using the following:
sw-neatrack>enable
sw-neatrack#show run
Configuring a Cisco Router
One of the useful qualities of Cisco devices is that the basic structure and feel of setting up different devices is very similar. For basic purposes, a Cisco router and switch share many configuration commands. Make sure that you are consoled into the router and that you have followed the same setup instructions for the router as you did for the switch in the Student Setup, up to (but not including) the VLAN and Port Configuration section. This will set up the basic configuration while leaving the ports untouched. You then need to run the same commands as above to set up SSH, a user account, AAA, and the console configuration. These commands do the same thing on both the switch and the router; rather than directly influencing the network, they allow you to better configure and manage these devices.
One of the important functions of a router is to have a different IP address on each of its ports. This can be true of a switch as well, but it is especially important on a router. Because of this, we can set the IP address on the outward-facing port (typically FastEthernet0/0) to a static IP on the WAN, as well as a static IP on the internal LAN (typically port FastEthernet0/1), such as 192.168.1.1, so that devices connected to the switch can reach it.
Setting up an ip address on a port is relatively straightforward: just enter the interface configuration and run a command to specify the address and subnet mask. After doing so, it is important to make sure the interface is up by doing “no shutdown”. Do the example shown below:
sgw-neatrack(config)#int gi 0/0
sgw-neatrack(config-if)# no ip address
sgw-neatrack(config-if)# no shutdown
sgw-neatrack(config)#int gi 0/0.60
sgw-neatrack(config-subif)# encapsulation dot1Q 60
sgw-neatrack(config-subif)# ip address 172.30.60.1 255.255.255.0
sgw-neatrack(config-subif)# no shutdown
This will set the IP address of the internal-facing port, which should already be connected to your switch, to 172.30.60.1 and specify that it is on a /24 subnet. This works well when there is only one internal network, but using VLANs we can have a whole collection of internal networks, each on a different subnet. Because of that, we will often want the router to serve each of these VLANs, which we can do with sub-interfaces. We will cover in more detail during the static routing lab how to set up a sub-interface, but using the entire physical interface works in this example.
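As an added example (not code from the lab or from Cisco), this Python script generalizes the single VLAN 60 sub-interface above to a list of VLANs: it generates one dot1Q sub-interface per VLAN under the parent interface and refuses the job if two VLANs’ gateway subnets overlap, which is the mistake that leaves the router unable to tell the networks apart. The parent name GigabitEthernet0/0 and the second VLAN in the sample list are assumptions.

```python
"""Generate router-side 802.1Q sub-interfaces for several VLANs and check their subnets.

Added example for the lab; not code from the page or from Cisco. VLAN 60 with gateway
172.30.60.1/24 comes from the lab; the second VLAN and the parent interface name are
assumed for illustration.
"""
import ipaddress

# Constructed list of (vlan_id, gateway_address, mask).
SAMPLE_VLANS = [
    (60, "172.30.60.1", "255.255.255.0"),
    (10, "172.30.10.1", "255.255.255.0"),
]


def gateway_overlaps(vlans):
    """Return (vlan_a, vlan_b) pairs whose gateway subnets overlap; empty list if none."""
    nets = [(vid, ipaddress.IPv4Interface(f"{addr}/{mask}").network) for vid, addr, mask in vlans]
    clashes = []
    for i, (vid_a, net_a) in enumerate(nets):
        for vid_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((vid_a, vid_b))
    return clashes


def build_router_subinterfaces(parent, vlans):
    """Return IOS lines: parent without an address, then one dot1Q sub-interface per VLAN."""
    ids = [vid for vid, _, _ in vlans]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate VLAN id in list")
    if any(not 1 <= vid <= 4094 for vid in ids):
        raise ValueError("VLAN id out of range 1-4094")
    clashes = gateway_overlaps(vlans)
    if clashes:
        raise ValueError(f"overlapping gateway subnets between VLANs: {clashes}")
    # The physical interface carries the tagged frames and gets no address of its own.
    lines = [f"interface {parent}", " no ip address", " no shutdown", "exit"]
    for vid, addr, mask in vlans:
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        lines += [
            f"interface {parent}.{vid}",
            f" encapsulation dot1Q {vid}",
            f" ip address {iface.ip} {iface.netmask}",
            " no shutdown",
            "exit",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_router_subinterfaces("GigabitEthernet0/0", SAMPLE_VLANS)))
```

With only VLAN 60 in the list, the output is the seven-line sequence shown above for gi 0/0 and gi 0/0.60.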
With all of the configurations, it would help to have a visual. Your physical network as of now should look like the following:
NOTE: This is only for the KVM Lab where you’ll be making a DHCP server. Once you get to the Static Routing Lab, this will be changed.
SSH Testing
At this point, both the switch and the router should have ports that are connected to the 172.30.60.0/24 network. If these ports are connected together by an ethernet cable, they should be able to talk directly to each other. If they are not already connected, either attach a cable from the router’s internal port to one of the switch’s ports configured on vlan 60, or connect the router’s internal port to one of the switch’s ports, then configure the port on the switch to access vlan 60.
By doing this, we make a connection where the switch and the router are attached to each other and are on the same network, therefore allowing them to communicate. We can test this with the ssh command, which will let you access a console over the network. While connected to the router, use this command (make sure you are not in the configuration terminal):
sgw-neatrack# ssh -l admin 172.30.60.10
If you get a response along the lines of diffie-hellman… etc., you should be able to enter this to fix it.
ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -o Ciphers=aes256-cbc admin@172.30.60.10
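As an added example (not from the lab, from Cisco or from OpenSSH), the following Python script parses the “Unable to negotiate … Their offer: …” message that the OpenSSH client on the lab server prints in this situation, picks the least-weak algorithm the switch offers for each -o option, and reports which of them are legacy (the SHA-1 key exchange over a 1024-bit group and the CBC ciphers), so the override is applied knowingly and only for this lab device. The error text inside it is constructed.

```python
"""Derive the -o overrides an old IOS image needs from the OpenSSH client's error.

Added example for the lab; not code from the page, from Cisco or from OpenSSH. It
assumes the OpenSSH wording "no matching <kind> found. Their offer: a,b,c".
"""
import re

# Constructed sample of the client error for a switch that only offers old algorithms.
SAMPLE_ERROR = (
    "Unable to negotiate with 172.30.60.10 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group1-sha1\n"
    "Unable to negotiate with 172.30.60.10 port 22: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n"
)

OFFER_RE = re.compile(r"no matching (key exchange method|cipher|host key type) found\. Their offer: ([\w@.,-]+)")

# ssh_config option for each kind of failure, and the order in which to prefer old offers.
OPTION_FOR = {"key exchange method": "KexAlgorithms", "cipher": "Ciphers", "host key type": "HostKeyAlgorithms"}
PREFERENCE = {
    "KexAlgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "Ciphers": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"],
    "HostKeyAlgorithms": ["ssh-rsa"],
}
# Weak by today's standards (SHA-1 key exchange, 1024-bit group, CBC mode, SHA-1 RSA
# signatures); OpenSSH disables most of these by default, which is why the error appears.
LEGACY = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
          "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc", "ssh-rsa"}


def ssh_compat_options(error_text):
    """Return ({option: algorithm}, set of legacy algorithms chosen) for the offers found."""
    chosen, legacy = {}, set()
    for kind, offer in OFFER_RE.findall(error_text):
        option = OPTION_FOR[kind]
        offered = offer.split(",")
        # Take the first algorithm from our preference list that the device offers,
        # falling back to whatever it listed first.
        pick = next((a for a in PREFERENCE[option] if a in offered), offered[0])
        chosen[option] = pick
        if pick in LEGACY:
            legacy.add(pick)
    return chosen, legacy


def ssh_command(user, host, chosen):
    """Build the client command line with one -o per overridden option."""
    parts = ["ssh"] + [f"-o {k}={v}" for k, v in chosen.items()] + [f"{user}@{host}"]
    return " ".join(parts)


if __name__ == "__main__":
    chosen, legacy = ssh_compat_options(SAMPLE_ERROR)
    print(ssh_command("admin", "172.30.60.10", chosen))
    if legacy:
        print("legacy algorithms in use:", ", ".join(sorted(legacy)))
```

For the sample error the script reproduces the command shown above and lists both algorithms as legacy; the same overrides belong in a Host block of ~/.ssh/config scoped to the switch’s address rather than in a global setting.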