Tag Archives: ICND1: 640-822

More Handy IOS Commands

I was reconfiguring my 2950 and wondered why I couldn’t delete a VLAN. There is a database of VLANs that resides on the flash drive and is used to keep the VLAN configurations. If this file is not purged, the VLANs will not be deleted. So let’s take a look at some commands that give us access to the flash drive.

The show and directory commands

This was an odd one: you can issue show flash: to see the contents of the flash drive, but on my version of IOS that command only covers the flash drive. To see the nvram, you need to issue a dir command.

sh flash: gives this output:

s2950#sh flash:
Directory of flash:
 2 -rwx 109 Mar 01 1993 00:01:46 +00:00 info
 3 -rwx 270 Jan 01 1970 00:01:48 +00:00 env_vars
 7 -rwx 3086328 Mar 01 1993 00:03:22 +00:00 c2950-i6q4l2-mz.121-22.EA2.bin
 8 drwx 3968 Mar 01 1993 00:03:52 +00:00 html
 341 -rwx 109 Mar 01 1993 00:04:20 +00:00 info.ver
 343 drwx 128 Mar 01 1993 00:00:12 +00:00 crashinfo
7741440 bytes total (3170304 bytes free)
s2950#

Whereas dir all-filesystems gives us this:

s2950#dir all-filesystems
Directory of flash:/
 2 -rwx 109 Mar 01 1993 00:01:46 +00:00 info
 3 -rwx 270 Jan 01 1970 00:01:48 +00:00 env_vars
 7 -rwx 3086328 Mar 01 1993 00:03:22 +00:00 c2950-i6q4l2-mz.121-22.EA2.bin
 8 drwx 3968 Mar 01 1993 00:03:52 +00:00 html
 341 -rwx 109 Mar 01 1993 00:04:20 +00:00 info.ver
 343 drwx 128 Mar 01 1993 00:00:12 +00:00 crashinfo
7741440 bytes total (3170304 bytes free)

Directory of nvram:/
 27 -rw- 3092 <no date> startup-config
 28 ---- 5 <no date> private-config
32768 bytes total (29619 bytes free)

Directory of system:/
 2 dr-x 0 <no date> memory
 1 -rw- 2938 <no date> running-config
No space information available


The more command

The more command is used to view text files, and other than the IOS image itself (which is compressed), most of the files on the flash drive appear to be text files.

The syntax is more [where]:[what]

For instance, more flash:text.dat will show you the contents of the file text.dat.

The erase command

Erase allows you to erase an entire drive; for instance, erase nvram: will erase all files stored on the nvram. This can be both very useful and very dangerous. I’ve used it to erase configs by just clearing the nvram completely; however, the command erase startup-config also works in that specific case.

The delete Command

Delete uses the same syntax as the show command and allows the deletion of files on a file-by-file basis. For instance, delete flash:config.old would delete the file config.old.

There are other file handling commands; this list is not exhaustive. However, I haven’t had a need to use them yet. When I do, I’ll be sure to write about it.


Configuring Switches

It’s easy to get sucked into configuring routers because there is so much to configure, so I’m calling time out on the routers and shifting focus to the switches. So let’s look at some fun things to do with switches.


Configure an IP address and default gateway.

I guess at first I didn’t think too deeply about this because I’ve been using the console port to connect to my switches, but if we are to telnet into them, they need to have an IP address. If I run sh run on my 2950, I get the following after the last physical interface:

!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 shutdown
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!

We have seen Vlan 1 before; it is the default VLAN on the switch. We can use it as the management VLAN if we want to, or define a new VLAN for that function. The only issue with using telnet to control the switch is that we need one port for this function.

So to configure the VLAN with an IP address, we need to:

interface Vlan1
 description : Management VLAN
 ip address 172.16.4.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.16.4.1
ip http server
!
line con 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
 login

You can see the commands required to make this work. Don’t forget the password command in the line vty config, or your telnet connection will be refused. This will work, but there is one more password we need to configure. As this stands, we can telnet into the switch, but we cannot enter enable or config mode. We need to set our secret to be able to do that.

s2950(config)#enable secret ccna
s2950(config)#exit

And that should do it. I can now telnet into my switch.


Changing the Port Speed and Duplex

Depending on the situation, you may just elect to leave everything on auto, but then again it is good to know how to hard-code the ports, and the commands for speed and duplex are pretty straightforward.

s2950(config-if)#speed ?
 10       Force 10 Mbps operation
 100      Force 100 Mbps operation
 auto     Enable AUTO speed configuration

and …

s2950(config-if)#duplex ?
 auto     Enable AUTO duplex configuration
 full     Force full duplex operation
 half     Force half-duplex operation


Changing Multiple ports

This is great if we have just a single port or a couple of ports to change, but let’s say we need to change 12 or 24 or even all 48 ports. That’s quite the task! There is of course a shortcut, and it is the interface range command.

s2950(config)#int range fast0/1 - 24 
s2950(config-if-range)#speed 100
s2950(config-if-range)#exit
s2950(config)#exit
s2950#

But I hear you say, what if the ports we need to change are not contiguous?
The answer is still the same range command, but with commas:

s2950(config)#int range fa0/4 , fa0/7 , fa0/9 
s2950(config-if-range)#speed 10
s2950(config-if-range)#exit
s2950(config)#exit
s2950#

The big gotcha here is remembering to put the spaces in the right place and remembering to use the full name of the port, not just the number as in the contiguous example above.
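As an added example (my own code, not from the post), the following Python expands an interface range argument the way the post writes it, both the contiguous form and the comma-separated form, and also accepts a mix of the two. It raises an error for exactly the gotcha described above: a non-contiguous member written as a bare number instead of the full port name.

```python
import re

# One member of an 'interface range' argument as written in the post: a full port name
# such as fa0/4, optionally followed by " - N" to end a contiguous block at port N.
MEMBER_RE = re.compile(r"^([A-Za-z]+)(\d+)/(\d+)(?:\s*-\s*(\d+))?$")

def expand_interface_range(spec):
    """Return the individual ports named by an 'interface range' argument.

    Members are separated by commas, so "fa0/1 - 24", "fa0/4 , fa0/7 , fa0/9" and a
    mix of the two forms are all accepted. A ValueError is raised for the gotcha the
    post describes: a member given as a bare number instead of the full port name.
    """
    ports = []
    for raw in spec.split(","):
        member = raw.strip()
        m = MEMBER_RE.match(member)
        if not m:
            raise ValueError(f"bad range member {member!r}: use the full port name, e.g. fa0/7")
        kind, slot, first, last = m.groups()
        first, last = int(first), int(last or first)
        if last < first:
            raise ValueError(f"range {member!r} ends before it starts")
        ports.extend(f"{kind}{slot}/{n}" for n in range(first, last + 1))
    return ports

def render_config(spec, *commands):
    """Per-interface stanzas equivalent to applying commands under 'interface range',
    separated by '!' as in show run output."""
    return "!\n".join(f"interface {p}\n" + "".join(f" {c}\n" for c in commands)
                      for p in expand_interface_range(spec))
```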


Passwords

When I first started learning about Cisco equipment, I was totally confused by the morass of passwords and secrets, so here is a handy breakdown on just passwords and secrets.

Passwords are our first line of defense against intrusion, be it deliberate or accidental.

A password is better than no password, and a complex password is better than a simple password. What is a complex password? One that has a larger number of characters (8+) and uses an alphanumeric string (a mix of letters, numbers and symbols) rather than words.

The first thing to note about Cisco equipment is that there are several passwords used to provide different layers of protection to the switch or router. Now you can leave the unit open and not set any passwords at all, or you can lock the unit down tighter than a nun’s virtue, and everything in between.

I found it easier to get a handle on all these passwords by placing them into two groups:

  • Mode protection
  • Access protection

Mode Passwords

With no passwords or secrets set, you can move from user mode to user privilege mode to global configuration mode just by typing the appropriate commands. There are two basic commands to control mode access:

  • enable password
  • enable secret

We need to know both for the exams, but in the real world we will only use enable secret.

If we use enable password, that sets a password which can be stored encrypted or in clear text. A better way to protect privilege mode is the enable secret command, which encrypts the password by default. If you have set both a password and a secret, the secret always takes precedence and the password is ignored.

Enable Password (plain text) and Secret (hashed with MD5)

Password Encryption

When running a sh run command, any passwords set will be shown in plain text. This is a security risk, and leaves the unit open to, at the very least, an over-the-shoulder attack. We can secure our passwords using the password encryption command service password-encryption.

The number following this command is the level of encryption. Level 5 is the default and is easy to crack. Level 7 is preferable and is very hard to crack. The enable secret is encrypted at level 5 by default.


Access Protection

There are three ways of gaining access to the router or switch:

  • The console port
  • The Aux port
  • The vty lines via Telnet / ssh

By default, all of these ports are essentially open: no password and completely open access. Telnet, however, will not let you log in to a router if there is no password set. Once in, the default is privilege mode 15.

To protect these inputs we can add the password command to the line config.

In global config mode we use:

(config)# line vty 0 4
(config-line)# password (password) -- this password is for this port(s) only
(config-line)# login

This gets you into user mode. If you type enable to get into user privilege mode, the unit will do one of two things: prompt for the password/secret, or deny access if no password/secret is set. As I noted above, each port can be configured with its own unique password.

We can make this even more secure by requiring a username and password to gain access.
First we set our username and password:

(config)# username admin password cisco

This username/password combination is used wherever login local is used.
Then we configure our VTY lines:

(config)# line vty 0 4
(config-line)# login local

The login local command tells the router to look at its local user list. However, when we log in we will still not be able to gain access to privilege mode (unless the privilege modifier is used in the username statement; see below).

Modifying the username command as follows will get us into privilege mode regardless of the enable secret/password.

(config)# username admin privilege 15 password cisco

We can set these access controls on the console, tty and aux ports.


The Username Command

We can use the username command to create users (and for the purposes of CCENT and CCNA, these are local users) that we then use to provide login access. This helps us protect remote logins, like telnet.

A username does not apply to the enable and global config commands.

username tony password 7 0822455D0A16

Notice how the password is encrypted.

We can set up any number of users and configure them accordingly using this statement.


Privilege mode

The privilege command is a modifier used with other commands to control just how much access each user has. There are a number of user ‘levels’ that grant users capabilities. Privilege 15 is the highest and allows complete configuration of the router or switch. Lower levels have fewer capabilities, down to 0. Privilege can be set on a per-interface basis, so console access might be 15 and telnet only 8, for example, or on a per-user basis as part of the username command.
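Added example, not from the post: a small Python audit that reads a saved running-config and applies the rules from this post and from the Configuring Switches post above (enable secret set and taking precedence over enable password, username passwords stored plain versus type 7, privilege 15 bypassing the secret, and whether each line has login plus a password, login local, or neither). The sample config and the hash string in it are constructed placeholders.

```python
import re
# Constructed 'show running-config' excerpt (not from the post) that exercises the rules below.
SAMPLE_CONFIG = """\
enable password cisco
enable secret 5 $1$abcd$PLACEHOLDERHASH
username admin password cisco
username tony privilege 15 password 7 0822455D0A16
line con 0
line vty 0 4
 password cisco
 login
"""

def check_line(block, sub):
    """Rules for one 'line ...' block; sub is the set of its indented commands."""
    if "login local" in sub:
        return [("OK", f"{block}: login local, checked against the username table")]
    if "login" not in sub:
        return [("HIGH", f"{block}: no login, access without any password")]
    pw = [s for s in sub if s.startswith("password")]
    if not pw:
        return [("INFO", f"{block}: login without a password, connections are refused")]
    plain = [s for s in pw if not re.match(r"password \d ", s)]
    return [("MEDIUM", f"{block}: line password stored in plain text")] if plain else []

def audit_config(text):
    out, lines = [], text.splitlines()
    if not any(l.startswith("enable secret") for l in lines):
        out.append(("HIGH", "no enable secret: privilege mode is open or relies on enable password"))
    elif any(l.startswith("enable password") for l in lines):
        out.append(("INFO", "enable password is ignored because enable secret takes precedence"))
    block, sub = None, set()
    for l in lines + ["end"]:                  # sentinel closes the last 'line' block
        if l.startswith(" "):                  # indented command inside the current block
            sub.add(l.strip())
            continue
        if block:
            out.extend(check_line(block, sub))
        block, sub = (l if l.startswith("line ") else None), set()
        if m := re.match(r"^username (\S+)(?: privilege (\d+))? password(?: (\d))? \S+$", l):
            user, priv, ptype = m.groups()
            if ptype is None:
                out.append(("HIGH", f"username {user}: password stored in plain text"))
            elif ptype == "7":
                out.append(("MEDIUM", f"username {user}: type 7 is reversible obfuscation, not a hash"))
            if priv == "15":
                out.append(("INFO", f"username {user}: privilege 15 bypasses the enable secret"))
    return out
```

Feed it the text of sh run (or a saved startup-config pulled off nvram) and anything tagged HIGH is a line or account that the posts above would tell you to fix first.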


Progress Report

So where am I right now?

The euphoria over passing the CCENT has faded and I’m back to studying again. The question for me now is: what is my long-term goal in all of this? The more I do this, the more I enjoy it, so I want to go deeper, but what direction do I want to take my new networking career?

“I’m not sure yet” is the best answer I have, so what I intend to do is take a broad spread of certifications and courses. This does two things for me:

  • It exposes me to a lot of networking concepts, and I can feel out what fits with me and what doesn’t. That should help point me in a direction, career-wise.
  • It establishes a known knowledge base to work from, and can help me identify areas of weakness and strength.

With that in mind, here is the path I have mapped out for myself so far:

cert plan
