Module 1: Basic Device

Configuration

Switching, Routing and Wireless

Essentials v7.0 (SRWE)
1.1 Configure a Switch with
Initial Settings

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
 Configure a Switch with Initial Settings
Switch Boot Sequence
After a Cisco switch is powered on, it goes through the following five-step boot
sequence:
Step 1: First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks
the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up
the flash file system.
Step 2: Next, the switch loads the boot loader software. The boot loader is a small program
stored in ROM that is run immediately after POST successfully completes.
Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU registers,
which control where physical memory is mapped, the quantity of memory, and its speed.
Step 4: The boot loader initializes the flash file system on the system board.
Step 5: Finally, the boot loader locates and loads a default IOS operating system software image
into memory and gives control of the switch over to the IOS.
 Configure a Switch with Initial Settings
The boot system Command
• The switch attempts to automatically boot by using information in the BOOT environment variable. If this
variable is not set, the switch attempts to load and execute the first executable file it can find.
• The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the
startup-config file. The startup-config file is called config.text and is located in flash.
• In the example, the BOOT environment variable is set using the boot system global configuration mode
command. Notice that the IOS is located in a distinct folder and the folder path is specified. Use the
command show boot to see what the current IOS boot file is set to.

Command Definition

boot system The main command

flash: The storage device

c2960-lanbasek9-mz.150-2.SE/ The path to the file system

c2960-lanbasek9-mz.150-2.SE.bin The IOS file name

 Configure a Switch with Initial Settings
Switch LED Indicators
System LED (SYST): Shows whether the system is receiving power and functioning
properly.
Redundant Power Supply LED (RPS): Shows the RPS status.
Port Status LED (STAT): When green, indicates port status mode is selected, which
is the default. Port status can then be understood by the light associated with
each port.
Port Duplex LED (DUPLX): When green, indicates port duplex mode is selected.
Port duplex can then be understood by the light associated with each port.
Port Speed LED (SPEED): When green, indicates port speed mode is selected. Port
speed can then be understood by the light associated with each port.
Power over Ethernet LED (PoE): Present if the switch supports PoE. Indicates the
PoE status of ports on the switch.

The Mode button is used to move between the different modes – STAT, DUPLX,
SPEED, and PoE
 Configure a Switch with Initial Settings
Recovering from a System Crash
The boot loader provides access into the switch if the operating system cannot be used because of missing or
damaged system files. The boot loader has a command line that provides access to the files stored in flash
memory. The boot loader can be accessed through a console connection following these steps:
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to
connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down
the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green;
then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating
system software, and recover a lost or forgotten password. For example, the dir command can be used to
view a list of files within a specified directory.
 Configure a Switch with Initial Settings
Switch Management Access
To prepare a switch for remote management
access, the switch must be configured with an
IP address and a subnet mask.
• To manage the switch from a remote
network, the switch must be configured
with a default gateway. This is very similar
to configuring the IP address information
on host devices.
• In the figure, the switch virtual interface
(SVI) on S1 should be assigned an IP
address. The SVI is a virtual interface, not a
physical port on the switch. A console cable
is used to connect to a PC so that the
switch can be initially configured.
 Configure a Switch with Initial Settings
Switch SVI Configuration Example (Cont.)
Task IOS Commands

Enter global configuration mode. S1# configure terminal

Enter interface configuration mode for the SVI. S1(config)# interface vlan 99
Configure the management interface IPv4
S1(config-if)# ip address 172.17.99.11 255.255.255.0
address.
Configure the management interface IPv6
S1(config-if)# ipv6 address 2001:db8:acad:99::1/64
address
Enable the management interface. S1(config-if)# no shutdown

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config
 Configure a Switch with Initial Settings
Switch SVI Configuration Example (Cont.)
Step 2: Configure the Default Gateway
• The switch should be configured with a default gateway if it will be managed remotely from
networks that are not directly connected.
• Note: Because, it will receive its default gateway information from a
router advertisement (RA) message, the switch does not require an
IPv6 default gateway.
Task IOS Commands

Enter global configuration mode. S1# configure terminal

Configure the default gateway for the switch. S1(config)# ip default-gateway 172.17.99.1

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config
 Configure a Switch with Initial Settings
Switch SVI Configuration Example (Cont.)
Step 3: Verify Configuration
• The show ip interface brief and show ipv6 interface brief commands are useful for
determining the status of both physical and virtual interfaces. The output shown confirms that
interface VLAN 99 has been configured with an IPv4 and IPv6 address.
Note: An IP address applied to the SVI is only for remote management access to the switch; this
does not allow the switch to route Layer 3 packets.
1.2 Configure Switch Ports

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
 Configure Switch Ports
Duplex Communication
• Full-duplex communication increases bandwidth efficiency by allowing both ends of a
connection to transmit and receive data simultaneously. This is also known as bidirectional
communication and it requires microsegmentation.
• A microsegmented LAN is created when a switch port has only one device connected and is
operating in full-duplex mode. There is no collision domain associated with a switch port
operating in full-duplex mode.
• Unlike full-duplex communication, half-duplex communication is unidirectional. Half-duplex
communication creates performance issues because data can flow in only one direction at a
time, often resulting in collisions.
• Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. In full-duplex
mode, the collision detection circuit on the NIC is disabled. Full-duplex offers 100 percent
efficiency in both directions (transmitting and receiving). This results in a doubling of the
potential use of the stated bandwidth.
 Configure Switch Ports
Configure Switch Ports at the Physical Layer (Cont.)

Task IOS Commands

Enter global configuration mode. S1# configure terminal

Enter interface configuration mode. S1(config)# interface FastEthernet 0/1

Configure the interface duplex. S1(config-if)# duplex full

Configure the interface speed. S1(config-if)# speed 100

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config
 Configure Switch Ports
Auto-MDIX
• When automatic medium-dependent interface crossover (auto-MDIX) is enabled, the switch
interface automatically detects the required cable connection type (straight-through or crossover)
and configures the connection appropriately.
• When connecting to switches without the auto-MDIX feature, straight-through cables must be used
to connect to devices such as servers, workstations, or routers. Crossover cables must be used to
connect to other switches or repeaters.
• With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the
interface automatically adjusts to communicate successfully.
• On newer Cisco switches, the mdix auto interface configuration mode command enables the feature.
When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that
the feature operates correctly.
Note: The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches but is
not available on the older Catalyst 2950 and Catalyst 3550 switches.
To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-
controller command with the phy keyword. To limit the output to lines referencing auto-MDIX, use
the include Auto-MDIX filter.
 Configure Switch Ports
Switch Verification Commands
Task IOS Commands

Display interface status and configuration. S1# show interfaces [interface-id]

Display current startup configuration. S1# show startup-config

Display current running configuration. S1# show running-config

Display information about flash file system. S1# show flash

Display system hardware and software status. S1# show version

Display history of command entered. S1# show history

S1# show ip interface [interface-id]

Display IP information about an interface. OR
S1# show ipv6 interface [interface-id]
S1# show mac-address-table
Display the MAC address table. OR
S1# show mac address-table
 Configure Switch Ports
Verify Switch Port Configuration
The show running-config command can be used to verify that the switch has been correctly
configured. From the sample abbreviated output on S1, some important information is shown in the
figure:
• Fast Ethernet 0/18 interface configured with the management VLAN 99
• VLAN 99 configured with an IPv4 address of 172.17.99.11 255.255.255.0
• Default gateway set to 172.17.99.1
 Configure Switch Ports
Verify Switch Port Configuration (Cont.)
The show interfaces command is another commonly used command, which displays status and statistics
information on the network interfaces of the switch. The show interfaces command is frequently used when
configuring and monitoring network devices.

The first line of the output for the show interfaces fastEthernet 0/18 command indicates that the
FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the
duplex is full and the speed is 100 Mbps.
 Configure Switch Ports
Network Access Layer Issues (Cont.)
The show interfaces command
output displays counters and
statistics for the
FastEthernet0/18 interface, as
shown here:
 Configure Switch Ports
Network Access Layer Issues (Cont.)
Some media errors are not severe enough to cause the circuit to fail but do cause network
performance issues. The table explains some of these common errors which can be detected using
the show interfaces command.
Error Type Description

Input Errors Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.

Packets that are discarded because they are smaller than the minimum packet size for the medium. For
Runts
instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Packets that are discarded because they exceed the maximum packet size for the medium. For example, any
Giants
Ethernet packet that is greater than 1,518 bytes is considered a giant.

CRC CRC errors are generated when the calculated checksum is not the same as the checksum received.

Sum of all errors that prevented the final transmission of datagrams out of the interface that is being
Output Errors
examined.

Collisions Number of messages retransmitted because of an Ethernet collision.

Late Collisions A collision that occurs after 512 bits of the frame have been transmitted
1.3 Secure Remote Access

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
 Secure Remote Access
Telnet Operation
Telnet uses TCP port 23. It is an older
protocol that uses unsecure plaintext
transmission of both the login
authentication (username and password)
and the data transmitted between the
communicating devices.
A threat actor can monitor packets using
Wireshark. For example, in the figure the
threat actor captured the
username admin and password ccna from a
Telnet session.
 Secure Remote Access
SSH Operation
Secure Shell (SSH) is a secure protocol that uses TCP
port 22. It provides a secure (encrypted) management
connection to a remote device. SSH should replace
Telnet for management connections. SSH provides
security for remote connections by providing strong
encryption when a device is authenticated (username
and password) and also for the transmitted data
between the communicating devices.

The figure shows a Wireshark capture of an SSH

session. The threat actor can track the session using
the IP address of the administrator device. However,
unlike Telnet, with SSH the username and password
are encrypted.
 Secure Remote Access
Configure SSH
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network
connectivity settings.
Step 1: Verify SSH support - Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS
that supports cryptographic features, this command is unrecognized.
Step 2: Configure the IP domain - Configure the IP domain name of the network using the ip domain-name domain-name global
configuration mode command.
Step 3: Generate RSA key pairs - Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global
configuration mode command to enable the SSH server on the switch and generate an RSA key pair.

Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration
mode command. After the RSA key pair is deleted, the SSH server is automatically
disabled.
Step 4: Configure user authentication - The SSH server can authenticate users locally or using an authentication server. To use the local
authentication method, create a username and password pair using the username username secret password global configuration
mode command.
Step 5: Configure the vty lines - Enable the SSH protocol on the vty lines by using the transport input ssh line configuration mode
command. Use the line vty global configuration mode command and then the login local line configuration mode command to require
local authentication for SSH connections from the local username database.
Step 6: Enable SSH version 2 - By default, SSH supports both versions 1 and 2. When supporting both versions, this is shown in
the show ip ssh output as supporting version 2. Enable SSH version using the ip ssh version 2 global configuration command.
 Secure Remote Access
Verify SSH is Operational
On a PC, an SSH client such as PuTTY, is used to connect to an SSH server. For example, assume the following is
configured:
• SSH is enabled on switch S1
• Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
• PC1 with IPv4 address 172.17.99.21
Using a terminal emulator, initiate an SSH connection to the SVI VLAN IPv4 address of S1 from PC1.
When connected, the user is prompted for a username and password as shown in the example. Using the
configuration from the previous example, the username admin and password ccna are entered. After entering the
correct combination, the user is connected via SSH to the command line interface (CLI) on the Catalyst 2960 switch.
 Secure Remote Access
Verify SSH is Operational (Cont.)
To display the version and configuration data for SSH on the device that you configured as an SSH server, use
the show ip ssh command. In the example, SSH version 2 is enabled.
1.4 Basic Router Configuration

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
 Basic Router Configuration
Configure Basic Router Settings
Cisco routers and Cisco switches have many similarities. They support a similar modal operating system, similar
command structures, and many of the same commands. In addition, both devices have similar initial
configuration steps. For example, the following configuration tasks should always be performed. Name the
device to distinguish it from other routers and configure passwords, as shown in the example.
 Basic Router Configuration
Configure Basic Router Settings (Cont.)
Configure a banner to provide legal notification of unauthorized access, as shown in the example.

Save the changes on a router, as shown in the example.

 Basic Router Configuration
Configure Router Interfaces
Routers support LANs and WANs and can interconnect different types of networks; therefore, they support
many types of interfaces. For example, G2 ISRs have one or two integrated Gigabit Ethernet interfaces and
High-Speed WAN Interface Card (HWIC) slots to accommodate other types of network interfaces, including
serial, DSL, and cable interfaces.

To be available, an interface must be:

• Configured with at least one IP address - Use the ip address ip-address subnet-mask and the ipv6
address ipv6-address/prefix interface configuration commands.
• Activated - By default, LAN and WAN interfaces are not activated (shutdown). To enable an interface, it
must be activated using the no shutdown command. (This is similar to powering on the interface.) The
interface must also be connected to another device (a hub, a switch, or another router) for the physical
layer to be active.
• Description - Optionally, the interface could also be configured with a short description of up to 240
characters. It is good practice to configure a description on each interface. On production networks, the
benefits of interface descriptions are quickly realized as they are helpful in troubleshooting and in
identifying a third-party connection and contact information.
 Basic Router Configuration
Configure Router Interfaces (Cont.)
The example shows the configure for the interfaces on R1:
 Basic Router Configuration
IPv4 Loopback Interfaces
Another common configuration of Cisco IOS routers is enabling a loopback interface.
• The loopback interface is a logical interface that is internal to the router. It is not assigned to a physical port
and can never be connected to any other device. It is considered a software interface that is automatically
placed in an “up” state, as long as the router is functioning.
• The loopback interface is useful in testing and managing a Cisco IOS device because it ensures that at least
one interface will always be available. For example, it can be used for testing purposes, such as testing
internal routing processes, by emulating networks behind the router.
• Loopback interfaces are also commonly used in lab environments to create additional interfaces. For
example, you can create multiple loopback interfaces on a router to simulate more networks for
configuration practice and testing purposes. The IPv4 address for each loopback interface must be unique
and unused by any other interface. In this curriculum, we often use a loopback interface to simulate a link to
the internet.
• Enabling and assigning a loopback address is simple:

Router(config)# interface loopback number

Router(config-if)# ip address ip-address subnet-mask
1.5 Verify Directly Connected
Networks

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
 Verify Directly Connected Networks
Interface Verification Commands
There are several show commands that can be used to verify the operation and configuration of
an interface.

The following commands are especially useful to quickly identify the status of an interface:
• show ip interface brief and show ipv6 interface brief - These display a summary for all
interfaces including the IPv4 or IPv6 address of the interface and current operational status.
• show running-config interface interface-id - This displays the commands applied to the
specified interface.
• show ip route and show ipv6 route - These display the contents of the IPv4 or IPv6 routing
table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table with
two related entries identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous IOS
versions, only a single entry with the code ‘C’ will appear.
 Verify Directly Connected Networks
Verify Interface Status
The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly reveal the
status of all interfaces on the router. You can verify that the interfaces are active and operational as indicated by the
Status of “up” and Protocol of “up”, as shown in the example. A different output would indicate a problem with either
the configuration or the cabling.
 Verify Directly Connected Networks
Verify IPv6 Link Local and Multicast Addresses
The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface.
One address is the IPv6 global unicast address that was manually entered. The other address, which begins
with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to an
interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a link-
local address, but not necessarily a global unicast address.

The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6
addresses belonging to the interface. Along with the link local address and global unicast address, the output
includes the multicast addresses assigned to the interface, beginning with prefix FF02, as shown in the
example.
 Verify Directly Connected Networks
Verify Routes
The output of the show ip route and show
ipv6 route commands reveal the three
directly connected network entries and the
three local host route interface entries, as
shown in the example.

The local host route has an administrative

distance of 0. It also has a /32 mask for
IPv4, and a /128 mask for IPv6. The local
host route is for routes on the router that
owns the IP address. It is used to allow the
router to process packets destined to that
IP.