
Exercise 1 - Essential switch configuration
In this exercise you will configure some essential settings on a Cisco switch. These settings can be
configured using the initial configuration dialog which is displayed when you power on a switch for
the first time or when the configuration has been erased. Instead of using the initial configuration
dialog, we will use the command line interface (or CLI) to configure the settings detailed in this
module. It is uncommon that the initial configuration dialog is used in the real world, and as almost
all of your Cisco configurations will be done using the CLI, experience using the CLI is vital.
Please refer to your course material for reference on the commands used in this exercise, or use your
preferred search engine to gain an understanding of these tasks.
To put into context what you are accessing when using this remote lab, and how, here is some brief
information on the devices you have access to.
At the time of writing, the lab has two different types of switches, a Cisco 2960 24 port
series and a Cisco 3750v2 (or v1 depending on the lab) series.
The Cisco 3750 series switch has power over Ethernet (PoE) capabilities which enable connections
to devices that are capable of drawing their power source from the network, such as a Cisco IP
phone or camera for example. As corporate and SME networks are moving towards IP telephony,
providing power over the network to these devices has become very popular.
On the front of the switch are the switch interfaces where the network cables go and a small button
which changes the LEDs on the front of the switch to do various things.
Below are images of the front of both the Cisco 3750 and the Cisco 2960 series switches. These are
the exact devices you will be accessing.
Cisco 3750 Series Switch
Below is an image showing the front of the 3750 series switch. Here you can see 24 RJ45
(commonly called copper) based network interfaces, which are capable of 10/100Mbps speed. On the
right you can see 2 slots into which you can insert a small transceiver module; these can provide fibre
based connectivity instead of just copper based RJ45 connections. Typically they will be used to
uplink to another switch, perhaps a distribution or core switch, but they could connect to any other
compatible device.
On the far right you can see the mounting bracket which is used to mount the switch in a 19-inch
cabinet or rack (these are often called ears).

Below is a shot of the left of the switch. Here you can see the mode button which changes the LED
functions. By default the LEDs of the 24 RJ45 interfaces show activity; however, they can show the
various functions shown in the image below. For example, they can show you the active duplex mode
of the interface, full or half-duplex.

On the rear of the 3750 switch we have the power connector (not shown in this image), and 3 other
connectors, two for stacking switches together using a stack cable, and finally the console port.

The console port is very important; it's through this connection that you have access to the device.
When you configure a physical switch in real life you would normally have a small blue cable that
plugs in to this console port, with the other end plugged in to your laptop or PC. Then you would use your
favourite terminal program (HyperTerminal, PuTTY, Tera Term; there are many) to connect and make
your initial configuration so that you can then complete your configuration remotely over the
network.
In the lab environment, that cable is replaced by the internet and the terminal software is replaced by
your web browser and a special client so that you can see the terminal screen. Apart from this,
everything else is as it would be in the real world!
Cisco 2960 Series Switch
On the front of the Cisco 2960 switch you can see similar connections to the 3750. You will notice
that in this particular model we have 4 interfaces that are slightly different: two are the same
as on the Cisco 3750, where you can insert a small transceiver, and the other two are RJ45 copper based
gigabit uplinks. These provide a cost effective way to get a gigabit uplink to the switch without
requiring any further investment.

The rear of the 2960 is missing the stacking capabilities, but has a console port and power socket in
the same way the Cisco 3750 series does.
An important note about these switches: different models (in the same range) may have different
connections and look slightly different. For example, you can get 48-port versions of these switches,
which have more interfaces to connect your network devices, PCs, printers etc.
Switch / Router modes
Before starting, if you are not aware of the different command line modes that you can be in on a
Cisco device, these are the common ones:
User Exec mode, signified by the > at the end of the device name, for example:
NYACCESS1>
Privileged mode, signified by the # symbol at the end of the device name, for example:
NYACCESS1#
Global configuration mode (or simply configuration mode), signified by the (config)# at the end of
the device name, for example:
NYACCESS1(config)#
There are many other modes which branch from configuration mode, such as line configuration
mode or vlan configuration mode, which will change the command prompt slightly. The most
common is interface configuration mode, which looks like NYACCESS1(config-if)#
Configuring the switch
**** When using ANY lab you MUST set ALL the passwords to lower case cisco unless
specified otherwise. This enables us to successfully recover the devices once you have finished. ****
Powering on a device
In the web page, on the left hand side it shows your lab devices, your color scheme may look
different to the image, but the layout will look the same.
Click on the NYACCESS1 device. You will notice the centre window changes slightly; at the
bottom is a power on icon. Click this icon to power on the switch.

The centre panel will change to the device's terminal. This is exactly the same as if you were using
PuTTY or another terminal program via the console port. During this power on stage you will see a lot
of information on the screen; this is the boot process, which you should observe.
It may take a few moments for some information to be displayed; this is perfectly normal!
One thing to bear in mind here: this is a real device. Depending on the IOS size, the type of switch,
the different boot processes etc., the device can take a good few minutes to boot. This is exactly what
happens when you power a switch (or router) on from cold.

In the above screenshot you can see the switch booting.
After the switch has successfully loaded its IOS image and gone through the various boot stages you
will see a message stating Press RETURN to get started! It may be mixed up in a lot of other
messages so you will need a keen eye.
Press RETURN to get started!

*Mar 1 00:01:01.496: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

*Mar 1 00:01:30.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Go ahead and press return. You should see the initial configuration dialog message.
--- System Configuration Dialog ---

Enable secret warning

----------------------------------

In order to access the device manager, an enable secret is required

If you enter the initial configuration dialog, you will be prompted for the enable secret

If you choose not to enter the initial configuration dialog, or if you exit setup without setting the enable secret,

please set an enable secret using the following CLI in configuration mode-

enable secret 0

----------------------------------

Would you like to enter the initial configuration dialog? [yes/no]:

The initial configuration dialog is a menu driven process enabling you to configure some basic
switch items. Feel free to run through this, but we will not be using this to make our configuration
changes.
At the [yes/no] prompt, type no to quit the setup. You will get the prompt shown below.
Would you like to enter the initial configuration dialog? [yes/no]: no

Switch>

You will notice the prompt changes to Switch>. If you remember, the > symbol signifies that
you are in user exec mode. The Switch text prior to this symbol is the hostname of the device; let's
make our first configuration changes.
To have the correct privileges to make a configuration change you will need to get to privileged
mode which is signified by a hash/pound sign at the end of the prompt. To get to privileged mode
simply type enable. Some people call this enable mode, but I prefer privileged mode.
Switch>enable

Switch#

Note: As the switch is yet to be configured you will not be prompted for a password. However, in
normal operation outside of the lab environment you would almost certainly be prompted to enter
a password when entering privileged mode. We will configure a password later to see this in action.
Hostnames and passwords
Make sure you are in privileged mode and use the following steps to make the configuration changes
listed below:
Set the hostname to NYACCESS1
Set an enable password
Set an enable secret
Step 1
As the rest of the modules in this course refer to this switch as NYACCESS1, change the hostname
to be NYACCESS1.
To do this, enter global configuration mode and use the hostname command to change the
hostname. Throughout all of the exercises the configuration will be shown in full as shown in the
output below. You will need to follow the output and extract the commands:
Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname NYACCESS1

NYACCESS1(config)#

For example in the above output, you should have typed:
configure terminal

hostname NYACCESS1

All the other text is what would be displayed on your terminal screen providing you have followed it
exactly.
Notice that as soon as you entered the hostname command, the hostname changed. This is an
important point because almost all changes that you make are committed as soon as you press the
return/enter key. You do not commit the changes separately; they are committed immediately.
Step 2
Configure an enable password. To do this, use the enable password global configuration command.
Ensure you stick to the passwords outlined in the lab guides - failure to do so will delay the
recycling of the lab you have access to, impacting all of our users' access to the labs:
NYACCESS1(config)#enable password cisco1

Test this configuration change by exiting privileged mode. When configuring Cisco switches and
routers, if you are in any configuration mode you can use the exit command to move back one level,
or drop out to privileged mode if you are in global configuration mode. You can also use the shortcut
CTRL+Z to exit all the way back to privileged mode, from any configuration mode.
Type exit to get from global configuration mode back to privileged mode, then type disable to get
back to user exec mode.
NYACCESS1(config)#exit

NYACCESS1#disable

NYACCESS1>

*Mar 1 00:30:56.642: %SYS-5-CONFIG_I: Configured from console by console

You will notice that the switch prints a log message to the screen stating the switch has been
configured. By default these log messages are sent to anything connected to the console port. You
can turn this off; however, I recommend keeping it enabled whilst you are using the labs as you will
use these log messages to understand what is happening on the switch (there may be places where
we recommend turning logging off, so follow the guides).
Logging does not appear by default when using a remote access connection such as telnet or SSH;
this must be turned on separately.
Once you are in user exec mode, switch back to privileged mode, remember the enable command?
NYACCESS1>

NYACCESS1>enable

Password:

NYACCESS1#

Notice that this time you are prompted to enter a password. Type in cisco1, which you previously
configured.
There is a problem with the enable password. Use the show running-config command to observe
the switch's full running configuration. On the first page, look for the command enable password
cisco1.
NYACCESS1#show running-config

Building configuration...

Current configuration : 1304 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname NYACCESS1

!

boot-start-marker

boot-end-marker

!

enable password cisco1

(Output omitted)

Notice that the password is printed in clear text which is considered to be a security issue.
To page through your configuration you can use the space bar, or the enter/return key for
line-by-line stepping. You can also press q or CTRL+C or CTRL+Z to stop viewing any output that
requires paging.
Step 3
To resolve the password issue, configure an enable secret and compare this to the enable password.
Enter global configuration mode and use the enable secret configuration command to set a password
of cisco:
NYACCESS1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYACCESS1(config)#enable secret cisco

NYACCESS1(config)#

As you did before, quit back to privileged mode, then type disable to exit privileged mode.
NYACCESS1(config)#exit

NYACCESS1#disable

NYACCESS1>

Enter privileged mode. Which password do you have to type to gain access once more, cisco1 or
cisco? The switch clearly prefers one of the two passwords.
View the running configuration once more and again find the enable password configuration line:
NYACCESS1#show running-config

Building configuration...

Current configuration : 1396 bytes

!

! Last configuration change at 00:03:44 UTC Mon Mar 1 1993

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname NYACCESS1

!

boot-start-marker

boot-end-marker

!

enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY

enable password cisco1

(Output omitted)

Notice that the enable secret is stored in an encrypted (hashed) form and the enable password is not!
Clearly it is better to have your passwords in an encrypted form in your configuration files than in
clear text.
Note: You can use the service password-encryption global configuration command to hide your
clear text passwords.
Configure this setting as follows:
NYACCESS1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

NYACCESS1(config)#service password-encryption

To view the effect this command has had, view the running configuration once more, but this time
you can use a filter on the command so that you can focus on one particular element, the enable
password.
There are a number of filters you can use at the end of many commands. These are invoked when
you use the pipe | symbol, for example, the command below will filter the running config and show
you only lines that contain the words enable password:
show running-config | include enable password
Use this command in privileged mode:
NYACCESS1#show running-config | include enable password

enable password 7 13061E01080355

Can this password be decrypted?
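
The question above can also be approached from the audit side. The following Python sketch is an added example, not part of the original lab guide: it classifies how each enable credential in a running configuration is stored. The function name audit, the rating labels and the two sample texts (built from the configuration lines shown in this exercise) are assumptions made for the example.

```python
import re

# Constructed samples: credential-related lines copied from the configurations
# shown in this exercise (before and after service password-encryption).
BEFORE = """\
no service password-encryption
hostname NYACCESS1
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
enable password cisco1
"""
AFTER = """\
service password-encryption
hostname NYACCESS1
enable secret 5 $1$X6J/$BoRnT/XUD.K51kTXBrwFh1
enable password 7 13061E01080355
"""

# IOS storage type digit -> (rating, reason). Ratings are this example's own labels.
TYPES = {
    "0": ("FAIL", "clear text"),
    "7": ("FAIL", "type 7: reversible obfuscation, not a hash"),
    "4": ("WARN", "type 4: unsalted SHA-256, deprecated by Cisco"),
    "5": ("WARN", "type 5: salted MD5-based hash, legacy"),
    "8": ("OK", "type 8: PBKDF2-SHA-256"),
    "9": ("OK", "type 9: scrypt"),
}

# enable {secret|password} [level N] [type-digit] <value>
LINE_RE = re.compile(
    r"^\s*enable (secret|password)(?: level \d+)?(?: (\d))? (\S+)\s*$")


def audit(config):
    """Return (line_no, command, rating, reason) per enable credential line.

    Input is expected to be 'show running-config' output, where a missing
    type digit means the value is stored in clear text.
    """
    findings, kinds = [], set()
    for line_no, line in enumerate(config.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            continue
        kind, type_digit, _value = match.groups()  # the value is never echoed
        kinds.add(kind)
        rating, reason = TYPES.get(type_digit or "0",
                                   ("WARN", "unrecognised storage type"))
        findings.append((line_no, "enable " + kind, rating, reason))
    if kinds == {"secret", "password"}:
        # Line 0 marks a whole-config finding rather than a single line.
        findings.append((0, "enable password", "FAIL",
                         "legacy enable password left alongside enable secret"))
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for line_no, command, rating, reason in audit(text):
            print(f"  line {line_no}: {command}: {rating} ({reason})")
```

Types 8 and 9 are only available on newer IOS releases, so the lab switches shown here may not offer them.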
Startup vs Running configuration
When you make changes to a switch's configuration (the same applies to a router), you are
making changes to the running-configuration of the device. When you reboot the router or switch,
the running configuration disappears and as the device boots the startup configuration is loaded from
NVRAM.
This is an important concept for two reasons.
Firstly, if you do not save your changes then when the device reboots, loses power etc. an older
configuration may be loaded from NVRAM which you may not have been expecting.
Secondly, the first point may seem like a bad thing; however, this can in fact work in a network
engineer's favour. Let's say for example that you are configuring a remote device that is located in
another state or country. If you make a mistake in your configuration and you lose remote access to
the device, what would you do? Worst case scenario you have to visit the device and repair the issue;
best case scenario you can contact someone in the remote location to reboot the device, assuming
they can access the physical location where the device is located.
Now, in the second point we can use the first point to our advantage. You can in fact tell the switch
or router to reboot itself in a number of minutes' or hours' time. It's very common for an engineer
who is configuring a device to issue this command in case the configuration goes wrong for any
reason; it offers the ability to reboot to a known working state. Of course, you must make anyone
who will be affected aware of the reboot (this is what change control is for!).
Often, I will do the following:
1) Save the running configuration to startup configuration.
2) Issue the privileged mode command reload in 15 which tells the switch or router to reload in 15
minutes.
3) Make my configuration changes within the 15 minute window.
4) Cancel the reload using the privileged mode command reload cancel
5) If my configuration goes wrong, in 15 minutes the device will reboot and I can start over,
hopefully not making the same mistake again.
Viewing, creating and erasing a startup configuration
Step 1
To view the startup configuration, you simply use the privileged mode command
show startup-config:
NYACCESS1#show startup-config

startup-config is not present

Step 2
As you can see, we are yet to make a startup configuration. To create one, you can use the privileged
mode command copy running-config startup-config. You are then prompted to confirm the
destination filename, the default option is in the square brackets, and in this case you can simply
press the return/enter key:
NYACCESS1#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

NYACCESS1#

Re-issue the show startup-config command. If you like, you can compare this to the
show running-config command; of course they should be the same at this point as we have not made any additional
configuration changes. Again use q or CTRL+C etc. to stop having to page through the
configuration:
NYACCESS1#show startup-config

Using 1321 out of 65536 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname NYACCESS1

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$X6J/$BoRnT/XUD.K51kTXBrwFh1

enable password 7 13061E01080355

!

!

!

no aaa new-model

system mtu routing 1500

(Output omitted)

Step 3
To erase the startup configuration, use the write erase or erase startup-config privileged mode
commands:
NYACCESS1#erase startup-config

Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]

[OK]

Erase of nvram: complete

NYACCESS1#

*Mar 1 00:12:50.694: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Once you have erased the startup configuration, use the show startup-config command once more.
You will notice that there is no startup configuration again. Leave this as the case (don't write your
configuration again).
Viewing system information
The final command in this exercise enables you to view which operating system version the switch
(or router) is running and a number of other technical details such as modules or interfaces that are
installed in the device etc.
You can have multiple operating system files living in the device's flash memory. In a later module
you will learn how to change these; however, for now, view which operating system the device is
running using the show version command. This command can be executed in both user and
privileged modes:
Some of the output below has been omitted.
NYACCESS1>show version

Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Thu 09-Feb-12 19:11 by prod_rel_team

Image text-base: 0x00003000, data-base: 0x01400000

ROM: Bootstrap program is C2960 boot loader

BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(53r)SEY3, RELEASE SOFTWARE (fc1)

NYACCESS1 uptime is 41 minutes

System returned to ROM by power-on

System image file is "flash:/c2960-lanlitek9-mz.122-55.SE5/c2960-lanlitek9-mz.122-55.SE5.bin"

cisco WS-C2960-24TC-S (PowerPC405) processor (revision P0) with 65536K bytes of memory.

Processor board ID FCQ1702X5ZX

Last reset from power-on

1 Virtual Ethernet interface

24 FastEthernet interfaces

2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address : F0:29:29:7D:30:00

Motherboard assembly number : 73-12601-06

Power supply part number : 341-0097-03

Motherboard serial number : FCQ17020W53

Power supply serial number : ALD1650B2BU

Model revision number : P0

Motherboard revision number : A0

Model number : WS-C2960-24TC-S

System serial number : FCQ1702X5ZX

Top Assembly Part Number : 800-32798-02

Top Assembly Revision Number : A0

Version ID : V08

CLEI Code Number : COMSH00ARE

Hardware Board Revision Number : 0x0A

Switch Ports Model              SW Version    SW Image

------ ----- -----              ----------    ----------

*    1 26    WS-C2960-24TC-S    12.2(55)SE5   C2960-LANLITEK9-M

Configuration register is 0xF

In the output you can see the operating system version (in the output above it is
c2960-lanlitek9-mz.122-55.SE5.bin, or 12.2(55)SE5). You can also see the switch has been up for 41 minutes, has 26
interfaces and you can see the switch's serial number etc.
Your IOS version may be different to this output, so don't worry.
Leave this switch powered on and continue to the next exercise.
