Chapter 7
Infrastructure Management


THE FOLLOWING CCNA ROUTING AND SWITCHING EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

In this chapter, I will discuss managing the devices that comprise your network infrastructure. The topics will include device maintenance and the monitoring of devices. We'll also describe the tools used to troubleshoot and resolve issues, and I will close the chapter with a discussion of network programmability.

Configure and verify device-monitoring protocols

Although Simple Network Management Protocol (SNMP) certainly isn't the oldest protocol ever, it's still pretty old, considering it was created way back in 1988 (RFC 1065)!

SNMP is an Application layer protocol that provides a message format for agents on a variety of devices to communicate with network management stations (NMSs)—for example, Cisco Prime or HP Openview. These agents send messages to the NMS station, which then either reads or writes information in the database that's stored on the NMS and called a management information base (MIB).

The NMS periodically queries or polls the SNMP agent on a device to gather and analyze statistics via GET messages. End devices running SNMP agents would send an SNMP trap to the NMS if a problem occurs. This is demonstrated in Figure 7.1.

Illustration shows network management stations polling SNMP agent on a device to analyze statistics using GET messages and end devices sending SNMP trap to NMS on a problem occurrence.
Figure 7.1 SNMP GET and TRAP messages

Admins can also use SNMP to provide some configurations to agents as well, called SET messages. In addition to polling to obtain statistics, SNMP can be used for analyzing information and compiling the results in a report or even a graph. Thresholds can be used to trigger a notification process when exceeded. Graphing tools are used to monitor the CPU statistics of Cisco devices like a core router. The CPU should be monitored continuously and the NMS can graph the statistics. Notification will be sent when any threshold you've set has been exceeded.

SNMP has three versions, with version 1 being rarely, if ever, implemented today. Here's a summary of these three versions.

SNMPv1

SNMPv1 supports plain-text authentication with community strings and uses only UDP.

SNMPv2c

SNMPv2c also uses plain-text community strings for authentication, with no encryption, but it adds GET BULK, which gathers many types of information at once and minimizes the number of GET requests. It offers a more detailed error-reporting method called INFORM, but it's no more secure than v1. It uses UDP by default, though it can be configured to use TCP.

SNMPv3

SNMPv3 supports strong authentication with MD5 or SHA, providing confidentiality (encryption) and data integrity of messages via DES or DES-256 encryption between agents and managers. GET BULK is a supported feature of SNMPv3, and this version also uses TCP.

Management Information Base (MIB)

With so many kinds of devices and so much data that can be accessed, there needed to be a standard way to organize this plethora of data, so MIB to the rescue! A management information base (MIB) is a collection of information that's organized hierarchically and can be accessed by protocols like SNMP. RFCs define some common public variables, but most organizations define their own private branches along with basic SNMP standards. Organizational IDs (OIDs) are laid out as a tree with different levels assigned by different organizations, with top-level MIB OIDs belonging to various standards organizations.

Vendors assign private branches in their own products. Let's take a look at Cisco's OIDs, which are described in words or numbers to locate a particular variable in the tree, as shown in Figure 7.2.

Illustration shows the tree of MIB OIDs at Cisco described in numbers.
Figure 7.2 Cisco's MIB OIDs

Luckily, you don't need to memorize the OIDs in Figure 7.2 for the Cisco exams!

To obtain information from the MIB on the SNMP agent, you can use several different operations:

  • GET: This operation is used to retrieve information from the MIB on an SNMP agent.
  • SET: This operation is used to write information to the MIB from an SNMP manager.
  • WALK: This operation is used to list information from successive MIB objects within a specified MIB.
  • TRAP: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
  • INFORM: This operation is the same as a trap, but it adds an acknowledgment that a trap does not provide.

Configuring SNMP

Configuring SNMP is a pretty straightforward process for which you only need a few commands. These five steps are all you need to run through to configure a Cisco device for SNMP access:

  1. Configure where the traps are to be sent.
  2. Enable SNMP read-write access to the router.
  3. Configure SNMP contact information.
  4. Configure SNMP location.
  5. Configure an ACL to restrict SNMP access to the NMS hosts.

The only required configuration is the IP address of the NMS station (Step 1 above) and the community string (Step 2 above); the other three steps are optional. The community string acts as a password or authentication string. Here's an example of a typical SNMP router configuration:

Router(config)#snmp-server host 1.2.3.4
Router(config)#snmp-server community ?
  WORD  SNMP community string

Router(config)#snmp-server community Todd ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>

Router(config)#snmp-server community Todd rw
Router(config)#snmp-server location Boulder
Router(config)#snmp-server contact Todd Lammle
Router(config)#ip access-list standard Protect_NMS_Station
Router(config-std-nacl)#permit host 192.168.10.254

Entering the snmp-server command enables SNMPv1 on the Cisco device.

You can enter the ACL directly in the SNMP configuration to provide security, using either a number or a name. Here is an example:

Router(config)#snmp-server community Todd Protect_NMS_Station rw

Notice that even though there's a boatload of configuration options under SNMP, you only really need to work with a few of them to configure a basic SNMP trap setup on a router. First, I set the IP address of the NMS station where the router will send the traps; then I chose the community name of Todd with RW access (read-write), which means the NMS will be able to retrieve and modify MIB objects from the router. Location and contact information comes in really handy for troubleshooting the configuration. Make sure you understand that the ACL protects the NMS from access, not the devices with the agents!

Let's define the SNMP read and write options.

Read-only Gives authorized management stations read access to all objects in the MIB except the community strings and doesn't allow write access

Read-write Gives authorized management stations read and write access to all objects in the MIB but doesn't allow access to the community strings
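A small audit of the community-string configuration just discussed: it parses `snmp-server community` lines and flags the three things this section tells you to care about, read-write access, a community with no ACL attached, and a community string that is one of the well-known defaults. This is an added example written for this chapter, not code from the book or from Cisco IOS; the `public` and `monitor` communities in the sample config are constructed so that every finding is exercised.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample configuration: the snmp-server lines from this section plus
# two hypothetical communities ("public" and "monitor") so that every finding
# the audit can raise is exercised at least once.
SAMPLE_CONFIG = """\
snmp-server host 1.2.3.4
snmp-server community Todd rw
snmp-server community Todd Protect_NMS_Station rw
snmp-server community public ro
snmp-server community monitor ro 10
snmp-server location Boulder
snmp-server contact Todd Lammle
ip access-list standard Protect_NMS_Station
 permit host 192.168.10.254
"""

# Default community strings that every SNMP scanner tries first.
WELL_KNOWN = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(?P<name>\S+)(?P<rest>.*)$")


@dataclass
class Community:
    name: str
    access: str                 # "ro" or "rw"
    acl: Optional[str]          # numbered or named IPv4 ACL, None if absent
    findings: List[str] = field(default_factory=list)


def parse_community(line: str) -> Optional[Community]:
    """Parse one 'snmp-server community ...' line; return None for other lines."""
    m = COMMUNITY_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    access, acl = "ro", None     # IOS grants read-only when neither ro nor rw is given
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("ro", "rw"):
            access = tok
        elif tok in ("view", "ipv6"):
            i += 1               # both keywords take a name argument; not audited here
        else:
            acl = tok            # <1-99>, <1300-1999> or a named access list
        i += 1
    return Community(m.group("name"), access, acl)


def audit_snmp(config: str) -> List[Community]:
    """Return every community found, annotated with the risks a reviewer would flag."""
    acl_names = set()
    communities: List[Community] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            acl_names.add(line.split()[-1])      # ip access-list standard NAME
        elif line.startswith("access-list "):
            acl_names.add(line.split()[1])       # access-list 10 permit ...
        community = parse_community(line)
        if community:
            communities.append(community)

    for c in communities:
        if c.acl is None:
            c.findings.append("no ACL: any host that learns the string can reach the agent")
        elif c.acl not in acl_names:
            c.findings.append(f"ACL {c.acl} is referenced but not defined in this config")
        if c.access == "rw":
            c.findings.append("read-write: SET operations can change device configuration")
        if c.name.lower() in WELL_KNOWN:
            c.findings.append("well-known community string")
    return communities


if __name__ == "__main__":
    for c in audit_snmp(SAMPLE_CONFIG):
        status = "; ".join(c.findings) or "ok"
        print(f"{c.name:<10} {c.access} acl={c.acl or '-':<20} {status}")
```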

Syslog

Reading system messages from a switch's or router's internal buffer is the most popular and efficient method of seeing what's going on with your network at a particular time. But the best way is to log messages to a syslog server, which stores messages from your devices and can even time-stamp and sequence them for you, and it's easy to set up and configure!

Syslog allows you to display, sort, and even search messages, all of which makes it a really great troubleshooting tool. The search feature is especially powerful because you can use keywords and even severity levels. Plus, the server can email admins based on the severity level of the message.

Network devices can be configured to generate a syslog message and forward it to various destinations. These four examples are popular ways to gather messages from Cisco devices:

  • Logging buffer (on by default)
  • Console line (on by default)
  • Terminal lines (using the terminal monitor command)
  • Syslog server

As you already know, all system messages and debug output generated by the IOS go out only the console port by default and are also logged in buffers in RAM. And you also know that Cisco routers aren't exactly shy about sending messages! To send messages to the VTY lines, use the terminal monitor command. We'll also add a small configuration needed for syslog, which I'll show you soon in the configuration section.

So by default, we'd see something like this on our console line:

*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed state to administratively down
*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/0, changed state to down

And the Cisco router would send a general version of the message to the syslog server that would be formatted into something like this:

Seq no:timestamp: %facility-severity-MNEMONIC:description

The system message format can be broken down in this way:

Seq no This stamp logs messages with a sequence number, but not by default. If you want this output, you've got to configure it.

timestamp Date and time of the message or event, which again will show up only if configured.

facility The facility to which the message refers.

severity A single-digit code from 0 to 7 that indicates the severity of the message.

MNEMONIC Text string that uniquely describes the message.

description Text string containing detailed information about the event being reported.

The severity levels, from the most severe level to the least severe, are explained in Table 7.1. Informational is the default and will result in all messages being sent to the buffers and console.

Table 7.1 Severity levels

Severity Level              Explanation
Emergency (severity 0)      System is unusable.
Alert (severity 1)          Immediate action is needed.
Critical (severity 2)       Critical condition
Error (severity 3)          Error condition
Warning (severity 4)        Warning condition
Notification (severity 5)   Normal but significant condition
Informational (severity 6)  Normal information message
Debugging (severity 7)      Debugging message

Understand that only emergency-level messages will be displayed if you've configured severity level 0. But if, for example, you opt for level 4 instead, levels 0 through 4 will be displayed, giving you emergency, alert, critical, error, and warning messages too. Level 7 is the highest-level severity option and displays everything, but be warned that going with it could have a serious impact on the performance of your device. So always use debugging commands carefully, with an eye on the messages you really need to meet your specific business requirements!

Configuring and Verifying Syslog

As I said, Cisco devices send all log messages of the severity level you've chosen to the console. They'll also go to the buffer, and both happen by default. Because of this, it's good to know that you can disable and enable these features with the following commands:

Router(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host
  buffered             Set buffered logging parameters
  buginf               Enable buginf logging for debugging
  cns-events           Set CNS Event logging level
  console              Set console logging parameters
  count                Count every log message and timestamp last occurrence
  esm                  Set ESM filter restrictions
  exception            Limit size of exception flush output
  facility             Facility parameter for syslog messages
  filter               Specify logging filter
  history              Configure syslog history table
  host                 Set syslog server IP address and parameters
  monitor              Set terminal line (monitor) logging parameters
  on                   Enable logging to all enabled destinations
  origin-id            Add origin ID to syslog messages
  queue-limit          Set logger message queue size
  rate-limit           Set messages per second limit
  reload               Set reload logging level
  server-arp           Enable sending ARP requests for syslog servers when first configured
  source-interface     Specify interface for source address in logging transactions
  trap                 Set syslog server logging level
  userinfo             Enable logging of user info on privileged mode enabling

Router(config)#logging console
Router(config)#logging buffered

Wow—as you can see in this output, there are plenty of options you can use with the logging command! The preceding configuration enabled the console and buffer to receive all log messages of all severities, and don't forget that this is the default setting for all Cisco IOS devices. If you want to disable the defaults, use the following commands:

Router(config)#no logging console
Router(config)#no logging buffered

I like leaving the console and buffer commands on in order to receive the logging info, but that's up to you. You can see the buffers with the show logging command here:

Router#sh logging
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 29 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 1 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
No active filter modules.

    Trap logging: level informational, 33 message lines logged

Log Buffer (4096 bytes):
*Jun 21 23:09:37.822: %SYS-5-CONFIG_I: Configured from console by console
Router#

The default trap (message from device to NMS) level is debugging, but you can change this too. And now that you've seen the system message format on a Cisco device, I want to show you how you can also control the format of your messages via sequence numbers and time stamps, which aren't enabled by default. We'll begin with a basic, simple example of how to configure a device to send messages to a syslog server, demonstrated in Figure 7.3.

Figure 7.3 Messages sent to a syslog server

A syslog server saves copies of console messages and can time-stamp them for viewing at a later time. This is actually pretty easy to configure, and here's how doing that would look on the SF router:

SF(config)#logging 172.16.10.1
SF(config)#logging informational

This is awesome—now all the console messages will be stored in one location to be viewed at your convenience! I typically use the logging host ip_address command, but logging ip_address without the host keyword gets the same result.

We can limit the amount of messages sent to the syslog server, based on severity, with the following command:

SF(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>
SF(config)#logging trap informational

Notice that we can use either the number or the actual severity level name—and they are in alphabetical order, not severity order, which makes it even harder to memorize the order! (Thanks, Cisco!) Since I went with severity level 6 (Informational), I'll receive messages for levels 0 through 6. These are referred to as local levels as well, such as, for example, local6—no difference.

Now let's configure the router to use sequence numbers:

SF(config)#no service timestamps
SF(config)#service sequence-numbers
SF(config)#^Z
000038: %SYS-5-CONFIG_I: Configured from console by console

When you exit configuration mode, the router will send a message like the one shown in the preceding code lines. Without the time stamps enabled, we'll no longer see a time and date, but we will see a sequence number.

So we now have the following:

  • Sequence number: 000038
  • Facility: %SYS
  • Severity level: 5
  • MNEMONIC: CONFIG_I
  • Description: Configured from console by console

I want to stress that of all of these, the severity level is what you need to pay attention to the most for the Cisco exams as well as for a means to control the amount of messages sent to the syslog server.
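The message format described earlier in this section (Seq no:timestamp: %facility-severity-MNEMONIC:description) and the sequence-numbered example just shown, turned into a parser plus a severity filter that keeps exactly what a device configured with logging trap at a given level would forward. This is an added example written for this chapter, not code from the book or from Cisco IOS; the severity-3 LINK message and the Router# prompt in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords as the 'logging trap ?' help lists them, keyed by level.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Seq no:timestamp: %facility-severity-MNEMONIC:description
# Sequence number and timestamp are optional because each needs its own
# 'service' command before the device prints it.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                                   # 000038:
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?"
    r"(?:\s+[A-Z]{3,4})?):\s*)?"                                # *Oct 21 17:33:50.565:
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS system message; return None for prompts and other noise."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"].strip(),
    )


def level_from_keyword(word: str) -> int:
    """Accept either form 'logging trap' takes: a digit 0-7 or a severity keyword."""
    if word.isdigit() and 0 <= int(word) <= 7:
        return int(word)
    for level, name in SEVERITY_NAMES.items():
        if name == word.lower():
            return level
    raise ValueError(f"unknown severity: {word!r}")


def filter_by_level(lines: List[str], level: int) -> List[SyslogMessage]:
    """Keep the messages a device would forward at 'logging trap <level>':
    severity 0 through <level> inclusive, lower numbers being more severe."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg.severity <= level:
            kept.append(msg)
    return kept


# Constructed sample: the messages quoted in this section (wrapped console lines
# rejoined), one hypothetical severity-3 link message, and a prompt line that is
# not a system message at all.
SAMPLE_LINES = [
    "*Oct 21 17:33:50.565:%LINK-5-CHANGED:Interface FastEthernet0/0, changed state to administratively down",
    "*Oct 21 17:33:51.565:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Jun 21 23:09:37.822: %SYS-5-CONFIG_I: Configured from console by console",
    "000038: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  7 17:56:20.407: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram",
    "000039: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",  # constructed
    "Router#",
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LINES, level_from_keyword("informational")):
        print(f"{msg.severity} {msg.severity_name:<13} {msg.facility}-{msg.mnemonic}: {msg.description}")
```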

Exam Essentials

Remember the differences between SNMPv2 and SNMPv3. SNMPv2 uses UDP but can use TCP; however, v2 still sends data to the NMS station in clear text, exactly like SNMPv1, plus SNMPv2 implemented GETBULK and INFORM messages. SNMPv3 uses TCP and authenticates users, plus it can use ACLs in the SNMP strings to protect the NMS station from unauthorized use.

Troubleshoot network connectivity issues using ICMP echo-based IP SLA

I want to mention one thing that can help you troubleshoot your IP network, and this is using IP Service-Level Agreements (SLAs), which will allow us to use IP SLA ICMP echo to test far-end devices instead of pinging manually.

There are several reasons to use the IP SLA measurements:

  • Edge-to-edge network availability monitoring
    • For example, packet loss statistics
  • Network performance monitoring and network performance visibility
    • For example, network latency and response time
  • Troubleshooting basic network operation
    • For example, end-to-end network connectivity

Here are the steps to configure IP SLA:

Step 1: Enable an IP SLA operation, which enters the IP SLA configuration mode. Choose any number from 1 to 2.1 billion as an operation number.

R1(config)#ip sla 1

Step 2: Configure the IP SLA ICMP Echo test and destination.

R1(config-ip-sla)#icmp?
icmp-echo  icmp-jitter
R1(config-ip-sla)#icmp-echo ?
  Hostname or X:X:X:X::X
  Hostname or A.B.C.D  Destination IPv6/IP address or hostname
R1(config-ip-sla)#icmp-echo 172.16.20.254

Step 3: Set the test frequency.

R1(config-ip-sla-echo)#frequency ?
  <1-604800>  Frequency in seconds (default 60)
R1(config-ip-sla-echo)#frequency 10

Step 4: Schedule your IP SLA test.

R1(config-ip-sla-echo)#exit
R1(config)#ip sla schedule ?
  <1-2147483647>  Entry number
R1(config)#ip sla schedule 1 life ?
  <0-2147483647>  Life seconds (default 3600)
  forever         continue running forever
R1(config)#ip sla schedule 1 life forever start-time ?
  after     Start after a certain amount of time from now
  hh:mm     Start time (hh:mm)
  hh:mm:ss  Start time (hh:mm:ss)
  now       Start now
  pending   Start pending
R1(config)#ip sla schedule 1 life forever start-time now

Step 5: Verify IP SLA operation.

Use the following commands:

show ip sla configuration
show ip sla statistics

R1 should have an ICMP Echo test configured to the remote server address and the test should run every 10 seconds and be scheduled to run forever.

R1#show ip sla configuration
IP SLAs Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: icmp-echo
Target address/Source address: 172.16.20.254/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 10  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): Forever
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
[output cut]

R1#sh ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Type of operation: icmp-echo
        Latest RTT: 1 milliseconds
Latest operation start time: *15:27:51.365 UTC Mon Jun 6 2016
Latest operation return code: OK
Number of successes: 38
Number of failures: 0
Operation time to live: Forever

The IP SLA 1 test on R1 has been successfully performed 38 times and the test never failed.
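The verification step above, done programmatically: parse show ip sla statistics into one record per operation, compute the success ratio, and raise an alert for any probe whose last return code is not OK or whose cumulative loss exceeds a budget. This is an added example written for this chapter, not code from the book or from Cisco IOS; operation 2 in the sample output is constructed to show a failing probe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 'show ip sla statistics' output from this section for
# operation 1, plus a hypothetical second operation whose probes have started
# timing out, so the check below has something to flag.
SAMPLE_STATS = """\
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Type of operation: icmp-echo
        Latest RTT: 1 milliseconds
Latest operation start time: *15:27:51.365 UTC Mon Jun 6 2016
Latest operation return code: OK
Number of successes: 38
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 2
Type of operation: icmp-echo
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *15:28:01.365 UTC Mon Jun 6 2016
Latest operation return code: Timeout
Number of successes: 30
Number of failures: 8
Operation time to live: Forever
"""


@dataclass
class SlaOperation:
    op_id: int
    op_type: str
    latest_rtt_ms: Optional[int]    # None when the last probe got no reply
    return_code: str
    successes: int
    failures: int

    @property
    def availability(self) -> float:
        """Fraction of probes that succeeded since the counters were last cleared."""
        total = self.successes + self.failures
        return self.successes / total if total else 0.0


def _field(block: str, label: str) -> str:
    """Return the value after 'label:' on its own line, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.*)$", block, re.MULTILINE)
    return m.group(1).strip() if m else ""


def parse_sla_statistics(text: str) -> List[SlaOperation]:
    """Split the output into one block per 'IPSLA operation id' and read each block."""
    parts = re.split(r"(?m)^IPSLA operation id:\s*(\d+)\s*$", text)
    ops = []
    # re.split with a capturing group yields [preamble, id1, block1, id2, block2, ...]
    for op_id, block in zip(parts[1::2], parts[2::2]):
        rtt = re.match(r"(\d+)\s+milliseconds", _field(block, "Latest RTT"))
        ops.append(SlaOperation(
            op_id=int(op_id),
            op_type=_field(block, "Type of operation"),
            latest_rtt_ms=int(rtt.group(1)) if rtt else None,
            return_code=_field(block, "Latest operation return code"),
            successes=int(_field(block, "Number of successes")),
            failures=int(_field(block, "Number of failures")),
        ))
    return ops


def check_sla(ops: List[SlaOperation], max_loss: float = 0.05) -> List[str]:
    """One alert per operation whose last probe failed or whose cumulative loss
    exceeds max_loss (5 percent by default)."""
    alerts = []
    for op in ops:
        loss = 1.0 - op.availability
        if op.return_code != "OK" or loss > max_loss:
            alerts.append(
                f"operation {op.op_id} ({op.op_type}): return code {op.return_code}, "
                f"{op.failures} of {op.successes + op.failures} probes failed ({loss:.1%} loss)"
            )
    return alerts


if __name__ == "__main__":
    for line in check_sla(parse_sla_statistics(SAMPLE_STATS)):
        print(line)
```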

Exam Essentials

Describe the steps to configure IP SLA. The steps in order are as follows:

  1. Enable an IP SLA operation.
  2. Configure the IP SLA ICMP Echo test and destination.
  3. Set the test frequency.
  4. Schedule your IP SLA test.
  5. Verify IP SLA operation.

Configure and verify device management

There are a number of settings that are commonly configured on a device to aid in the management of the device. In this section, we'll talk about some of these settings and we'll also discuss other tools that help you to manage the routers and switches in your network.

Backup and Restore Device Configuration

Any changes that you make to the configuration are stored in the running-config file. And if you don't enter a copy run start command after you make a change to running-config, that change will totally disappear if the device reboots or gets powered down. As always, backups are good, so you'll want to make another backup of the configuration information just in case the router or switch completely dies on you. Even if your machine is healthy and happy, it's good to have a backup for reference and documentation reasons!

Next, I'll cover how to copy the configuration of a router to a TFTP server as well as how to restore that configuration.

Backing Up the Cisco Configuration

To copy the configuration from an IOS device to a TFTP server, you can use either the copy running-config tftp or the copy startup-config tftp command. Either one will back up the router configuration that's currently running in DRAM or one that's stored in NVRAM.

Verifying the Current Configuration

To verify the configuration in DRAM, use the show running-config command (sh run for short) like this:

Router#show running-config
Building configuration...

Current configuration : 855 bytes
!
version 15.0

The current configuration information indicates that the router is running version 15.0 of the IOS.

Verifying the Stored Configuration

Next, you should check the configuration stored in NVRAM. To see this, use the show startup-config command (sh start for short) like this:

Router#sh start
Using 855 out of 524288 bytes
!
! Last configuration change at 04:49:14 UTC Fri Mar 5 1993
!
version 15.0

The first line shows you how much room your backup configuration is taking up. Here, we can see that NVRAM is about 524 KB and that only 855 bytes of it are being used. But memory is easier to reveal via the show version command when you're using an ISR router.

If you're not sure that the files are the same and the running-config file is what you want to go with, then use the copy running-config startup-config command. This will help you ensure that both files are in fact the same. I'll guide you through this in the next section.

Copying the Current Configuration to NVRAM

By copying running-config to NVRAM as a backup, as shown in the following output, you ensure that your running-config will always be reloaded if the router gets rebooted. Starting in the 12.0 IOS, you'll be prompted for the filename you want to use:

Router#copy running-config startup-config
Destination filename [startup-config]?[enter]
Building configuration...
[OK]

The reason the filename prompt appears is that there are now so many options you can use when using the copy command—check it out:

Router#copy running-config ?
  flash:          Copy to flash: file system
  ftp:            Copy to ftp: file system
  http:           Copy to http: file system
  https:          Copy to https: file system
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  rcp:            Copy to rcp: file system
  running-config  Update (merge with) current system configuration
  scp:            Copy to scp: file system
  startup-config  Copy to startup configuration
  syslog:         Copy to syslog: file system
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system
  tmpsys:         Copy to tmpsys: file system

Copying the Configuration to a TFTP Server

Once the file is copied to NVRAM, you can make a second backup to a TFTP server by using the copy running-config tftp command, or copy run tftp for short. I'm going to set the hostname to Todd before I run this command:

Todd#copy running-config tftp
Address or name of remote host []? 10.10.10.254
Destination filename [todd-confg]?
!!
776 bytes copied in 0.800 secs (970 bytes/sec)

If you have a hostname already configured, the command will automatically use the hostname plus the extension -confg as the name of the file.

Restoring the Cisco Configuration

What do you do if you've changed your running-config file and want to restore the configuration to the version in the startup-config file? The easiest way to get this done is to use the copy startup-config running-config command, or copy start run for short, but this will work only if you copied running-config into NVRAM before you made any changes! Of course, a reload of the device will work too!

If you did copy the configuration to a TFTP server as a second backup, you can restore the configuration using the copy tftp running-config command (copy tftp run for short), or the copy tftp startup-config command (copy tftp start for short), as shown in the following output. Just so you know, the old command we used to use for this is config net:

Todd#copy tftp running-config
Address or name of remote host []?10.10.10.254
Source filename []?todd-confg
Destination filename[running-config]?[enter]
Accessing tftp://10.10.10.254/todd-confg...
Loading todd-confg from 10.10.10.254 (via FastEthernet0/0):
!!
[OK - 776 bytes]
776 bytes copied in 9.212 secs (84 bytes/sec)
Todd#
*Mar  7 17:53:34.071: %SYS-5-CONFIG_I: Configured from tftp://10.10.10.254/todd-confg by console

Okay, here we can see that the configuration file is an ASCII text file, meaning that before you copy the configuration stored on a TFTP server back to a router, you can make changes to the file with any text editor.

Erasing the Configuration

To delete the startup-config file on a Cisco router or switch, use the command erase startup-config, like this:

Todd#erase startup-config
Erasing the nvram filesystem will remove all configuration files!
    Continue? [confirm][enter]
[OK]
Erase of nvram: complete
*Mar  7 17:56:20.407: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Todd#reload
System configuration has been modified. Save? [yes/no]:n
Proceed with reload? [confirm][enter]
*Mar  7 17:56:31.059: %SYS-5-RELOAD: Reload requested by console.
    Reload Reason: Reload Command.

This command deletes the contents of NVRAM on the switch and router. If you type reload while in privileged mode and say no to saving changes, the switch or router will reload and come up into setup mode.

Using Cisco Discovery Protocol or LLDP for Device Discovery

Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about locally attached devices. Armed with CDP, you can gather hardware and protocol information about neighbor devices, which is crucial information to have when troubleshooting and documenting the network. Another dynamic discovery protocol is Link Layer Discovery Protocol (LLDP), but instead of being proprietary like CDP, it is vendor independent.

Let's start by exploring the CDP timer and CDP commands we'll need to verify our network.

Getting CDP Timers and Holdtime Information

The show cdp command (sh cdp for short) gives you information about two CDP global parameters that can be configured on Cisco devices:

  • CDP timer sets how often CDP packets are transmitted out all active interfaces.
  • CDP holdtime sets how long the device keeps packets received from neighbor devices.

Both Cisco routers and switches use the same parameters. Check out Figure 7.4 to see how CDP works within a switched network that I set up for my switching labs in this book.

Illustration shows the working of a Cisco discovery protocol in a three-switched network.
Figure 7.4 Cisco Discovery Protocol

The output on my 3560 SW-3 looks like this:

SW-3#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

This output tells us that the default transmits every 60 seconds and will hold packets from a neighbor in the CDP table for 180 seconds. I can use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router if necessary like this:

SW-3(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run           Enable CDP
  timer         Specify the rate at which CDP packets are sent (in sec)
  tlv           Enable exchange of specific tlv information

SW-3(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet

SW-3(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)

You can turn off CDP completely with the no cdp run command from global configuration mode of a router and enable it with the cdp run command:

SW-3(config)#no cdp run
SW-3(config)#cdp run

To turn CDP off or on for an interface, use the no cdp enable and cdp enable commands.

Gathering Neighbor Information

The show cdp neighbors command (sh cdp nei for short) delivers information about directly connected devices. It's important to remember that CDP packets aren't passed through a Cisco switch and that you only see what's directly attached. So this means that if your router is connected to a switch, you won't see any of the Cisco devices connected to that switch!

The following output shows the show cdp neighbors command I used on my SW-3:

SW-3#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID  Local Intrfce  Holdtme  Capability  Platform   Port ID
SW-1       Fas 0/1        170      S I         WS-C3560-  Fas 0/15
SW-1       Fas 0/2        170      S I         WS-C3560-  Fas 0/16
SW-2       Fas 0/5        162      S I         WS-C3560-  Fas 0/5
SW-2       Fas 0/6        162      S I         WS-C3560-  Fas 0/6

Okay—we can see that I'm directly connected with a console cable to the SW-3 switch and also that SW-3 is directly connected to two other switches. However, do we really need the figure to draw out our network? We don't! CDP allows me to see who my directly connected neighbors are and gather information about them. From the SW-3 switch, we can see that there are two connections to SW-1 and two connections to SW-2. SW-3 connects to SW-1 with ports Fas 0/1 and Fas 0/2, and we have connections to SW-2 with local interfaces Fas 0/5 and Fas 0/6. Both the SW-1 and SW-2 switches are 3560 switches, and SW-1 is using ports Fas 0/15 and Fas 0/16 to connect to SW-3. SW-2 is using ports Fas 0/5 and Fas 0/6.

To sum this up, the device ID shows the configured hostname of the connected device, the local interface is our interface, and the port ID is the remote device's directly connected interface. Remember that all you get to view are directly connected devices!
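The topology the text reads off the show cdp neighbors table by hand, derived programmatically: parse each row into a link record and group the (our interface, their interface) pairs per neighbor. This is an added example written for this chapter, not code from the book or from Cisco IOS; the neighbor with the long hostname in the sample is constructed to show how a Device ID that overflows its column is printed on a line of its own with the rest of the row wrapped underneath.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the 'show cdp neighbors' output from SW-3 above, plus a
# hypothetical neighbor with a long hostname, which IOS prints on a line of its
# own with the rest of the row wrapped underneath.
SAMPLE_OUTPUT = """\
SW-3#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-1             Fas 0/1           170             S I     WS-C3560- Fas 0/15
SW-1             Fas 0/2           170             S I     WS-C3560- Fas 0/16
SW-2             Fas 0/5           162             S I     WS-C3560- Fas 0/5
SW-2             Fas 0/6           162             S I     WS-C3560- Fas 0/6
Branch-Router-With-Long-Hostname
                 Fas 0/10          160           R S I     CISCO2911 Gig 0/1
"""

ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>[A-Za-z]+ \S+)\s+"                 # 'Fas 0/1', 'Gig 0/1'
    r"(?P<hold>\d+)\s+"
    r"(?P<cap>[A-Za-z](?: [A-Za-z])*)\s+"          # single-letter codes, e.g. 'S I'
    r"(?P<platform>\S+)\s+"
    r"(?P<port>[A-Za-z]+ \S+)\s*$"
)


@dataclass
class CdpLink:
    device: str           # neighbor's configured hostname (Device ID)
    local: str            # our interface that received the CDP packet
    holdtime: int
    capabilities: List[str]
    platform: str
    port: str             # neighbor's interface that sent the packet (Port ID)


def parse_cdp_neighbors(text: str) -> List[CdpLink]:
    """Parse the neighbor table, ignoring the prompt and the capability-code legend."""
    links: List[CdpLink] = []
    in_table = False
    pending_device = None
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True            # everything before the header is legend
            continue
        if not in_table or not line.strip():
            continue
        if pending_device:             # row continuation after a wrapped hostname
            line = f"{pending_device} {line.strip()}"
            pending_device = None
        elif len(line.split()) == 1:   # a bare hostname: the row follows on the next line
            pending_device = line.strip()
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised neighbor row: {line!r}")
        links.append(CdpLink(
            device=m["device"], local=m["local"], holdtime=int(m["hold"]),
            capabilities=m["cap"].split(), platform=m["platform"], port=m["port"],
        ))
    return links


def adjacency(links: List[CdpLink]) -> Dict[str, List[Tuple[str, str]]]:
    """Group links by neighbor as (our interface, their interface) pairs, which is
    the per-device picture the text builds from the table by hand."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for link in links:
        adj.setdefault(link.device, []).append((link.local, link.port))
    return adj


if __name__ == "__main__":
    for neighbor, ports in adjacency(parse_cdp_neighbors(SAMPLE_OUTPUT)).items():
        for ours, theirs in ports:
            print(f"SW-3 {ours} <-> {neighbor} {theirs}")
```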

Table 7.2 summarizes the information displayed by the show cdp neighbors command for each device.

Table 7.2 Output of the show cdp neighbors command

Field

Description

Device ID

The hostname of the device directly connected

Local Interface

The port or interface on which you are receiving the CDP packet

Holdtime

The remaining amount of time the router will hold the information before discarding it if no more CDP packets are received

Capability

The capability of the neighbor—the router, switch, or repeater. The capability codes are listed at the top of the command output.

Platform

The type of Cisco device directly connected. In the previous output, the SW-3 shows it's directly connected to two 3560 switches.

Port ID

The neighbor device's port or interface on which the CDP packets are multicast

Another command that will deliver the goods on neighbor information is the show cdp neighbors detail command (show cdp nei de for short). This command can be run on both routers and switches, and it displays detailed information about each device connected to the device you're running the command on. Check out the switch output in Listing 7.1.

Listing 7.1: Showing CDP neighbors

SW-3#sh cdp neighbors detail

-------------------------

Device ID: SW-1

Entry address(es):

  IP address: 10.100.128.10

Platform: cisco WS-C3560-24TS,  Capabilities: Switch IGMP

Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/15

Holdtime : 137 sec

 

Version :

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M),

Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Mon 28-Jan-13 10:10 by prod_rel_team

 

advertisement version: 2

Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112;

payload len=27, value=00000000FFFFFFFF010221FF000000000000001C575EC880Fc00f000

VTP Management Domain: 'NULL'

Native VLAN: 1

Duplex: full

Power Available TLV:

 

    Power request id: 0, Power management id: 1,

Power available: 0, Power management level: -1

Management address(es):

  IP address: 10.100.128.10

-------------------------

 

[output cut]

 

-------------------------

Device ID: SW-2

Entry address(es):

  IP address: 10.100.128.9

Platform: cisco WS-C3560-8PC,  Capabilities: Switch IGMP

Interface: FastEthernet0/5,  Port ID (outgoing port): FastEthernet0/5

Holdtime : 129 sec

 

Version :

Cisco IOS Software, C3560 Software (C3560-IPBASE-M),

Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Thu 19-Jul-07 18:15 by nachen

 

advertisement version: 2

Protocol Hello:  OUI=0x00000C, Protocol ID=0x0112;

payload len=27, value=00000000FFFFFFFF010221FF000000000000B41489D91880Fc00f000

VTP Management Domain: 'NULL'

Native VLAN: 1

Duplex: full

Power Available TLV:

 

    Power request id: 0, Power management id: 1,

Power available: 0, Power management level: -1

Management address(es):

  IP address: 10.100.128.9

[output cut]

So what's revealed here? First, we've been given the hostname and IP address of every directly connected device. In addition to everything the show cdp neighbors command shows (see Table 7.2), show cdp neighbors detail tells us the neighbor's IOS version and image, its entry and management addresses, its native VLAN and VTP domain, and its duplex and power settings, which is quite a bit! Keep in mind that a neighbor doesn't have to be a Cisco switch to learn all of this: any device listening on a port where CDP is enabled receives the same advertisements. The usual practice is therefore to leave CDP on between infrastructure devices and to turn it off with no cdp enable on ports that face untrusted hosts.

The show cdp entry * command displays the same information as the show cdp neighbors detail command. There isn't any difference between these commands.
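The detail output is worth parsing rather than reading, because it is the raw material for a neighbor inventory (which IOS versions and images run on the devices next to you) and because every field in it is also what anyone on the same segment learns by listening to CDP. The following Python is an added example, not code from the book: it parses constructed output in the format of Listing 7.1 (the SW-1 and SW-2 blocks trimmed to the fields shown there), groups neighbors by IOS version, and reports native VLAN mismatches against the local switch. The field names, function names and the sample text are my own.

```python
import re

# Constructed sample in the format of Listing 7.1 (not a capture from the book's switch)
CDP_DETAIL = """\
-------------------------
Device ID: SW-1
Entry address(es):
  IP address: 10.100.128.10
Platform: cisco WS-C3560-24TS,  Capabilities: Switch IGMP
Interface: FastEthernet0/1,  Port ID (outgoing port): FastEthernet0/15
Holdtime : 137 sec

Version :
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M),
Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport

advertisement version: 2
VTP Management Domain: 'NULL'
Native VLAN: 1
Duplex: full
Management address(es):
  IP address: 10.100.128.10
-------------------------
Device ID: SW-2
Entry address(es):
  IP address: 10.100.128.9
Platform: cisco WS-C3560-8PC,  Capabilities: Switch IGMP
Interface: FastEthernet0/5,  Port ID (outgoing port): FastEthernet0/5
Holdtime : 129 sec

Version :
Cisco IOS Software, C3560 Software (C3560-IPBASE-M),
Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)

advertisement version: 2
VTP Management Domain: 'NULL'
Native VLAN: 1
Duplex: full
Management address(es):
  IP address: 10.100.128.9
"""

# One regex per field; each is searched inside a single neighbor block.
FIELDS = {
    "device":       re.compile(r"^Device ID:\s*(\S+)", re.M),
    "ip":           re.compile(r"^\s*IP address:\s*(\S+)", re.M),      # first entry address
    "platform":     re.compile(r"^Platform:\s*(.+?),\s+Capabilities:", re.M),
    "capabilities": re.compile(r"Capabilities:\s*(.+?)\s*$", re.M),
    "local_intf":   re.compile(r"^Interface:\s*(\S+?),", re.M),
    "port_id":      re.compile(r"Port ID \(outgoing port\):\s*(\S+)", re.M),
    "holdtime":     re.compile(r"^Holdtime\s*:\s*(\d+)", re.M),
    "image":        re.compile(r"Software \(([A-Z0-9-]+)\),", re.M),   # e.g. C3560-IPBASE-M
    "version":      re.compile(r"^Version\s+(\S+),", re.M),            # skips the bare 'Version :' line
    "native_vlan":  re.compile(r"^Native VLAN:\s*(\d+)", re.M),
    "vtp_domain":   re.compile(r"^VTP Management Domain:\s*'(.*)'", re.M),
}


def parse_cdp_detail(text):
    """Split `show cdp neighbors detail` output on its dashed separators and build one
    record per neighbor. A field the neighbor did not advertise is left as None, so an
    older or third-party device still yields a record instead of an exception."""
    records = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in chunk:
            continue
        rec = {}
        for name, rx in FIELDS.items():
            m = rx.search(chunk)
            rec[name] = m.group(1) if m else None
        rec["capabilities"] = rec["capabilities"].split() if rec["capabilities"] else []
        rec["holdtime"] = int(rec["holdtime"]) if rec["holdtime"] else None
        rec["native_vlan"] = int(rec["native_vlan"]) if rec["native_vlan"] else None
        records.append(rec)
    return records


def group_by_version(records):
    """IOS version -> sorted device IDs: the starting point for an upgrade worklist."""
    groups = {}
    for r in records:
        groups.setdefault(r["version"], []).append(r["device"])
    return {v: sorted(d) for v, d in groups.items()}


def native_vlan_mismatches(records, local_native_vlan):
    """Neighbors whose advertised native VLAN differs from ours. A mismatch on a trunk
    lets untagged frames cross between two VLANs, and CDP is the quickest place to catch it."""
    return [r["device"] for r in records
            if r["native_vlan"] is not None and r["native_vlan"] != local_native_vlan]


if __name__ == "__main__":
    recs = parse_cdp_detail(CDP_DETAIL)
    for r in recs:
        print(f"{r['device']:6} {r['ip']:15} {r['platform']:22} {r['version']:12} "
              f"{r['local_intf']} -> {r['port_id']}")
    print(group_by_version(recs))
```

Run against a real capture, the version grouping is the first thing to compare with your upgrade baseline; the native VLAN check is only meaningful on trunk ports, so feed it the native VLAN configured on the local interface in question.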

Documenting a Network Topology Using CDP

With that moving real-life scenario in mind, I'm now going to show you how to document a sample network by using CDP. You'll learn to determine the appropriate router types, interface types, and IP addresses of various interfaces using only CDP commands and the show running-config command. And you can only console into the Lab_A router to document the network. You'll have to assign any remote routers the next IP address in each range. We'll use a different figure for this example—Figure 7.5— to help us to complete the necessary documentation.

Image described by caption and surrounding text.
Figure 7.5 Documenting a network topology using CDP

In this output, you can see that you have a router with four interfaces: two FastEthernet and two serial. First, determine the IP addresses of each interface by using the show running-config command like this:

Lab_A#sh running-config

Building configuration...

 

Current configuration : 960 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Lab_A

!

ip subnet-zero

!

!

interface FastEthernet0/0

 ip address 192.168.21.1 255.255.255.0

 duplex auto

!

interface FastEthernet0/1

 ip address 192.168.18.1 255.255.255.0

 duplex auto

!

interface Serial0/0

 ip address 192.168.23.1 255.255.255.0

!

interface Serial0/1

 ip address 192.168.28.1 255.255.255.0

!

ip classless

!

line con 0

line aux 0

line vty 0 4

!

end

With this step completed, you can now write down the IP addresses of the Lab_A router's four interfaces. Next, you must determine the type of device on the other end of each of these interfaces. It's easy—just use the show cdp neighbors command:

Lab_A#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater

Device ID   Local Intrfce     Holdtme    Capability Platform  Port ID

Lab_B        Fas 0/0            178          R        2501     E0

Lab_C        Fas 0/1            137          R        2621     Fa0/0

Lab_D        Ser 0/0            178          R        2514     S1

Lab_E        Ser 0/1            137          R        2620     S0/1

Wow—looks like we're connected to some old routers! But it's not our job to judge. Our mission is to draw out our network, so it's good that we've got some nice information to meet the challenge with now. By using both the show running-config and show cdp neighbors commands, we know about all the IP addresses of the Lab_A router, the types of routers connected to each of the Lab_A router's links, and all the interfaces of the remote routers.

Now that we're equipped with all the information gathered via show running-config and show cdp neighbors, we can accurately create the topology in Figure 7.6.

Illustration shows a network topology, with four types of routers connected to Lab A router's links.
Figure 7.6 Network topology documented

If we needed to, we could've also used the show cdp neighbors detail command to view the neighbor's IP addresses. But since we know the IP addresses of each link on the Lab_A router, we already know what the next available IP address is going to be.
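Documenting the topology by hand means reading the two outputs and writing down one link per neighbor. The Python below is an added example, not code from the book: it does that join mechanically on constructed copies of the Lab_A outputs above, expands the abbreviated interface names, assigns each remote router the next address in the local interface's range as the text's convention requires, and refuses to hand out a network's broadcast address. The function names, field names and the abbreviation table are my own assumptions. Note that this is also exactly the reconnaissance an attacker gets from one console session or from sniffing CDP on a link, which is one more reason the console line needs a password and CDP belongs only on infrastructure-facing ports.

```python
import ipaddress
import re

# Constructed samples shaped like the Lab_A outputs above (not captures from the book's router)
RUNNING_CONFIG = """\
hostname Lab_A
!
interface FastEthernet0/0
 ip address 192.168.21.1 255.255.255.0
 duplex auto
!
interface FastEthernet0/1
 ip address 192.168.18.1 255.255.255.0
 duplex auto
!
interface Serial0/0
 ip address 192.168.23.1 255.255.255.0
!
interface Serial0/1
 ip address 192.168.28.1 255.255.255.0
!
"""

CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID   Local Intrfce     Holdtme    Capability Platform  Port ID
Lab_B        Fas 0/0            178          R        2501     E0
Lab_C        Fas 0/1            137          R        2621     Fa0/0
Lab_D        Ser 0/0            178          R        2514     S1
Lab_E        Ser 0/1            137          R        2620     S0/1
"""

# Abbreviations CDP uses in the Local Intrfce / Port ID columns (assumed table, extend as needed)
ABBREV = {"Fas": "FastEthernet", "Fa": "FastEthernet", "Gig": "GigabitEthernet",
          "Gi": "GigabitEthernet", "Ser": "Serial", "Eth": "Ethernet"}


def expand_intf(short):
    """'Fas 0/0' -> 'FastEthernet0/0'; names that are already long come back unchanged."""
    m = re.match(r"^([A-Za-z]+)\s*(\S+)$", short.strip())
    if not m:
        return short.strip()
    name, num = m.groups()
    return ABBREV.get(name, name) + num


def parse_interfaces(running_config):
    """Interface name -> 'address/prefixlen' for every interface with an ip address line."""
    result, current = {}, None
    for line in running_config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)", line)
        if m and current:
            result[current] = str(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return result


def parse_cdp_neighbors(output):
    """Parse the `show cdp neighbors` table. Columns are whitespace-separated but the two
    interface columns may contain a space, so we anchor on the numeric holdtime and on the
    single-letter capability codes instead of splitting on fixed positions."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        h = next((i for i in range(1, len(tok)) if tok[i].isdigit()), None)
        if h is None:
            continue
        j, caps = h + 1, []
        while j < len(tok) and len(tok[j]) == 1 and tok[j].isalpha():
            caps.append(tok[j])
            j += 1
        if j >= len(tok):
            continue
        rows.append({"device": tok[0], "local_intf": expand_intf(" ".join(tok[1:h])),
                     "holdtime": int(tok[h]), "capability": caps, "platform": tok[j],
                     "port_id": expand_intf(" ".join(tok[j + 1:]))})
    return rows


def document_topology(running_config, cdp_output):
    """One link record per CDP neighbor; the remote end gets the next address in the local
    interface's range (the convention used in this section). Interfaces without an address
    produce a link with remote_ip None rather than an error."""
    m = re.search(r"^hostname (\S+)", running_config, re.M)
    local = m.group(1) if m else "local"
    addrs = parse_interfaces(running_config)
    links = []
    for row in parse_cdp_neighbors(cdp_output):
        cidr = addrs.get(row["local_intf"])
        remote = None
        if cidr:
            iface = ipaddress.ip_interface(cidr)
            remote = iface.ip + 1
            if remote not in iface.network or remote == iface.network.broadcast_address:
                raise ValueError(f"no free address after {iface} for {row['device']}")
        links.append({"local": local, "local_intf": row["local_intf"], "local_ip": cidr,
                      "neighbor": row["device"], "platform": row["platform"],
                      "remote_intf": row["port_id"],
                      "remote_ip": str(remote) if remote else None})
    return links


def render(links):
    return [f"{l['local']} {l['local_intf']} {l['local_ip']} <-> {l['remote_ip']} "
            f"{l['remote_intf']} {l['neighbor']} ({l['platform']})" for l in links]


if __name__ == "__main__":
    for line in render(document_topology(RUNNING_CONFIG, CDP_NEIGHBORS)):
        print(line)
```

Each rendered line is one edge of Figure 7.6; to document the remote routers' other links you repeat the same two commands from each of them, since CDP only ever shows directly attached devices.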

Link Layer Discovery Protocol (LLDP)

Before moving on from CDP, I want to tell you about a nonproprietary discovery protocol that provides pretty much the same information as CDP but works in multi-vendor networks.

The IEEE created a new standardized discovery protocol called 802.1AB for Station and Media Access Control Connectivity Discovery. We'll just call it Link Layer Discovery Protocol (LLDP).

LLDP defines basic discovery capabilities, but it was also extended to address voice deployments specifically, and that extension is called LLDP-MED (Media Endpoint Discovery). It's good to remember that LLDP-MED is an extension of LLDP rather than a separate protocol: a switch sends plain LLDP on a port until it receives LLDP-MED frames from the attached endpoint, and only then adds the MED TLVs.

LLDP has the following configuration guidelines and limitations:

  • LLDP must be enabled on the device before you can enable or disable it on any interface.
  • LLDP is supported only on physical interfaces.
  • LLDP can discover up to one device per port.
  • LLDP can discover Linux servers.

You can turn off LLDP completely with the no lldp run command from global configuration mode of a device and enable it with the lldp run command, which enables it on all interfaces as well.

SW-3(config)#no lldp run

SW-3(config)#lldp run

To turn LLDP off or on for an interface, use the lldp transmit and lldp receive commands.

SW-3(config-if)#no lldp transmit

SW-3(config-if)#no lldp receive

 

SW-3(config-if)#lldp transmit

SW-3(config-if)#lldp receive

Licensing

IOS licensing is now done quite differently than it was with previous versions of the IOS. Actually, there was no licensing before the new 15.0 IOS code, just your word and honor, and we can only guess based on how all products are downloaded on the Internet daily how well that has worked out for Cisco!

Starting with the IOS 15.0 code, things are much different—almost too different. I can imagine that Cisco will come back toward the middle on its licensing issues, so that the administration and management won't be as detailed as it is with the new 15.0 code license, but you can be the judge of that after reading this section.

A new ISR router is pre-installed with the software images and licenses that you ordered, and so as long as you ordered and paid for everything you need, you're set! If not, you can just install another license, which can be a tad tedious at first—enough so that installing a license was made an objective on the Cisco exam! Of course, it can be done, but it definitely requires some effort. As is typical with Cisco, if you spend enough money on their products, they tend to make it easier on you and your administration, and the licensing for the newest IOS is no exception, as you'll soon see.

On a positive note, Cisco provides evaluation licenses for most software packages and features that are supported on the hardware you purchased, and it's always nice to be able to try it out before you buy. Once the temporary license expires after 60 days, you need to acquire a permanent license in order to continue to use the extended features that aren't available in your current version. This method of licensing allows you to enable a router to use different parts of the IOS. So, what happens after 60 days? Well, nothing—back to the honor system for now. This is now called Right-To-Use (RTU) licensing, and it probably won't always be available via your honor, but for now it is.

But that's not the best part of the new licensing features. Prior to the 15.0 code release, there were eight different software feature sets for each hardware router type. With the IOS 15.0 code, the packaging is now called a universal image, meaning all feature sets are available in one file with all features packed neatly inside. So instead of the pre-15.0 IOS file packages of one image per feature set, Cisco now just builds one universal image that includes all of them in the file. Even so, we still need a different universal image per router model or series, just not a different image for each feature set as we did with previous IOS versions.

To use the features in the IOS software, you must unlock them using the software activation process. Since all features available are inside the universal image already, you can just unlock the features you need as you need them, and of course pay for these features when you determine that they meet your business requirements. All routers come with something called the IP Base licensing, which is the prerequisite for installing all other features.

There are three different technology packages available for purchase that can be installed as additional feature packs on top of the prerequisite IP Base (default), which provides entry-level IOS functionality. These are as follows:

Data: MPLS, ATM, and multiprotocol support

Unified Communications: VoIP and IP telephony

Security: Cisco IOS Firewall, IPS, IPsec, 3DES, and VPN

For example, if you need MPLS and IPsec, you'll need the default IP Base, Data, and Security premium packages unlocked on your router.

To obtain the license, you'll need the unique device identifier (UDI), which has two components: the product ID (PID) and the serial number of the router. The show license udi command provides this information, as shown in this output:

Router#sh license udi

Device#   PID                   SN              UDI

-------------------------------------------------------------------------

*0       CISCO2901/K9          FTX1641Y07J     CISCO2901/K9:FTX1641Y07J

After the time has expired for your 60-day evaluation period, you can either obtain the license file from the Cisco License Manager (CLM), which is an automated process, or use the manual process through the Cisco Product License Registration portal. Typically only larger companies will use the CLM because you'd need to install software on a server, which then keeps track of all your licenses for you. If you have just a few licenses that you use, you can opt for the manual web browser process found on the Cisco Product License Registration portal and then just add in a few CLI commands. After that, you just basically keep track of putting all the different license features together for each device you manage. Although this sounds like a lot of work, you don't need to perform these steps often. But clearly, going with the CLM makes a lot of sense if you have bunches of licenses to manage because it will put together all the little pieces of licensing for each router in one easy process.

When you purchase the software package with the features that you want to install, you need to permanently activate the software package using your UDI and the product authorization key (PAK) that you received with your purchase. This is essentially your receipt acknowledging that you purchased the license. You then need to connect the license with a particular router by combining the PAK and the UDI, which you do online at the Cisco Product License Registration portal (www.cisco.com/go/license). If you haven't already registered the license on a different router, and it is valid, Cisco will then email you your permanent license, or you can download it from your account.

But wait! You're still not done. You now need to activate the license on the router. Whew... maybe it's worthwhile to install the CLM on a server after all! Staying with the manual method, you need to make the new license file available to the router either via a USB port on the router or through a TFTP server. Once it's available to the router, you'll use the license install command from privileged mode.

Assuming that you copied the file into flash memory, the command would look like something like this:

Router#license install ?

  archive:  Install from archive: file system

  flash:    Install from flash: file system

  ftp:      Install from ftp: file system

  http:     Install from http: file system

  https:    Install from https: file system

  null:     Install from null: file system

  nvram:    Install from nvram: file system

  rcp:      Install from rcp: file system

  scp:      Install from scp: file system

  syslog:   Install from syslog: file system

  system:   Install from system: file system

  tftp:     Install from tftp: file system

  tmpsys:   Install from tmpsys: file system

  xmodem:   Install from xmodem: file system

  ymodem:   Install from ymodem: file system

Router#license install flash:FTX1628838P_201302111432454180.lic

Installing licenses from "flash::FTX1628838P_201302111432454180.lic"

Installing...Feature:datak9...Successful:Supported

1/1 licenses were successfully installed

0/1 licenses were existing licenses

0/1 licenses were failed to install

April 12 2:31:19.786: %LICENSE-6-INSTALL: Feature datak9 1.0 was

installed in this device. UDI=CISCO2901/K9:FTX1628838P;

StoreIndex=1:Primary License Storage

 

April 12 2:31:20.078: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL:

Module name =c2800 Next reboot level = datak9 and License = datak9

You need to reboot to have the new license take effect. Now that you have your license installed and running, how do you use Right-To-Use licensing to check out new features on your router? Let's look into that now.

Right-To-Use Licenses (Evaluation Licenses)

Originally called evaluation licenses, Right-To-Use (RTU) licenses are what you need when you want to update your IOS to load a new feature but either don't want to wait to get the license or just want to test if this feature will truly meet your business requirements. This makes sense because if Cisco made it complicated to load and check out a feature, they could potentially miss out on a sale! Of course if the feature does work for you, they'll want you to buy a permanent license, but again, this is on the honor system at the time of this writing.

Cisco's license model allows you to install the feature you want without a PAK. The Right-To-Use license works for 60 days before you would need to install your permanent license. To enable the Right-To-Use license, you would use the license boot module command. The following demonstrates starting the Right-To-Use license on my 2900 series router, enabling the security module named securityk9:

Router(config)#license boot module c2900 technology-package securityk9

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE

OR LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING

SUCHPRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE

FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING

TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.

[output cut]

Activation of the software command line interface will be evidence of

your acceptance of this agreement.

 

ACCEPT? [yes/no]: yes

 

% use 'write' command to make license boot config take effect on next boot

Feb 12 01:35:45.060: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL:

Module name =c2900 Next reboot level = securityk9 and License = securityk9

 

Feb 12 01:35:45.524: %LICENSE-6-EULA_ACCEPTED: EULA for feature

securityk9 1.0 has been accepted. UDI=CISCO2901/K9:FTX1628838P; StoreIndex=0:Built-In License Storage

Once the router is reloaded, you can use the security feature set. And it is really nice that you don't need to reload the router again if you choose to install a permanent license for this feature. The show license command shows the licenses installed on the router:

Router#show license

Index 1 Feature: ipbasek9

     Period left: Life time

     License Type: Permanent

     License State: Active, In Use

     License Count: Non-Counted

     License Priority: Medium

Index 2 Feature: securityk9

     Period left: 8 weeks  2 days

     Period Used: 0  minute  0  second

     License Type: EvalRightToUse

     License State: Active, In Use

     License Count: Non-Counted

     License Priority: None

Index 3 Feature: uck9

     Period left: Life time

     License Type: Permanent

     License State: Active, In Use

     License Count: Non-Counted

     License Priority: Medium

Index 4 Feature: datak9

     Period left: Not Activated

     Period Used: 0  minute  0  second

     License Type: EvalRightToUse

     License State: Not in Use, EULA not accepted

     License Count: Non-Counted

     License Priority: None

Index 5 Feature: gatekeeper

 [output cut]

You can see in the preceding output that the ipbasek9 is permanent and the securityk9 has a license type of EvalRightToUse. The show license feature command provides the same information as show license, but it's summarized into one line as shown in the next output:

Router#sh license feature

Feature name    Enforcement  Evaluation  Subscription   Enabled  RightToUse

ipbasek9             no           no          no             yes      no

securityk9           yes          yes         no             no       yes

uck9                 yes          yes         no             yes      yes

datak9               yes          yes         no             no       yes

gatekeeper           yes          yes         no             no       yes

SSL_VPN              yes          yes         no             no       yes

ios-ips-update       yes          yes         yes            no       yes

SNASw                yes          yes         no             no       yes

hseck9               yes          no          no             no       no

cme-srst             yes          yes         no             yes      yes

WAAS_Express         yes          yes         no             no       yes

UCVideo              yes          yes         no             no       yes

The show version command also shows the license information at the end of the command output:

Router#show version

[output cut]

License Info:

 

License UDI:

 

-------------------------------------------------

Device#   PID                   SN

-------------------------------------------------

*0        CISCO2901/K9          FTX1641Y07J

 

Technology Package License Information for Module:'c2900'

 

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      None          None           None

uc            uck9          Permanent      uck9

data          None          None           None

 

Configuration register is 0x2102

The show version command shows if the license was activated. Don't forget, you'll need to reload the router to have the license features take effect if the license evaluation is not already active.
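The evaluation license in the show license output above has 8 weeks 2 days left, and, as noted earlier in this section, IOS does nothing when that reaches zero: the feature keeps running on the honor system. Keeping an evaluation from silently turning into an unlicensed production feature is therefore a check you have to make yourself. The Python below is an added example, not code from the book: it parses a constructed copy of the show license output above, converts the Period left field to days, and flags each Right-To-Use license that is in use, with a warning threshold (warn_days, my own parameter) for the ones close to lapsing.

```python
import re

# Constructed to match the `show license` format above (not a capture from the book's router)
SHOW_LICENSE = """\
Index 1 Feature: ipbasek9
     Period left: Life time
     License Type: Permanent
     License State: Active, In Use
     License Count: Non-Counted
     License Priority: Medium
Index 2 Feature: securityk9
     Period left: 8 weeks  2 days
     Period Used: 0  minute  0  second
     License Type: EvalRightToUse
     License State: Active, In Use
     License Count: Non-Counted
     License Priority: None
Index 4 Feature: datak9
     Period left: Not Activated
     Period Used: 0  minute  0  second
     License Type: EvalRightToUse
     License State: Not in Use, EULA not accepted
     License Count: Non-Counted
     License Priority: None
"""


def parse_show_license(text):
    """One dict per 'Index N Feature:' block; keys are the field names lower-cased
    with underscores (e.g. 'License Type' -> 'license_type')."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^Index \d+ Feature:\s*(\S+)", line)
        if m:
            entries.append({"feature": m.group(1)})
            continue
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m and entries:
            entries[-1][m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
    return entries


UNIT_DAYS = {"week": 7, "day": 1, "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}


def period_to_days(period):
    """'8 weeks  2 days' -> 58. 'Life time' -> None (never expires). 'Not Activated' -> 0."""
    if period.lower().startswith("life"):
        return None
    return sum(int(n) * UNIT_DAYS[u]
               for n, u in re.findall(r"(\d+)\s*(week|day|hour|minute|second)", period))


def evaluation_report(text, warn_days=14):
    """Flag every Right-To-Use evaluation license: whether it is in use and how many days
    remain before the 60-day evaluation lapses. IOS does not stop the feature at that
    point, so this is a compliance check the operator has to run."""
    report = []
    for e in parse_show_license(text):
        if e.get("license_type") != "EvalRightToUse":
            continue
        in_use = e.get("license_state", "").startswith("Active")
        days = period_to_days(e.get("period_left", ""))
        if not in_use:
            action = "idle"
        elif days is not None and days <= warn_days:
            action = "expiring: buy a permanent license or disable the package"
        else:
            action = "in evaluation: track expiry"
        report.append({"feature": e["feature"], "in_use": in_use,
                       "days_left": days, "action": action})
    return report


if __name__ == "__main__":
    for r in evaluation_report(SHOW_LICENSE):
        print(f"{r['feature']:12} in_use={r['in_use']!s:5} days_left={r['days_left']!s:4} {r['action']}")
```

Feed it the output of show license collected from each router and the report is the list of features that need either a PAK-backed permanent license or a license boot module ... disable before the evaluation period runs out.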

Backing Up and Uninstalling the License

It would be a shame to lose your license if it has been stored in flash and your flash files become corrupted. So always back up your IOS license!

The installed licenses live in the router's license storage rather than in the .lic file you copied over, so back them up to flash memory with the license save command, which writes every installed license to a single file:

Router#license save flash:Todd_License.lic

The previous command will save your current license to flash. You can restore your license with the license install command I demonstrated earlier.

There are two steps to uninstalling a technology package license on a router. First, disable the technology package from global configuration mode with the license boot module command and the keyword disable at the end of the command line, then reload so the router boots without the feature:

Router(config)#license boot module c2900 technology-package securityk9 disable

Router(config)#exit

Router#reload

The second step, after that reload, is to clear the license from license storage with the license clear command and then remove the disable line from the configuration with the no form of the license boot module command, followed by one more reload:

Router#license clear securityk9

Router#config t

Router(config)#no license boot module c2900 technology-package securityk9 disable

Router(config)#exit

Router#reload

After you run through the preceding commands, the license will be removed from your router.

Here's a summary of the license commands I used in this chapter. These are important commands to have down, and you really need to understand these to meet the Cisco objectives:

  • show license determines the licenses that are active on your system. It also displays a group of lines for each feature in the currently running IOS image along with several status variables related to software activation and licensing, both licensed and unlicensed features.
  • show license feature allows you to view the technology package licenses and feature licenses that are supported on your router along with several status variables related to software activation and licensing. This includes both licensed and unlicensed features.
  • show license udi displays the unique device identifier (UDI) of the router, which comprises the product ID (PID) and serial number of the router.
  • show version displays various pieces of information about the current IOS version, including the licensing details at the end of the command's output.
  • license install url installs a license key file into a router.
  • license boot module installs a Right-To-Use license feature on a router.

Logging

Network devices can be configured to generate a syslog message and forward it to various destinations. These four examples are popular ways to gather messages from Cisco devices:

  • Logging buffer (on by default)
  • Console line (on by default)
  • Terminal lines (using the terminal monitor command)
  • Syslog server

Logging is covered in the section, “Configuring and Verifying Syslog” earlier in this chapter.

Timezone

To set the time zone for display purposes, use the clock timezone global configuration command. To set the time to Coordinated Universal Time (UTC), use the no form of this command.

clock timezone zone hours-offset [minutes-offset]

 

no clock timezone

Loopback

Loopback interfaces are logical interfaces. The advantage of these interfaces is that unlike physical interfaces, they never go down. If you want to use a loopback interface as a diagnostic port, you can create a loopback interface as so:

Todd(config)#interface loopback ?

<0-2147483647> Loopback interface number

Todd(config)#interface loopback 0

*May 19 03:06:42.697: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

Todd(config-if)#ip address 20.20.20.1 255.255.255.0

Now I can use this port for diagnostics, and even as the source of my ping or traceroute, as so:

Todd#ping

Protocol [ip]:

Target IP address: 10.1.1.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 20.20.20.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 20.20.20.1

These logical interfaces are great for diagnostics and for using them in our home labs where we don't have any real interfaces to play with, but we'll also use them in our OSPF configurations.

Exam Essentials

Describe the value of CDP and LLDP. Cisco Discovery Protocol can be used to help you document as well as troubleshoot your network. LLDP is a nonproprietary protocol that can provide the same information as CDP.

List the information provided by the output of the show cdp neighbors command. The show cdp neighbors command provides the following information: device ID, local interface, holdtime, capability, platform, and port ID (remote interface).

Back up an IOS image. By using the privileged-mode command copy flash tftp, you can back up a file from flash memory to a TFTP (network) server.

Restore or upgrade an IOS image. By using the privileged-mode command copy tftp flash, you can restore or upgrade a file from a TFTP (network) server to flash memory.

Describe best practices to prepare to back up an IOS image to a network server. Make sure that you can access the network server, ensure that the network server has adequate space for the code image, and verify the file naming and path requirement.

Remember how to install a permanent and Right-To-Use license. To install a permanent license on a router, use the license install url command. To install an evaluation feature, use the license boot module command.

Remember the verification commands used for licensing in the new ISR G2 routers. The show license command determines the licenses that are active on your system. The show license feature command allows you to view the technology package licenses and feature licenses that are supported on your router. The show license udi command displays the unique device identifier (UDI) of the router, which comprises the product ID (PID) and serial number of the router, and the show version command displays information about the current IOS version, including the licensing details at the end of the command's output.

Configure and verify initial device configuration

We connect to a Cisco device to configure it, verify its configuration, and check statistics, and although there are different approaches to this, the first place you would usually connect to is the console port. The console port is usually an RJ45, 8-pin modular connection located at the back of the device. On a factory-default device there is usually no password set on it, which means anyone with physical access to the port has full control of the device until you configure one.

You can also connect to a Cisco device through an auxiliary port, which is really the same thing as a console port, so it follows that you can use it as one. The main difference with an auxiliary port is that it also allows you to configure modem commands so that a modem can be connected to the router. This is a cool feature because it lets you dial up a remote router and attach to the auxiliary port if the router is down and you need to configure it remotely, out-of-band. One of the differences between Cisco routers and switches is that switches do not have an auxiliary port.

The third way to connect to a Cisco device is in-band, through the program Telnet or Secure Shell (SSH). In-band means configuring the device via the network, the opposite of out-of-band.

Bringing Up a Device

When you first bring up a Cisco IOS device, it will run a power-on self-test—a POST. Upon passing that, the machine will look for and then load the Cisco IOS from flash memory if an IOS file is present, then expand it into RAM. As you probably know, flash memory is electronically erasable programmable read-only memory—an EEPROM. The next step is for the IOS to locate and load a valid configuration known as the startup-config that will be stored in nonvolatile RAM (NVRAM).

Once the IOS is loaded and up and running, the startup-config will be copied from NVRAM into RAM and from then on it's referred to as the running-config.

But if a valid startup-config isn't found in NVRAM, your switch will enter setup mode, giving you a step-by-step dialog to help configure some basic parameters on it.

You can also enter setup mode at any time from the command line by typing the command setup from privileged mode, which I'll get to in a minute. Setup mode only covers some basic commands and generally isn't really all that helpful. Here's an example:

Would you like to enter the initial configuration dialog? [yes/no]: y

 

At any point you may enter a question mark '?' for help.

Use ctrl-c to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

 

Basic management setup configures only enough connectivity

for management of the system, extended setup will ask you

to configure each interface on the system

 

Would you like to enter basic management setup? [yes/no]: y

Configuring global parameters:

 

  Enter host name [Switch]: Ctrl+C

Configuration aborted, no changes made.

I highly recommend going through setup mode once, then never again because you should always use the CLI instead!

Command-Line Interface (CLI)

I sometimes refer to the CLI as “cash line interface” because the ability to create advanced configurations on Cisco routers and switches using the CLI will earn you some decent cash!

Entering the CLI

After the interface status messages appear and you press Enter, the Switch> prompt will pop up. This is called user exec mode, or user mode for short, and although it's mostly used to view statistics, it is also a stepping stone along the way to logging in to privileged exec mode, called privileged mode for short.

User mode lets you look at statistics, but you can view the full configuration and change it only while in privileged mode, which you enter via the enable command like this:

Switch>enable

Switch#

The Switch# prompt signals you're in privileged mode where you can both view and change the switch configuration. You can go back from privileged mode into user mode by using the disable command:

Switch#disable

Switch>

You can type logout from either mode to exit the console:

Switch>logout

 

Switch con0 is now available

Press RETURN to get started.

Next, I'll show how to perform some basic administrative configurations.

Overview of Router Modes

To configure from a CLI, you can make global changes to the router by typing configure terminal or just config t. This will get you into global configuration mode where you can make changes to the running-config. Commands run from global configuration mode are predictably referred to as global commands, and they are typically set only once and affect the entire router.

Type config from the privileged-mode prompt and then press Enter to opt for the default of terminal like this:

Switch#config
Configuring from terminal, memory, or network [terminal]? [press enter]
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

At this point, you make changes that affect the router as a whole (globally), hence the term global configuration mode. For instance, to change the running-config—the current configuration running in dynamic RAM (DRAM)—use the configure terminal command, as I just demonstrated.

CLI Prompts

Let's explore the different prompts you'll encounter when configuring a switch or router now, because knowing them well will really help you orient yourself and recognize exactly where you are at any given time while in configuration mode. I'm going to demonstrate some of the prompts used on a Cisco switch and cover the various terms used along the way. Make sure you're very familiar with them, and always check your prompts before making any changes to a router's configuration!

We're not going to venture into every last obscure command prompt you could potentially come across in the configuration mode world because that would get us deep into territory that's beyond the scope of this book. Instead, I'm going to focus on the prompts you absolutely must know to pass the exam plus the very handy and seriously vital ones you'll need and use the most in real-life networking—the cream of the crop.

Interfaces

To make changes to an interface, you use the interface command from global configuration mode:

Switch(config)#interface ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Filter             Filter interface
  Filtergroup        Filter Group interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  Group-Async        Async Group interface
  Lex                Lex interface
  Loopback           Loopback interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Portgroup          Portgroup interface
  Pos-channel        POS Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  range              interface range command
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#

Did you notice that the prompt changed to Switch(config-if)#? This tells you that you're in interface configuration mode. And wouldn't it be nice if the prompt also gave you an indication of what interface you were configuring? Well, at least for now we'll have to live without the prompt information, because it doesn't. But it should already be clear to you that you really need to pay attention when configuring an IOS device!

Line Commands

To configure user-mode passwords, use the line command. The prompt then becomes Switch(config-line)#:

Switch(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
Switch(config)#line console 0
Switch(config-line)#

The line console 0 command is a global command, and sometimes you'll also hear people refer to global commands as major commands. In this example, any command typed from the (config-line) prompt is known as a subcommand.

Access List Configurations

To configure a standard named access list, you'll need to get to the prompt Switch(config-std-nacl)#:

Switch#config t
Switch(config)#ip access-list standard Todd
Switch(config-std-nacl)#

What you see here is a typical basic standard ACL prompt. There are various ways to configure access lists, and the prompts are only slightly different from this particular example.

Routing Protocol Configurations

I need to point out that we don't use routing or router protocols on 2960 switches, but we can and will use them on my 3560 switches. Here is an example of configuring routing on a layer 3 switch:

Switch(config)#router rip
IP routing not enabled
Switch(config)#ip routing
Switch(config)#router rip
Switch(config-router)#

Router and Switch Interfaces

Interface configuration is arguably the most important router configuration because without interfaces, a router is a pretty useless object. Furthermore, interface configurations must be totally precise to enable communication with other devices. Network layer addresses, media type, bandwidth, and other administrator commands are all used to configure an interface.

On a layer 2 switch, interface configurations typically involve a lot less work than router interface configuration. Check out the output from the powerful verification command show ip interface brief, which reveals all the interfaces on my 3560 switch:

Todd#sh ip interface brief
Interface              IP-Address      OK? Method Status          Protocol
Vlan1                  192.168.255.8   YES DHCP   up                    up
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  down                 down
FastEthernet0/4        unassigned      YES unset  down                 down
FastEthernet0/5        unassigned      YES unset  up                    up
FastEthernet0/6        unassigned      YES unset  up                    up
FastEthernet0/7        unassigned      YES unset  down                 down
FastEthernet0/8        unassigned      YES unset  down                 down
GigabitEthernet0/1     unassigned      YES unset  down                 down

The previous output shows the default routed port found on all Cisco switches (VLAN 1), plus eight switch FastEthernet interface ports, with one port being a Gigabit Ethernet port used for uplinks to other switches.

Different routers use different methods to choose the interfaces used on them. For instance, the following command shows one of my 2800 ISR Cisco routers with two FastEthernet interfaces along with two serial WAN interfaces:

Router>sh ip int brief
Interface       IP-Address       OK? Method Status            Protocol
FastEthernet0/0  192.168.255.11  YES DHCP   up                    up
FastEthernet0/1  unassigned      YES unset  administratively down down
Serial0/0/0      unassigned      YES unset  administratively down down
Serial0/1/0      unassigned      YES unset  administratively down down
Router>
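Because show ip interface brief is the first thing you look at on a box you don't know, it's worth being able to read it with a script as well as with your eyes. The following is an added example, not code from the book: it parses the command's output into rows and pulls out the interfaces an auditor cares about (administratively down, DHCP-addressed, or up without an address). The two samples are constructed from the switch and router listings above, and the function names and checks are my own. The one trap in this format is that the Status column can be two words (administratively down), so a naive split on whitespace breaks; the parser pins Protocol to the last token and lets Status absorb whatever sits in between.

```python
"""Parse Cisco IOS 'show ip interface brief' output.

Added example, not from the book: the two samples are constructed from the
3560 switch and 2800 router listings shown above, and the function names
and checks are my own.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed from the switch output above.
SAMPLE_SWITCH = """\
Todd#sh ip interface brief
Interface              IP-Address      OK? Method Status          Protocol
Vlan1                  192.168.255.8   YES DHCP   up                    up
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  down                 down
FastEthernet0/4        unassigned      YES unset  down                 down
FastEthernet0/5        unassigned      YES unset  up                    up
FastEthernet0/6        unassigned      YES unset  up                    up
FastEthernet0/7        unassigned      YES unset  down                 down
FastEthernet0/8        unassigned      YES unset  down                 down
GigabitEthernet0/1     unassigned      YES unset  down                 down
"""

# Constructed from the router output above.
SAMPLE_ROUTER = """\
Router>sh ip int brief
Interface       IP-Address       OK? Method Status            Protocol
FastEthernet0/0  192.168.255.11  YES DHCP   up                    up
FastEthernet0/1  unassigned      YES unset  administratively down down
Serial0/0/0      unassigned      YES unset  administratively down down
Serial0/1/0      unassigned      YES unset  administratively down down
Router>
"""


@dataclass
class IfaceRow:
    name: str
    ip: str        # "unassigned" when no address is set
    ok: str
    method: str    # DHCP, manual, NVRAM, unset, ...
    status: str    # "up", "down" or "administratively down"
    protocol: str


# Status can be two words ("administratively down"), so Status is matched
# lazily and Protocol is pinned to the last token on the line.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)$"
)


def parse_ip_int_brief(text: str) -> List[IfaceRow]:
    """Return one IfaceRow per interface line; prompts and the header are skipped."""
    rows: List[IfaceRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Interface "):
            continue
        m = ROW_RE.match(line)
        if m:  # prompt and command lines have too few fields and do not match
            rows.append(IfaceRow(**m.groupdict()))
    return rows


def admin_down(rows: List[IfaceRow]) -> List[str]:
    """Interfaces an administrator has explicitly shut down."""
    return [r.name for r in rows if r.status == "administratively down"]


def dhcp_addressed(rows: List[IfaceRow]) -> List[str]:
    """Interfaces whose address came from DHCP rather than the config."""
    return [r.name for r in rows if r.method == "DHCP"]


def up_without_ip(rows: List[IfaceRow]) -> List[str]:
    """Up/up but unaddressed: normal for switch access ports, unexpected on a
    router, whose ports are disabled by default."""
    return [r.name for r in rows
            if r.status == "up" and r.protocol == "up" and r.ip == "unassigned"]


if __name__ == "__main__":
    for label, sample in (("switch", SAMPLE_SWITCH), ("router", SAMPLE_ROUTER)):
        rows = parse_ip_int_brief(sample)
        print(f"{label}: {len(rows)} interfaces, admin down={admin_down(rows)}, "
              f"dhcp={dhcp_addressed(rows)}, up without IP={up_without_ip(rows)}")
```

Run it over a saved capture of the command and the three lists give you a quick picture of what's reachable on the device before you touch the configuration.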

Previously, we always used the interface type number sequence to configure an interface, but the newer routers come with an actual physical slot and include a port number on the module plugged into it. So on a modular router, the configuration would be interface type slot/port, as demonstrated here:

Todd#config t
Todd(config)#interface GigabitEthernet 0/1
Todd(config-if)#

You can see that we are now at the Gigabit Ethernet slot 0, port 1 prompt, and from here we can make configuration changes to the interface. Make note of the fact that you can't just type int gigabitethernet 0. No shortcuts on the slot/port—you've got to type the slot/port variables in the command: type slot/port or, for example, int gigabitethernet 0/1 (or just int g0/1).

Once in interface configuration mode, we can configure various options. Keep in mind that speed and duplex are the two factors to be concerned with for the LAN:

Todd#config t
Todd(config)#interface GigabitEthernet 0/1
Todd(config-if)#speed 1000
Todd(config-if)#duplex full

So what's happened here? Well basically, this has shut off the autodetect mechanism on the port, forcing it to only run gigabit speeds at full-duplex. For the ISR series router, it's basically the same, but you get even more options! The LAN interfaces are the same, but the rest of the modules are different—they use three numbers instead of two. The three numbers used here can represent slot/subslot/port, but this depends on the card used in the ISR router. For the objectives, you just need to remember this: The first 0 is the router itself. You then choose the slot and then the port. Here's an example of a serial interface on my 2811:

Todd(config)#interface serial ?
  <0-2>  Serial interface number
Todd(config)#interface serial 0/0/?
  <0-1>  Serial interface number
Todd(config)#interface serial 0/0/0
Todd(config-if)#

This might look a little dicey to you, but I promise it's really not that hard! It helps to remember that you should always view the output of the show ip interface brief command or a show running-config output first so you know the exact interfaces you have to deal with. Here's one of my 2811's output that has even more serial interfaces installed:

Todd(config-if)#do show run
Building configuration...
[output cut]
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
[output cut]

For the sake of brevity, I didn't include my complete running-config, but I've displayed all you really need. You can see the two built-in FastEthernet interfaces, the two serial interfaces in slot 0 (0/0/0 and 0/0/1), the serial interface in slot 1 (0/1/0), and the serial interface in slot 2 (0/2/0). And once you see the interfaces like this, it makes it a lot easier to understand how the modules are inserted into the router.

Just understand that if you type interface e0 on an old 2500 series router, interface fastethernet 0/0 on a modular router (such as the 2800 series router), or interface serial 0/1/0 on an ISR router, all you're actually doing is choosing an interface to configure. Essentially, they're all configured the same way after that.

Let's delve deeper into our router interface discussion by exploring how to bring up the interface and set an IP address on it next.

Bringing Up an Interface

You can disable an interface with the interface command shutdown and enable it with the no shutdown command. Just to remind you, all switch ports are enabled by default and all router ports are disabled by default, so we're going to talk more about router ports than switch ports in the next few sections.

If an interface is shut down, it'll display as administratively down when you use the show interfaces command (sh int for short):

Router#sh int f0/0
FastEthernet0/0 is administratively down, line protocol is down
[output cut]

Another way to check an interface's status is via the show running-config command. You can bring up the router interface with the no shutdown command (no shut for short):

Router(config)#int f0/0
Router(config-if)#no shutdown
*August 21 13:45:08.455: %LINK-3-UPDOWN: Interface FastEthernet0/0,
     changed state to up
Router(config-if)#do show int f0/0
FastEthernet0/0 is up, line protocol is up
[output cut]

Configuring an IP Address on an Interface

Even though you don't have to use IP on your routers, it's usually what everyone uses. To configure IP addresses on an interface, use the ip address command from interface configuration mode and remember that you do not set an IP address on a layer 2 switch port!

Todd(config)#int f0/1
Todd(config-if)#ip address 172.16.10.2 255.255.255.0

Also, don't forget to enable the interface with the no shutdown command. Remember to look at the command show interface int output to see if the interface is administratively shut down or not. Show ip int brief and show running-config will also give you this information.

Okay—now if you want to add a second subnet address to an interface, you have to use the secondary parameter. If you type another IP address and press Enter, it will replace the existing primary IP address and mask. This is definitely one of the Cisco IOS's coolest features!

So let's try it. To add a secondary IP address, just use the secondary parameter:

Todd(config-if)#ip address 172.16.20.2 255.255.255.0 ?
  secondary  Make this IP address a secondary address
  <cr>
Todd(config-if)#ip address 172.16.20.2 255.255.255.0 secondary
Todd(config-if)#do sh run
Building configuration...
[output cut]

interface FastEthernet0/1
 ip address 172.16.20.2 255.255.255.0 secondary
 ip address 172.16.10.2 255.255.255.0
 duplex auto
 speed auto
!

But I've got to stop here to tell you that I really wouldn't recommend having multiple IP addresses on an interface because it's really inefficient. I showed you how anyway just in case you someday find yourself dealing with an MIS manager who's in love with really bad network design and makes you administer it! And who knows? Maybe someone will ask you about it someday and you'll get to seem really smart because you know this.

Exam Essentials

Describe the use of setup mode. Setup mode is automatically started if a router boots and no startup-config is in NVRAM. You can also bring up setup mode by typing setup from privileged mode. Setup provides a minimum amount of configuration in an easy format for someone who does not understand how to configure a Cisco router from the command line.

Differentiate user, privileged, and global configuration modes, both visually and from a command capabilities perspective. User mode, indicated by the routername> prompt, provides a command-line interface with very few available commands by default. User mode does not allow the configuration to be viewed or changed. Privileged mode, indicated by the routername# prompt, allows a user to both view and change the configuration of a router. You can enter privileged mode by typing the command enable and entering the enable password or enable secret password, if set. Global configuration mode, indicated by the routername(config)# prompt, allows configuration changes to be made that apply to the entire router (as opposed to a configuration change that might affect only one interface, for example).

Recognize additional prompts available in other modes and describe their use. Additional modes are reached via the global configuration prompt, routername(config)#, and their prompts include interface mode, router(config-if)#, for making interface settings; line configuration mode, router(config-line)#, used to set passwords and make other settings to various connection methods; and routing protocol modes for various routing protocols, router(config-router)#, used to enable and configure routing protocols.

Describe the process of preparing an interface for use. To use an interface, you must configure it with an IP address and subnet mask in the same subnet of the hosts that will be connecting to the switch that is connected to that interface. It also must be enabled with the no shutdown command. A serial interface that is connected back to back with another router serial interface must also be configured with a clock rate on the DCE end of the serial cable.

Perform device maintenance

There will be activities that will be recurring that maintain the devices. In the following sections, we'll talk about what some of these processes and procedures are.

Cisco IOS Upgrades and Recovery (SCP, FTP, TFTP, and MD5 Verify)

What happens if you need to restore the Cisco IOS to flash memory to replace an original file that has been damaged or if you want to upgrade the IOS? You can download the file from a TFTP server to flash memory by using the copy tftp flash command. This command requires the IP address of the TFTP host and the name of the file you want to download.

However, since IOSs can be very large today, we may want to use something other than TFTP, which is unreliable and can only transfer smaller files. Check this out:

Corp#copy ?
/erase Erase destination file system.
/error Allow to copy error file.
/noverify Don't verify image signature before reload.
/verify Verify image signature before reload.
archive: Copy from archive: file system
cns: Copy from cns: file system
flash: Copy from flash: file system
ftp: Copy from ftp: file system
http: Copy from http: file system
https: Copy from https: file system
null: Copy from null: file system
nvram: Copy from nvram: file system
rcp: Copy from rcp: file system
running-config Copy from current system configuration
scp: Copy from scp: file system
startup-config Copy from startup configuration
system: Copy from system: file system
tar: Copy from tar: file system
tftp: Copy from tftp: file system
tmpsys: Copy from tmpsys: file system
xmodem: Copy from xmodem: file system
ymodem: Copy from ymodem: file system

You can see from the output above that we have many options. For larger files we'll use FTP or SCP to copy an IOS to or from our routers and switches, and we can even have the router verify the image's MD5 signature by adding the /verify option to the end of the command.

I'll just use TFTP for our examples because it's easiest. But before you begin, make sure the file you want to place in flash memory is in the default TFTP directory on your host. When you issue the command, TFTP won't ask you where the file is, so if the file you want to use isn't in the default directory of the TFTP host, this just won't work.

Router# copy tftp flash
Address or name of remote host []? 1.1.1.2
Source filename []? c2800nm-advsecurityk9-mz.151-4.M6.bin
Destination filename [c2800nm-advsecurityk9-mz.151-4.M6.bin]? [enter]
%Warning: There is a file already existing with this name
Do you want to over write? [confirm] [enter]
Accessing tftp://1.1.1.2/ c2800nm-advsecurityk9-mz.151-4.M6.bin...
Loading c2800nm-advsecurityk9-mz.151-4.M6.bin from 1.1.1.2 (via
FastEthernet0/0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 21710744 bytes]
45395968 bytes copied in 82.880 secs (261954 bytes/sec)
Router#

In the preceding example, I copied the same file into flash memory, so it asked me if I wanted to overwrite it. Remember that we are “playing” with files in flash memory. If I had just corrupted my file by overwriting it, I wouldn't know for sure until I rebooted the router. Be careful with this command! If the file is corrupted, you'll need to do an IOS restore from ROM monitor mode.
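The way to avoid finding out at reboot time is to check the image before it ever goes anywhere near flash: compare the file you downloaded against the digests the vendor publishes for that exact image, on the TFTP or FTP host and again after the copy. Here's an added example, not code from the book, that does the comparison in Python; the file name and the expected values in it are constructed for the demonstration (they are the standard test-vector digests of the bytes abc, not of any real image), and the function names are my own. It streams the file so a large image doesn't have to fit in memory, and it refuses to report success when it has been given nothing to compare against.

```python
"""Check an IOS image file against the digests the vendor publishes for it.

Added example, not from the book: the file name and the "expected" values are
constructed for the demonstration; take the real values from the vendor's
download page for the exact image you fetched.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional

CHUNK = 1 << 20  # 1 MiB reads: IOS images are tens of megabytes


def image_digests(path: str) -> Dict[str, object]:
    """Stream the file once and return its size, MD5 and SHA-512 hex digests."""
    md5, sha512, size = hashlib.md5(), hashlib.sha512(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha512.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha512": sha512.hexdigest()}


def verify_image(path: str, expected_md5: Optional[str] = None,
                 expected_sha512: Optional[str] = None,
                 expected_size: Optional[int] = None) -> bool:
    """True only if every expected value supplied matches the file.

    With no expectations at all the answer is False: "nothing to check" must
    never read as "verified". Digests are compared with hmac.compare_digest
    after lower-casing, so the check is constant-time and case-insensitive.
    """
    actual = image_digests(path)
    checks = []
    if expected_size is not None:
        checks.append(actual["size"] == expected_size)
    if expected_md5 is not None:
        checks.append(hmac.compare_digest(actual["md5"], expected_md5.strip().lower()))
    if expected_sha512 is not None:
        checks.append(hmac.compare_digest(actual["sha512"], expected_sha512.strip().lower()))
    return bool(checks) and all(checks)


def write_sample(data: bytes, name: str = "sample-image.bin") -> str:
    """Write constructed bytes to a fresh temp directory and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-in for an image: the bytes "abc", whose MD5 is the
    # well-known test vector below. A real image is tens of MB.
    path = write_sample(b"abc")
    print(image_digests(path))
    print(verify_image(path, expected_md5="900150983cd24fb0d6963f7d28e17f72",
                       expected_size=3))
```

MD5 is what the /verify option and older download pages give you, and it still catches a truncated or corrupted transfer; where the vendor also publishes a SHA-512 value, pass that too, because a collision attack against MD5 is a different proposition from one against SHA-512.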

If you are loading a new file and you don't have enough room in flash memory to store both the new and existing copies, the router will ask to erase the contents of flash memory before writing the new file into flash memory, and if you are able to copy the IOS without erasing the old version, then make sure you remember to use the boot system flash: ios-file command.

There is one other way you can restore the IOS on a router, but it takes a while. You can use what is called the Xmodem protocol to actually upload an IOS file into flash memory through the console port. You'd use the Xmodem through the console port procedure if you had no network connectivity to the router or switch.

Password Recovery and Configuration Register

All Cisco routers have a 16-bit software register that's written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM. In the following sections, I am going to discuss the configuration register settings and how to use these settings to provide password recovery on your routers.

Understanding the Configuration Register Bits

The 16 bits (2 bytes) of the configuration register are read from 15 to 0, from left to right. The default configuration setting on Cisco routers is 0x2102. This means that bits 13, 8, and 1 are on, as shown in Table 7.3. Notice that each set of 4 bits (called a nibble) is read in binary with a value of 8, 4, 2, 1.

Table 7.3 The configuration register bit numbers

Configuration Register      2               1               0               2
Bit number             15 14 13 12     11 10  9  8      7  6  5  4      3  2  1  0
Binary                  0  0  1  0      0  0  0  1      0  0  0  0      0  0  1  0

Table 7.4 lists the software configuration bit meanings. Notice that bit 6 can be used to ignore the NVRAM contents. This bit is used for password recovery—something I'll go over with you soon in the section “Recovering Passwords.”

Table 7.4 Software configuration meanings

Bit        Hex              Description
0–3        0x0000–0x000F    Boot field (see Table 7.5)
6          0x0040           Ignore NVRAM contents.
7          0x0080           OEM bit enabled
8          0x101            Break disabled
10         0x0400           IP broadcast with all zeros
5, 11–12   0x0800–0x1000    Console line speed
13         0x2000           Boot default ROM software if network boot fails
14         0x4000           IP broadcasts do not have net numbers.
15         0x8000           Enable diagnostic messages and ignore NVRAM contents.

The boot field, which consists of bits 0–3 in the configuration register (the last 4 bits), controls the router boot sequence and locates the Cisco IOS. Table 7.5 describes the boot field bits.

Table 7.5 The boot field (configuration register bits 00–03)

Boot Field   Meaning                             Use
00           ROM monitor mode                    To boot to ROM monitor mode, set the configuration register to 2100. You must manually boot the router with the b command. The router will show the rommon> prompt.
01           Boot image from ROM                 To boot the mini-IOS image stored in ROM, set the configuration register to 2101. The router will show the Router(boot)> prompt. The mini-IOS is not available in all routers and is also referred to as RXBOOT.
02–F         Specifies a default boot filename   Any value from 2102 through 210F tells the router to use the boot commands specified in NVRAM.

Checking the Current Configuration Register Value

You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as demonstrated here:

Router>sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M),
Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
[output cut]
Configuration register is 0x2102

The last information given from this command is the value of the configuration register. In this example, the value is 0x2102—the default setting. The configuration register setting of 0x2102 tells the router to look in NVRAM for the boot sequence.

Notice that the show version command also provides the IOS version, and in the preceding example, it shows the IOS version as 15.1(4)M6.

To change the configuration register, use the config-register command from global configuration mode.

Router(config)#config-register 0x2142
Router(config)#do sh ver
[output cut]
Configuration register is 0x2102 (will be 0x2142 at next reload)

It's important that you are careful when you set the configuration register!

Boot System Commands

Did you know that you can configure your router to boot another IOS if the flash is corrupted? Well, you can. You can boot all of your routers from a TFTP server, but it's old school, and people just don't do it anymore; it's just for backup in case of failure.

There are some boot commands you can play with that will help you manage the way your router boots the Cisco IOS—but please remember, we're talking about the router's IOS here, not the router's configuration!

Router>en
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#boot ?
  bootstrap  Bootstrap image file
  config     Configuration file
  host       Router-specific config file
  network    Network-wide config file
  system     System image file

The boot command truly gives you a wealth of options, but first, I'll show you the typical settings that Cisco recommends. So let's get started—the boot system command will allow you to tell the router which system IOS file to boot from flash memory. Remember that the router, by default, boots the first system IOS file found in flash. You can change that with the following commands, as shown in the output:

Router(config)#boot system ?
  WORD   TFTP filename or URL
  flash  Boot from flash memory
  ftp    Boot from a server via ftp
  mop    Boot from a Decnet MOP server
  rcp    Boot from a server via rcp
  rom    Boot from rom
  tftp   Boot from a tftp server
Router(config)#boot system flash c2800nm-advsecurityk9-mz.151-4.M6.bin

Notice I could boot from FLASH, FTP, ROM, TFTP, or other useless options. The command I used configures the router to boot the IOS listed in it. This is a helpful command for when you load a new IOS into flash and want to test it, or even when you want to totally change which IOS is loading by default.

The next command is considered a fallback routine, but as I said, you can make it a permanent way to have your routers boot from a TFTP host. Personally, I wouldn't necessarily recommend doing this (single point of failure); I'm just showing you that it's possible:

Router(config)#boot system tftp ?
  WORD  System image filename
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.151-4.M6.bin?
  Hostname or A.B.C.D  Address from which to download the file
  <cr>
Router(config)#boot system tftp c2800nm-advsecurityk9-mz.151-4.M6.bin 1.1.1.2
Router(config)#

As your last recommended fallback option—the one to go to if the IOS in flash doesn't load and the TFTP host does not produce the IOS—load the mini-IOS from ROM like this:

Router(config)#boot system rom
Router(config)#do show run | include boot system
boot system flash c2800nm-advsecurityk9-mz.151-4.M6.bin
boot system tftp c2800nm-advsecurityk9-mz.151-4.M6.bin 1.1.1.2
boot system rom
Router(config)#

If the preceding configuration is set, the router will try to boot from the TFTP server if flash fails, and if the TFTP boot fails, the mini-IOS will load after six unsuccessful attempts of trying to locate the TFTP server.

In the next section, I'll show you how to load the router into ROM monitor mode so you can perform password recovery.

Recovering Passwords

If you're locked out of a router because you forgot the password, you can change the configuration register to help you get back on your feet. As I said earlier, bit 6 in the configuration register is used to tell the router whether to use the contents of NVRAM to load a router configuration.

The default configuration register value is 0x2102, meaning that bit 6 is off. With the default setting, the router will look for and load a router configuration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6. Doing this will tell the router to ignore the NVRAM contents. The configuration register value to turn on bit 6 is 0x2142.
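Since the whole trick rests on one bit, it helps to see the register decoded rather than just memorize 0x2102 and 0x2142. The following is an added example, not code from the book: it breaks a register value into the fields of Tables 7.4 and 7.5, parses the Configuration register line out of a show version capture (including the "will be ... at next reload" form you saw earlier), and flags the thing a reviewer most wants to know, namely a router that is about to boot ignoring its startup-config. That's the state a box is left in when someone finishes a password recovery and forgets step 7, and it's worth catching in your regular show version collection rather than at the next reload. The sample output is constructed from the show version output above, and the function names and audit rules are my own.

```python
"""Decode a Cisco configuration register and audit a 'show version' line for it.

Added example, not from the book: the bit meanings follow Tables 7.4 and 7.5,
the sample 'show version' text is constructed from the output above, and the
function names and audit rules are my own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Bit positions from Table 7.4 (hex value = 1 << bit).
BOOT_FIELD_MASK = 0x000F             # bits 0-3, Table 7.5
IGNORE_NVRAM = 1 << 6                # 0x0040: ignore startup-config (password recovery)
OEM_BIT = 1 << 7                     # 0x0080
BREAK_DISABLED = 1 << 8              # 0x0100
IP_BROADCAST_ALL_ZEROS = 1 << 10     # 0x0400
BOOT_ROM_IF_NETBOOT_FAILS = 1 << 13  # 0x2000
IP_BROADCAST_NO_NET = 1 << 14        # 0x4000
DIAG_IGNORE_NVRAM = 1 << 15          # 0x8000

DEFAULT_CONFREG = 0x2102


def boot_field_meaning(boot_field: int) -> str:
    """Table 7.5: 0 = ROM monitor, 1 = mini-IOS in ROM, 2-F = boot system commands in NVRAM."""
    if boot_field == 0:
        return "ROM monitor mode (manual boot with b)"
    if boot_field == 1:
        return "boot mini-IOS image from ROM (RXBOOT)"
    return "use boot system commands in NVRAM"


def decode_confreg(value: int) -> Dict[str, object]:
    """Break a 16-bit register value into the fields the tables describe."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"configuration register is 16 bits, got {value:#x}")
    boot_field = value & BOOT_FIELD_MASK
    return {
        "value": value,
        "set_bits": [b for b in range(16) if value >> b & 1],
        "boot_field": boot_field,
        "boot_meaning": boot_field_meaning(boot_field),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
        "diagnostics_ignore_nvram": bool(value & DIAG_IGNORE_NVRAM),
    }


# Matches both "Configuration register is 0x2102" and the pending form
# "Configuration register is 0x2102 (will be 0x2142 at next reload)".
REG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_show_version(text: str) -> Tuple[int, Optional[int]]:
    """Return (current, pending); pending is None when no change is queued for reload."""
    m = REG_RE.search(text)
    if not m:
        raise ValueError("no 'Configuration register is' line in output")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending


def audit_confreg(text: str) -> List[str]:
    """Findings a reviewer of a 'show version' capture would want to see."""
    current, pending = parse_show_version(text)
    effective = current if pending is None else pending   # what the next boot will use
    d = decode_confreg(effective)
    findings: List[str] = []
    if d["ignore_nvram"] or d["diagnostics_ignore_nvram"]:
        findings.append(f"{effective:#06x}: startup-config will be ignored at next boot "
                        "(bit 6 or bit 15 set)")
    if d["boot_field"] == 0:
        findings.append(f"{effective:#06x}: boot field 0, router will stop at the rommon prompt")
    if effective != DEFAULT_CONFREG and not findings:
        findings.append(f"{effective:#06x}: non-default register value")
    return findings


# Constructed from the show version output above.
SAMPLE_SHOW_VER = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M),
Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
[output cut]
Configuration register is 0x2102 (will be 0x2142 at next reload)
"""

if __name__ == "__main__":
    print(decode_confreg(DEFAULT_CONFREG))
    print(audit_confreg(SAMPLE_SHOW_VER))
```

The audit deliberately judges the pending value when one is present: a router reporting 0x2102 today but 0x2142 at next reload is the one that will come up with no passwords and no interface configuration.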

Here are the main steps to password recovery:

  1. Boot the router and interrupt the boot sequence by performing a break, which will take the router into ROM monitor mode.
  2. Change the configuration register to turn on bit 6 (with the value 0x2142).
  3. Reload the router.
  4. Say “no” to entering setup mode, then enter privileged mode.
  5. Copy the startup-config file to running-config, and don't forget to verify that your interfaces are re-enabled.
  6. Change the password.
  7. Reset the configuration register to the default value.
  8. Save the router configuration.
  9. Reload the router (optional).

I'm going to cover these steps in more detail in the following sections. I'll also show you the commands to restore access to ISR series routers.

You can enter ROM monitor mode by pressing Ctrl+Break or Ctrl+Shift+6, then b, during router bootup. But if the IOS is corrupt or missing, if there's no network connectivity available to find a TFTP host, or if the mini-IOS from ROM doesn't load (meaning the default router fallback failed), the router will enter ROM monitor mode by default.

Interrupting the Router Boot Sequence

Your first step is to boot the router and perform a break. This is usually done by pressing the Ctrl+Break key combination when using HyperTerminal (personally, I use SecureCRT or PuTTY) while the router first reboots.

System Bootstrap, Version 15.1(4)M6, RELEASE SOFTWARE (fc2)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2800 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
monitor: command "boot" aborted due to user interrupt
rommon 1 >

Notice the line monitor: command "boot" aborted due to user interrupt. At this point, you will be at the rommon 1> prompt, which is called the ROM monitor mode.

Changing the Configuration Register

As I explained earlier, you can change the configuration register from within the IOS by using the config-register command. To turn on bit 6, use the configuration register value 0x2142.

To change the bit value on a Cisco ISR series router, you just enter the following command at the rommon 1> prompt:

rommon 1 >confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 >reset

Reloading the Router and Entering Privileged Mode

At this point, you need to reset the router like this:

  • From the ISR series router, type I (for initialize) or reset.
  • From an older series router, type I.

The router will reload and ask if you want to use setup mode (because no startup-config is used). Answer no to entering setup mode, press Enter to go into user mode, and then type enable to go into privileged mode.

Viewing and Changing the Configuration

Now you're past the point where you would need to enter the user-mode and privileged-mode passwords in a router. Copy the startup-config file to the running-config file:

copy startup-config running-config

Or use the shortcut:

copy start run

The configuration is now running in random access memory (RAM), and you're in privileged mode, meaning that you can now view and change the configuration. But you can't view the enable secret setting for the password since it is encrypted. To change the password, do this:

config t
enable secret todd

Resetting the Configuration Register and Reloading the Router

After you're finished changing passwords, set the configuration register back to the default value with the config-register command:

config t
config-register 0x2102

It's important to remember to enable your interfaces after copying the configuration from NVRAM to RAM.

Finally, save the new configuration with a copy running-config startup-config and use reload to reload the router.

To sum this up, we now have Cisco's suggested IOS backup routine configured on our router: flash, TFTP host, ROM.

File System Management

Cisco has created a file system called Cisco IFS that allows you to work with files and directories just as you would from a Windows DOS prompt. The commands you use are dir, copy, more, delete, erase or format, cd and pwd, and mkdir and rmdir.

Working with IFS gives you the ability to view all files, even those on remote servers. And you definitely want to find out if an image on one of your remote servers is valid before you copy it, right? You also need to know how big it is—size matters here! It's also a really good idea to take a look at the remote server's configuration and make sure it's all good before loading that file on your router.

It's very cool that IFS makes the file system user interface universal—it's not platform specific anymore. You now get to use the same syntax for all your commands on all of your routers, no matter the platform!

Sound too good to be true? Well, it kind of is because you'll find out that support for all commands on each file system and platform just isn't there. But it's really no big deal since various file systems differ in the actions they perform; the commands that aren't relevant to a particular file system are the very ones that aren't supported on that file system. Be assured that any file system or platform will fully support all the commands you need to manage it.

Another cool IFS feature is that it cuts down on all those obligatory prompts for a lot of the commands. If you want to enter a command, all you have to do is type all the necessary info straight into the command line—no more jumping through hoops of prompts! So, if you want to copy a file to an FTP server, all you'd do is first indicate where the desired source file is on your router, pinpoint where the destination file is to be on the FTP server, determine the username and password you're going to use when you want to connect to that server, and type it all in on one line—sleek! And for those of you resistant to change, you can still have the router prompt you for all the information it needs and enjoy entering a more elegantly minimized version of the command than you did before.

But even in spite of all this, your router might still prompt you—even if you did everything right in your command line. It comes down to how you've got the file prompt command configured and which command you're trying to use. But no worries—if that happens, the default value will be entered right there in the command, and all you have to do is hit Enter to verify the correct values.

IFS also lets you explore various directories and inventory files in any directory you want. Plus, you can make subdirectories in flash memory or on a card, but you only get to do that if you're working on one of the more recent platforms.

And get this—the new file system interface uses URLs to determine the whereabouts of a file. So just as they pinpoint places on the web, URLs now indicate where files are on your Cisco router, or even on a remote file server! You just type URLs right into your commands to identify where the file or directory is. It's really that easy—to copy a file from one place to another, you simply enter the copy source-url destination-url command—sweet! IFS URLs are a tad different than what you're used to though, and there's an array of formats to use that vary depending on where, exactly, the file is that you're after.

We're going to use Cisco IFS commands pretty much the same way that we used the copy command in the section “Cisco IOS Upgrades and Recovery (SCP, FTP, TFTP, and MD5 Verify)” earlier:

  • For backing up the IOS
  • For upgrading the IOS
  • For viewing text files

Okay—with all that down, let's take a look at the common IFS commands available to us for managing the IOS. I'll get into configuration files soon, but for now I'm going to get you started with going over the basics used to manage the new Cisco IOS.

dir Same as with Windows, this command lets you view files in a directory. Type dir, hit Enter, and by default you get the contents of the flash:/ directory output.

copy This is one popular command, often used to upgrade, restore, or back up an IOS. But as I said, when you use it, it's really important to focus on the details—what you're copying, where it's coming from, and where it's going to land.

more Same as with Unix, this lets you view a text file, including one stored on a flash card. You can use it to check out your configuration file or your backup configuration file.

show file This command will give you the skinny on a specified file or file system, but it's kind of obscure because people don't use it a lot.

delete Three guesses—yep, it deletes stuff. But with some types of routers, not as well as you'd think. That's because even though it whacks the file, it doesn't always free up the space it was using. To actually get the space back, you have to use something called the squeeze command too.

erase/format Use these with care—make sure that when you're copying files, you say no to the dialog that asks you if you want to erase the file system! The type of memory you're using determines if you can nix the flash drive or not.

cd/pwd Same as with Unix and DOS, cd is the command you use to change directories. Use the pwd command to print (show) the working directory.

mkdir/rmdir Use these commands on certain routers and switches to create and delete directories—the mkdir command for creation and the rmdir command for deletion. Use the cd and pwd commands to change into these directories.
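The text says to confirm that an image on a remote server is valid and that it will fit before you copy it to the router. Here is an added example of those two preflight checks in Python; it is my own code, not from the book or from Cisco. It hashes the image and compares the result with the digest published for it (the same idea as the MD5 verify mentioned earlier), and it compares the file size with the free space the target file system reports. The digest algorithm, the free-space figure and the tiny sample file it writes are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def digest_of_file(path, algorithm="md5", chunk_size=65536):
    """Hash the file in chunks so a multi-megabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight_image(path, expected_digest, free_flash_bytes, algorithm="md5"):
    """Run the checks the text describes before copying an image to a router.

    hash_ok : image content matches the published digest (integrity check)
    fits    : image size does not exceed the free space on the target file system
    ok      : both checks passed, so the copy is safe to attempt
    """
    size = os.path.getsize(path)
    actual = digest_of_file(path, algorithm)
    # Constant-time comparison of the two hex strings (idiomatic for digest checks).
    hash_ok = hmac.compare_digest(actual, expected_digest.strip().lower())
    fits = size <= free_flash_bytes
    return {
        "size": size,
        "digest": actual,
        "hash_ok": hash_ok,
        "fits": fits,
        "ok": hash_ok and fits,
    }


def make_sample_image(directory=None):
    """Write a tiny constructed stand-in for an IOS image (not a real image) and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample-image.bin")
    with open(path, "wb") as fh:
        # Constructed content; the MD5 of b"abc" is 900150983cd24fb0d6963f7d28e17f72.
        fh.write(b"abc")
    return path


if __name__ == "__main__":
    image = make_sample_image()
    # Assumed values: the published digest and the free space reported by the router.
    print(preflight_image(image, "900150983cd24fb0d6963f7d28e17f72", free_flash_bytes=1024))
```

Only copy when the returned `ok` flag is true; a digest mismatch means the file on the server is not the one the vendor published, whatever its name says.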

Exam Essentials

Understand configuration register commands and settings. The 0x2102 setting is the default on all Cisco routers and tells the router to look in NVRAM for the boot sequence. 0x2101 tells the router to boot from ROM, and 0x2142 tells the router not to load the startup-config in NVRAM to provide password recovery.

Perform password recovery. The steps in the password recovery process are interrupt the router boot sequence, change the configuration register, reload the router and enter privileged mode, copy the startup-config file to running-config and verify that your interfaces are re-enabled, change/set the password, save the new configuration, reset the configuration register, and reload the router.

Restore or upgrade an IOS image. By using the privileged-mode command copy tftp flash, you can restore or upgrade a file from a TFTP (network) server to flash memory.

Describe best practices to prepare to back up an IOS image to a network server. Make sure that you can access the network server, ensure that the network server has adequate space for the code image, and verify the file naming and path requirement.

Understand and use Cisco IFS file system management commands. The commands to use are dir, copy, more, delete, erase or format, cd and pwd, and mkdir and rmdir, as well as system:running-config and nvram:startup-config.

Use Cisco IOS tools to troubleshoot and resolve problems

To assist with the process of maintaining the network, you have a number of IOS tools at your disposal to assist you in troubleshooting and resolving issues. In the following sections I'll add some detail to the use of some tools I have already mentioned and introduce some additional tools that are available to you.

Ping and Traceroute with Extended Option

You can use the ping and traceroute commands to test connectivity to remote devices, and both of them can be used with many protocols, not just IP. But don't forget that the show ip route command is a great troubleshooting command for verifying your routing table and the show interfaces command will reveal the status of each interface to you.

Using the ping Command

So far, you've seen lots of examples of pinging devices to test IP connectivity and name resolution using the DNS server. To see all the different protocols that you can use with the Ping program, type ping ?:

SW-1#ping ?
  WORD  Ping destination address or hostname
  clns  CLNS echo
  ip    IP echo
  ipv6  IPv6 echo
  tag   Tag encapsulated IP echo
  <cr>

The ping output displays the minimum, average, and maximum times it takes for a ping packet to find a specified system and return. Here's an example:

SW-1#ping SW-3
Translating "SW-3"...domain server (4.4.4.4) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.128.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

This output tells us that the DNS server was used to resolve the name and the device was pinged in a minimum of 28 ms (milliseconds), an average of 31 ms, and up to 32 ms. This network has some latency!
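When ping runs from a script rather than by hand, the summary line is what you act on. The following added example (mine, not from the book) parses that line from IOS ping output and raises an alert on packet loss or on average latency above a threshold. The sample outputs are constructed: the first is the successful ping shown above, the second is a 0 percent result in the same format, where IOS prints no round-trip figures at all, which the parser has to tolerate. The thresholds are assumptions.

```python
import re

# Summary line printed by IOS ping; the round-trip part is absent when nothing came back.
SUMMARY_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<received>\d+)/(?P<sent>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?"
)

# Constructed sample output: the successful ping from the text, then a failed one.
PING_OK = """Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.128.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
"""

PING_FAIL = """Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.128.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
"""


def parse_ping(output):
    """Extract sent/received counts and the min/avg/max round-trip times (None if absent)."""
    # Collapse whitespace so a summary wrapped over two lines in a pasted log still matches.
    flat = " ".join(output.split())
    m = SUMMARY_RE.search(flat)
    if m is None:
        raise ValueError("no ping summary line found")
    result = {
        "sent": int(m["sent"]),
        "received": int(m["received"]),
        "success_pct": int(m["pct"]),
    }
    if m["min"] is not None:
        result["rtt_ms"] = (int(m["min"]), int(m["avg"]), int(m["max"]))
    else:
        result["rtt_ms"] = None
    return result


def evaluate_ping(output, max_avg_ms=100, min_success_pct=100):
    """Return the parsed result plus an 'alert' flag for loss or latency above threshold."""
    r = parse_ping(output)
    latency_bad = r["rtt_ms"] is not None and r["rtt_ms"][1] > max_avg_ms
    r["alert"] = r["success_pct"] < min_success_pct or latency_bad
    return r


if __name__ == "__main__":
    print(evaluate_ping(PING_OK))
    print(evaluate_ping(PING_FAIL))
```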

Using the traceroute Command

Traceroute—the traceroute command, or trace for short—shows the path a packet takes to get to a remote device. It uses time to live (TTL), time-outs, and ICMP error messages to outline the path a packet takes through an internetwork to arrive at a remote host.

The trace command, which you can deploy from either user mode or privileged mode, allows you to figure out which router in the path to an unreachable network host should be examined more closely as the probable cause of your network's failure.

To see the protocols that you can use with the traceroute command, type traceroute ?:

SW-1#traceroute ?
  WORD       Trace route to destination address or hostname
  appletalk  AppleTalk Trace
  clns       ISO CLNS Trace
  ip         IP Trace
  ipv6       IPv6 Trace
  ipx        IPX Trace
  mac        Trace Layer2 path between 2 endpoints
  oldvines   Vines Trace (Cisco)
  vines      Vines Trace (Banyan)
  <cr>

The traceroute command shows the hop or hops that a packet traverses on its way to a remote device.

Here's an example of using tracert on a Windows prompt—notice that the command is tracert, not traceroute:

C:>tracert www.whitehouse.gov

Tracing route to a1289.g.akamai.net [69.8.201.107]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    53 ms    61 ms    53 ms  hlrn-dsl-gw15-207.hlrn.qwest.net [207.225.112.207]
  3    53 ms    55 ms    54 ms  hlrn-agw1.inet.qwest.net [71.217.188.113]
  4    54 ms    53 ms    54 ms  hlr-core-01.inet.qwest.net [205.171.253.97]
  5    54 ms    53 ms    54 ms  apa-cntr-01.inet.qwest.net [205.171.253.26]
  6    54 ms    53 ms    53 ms  63.150.160.34
  7    54 ms    54 ms    53 ms  www.whitehouse.gov [69.8.201.107]

Trace complete.
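The text says traceroute builds the path out of TTL, time-outs and ICMP error messages. The following added example (my own code, not from the book or any traceroute implementation) simulates that mechanism: each router on a constructed path decrements the TTL, the router where it reaches zero answers with an ICMP Time Exceeded message carrying its own address, and the sender raises the TTL one step at a time until the destination itself answers. One router is set to stay silent, which is why a hop prints as "*" just like hop 1 in the Windows output above. The path uses documentation addresses and is an assumption, as is the single probe per TTL (real traceroute sends three).

```python
from dataclasses import dataclass


@dataclass
class Router:
    address: str
    answers_probes: bool = True  # routers that drop or rate-limit ICMP errors show up as '*'


def send_probe(path, destination, ttl):
    """Forward one probe along the path, decrementing TTL at each router as IP does.

    Returns ("time_exceeded", address) when the TTL hits zero at a router that sends the
    ICMP Time Exceeded message, ("timeout", None) when that router stays silent, and
    ("reached", destination) when the probe arrives at the end host.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router.answers_probes:
                return ("time_exceeded", router.address)
            return ("timeout", None)
    return ("reached", destination)


def traceroute(path, destination, max_hops=30):
    """Probe with TTL 1, 2, 3, ... recording who answered; stop at the destination or max_hops."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, address = send_probe(path, destination, ttl)
        hops.append("*" if address is None else address)
        if kind == "reached":
            break
    return hops


# Constructed path (RFC 5737 documentation addresses): the first router never answers probes.
SAMPLE_PATH = [
    Router("192.0.2.1", answers_probes=False),
    Router("198.51.100.1"),
    Router("203.0.113.1"),
]
SAMPLE_DESTINATION = "203.0.113.50"


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(SAMPLE_PATH, SAMPLE_DESTINATION), start=1):
        print(f"{n:>3}  {hop}")
```

The silent hop illustrates why a "*" in real output is not proof of a failure at that router: the packet was forwarded, only the error message was withheld. The max_hops cap is what stops a trace toward an unreachable host from running forever.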

Terminal Monitor

One of the locations to which the logging system can direct system messages is the terminal monitor. When you're connected to the device remotely, system messages will not appear on the screen as they normally do unless you have directed the messages to the terminal. Setting the system to do so is covered in the section “Syslog” earlier in this chapter.

Log Events

Cisco devices send all log messages of the severity level you've chosen to the console. They'll also go to the buffer, and both happen by default. Events stored in the log can be extremely helpful in troubleshooting an issue. A detailed coverage of logging is in the section “Syslog” earlier in this chapter.

Local SPAN

A traffic sniffer can be a valuable tool for monitoring and troubleshooting your network. However, since switches were introduced into our networks more than 20 years ago, troubleshooting has become more difficult since we can't just plug an analyzer into a switch port and be able to read all the network traffic. Before we had switches, we used hubs, and when a hub receives a digital signal on one port, the hub sends out a copy of that digital signal on all ports except the port where the hub received the signal. This allows a traffic sniffer that is connected to a hub port to receive all traffic in the network.

Modern local networks are essentially switched networks. After a switch boots, it starts to build up a layer 2 forwarding table based on the source MAC addresses of the different packets that the switch receives. After the switch builds this forwarding table, it then forwards traffic that is destined for a MAC address directly to the exit port. By default, this prevents a traffic sniffer that is connected to another port from receiving the unicast traffic. The SPAN feature was therefore introduced on switches to help solve this problem.

The SPAN feature allows you to analyze network traffic passing through a port by sending a copy of the traffic to another port on the switch that has been connected to a network analyzer or other monitoring device. SPAN copies the traffic that the device receives and/or sends on source ports to a destination port for analysis.

For example, if you would like to analyze the traffic flowing from PC1 to PC2 shown in Figure 7.7, you need to specify a source port of where you want to capture the data. You can either configure the interface Fa0/1 to capture the ingress traffic or the interface Fa0/3 to capture the egress traffic—your choice! Second, specify the destination port interface where the sniffer is connected and will capture the data, in this example Fa0/2. The traffic flowing from PC1 to PC2 will then be copied to that interface, and you will be able to analyze it with a traffic sniffer.

Figure 7.7 Using SPAN for troubleshooting

The following steps will configure SPAN on S1:

Step 1: Associate a SPAN session number with the source port of what you want to monitor:

S1(config)#monitor session 1 source interface f0/1

Step 2: Associate a SPAN session number with the destination interface:

S1(config)#monitor session 1 dest interface f0/2

Step 3: Verify that the SPAN session has been configured correctly:

S1(config)#do sh monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1
Destination Ports      : Fa0/2
    Encapsulation      : Native
          Ingress      : Disabled

Now connect up your network analyzer into port F0/2 and enjoy!
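To make the two points above concrete, that a switch's MAC learning hides unicast traffic from a sniffer and that SPAN restores visibility by copying it, here is an added example of a toy switch model in Python. It is my own illustration, not Cisco code and not a description of how IOS is implemented. It learns source MACs per port, forwards known unicast to a single port, floods unknown destinations, and, once a session like the one configured on S1 exists, mirrors frames received on or sent out of the source port ("Both") to the destination port. Port names follow Figure 7.7; the MAC addresses come from the documentation range and are constructed. That a SPAN destination port carries only mirrored copies and no normal forwarded traffic is modelled as an assumption of the toy.

```python
class Switch:
    """Toy layer 2 switch: MAC learning, unicast forwarding, flooding, and local SPAN."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC -> port, learned from source addresses of received frames
        self.sessions = {}    # session number -> {"source": port, "dest": port}

    def configure_span(self, session, source, dest):
        """Equivalent of 'monitor session N source interface X' plus '... destination interface Y'."""
        if source == dest or source not in self.ports or dest not in self.ports:
            raise ValueError("SPAN source and destination must be distinct switch ports")
        self.sessions[session] = {"source": source, "dest": dest}

    def _span_destinations(self):
        return {s["dest"] for s in self.sessions.values()}

    def receive(self, ingress, src_mac, dst_mac):
        """Process one frame; return {port: reason} for every port the frame leaves on."""
        self.mac_table[src_mac] = ingress          # learn where the sender lives
        span_dests = self._span_destinations()
        out = {}
        egress = self.mac_table.get(dst_mac)
        if egress is not None:
            # Known destination: one exit port, so a sniffer elsewhere sees nothing.
            if egress != ingress and egress not in span_dests:
                out[egress] = "forward"
        else:
            # Unknown destination: flood, except to SPAN destination ports (assumption of the toy).
            for port in self.ports:
                if port != ingress and port not in span_dests:
                    out[port] = "flood"
        # "Both" direction: mirror frames received on the source port and frames sent out of it.
        for s in self.sessions.values():
            if ingress == s["source"] or s["source"] in out:
                out[s["dest"]] = "span"
        return out

    def show_monitor(self, session):
        """A cut-down version of the 'show monitor' summary for one session."""
        s = self.sessions[session]
        return (f"Session {session}\nType : Local Session\n"
                f"Source Ports :\n    Both : {s['source']}\nDestination Ports : {s['dest']}")


# Constructed hosts: PC1 on Fa0/1, PC2 on Fa0/3, sniffer on Fa0/2 (as in Figure 7.7).
PC1 = "00:00:5e:00:53:01"
PC2 = "00:00:5e:00:53:02"


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/3", PC2, PC1))   # PC1 unknown yet: flooded, sniffer sees it
    print(sw.receive("Fa0/1", PC1, PC2))   # both known: only Fa0/3, sniffer sees nothing
    sw.configure_span(1, "Fa0/1", "Fa0/2")
    print(sw.receive("Fa0/1", PC1, PC2))   # forwarded to Fa0/3 and copied to Fa0/2
    print(sw.show_monitor(1))
```

Run the model in the order shown and the second frame is the one that explains the whole section: both MACs are learned, so the frame goes only to Fa0/3 and the sniffer on Fa0/2 is blind until the SPAN session exists.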

Exam Essentials

Describe the function of the ping command. Packet Internet Groper (ping) uses ICMP echo requests and ICMP echo replies to verify an active IP address on a network.

Ping a valid host ID from the correct prompt. You can ping an IP address from a router's user mode or privileged mode but not from configuration mode, unless you use the do command. You must ping a valid address, such as 1.1.1.1.

Describe network programmability in enterprise network architecture

Right now, in our current, traditional networks, our router and switch ports are the only devices that are not virtualized. So this is what we're really trying to do here—virtualize our physical ports.

First, understand that our current routers and switches run an operating system, such as Cisco IOS, that provides network functionality. This has worked well for us for 25 years or so, but it is way too cumbersome now to configure, implement, and troubleshoot these autonomous devices in today's large, complicated networks. Before you even get started, you have to understand the business requirements and then push that out to all the devices. This can take weeks or even months since each device is configured, maintained, and monitored separately.

Before we can talk about the new way to network our ports, you need to understand how our current networks forward data, which happens via these two planes:

Data plane This plane, also referred to as the forwarding plane, is physically responsible for forwarding frames or packets from its ingress to egress interfaces using protocols managed in the control plane. Here, data is received, the destination interface is looked up, and the forwarding of frames and packets happens, so the data plane relies completely on the control plane to provide solid information.

Control plane This plane is responsible for managing and controlling any forwarding table that the data plane uses. For example, routing protocols such as OSPF, EIGRP, RIP, and BGP as well as IPv4 ARP, IPv6 NDP, switch MAC address learning, and STP are all managed by the control plane.

Now that you understand that there are two planes used to forward traffic in our current or legacy network, let's take a look at the future of networking.

Function of a Controller

If you have worked on any enterprise Wi-Fi installations in the last decade, you would have designed your physical network and then configured a type of network controller that managed all the wireless APs in the network. It's hard to imagine that anyone would install a wireless network today without some type of controller in an enterprise network, where the access points (APs) receive their directions from the controller on how to manage the wireless frames and the APs have no operating system or brains to make many decisions on their own.

The same is now true for our physical router and switch ports, and it's precisely this centralized management of network frames and packets that Software Defined Networking (SDN) provides to us.

Separation of Control Plane and Data Plane

SDN removes the control plane intelligence from the network devices by having a central controller manage the network instead of having a full operating system (Cisco IOS, for example) on the devices. In turn, the controller manages the network by separating the control and data (forwarding) planes, which automates configuration and the remediation of all devices.

So instead of the network devices each having individual control planes, we now have a centralized control plane, which consolidates all network operations in the SDN controller. APIs allow for applications to control and configure the network without human intervention. The APIs are another type of configuration interface just like the CLI, SNMP, or GUI interfaces, which facilitate machine-to-machine operations.

The SDN architecture slightly differs from the architecture of traditional networks by adding a third layer, the application plane, as described here and shown in Figure 7.8:

Data (or forwarding) plane Contains network elements, meaning any physical or virtual device that deals with data traffic.

Control plane Usually a software solution, the SDN controllers reside here to provide centralized control of the router and switches that populate the data plane, removing the control plane from individual devices.

Application plane This new layer contains the applications that communicate their network requirements toward the controller using APIs.

Figure shows the traditional network architecture having control plane and data plane, while SDN architecture having application plane, control plane, and data plane.
Figure 7.8 The SDN architecture

SDN is pretty cool because your applications tell the network what to do based on business needs instead of you having to do it. Then the controller uses the APIs to pass instructions on to your routers, switches, or other network gear. So instead of taking weeks or months to push out a business requirement, the solution now only takes minutes.

Northbound and Southbound APIs

There are two sets of APIs that SDN uses and they are very different. As you already know, the SDN controller uses APIs to communicate with both the application and data planes. Communication with the data plane is defined with southbound interfaces, while services are offered to the application plane using the northbound interface. Let's take a deeper look at this oh-so-vital CCNA objective.

Southbound APIs

Logical southbound interface (SBI) APIs (or device-to-control-plane interfaces) are used for communication between the controllers and network devices. They allow the two devices to communicate so that the controller can program the data plane forwarding tables of your routers and switches. SBIs are pictured in Figure 7.9.

Figure shows southbound APIs acting as communicators between controllers and network devices.
Figure 7.9 Southbound interfaces

Since all the network drawings had the network gear below the controller, the APIs that talked to the devices became known as southbound, meaning, “out the southbound interface of the controller.” And don't forget that with SDN, the term interface is no longer referring to a physical interface!

Unlike northbound APIs, southbound APIs have many standards, and you absolutely must know them well for the objectives. Let's talk about them now:

OpenFlow Describes an industry-standard API, which the ONF (opennetworking.org) defines. It configures white label switches, meaning that they are nonproprietary, and as a result defines the flow path through the network. All the configuration is done through NETCONF.

NETCONF Although not all devices support NETCONF yet, what this provides is a network management protocol standardized by the IETF. Using RPC, you can install, manipulate, and delete the configuration of network devices using XML.

onePK A Cisco proprietary SBI that allows you to inspect or modify the network element configuration without hardware upgrades. This makes life easier for developers by providing software development kits for Java, C, and Python.

OpFlex The name of the southbound API in the Cisco ACI world is OpFlex, an open-standard, distributed control system. Understand that OpenFlow first sends detailed and complex instructions to the control plane of the network elements in order to implement a new application policy—something called an imperative SDN model. On the other hand, OpFlex uses a declarative SDN model because the controller, which Cisco calls the APIC, sends a more abstract, “summary policy” to the network elements. With a summary policy, the controller trusts the network elements to implement the required changes using their own control planes, since the devices use a partially centralized control plane.

Northbound APIs

To communicate from the SDN controller and the applications running over the network, you'll use northbound interfaces (NBIs), pictured in Figure 7.10.

Figure shows northbound APIs acting as communicators between controllers and applications running over the network.
Figure 7.10 Northbound interfaces

By setting up a framework that allows the application to demand the network setup with the configuration that it needs, the NBIs allow your applications to manage and control the network. This is priceless for saving time because you no longer need to adjust and tweak your network to get a service or application running correctly.

The NBI applications include a wide variety of automated network services, from network virtualization and dynamic virtual network provisioning to more granular firewall monitoring, user identity management, and access policy control. This allows for cloud orchestration applications that tie together server provisioning, storage, and networking, enabling a complete rollout of new cloud services in minutes instead of weeks!

Sadly, at this writing there is no single northbound interface that you can use for communication between the controller and all applications. So instead, you use various and sundry northbound APIs, with each one working only with a specific set of applications.

Most of the time, applications used by NBIs will be on the same system as the APIC controller, so the APIs don't need to send messages over the network since both programs run on the same system. However, if they don't reside on the same system, REST (Representational State Transfer) comes into play; it uses HTTP messages to transfer data over the API for applications that sit on different hosts.

Exam Essentials

Understand SDN. Understand how a controller works, and especially the control and data planes as well as the northbound and southbound APIs.

Review Questions

You can find the answers in the Appendix.

  1. How can you efficiently restrict the read-only function of a requesting SNMP management station based on the IP address?
    1. Place an ACL on the logical control plane.
    2. Place an ACL on the line when configuring the RO community string.
    3. Place an ACL on the VTY line.
    4. Place an ACL on all router interfaces.
  2. A switch is configured with the snmp-server community Cisco RO command running SNMPv2c. An NMS is trying to communicate to this router via SNMP, so what can be performed by the NMS? (Choose two.)
    1. The NMS can only graph obtained results.
    2. The NMS can graph obtained results and change the hostname of the router.
    3. The NMS can only change the hostname of the router.
    4. The NMS can use GETBULK and return many results.
  3. Which is true regarding SNMP? (Choose two.)
    1. SNMPv2c offers more security than SNMPv1.
    2. SNMPv3 uses TCP and introduced the GETBULK operation.
    3. SNMPv2c introduced the INFORM operation.
    4. SNMPv3 provides the best security of the three versions.
  4. Which of the following is a standards-based protocol that provides dynamic network discovery?
    1. DHCP
    2. LLDP
    3. DDNS
    4. SSTP
    5. CDP
  5. You are troubleshooting a connectivity problem in your corporate network and want to isolate the problem. You suspect that a router on the route to an unreachable network is at fault. What IOS user exec command should you issue?
    1. Router>ping
    2. Router>trace
    3. Router>show ip route
    4. Router>show interface
    5. Router>show cdp neighbors
  6. You copy a configuration from a network host to a router's RAM. The configuration looks correct, yet it is not working at all. What could the problem be?
    1. You copied the wrong configuration into RAM.
    2. You copied the configuration into flash memory instead.
    3. The copy did not override the no shutdown command in running-config.
    4. You copied the configuration into NVRAM.
  7. At which of the following prompts can you rename the router?
    1. router>
    2. router#
    3. router(config)#
    4. router(config-if)#
  8. The corporate office sends you a new router to connect, but upon connecting the console cable, you see that there is already a configuration on the router. What should be done before a new configuration is entered in the router?
    1. RAM should be erased and the router restarted.
    2. Flash should be erased and the router restarted.
    3. NVRAM should be erased and the router restarted.
    4. The new configuration should be entered and saved.
  9. What command can you use to determine the IP address of a directly connected neighbor?
    1. show cdp
    2. show cdp neighbors
    3. show cdp neighbors detail
    4. show neighbor detail
  10. According to the output, what interface does SW-2 use to connect to SW-3?

    SW-3#sh cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID   Local Intrfce     Holdtme    Capability  Platform  Port ID
    SW-1        Fas 0/1           170          S I       WS-C3560- Fas 0/15
    SW-1        Fas 0/2           170          S I       WS-C3560- Fas 0/16
    SW-2        Fas 0/5           162          S I       WS-C3560- Fas 0/2


    1. Fas 0/1
    2. Fas 0/16
    3. Fas 0/2
    4. Fas 0/5