In this post we look at the initial configuration of a switch (the same steps also apply to a router).
We work through the to-do list step by step:
- Hostname
- Console password
- Telnet password
- Enable password
- Management IP address (VLAN 1)
- Default gateway
- Shutdown
- Login banner
- Saving configuration
1. First we give the switch a name, using the hostname command in global configuration mode. Every company will have its own naming scheme (e.g. location, floor, switch number, etc.). In our case we use a very simple name.

```
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname ?
  WORD  This system's network name
Switch(config)#hostname LabSwitch
LabSwitch(config)#
```
2. There are five passwords that protect a Cisco device: console, auxiliary, vty (telnet), enable password and enable secret. To set the password for the console user mode, we enter console line configuration mode.

```
LabSwitch(config)#line console ?
  First Line number
LabSwitch(config)#line console 0
LabSwitch(config-line)#password ?
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) line password
LabSwitch(config-line)#password cisco
LabSwitch(config-line)#end
LabSwitch#
%SYS-5-CONFIG_I: Configured from console by console
LabSwitch#
```
But the switch still does not ask us for a password. Why? Quite simply, we forgot to tell the switch to actually check the password.

```
LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#line console 0
LabSwitch(config-line)#?
Line configuration commands:
  ...
  login         Enable password checking
  ...
LabSwitch(config-line)#login
LabSwitch(config-line)#exec-timeout ?
  Timeout in minutes
LabSwitch(config-line)#exec-timeout 0 ?
  Timeout in seconds
LabSwitch(config-line)#exec-timeout 0 0
LabSwitch(config-line)#
```

- exec-timeout: sets the time after which the console is locked on inactivity. The first value gives the minutes, the second the seconds. If both values are 0, the console is never locked.
3. Telnet allows us to manage the switch remotely. The password is set in line mode. Two parameters are given when entering it: the first and the last line number.

```
LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#line ?
  First Line number
  console  Primary terminal line
  vty      Virtual terminal
LabSwitch(config)#line vty ?
  First Line number
LabSwitch(config)#line vty 0 ?
  Last Line number
LabSwitch(config)#line vty 0 15
LabSwitch(config-line)#password cisco
LabSwitch(config-line)#
```

- The VTY lines do not need a login command; it is set by default.

```
LabSwitch#show running-config | begin line vty
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end
LabSwitch#
```
4. The enable password protects the transition from user mode to privileged mode. It is similar to the other passwords, but it is set from global configuration mode because it affects the entire device. The enable password and enable secret commands do the same thing:
- enable password stores the password in cleartext.
- enable secret stores the password as an MD5 hash.

```
LabSwitch(config)#enable ?
  password  Assign the privileged level password
  secret    Assign the privileged level secret
LabSwitch(config)#enable password ?
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password
LabSwitch(config)#enable password cisco
LabSwitch(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  5      Specifies an ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
LabSwitch(config)#enable secret c1sc0
LabSwitch(config)#^Z
%SYS-5-CONFIG_I: Configured from console by console
LabSwitch#show running-config
Building configuration...
...
!
hostname LabSwitch
!
enable secret 5 $1$mERr$fUHfKnbAzwSaPfCLSoNMr1
enable password cisco
!
LabSwitch#
```

Once the enable secret is set, the cleartext enable password no longer takes effect, because Cisco prefers the more secure method.
The console password, the Telnet password and the enable password are all saved in cleartext; Cisco has a command that encrypts those passwords:

```
LabSwitch(config)#service ?
  password-encryption  Encrypt system passwords
  timestamps           Timestamp debug/log messages
LabSwitch(config)#service password-encryption
LabSwitch(config)#
```
5. Assigning an IP address to a switch is tied to a VLAN; by default all switch ports are part of VLAN 1.

```
LabSwitch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
...
...
LabSwitch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#interface vlan 1
LabSwitch(config-if)#ip address ?
  A.B.C.D  IP address
  dhcp     IP Address negotiated via DHCP
LabSwitch(config-if)#ip address 172.16.30.11 255.255.255.0
LabSwitch(config-if)#no shutdown
LabSwitch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
LabSwitch(config-if)#
```
6. Next we set the default gateway, which lets you manage the switch from outside its own LAN. The default gateway is the IP address of the router interface through which traffic leaves your network.

```
LabSwitch(config)#ip default-gateway ?
  A.B.C.D  IP address of default gateway
LabSwitch(config)#ip default-gateway 172.16.30.1
LabSwitch(config)#
```

Now the switch knows how to get off its own network.
7. The shutdown command turns an interface off; its negated form (no shutdown) turns it back on. To shut down an interface:

```
LabSwitch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual down                  down
FastEthernet0/2        unassigned      YES manual down                  down
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual down                  down
FastEthernet0/5        unassigned      YES manual down                  down
FastEthernet0/6        unassigned      YES manual down                  down
FastEthernet0/7        unassigned      YES manual down                  down
FastEthernet0/8        unassigned      YES manual down                  down
FastEthernet0/9        unassigned      YES manual down                  down
FastEthernet0/10       unassigned      YES manual down                  down
 --More--
LabSwitch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#interface fastEthernet 0/1
LabSwitch(config-if)#shutdown

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
MainSwitch(config-if)#
```

You can also shut down a list of interfaces using the range argument:

```
LabSwitch(config)#interface range fastEthernet 0/1 - 10
LabSwitch(config-if-range)#shutdown

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
LabSwitch(config-if-range)#
```

- Notice that the syslog messages tell you what is really happening on the device.
8. There is more than one banner type on a Cisco device; here we focus on the motd banner (Message Of The Day).

```
LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#banner ?
  motd  Set Message of the Day banner
  ...
LabSwitch(config)#banner motd ?
  LINE  c banner-text c, where 'c' is a delimiting character
LabSwitch(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Welcome To The MainSwitch
Unauthorized Access Prohibited
#
LabSwitch(config)#
```

Here # is the delimiting character (it marks the beginning and the end of the message). When you then connect to the switch:

```
Welcome To The LabSwitch
Unauthorized Access Prohibited

User Access Verification

Password:
```
9. Finally, the important part is to save the configuration: the running-config lives in RAM, not in NVRAM (non-volatile memory), where the startup-config is stored:

```
LabSwitch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
LabSwitch#
LabSwitch#write memory
Building configuration...
[OK]
LabSwitch#
LabSwitch#wr
Building configuration...
[OK]
LabSwitch#
```

- write memory (or wr for short) does the same as copy running-config startup-config.
10. To verify your configuration, use the show commands:

```
LabSwitch#show running-config
Building configuration...

Current configuration : 1263 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname LabSwitch
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
!
...
```
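Reading show running-config by eye is fine for one lab switch, but the settings from steps 2 to 4 are easy to verify automatically. The following audit script is an added example, not part of the original post: it splits a saved running-config into global commands and per-line sections, then flags a missing login, cleartext (type 0) line passwords, type 7 passwords produced by service password-encryption (which are reversible obfuscation, not a hash), a remaining enable password, and an exec-timeout of 0 that never locks the line. The sample config and its type-5 hash are constructed placeholders.

```python
import re
# Constructed sample running-config modelled on this post (the type-5 hash is a placeholder).
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER
enable password cisco
line con 0
 password cisco
 login
 exec-timeout 0 0
line vty 0 4
 password 7 0822455D0A16
 login
line vty 5 15
 password cisco
"""

def parse_config(config):
    """Split an IOS config into global commands and the commands under each 'line' section."""
    glob, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            glob.append(raw.strip())
    return glob, sections

def audit_config(config):
    """Return findings for the settings this post configures (an empty list means clean)."""
    glob, sections = parse_config(config)
    findings = []
    if "no service password-encryption" in glob:
        findings.append("global: service password-encryption is off, line passwords show in cleartext")
    if any(g.startswith("enable password ") for g in glob):
        findings.append("global: enable password is set, use enable secret instead")
    for name, body in sections.items():
        if not any(cmd == "login" or cmd.startswith("login ") for cmd in body):
            findings.append(f"{name}: 'login' missing, the line password is never checked")
        for cmd in body:
            # 'password X' without a '7 ' type prefix is stored exactly as typed (type 0)
            if re.match(r"password (?!7 )", cmd):
                findings.append(f"{name}: cleartext (type 0) line password")
            elif cmd.startswith("password 7 "):
                findings.append(f"{name}: type 7 password is reversible obfuscation, not a hash")
            elif re.match(r"exec-timeout 0( 0)?$", cmd):
                findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
    return findings
```

Run audit_config on the text of show running-config; a line using login local with username ... secret and a non-zero exec-timeout produces no findings.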