Base Switch Configuration

In this post we look at the initial configuration of a switch (the same steps also apply to a router).

We go through the to-do list step by step:

  1. Hostname
  2. Console password
  3. Telnet password
  4. Enable password
  5. Management IP address (VLAN 1)
  6. Default gateway
  7. Shutdown
  8. Login banner
  9. Saving configuration
  10. Verifying configuration

1. First we give the switch a name. For this we use the hostname command in global configuration mode. Every company will have its own naming scheme (e.g. site, floor, switch number, etc.). In our case we use a very simple name.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname ?
  WORD  This system's network name
Switch(config)#hostname LabSwitch
LabSwitch(config)#

2. There are five places a password can be set on a Cisco device: the console line, the auxiliary line, the vty lines (Telnet), enable password and enable secret. To set the password for user mode on the console, we enter line configuration mode for the console line.

LabSwitch(config)#line console ?
    First Line number
LabSwitch(config)#line console 0
LabSwitch(config-line)#password ?
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) line password
LabSwitch(config-line)#password cisco
LabSwitch(config-line)#end
LabSwitch#
%SYS-5-CONFIG_I: Configured from console by console
 
LabSwitch#

But the switch still does not prompt us for a password. Why? Quite simply: we forgot to tell the switch that it should actually check the password.

LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#line console 0
LabSwitch(config-line)#?
Line configuration commands:
  ...
  login         Enable password checking
  ...
LabSwitch(config-line)#login
LabSwitch(config-line)#exec-timeout ?
    Timeout in minutes
LabSwitch(config-line)#exec-timeout 0 ?
    Timeout in seconds
 
LabSwitch(config-line)#exec-timeout 0 0
LabSwitch(config-line)#
  • exec-timeout: sets the idle time after which the console session is closed. The first value is minutes, the second seconds. If both values are 0, the session never times out. That is convenient in a lab, but on a production device a console session that stays logged in indefinitely is a risk; keep a finite timeout there (the default is 10 minutes).

3. Telnet allows us to manage the switch remotely. The password is again set in line mode, but this time two parameters are given when entering it: the first and the last line number. Keep in mind that Telnet sends the password and the whole session in cleartext over the network; on a production device you would enable SSH and limit the vty lines to it with transport input ssh.

LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#line ?
     First Line number
  console  Primary terminal line
  vty      Virtual terminal
LabSwitch(config)#line vty ?
    First Line number
LabSwitch(config)#line vty 0 ?
    Last Line number
 
LabSwitch(config)#line vty 0 15
LabSwitch(config-line)#password cisco
LabSwitch(config-line)#
  • The vty lines do not need the login command; it is set on them by default, as the following show command confirms.
LabSwitch#show running-config | begin line vty
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end
 
LabSwitch#

4. enable password protects the transition from user mode into privileged mode. It is similar to the other passwords, but it is set from global configuration mode because it affects the whole device. The enable password and enable secret commands serve the same purpose but store the password differently:

  • enable password stores the password in cleartext.
  • enable secret stores only an MD5 hash of the password (shown as type 5 in the configuration). MD5 is fast to brute-force, so newer IOS releases also offer the stronger type 8 (PBKDF2-SHA256) and type 9 (scrypt) secrets; use those where the platform supports them.
LabSwitch(config)#enable ?
  password  Assign the privileged level password
  secret    Assign the privileged level secret
LabSwitch(config)#enable password ?
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password
LabSwitch(config)#enable password cisco
LabSwitch(config)#enable secret ?
  0      Specifies an UNENCRYPTED password will follow
  5      Specifies an ENCRYPTED secret will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' secret
  level  Set exec level password
LabSwitch(config)#enable secret c1sc0
LabSwitch(config)#^Z
%SYS-5-CONFIG_I: Configured from console by console
 
LabSwitch#show running-config
Building configuration...
...
!
hostname LabSwitch
!
enable secret 5 $1$mERr$fUHfKnbAzwSaPfCLSoNMr1
enable password cisco
!
 
LabSwitch#

Once an enable secret is set, the enable password is ignored: IOS only checks the secret, since it prefers the more secure option. The cleartext enable password then serves no purpose and should be removed with no enable password, so that it cannot leak from a configuration backup.

The console and Telnet passwords, as well as enable password, are all stored in cleartext in the configuration. Cisco has a command that hides them. Be aware of what it actually does: the passwords are stored as type 7, a reversible XOR against a fixed key, not a real cipher. It only stops someone reading a password off the screen over your shoulder; anyone who obtains a copy of the configuration can recover the cleartext in seconds. The enable secret hash is not affected by this setting.

LabSwitch(config)#service ?
  password-encryption  Encrypt system passwords
  timestamps           Timestamp debug/log messages
LabSwitch(config)#service password-encryption
LabSwitch(config)#
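To see how little protection service password-encryption gives, here is an added example (not code from the original post) that decodes type 7 strings offline. XLAT is the well-known fixed key IOS uses for this scheme; the config fragment in the block is constructed for the demonstration, and 0822455D0A16 is the value that appears as enable password 7 in the show running-config output at the end of this post.

```python
"""Decode Cisco IOS "type 7" passwords (the output of service password-encryption).

Added example, not from the original post. It shows that type 7 is a
fixed-key XOR obfuscation, not encryption. SAMPLE_CONFIG below is
constructed; 0822455D0A16 is the value the post's own 'show running-config'
output shows for 'enable password 7 ...'.
"""
import re

# Fixed XOR key used by IOS for type 7. The first two digits of a type 7
# string are the decimal offset into this key at which XORing starts.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the cleartext behind a type 7 string such as '0822455D0A16'."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2])          # starting index into XLAT
    body = bytes.fromhex(encoded[2:])  # one byte per cleartext character
    return "".join(
        chr(byte ^ ord(XLAT[(offset + i) % len(XLAT)]))
        for i, byte in enumerate(body)
    )


def encode_type7(cleartext: str, offset: int = 8) -> str:
    """Inverse of decode_type7; the scheme is a symmetric XOR."""
    if not 0 <= offset < len(XLAT):
        raise ValueError("offset must lie inside the key")
    out = [f"{offset:02d}"]
    for i, ch in enumerate(cleartext):
        out.append(f"{ord(ch) ^ ord(XLAT[(offset + i) % len(XLAT)]):02X}")
    return "".join(out)


def type7_passwords(config: str) -> dict:
    """Find every 'password 7 <hex>' line (line or enable password) in a
    running-config and return {stripped config line: recovered cleartext}."""
    found = {}
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            found[line.strip()] = decode_type7(m.group(1))
    return found


# Constructed config fragment in the shape of the post's output.
SAMPLE_CONFIG = """\
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, clear in type7_passwords(SAMPLE_CONFIG).items():
        print(f"{line:40} -> {clear}")
```

Running it recovers cisco for both lines, which is exactly the password set in steps 2 and 4; the enable secret line is untouched because the hash cannot be reversed this way. Any configuration backup, TFTP copy or screenshot that contains a type 7 string therefore leaks the password, so treat service password-encryption as cosmetic and rely on enable secret for the privileged password.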

5. The IP address of a switch is assigned to a VLAN interface rather than to a physical port. By default all switch ports belong to VLAN 1, so for this lab the management address goes on interface vlan 1. On a production switch you would put management on a dedicated VLAN instead of VLAN 1, which by default carries every untagged user port.

LabSwitch#show vlan
 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig1/1, Gig1/2
...
...
LabSwitch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#interface vlan 1
LabSwitch(config-if)#ip address ?
  A.B.C.D  IP address
  dhcp     IP Address negotiated via DHCP
LabSwitch(config-if)#ip address 172.16.30.11 255.255.255.0
LabSwitch(config-if)#no shutdown
 
LabSwitch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
 
LabSwitch(config-if)#

6. Next, the default gateway, which lets you manage the switch from outside its own subnet (really remotely, beyond the LAN). The default gateway is the IP address of the router interface on the management VLAN, the path out of your network.

LabSwitch(config)#ip default-gateway ?
  A.B.C.D  IP address of default gateway
LabSwitch(config)#ip default-gateway 172.16.30.1
LabSwitch(config)#

Now the switch knows how to reach networks other than its own.

7. The shutdown command disables an interface (administratively down); the negated form, no shutdown, enables it again. To shut down a single interface:

LabSwitch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES manual down                  down
FastEthernet0/2        unassigned      YES manual down                  down
FastEthernet0/3        unassigned      YES manual down                  down
FastEthernet0/4        unassigned      YES manual down                  down
FastEthernet0/5        unassigned      YES manual down                  down
FastEthernet0/6        unassigned      YES manual down                  down
FastEthernet0/7        unassigned      YES manual down                  down
FastEthernet0/8        unassigned      YES manual down                  down
FastEthernet0/9        unassigned      YES manual down                  down
FastEthernet0/10       unassigned      YES manual down                  down
 --More--
LabSwitch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#interface fastEthernet 0/1
LabSwitch(config-if)#shutdown
 
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
LabSwitch(config-if)#

You can also shut down a list of interfaces at once with the range argument:

LabSwitch(config)#interface range fastEthernet 0/1 - 10
LabSwitch(config-if-range)#shutdown
 
%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down
LabSwitch(config-if-range)#
  • Notice that the syslog messages tell you what is really happening on the device. Shutting down unused ports like this is a standard hardening step: a port that is administratively down cannot be used by someone who plugs into a free jack.

8. There is more than one banner type on a Cisco device; here we focus on the motd banner (Message Of The Day).

LabSwitch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LabSwitch(config)#banner ?
  motd  Set Message of the Day banner
  ...
LabSwitch(config)#banner motd ?
  LINE  c banner-text c, where 'c' is a delimiting character
LabSwitch(config)#banner motd #
Enter TEXT message.  End with the character '#'.
Welcome To The LabSwitch
Unauthorized Access Prohibited
#
 
LabSwitch(config)#

Here # is the delimiting character (it marks the beginning and the end of the message). So when you connect to the switch you see:

Welcome To The LabSwitch
Unauthorized Access Prohibited
 
User Access Verification
 
Password:

9. Finally, the important part is to save the configuration. The running-config lives in RAM, while the startup-config, which is loaded at boot, is stored in NVRAM (non-volatile memory); everything configured so far would be lost on a reload until it is copied there:

LabSwitch#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
LabSwitch#
LabSwitch#write memory
Building configuration...
[OK]
LabSwitch#
LabSwitch#wr
Building configuration...
[OK]
LabSwitch#
  • write memory (or wr for short) does the same as copy running-config startup-config.

10. To verify your configuration, use the show commands. A banner that greets visitors with "Welcome", as in this lab, is also worth reconsidering on real equipment: the banner is shown before any password is asked, so it should state that access is restricted and monitored rather than sound inviting, and it should not reveal the device's name or location.

LabSwitch#show running-config
Building configuration...
 
Current configuration : 1263 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname LabSwitch
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
!
...
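Reading a long running-config by eye is error-prone, so here is an added example (not code from the original post) that audits a saved copy of show running-config for the weak settings the steps above can leave behind: cleartext line passwords, a leftover enable password, a type 5 secret, a line with a password but no login, exec-timeout 0 0, and vty lines that still accept Telnet. SAMPLE_CONFIG is constructed to resemble the configuration built in this post (the secret hash is copied from its output); the severities and messages are my own choice.

```python
"""Audit a saved 'show running-config' for weak settings.

Added example, not code from the original post. SAMPLE_CONFIG is constructed
to resemble the configuration built in the post; multi-line banners are not
parsed and are left out of the sample for that reason.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def split_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level commands and indented sections.

    A section header ('line vty 0 4', 'interface Vlan1', ...) sits at column 0
    and its sub-commands are indented by one space."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(config: str) -> List[Finding]:
    """Return a list of (severity, message) findings; empty means clean."""
    findings: List[Finding] = []
    top, sections = split_sections(config)

    if "service password-encryption" not in top:
        findings.append(("MEDIUM", "service password-encryption is off; line passwords are stored in cleartext"))
    if not any(t.startswith("enable secret ") for t in top):
        findings.append(("HIGH", "no enable secret configured"))
    if any(t.startswith("enable password ") for t in top):
        findings.append(("MEDIUM", "enable password is set (type 0/7, recoverable); remove it once enable secret exists"))
    if any(t.startswith("enable secret 5 ") for t in top):
        findings.append(("LOW", "enable secret is type 5 (MD5); prefer type 8/9 if the IOS supports them"))

    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        has_password = any(b.startswith("password ") for b in body)
        has_login = any(b == "login" or b.startswith("login ") for b in body)
        if not has_login:
            what = "password set but never checked" if has_password else "no password check at all"
            findings.append(("HIGH", f"{header}: 'login' missing ({what})"))
        if any(re.fullmatch(r"exec-timeout 0( 0)?", b) for b in body):
            findings.append(("MEDIUM", f"{header}: exec-timeout 0 disables the idle timeout"))
        if header.startswith("line vty"):
            # IOS does not print the default transport, which allows Telnet.
            transport = [b for b in body if b.startswith("transport input ")]
            if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
                findings.append(("HIGH", f"{header}: Telnet (cleartext) is accepted; set 'transport input ssh'"))
    return findings


# Constructed to resemble the configuration built in this post.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
!
hostname LabSwitch
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password cisco
!
interface Vlan1
 ip address 172.16.30.11 255.255.255.0
!
ip default-gateway 172.16.30.1
!
line con 0
 password cisco
 login
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end
"""

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample it reports six findings: the missing service password-encryption, the leftover enable password, the MD5 secret, the disabled console timeout, and Telnet on both vty ranges. The parser relies on the one-space indentation IOS uses for sub-commands, so feed it the raw output of show running-config rather than a reformatted copy.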

 
