Shorthand: "conf t" = configure terminal; "enable" takes you to the # (privileged) prompt; "config" = global configuration mode; "exit" backs out one level
(config)interface range FastEthernet 0/x-y (lets you configure multiple ports at one time)
(config-if-range)switchport access vlan x (defines the vlan for all ports in the range)
set vlan 2 3/1-12
1. switch# configure terminal
2. switch(config)# interface {{type slot/port} | {port-channel number}}
3. switch(config-if)# switchport mode {access | trunk}
4. switch(config-if)# switchport access vlan vlan-id
enter the VLAN 1 configuration mode with the interface vlan 1 global configuration command.
assign an IP address with the ip address IP_ADDRESS SUBNET_MASK interface subcommand.
enable the VLAN 1 interface with the no shutdown interface subcommand.
copy running-config startup-config
From command terminal on workstation, type "sudo minicom -s"
This will allow you to set the terminal settings to connect to the Cisco switch
3. Press "A" to setup which serial port to use. For our CentOS systems, it should be /dev/ttyUSB0 (that is a zero)
4. Press "E" to change baud rate to 9600
5. Escape back and press F to turn off hardware flow control
6. "Save Setup to dfl"
7. Select Exit - this will take you to the normal minicom session
8. Power on switch, (plug it in), you should see the loading messages
9. If you see a message asking to start the "initial configuration dialogue" - type "no"
enable password "password"
enable secret student
crypto key generate rsa
line con 0
show mac address-table
Go to Services > DHCP and enable it; fill in the default gateway, the start IP (the first IP you want handed out), the subnet mask and the maximum number of hosts, then hit Save
server is the default pool: you can't change its name, but it can be set as a management pool
In the config menu go to the VLAN through int vlan (x), then ip helper-address (ip address)
Set the server pool up with an IP range, since it was overwriting
-show spanning-tree
Click on "Simulation"
Click "Edit Filters" and then "Show All/None" to turn off all protocols.
enable routing in the config menu with the command ip routing
don't forget no shut on vlan 1
if it isn't carrying VLANs, set it as access
show interfaces status
show spanning-tree bridge under root id
show vlan
config - spanning-tree vlan 170 priority 28672 (the priority must be a multiple of 4096; the default is 32768, so a lower value such as 28672 makes this switch root for VLAN 170)
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip nat inside
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip nat outside
R1(config-if)#exit
ip nat inside source static 10.0.0.2 50.0.0.1
4. Power off the switch while still connected to the console and minicom. (Just pull the plug!)
5. Hold the "mode" button and power on the switch (plug it in)
6. After about 15 seconds you should see output similar to:
The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:
flash_init
load_helper
boot
switch:
7. You are now in recovery mode. You will need to mount "flash" so you can work with the config files
type the command "flash_init" - this will initialize (aka mount) the flash file system
8. Once initialized, you should be able to use "dir flash:" to see the contents of flash
9. From here, you can delete the configuration (config.text) and the vlan database (vlan.dat) using the following commands:
del flash:config.text
del flash:vlan.dat
NOTE: on Catalyst Switches, these are synched with the configuration files in NVRAM - deleting them here will cause the switch to boot without a startup-config. So it will boot to the factory-fresh default config
10. Type "boot" and the switch will boot to its factory-fresh state! Type "N" for entering setup
Part 2: Configure basic switch settings
1. On the switch, set the following:
hostname to "SwitchX" where X is your (student 1's) Foster Workstation #
VLAN 1 IP address to 192.168.100.X where X is your (student 1's) Foster Workstation #
Set the "enable" password to one of your choosing (enable secret xxxxxxxx)
Only one student should know the password!
Set the console password:
line console 0
password xxxxxxxx
login
Only one student should know the password!
Set the switch to encrypt passwords in the config
service password-encryption
2. Save the settings to the startup configuration
copy running-config startup-config (or copy run start)
3. Type "exit" until you are logged out of the switch - it should now prompt you for a login (console password)
4. Screenshot: Showing Student 1's switch asking for login
Part 3: Configure Student 2's switch
Repeat Parts 1 and 2 on the other switch (this will be for student 2)
Screenshot: Showing Student 2's switch asking for login
Part 4: Password Recovery
1. Console into Student 1's switch again. The student who does not know the password to that switch will need to get access to it - without losing the configuration!
2. Power off switch - and power on again holding Mode button for ~15 seconds
3. From recovery mode:
Mount (initialize flash)
Rename (do not delete) config.text
e.g. "rename flash:config.text flash:config.old"
Type "boot" to load switch
4. Switch will now boot to default config (type no (N) for setup)
5. You are now able to access the switch (enable mode etc...) but the config is not loaded.
6. Next you will type rename flash:config.old flash:config.text to rename the configuration file with its original name.
Switch#rename flash:config.old flash:config.text
Destination filename [config.text]
!--- Press Return or Enter.
Switch#
7. Then, you can copy the former configuration file into running memory.
Switch#copy flash:config.text system:running-config
Destination filename [running-config]?
!--- Press Return or Enter.
8. The configuration file is now reloaded. You can overwrite the current passwords that you do not know. For example:
Sw1# conf t
!--- To overwrite existing secret password
Sw1(config)#enable secret <new_secret_password>
!--- To overwrite existing console password
Sw1(config)#line con 0
Sw1(config-line)#password <new_console_password>
9. Save new changes with "copy run start"
10. Reboot the switch with "reload" command
11. Switch will now allow you to login with new passwords!
Part 5: Reset Passwords on other switch
1. Repeat Part 4 on 2nd switch!
1. Define "Inside" and "Outside" interfaces
2. Create Address Pool named "test" for the Public IP addresses that 192.168 clients can use. It only has 1 IP in the pool (30.0.0.120)
R1(config)#ip nat pool test 30.0.0.120 30.0.0.120 netmask 255.0.0.0
3. Create an access-list that defines which internal IP's can use the Public IP pool test
R1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
4. Assign the pool and access rule to the interface with the nat statement; this says that access-list 1 (192.168 addresses) can be translated to the PAT IP from pool "test" when going from "inside" to "outside". Overload states that the IP can be used by many (up to 64,000) clients.
R1(config)#ip nat inside source list 1 pool test overload
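As an added example (not from these lab notes or from Cisco), the following Python model shows what the static translation from the "ip nat inside source static" lines above and the overloaded pool translation from steps 1-4 do to a packet in each direction. The constructed router holds the static entry 10.0.0.2 to 50.0.0.1, the single-address pool 30.0.0.120 and the access-list 1 match on 192.168.0.0/24 from the notes; the port-preservation and port-allocation rules are assumptions modelled on how IOS PAT behaves, not IOS code.

```python
import ipaddress


class NatRouter:
    """Toy model of IOS 'ip nat inside source' behaviour (added example, not IOS code).

    static: inside local -> inside global, one-to-one (ip nat inside source static A B)
    pool_ip/permitted: overloaded pool, usable only by sources that access-list 1 permits
    """

    def __init__(self, pool_ip, permitted_inside, static=None):
        self.pool_ip = pool_ip
        self.permitted = ipaddress.ip_network(permitted_inside)
        self.static = dict(static or {})
        self.table = {}      # (inside_ip, inside_port) -> global port on pool_ip
        self.reverse = {}    # global port -> (inside_ip, inside_port)
        self.next_port = 1024

    def _allocate(self, wanted):
        # Assumption: like IOS PAT, keep the original source port when it is free,
        # otherwise hand out the next unused port so two hosts can share one pool address.
        if wanted not in self.reverse:
            return wanted
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def inside_to_outside(self, src_ip, src_port):
        """Translate a packet leaving the 'ip nat inside' interface; None = not translated."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if ipaddress.ip_address(src_ip) not in self.permitted:
            return None   # access-list 1 does not permit this source, so no pool entry
        key = (src_ip, src_port)
        if key not in self.table:
            port = self._allocate(src_port)
            self.table[key] = port
            self.reverse[port] = key
        return self.pool_ip, self.table[key]

    def outside_to_inside(self, dst_ip, dst_port):
        """Translate a packet arriving on the 'ip nat outside' interface; None = no entry, dropped."""
        for inside, inside_global in self.static.items():
            if inside_global == dst_ip:
                return inside, dst_port
        if dst_ip == self.pool_ip and dst_port in self.reverse:
            return self.reverse[dst_port]
        return None   # unsolicited inbound traffic has no translation and never reaches the inside


if __name__ == "__main__":
    r = NatRouter("30.0.0.120", "192.168.0.0/24", static={"10.0.0.2": "50.0.0.1"})
    print(r.inside_to_outside("192.168.0.10", 50000))   # ('30.0.0.120', 50000)
    print(r.inside_to_outside("192.168.0.11", 50000))   # ('30.0.0.120', 1024): port clash, new port
    print(r.inside_to_outside("192.168.1.5", 40000))    # None: not matched by access-list 1
    print(r.outside_to_inside("30.0.0.120", 1024))      # ('192.168.0.11', 50000)
    print(r.outside_to_inside("30.0.0.120", 9999))      # None: nothing opened this port
```

The last call is the point of the overload: a single pool address serves many inside hosts because the translation is keyed on the port, and inbound packets that no inside host initiated find no entry and are dropped.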
Example of vlan definition from switch cli in config mode
switch1(config)# vlan 200
switch1(config-vlan)#name Sales
switch1(config-vlan)#exit
switch1(config)#
Once vlans are defined, the command "show vlan brief" will display the VLAN database
The following commands will allow you to define the appropriate ports as "Access Ports" for the VLANs
(from config mode) interface range fastethernet 0/1-5
for example, this will allow you to enter interface config mode for a range of ports
prompt will look like: Switch1(config-if-range)#
Then set those ports to Access with: switchport mode access
Then assign the proper VLAN id to those ports (e.g.): switchport access vlan 200
Run "show vlan brief" and you should see the proper port assignments
Use the following commands to set them as Trunk ports
switchport mode trunk
switchport trunk allowed vlan all (this will allow all defined vlans on that switch over the trunk)
"show interfaces trunk" will show your trunk configuration (on ports that have active connections)
Create OSPF instance (router ospf instance_number) [1 is fine]; a different instance number on each router is okay, but the area must be the same
Tell it to advertise on Area 0 all its (the router you are on) directly connected networks
(config-router)# network network_address wildcard_mask area 0 (the wildcard mask is the inverted netmask: 255.255.255.0 = 0.0.0.255)
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain example
Changing VTP domain name from NULL to example
S1(config)#vtp password vinita
Setting device VLAN database password to vinita
S1(config)#vlan 10
S1(config-vlan)#name Sales
S1(config-vlan)#exit
sh vlan brief
vlans should now be there!
sh vtp status
See info on VTP process
interface range fastethernet 0/1-24
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum 1
switchport port-security violation shutdown
From the CLI on the switches, go into config mode for the affected interfaces
Use the command "shutdown" (this will make the port administratively down)
Then use the command "no shutdown" (this will re-enable the interface)
Switch(config)#int range fastethernet 0/3-24
Switch(config-if-range)#shut
Objective: Configure a Catalyst Switch with a baseline configuration consistent with one found in a production network
Goals:
Clear existing configuration
Set passwords for admin access
Set SSH for remote configuration
Configure VLANs
Set PortFast on Access Ports
Set PortSecurity on specific ports
Each student will configure their own switch - and the switches will be used for subsequent labs
Task 1 - Reset Switch to Default
Use "sudo minicom" to console into switch
If you are able to boot the switch and access without password
"erase startup-config" will remove the saved config file
To delete vlans
"delete flash:vlan.dat" will delete the VLAN database
"reload" will then boot to factory defaults
do not run the set-up wizard
If a password is set, you will need to use the MODE button and erase the config and vlan.dat files. Should be in Tech Journal
Task 2 - Set up Basic Configuration
Set hostname (use SW-#) where # is the number of your Foster workstation
Set banner (MOTD) that says "unauthorized access is prohibited"
Set "secret" password
Make sure to document password
set ip domain name to "Foster202.com"
Task 3 - Set up SSH Access for Remote Administration
Again, should be in Tech Journal
Set up an admin user
username a_name_you_want privilege 15 secret 0 a_password_you_want
Make sure to document name and password
generate rsa keys (hint: crypto key...) with size 1024
Configure to use SSH v2 (ip ssh version 2)
"sh ip ssh" or "do sh ip ssh" should show that version 2.0 is enabled
Configure "line vty 0 4" this will bring you to line configuration setting up remote access
Use the "transport input ssh" command to ensure that only SSH is allowed - and not telnet
Use "login local" to use the username you created above
Task 4 - Set IP for Switch Management
Assign the IP address of 192.168.202.X 255.255.255.0 to your VLAN 1 virtual interface
X is your Foster Workstation #
Remember - the VLAN 1 interface is shutdown by default!
Now is a good time to make sure you are saving your config (copy running-config startup-config)
Task 5 - Set up a VLAN on your switch
Add a VLAN with the id# of your Foster 202 workstation # - and a name you choose
Make ports 10 through 20 on your switch Access ports in that VLAN
Configure port fast for those access ports (10 to 20)
Task 6 Port Security
Setup Port Security on the ports in VLAN # (from Task 5 - where # is your workstation #)
Dynamic security and set to "sticky"
Set maximum MAC addresses to 1
Set violation mode to shutdown the port
Configure switch so that ports 21 to 24 cannot be used without an administrator activating them (hint - shut them down!)
As you are wrapping up, test SSH by connecting your switch to a neighbor's switch on port 1 (both ports are in VLAN 1). From the CLI, try to SSH into each other's switches.
Make sure to save your configuration before powering off!
copy running-config startup-config
Remember to make a note of the switch you used as you will use it again.
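Added example (not part of the lab handout or any Cisco tool): a small Python audit that checks a saved configuration against the Task 2 to Task 6 checklist, so you can verify the baseline before the switch is reused in later labs. The config text is a constructed sample of "show running-config" output with deliberate gaps; the "^C" banner delimiter on one line, the placeholder hashes and the port numbers passed to audit() are assumptions for the demonstration.

```python
"""Audit a saved switch config against the Task 2-6 checklist (added example, not lab material)."""

# Constructed sample of 'show running-config' output for a switch that is almost,
# but not quite, compliant: 0/11 lacks port-security, 0/22 was never shut down,
# and the vty lines still accept telnet.
SAMPLE_CONFIG = """\
hostname SW-7
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderhash
banner motd ^Cunauthorized access is prohibited^C
ip domain-name Foster202.com
username admin privilege 15 secret 5 $1$CONSTRUCTED$placeholderhash
ip ssh version 2
!
interface FastEthernet0/10
 switchport access vlan 7
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split IOS config into top-level commands and the indented sub-commands under each."""
    top_level, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top_level.append(current)
            sections[current] = []
    return top_level, sections


def audit(text, vlan, access_ports, disabled_ports):
    """Return a list of findings; an empty list means the config meets the checklist."""
    top_level, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(line.startswith(prefix) for line in top_level)

    for prefix, why in [
        ("service password-encryption", "plaintext passwords in the config"),
        ("enable secret", "no hashed enable secret"),
        ("banner motd", "no login banner"),
        ("ip ssh version 2", "SSH v1 still negotiable"),
    ]:
        if not has(prefix):
            findings.append(f"global: '{prefix}' missing ({why})")
    vty = sections.get("line vty 0 4", [])
    if "transport input ssh" not in vty:
        findings.append("line vty 0 4: 'transport input ssh' missing, so telnet is still accepted")
    if "login local" not in vty:
        findings.append("line vty 0 4: 'login local' missing")
    for n in access_ports:
        name = f"interface FastEthernet0/{n}"
        cfg = sections.get(name, [])
        for required in ("switchport mode access", f"switchport access vlan {vlan}",
                         "switchport port-security", "spanning-tree portfast"):
            if required not in cfg:
                findings.append(f"{name}: missing '{required}'")
    for n in disabled_ports:
        name = f"interface FastEthernet0/{n}"
        if "shutdown" not in sections.get(name, []):
            findings.append(f"{name}: not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, vlan=7, access_ports=(10, 11), disabled_ports=(21, 22)):
        print(finding)
```

Run it against the real "show running-config" output (pasted into SAMPLE_CONFIG or read from a file) with access_ports=range(10, 21) and disabled_ports=range(21, 25) for the port assignments in Task 5 and Task 6. The vty check is exact on purpose: "transport input telnet ssh" is not the same as "transport input ssh", and the difference is whether cleartext logins are still possible.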
Standard
1. Create ACL:
device(config)# ip access-list standard Net1
device(config-std-nacl-Net1)# deny host 10.157.22.26
device(config-std-nacl-Net1)# deny 10.16.4.0 0.0.0.255
device(config-std-nacl-Net1)# permit any
2. Apply to interface
device(config)# int eth 1/1
device(config-if-e10000-1/1)# ip access-group Net1 in
Extended
1. Create Access List
(config)# ip access-list extended MYACL
(config-nacl-myacl)# deny tcp host 10.0.0.2 host 10.0.1.2 eq 80
(config-nacl-myacl)# deny tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 23
(config-nacl-myacl)# permit ip any any
2. Apply to Interface
(config)# interface fastEthernet 0/0
(config-if)# ip access-group MYACL in
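Added example (not part of these notes or of IOS): a Python evaluator for the two ACLs above that applies the same first-match-wins rule, the implicit deny at the end of every IOS ACL, and the inverted "wildcard" masks that both ACL entries and the OSPF network statement use. The ACL entries are transcribed from Net1 and MYACL above; the packet values fed to it are constructed.

```python
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(mask):
    """Invert a subnet mask: 255.255.255.0 -> 0.0.0.255 (used by ACLs and the OSPF network command)."""
    return str(ipaddress.IPv4Address(_int(mask) ^ 0xFFFFFFFF))


def wildcard_match(addr, network, wildcard):
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must match the network."""
    care = _int(wildcard) ^ 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)


HOST = "0.0.0.0"                          # 'host X' is X with wildcard 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")      # 'any' is everything

# The two ACLs from the notes above, as (action, network, wildcard) and
# (action, protocol, (src, wc), (dst, wc), destination port or None).
NET1 = [
    ("deny", "10.157.22.26", HOST),
    ("deny", "10.16.4.0", "0.0.0.255"),
    ("permit", *ANY),
]
MYACL = [
    ("deny", "tcp", ("10.0.0.2", HOST), ("10.0.1.2", HOST), 80),
    ("deny", "tcp", ("10.0.0.0", "0.0.0.255"), ("10.0.1.0", "0.0.0.255"), 23),
    ("permit", "ip", ANY, ANY, None),
]


def evaluate_standard(acl, src):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def evaluate_extended(acl, proto, src, dst, dport=None):
    """Same rule for extended entries: protocol, source, destination and port must all match."""
    for action, p, (snet, swc), (dnet, dwc), port in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                          # 0.0.0.255
    print(evaluate_standard(NET1, "10.16.4.77"))                         # deny
    print(evaluate_standard(NET1[:2], "10.16.5.1"))                      # deny: no 'permit any'
    print(evaluate_extended(MYACL, "tcp", "10.0.0.2", "10.0.1.2", 80))   # deny
    print(evaluate_extended(MYACL, "tcp", "10.0.0.2", "10.0.1.2", 443))  # permit
```

The NET1[:2] case is the one that bites in practice: an ACL written with only deny lines blocks everything on the interface it is applied to, because the implicit deny catches whatever the explicit entries did not.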
R1(config)# ip route remote_network_ip_address subnet_mask ip_of_next_hop
ip routing
BOS-Multilayer(config)#interface vlan 5
BOS-Multilayer(config-if)#ip address 10.20.5.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 ip_address_of_next_hop
create a DHCP Pool for the local vlan
SW(config)# ip dhcp pool XXXX_Wing_Pool (where xxxx is location of wing for that switch)
creates pool
SW(dhcp-config)# network 192.168.X.0 255.255.255.0 where x is the local vlan #
sets network to assign ip's from
SW(dhcp-config)# default-router 192.168.X.1 where x is the local vlan #
sets the default gateway that will be assigned to clients
SW(dhcp-config)# lease 0 4
Sets lease time to 0 days and 4 hours
Challenge 3 - Configure OSPF Routing
The Multilayer switches are connected to their local VLAN and to the Backbone VLAN, but are not aware of the local VLANs in the other wings. We can use OSPF to share information among the MLSs to build their routing tables
On Backbone Switch
SW(config)# router ospf 1
this creates the (first) OSPF process on the router
SW(config-router)# network 192.168.202.0 0.0.0.255 area 0
This will let neighbors in area 0 know that the router is on the backbone network
Notice the "Wildcard" mask. It is an inverse method of writing subnet masks and is used in some Cisco commands
On Each Wing Switch
SW(config)# router ospf 1
this creates the (first) OSPF process on the router
SW(config-router)# network 192.168.202.0 0.0.0.255 area 0
This will let neighbors in area 0 know that the router is on the backbone network
SW(config-router)# network 192.168.x.0 0.0.0.255 area 0
where x is the local vlan #
This will let neighbors in area 0 know about the VLAN/subnet local to that wing
Routing Tables should be built automatically
"sh ip route" command will show all of the Wing VLAN networks
Wing switches should be able to ping remote PI's
How to view the contents of the "flash" directory on a switch
show flash, show version
How to use TFTP to copy an IOS image file from a switch to a server
Use the console connection on the PC. From the privileged prompt (router#) run the command "dir flash:" or "show flash" to view the files stored in flash.
Then run "show version" - you should see the running IOS version should match what is in flash
Using TFTP (Trivial File Transfer Protocol), you can copy the IOS image file to a server for backup
TFTP is a simplified version of FTP - it does not use authentication or encryption so should only be used periodically for non-sensitive files
Using the command "copy flash tftp" - will do just that, copy the contents of flash to a TFTP server
You will then be prompted for
Source Filename: Name of the image (.bin) file. You can copy/paste from the output of the dir flash: from step 1
Address of remote host: IP address of TFTP server
Destination Filename: if not changing, can just hit Enter
You should see it copy over
You now have a backup of the image file
How to set variables in ROMMON mode
As indicated, before tftpdnld can be used, the following variable must be set in ROMMON. This can be done by simply using:
variable_name = setting
for example
rommon 3 > IP_SUBNET_MASK=255.0.0.0
Need to set the following at the rommon prompt
IP_ADDRESS : IP address assigned to the router.
IP_SUBNET_MASK : Must match the subnet of the TFTP server.
DEFAULT_GATEWAY : For this process it would be the IP address of the TFTP server.
TFTP_SERVER : IP address of the TFTP server.
TFTP_FILE : Exact name of the IOS file. The name is case sensitive.
When all variables are set, type "tftpdnld"
You will get a warning that flash will be overwritten. You can type "y" in this case, but be mindful that it does recreate the flash partition
If successful, you will see output that the file is copying over
If TFTP worked, type "reset" from the rommon prompt to reboot the router
It should load with the restored IOS!
How to use "tftpdnld" to retrieve an image file from a server
TFTP can also be used to upgrade to a different or new version of IOS. If there is enough flash storage, it is possible to copy a second image file onto flash
Copy an IOS image from TFTP onto flash:
Simply reverse the command we used to back up the server - copy from tftp to flash
From router#
copy tftp flash
Prompted for: Address is IP of TFTP server
Source filename: the name of the image file on TFTP Server
For this lab use: c1841-ipbasek9-mz.124-12.bin
Destination Filename: hit enter to keep the same
Type "show flash" to see that it copied over
How to specify what image a switch should boot from
Set router to boot from the new image
The "boot system" command will let you specify which image the system should boot from
From "config" mode on router
boot system flash:name_of_IOS-file (use the ipbasek9 file you copied over)
Save config with a "copy run start"
Reload router with "reload" command
SP Autonomous System # is 1000
Groups will use the AS #'s 1X00 (where X is the group #, so Group 1 will be AS 1100)
On Backbone Router
Need to create a BGP Instance for your AS#
router bgp 1X00
Need to establish a peering relationship with your ISP
(config-router)# neighbor 192.168.1.1 remote-as 1000
Advertise your local networks on BGP
Example-if your group has VLANs 10 and 11
(config-router)#network 192.168.10.0 mask 255.255.255.0
(config-router)#network 192.168.11.0 mask 255.255.255.0
You would need a "network statement" for each local vlan
Do not advertise the backbone VLAN (192.168.1.0/24)
Do not advertise the ISP VLAN (192.168.100.0/24)
When BGP works- ISP should start seeing your networks - and you should see networks from the ISP
Turn DHCP Snooping on for the Switch
(config)# ip dhcp snooping
Enable snooping on any VLANs that use DHCP
(config)# ip dhcp snooping vlan 10
(config)# ip dhcp snooping vlan 20
…
Set the interface facing the DHCP server as Trusted
(config)# interface gi0/4
(config-if)# ip dhcp snooping trust
Rate Limiting for DHCP Snooping helps protect against DHCP DoS
Set per interface
# of DHCP packets allowed per second
Can set on “trusted” ports (those facing the DHCP server)
Depending on how large your network is - can typically set between 25-100
If it is a busy DHCP server, want to make sure not to set too low
(config-if)#ip dhcp snooping limit rate 25
If very worried about Rogue DHCP - can set on all untrusted ports
These would be any/all client ports
Can use interface range (e.g. (config)# interface range fa0/2-48)
Then set to a low number (between 5-15)
(config-if-range)#ip dhcp snooping limit rate 10
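Added example (not from the notes or from IOS): a Python model of the two snooping behaviours configured above, so the effect of "trust" and "limit rate" can be seen on constructed traffic. It assumes, as IOS does, that server messages (OFFER, ACK, NAK) are dropped on untrusted ports and that a port exceeding its per-second limit is err-disabled rather than the whole switch being affected; the port names, limits and packet counts are constructed.

```python
from collections import defaultdict

# Messages only a DHCP server sends; snooping drops them on untrusted (client) ports.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Model of the two snooping behaviours the notes configure (added example, not IOS code):
    trusted vs untrusted ports, and per-port 'ip dhcp snooping limit rate' that err-disables
    a port once more DHCP packets than the limit arrive within one second."""

    def __init__(self):
        self.trusted = set()
        self.rate_limit = {}                 # port -> packets per second allowed
        self.err_disabled = set()
        self._seen = defaultdict(int)        # (port, second) -> DHCP packets counted

    def configure(self, port, trusted=False, limit_rate=None):
        if trusted:
            self.trusted.add(port)
        if limit_rate is not None:
            self.rate_limit[port] = limit_rate

    def receive(self, port, second, msg_type):
        """Decide one DHCP packet arriving on `port` during wall-clock `second`."""
        if port in self.err_disabled:
            return "drop"                    # stays down until an admin clears it
        limit = self.rate_limit.get(port)
        if limit is not None:
            self._seen[(port, second)] += 1
            if self._seen[(port, second)] > limit:
                self.err_disabled.add(port)  # DoS protection: the flooding port is shut, not the switch
                return "err-disable"
        if msg_type in SERVER_MESSAGES and port not in self.trusted:
            return "drop"                    # rogue DHCP server answering on a client port
        return "forward"


def demo():
    """Run the two scenarios from the notes; returns (rogue decision, legit decision, burst decisions)."""
    s = DhcpSnooping()
    s.configure("Gi0/4", trusted=True, limit_rate=25)   # uplink to the real DHCP server
    s.configure("Fa0/2", limit_rate=10)                 # untrusted client port
    rogue = s.receive("Fa0/2", 0, "OFFER")              # 'drop'
    legit = s.receive("Gi0/4", 0, "OFFER")              # 'forward'
    burst = [s.receive("Fa0/2", 1, "DISCOVER") for _ in range(12)]
    return rogue, legit, burst


if __name__ == "__main__":
    rogue, legit, burst = demo()
    print(rogue, legit)                                   # drop forward
    print(burst.count("forward"), burst[10], burst[11])   # 10 err-disable drop
```

The burst scenario is why the notes warn against setting the trusted-port limit too low: the same mechanism that stops a client flooding DISCOVERs will err-disable the uplink to a busy DHCP server if its limit is below the real request rate.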
snmp-server community <string> {ro | rw}
using the "snmp-server community" command from global configuration mode
Set the Read-only community string name
Set the Read-Write community string name
Remember - they are like passwords so should not be too easy to guess
Use the "?" to help you get the correct syntax
Go to your SNMP Management Station - Desktop - MIB Browser
Click "Advanced" and fill in the info for Router 0 and change to SNMP v3 - click OK
Expand MIB Tree
Navigate through "router_std MIBs" to get to and highlight the .sysUpTime object
Hint: follow .mib-2, .system
With the object selected, you should see the OID in the upper right. Set operation to GET and hit GO
You should see the result of the query
Submit: Screenshots of-
.sysUpTime
.ifPhysAddress (the mac addresses for interfaces on the router - will need to navigate to the OID in same MIB under .interfaces
Step 2: Change a Configuration Setting using SNMP SET
Find and select the .sysName OID
Send a GET to retrieve the router's hostname
Make note of the "Type" of value
Change operation to SET
Use the proper data type for that OID
Set a value for the hostname to "your-name-router"
Click OK and then GO
Result Table should show the new name
Submit Screenshot of new hostname in Result Table
Click on the router and go to CLI - you should see the new hostname!
On SYSLOG server go to Services - SYSLOG and make sure it is on
On your router, configure syslog
from global config
suppress logging to the console with "no logging console"
Configure router to use timestamps on log and debug messages
service timestamps log datetime msec
service timestamps debug datetime msec
Log events related to enabling privileged mode with "logging userinfo"
Set logging to the highest level (most logs) with "logging trap debugging"
Configure the router to log to the syslog server with "logging A.B.C.D" where A.B.C.D is the IP of your SYSLOG Server
Enable logging to all destinations with "logging on"
Exit privileged mode and the cli and log back in a few times
Go to your SYSLOG Server - Services - SYSLOG and review the events
Submit: Screenshot of log-on events
To test debug logging
From non-config mode
debug ip icmp (this will turn on logging for icmp events)
ping something from the router
SYSLOG server should have recorded the debug events
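Added example (not part of the lab or of any Cisco software): a Python parser for the lines the syslog server receives once the router is configured as above, showing how the "service timestamps ... datetime msec" prefix and the %FACILITY-SEVERITY-MNEMONIC header are picked apart, how header-less debug output from "debug ip icmp" is classified, and how the privilege-mode events enabled by "logging userinfo" can be pulled out for review. The log lines are constructed; their wording, in particular the PRIV_AUTH message text, is an assumption, while the facility/severity/mnemonic format and the Cisco severity names are real.

```python
import re
from collections import Counter

# Cisco severity numbers (the 'logging trap debugging' level 7 sends everything).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Timestamp from 'service timestamps log datetime msec', optional sequence number,
# then the %FACILITY-SEVERITY-MNEMONIC header that system messages carry.
# Debug output (e.g. from 'debug ip icmp') has the timestamp but no such header.
LINE_RE = re.compile(
    r"^(?:\d+: )?(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"(?:%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): )?(?P<msg>.*)$"
)

# Constructed sample of what the syslog server would receive from the router.
LOG_LINES = [
    "*Mar  1 00:10:02.113: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:11:45.901: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by user admin on console",
    "*Mar  1 00:12:07.334: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by user admin on console",
    "*Mar  1 00:13:50.020: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:15:01.123: ICMP: echo reply rcvd, src 192.168.202.1, dst 192.168.202.7",
]


def parse_line(line):
    """Return a dict with ts, facility, severity, mnemonic and msg, or None if not a router line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, sev, mnem = m.group("fac"), m.group("sev"), m.group("mnem")
    return {
        "ts": m.group("ts"),
        "facility": fac,
        "severity": int(sev) if sev else 7,   # header-less lines are debug output
        "mnemonic": mnem,
        "msg": m.group("msg"),
    }


def summarize(lines):
    """Count messages per severity and pull out the privilege/login events 'logging userinfo' produces."""
    by_severity = Counter()
    auth_events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_severity[SEVERITY[rec["severity"]]] += 1
        mnem = rec["mnemonic"] or ""
        if mnem.startswith("PRIV_AUTH") or "LOGIN" in mnem:
            auth_events.append((mnem, rec["msg"]))
    return {"by_severity": dict(by_severity), "auth_events": auth_events}


if __name__ == "__main__":
    result = summarize(LOG_LINES)
    print(result["by_severity"])      # {'notifications': 3, 'errors': 1, 'debugging': 1}
    for mnem, msg in result["auth_events"]:
        print(mnem, "-", msg)
```

With "logging trap debugging" the server receives the ICMP debug lines as well as the system messages, which is why the summary separates them: the debug noise is useful for the ping test but the PRIV_AUTH events are the ones worth keeping an eye on.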