BASIC CONFIGURATION STEPS
Trainer : Ramu
Basic Steps
1. Hostname Change
2. Telnet password
3. Enable password / Secret
4. SSH Password
5. Telnet with Username/password
6. SSH with Username/password
7. MGMT IP address
8. Banner Configuration
9. Clock Set
10. Interface configuration setting
10.A – Duplex settings
10.B – Speed Settings
10.C – SHUT/UNSHUT interface
10.D – Interface Description
10.E – Interface Range
[Link] Default Gateway configuration
[Link] How to Save configuration
STEP1:
• Connect to the device via the console port.
• Use terminal emulation software such as PuTTY and connect to the console of the switch.
• You will get the initial command prompt “Switch>”
• Type “enable” and hit enter.
• You will get into privileged mode (“Switch#”)
• Now, get into Global Configuration Mode:
Switch# configure terminal
Switch(config)#
STEP2: Set up a hostname for the particular switch to distinguish it in the network
• Switch(config)# hostname <Name of the Switch>
SwitchName(config)#
RULES :
• Hostnames should follow the ARPANET rules.
• They should start with a letter, end with a letter or digit, contain only letters, digits, and hyphens, and be 63 characters or fewer.
• A hyphen is not allowed at the start or end.
• A hostname may contain at least one letter or '-' or '_' character.
• A hostname of fewer than 10 characters is recommended.
• Note that a long hostname may cause longer configuration-mode prompts to be truncated.
• How long can a hostname be: [Link]
• Names must be 63 characters or fewer.
• Name the device according to the location or area where it is installed.
• You can define codes per area/zone where the devices are located, so you won't use too many characters.
• But don't include the model in the name of an access switch (ASW), since you would then need to be sure to rename it when it is upgraded. Other admins or vendors sometimes forget to rename the upgraded switch; this is quite common, especially if you have multiple geographical sites.
ENABLE PASSWORD/SECRET PASSWORD
• STEP3: Configure an administration password (enable password)
switch(config)# enable password <ABCD>
• Remove :
switch(config)# no enable password
• STEP4: Configure an administration password (enable secret)
switch(config)# enable secret <ABCD>
Can we configure Both
• The enable password and the enable secret shouldn't be the same.
• If you set the enable password to the same value as the enable secret, you have made the enable secret as prone to attack as the enable password.
• If both an enable password and an enable secret are configured, the enable secret overrides the enable password: the secret is given priority and is the password you must enter to get into privileged mode.
• If both are configured on the same switch, the secret password takes precedence.
Why Enable secret
• Use the enable secret command for better security.
• enable password [password] => sets an unencrypted password that is stored in the configuration in clear text.
• enable secret [password] => stores an MD5-based hash of the password (type 5) instead of the password itself, automatically.
Can we encrypt Enable password
• Yes, we can.
• Command : service password-encryption
Ex: enable password 7 0822455D0A16544541
Can we Crack Type 7 Passwords
• Yes, we can: type 7 is a reversible encoding, not a hash, so it only hides the password from casual viewing.
• [Link]
• [Link]
• [Link]
Can we Crack Type5 Passwords
• It needs skill and an offline guessing attack; only weak passwords can be recovered this way.
• [Link]
• [Link]
• [Link]
• The enable secret command uses the cryptographically strong MD5 algorithm to hash passwords. It is extremely difficult to crack this algorithm. In fact, there are no known ways to uniquely reverse MD5 hashes, which is why it is called a nonreversible algorithm. (Recovering a weak secret by guessing, as noted above, does not reverse the hash; it simply tries candidate passwords until one matches.)
CISCO PASSWORD TYPES
• [Link]
• [Link]
TELNET PASSWORD
• Telnet is an application-layer protocol.
• It is used for remote device access.
• Everything Telnet sends, including the password, is sent in plaintext.
• TELNET : Terminal emulator protocol
• Port number : 23
• Runs over TCP
• Not secure
How to configure
• Access the Switch over console port
• switch(config)# line vty 0 15
• switch(config-line)# password ABCD123
• switch(config-line)# login
• switch(config-line)# exit
• switch(config)#
TELNET with Local Username/Password
• Create a username and password on the switch (switch(config)# username <name> password <password>)
• switch(config)# line vty 0 15
• switch(config-line)# password ABCD123
• switch(config-line)# login local -----→ Login with local database details
• switch(config-line)# exit
• switch(config)#
Verification
• Launch the PuTTY application and open a Telnet session to the switch.
SSH PASSWORD
• [Link]
• [Link]
• [Link]
SSH
• Secure Shell
• It’s a cryptographic protocol
• for remote access to your Cisco IOS devices
• Encrypts the access session
• It gives security for remote access to your Cisco IOS devices
• TCP protocol
• Port number : 22
• SSH (Secure Shell) is a secure method for remote access as it includes authentication and encryption. To do this, it uses an RSA public/private keypair.
What is RSA Keypair
• Rivest, Shamir, and Adleman (RSA) key generation is an SSH server-side requirement. Devices that act as SSH clients need not generate RSA keys.
• The RSA key pair size must be greater than or equal to 768 bits.
SSH v1 and v2
• There are two versions: version 1 and 2. Version 2 is more secure and
commonly used.
• Last but not least, to configure SSH you require an IOS image that
supports crypto features. Otherwise you won’t be able to configure
SSH.
SSH Server / Client Configuration
SSH Server on Cisco Switch :
Step1 : Generate RSA keypair
• The name of the RSA keypair will be the hostname and domain name of the switch.
Step1.a - Let’s configure a hostname:
switch(config)#hostname switch1
Step1.b - Configure a domain name:
switch(config)#ip domain-name [Link]
• Now we can generate the RSA keypair:
switch(config)#crypto key generate rsa
The name for the keys will be: [Link]
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
• When you use the crypto key generate rsa command, it will ask you how many bits you want to use for the key size.
• A key size of 2048 bits is acceptable.
• Key sizes of 1024 bits or smaller should be avoided. Larger key sizes also take longer to generate.
Step2 : Define SSH version
SSH version 1 is the default version. Let’s switch to version 2:
Switch(config)#ip ssh version 2
Step 3 : SSH is enabled but we also have to configure the VTY lines:
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh
Switch(config-line)#login local
• This ensures that we only accept SSH (not telnet or anything else) and that we check the local database for usernames. Let’s create a user:
Switch(config)#username admin password abc123
• Everything is now in place. We should be able to connect to the switch through SSH now.
• SSH Time Out :
The default SSH authentication timeout (the time you have to enter correct user credentials after making the initial connection) is 120 seconds.
If you wish to change it, the command is:
Switch(config)# ip ssh time-out 60
• SSH Retries :
Switch(config)# ip ssh authentication-retries 4
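To tie the password-storage discussion (enable password vs. enable secret, type 7) and the Telnet/SSH VTY steps together, here is an added audit script, not from the slides or from Cisco, that reads a saved running-config and flags the weak settings the slides warn about. The config text is constructed for illustration (the type 7 string is the one on the slides; the type 5 hash is a placeholder); the hostname check implements the ARPANET rule stated earlier.

```python
import re

# Constructed sample running-config (not captured from a real device). The
# type 7 string is the one shown on the slides; the type 5 hash is a placeholder.
WEAK_CONFIG = """\
hostname switch-1
enable password 7 0822455D0A16544541
enable secret 5 $1$abcd$PLACEHOLDERHASH0000000
username admin password abc123
ip ssh version 1
line vty 0 15
 password ABCD123
 login
 transport input telnet ssh
"""

def hostname_ok(name):
    """ARPANET rule from the slides: letter first, letter/digit last, only letters, digits, hyphens, <= 63 chars."""
    return len(name) <= 63 and bool(re.match(r"^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$", name))

def audit(config):
    """Return (severity, message) findings for one running-config text."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    for line in lines:
        if line.startswith("hostname "):
            name = line.split(None, 1)[1]
            if not hostname_ok(name):
                findings.append(("low", f"hostname {name!r} breaks the ARPANET naming rules"))
        if line.startswith("enable password"):
            findings.append(("high", "enable password is recoverable; use enable secret instead"))
        if re.search(r"\b(password|secret) 7 ", line):
            findings.append(("high", f"type 7 string is reversible: {line.strip()}"))
        if re.match(r"username \S+ password ", line):
            findings.append(("high", f"user password stored recoverably: {line}"))
    if "ip ssh version 2" not in lines:
        findings.append(("medium", "SSH v2 not enforced; add 'ip ssh version 2'"))
    in_vty, transport, login = False, None, None   # settings found under 'line vty'
    for line in lines:
        in_vty = line.startswith("line vty") or (in_vty and line.startswith(" "))
        if in_vty and line.strip().startswith("transport input"):
            transport = line.strip()
        elif in_vty and line.strip().startswith("login"):
            login = line.strip()
    if transport is None or "telnet" in transport or "all" in transport:
        findings.append(("high", "VTY accepts telnet (cleartext); set 'transport input ssh'"))
    if login != "login local":
        findings.append(("medium", "VTY uses only a line password; set 'login local' with usernames"))
    return findings
```

Running audit(WEAK_CONFIG) yields six findings; a config with enable secret, username ... secret, ip ssh version 2, transport input ssh and login local yields none.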
• MOTD banner: the “message of the day” banner is presented to everyone who connects to the router.
• Login banner: this one is displayed just before the authentication prompt.
• Exec banner: displayed before the user sees the exec prompt.
• Incoming banner: used for users who connect through reverse telnet.
BANNER Messages
• Message of the Day (MOTD): This type of logon message has been around for a long time on Unix
and mainframe systems. The idea of the message is to display a temporary notice to users, such
as issues with system availability.
• However, because the message displays when a user connects to the device, prior to login, most network administrators now use it to display legal notices regarding access to the switch, such as “unauthorized access to this device is prohibited and violators will be prosecuted to the full extent of the law” and other such cheery endearments.
• Login: This banner is displayed before login to the system, but after the MOTD banner is
displayed. Typically, this banner is used to display a permanent message to the users.
• Exec: This banner displays after the login is complete when the connecting user enters User EXEC
mode. Whereas all users who attempt to connect to the switch see the other banners, only users
who successfully log on to the switch see this banner, which can be used to post reminders to
your network administrators.
To configure each of these banners and set them up on your switch, follow these commands:
MESSAGE BANNER CONFIGURATION
Banner MOTD message :
• Switch1>enable
• Switch1#configure terminal
• Switch1(config)#banner motd #
• Enter TEXT message. End with the character '#'.
• This device is for authorized personnel only.
• If you have not been provided with permission to access this device - disconnect at once.
• #
Banner Login :
• Switch1(config)#banner login #
• Enter TEXT message. End with the character '#'.
• *** Login Required. Unauthorized use is prohibited ***
• #
Banner EXEC Message :
• Switch1(config)#banner exec #
• Enter TEXT message. End with the character '#'.
• *** Ensure that you update the system configuration documentation after making system changes. ***
• #
• Notice that each of the banner lines ends with a # symbol; this is a
delimiter to identify the end of the message.
• You can specify any character you want, but the character you choose
is the one you will use to end the banner message.
CLOCK Set
• [Link]
• [Link]
CLOCK SET
• The clock commands set the time zone, date and time on the Cisco IOS device.
• If a Cisco switch / router boots up before you've configured a local time or a network time source, it will display the date as March 1, 1993.
Here's an example:
Router> show clock
[Link].415 UTC Mon Mar 1 1993
Router>
• UTC : Coordinated Universal Time
• GMT : Greenwich Mean Time
Benefits with Clock set
Some of the benefits of setting the correct time on a router:
• Log files display the proper timestamp, which helps when troubleshooting a problem.
• The correct time lets you correlate events recorded at two different times or on two different devices.
• Automated (scheduled) tasks run at the intended time.
Config steps
• Configure the time zone
• Configure Daylight Saving Time
• Configure the clock
Configure the time zone
Configure the time zone from config mode and set the hours offset and minutes offset.
For example, the India time zone is IST, UTC +5:30 hours:
Switch(config)#clock timezone IST 5 30
Configure Clock
Configure the date and time from EXEC mode.
For example, 11:13 PM, 15th July 2017:
Switch#clock set [Link] 15 July 2017
Verification :
Now the device clock shows as below:
SWITCH1#sh clock
[Link].931 IST Sat Jul 15 2017
SWITCH1#
Interface settings
• [Link]
Interface Port Identification
All ports in current IOS versions are numbered, starting at the motherboard, in one of these formats:
• network-module-slot/port
• 0/interface-card-slot/port
• network-module-slot/interface-card-slot/port
[Link]
• To specify an interface, you specify the location of the port that represents the interface.
Effectively, all modules are connected to the motherboard slot on the switch, which is always slot
0 and the first zero in the interface name.
• If you have a switch installed in a Switch HWIC or working with a chassis-based system, specify
the slot that the card is installed into and then the interface in the format of 0/0/1 — 0 for the
motherboard, 0 for the first HWIC slot, 1 for the first port on the network module.
• If the switch does not have an expansion module, specify 0 for the motherboard and 1 for the first
port on the switch.
• Switch1(config)#interface fastEthernet 0/1
• When working with switches, the first interface is numbered one, whereas when you work with
most other Cisco devices, you find the first interface is zero.
Interface Transmission Modes
Duplex
• A duplex communication system is a point-to-point system composed of two or more connected parties or devices that can communicate with one another in both directions.
• Full Duplex -> the device can receive and send data simultaneously.
• Half Duplex -> the device can either send or receive data at one time, not both.
Full vs Half Duplex settings
Speed Settings
• Speed Auto (auto-negotiation)
Interface Speed configuration
• FastEthernet = 100 Mbps
• Gigabit Ethernet = 1000 Mbps
• Ten Gigabit Ethernet = 10 Gbps
Interface Range configuration
Configuring interfaces over a range helps because you:
• Can prepare a configuration template for interfaces with common settings
• Can apply all common settings to the interfaces at one time
• Save time
How to save configuration
• Copy run start
• Write
• Write memory
SUMMARY
BASIC SWITCH SETTINGS CONFIGURATION & VERIFICATION
No.  FEATURE                            CONFIGURATION  VERIFICATION
1    HOSTNAME                           Completed      Completed
2    Enable password/Enable secret      Completed      Completed
3    TELNET Password                    Completed      Completed
4    SSH Password                       Completed      Completed
5    BANNER                             Completed      Completed
6    Management IP                      Completed      Completed
7    Clock Set                          Completed      Completed
8    INTERFACE SETTINGS                 Completed      Completed
8.1  Duplex settings                    Completed      Completed
8.2  Speed Settings                     Completed      Completed
8.3  Description                        Completed      Completed
8.4  Shut/Unshut                        Completed      Completed
8.5  Interface Range configuration      Completed      Completed
9    Saving configuration               Completed      Completed
10   IP Default configuration           Completed      Completed