Figure 1 Figure 2 Figure 3

Operating Systems

All end devices and network devices require an operating system (OS). As shown in Figure 1, the portion of the OS that interacts directly with computer hardware is known as the kernel. The portion that interfaces with applications and the user is known as the shell. The user can interact with the shell using a command-line interface (CLI) or a graphical user interface (GUI).

When using a CLI as shown in Figure 2, the user interacts directly with the system in a text-based environment by entering commands on the keyboard at a command prompt. The system executes the command, often providing textual output. The CLI requires very little overhead to operate. However, it does require that the user have knowledge of the underlying structure that controls the system.

A GUI interface such as Windows, OS X, Apple iOS, or Android allows the user to interact with the system using an environment of graphical icons, menus, and windows. The GUI example in Figure 3 is more user-friendly and requires less knowledge of the underlying command structure that controls the system. For this reason, many individuals rely on GUI environments.

However, GUIs may not always be able to provide all of the features available at the CLI. GUIs can also fail, crash, or simply not operate as specified. For these reasons, network devices are typically accessed through a CLI. The CLI is less resource intensive and very stable when compared to a GUI.

The network operating system used on Cisco devices is called the Cisco Internetwork Operating System (IOS). 📷 Cisco IOS is used for most Cisco devices regardless of the type or size of the device.

Note: The operating system on home routers is usually called firmware. The most common method for configuring a home router is by using a web browser-based GUI.

Access Methods

Console SSH Telnet

A Cisco IOS switch can be implemented with no configuration and still switch data between connected devices. By connecting two PCs to a switch, those PCs will instantly have connectivity with one another.

Even though a Cisco switch will function immediately, configuring initial settings are a recommended best practice. There are several ways to access the CLI environment and configure the device. The most common methods are:

Console – This is a physical management port that provides out-of-band access to a Cisco device. Out-of-band access refers to access via a dedicated management channel that is used for device maintenance purposes only.

Secure Shell (SSH) – SSH is a method for remotely establishing a secure CLI connection through a virtual interface, over a network. Unlike a console connection, SSH connections require active networking services on the device including an active interface configured with an address.

Telnet - Telnet is an insecure method of remotely establishing a CLI session through a virtual interface, over a network. Unlike SSH, Telnet does not provide a securely encrypted connection. User authentication, passwords, and commands are sent over the network in plaintext.

Note: Some devices, such as routers, may also support a legacy auxiliary port that was used to establish a CLI session remotely using a modem. Similar to a console connection, the 📷 AUX port is out-of-band and does not require networking services to be configured or available.

Purpose of OS

Network operating systems are similar to a PC operating system. Through a GUI, a PC operating system enables a user to:

Use a mouse to make selections and run programs

Enter text and text-based commands

View output on a monitor

A CLI-based network operating system like the Cisco IOS on a switch or router enables a network technician to:

Use a keyboard to run CLI-based network programs

Use a keyboard to enter text and text-based commands

View output on a monitor

Cisco networking devices run particular versions of the Cisco IOS. The IOS version is dependent on the type of device being used and the required features. While all devices come with a default IOS and feature set, it is possible to upgrade the IOS version or feature set to obtain additional capabilities.

Location of the Cisco IOS

Cisco IOS stored in 📷 Flash

Non-volatile storage, not lost when power is lost

Can be changed or overwritten as needed

Can be used to store multiple versions of IOS

IOS copied from flash to volatile RAM

Quantity of flash and RAM memory determines IOS that can be used

Navigating the IOS

Cisco IOS Modes of Operation

To initially configure a Cisco device, a console connection must be established. Once consoled in, the network technician will have to navigate through various command modes of the IOS CLI. The Cisco IOS modes use a hierarchical structure and are quite similar for both switches and routers.

Primary Command Modes

As a security feature, the Cisco IOS software separates management access into the following two command modes:

User EXEC Mode - This mode has limited capabilities but is useful for basic operations. It allows only a limited number of basic monitoring commands but does not allow the execution of any commands that might change the configuration of the device. The user EXEC mode is identified by the CLI prompt that ends with the > symbol.

Privileged EXEC Mode - To execute configuration commands, a network administrator must access privileged EXEC mode. Higher configuration modes, like global configuration mode, can only be reached from privileged EXEC mode. The privileged EXEC mode can be identified by the prompt ending with the # symbol.

Configuration Command Modes

To configure the device, the user must enter Global Configuration Mode, which is commonly called global config mode.

From global config mode, CLI configuration changes are made that affect the operation of the device as a whole. Global configuration mode is identified by a prompt that ends with (config)# after the device name, such as Switch(config)#.

Global configuration mode is accessed before other specific configuration modes. From global config mode, the user can enter different sub-configuration modes. Each of these modes allows the configuration of a particular part or function of the IOS device. Two common sub-configuration modes include:

Line Configuration Mode - Used to configure console, SSH, Telnet, or AUX access.

Interface Configuration Mode - Used to configure a switch port or router network interface.

When using the CLI, the mode is identified by the command-line prompt that is unique to that mode. By default, every prompt begins with the device name. Following the name, the remainder of the prompt indicates the mode. For example, the default prompt for line configuration mode is Switch(config-line)# and the default prompt for interface configuration mode is Switch(config-if)#.

Terminal Emulation Programs

Figure 1 Figure 2 Figure 3

There are a number of excellent terminal emulation programs available for connecting to a networking device either by a serial connection over a console port or by a SSH/Telnet connection. Some of these include:

PuTTY (Figure 1)

Tera Term (Figure 2)

SecureCRT (Figure 3)

OS X Terminal

These programs allow you to enhance your productivity by adjusting window sizes, changing font sizes, and changing color schemes.

The Command Structure

Basic IOS Command Structure

A Cisco IOS device supports many commands. Each IOS command has a specific format or syntax and can only be executed in the appropriate mode. The general syntax for a command is the command followed by any appropriate keywords and arguments.

Keyword - a specific parameter defined in the operating system (in the figure, ip protocols)

Argument - not predefined; a value or variable defined by the user (in the figure, 192.168.10.5)

After entering each complete command, including any keywords and arguments, press the Enter key to submit the command to the command interpreter.

IOS Command Syntax

A command might require one or more arguments. To determine the keywords and arguments required for a command, refer to the command syntax. The syntax provides the pattern or format that must be used when entering a command.

For instance, the syntax for using the description command is description string. The argument is a string value provided by the user. The description command is typically used to identify the purpose of an interface. For example, entering the command, description Connects to the main headquarter office switch, describes where the other device is at the end of the connection.

The following examples demonstrate conventions used to document and use IOS commands.

ping ip-address - The command is ping and the user-defined argument is the ip-address of the destination device. For example, ping 10.10.10.5.

traceroute ip-address - The command is traceroute and the user-defined argument is the ip-address of the destination device. For example, traceroute 192.168.254.254.

The Cisco IOS Command Reference is the ultimate source of information for a particular IOS command. Refer to the Chapter Appendix to learn more about the Cisco IOS Command Reference.

Navigating the IOS cont...

Navigate Between IOS Modes

Various commands are used to move in and out of command prompts. To move from user EXEC mode to privileged EXEC mode, use the enable command. Use the disable privileged EXEC mode command to return to user EXEC mode.

Note: Privileged EXEC mode is sometimes called enable mode.

To move in and out of global configuration mode, use the configure terminal privileged EXEC mode command. To return to the privileged EXEC mode, enter the exit global config mode command.

There are many different sub-configuration modes. For example, to enter line sub-configuration mode, you use the line command followed by the management line type and number you wish to access. To exit a sub-configuration mode and return to global configuration mode, use the exit command. Notice the changes in the command prompt.

Switch(config)# line console 0

Switch(config-line)#

To move from any sub-configuration mode of the global configuration mode to the mode one step above it in the hierarchy of modes, enter the exit command.

Switch(config-line)# exit

Switch(config)#

To move from any sub-configuration mode to the privileged EXEC mode, enter the end command or enter the key combination Ctrl+Z.

Switch(config-line)# end

Switch#

You can also move directly from one sub-configuration mode to another. Notice how after the network device name, the command prompt changes from (config-line)# to (config-if)#.

Switch(config-line)# interface FastEthernet 0/1

Switch(config-if)#

Configuring Hostnames

Once the naming convention has been identified, the next step is to apply the names to the devices using the CLI.

From global configuration mode, enter the command hostname followed by the name of the switch and press Enter. Notice the change in the command prompt name.

Note: To remove the configured hostname and return the switch to the default prompt, use the no hostname global config command.

Always make sure the documentation is updated each time a device is added or modified. Identify devices in the documentation by their location, purpose, and address.

Secure Device Access

The use of weak or easily guessed passwords continues to be a security issue in many facets of the business world. Network devices, including home wireless routers, should always have passwords configured to limit administrative access.

Cisco IOS can be configured to use hierarchical mode passwords to allow different access privileges to a network device.

💡 Limiting Device Access

💡 Password Choosing Guidelines

Device Names

When configuring a networking device, one of the first steps is configuring a unique device name or hostname. Hostnames that appear in CLI prompts can be used in various authentication processes between devices, and should be used on topology diagrams.

If the device name is not explicitly configured, a factory assigned default name is used by the Cisco IOS. The default name for a Cisco IOS switch is "Switch." If all network devices were left with their default names, it would be difficult to identify a specific device. For instance, when accessing a remote device using SSH, it is important to have confirmation that you are connected to the proper device.

By choosing names wisely, it is easier to remember, document, and identify network devices. Guidelines for hostname configuration are listed:

Start with a letter

Contains no spaces

Ends with a letter or digit

Uses only letters, digits, and dashes

Be less than 64 characters in length

The hostnames used in the device IOS preserve capitalization and lowercase characters. Therefore, it allows you to capitalize a name as you ordinarily would. This contrasts with most Internet naming schemes, where uppercase and lowercase characters are treated identically.

📷 Configure Device Names

Encrypt Passwords

The startup-config and running-config files display most passwords in plaintext. This is a security threat since anyone can see the passwords used if they have access to these files.

To encrypt passwords, use the service password-encryption global config command. The command applies weak encryption to all unencrypted passwords. This encryption applies only to passwords in the configuration file, not to passwords as they are sent over the network. The purpose of this command is to keep unauthorized individuals from viewing passwords in the configuration file.

Banner Messages

Although requiring passwords is one way to keep unauthorized personnel out of a network, it is vital to provide a method for declaring that only authorized personnel should attempt to gain entry into the device. To do this, add a banner to the device output. Banners can be an important part of the legal process in the event that someone is prosecuted for breaking into a device. Some legal systems do not allow prosecution, or even the monitoring of users, unless a notification is visible.

To create a banner message of the day on a network device, use the banner motd # the message of the day # global config command. The “#” in the command syntax is called the delimiting character. It is entered before and after the message. The delimiting character can be any character as long as it does not occur in the message. For this reason, symbols such as the "#" are often used. After the command is executed, the banner will be displayed on all subsequent attempts to access the device until the banner is removed.

Because banners can be seen by anyone who attempts to log in, the message must be worded very carefully. The exact content or wording of a banner depends on the local laws and corporate policies. The banner should state that only authorized personnel are allowed to access the device. Any wording that implies a login is "welcome" or "invited" is inappropriate. Further, the banner can include scheduled system shutdowns and other information that affects all network users.

Configure Passwords

Figure 1 Figure 2 Figure 3

The most important password to configure is access to the privileged EXEC mode, as shown in Figure 1. To secure privileged EXEC access, use the enable secret password global config command.

To secure the user EXEC access, the console port must be configured, as shown in Figure 2. Enter line console configuration mode using the line console 0 global configuration command. The zero is used to represent the first (and in most cases the only) console interface. Next, specify the user EXEC mode password using the password password command. Finally, enable user EXEC access using the login command. Console access will now require a password before gaining access to the user EXEC mode.

VTY lines enable remote access to the device. To secure VTY lines used for SSH and Telnet, enter line VTY mode using the line vty 0 15 global config command, as shown in Figure 3. Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15. Next, specify the VTY password using the password password command. Lastly, enable VTY access using the login command.

Configuration files can also be saved and archived to a text document. This sequence of steps ensures that a working copy of the configuration file is available for editing or reuse later.

For example, assume that a switch has been configured, and the running configuration has been saved on the device.

Open a terminal emulation software such as PuTTY or Tera Term (Figure 1) connected to a switch.

Enable logging in the terminal software, such as PuTTY or Tera Term, and assign a name and file location to save the log file. Figure 2 displays that All session output will be captured to the file specified (i.e., MySwitchLogs).

Execute the show running-config or show startup-config command at the privileged EXEC prompt. Text displayed in the terminal window will be placed into the chosen file.

Disable logging in the terminal software. Figure 3 shows how to disable logging by choosing the None session logging option.

The text file created can be used as a record of how the device is currently implemented. The file could require editing before being used to restore a saved configuration to a device.

To restore a configuration file to a device:

Enter global configuration mode on the device.

Copy and paste the text file into the terminal window connected to the switch.

The text in the file will be applied as commands in the CLI and become the running configuration on the device. This is a convenient method of manually configuring a device.

Figure 1 Figure 2 Figure 3

Interfaces and Ports cont...

Not only does each link on the Internet require a specific network media type, but each link also requires a particular network technology. For example, Ethernet is the most common local area network (LAN) technology used today. Ethernet ports are found on end-user devices, switch devices, and other networking devices that can physically connect to the network using a cable.

Cisco IOS Layer 2 switches have physical ports for devices to connect. These ports do not support Layer 3 IP addresses. Therefore, switches have one or more switch virtual interfaces (SVIs). These are virtual interfaces because there is no physical hardware on the device associated with it. An SVI is created in software.

The virtual interface provides a means to remotely manage a switch over a network using IPv4. Each switch comes with one SVI appearing in the default configuration "out-of-the-box." The default SVI is interface VLAN1.

Note: A Layer 2 switch does not need an IP address. The IP address assigned to the SVI is used to remotely access the switch. An IP address is not necessary for the switch to perform its operations.

IP Addresses

The use of IP addresses is the primary means of enabling devices to locate one another and establish end-to-end communication on the Internet. Each end device on a network must be configured with an IP address. Examples of end devices are listed in 💡 Figure 1.

The structure of an IPv4 address is called dotted decimal notation and is represented by four decimal numbers between 0 and 255. IPv4 addresses are assigned to individual devices connected to a network.

With the IPv4 address, a subnet mask is also necessary. A subnet mask is a special type of IPv4 address. Coupled with the IPv4 address, the subnet mask determines which particular subnet the device is a member.

The example in 📷 Figure 2 displays the IPv4 address (192.168.1.10), subnet mask (255.255.255.0), and default gateway (192.168.1.1) assigned to a host. The default gateway address is the IP address of the router that the host will use to access remote networks, including the Internet.

IP addresses can be assigned to both physical ports and virtual interfaces on devices. A virtual interface means that there is no physical hardware on the device associated with it.

Interfaces and Ports

Network communications depend on end user device interfaces, networking device interfaces, and the cables that connect them. Each physical interface has specifications, or standards, that define it. A cable connecting to the interface must be designed to match the physical standards of the interface. Types of network media include twisted-pair copper cables, fiber-optic cables, coaxial cables, or wireless as shown in the figure.

Different types of network media have different features and benefits. Not all network media has the same characteristics and is appropriate for the same purpose. Some of the differences between various types of media include:

Distance the media can successfully carry a signal

Environment in which the media is to be installed

Amount of data and the speed at which it must be transmitted

Cost of the media and installation

Automatic IP Address Configuration for End Devices

PCs typically default to using DHCP for automatic IP address configuration. DHCP is a technology that is used in almost every network. The best way to understand why DHCP is so popular is by considering all the extra work that would have to take place without it.

In a network, DHCP enables automatic IPv4 address configuration for every end device that has DHCP enabled. Imagine the amount of time it would consume if every time you connected to the network, you had to manually enter the IP address, the subnet mask, the default gateway, and the DNS server. Multiply that by every user and every device in an organization and you see the problem. Manual configuration also increases the chance of misconfiguration by duplicating another device’s IP address.

To configure DHCP on a Windows PC, you only need to select “Obtain an IP address automatically" and “Obtain DNS server address automatically". Your PC will search out a DHCP server and be assigned the address settings necessary to communicate on the network.

It is possible to display the IP configuration settings on a Windows PC by using the ipconfig command at the command prompt. The output will show the IP address, subnet mask, and gateway information received from the DHCP server.

Switch Virtual Interface Configuration

To access the switch remotely, an IP address and a subnet mask must be configured on the SVI. To configure an SVI on a switch, use the interface vlan 1 global configuration command. Vlan 1 is not an actual physical interface but a virtual one. Next assign an IPv4 address using the ip address ip-address subnet-mask interface configuration command. Finally, enable the virtual interface using the no shutdown interface configuration command.

After these commands are configured, the switch has all the IPv4 elements ready for communication over the network.

Interface Addressing Verification

In the same way that you use commands and utilities like ipconfig to verify a PC host’s network configuration, you also use commands to verify the interfaces and address settings of intermediary devices like switches and routers.

End-to-End Connectivity Test

The ping command can be used to test connectivity to another device on the network or a website on the Internet.

Manual IP Address Configuration for End Devices

Figure 1 Figure 2

In order for an end device to communicate over the network, it must be configured with a unique IP address and subnet mask. IP address information can be entered into end devices manually, or automatically using Dynamic Host Configuration Protocol (DHCP).

To manually configure an IP address on a Windows host, open the Control Panel > Network Sharing Center > Change adapter settings and choose the adapter. Next right-click and select Properties to display the Local Area Connection Properties shown in Figure 1.

Highlight Internet Protocol Version 4 (TCP/IPv4) and click Properties to open the Internet Protocol Version 4 (TCP/IPv4) Properties window shown in Figure 2. Configure the IPv4 address and subnet mask information, and default gateway.

Note: The DNS server addresses are the IP addresses of the Domain Name System (DNS) servers, which are used to translate IP addresses to domain names, such as www.cisco.com.