Configuring Cisco Routers and Switches for Management
Randy Zhang
Cisco Systems is the undisputed leader of data networking, in revenue, profit, product breadth, influence, and installed base. It has about 80% of the market share for routers and is in a leading position in LAN and ATM switching markets. These routers and switches play a significant role in enterprise and Internet connectivity today. With the continued decline in price per switched port and demand for higher bandwidth, more and more switches are deployed in networks in the place of shared hubs. Additionally, some routing functions are being implemented in switches, pushing switching onto the backbones. There are also trends indicating that traditional routers are being increasingly deployed on the network edges, taking on more functionality for remote access and security.
Most Cisco devices are configured with commands. For experienced administrators of Cisco devices, the command-line interface provides an efficient way to accomplish configuration changes or do troubleshooting. For people new to Cisco equipment, however, configuration of these devices is not easy. The short cycles of software update and product changes and inconsistent commands across product lines further add to the difficulty. This article provides an introduction to configuring Cisco routers and switches. Specifically, information will be given for the following subjects: status monitoring for Cisco routers and switches, getting started on configuring Cisco routers and switches, configuring Cisco routers and switches for SNMP and RMON management, access security configuration, and troubleshooting.
Basic Functionality
Cisco routers can be combined into four major groups, based on functionality and performance. The first group, Cisco's high-end core routers, consists of the 7000 series, 7200 series, 7500 series, and the new gigabit switch router (GSR) 12000 series. This group of routers is currently operating on the Internet and enterprise backbones. They generally come in big chassis and provide various combinations of high-speed LAN and WAN interfaces. The 12000 GSR, for example, is a carrier-class router that can support link speeds up to OC-48 (2.4 Gbps), and uses a switched backplane with capacity as high as 60 Gbps. The mid-range group of routers, such as 3600, 4000, and 4700 series, come with a smaller chassis and limited slots and hardware configurations. These routers have LAN, ATM, ISDN, serial, and asynchronous interfaces, and can be used as campus and enterprise backbone routers and remote access routers. The access group of routers includes the 1000, 2000, 2500, and 2600 series. The most popular one in this group is the 2500 series, which provides Ethernet and Token Ring interfaces on the LAN side, and ISDN and serial interfaces on the WAN side. The last group contains the 700 series routers, which are primarily used for home, telecommuting, and small branch office connectivity. These routers generally provide two channels of ISDN BRI, and one Ethernet interface. In Cisco's literature, all routers of 4700 series and lower are grouped together as "access routers", which are divided into modular access routers (1600-4700) and fixed-configuration access routers (700-2500). Overlapping occurs because of multiple hardware configurations within the same series.
On the ATM switching front, Cisco has two carrier-class WAN switches, IGX 8400 and BPX 8600. These switches, intended for service providers and large enterprise networks, provide broadband and narrowband services with end-to-end quality of service. BPX provides high-density ports with speed up to OC-12 and is used at the core of the network. IGX is generally used on the edge of the network and provides interfaces up to OC-3 speed. LightStream 1010 is the other popular ATM switch for the campus and enterprise backbones. It provides T1/E1, T3/E3, OC-3, and OC-12 interfaces. On the LAN switching side, Cisco has the Catalyst family of switches. For the backbone, data center, and wiring closet, there are 5000 and 5500 series. These two provide Gigabit Ethernet, ATM, Fast Ethernet, Ethernet, FDDI, Token Ring, and route switching. For desktop and workgroup switching, Cisco has Catalyst 3000, 2900, 2600, 1900, 1200, etc.
Monitoring Status
The operating system running on the majority of Cisco equipment is the Cisco Internetworking Operating System, IOS. These devices include most of the routers and the LightStream ATM switches. The Catalyst family of switches uses a different operating system, accessed either through a command-line interface or a menu-driven interface. The confusing part is that the ATM LAN emulation module in the Catalyst 5000 uses IOS, so this module is configured separately from the main switch. The 700 series routers use yet another OS, but the command-line interface is similar to that of the Catalyst. This article concentrates on the configuration of the first two types of operating systems. The trend appears to be that they are going to be IOS or IOS-like. This section presents some basic commands to monitor the Cisco equipment.
For IOS and most Catalyst switches, there are two common levels of login restriction, or exec levels. The user exec level is the first level of access that requires a password, if configured. Once authenticated, the user is presented with a router> prompt, for example. A limited subset of commands is available at this level. The other level is the privileged exec level, which is the highest level (level 15) in IOS. Users at this level have all privileges and can access all commands. To enter the privileged level from the user exec level (level 1), the command is enable, which will demand an enable password, if configured. The prompt for this level is router#. The specific differences between the two access levels and how to configure passwords will be discussed below. IOS actually has 15 levels altogether, which allow setting up various degrees of privilege to increase manageability and flexibility.
The online help for IOS and the Catalyst is accessed by entering ?, which will list the appropriate commands or options to complete the command. The help is context-sensitive. Another feature of the IOS interface is that commands and parameters can be shortened, as long as there are enough letters to be unique. For example, the show command can be entered as sh. Commands are not case-sensitive. Some useful keystrokes are:
Ctrl-p or Up arrow - to recall the previous command
Tab - to expand the command
Ctrl-z - to escape to the previous prompt level
The basic monitoring commands are generally in the category of show commands. The following is a list of common commands to monitor IOS equipment and the Catalyst switches. The exact commands or their output may vary depending on the platform and software version.
IOS
show version - IOS version, ROM version, platform, system image name, uptime, interface summary, RAM size, flash size, etc.
show hardware - Similar to show version, depending on the platform and IOS version
show clock - Time, date, and time zone
show interface - Interface type, layer 2 and layer 3 addresses, status, bandwidth, traffic statistics
show atm - ATM-specific interface status
show lane - ATM LAN emulation status
show proc cpu - CPU utilization for the device and for each process
show proc mem - Total memory usage and process memory usage
show diagnostics - Module status. LightStream 1010 has show diagnostic power-on to display the self-test results for various components; its output is similar to the Catalyst's show test
show environment all - Power supplies, temperature readings, and voltage readings
ping - To test connectivity; it can be used for various network protocols, including IP
trace - To trace connectivity; it can be used for multiple protocols, similar to ping
exit, logout, quit - Quit from the exec or log out
Catalyst
show version - Versions for the switch and individual modules, uptime, sizes of RAM, NVRAM, and flash, and memory usage
show time - Same output as IOS show clock
show interface - Status of the management interface only; output is similar to UNIX ifconfig -a
show mac - Port-level traffic statistics
show port - Port status, VLAN, duplex, speed, and type of port
show vlan - VLAN number, name, status, and module/ports that belong to the VLAN
show trunk - Trunking ports, mode, status, and VLANs allowed on the trunk
show system - Power supply status, fan status, system status, traffic load, system name, location, and contact
show test - Power-on self-test results for various components
ping - To test network connectivity in an IP-based network; the output is similar to that of UNIX ping
exit, logout, quit - Log out
Basic Configurations
For a new IOS router without configuration, a setup mode is entered once the router is booted up. The setup basically consists of a list of questions to be answered to help start the initial configuration. If the user chooses to run the setup, the following basic information is needed: hostname of the router, passwords, protocol and address of each interface (or multiple protocols can be assigned to the same interface), routing protocols, etc. Once completed, the configuration needs to be saved to NVRAM, so that it will be available after rebooting.
There are two types of configuration files in IOS, the operating configuration is running-config, and the permanent configuration is startup-config. The running-config is updated automatically and immediately whenever there are configuration changes, but the startup-config needs to be updated manually, using the IOS command copy running-config startup-config. IOS devices use several storage devices: ROM is used for ROM Monitor and boot ROM; flash memory is used for system images; NVRAM is used for the startup-config; and DRAM is used to store running-config, routing tables, caches, queues, packets, etc.
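Because running-config changes take effect at once but are lost at the next reboot unless copied to startup-config, one practical management check is to diff the two files and list what has not been saved. The following script is an added example and is not part of the article or of any Cisco software. It assumes both configurations have already been captured (for instance from show running-config and show startup-config) and, based on common IOS behaviour, treats the timestamp header lines and the ntp clock-period statement as lines IOS rewrites by itself rather than operator changes.

```python
import difflib

# Constructed sample configs (not from a real device). The running-config has
# hardening added since the last save; the passwords, hash and address are placeholders.
STARTUP_CONFIG = """\
! NVRAM config last updated at 10:00:00 UTC Mon Jan 4 1999
hostname router1
enable password cisco123
line vty 0 4
 password telnet123
 login
end
"""

RUNNING_CONFIG = """\
! Last configuration change at 11:30:00 UTC Mon Jan 4 1999
hostname router1
service password-encryption
enable secret 5 $1$PLACEHOLDER$not-a-real-hash
enable password 7 PLACEHOLDER
access-list 1 permit 10.0.0.5 0.0.0.0
line vty 0 4
 password 7 PLACEHOLDER
 login
 access-class 1 in
end
"""

# Prefixes of lines IOS maintains on its own (assumption from common IOS behaviour);
# they differ between the two files without anyone having changed the config.
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated",
                     "ntp clock-period")


def normalize(config_text):
    # Keep only real statements: drop blank, comment-only and volatile lines.
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and line.strip() != "!" and not line.startswith(VOLATILE_PREFIXES)]


def unsaved_changes(running, startup):
    # Returns (added, removed): statements present in running-config but not in
    # startup-config, and vice versa. Both lists empty means a reload loses nothing.
    added, removed = [], []
    for line in difflib.unified_diff(normalize(startup), normalize(running), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    print("unsaved additions:", added)
    print("unsaved removals:", removed)
```

In the sample, the added service password-encryption, enable secret and the vty access-class all appear as unsaved, which is exactly the hardening that would silently disappear at the next reload if copy running-config startup-config is forgotten.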
To enter into the configuration mode, the user must be logged in to the privileged exec mode first. There are two common sources of configuration for IOS:
configure terminal - Configuration commands are entered through a terminal, either directly connected through the console port or a virtual terminal through telnet. This is useful for minor changes to the configuration file or for troubleshooting. The result of changes is immediate. After entering this mode, the IOS prompt becomes router(config)#
configure network - The configuration file is downloaded from a remote host through tftp. This is useful for major changes, but care should be taken to ensure that the syntax is correct.
copy tftp - Similar to configure network
Both configuration files are stored in clear text, and are viewable in privileged exec mode.
show running-config - To view the operating configuration
show startup-config - To view the permanent configuration
Within the IOS configuration, there are two levels of commands: those that apply to the entire device are global commands, and those that apply to the interface level are interface commands. All global commands are entered at the configuration mode, at the prompt router(config)#. There are three steps to get into the global configuration mode of an IOS router:
- Login to the router through the console or telnet and supply a line password, a router> prompt is presented;
- Become a privileged user using the enable command and supply the enable password;
- Enter configure terminal to get into configuration mode.
To configure network interfaces, one extra step is needed. Once in the global configuration mode, enter the command interface interface-type slot/module# (italicized font indicates the information must be supplied by the user), such as interface ethernet 2/0. The prompt would change to router(config-if)#, indicating that it is under the interface configuration mode. All the commands entered thereafter are interface-level commands. To enable IP routing for the interface, for example, enter the command ip address address mask. The configuration can be tested by pressing Ctrl-z to return to the privileged exec mode and pinging the IP address just entered. To enable a routing protocol on the router, use the router protocol command in the global configuration mode. For example, the command router rip enables RIP routing.
The Catalyst switches basically use the set command to change the configuration. They do not have the concept of running-config and startup-config as in IOS, so any configuration change is immediate and permanent. There is no configuration mode either, and all configuration commands are entered at the privileged exec mode. Basic configurations for such switches are defining VLANs, assigning ports to VLANs, creating VLAN trunking, and changing port configuration. The switches are shipped with a default VLAN (VLAN 1) that includes all the ports. Thus if only one VLAN is used, no configuration is necessary. VLAN trunking uses Cisco's own VLAN trunking protocol, Inter-Switch Link (ISL). Thus, it is not interoperable with other vendors' switches. As indicated above, the ATM LANE module in the Catalyst switches uses IOS. To configure the module, enter the command session module# at the switch prompt. Once logged in to the module, configuration commands are entered like other IOS commands.
set vlan - To create VLANs and to assign ports to VLANs
set port - To change port speed and duplex
set trunk - To assign a port to be a trunk
set interface - To change the management interface configuration: VLAN and IP address
Configuring SNMP and RMON
To enable SNMP and RMON on IOS routers, enter the following commands at the global configuration mode:
snmp-server community - To enable SNMP with a community string for each type of access: read-only and read-write. The default access level is read-only. Security considerations for SNMP are discussed in the next section
snmp-server enable traps - To generate traps when failures occur. This command is used in conjunction with the next one
snmp-server host - To specify the network management station to receive the traps
snmp-server contact - To specify the contact; this information is used by an SNMP management station
snmp-server location - To specify the physical location; this information is used by an SNMP management station
rmon - To enable RMON globally; RMON groups can be specified at this level. Additionally, more RMON groups can be specified at the interface level
hostname - To specify the device hostname
show snmp - To view the SNMP configuration
show rmon - To view the RMON configuration
For the Catalyst switches, use the set command to enable SNMP and RMON:
set snmp community - To enable SNMP with a community string for each access type: read-only, read-write, and read-write-all
set snmp trap enable - To enable traps; this is required for the next command
set snmp trap ip-address - To specify the network management station's IP address to receive the traps
set snmp rmon enable - To enable RMON. The RMON agent in the Catalyst 5000 series includes the following groups from RFC-1757: statistics, historical information, alarms, and events - for any Ethernet port or Fast EtherChannel
set system name - To set the switch hostname
set system contact - To specify switch contact information used by a management station
set system location - To specify the switch's physical location
show snmp - To view the SNMP and RMON configuration
Cisco also provides two software packages to help manage their devices: CiscoWorks for routers and CiscoWorks for Switched Internetworks (CWSI) for switches. CiscoWorks can run standalone or can be integrated into HP OpenView, Sun NetManager, and IBM NetView. It has following management modules: fault, performance, accounting, configuration, device, and security. CWSI can run standalone on Solaris, HP-UX, AIX, and Windows NT, or can be integrated into OpenView, SunNet Manager, and NetView. The CWSI bundle includes VlanDirector, ATMDirector, TrafficDirector, and Resource Manager. Both CiscoWorks and CWSI include CiscoView, a GUI package that allows viewing, monitoring, and configuring of Cisco devices to the port level.
To enable packet analyzers and sniffers to monitor a switched network, the Catalyst switches can be configured to have a port as the traffic monitoring port, so that traffic on other ports or networks can be mirrored to that port.
set span enable - To enable port monitoring; span stands for switched port analyzer
set span module/port - To set a port as the monitoring port for other ports
set span vlan - To set a port as the monitoring port for the specified VLAN
Access Security
As indicated above, there are two basic levels of access restriction for IOS devices and the Catalyst switches (i.e., line access and enable access). Line access controls the telnet connection, and enable access controls the privileged access. In IOS, an additional password or the same password as the line can be used for the console port, but the Catalyst uses the same password for both console and line.
To configure the console password in IOS configuration mode:
line console 0
password password
login
To configure the line password in IOS:
line vty 0 4
password password
login
To configure the enable password in IOS:
enable password password
All of the above passwords are stored in clear text in the config file by default. To encrypt them, enter:
service password-encryption
According to Cisco, this encryption is weak. To use a better encryption scheme (such as MD5) for the enable password, enter:
enable secret password
This password is stored as the result of a one-way hash and is more difficult to break. Note that once this command is configured, the enable password is no longer used for privileged mode authentication.
For Catalyst switches, use the following commands in the privileged exec mode:
set password password
set enablepass password
To protect against unauthorized access and malicious attacks, IOS provides additional security means. They basically can be categorized into: (1) allowing telnet access only from a few trusted network hosts; (2) restricting SNMP access to the predefined network management workstations; (3) disabling potentially dangerous yet not so useful services; and (4) enabling firewalling. The Catalyst switches only provide the first category of protection.
To restrict telnet access in IOS, use an IP access list. The following configuration, for example, only allows the workstation with the class C IP address c.c.c.c to telnet into the device.
access-list 1 permit c.c.c.c 0.0.0.0
line vty 0 4
password password
login
access-class 1 in
For the Catalyst switches, enter:
set ip permit enable
set ip permit c.c.c.c 255.255.255.255
To restrict SNMP access to a specified workstation, a similar access list can be configured in IOS. The following example configures a community string of $EcRe&t for read and write accesses to one workstation with the IP address of c.c.c.c. Additional management workstations can be added if needed.
snmp-server community $EcRe&t RW 2
access-list 2 permit c.c.c.c 0.0.0.0
Some services, such as Echo, Chargen, source routing, and finger, could be used for denial of service (DoS) or other malicious attacks. To disable these services in IOS, enter:
no ip source-route
no service finger
no service tcp-small-servers
no service udp-small-servers
Cisco routers can be configured to filter packets based on TCP/IP header information, such as source IP address, destination IP address, and TCP/UDP port numbers. In this case, the router basically functions also as a standalone packet-filtering firewall, so extensive and careful filtering and logging should be implemented. Cisco switches and other routers can be installed on the protected networks so that their access is only allowed for trusted hosts and networks, thus adding another layer of security. More granular access control can be provided by a centralized security server using RADIUS or TACACS+. A full-fledged discussion on security is beyond the scope of this article.
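The four hardening measures above (encrypted line passwords plus enable secret, a vty access-class, an SNMP community bound to an access list, and the unneeded services disabled) are easy to verify by reading the configuration. The following script is an added example, not part of the article or of any Cisco product: it audits a saved running-config text for each of those points. The two sample configurations are constructed for the example, with placeholder addresses, passwords, hash and community string. It also assumes an IOS release of the article's era, where finger, the small servers and source routing stay on unless the no service / no ip source-route lines are present; on later releases that disable some of these by default, the GLOBAL_REQUIRED table should be adjusted accordingly.

```python
import re

# Constructed sample configurations modelled on the article's snippets.
# The address, passwords, community string and secret hash are placeholders.
WEAK_CONFIG = """\
hostname router1
enable password cisco123
snmp-server community public RW
snmp-server community $EcRe&t RO 2
access-list 2 permit 10.0.0.5 0.0.0.0
line vty 0 4
 password telnet123
 login
end
"""

HARDENED_CONFIG = """\
hostname router1
service password-encryption
no service finger
no service tcp-small-servers
no service udp-small-servers
no ip source-route
enable secret 5 $1$PLACEHOLDER$not-a-real-hash
access-list 1 permit 10.0.0.5 0.0.0.0
access-list 2 permit 10.0.0.5 0.0.0.0
snmp-server community $EcRe&t RW 2
line vty 0 4
 password 7 PLACEHOLDER
 login
 access-class 1 in
end
"""

# Global statements the article adds, and what their absence means. Assumes an
# IOS release where these services are on unless explicitly disabled.
GLOBAL_REQUIRED = {
    "service password-encryption": "line passwords are stored in clear text",
    "no service finger": "finger service still enabled",
    "no service tcp-small-servers": "TCP echo/chargen small servers still enabled",
    "no service udp-small-servers": "UDP echo/chargen small servers still enabled",
    "no ip source-route": "source-routed packets still forwarded",
}
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\d+))?$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?:\s+(\S+))?$")
ACCESS_CLASS_RE = re.compile(r"^access-class (\d+) in$")


def parse_config(text):
    # Column-0 lines are global; indented lines belong to the preceding
    # 'line ...' or 'interface ...' header. Lines starting with '!' are comments.
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = raw.rstrip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.rstrip())
    return global_lines, sections


def acl_findings(number, used_by, acls):
    # A host-only ACL has wildcard 0.0.0.0 (or none, or the 'host' keyword) on every
    # permit entry; 'any' or a non-zero wildcard admits a whole address range.
    if number not in acls:
        return [f"{used_by} references access-list {number}, which is not defined"]
    return [f"access-list {number} (used by {used_by}) permits a range: {addr} {wc}"
            for action, addr, wc in acls[number]
            if action == "permit" and (addr == "any" or (addr != "host" and wc != "0.0.0.0"))]


def audit(config_text):
    # Returns a list of findings; an empty list means every check passed.
    global_lines, sections = parse_config(config_text)
    acls = {}
    for line in global_lines:
        m = ACL_RE.match(line)
        if m:
            number, action, addr, wc = m.groups()
            acls.setdefault(number, []).append((action, addr, wc or "0.0.0.0"))
    findings = [f"missing '{stmt}': {why}" for stmt, why in GLOBAL_REQUIRED.items()
                if stmt not in global_lines]
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("no 'enable secret': privileged password lacks the one-way hash")
    for line in global_lines:
        m = SNMP_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.groups()
        if community.lower() in ("public", "private"):
            findings.append(f"SNMP community '{community}' is a well-known default string")
        if acl is None:
            findings.append(f"SNMP community '{community}' ({mode or 'RO'}) has no access list")
        else:
            findings.extend(acl_findings(acl, f"snmp-server community {community}", acls))
    for header, body in sections.items():
        if header.startswith("line vty"):
            acl = next((m.group(1) for m in map(ACCESS_CLASS_RE.match, body) if m), None)
            if acl is None:
                findings.append(f"'{header}' has no 'access-class ... in': telnet open to all sources")
            else:
                findings.extend(acl_findings(acl, header, acls))
    return findings
```

Run against the weak sample the audit reports nine findings (the five missing global statements, the missing enable secret, the well-known and unrestricted public community, and the unrestricted vty line); the hardened sample, which is the article's own recommendations assembled into one file, passes cleanly. The ACL check also catches the case where an access list exists but permits a whole range rather than the single management host the article intends.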
Basic Troubleshooting
When routers and switches are not functioning as they should, the first step is to troubleshoot the configuration before deciding that the problem is hardware-based. There are extensive show commands for these purposes. The commands described above are usually the place to start. If, for example, it appears that the router does not accept certain commands, make sure the running IOS version meets the minimum version requirement, particularly for certain feature sets. When errors occur, IOS normally gives quite descriptive messages, based on which further actions can be taken. If incorrect configuration commands are suspected, use the command show running-config to double-check the configuration. This section will introduce more troubleshooting commands and tips for the following: (1) how to perform a system reboot; (2) interface troubleshooting; and (3) connectivity troubleshooting.
As indicated before, most commands take effect immediately when entered. Thus, rebooting is generally not needed for configuration changes. Additionally, most components are also hot-swappable, meaning a system reboot is not required for insertion of new components or removal of old components. But if rebooting is necessary, use the IOS reload command. For the Catalyst, use reset system. To manually shut down an interface in IOS, enter the interface configuration mode and use the command shutdown. To bring the interface back up, use the command no shutdown.
The command to troubleshoot an interface is show interface. If the interface is functioning correctly, it should show that the interface is up and that the line protocol is up. If the interface has been manually shut down, it will show that the interface is administratively down and the line protocol is down. If both the line and the line protocol are down but not administratively down, this may indicate an interface problem. If, however, the line is up but the line protocol is down, a connection or clocking problem may be the culprit, depending on the type of interface. If the line is up and the line protocol is up, pay attention to input/output errors, buffer failures, and the number of collisions (Ethernet). Increasing input errors, for example, may indicate faulty equipment.
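The decision rules in the paragraph above can be applied mechanically to captured show interface output, which is useful when many interfaces or many devices have to be checked. The script below is an added example and is not from the article or from Cisco; the sample output is constructed in the style of IOS show interface, with made-up interface names, MAC addresses and counters, and the "increasing input errors" rule is applied by comparing a current capture with an earlier one.

```python
import re

# Constructed sample output in the style of IOS 'show interface'; interface
# names, MAC addresses and counters are made up for the example.
EARLIER_SAMPLE = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0000.0c12.3456 (bia 0000.0c12.3456)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 12 collisions, 1 interface resets
"""

LATER_SAMPLE = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0000.0c12.3456 (bia 0000.0c12.3456)
     37 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 15 collisions, 1 interface resets
Ethernet0/1 is administratively down, line protocol is down
  Hardware is AmdP2, address is 0000.0c12.3457 (bia 0000.0c12.3457)
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
Serial0/0 is up, line protocol is down
  Hardware is HD64570
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 3 interface resets
Serial0/1 is down, line protocol is down
  Hardware is HD64570
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 0 collisions, 0 interface resets
"""

STATUS_RE = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")
COUNTER_RE = re.compile(r"(\d+) (input errors|output errors|collisions)")


def parse_show_interface(text):
    # Returns {name: {"line": ..., "protocol": ..., "input errors": n, ...}}.
    # A status line starts a new interface; counter lines update the current one.
    interfaces, current = {}, None
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            name, line_state, proto = m.groups()
            current = {"line": line_state, "protocol": proto,
                       "input errors": 0, "output errors": 0, "collisions": 0}
            interfaces[name] = current
        elif current is not None:
            for value, counter in COUNTER_RE.findall(line):
                current[counter] = int(value)
    return interfaces


def diagnose(current_text, previous_text=None):
    # Maps each interface to the verdict the article's decision rules give.
    # An earlier capture lets the 'increasing input errors' rule be applied.
    now = parse_show_interface(current_text)
    before = parse_show_interface(previous_text) if previous_text else {}
    report = {}
    for name, st in now.items():
        if st["line"] == "administratively down":
            verdict = "administratively down: shut down manually, 'no shutdown' restores it"
        elif st["line"] == "down":
            verdict = "down/down: possible interface problem (hardware or cabling)"
        elif st["protocol"] == "down":
            verdict = "up/down: connection or clocking problem, depending on interface type"
        else:
            verdict = "up/up: operational"
            prev = before.get(name)
            if prev and st["input errors"] > prev["input errors"]:
                verdict += "; input errors increasing, suspect faulty equipment"
            elif st["collisions"] or st["output errors"]:
                verdict += "; review collisions and output errors"
        report[name] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in diagnose(LATER_SAMPLE, EARLIER_SAMPLE).items():
        print(f"{name}: {verdict}")
```

Counters are compared, not just read: the Ethernet0/0 input error count in a single capture says little, but its rise from 0 to 37 between the two captures is the signal the paragraph describes. Real show interface output carries many more lines than the sample; the parser ignores anything that is not a status line or one of the three counters.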
Besides interface problems, connectivity problems can also be a result of a routing problem. Depending on the routing architecture, protocols, and network technologies, diagnosing and solving the problem may prove to be quite a complex endeavor. A full discussion of the subject is out of the scope of the article, but some basic commands are ping, trace, show ip protocol, and show ip route.
Another very useful tool for advanced troubleshooting is IOS debugging. These commands must be entered in the privileged mode.
show debugging - To display the state of each debugging option
debug - To begin message logging for the specified debug command
no debug - To turn message logging off for the specified debug command
The system gives high priority to debugging output. Thus debugging commands should be turned on only for troubleshooting specific problems or during troubleshooting sessions with technical support personnel. Debugging is definitely not suitable for daily monitoring purposes. Excessive debugging output can render the system inoperable, especially on a busy production system. Use with extreme care.
Troubleshooting switches is usually much simpler than troubleshooting routers because switches are layer 2 devices (unless layer 3 switching or route switching is enabled). Basic troubleshooting commands for the Catalyst switches were discussed above. Two common problems associated with these switches are related to port configuration mismatch and spanning tree. If the switching port is autosensing, yet the workstation appears to have trouble establishing a link, a static port setting can be forced on the switch. The spanning tree is used to avoid traffic loops and is automatically enabled per VLAN on the switch. If a directly connected workstation still has link problems after a static port setting change, it may be related to spanning tree. Disabling spanning tree can allow the switch and the workstation to establish a link in a much shorter time, but with the consequence of potential traffic loops. The debugging tool is not supported on the Catalyst switches.
Summary
Due to the tremendous pace of technological advances in the internetworking arena and often unpredictable market demands, products may change significantly and rapidly. Providing competent technical support for these products is often challenging, to say the least. Although this article has provided an overview of configuring and troubleshooting Cisco routers and switches, additional resources and continued training likely will be required. A brief list of such resources is included. From my experience, the best method of staying on top of the administrative challenge presented by Cisco routers and switches is to pay frequent visits to the Cisco Web site (www.cisco.com). The site provides in-depth technical documentation for all Cisco equipment, although certain online support requires the purchase of a Cisco support contract. There is also an excellent newsgroup devoted to issues relating to Cisco equipment (www.dcom.sys.cisco). Last, I recommend having some Cisco equipment with which to do hands-on configuration, which will give you the best look and feel of Cisco IOS.
About the Author
Randy Zhang has 5 years experience supporting networks and various types of systems. He has a Ph.D. in forestry from the University of Nebraska. He is currently a senior systems and network analyst at UCLA Medical Center, supporting the hospital's high-speed imaging and information networks that primarily consist of Cisco devices and Sun servers and workstations. He is a Certified Microsoft Professional and Certified Novell Administrator. He can be reached at hzhang@radsci.ucla.edu.